Linux.VPNFilter (Norton), Trojan.Linux.VPNFilter.D (Bitdefender)
Threat Type: Trojan
In the wild: Yes
Dropped by other malware
This Trojan may be downloaded by other malware/grayware from remote sites.
07 Jun 2018
Compromises system security, Steals information
This Trojan may be downloaded by the following malware/grayware from remote sites:
This Trojan does the following:
- This module's behavior depends on the following parameters passed to it at execution:
  - dump: the location where all intercepted HTTP headers are stored (reps_*.bin, created by ELF_VPNFILT.B)
  - dst: restricts the iptables rule to a specific destination IP address range
  - src: restricts the iptables rule to a specific source IP address range
- It downgrades HTTPS requests to HTTP to weaken the connection's protection and extract data such as credentials and login information.
- It inspects the following strings in the Authorization header of intercepted traffic to extract login credentials:
- It intercepts network traffic destined for port 80 by adding iptables rules on the infected device that redirect that traffic to port 8888, using the following Linux shell commands:
  - iptables -I INPUT -p tcp --dport 8888 -j ACCEPT
  - iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8888
- To ensure that the modified iptables rules on the infected device are not removed, this module deletes and re-adds them approximately every four minutes.
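The two iptables rules listed above are the observable footprint of this module on a device. The following check, an added example that is not Trend Micro's code, parses `iptables-save` output (a constructed sample is embedded) and flags a nat PREROUTING REDIRECT of tcp/80 to port 8888 together with a filter INPUT ACCEPT for tcp/8888; the port numbers come from the description above, and the function names are this example's own.

```python
import shlex

# Constructed sample of `iptables-save` output: one benign rule plus the two
# rules the description lists. iptables-save prints the REDIRECT destination
# as --to-ports; the commands in the write-up used the --to-port spelling.
SAMPLE_IPTABLES_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8888
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 8888 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

# Options whose following token is a value the check cares about.
_OPTS = {"-p": "proto", "--protocol": "proto", "--dport": "dport",
         "--destination-port": "dport", "-j": "target", "--jump": "target",
         "--to-ports": "to_port", "--to-port": "to_port"}


def parse_rules(save_output):
    """Yield (table, rule) for every '-A' line; rule holds chain, protocol,
    destination port, target and REDIRECT port when present."""
    table = None
    for line in save_output.splitlines():
        line = line.strip()
        if line.startswith("*"):            # table header, e.g. *nat
            table = line[1:]
        elif line.startswith("-A "):        # append-rule line
            toks = shlex.split(line)
            rule = {"chain": toks[1]}
            for i, tok in enumerate(toks):
                if tok in _OPTS and i + 1 < len(toks):
                    rule[_OPTS[tok]] = toks[i + 1]
            yield table, rule


def find_vpnfilter_rules(save_output):
    """Return a finding per rule matching the redirect/listener pair above."""
    findings = []
    for table, r in parse_rules(save_output):
        if r.get("proto") != "tcp":
            continue
        if (table == "nat" and r["chain"] == "PREROUTING"
                and r.get("dport") == "80" and r.get("target") == "REDIRECT"
                and r.get("to_port") == "8888"):
            findings.append("nat/PREROUTING: tcp/80 redirected to local port 8888")
        elif (table == "filter" and r["chain"] == "INPUT"
                and r.get("dport") == "8888" and r.get("target") == "ACCEPT"):
            findings.append("filter/INPUT: inbound tcp/8888 accepted")
    return findings
```

Because the module deletes and re-adds its rules roughly every four minutes, a single snapshot can miss them; run the check on a schedule and alert on any hit.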
07 Jun 2018
08 Jun 2018
Scan your computer with your Trend Micro product to delete files detected as ELF_VPNFILT.D. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check the following Trend Micro Support pages for more information: