Backdoor.Linux.DOFLOO.AB

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes commands from a remote malicious user, effectively compromising the affected system.

Arrival Details

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Backdoor adds the following processes:

• sed -i -e '/exit/d' /etc/rc.local
• sed -i -e '/^\r\n|\r|\n$/d' /etc/rc.local
• sed -i -e '/%s/d' /etc/rc.local
• sed -i -e '2 i%s/%s' /etc/rc.local
• sed -i -e '2 i%s/%s start' /etc/rc.d/rc.local
• sed -i -e '2 i%s/%s start' /etc/init.d/boot.local

Backdoor Routine

This Backdoor executes the following commands from a remote malicious user:

• Initiate DDoS attacks:
  • TCP flood
  • Challenge Collapsar (CC) attack
• Stop DDoS attack
• Execute shell commands

Information Theft

This Backdoor gathers the following data:

• CPU information
• Memory statistics
• IP address of infected machine
• Reads the following information from /proc:
  • /proc/stat
  • /proc/meminfo
  • /proc/cpuinfo
  • /proc/net/dev
  • /proc/self/exe
  • /proc/self/maps
  • /proc/sys/vm/overcommit_memory
  • /proc/sys/kernel/rtsig-max
  • /proc/sys/kernel/ngroups_max
  • /proc/sys/kernel/osrelease
  • /proc/self/fd/%d/%s
  • /proc/self/fd
  • /proc/net

Other Details

This Backdoor opens the following files:

• /etc/host.conf
• /etc/resolv.conf
• /etc/nsswitch.conf
• /etc/suid-debug
• /etc/ld.so.cache