HKTL_SSHBRUTE.GA-ELF

 Analysis by: Kiyoshi Obuchi

 ALIASES:

Linux/HackTool.Sshbrute.C potentially unsafe (ESSET); HackTool:Linux/BF.E (Microsoft)

 PLATFORM:

Linux

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Hacking Tool

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Downloaded from the Internet, Dropped by other malware, Bundled with other malware

This Hacking Tool arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It arrives as a component bundled with malware/grayware packages.

It does not have any propagation routine.

It does not have any backdoor routine.

  TECHNICAL DETAILS

File Size:

1,384,518 bytes

File Type:

ELF

Memory Resident:

No

Initial Samples Received Date:

02 Feb 2011

Payload:

Modifies files

Arrival Details

This Hacking Tool arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It arrives as a component bundled with malware/grayware packages.

Propagation

This Hacking Tool does not have any propagation routine.

Backdoor Routine

This Hacking Tool does not have any backdoor routine.

Other Details

This Hacking Tool does the following:

  • This hacking tool modifies the following files:
    • vuln.txt : appends the IP address of the host if bash is available and if the host is resolved or not
    • nobash.txt: appends the IP address of the host if bash is unavailable and if host is existing or not
  • The hacking tool requires the following arguments to proceed with its intended routine:
    • max forks: (maximum forks allowed)
  • The hacking tool requires the following files to proceed with its intended routine:
    • pass.txt: the list of usernames and passwords that will be used as credentials to login to hosts listed in scan.log
    • scan.log: list of IP addresses to connect to
  • This hacking tool is used as a brute force tool to connect to a host specified in scan.log (list of IP addresses to connect to). It then uses the entries in pass.txt to login to the IP address. This is all done via SSH network protocol.

  SOLUTION

Minimum Scan Engine:

9.850

SSAPI PATTERN File:

1.995.00

SSAPI PATTERN Date:

05 Sep 2018

Scan your computer with your Trend Micro product to delete files detected as HKTL_SSHBRUTE.GA-ELF. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check the following Trend Micro Support pages for more information:


Did this description help? Tell us how we did.