Trojan.SH.BROOTKIT.A

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Se ejecuta y, a continuación, se elimina.

Elimina archivos para impedir la ejecución correcta de programas y aplicaciones.

Ejecuta los archivos descargados cuyas rutinas maliciosas muestra el sistema afectado.

Detalles de entrada

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Instalación

Agrega las carpetas siguientes:

• /usr/lib/...
• /tmp/...

Crea las siguientes copias de sí mismo en el sistema afectado:

• /usr/lib/.../diskmanagerd
• /tmp/.../diskmanagerd
• /tmp/.../just4root

Se ejecuta y, a continuación, se elimina.

Otras modificaciones del sistema

Elimina los archivos siguientes:

• /usr/lib/.../diskmanagerd
• /tmp/.../just4run
• /tmp/.../pxe
• /tmp/.../pxe.c
• /tmp/.../.d1r7y.txt
• /tmp/.h
• /tmp/.hh
• /tmp/.helpdd
• /tmp/.../
• /tmp/.../brootkit.sh
• /tmp/.../install.sh
• /tmp/vxbkyxrlq2hly2s
• /usr/lib/.../kacpi_notify
• /tmp/moni.lod
• /tmp/gates.lod
• /etc/init.d/selinux
• /etc/init.d/DbSecuritySpt
• /etc/rc1.d/S97DbSecuritySpt
• /etc/rc2.d/S97DbSecuritySpt
• /etc/rc3.d/S97DbSecuritySpt
• /etc/rc4.d/S97DbSecuritySpt
• /etc/rc5.d/S97DbSecuritySpt
• /usr/bin/bsd-port/conf.n
• /usr/bin/bsd-port/getty
• /usr/bin/bsd-port/getty.lock
• /tmp/pythompy
• /etc/rc1.d/S99selinux
• /etc/rc2.d/S99selinux
• /etc/rc3.d/S99selinux
• /etc/rc4.d/S99selinux
• /etc/rc5.d/S99selinux

Rutina de infiltración

Infiltra los archivos siguientes:

• /tmp/.helpdd
• /etc/cron.hourly/gcc4lef.sh
• /tmp/.../just4run

Rutina de descarga

Ejecuta los archivos descargados cuyas rutinas maliciosas muestra el sistema afectado.

Otros detalles

Hace lo siguiente:

• It creates the following cron jobs for persistence:
  
  • Path: /etc/cron.hourly/gcc4lef.sh
  • Schedule: Every 3 minutes
  • Command: */3 * * * * root /etc/cron.hourly/gcc4lef.sh
• It does the following once an Anti-Virus program is running on the affected machine:
  • safedog
  • Uninstall the following:
  • sddev
  • Terminates the following:
  • safedog
  • sdmonitor
  • sdcc
  • udcenter
  • sdcmd
  • sdsvrd
  • Sdacm
  • Udpro
  • sduibin
  • Deletes the following:
  • /etc/sd_uninstall
  • /etc/init.d/sdccboot
  • /etc/init.d/safedog
  • /etc/init.d/sdboot
  • /etc/init.d/udboot
  • /etc/rc2.d/S99sdccboot
  • /etc/rc3.d/S99sdccboot
  • /etc/rc4.d/S99sdccboot
  • /etc/rc5.d/S99sdccboot
  • /etc/rc2.d/S99udboot
  • /etc/rc3.d/S99udboot
  • /etc/rc4.d/S99udboot
  • /etc/rc5.d/S99udboot
  • /etc/rc2.d/S99sdboot
  • /etc/rc3.d/S99sdboot
  • /etc/rc4.d/S99sdboot
  • /etc/rc5.d/S99sdboot
  • /usr/bin/sdcc
  • /usr/bin/sdmonitor
  • /usr/bin/sd_autoexmn
  • /usr/bin/runsdcc
  • /usr/bin/sdccboot
  • /usr/bin/udboot
  • /usr/bin/udcenter
  • /usr/bin/udpro
  • /usr/bin/sdalarm
  • /usr/bin/sdsetos
  • /usr/bin/safedog_uninstall
  • /usr/bin/safedog
  • /usr/bin/sdboot
  • /usr/bin/sdstart
  • /usr/bin/sdsvrd
  • /usr/bin/sdwebdir
  • /usr/bin/sdrtdefendupdate
  • /usr/bin/sdcmd
  • /usr/bin/sdtest
  • /usr/bin/sdui
  • /usr/bin/sduibin
  • /usr/bin/sdcloud
  • /usr/bin/udinstall
  • /usr/bin/sdacm
  • /usr/bin/sdrepo
  • /usr/bin/uduninstall
  • /usr/bin/SDDownload
  • /etc/sdinfo.conf
  • /etc/udcenter.conf
  • /etc/safedog
  • /etc/safedog/libs/safedog
  • /etc/safedog/libs/sdcommon
  • /etc/safedog/libs/sdcc
  • /etc/cloudhelper
  • /etc/init.d/sdccboot
  • /etc/init.d/rc2.d/S99sdccboot
  • /etc/init.d/rc3.d/S99sdccboot
  • /etc/init.d/rc4.d/S99sdccboot
  • /etc/init.d/rc5.d/S99sdccboot
  • /etc/rc2.d/S99sdccboot
  • /etc/rc3.d/S99sdccboot
  • /etc/rc4.d/S99sdccboot
  • /etc/rc5.d/S99sdccboot
  • /etc/safedog/sdcc/bin/sdcc
  • /usr/bin/sdcc
  • /etc/safedog/sdcc/script/runsdcc
  • /usr/bin/runsdcc
  • /etc/safedog/sdcc/script/sdccboot
  • /usr/bin/sdccboot
  • /etc/safedog/logs/sdcc.log
  • /etc/safedog/sdcc/script/udboot
  • /etc/safedog/sdcc/bin/udcenter
  • /etc/safedog/sdcc/bin/udpro
  • /etc/safedog/sdcc/bin/sdalarm
  • /etc/safedog/server/script/sdsetos
  • /etc/safedog/script/safedog_uninstall
  • /etc/sd_uninstall/
  • aegis
  • Uninstall the following:
  • /etc/init.d/aegis
  • Terminates the following:
  • /etc/init.d/aegis
  • aegis_cli
  • aegis_update
  • AliYunDun
  • AliHids
  • AliYunDunUpdate
  • Deletes the following:
  • /etc/init.d/aegis
  • /etc/runlevels/default/aegis
  • /etc/rc2.d/S80aegis
  • /etc/rc3.d/S80aegis
  • /etc/rc4.d/S80aegis
  • /etc/rc5.d/S80aegis
  • /etc/rc.d/rc2.d/S80aegis
  • /etc/rc.d/rc3.d/S80aegis
  • /etc/rc.d/rc4.d/S80aegis
  • /etc/rc.d/rc5.d/S80aegis
  • /usr/local/aegis/aegis_client
  • /usr/local/aegis/aegis_update
  • /usr/local/aegis/alihids
  • yunsuo
  • Uninstall the following:
  • /usr/local/yunsuo_agent
  • Terminates the following:
  • yunsuo
  • /etc/init.d/yunsuo
  • Deletes the following:
  • /etc/init.d/yunsuo
  • clamd
  • Terminates the following:
  • clamd
  • /etc/init.d/avast
  • Deletes the following files:
  • all files related to clamav
  • avast
  • Terminates the following:
  • avast
  • /etc/init.d/avast
  • Deletes the following:
  • all files related to avast
  • avgd
  • Terminates the following:
  • avgd
  • /etc/init.d/avgd
  • Deletes the following:
  • /opt/avg/
  • all files related to avg
  • cmdavd and cmdmgd
  • Terminates the following:
  • cmdavd
  • Cmdmgd
  • /etc/init.d/cmdavd
  • /etc/init.d/cmdmgd
  • Deletes the following:
  • /opt/COMODO
  • all files related to CAV_LINUX
  • drweb-configd and drweb-spider-kmod
  • Terminates the following:
  • drweb-spider-kmod
  • drweb-configd
  • /etc/init.d/drweb-spider-kmod
  • /etc/init.d/drweb-configd
  • Deletes the following:
  • /opt/drweb.com
  • all files related to drweb
  • esets
  • Terminates the following:
  • /etc/init.d/esets
  • Deletes the following:
  • /opt/eset/
  • xmirrord
  • Uninstall the following:
  • /usr/share/xmirror/scripts
  • Terminates the following:
  • xmirrord
  • /etc/init.d/xmirrord
  • Deletes the following:
  • all files related to xmirrord