Backdoor.Linux.DOFLOO.AB

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Führt Befehle eines externen, böswilligen Benutzers aus, wodurch das betroffene System gefährdet wird.

Übertragungsdetails

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

Fügt die folgenden Prozesse hinzu:

• sed -i -e '/exit/d' /etc/rc.local
• sed -i -e '/^\r\n|\r|\n$/d' /etc/rc.local
• sed -i -e '/%s/d' /etc/rc.local
• sed -i -e '2 i%s/%s' /etc/rc.local
• sed -i -e '2 i%s/%s start' /etc/rc.d/rc.local
• sed -i -e '2 i%s/%s start' /etc/init.d/boot.local

Backdoor-Routine

Führt die folgenden Befehle eines externen, böswilligen Benutzers aus:

• Initiate DDoS attacks:
  • TCP flood
  • Challenge Collapsar (CC) attack
• Stop DDoS attack
• Execute shell commands

Datendiebstahl

Folgende Daten werden gesammelt:

• CPU information
• Memory statistics
• IP address of infected machine
• Reads the following information from /proc:
  • /proc/stat
  • /proc/meminfo
  • /proc/cpuinfo
  • /proc/net/dev
  • /proc/self/exe
  • /proc/self/maps
  • /proc/sys/vm/overcommit_memory
  • /proc/sys/kernel/rtsig-max
  • /proc/sys/kernel/ngroups_max
  • /proc/sys/kernel/osrelease
  • /proc/self/fd/%d/%s
  • /proc/self/fd
  • /proc/net

Andere Details

Öffnet die folgenden Dateien:

• /etc/host.conf
• /etc/resolv.conf
• /etc/nsswitch.conf
• /etc/suid-debug
• /etc/ld.so.cache