Backdoor.Linux.GOMIR.THEBABD
UDS:Backdoor.Linux.Gomir.a (KASPERSKY)
Linux
Tipo de malware
Backdoor
Destructivo?
No
Cifrado
In the Wild:
Sí
Resumen y descripción
It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Ejecuta comandos desde un usuario remoto malicioso que pone en peligro el sistema afectado.
Detalles técnicos
Detalles de entrada
It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Instalación
Infiltra los archivos siguientes:
- /etc/systemd/system/syslogd.service → If "install" parameter is used with process running under superuser privilege.
- {Malware File Path}\cron.txt → If "install" parameter is used with process not running under superuser privilege. Deletes afterwards.
Crea las siguientes copias de sí mismo en el sistema afectado:
- /var/log/syslogd → If "install" parameter is used with process running under superuser privilege.
Agrega los procesos siguientes:
- $SHELL -c systemctl daemon-reload → If "install" parameter is used with process running under superuser privilege.
- $SHELL -c systemctl reenable syslogd → If "install" parameter is used with process running under superuser privilege.
- $SHELL -c systemctl start syslogd → If "install" parameter is used with process running under superuser privilege.
- /bin/sh -c crontab -1 → If "install" parameter is used with process running under superuser privilege.
- $SHELL -c crontab cron.txt → If "install" parameter is used with process running under superuser privilege.
Rutina de puerta trasera
Ejecuta los comandos siguientes desde un usuario remoto malicioso:
- 01 → Temporarily halts communication with the C&C server for a specified period.
- 02 → Executes an arbitrary string as a shell command ("[shell]" "-c" "[arbitrary_string]").
- 03 → Reports the current working directory.
- 04 → Changes the current working directory and reports the working directory’s new pathname.
- 05 → Checks TCP connectivity for arbitrary network endpoints.
- 06 → Terminates its own process, effectively stopping the backdoor.
- 07 → Reports the pathname of its own executable file.
- 08 → Gathers statistics about a specified directory tree and reports the total number of subdirectories, total number of files, and the cumulative size of all files.
- 09 → Reports the configuration details of the affected computer, including hostname, username, CPU, RAM, and network interfaces, listing each interface's name, MAC address, IP address, and IPv6 address.
- 10 → Sets a fallback shell for executing shell commands in operation 02, with the initial value set to "/bin/sh".
- 11 → Sets a codepage for interpreting the output from the shell commands in operation 02.
- 12 → Delays communication with the C&C server until a specified datetime.
- 13 → Responds with the message "Not implemented on Linux!".
- 14 → Starts a reverse proxy by connecting to an arbitrary control endpoint.
- 15 → Reports the control endpoints of the reverse proxy.
- 30 → Creates an arbitrary file on the affected computer.
- 31 → Exfiltrates an arbitrary file from the affected computer.
Otros detalles
Hace lo siguiente:
- It adds the following service:
- Service Name: syslogd
- Start type: Restart=always
- Deletes and terminates itself →If "install" parameter is used with process running under superuser privilege.
Soluciones
Step 2
Explorar el equipo con su producto de Trend Micro para eliminar los archivos detectados como Backdoor.Linux.GOMIR.THEBABD En caso de que el producto de Trend Micro ya haya limpiado, eliminado o puesto en cuarentena los archivos detectados, no serán necesarios más pasos. Puede optar simplemente por eliminar los archivos en cuarentena. Consulte esta página de Base de conocimientos para obtener más información.
Rellene nuestra encuesta!