ELF_CHAPRO.B

This Trojan may be dropped by other malware.

Arrival Details

This Trojan may be dropped by other malware.

NOTES:

This Trojan is an Apache module for Linux that functions as an output filter. An output filter is a piece of code that inspect, and possibly modify, the response of the Apache web server before sending it to the requesting client.

It only processes the Web server response if the content type contains the following strings:

• text/html
• javascript
• text/js
• json

It does not process the Web server response if the user agent string contains any of the following:

• SAFARI
• OPERA
• FIREFOX
• CHROME
• GOOGLEBOT
• SLURP
• YAHOO
• BING
• LINUX
• OPENBSD
• MACINTOSH
• MAC OS
• IPHONE
• SYMBIANOS
• NOKIA
• LINKDEX
• FROG/1
• UQER-AGENT
• BLACKBERRY
• MOTOROLA
• APPLE-PUB
• AKREGATOR
• SONYERICSSON
• MACBOOK
• XENU LINK
• METAURI
• REEDER
• MOODLEBOT
• SAMSUNG
• SINDICE-FETCHER
• EZOOMS
• NIKOBOT
• BINLAR
• DARWIN
• PLAYSTATION
• OPERA MINI
• NINTENDO
• YANDEX
• CRAWLER
• JIKE
• SPIDER
• ROBOT
• PAPERLIBOT
• SNAPPREVIEWBOT
• BUFFERBOT
• MEDIAPARTNERS
• HATENA
• BLUEDRAGON
• WORDPRESS
• XIANGUO
• WOOPINGBOT
• CAFFEINATED
• FEEDZIRRA
• BITLYBOT
• FOIIABOT
• PROXIMIC
• VBSEO
• FOLLOWSITE
• SOGOU
• NHN
• WGCT
• MSNBOT
• YOUDAO
• STACKRAMBLER
• LWP::SIMPLE
• QIHOOBOT
• BRUTUS
• HTTPCLIENT
• NIELSEN
• CURL
• PHP
• INDY LIBRARY

It also does not process the Web server response if the Referer name contains any of the following:

• GOOGLE.
• YAHOO.
• YANDEX.
• RAMBLER.
• MAIL.RU
• BING.
• SEARCH.
• MSN.
• ALLTHEWEB.
• ASK.
• LOOKSMART.
• ALTAVISTA.
• WEB.DE
• FIREBALL.
• LYCOS.
• AOL.
• ICQ.
• NETZERO.
• FRESH-WEATHER.
• FREECAUSE.
• MYSEARCH-FINDER.
• NEXPLORE.
• ATT.
• REDROVIN.
• TOSEEKA.
• COMCAST.
• INCREDIMAIL.
• CHARTER.
• VERIZON.
• SUCHE.
• VIRGILIO.
• VERDEN.

It creates the following file to identify the clients with modified***:

• /var/tmp/sess_{random strings generated from the client IP address}

It checks if the file /var/tmp/sess_d0c94b5412e3494af1e7db042c59afa2 if it exists. If the file does not exist, it attempts to get the address of its C&C server by reading the file /usr/lib/libbdl.sO.0. If it fails to get the address of its C&C server from /usr/lib/libbdl.sO.0, it uses the following URL:

• http://{BLOCKED}.{BLOCKED}.13.65/Home/index.php

It encrypts and saves the received data to the file /var/tmp/sess_d0c94b5412e3494af1e7db042c59afa2. The received data contains the code that is injected to the Web server response.

If the content type is text/html, it searches for the following strings in the Web server response where it injects the code contained in /var/tmp/sess_d0c94b5412e3494af1e7db042c59afa2:

If the content type is not text/html, it appends the code in /var/tmp/sess_d0c94b5412e3494af1e7db042c59afa2 to the Web server response.