UNIX_XORDDOS.A

This backdoor may be downloaded by other malware/grayware/spyware from remote sites.

It connects to a website to send and receive information.

Arrival Details

This backdoor may be downloaded by other malware/grayware/spyware from remote sites.

Backdoor Routine

This backdoor connects to the following websites to send and receive information:

• http://{BLOCKED}.{BLOCKED}.21.81
• http://{BLOCKED}.{BLOCKED}.9.226
• http://{BLOCKED}.{BLOCKED}.9.225 (if 64-bit)
• http://{BLOCKED}.{BLOCKED}.21.76 (if 64-bit)

It posts the following information to its command and control (C&C) server:

• iid={random value}
• username={hardcoded username}
• password={hard coded password}
• ip={BLOCKED}.{BLOCKED}.9.245:8001|{BLOCKED}.{BLOCKED}.141.50:8001|{BLOCKED}.{BLOCKED}.253.30:8001|ndns.{BLOCKED}1.org:8001|ndns.{BLOCKED}a.org:8001|ndns.{BLOCKED}ao.com:8001|ndns.{BLOCKED}a.com:8001
• ver=3.8.0
• kernel={kernel version}

Download Routine

This backdoor connects to the following website(s) to download and execute a malicious file:

• http://{BLOCKED}.{BLOCKED}.21.82/upload/8001

NOTES:

This backdoor creates a /tmp/{random value} folder. It makes the following changes:

• /usr/bin/wget (Writable and executable)
• /bin/wget (Writable and executable)
• /usr/bin/cut (Writable and executable)
• /bin/cut (Writable and executable)

This backdoor selects the malicious URLs to communicate to based on the processor of the infected system.