Trojan.Linux.SKIDMAP.UWEJY

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following files:

• /lib64/security/pam_unix.so -> if 64-bit, compromised pam_unix.so file
• /lib/x86_64-linux-gnu/security/pam_unix.so -> if 32-bit, compromised pam_unix.so file
• /etc/rctlconf/certs/rctl_ca.crt
• /etc/rctlconf/rctlcli.cfg

It drops and executes the following files:

• /usr/bin/irqbalanced
• /usr/bin/rctlcli
• /usr/bin/systemd-network ← detected as Trojan.Linux.SKIDMAP.A
• /usr/bin/kswaped ← detected as Backdoor.Linux.SKIDMAP.A

Other Details

This Trojan does the following:

• It installs LKM (Linux Kernel Module) rootkits in the victim machine and has different versions of the modules for specific kernel versions:
  • /lib/udev/ssd_control/iproute.ko ← detected as Rootkit.Linux.SKIDMAP.A
  • /lib/udev/ssd_control/netlink.ko ← detected as Rootkit.Linux.SKIDMAP.B
  • /lib/udev/ssd_control/cryptov2.ko ← detected as Rootkit.Linux.SKIDMAP.C
• It modified all dropped files accessed and modified information to:
  • 02/22/2012
• It deletes the following files if exist in the affected system:
  • /etc/cron.d/ntp
  • /etc/cron.hourly/ntp
• It clears the content of the following files by executing the following command:
  • /bin/echo 0 > /var/log/messages
  • /bin/echo 0 > /var/log/kern.log
  • /bin/echo 0 > /var/log/audit/audit.log
• It checks for the presence of the following files:
  /lib64/security/pam_unix.so
  /lib/x86_64-linux-gnu/security/pam_unix.so.
  If present, it will replace it with a malicious copy of "pam_unix.so", otherwise it will create its own "pam_unix.so"
• It sets the following configurations:
  SELINUX=disabled
  SELINUXTYPE=targeted, to disabled setenforce