Trojan.Linux.SSHBRUTE.A

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Download Routine

This Trojan accesses the following websites to download files:

• http://{BLOCKED}.{BLOCKED}.70.249/.x15cache
• {BLOCKED}.{BLOCKED}.70.249/rp
• {BLOCKED}.{BLOCKED}.70.249/.satan

Other Details

This Trojan does the following:

• Accepts the following parameters:
  Format → scan [ARGUMENT] [[USER PASS] FILE] [IPs/IPs Port FILE]
  
  • -t [NUMTHREADS] → change the number of threads used. Default is 10
  • -m [MODE] → Change the way the scan works. Default is 1
  • -f [FINAL SCAN] → Does a final scan on found servers. Default is 2
  • Use -f 1 for A.B class /16. Default is 2 for A.B.C /24
  • -i [IPSCAN] → use -i 0 to scan ip class A.B. Default is 1
  • if you use -i 0 then use ./scan -p 22 -i 0 p 192.168 as argument for ip file
  • -m 0 → for non selective scanning
  • -P 0 leave default password unchanged. Changes password by default.
  • -s [TIMEOUT] → Change the timeout. Default is 6
  • -S [2ndTimeout] → change the 2nd time out. Default is 6
  • -p [PORT] → Specify another port to connect to. 0 for multiport
  • -c [REMOTE-COMMAND] → Command to execute on connect. Use ; or && with commands
  • -h → Show this help
  • -H 1 → For Extra help
• This malware performs SSH brute-force to the aforementioned list of IP address from the [IPs/IPs Port FILE] Input file and uses the credentials given by the [[USER PASS] FILE] input file.