ELF_VPNFILT.D

This Trojan may be downloaded by other malware/grayware from remote sites.

Arrival Details

This Trojan may be downloaded by the following malware/grayware from remote sites:

• ELF_VPNFILT.A

Other Details

This Trojan does the following:

• This module's behavior will depend on the following parameters upon execution:
  • dump: ← used to store all of the intercepted HTTP headers to (reps_*.bin ← created at ELF_VPNFILT.B)
  • dst: ← used to create a specific destination IP address range that the rule for iptables should apply to
  • src: ← used to create a specific source IP address range that the rule for iptables should apply to
  • site: ← When a URL is provided in this parameter, this URL will have its web pages targeted for JavaScript injection
  • hook: ← this parameter specifies the location or URL for the JavaScript file to be injected
• It is capable of JavaScript Injection based on the data in the parameter "site:"
• It converts HTTPS requests with HTTP to lower the security and extract data such as credentials and login information.
• It intercepts the data on the following strings in the authorization header to extract login credentials:
  • ail=
  • sername=
  • ame=
  • ser=
  • ogin=
  • hone=
  • session[password
  • session%5Bpassword
  • session%5Busername
• It intercepts data and network traffic that is destined to port 80 and configures the network address (iptables) of the infected device to be redirected to port 8888 by executing the following Linux Shell Commands:
  • iptables -I INPUT -p tcp --dport 8888 -j ACCEPT
  • iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8888
• To ensure that the modified rules on the infected device's iptable will not be removed, this module deletes and restores them approximately every four minutes.