ELF_SETAG.AV

 Analysis by: Rhena Inocencio

 ALIASES:

Backdoor:Linux/Setag!rfn (Microsoft), Linux/Setag.B.Gen trojan (ESET)

 PLATFORM:

Linux

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW


This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  TECHNICAL DETAILS

File Size:

1,224,704 bytes

File Type:

ELF

Initial Samples Received Date:

01 Feb 2016

Arrival Details

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This backdoor drops the following files:

  • /tmp/bill.lock
  • /tmp/notify.file
  • /proc/net/pktgen/kpktgend_{number}
  • /proc/net/pktgen/pgctrl

It drops the following copies of itself into the affected system:

  • /usr/lib/libamplify.so

Other Details

This backdoor connects to the following possibly malicious URL:

  • {BLOCKED}.60.224.5
  • {BLOCKED}.60.224.3
  • {BLOCKED}.31.233.1
  • {BLOCKED}.31.1.1
  • {BLOCKED}.236.93.33
  • {BLOCKED}.235.70.98
  • {BLOCKED}.235.164.18
  • {BLOCKED}.235.164.13
  • {BLOCKED}.234.254.5
  • {BLOCKED}.233.9.9
  • {BLOCKED}.233.9.61
  • {BLOCKED}.187.98.6
  • {BLOCKED}.187.98.3
  • {BLOCKED}.177.7.1
  • {BLOCKED}.166.25.129
  • {BLOCKED}.166.150.139
  • {BLOCKED}.166.150.123
  • {BLOCKED}.166.150.101
  • {BLOCKED}.147.37.1
  • {BLOCKED}.139.54.66
  • {BLOCKED}.139.39.73
  • {BLOCKED}.139.2.69
  • {BLOCKED}.134.1.4
  • {BLOCKED}.132.163.68
  • {BLOCKED}.130.254.34
  • {BLOCKED}.128.192.68
  • {BLOCKED}.128.128.68
  • {BLOCKED}.128.114.166
  • {BLOCKED}.128.114.133
  • {BLOCKED}.10.1.130
  • {BLOCKED}.10.0.130
  • {BLOCKED}.191.244.5
  • {BLOCKED}.51.78.210
  • {BLOCKED}.242.2.2
  • {BLOCKED}.241.208.46
  • {BLOCKED}.240.57.33
  • {BLOCKED}.22.96.66
  • {BLOCKED}.88.88.88
  • {BLOCKED}.85.85.85
  • {BLOCKED}.75.152.129
  • {BLOCKED}.52.118.162
  • {BLOCKED}.47.62.142
  • {BLOCKED}.47.29.93
  • {BLOCKED}.46.120.5
  • {BLOCKED}.45.1.40
  • {BLOCKED}.45.0.110
  • {BLOCKED}.246.129.80
  • {BLOCKED}.243.129.81
  • {BLOCKED}.222.222.222
  • {BLOCKED}.221.5.240
  • {BLOCKED}.172.200.68
  • {BLOCKED}.7.92.98
  • {BLOCKED}.7.92.86
  • {BLOCKED}.7.34.10
  • {BLOCKED}.7.136.68
  • {BLOCKED}.7.128.68
  • {BLOCKED}.7.1.20
  • {BLOCKED}.6.4.66
  • {BLOCKED}.5.88.88
  • {BLOCKED}.5.203.98
  • {BLOCKED}.5.203.90
  • {BLOCKED}.5.203.86
  • {BLOCKED}.4.66.66
  • {BLOCKED}.3.131.11
  • {BLOCKED}.232.129.30
  • {BLOCKED}.228.255.1
  • {BLOCKED}.176.4.9
  • {BLOCKED}.176.4.6
  • {BLOCKED}.176.4.21
  • {BLOCKED}.176.4.18
  • {BLOCKED}.176.4.15
  • {BLOCKED}.176.4.12
  • {BLOCKED}.176.3.85
  • {BLOCKED}.176.3.83
  • {BLOCKED}.176.3.79
  • {BLOCKED}.176.3.76
  • {BLOCKED}.176.3.73
  • {BLOCKED}.176.3.70
  • {BLOCKED}.131.143.69
  • {BLOCKED}.130.33.60
  • {BLOCKED}.130.33.52
  • {BLOCKED}.130.32.109
  • {BLOCKED}.130.32.106
  • {BLOCKED}.130.32.103
  • {BLOCKED}.130.32.100
  • {BLOCKED}.130.252.200
  • {BLOCKED}.12.33.227
  • {BLOCKED}.12.1.227
  • {BLOCKED}.11.132.2
  • {BLOCKED}.170.64.68
  • {BLOCKED}.168.208.6
  • {BLOCKED}.168.208.3
  • {BLOCKED}.72.225.253
  • {BLOCKED}.239.26.42
  • {BLOCKED}.235.127.1
  • {BLOCKED}.150.32.132
  • {BLOCKED}.149.6.99
  • {BLOCKED}.149.194.55
  • {BLOCKED}.148.204.66
  • {BLOCKED}.147.198.230
  • {BLOCKED}.147.1.66
  • {BLOCKED}.146.1.66
  • {BLOCKED}.141.148.39
  • {BLOCKED}.141.148.37
  • {BLOCKED}.141.140.10
  • {BLOCKED}.141.136.10
  • {BLOCKED}.89.0.124
  • {BLOCKED}.85.157.99
  • {BLOCKED}.85.152.99
  • {BLOCKED}.76.192.100
  • {BLOCKED}.6.200.139
  • {BLOCKED}.30.19.50
  • {BLOCKED}.30.19.40
  • {BLOCKED}.203.160.194
  • {BLOCKED}.203.101.3
  • {BLOCKED}.202.152.130
  • {BLOCKED}.201.17.2
  • {BLOCKED}.2.135.1
  • {BLOCKED}.108.248.245
  • {BLOCKED}.108.248.219
  • {BLOCKED}.106.127.122
  • {BLOCKED}.106.127.114
  • {BLOCKED}.104.78.2
  • {BLOCKED}.104.32.106
  • {BLOCKED}.104.128.106
  • {BLOCKED}.104.111.122
  • {BLOCKED}.104.111.114
  • {BLOCKED}.98.72.7
  • {BLOCKED}.98.4.1
  • {BLOCKED}.98.2.4
  • {BLOCKED}.98.121.27
  • {BLOCKED}.97.96.65
  • {BLOCKED}.97.64.129
  • {BLOCKED}.95.72.1
  • {BLOCKED}.95.193.97
  • {BLOCKED}.95.1.97
  • {BLOCKED}.93.64.129
  • {BLOCKED}.93.24.129
  • {BLOCKED}.93.0.81
  • {BLOCKED}.92.144.161
  • {BLOCKED}.92.136.81
  • {BLOCKED}.91.88.129
  • {BLOCKED}.90.80.65
  • {BLOCKED}.90.72.65
  • {BLOCKED}.78.130.1
  • {BLOCKED}.162.62.60
  • {BLOCKED}.162.62.1
  • {BLOCKED}.162.61.255
  • {BLOCKED}.162.61.235
  • {BLOCKED}.162.61.225
  • {BLOCKED}.161.159.3
  • {BLOCKED}.161.158.11
  • {BLOCKED}.147.6.3
  • {BLOCKED}.142.210.98
  • {BLOCKED}.142.210.100
  • {BLOCKED}.141.90.68
  • {BLOCKED}.141.16.99
  • {BLOCKED}.140.197.58
  • {BLOCKED}.139.73.34
  • {BLOCKED}.139.29.68
  • {BLOCKED}.139.29.170
  • {BLOCKED}.139.29.150
  • {BLOCKED}.139.2.18
  • {BLOCKED}.139.1.3
  • {BLOCKED}.138.91.1
  • {BLOCKED}.138.75.123
  • {BLOCKED}.138.245.180
  • {BLOCKED}.138.242.18
  • {BLOCKED}.138.240.100
  • {BLOCKED}.138.200.69
  • {BLOCKED}.138.180.2
  • {BLOCKED}.138.164.6
  • {BLOCKED}.138.156.66
  • {BLOCKED}.138.151.161
  • {BLOCKED}.138.145.194
  • {BLOCKED}.138.106.19
  • {BLOCKED}.137.32.178
  • {BLOCKED}.137.241.34
  • {BLOCKED}.137.160.5
  • {BLOCKED}.137.160.185
  • {BLOCKED}.136.28.237
  • {BLOCKED}.136.28.234
  • {BLOCKED}.136.28.231
  • {BLOCKED}.136.17.107
  • {BLOCKED}.136.150.66
  • {BLOCKED}.136.112.50
  • {BLOCKED}.103.13.101
  • {BLOCKED}.42.241.1
  • {BLOCKED}.38.192.33
  • {BLOCKED}.21.4.130
  • {BLOCKED}.21.3.140
  • {BLOCKED}.21.196.6
  • {BLOCKED}.200.211.225
  • {BLOCKED}.200.211.193
  • {BLOCKED}.80.96.9
  • {BLOCKED}.186.94.241
  • {BLOCKED}.186.94.20
  • {BLOCKED}.142.100.21
  • {BLOCKED}.142.100.18
  • {BLOCKED}.99.96.68
  • {BLOCKED}.99.224.8
  • {BLOCKED}.99.224.67
  • {BLOCKED}.99.192.68
  • {BLOCKED}.99.192.66
  • {BLOCKED}.99.168.8
  • {BLOCKED}.99.166.4
  • {BLOCKED}.99.160.68
  • {BLOCKED}.99.104.68
  • {BLOCKED}.98.96.68
  • {BLOCKED}.98.5.68
  • {BLOCKED}.98.224.68
  • {BLOCKED}.98.198.167
  • {BLOCKED}.98.192.67
  • {BLOCKED}.98.0.68
  • {BLOCKED}.97.7.6
  • {BLOCKED}.97.7.17
  • {BLOCKED}.97.224.68
  • {BLOCKED}.96.96.68
  • {BLOCKED}.96.86.18
  • {BLOCKED}.96.75.68
  • {BLOCKED}.96.69.38
  • {BLOCKED}.96.64.68
  • {BLOCKED}.96.209.5
  • {BLOCKED}.96.209.133
  • {BLOCKED}.96.154.15
  • {BLOCKED}.96.144.47
  • {BLOCKED}.96.134.33
  • {BLOCKED}.96.134.133
  • {BLOCKED}.96.128.86
  • {BLOCKED}.96.128.68
  • {BLOCKED}.96.128.166
  • {BLOCKED}.96.107.27
  • {BLOCKED}.96.104.26
  • {BLOCKED}.96.104.15
  • {BLOCKED}.96.103.36
  • {BLOCKED}.85.128.32
  • {BLOCKED}.60.252.8
  • {BLOCKED}.45.84.67
  • {BLOCKED}.45.84.58
  • {BLOCKED}.38.64.1
  • {BLOCKED}.203.224.33
  • {BLOCKED}.203.208.33
  • {BLOCKED}.203.192.33
  • {BLOCKED}.203.160.33
  • {BLOCKED}.203.144.33
  • {BLOCKED}.203.128.33
  • {BLOCKED}.196.64.1
  • {BLOCKED}.193.64.33
  • {BLOCKED}.175.3.8
  • {BLOCKED}.175.3.3
  • {BLOCKED}.14.67.4
  • {BLOCKED}.14.67.14
  • {BLOCKED}.118.1.53
  • {BLOCKED}.118.1.29
  • {BLOCKED}.117.96.5
  • {BLOCKED}.117.96.10
  • {BLOCKED}.115.32.39
  • {BLOCKED}.115.32.36
  • {BLOCKED}.114.240.6
  • {BLOCKED}.114.0.242
  • {BLOCKED}.113.16.11
  • {BLOCKED}.113.16.10
  • {BLOCKED}.112.144.30
  • {BLOCKED}.112.112.10
  • {BLOCKED}.106.46.151
  • {BLOCKED}.106.196.237
  • {BLOCKED}.106.196.232
  • {BLOCKED}.106.196.230
  • {BLOCKED}.106.196.228
  • {BLOCKED}.106.196.212
  • {BLOCKED}.106.196.115
  • {BLOCKED}.106.195.68
  • {BLOCKED}.106.0.20
  • {BLOCKED}.103.96.112
  • {BLOCKED}.103.44.150
  • {BLOCKED}.103.243.112
  • {BLOCKED}.103.24.68
  • {BLOCKED}.103.225.68
  • {BLOCKED}.103.224.68
  • {BLOCKED}.103.176.22
  • {BLOCKED}.103.0.68
  • {BLOCKED}.103.0.117
  • {BLOCKED}.102.9.141
  • {BLOCKED}.102.8.141
  • {BLOCKED}.102.7.90
  • {BLOCKED}.102.3.144
  • {BLOCKED}.102.3.141
  • {BLOCKED}.102.24.34
  • {BLOCKED}.102.227.68
  • {BLOCKED}.102.224.68
  • {BLOCKED}.102.213.68
  • {BLOCKED}.102.200.101
  • {BLOCKED}.102.199.68
  • {BLOCKED}.102.192.68
  • {BLOCKED}.102.154.3
  • {BLOCKED}.102.152.3
  • {BLOCKED}.102.134.68
  • {BLOCKED}.102.128.68
  • {BLOCKED}.101.98.55
  • {BLOCKED}.101.6.2
  • {BLOCKED}.101.226.68
  • {BLOCKED}.101.224.68
  • {BLOCKED}.101.107.85
  • {BLOCKED}.100.96.68
  • {BLOCKED}.100.199.8
  • {BLOCKED}.100.192.68
  • {BLOCKED}.168.255.18
  • {BLOCKED}.95.192.174
  • {BLOCKED}.95.192.1
  • {BLOCKED}.95.1.1
  • {BLOCKED}.175.55.244
  • {BLOCKED}.175.252.16
  • {BLOCKED}.175.150.20
  • {BLOCKED}.175.10.20
  • {BLOCKED}.207.160.110
  • {BLOCKED}.161.97.242
  • {BLOCKED}.161.97.238
  • {BLOCKED}.161.97.234
  • {BLOCKED}.72.33.240
  • {BLOCKED}.6.6.6
  • {BLOCKED}.233.255.228
  • {BLOCKED}.29.249.54
  • {BLOCKED}.29.249.50
  • {BLOCKED}.228.111.118
  • {BLOCKED}.114.115.115
  • {BLOCKED}.114.114.114
  • {BLOCKED}.111.211.22
  • {BLOCKED}.4.0.55
  • {BLOCKED}.100.100.100
  • {BLOCKED}.47.189.18
  • {BLOCKED}.47.189.10

It does the following:

  • It is capable of performing DDoS attacks