Trojan.SH.BROOTKIT.A

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Wird ausgeführt und löscht sich dann selbst.

Löscht Dateien, so dass Programme und Anwendungen nicht ordnungsgemäß ausgeführt werden.

Führt heruntergeladene Dateien aus, deren bösartige Routinen vom betroffenen System angezeigt werden.

Übertragungsdetails

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

Fügt die folgenden Ordner hinzu:

• /usr/lib/...
• /tmp/...

Schleust die folgenden Eigenkopien in das betroffene System ein:

• /usr/lib/.../diskmanagerd
• /tmp/.../diskmanagerd
• /tmp/.../just4root

Wird ausgeführt und löscht sich dann selbst.

Andere Systemänderungen

Löscht die folgenden Dateien:

• /usr/lib/.../diskmanagerd
• /tmp/.../just4run
• /tmp/.../pxe
• /tmp/.../pxe.c
• /tmp/.../.d1r7y.txt
• /tmp/.h
• /tmp/.hh
• /tmp/.helpdd
• /tmp/.../
• /tmp/.../brootkit.sh
• /tmp/.../install.sh
• /tmp/vxbkyxrlq2hly2s
• /usr/lib/.../kacpi_notify
• /tmp/moni.lod
• /tmp/gates.lod
• /etc/init.d/selinux
• /etc/init.d/DbSecuritySpt
• /etc/rc1.d/S97DbSecuritySpt
• /etc/rc2.d/S97DbSecuritySpt
• /etc/rc3.d/S97DbSecuritySpt
• /etc/rc4.d/S97DbSecuritySpt
• /etc/rc5.d/S97DbSecuritySpt
• /usr/bin/bsd-port/conf.n
• /usr/bin/bsd-port/getty
• /usr/bin/bsd-port/getty.lock
• /tmp/pythompy
• /etc/rc1.d/S99selinux
• /etc/rc2.d/S99selinux
• /etc/rc3.d/S99selinux
• /etc/rc4.d/S99selinux
• /etc/rc5.d/S99selinux

Einschleusungsroutine

Schleust die folgenden Dateien ein:

• /tmp/.helpdd
• /etc/cron.hourly/gcc4lef.sh
• /tmp/.../just4run

Download-Routine

Führt heruntergeladene Dateien aus, deren bösartige Routinen vom betroffenen System angezeigt werden.

Andere Details

Es macht Folgendes:

• It creates the following cron jobs for persistence:
  
  • Path: /etc/cron.hourly/gcc4lef.sh
  • Schedule: Every 3 minutes
  • Command: */3 * * * * root /etc/cron.hourly/gcc4lef.sh
• It does the following once an Anti-Virus program is running on the affected machine:
  • safedog
  • Uninstall the following:
  • sddev
  • Terminates the following:
  • safedog
  • sdmonitor
  • sdcc
  • udcenter
  • sdcmd
  • sdsvrd
  • Sdacm
  • Udpro
  • sduibin
  • Deletes the following:
  • /etc/sd_uninstall
  • /etc/init.d/sdccboot
  • /etc/init.d/safedog
  • /etc/init.d/sdboot
  • /etc/init.d/udboot
  • /etc/rc2.d/S99sdccboot
  • /etc/rc3.d/S99sdccboot
  • /etc/rc4.d/S99sdccboot
  • /etc/rc5.d/S99sdccboot
  • /etc/rc2.d/S99udboot
  • /etc/rc3.d/S99udboot
  • /etc/rc4.d/S99udboot
  • /etc/rc5.d/S99udboot
  • /etc/rc2.d/S99sdboot
  • /etc/rc3.d/S99sdboot
  • /etc/rc4.d/S99sdboot
  • /etc/rc5.d/S99sdboot
  • /usr/bin/sdcc
  • /usr/bin/sdmonitor
  • /usr/bin/sd_autoexmn
  • /usr/bin/runsdcc
  • /usr/bin/sdccboot
  • /usr/bin/udboot
  • /usr/bin/udcenter
  • /usr/bin/udpro
  • /usr/bin/sdalarm
  • /usr/bin/sdsetos
  • /usr/bin/safedog_uninstall
  • /usr/bin/safedog
  • /usr/bin/sdboot
  • /usr/bin/sdstart
  • /usr/bin/sdsvrd
  • /usr/bin/sdwebdir
  • /usr/bin/sdrtdefendupdate
  • /usr/bin/sdcmd
  • /usr/bin/sdtest
  • /usr/bin/sdui
  • /usr/bin/sduibin
  • /usr/bin/sdcloud
  • /usr/bin/udinstall
  • /usr/bin/sdacm
  • /usr/bin/sdrepo
  • /usr/bin/uduninstall
  • /usr/bin/SDDownload
  • /etc/sdinfo.conf
  • /etc/udcenter.conf
  • /etc/safedog
  • /etc/safedog/libs/safedog
  • /etc/safedog/libs/sdcommon
  • /etc/safedog/libs/sdcc
  • /etc/cloudhelper
  • /etc/init.d/sdccboot
  • /etc/init.d/rc2.d/S99sdccboot
  • /etc/init.d/rc3.d/S99sdccboot
  • /etc/init.d/rc4.d/S99sdccboot
  • /etc/init.d/rc5.d/S99sdccboot
  • /etc/rc2.d/S99sdccboot
  • /etc/rc3.d/S99sdccboot
  • /etc/rc4.d/S99sdccboot
  • /etc/rc5.d/S99sdccboot
  • /etc/safedog/sdcc/bin/sdcc
  • /usr/bin/sdcc
  • /etc/safedog/sdcc/script/runsdcc
  • /usr/bin/runsdcc
  • /etc/safedog/sdcc/script/sdccboot
  • /usr/bin/sdccboot
  • /etc/safedog/logs/sdcc.log
  • /etc/safedog/sdcc/script/udboot
  • /etc/safedog/sdcc/bin/udcenter
  • /etc/safedog/sdcc/bin/udpro
  • /etc/safedog/sdcc/bin/sdalarm
  • /etc/safedog/server/script/sdsetos
  • /etc/safedog/script/safedog_uninstall
  • /etc/sd_uninstall/
  • aegis
  • Uninstall the following:
  • /etc/init.d/aegis
  • Terminates the following:
  • /etc/init.d/aegis
  • aegis_cli
  • aegis_update
  • AliYunDun
  • AliHids
  • AliYunDunUpdate
  • Deletes the following:
  • /etc/init.d/aegis
  • /etc/runlevels/default/aegis
  • /etc/rc2.d/S80aegis
  • /etc/rc3.d/S80aegis
  • /etc/rc4.d/S80aegis
  • /etc/rc5.d/S80aegis
  • /etc/rc.d/rc2.d/S80aegis
  • /etc/rc.d/rc3.d/S80aegis
  • /etc/rc.d/rc4.d/S80aegis
  • /etc/rc.d/rc5.d/S80aegis
  • /usr/local/aegis/aegis_client
  • /usr/local/aegis/aegis_update
  • /usr/local/aegis/alihids
  • yunsuo
  • Uninstall the following:
  • /usr/local/yunsuo_agent
  • Terminates the following:
  • yunsuo
  • /etc/init.d/yunsuo
  • Deletes the following:
  • /etc/init.d/yunsuo
  • clamd
  • Terminates the following:
  • clamd
  • /etc/init.d/avast
  • Deletes the following files:
  • all files related to clamav
  • avast
  • Terminates the following:
  • avast
  • /etc/init.d/avast
  • Deletes the following:
  • all files related to avast
  • avgd
  • Terminates the following:
  • avgd
  • /etc/init.d/avgd
  • Deletes the following:
  • /opt/avg/
  • all files related to avg
  • cmdavd and cmdmgd
  • Terminates the following:
  • cmdavd
  • Cmdmgd
  • /etc/init.d/cmdavd
  • /etc/init.d/cmdmgd
  • Deletes the following:
  • /opt/COMODO
  • all files related to CAV_LINUX
  • drweb-configd and drweb-spider-kmod
  • Terminates the following:
  • drweb-spider-kmod
  • drweb-configd
  • /etc/init.d/drweb-spider-kmod
  • /etc/init.d/drweb-configd
  • Deletes the following:
  • /opt/drweb.com
  • all files related to drweb
  • esets
  • Terminates the following:
  • /etc/init.d/esets
  • Deletes the following:
  • /opt/eset/
  • xmirrord
  • Uninstall the following:
  • /usr/share/xmirror/scripts
  • Terminates the following:
  • xmirrord
  • /etc/init.d/xmirrord
  • Deletes the following:
  • all files related to xmirrord