Trojan.Linux.SSHBRUTE.UWEJS

This Trojan may be downloaded by other malware/grayware from remote sites.

It requires its main component to successfully perform its intended routine. It deletes itself after execution.

Arrival Details

This Trojan may be downloaded by the following malware/grayware from remote sites:

• Trojan.SH.MALXMR.UWEJS

Process Termination

This Trojan terminates the following processes if found running in the affected system's memory:

• perl
• sparky.sh
• pscan2

Information Theft

This Trojan gathers the following account information:

• User Name
• System Date and Time
• Current Working Directory
• Number of Processing Units
• List of Graphic Processors

Stolen Information

This Trojan sends the gathered information via HTTP POST to the following URL:

• http://{BLOCKED}ter.com/assets/.style/remote/info.php

  Other Details

  This Trojan connects to the following URL(s) to get the affected system's IP address:

  • http://{BLOCKED}ter.com/assets/.style/remote/info.php

  It requires its main component to successfully perform its intended routine.

  It does the following:

  • It uses Haiduc scanner to try to infect the following:
    • Devices in the private IP range {BLOCKED}.{BLOCKED}.0.0/16 using the credentials listed in .sslm/pass
    • Devices in the public IP range {random number from 0-216}.0.0.0/8 using the credentials listed in .sslm/.pass
  • It contains the following folder:
    • .sslm/
  • It contains the following files:
    • .sslm/.pass → contains short list of credentials
    • .sslm/a.pl → executes start and uses {random number from 0-216}.0.0.0/8 as argument
    • .sslm/libssl → detected as HackTool.Linux.SSHBRUTE.GA
    • .sslm/pass → contains long list of credentials
    • .sslm/sparky.sh → detected as Trojan.SH.SSHBRUTE.UWEJS
    • .sslm/start → detected as Trojan.SH.SSHBRUTE.UWEJS
    • .sslm/start.pl → executes start.sh
    • .sslm/start.sh → detected as Trojan.SH.SSHBRUTE.UWEJS

  It deletes itself after execution.