ELF_CHAPRO.B

 Analysis by: Anthony Joe Melgarejo

 ALIASES:

Backdoor:Linux/Apmod.gen!A (Microsoft), Linux.Apmod (Symantec), Linux/Chapro.E trojan (ESET), Troj/Apmod-Gen (Sophos), Backdoor.Linux.Apmod (Ikarus)

 PLATFORM:

Linux

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Dropped by other malware

This Trojan may be dropped by other malware.

  TECHNICAL DETAILS

File Size:

37,272 bytes

File Type:

ELF

Memory Resident:

Yes

Initial Samples Received Date:

16 Mar 2013

Payload:

Connects to URLs/IPs

Arrival Details

This Trojan may be dropped by other malware.

NOTES:

This Trojan is an Apache module for Linux that functions as an output filter. An output filter is a piece of code that inspect, and possibly modify, the response of the Apache web server before sending it to the requesting client.

It only processes the Web server response if the content type contains the following strings:

  • text/html
  • javascript
  • text/js
  • json

It does not process the Web server response if the user agent string contains any of the following:

  • SAFARI
  • OPERA
  • FIREFOX
  • CHROME
  • GOOGLEBOT
  • SLURP
  • YAHOO
  • BING
  • LINUX
  • OPENBSD
  • MACINTOSH
  • MAC OS
  • IPHONE
  • SYMBIANOS
  • NOKIA
  • LINKDEX
  • FROG/1
  • UQER-AGENT
  • BLACKBERRY
  • MOTOROLA
  • APPLE-PUB
  • AKREGATOR
  • SONYERICSSON
  • MACBOOK
  • XENU LINK
  • METAURI
  • REEDER
  • MOODLEBOT
  • SAMSUNG
  • SINDICE-FETCHER
  • EZOOMS
  • NIKOBOT
  • BINLAR
  • DARWIN
  • PLAYSTATION
  • OPERA MINI
  • NINTENDO
  • YANDEX
  • CRAWLER
  • JIKE
  • SPIDER
  • ROBOT
  • PAPERLIBOT
  • SNAPPREVIEWBOT
  • BUFFERBOT
  • MEDIAPARTNERS
  • HATENA
  • BLUEDRAGON
  • WORDPRESS
  • XIANGUO
  • WOOPINGBOT
  • CAFFEINATED
  • FEEDZIRRA
  • BITLYBOT
  • FOIIABOT
  • PROXIMIC
  • VBSEO
  • FOLLOWSITE
  • SOGOU
  • NHN
  • WGCT
  • MSNBOT
  • YOUDAO
  • STACKRAMBLER
  • LWP::SIMPLE
  • QIHOOBOT
  • BRUTUS
  • HTTPCLIENT
  • NIELSEN
  • CURL
  • PHP
  • INDY LIBRARY

It also does not process the Web server response if the Referer name contains any of the following:

  • GOOGLE.
  • YAHOO.
  • YANDEX.
  • RAMBLER.
  • MAIL.RU
  • BING.
  • SEARCH.
  • MSN.
  • ALLTHEWEB.
  • ASK.
  • LOOKSMART.
  • ALTAVISTA.
  • WEB.DE
  • FIREBALL.
  • LYCOS.
  • AOL.
  • ICQ.
  • NETZERO.
  • FRESH-WEATHER.
  • FREECAUSE.
  • MYSEARCH-FINDER.
  • NEXPLORE.
  • ATT.
  • REDROVIN.
  • TOSEEKA.
  • COMCAST.
  • INCREDIMAIL.
  • CHARTER.
  • VERIZON.
  • SUCHE.
  • VIRGILIO.
  • VERDEN.

It creates the following file to identify the clients with modified***:

  • /var/tmp/sess_{random strings generated from the client IP address}

It checks if the file /var/tmp/sess_d0c94b5412e3494af1e7db042c59afa2 if it exists. If the file does not exist, it attempts to get the address of its C&C server by reading the file /usr/lib/libbdl.sO.0. If it fails to get the address of its C&C server from /usr/lib/libbdl.sO.0, it uses the following URL:

  • http://{BLOCKED}.{BLOCKED}.13.65/Home/index.php

It encrypts and saves the received data to the file /var/tmp/sess_d0c94b5412e3494af1e7db042c59afa2. The received data contains the code that is injected to the Web server response.

If the content type is text/html, it searches for the following strings in the Web server response where it injects the code contained in /var/tmp/sess_d0c94b5412e3494af1e7db042c59afa2:

If the content type is not text/html, it appends the code in /var/tmp/sess_d0c94b5412e3494af1e7db042c59afa2 to the Web server response.

  SOLUTION

Minimum Scan Engine:

9.300

FIRST VSAPI PATTERN FILE:

9.848.04

FIRST VSAPI PATTERN DATE:

10 Apr 2013

VSAPI OPR PATTERN File:

9.849.00

VSAPI OPR PATTERN Date:

11 Apr 2013

NOTES:

Step 1

  1. In the server terminal, type the following command:
    rm /var/tmp/sess_*

Step 2: Terminating the Apache Web Server

  1. In the server terminal, type the following command:
    apachectl -k stop

Step 3

  1. Open the file Apache configuration file (usually in /etc/httpd/conf/httpd.conf) in a text editor and delete all lines which start with the following:
    LoadModule uni_expires_module

Step 4

Scan your computer with your Trend Micro product to delete files detected as ELF_CHAPRO.B. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

Step 5: Restart the Apache Web Server

  1. In the server terminal, type the following command:
    apachectl -k start


Did this description help? Tell us how we did.