ELF_XORDDOS.JLT
Aliases: Linux/DDoS-BH (Sophos); HEUR:Trojan-DDoS.Linux.Xarcen.d (Kaspersky); Linux.Xorddos (Norton); DoS:Linux/Xorddos!rfn (Microsoft); ELF/Xorddos.D!tr (Fortinet)
Platform: Linux
Threat Type: Backdoor
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
File Size: 562,338 bytes
File Type: ELF
Initial Samples Received Date: 14 Nov 2017
Arrival Details
This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This Backdoor drops the following copies of itself into the affected system:
- /bin/{random 11 characters}
It drops the following files:
- /bin/{random 11 characters}.sh
Autostart Technique
This Backdoor drops the following files:
- /etc/cron.hourly/{string}.sh
- /etc/init.d/{script file name}
- /etc/rc{1-5}.d/S90{script file name}
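The Installation and Autostart Technique sections above name the file-system artifacts this backdoor leaves behind. The following script is an added example (not part of the original write-up, not Trend Micro code) that checks those locations: it looks for a /bin/{name} and /bin/{name}.sh pair with an 11-character name, for .sh files in /etc/cron.hourly, and for an init script registered as S90 in every runlevel 1 through 5. The path patterns are derived from the listing above; the directory walk and the "all five runlevels" threshold are the example's own assumptions.

```python
import os
import re
from collections import defaultdict

# Persistence paths named in the write-up (the names are random, so match their shape)
BIN_NAME = re.compile(r"^/bin/([A-Za-z0-9]{11})(\.sh)?$")
CRON_HOURLY_SH = re.compile(r"^/etc/cron\.hourly/[^/]+\.sh$")
RC_S90_LINK = re.compile(r"^/etc/rc([1-5])\.d/S90([^/]+)$")

def find_xorddos_artifacts(paths):
    """Map indicator name -> matches, given an iterable of absolute paths."""
    bin_forms = defaultdict(set)    # 11-char name -> forms seen: "bin" and/or "sh"
    s90_levels = defaultdict(set)   # init.d script name -> runlevels with an S90 link
    hits = {"cron_hourly_sh": []}
    for p in paths:
        if m := BIN_NAME.match(p):
            bin_forms[m.group(1)].add("sh" if m.group(2) else "bin")
        elif CRON_HOURLY_SH.match(p):
            hits["cron_hourly_sh"].append(p)
        elif m := RC_S90_LINK.match(p):
            s90_levels[m.group(2)].add(m.group(1))
    # A lone 11-character name in /bin is common (e.g. hostnamectl); the dropper
    # leaves both /bin/{name} and /bin/{name}.sh, so require the pair.
    hits["bin_pair"] = sorted(n for n, f in bin_forms.items() if f == {"bin", "sh"})
    # The write-up lists S90 links for runlevels 1-5; require all five (assumed threshold).
    hits["rc_s90_all_runlevels"] = sorted(n for n, l in s90_levels.items() if len(l) == 5)
    return hits

def scan_live_system():
    """Enumerate the directories named in the write-up and run the checks on them."""
    dirs = ["/bin", "/etc/cron.hourly"] + [f"/etc/rc{i}.d" for i in range(1, 6)]
    paths = []
    for d in dirs:
        try:
            paths += [os.path.join(d, entry) for entry in os.listdir(d)]
        except OSError:
            pass  # directory absent on this distribution
    return find_xorddos_artifacts(paths)

if __name__ == "__main__":
    for indicator, matches in scan_live_system().items():
        print(f"{indicator}: {matches or 'none'}")
```

Any hit under cron_hourly_sh should be compared against what the package manager owns before it is treated as a finding, since legitimate hourly jobs also live there.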
Other Details
This Backdoor connects to the following possibly malicious URLs:
- k1.{BLOCKED}y.com
- p10.{BLOCKED}4.net