ELF_ROOPRE.E

 Analysis by: RonJay Kristoffer Caragay

 ALIASES:

Backdoor.Linux.Roopre.d (Kaspersky), ELF/Roopre-A (Sophos); Backdoor.Linux.Roopre (Ikarus); Linux/BackDoor-Roopre.gen.a (McAfee); Linux/Roopre.A (ESET-NOD32)

 PLATFORM:

Linux


  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Downloaded from the Internet, Dropped by other malware


This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes commands from a remote malicious user, effectively compromising the affected system. It connects to a website to send and receive information.

  TECHNICAL DETAILS

File Size:

27,304 bytes

File Type:

ELF

Memory Resident:

Yes

Initial Samples Received Date:

11 Oct 2014

Payload:

Compromises system security

Arrival Details

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Backdoor Routine

This backdoor executes the following commands from a remote malicious user:

  • Q - Sends additional data and information
  • P - Sends the current state of running tasks, or the count of currently working threads
  • R - Refreshes the session with the C&C server
  • F - Downloads a file from the C&C server
  • L - Sets the maximum number of threads and the connection timeout, or loads a shared library
  • S - Stops all threads executing the loaded shared library routines
  • G - Creates threads to execute exported functions of the loaded shared libraries

It connects to the following websites to send and receive information:

  • http://{BLOCKED}atelit.biz/ololo.php

  SOLUTION

Minimum Scan Engine:

9.700

FIRST VSAPI PATTERN FILE:

11.204.06

FIRST VSAPI PATTERN DATE:

11 Oct 2014

VSAPI OPR PATTERN File:

11.205.00

VSAPI OPR PATTERN Date:

11 Oct 2014

Scan your computer with your Trend Micro product and note files detected as ELF_ROOPRE.E


Did this description help? Tell us how we did.