Linux.CyberEurope.1

Added to the Dr.Web virus database: 2016-09-06

Virus description added:

SHA1:

  • f72dc68b30a06e1df2ab9cf8cd2664ea16d42b28

A Trojan for Linux operating systems. Its code appears to have been written for research purposes as part of the https://cyber-europe.net project.

To determine whether it is running on a virtual machine or in the debugger, the Trojan (named Linux.CyberEurope.1) checks whether the “gdb” or “trace” strings are present in the following files:

/proc/<PID>/cmdline
/proc/<PID>/status

If the Trojan finds either string, it keeps running, but the byte it uses to retrieve the command and control (C&C) server’s IP address and to decrypt the following lines is modified:

screen Linux.CyberEurope.1 #drweb

Linux.CyberEurope.1 verifies whether the process is running on a virtual machine by executing the cpuid instruction and analyzing the result. Once verification is complete, the Trojan establishes a connection with the C&C server and sends it the following request:

GET /evl/host/files/file.ext HTTP/1.0\r\n\r\n

The server’s response is saved to /tmp/.cron, which is then executed and deleted.

The Trojan has a two-part payload. The first part is implemented via ROP (return-oriented programming), while the second part is compressed with zlib and encrypted using AES. The first part of the payload sends the contents of /etc/shadow to 127.127.127.127:2222; the second part does the same for the contents of /etc/passwd.
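The indicators in the description above (the /tmp/.cron drop, the GET request, and the 127.127.127.127:2222 destination) can be checked on a host; because 127.0.0.0/8 is loopback, that exfiltration socket shows up in /proc/net/tcp but never on the wire, so a network sensor will not see it. The script below is an added example, not Dr.Web's tooling; the /proc/net/tcp rows and proxy log lines in it are constructed samples.

```python
import re
import socket
import struct

# Indicators taken from the description above; all sample data here is constructed.
EXFIL_ADDR = ("127.127.127.127", 2222)       # receives /etc/shadow and /etc/passwd
DROPPED_FILE = "/tmp/.cron"                  # where the C&C response is saved and run
DOWNLOAD_PATH = "/evl/host/files/file.ext"   # path of the Trojan's GET request

def hex_to_addr(field):
    """Decode one /proc/net/tcp address field such as '0100007F:0016'.
    The IPv4 part is hex in host byte order (little-endian on x86)."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)

def exfil_connections(proc_net_tcp):
    """Return (local, remote) pairs whose remote end is the exfiltration socket."""
    hits = []
    for line in proc_net_tcp.splitlines()[1:]:      # skip the header row
        parts = line.split()
        if len(parts) < 4:
            continue
        local, remote = hex_to_addr(parts[1]), hex_to_addr(parts[2])
        if remote == EXFIL_ADDR:
            hits.append((local, remote))
    return hits

def dropper_processes(cmdlines):
    """cmdlines: {pid: raw /proc/<pid>/cmdline bytes}; flag argv[0] == /tmp/.cron."""
    return [pid for pid, raw in cmdlines.items()
            if raw.split(b"\0")[0] == DROPPED_FILE.encode()]

def download_requests(log_lines):
    """Flag proxy log lines carrying the Trojan's HTTP/1.0 download request."""
    pattern = re.compile(r'"GET ' + re.escape(DOWNLOAD_PATH) + r' HTTP/1\.0"')
    return [ln for ln in log_lines if pattern.search(ln)]

# Constructed sample: an sshd listener plus one established session to 127.127.127.127:2222.
SAMPLE_PROC_NET_TCP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0\n"
    "   1: 0201A8C0:B2F4 7F7F7F7F:08AE 01 00000000:00000000 00:00000000 00000000  1000        0 23456 1 0000000000000000 20 4 30 10 -1\n"
)
SAMPLE_PROXY_LOG = [
    '10.0.0.5 - - [06/Sep/2016:12:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.5 - - [06/Sep/2016:12:00:07 +0000] "GET /evl/host/files/file.ext HTTP/1.0" 200 4096',
]
```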

Curing recommendations

Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.
