Backdoor.Linux.SETAG.RPA
2018年10月25日
:
Linux.Chikdos.B!gen2 (NORTON); Backdoor:Linux/Setag!rfn (MICROSOFT); HEUR:Backdoor.Linux.Ganiw.d (KASPERSKY)
平台:
Linux
总体风险等级:
潜在破坏:
潜在分布:
感染次数:
信息暴露:
恶意软件类型:
Backdoor
有破坏性?:
没有
加密?:
没有
In the Wild:
是的
概要
感染途徑: 从互联网上下载,或由其他恶意软件释放。
它以其他恶意软件释放的文件或用户访问恶意网站时不知不觉下载的文件的形式到达系统。
它执行远程恶意用户的命令,有效地攻击受感染的系统。
它连接到某个网站,发送和接收信息。
技术详细信息
文件大小: 1,223,123 bytes
报告日期: ELF
内存驻留: 没有
初始樣本接收日期: 2018年11月1日
Payload: 植入文件, 连接到 URL/Ip, 窃取信息
新病毒详细信息
It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
安装
它在受感染的系统中植入并执行下列自身副本:
- /usr/bin/bsd-port/getty
它创建下列文件夹:
- /usr/bin/dpkgd
- /usr/bin/bsd-port
后门例程
它执行远程恶意用户的下列命令:
- Initiate DDoS attacks:
- SYN flood
- DNS flood
- ICMP flood
- UDP flood
- TCP flood
- TNS poisoning
- Challenge Collapsar (CC) attack
- Stop DDoS attack
- Execute shell commands
植入例程
它植入下列文件:
- /usr/bin/bsd-port/getty.lock
- /tmp/gates.lod
- /tmp/moni.lod
- /tmp/notify.file
信息窃取
它收集下列数据:
- OS name
- OS version
- CPU clock rate
- CPU usage
- Number of CPU cores
- Network usage
- RAM size
- IP address of infected machine
其他详细信息
它连接到下列网站,发送和接收信息:
- {BLOCKED}.{BLOCKED}.163.68
- {BLOCKED}.{BLOCKED}.192.68
- {BLOCKED}.{BLOCKED}.213.68
- {BLOCKED}.{BLOCKED}.200.101
- {BLOCKED}.{BLOCKED}.2.2
- {BLOCKED}.{BLOCKED}.64.1
- {BLOCKED}.{BLOCKED}.88.129
- {BLOCKED}.{BLOCKED}.180.2
- {BLOCKED}.{BLOCKED}.78.2
- {BLOCKED}.{BLOCKED}.199.68
- {BLOCKED}.{BLOCKED}.3.3
- {BLOCKED}.{BLOCKED}.3.8
- {BLOCKED}.{BLOCKED}.144.30
- {BLOCKED}.{BLOCKED}.9.9
- {BLOCKED}.{BLOCKED}.9.61
- {BLOCKED}.{BLOCKED}.160.110
- {BLOCKED}.{BLOCKED}.7.6
- {BLOCKED}.{BLOCKED}.7.17
- {BLOCKED}.{BLOCKED}.0.20
- {BLOCKED}.{BLOCKED}.46.151
- {BLOCKED}.{BLOCKED}.195.68
- {BLOCKED}.{BLOCKED}.196.115
- {BLOCKED}.{BLOCKED}.196.212
- {BLOCKED}.{BLOCKED}.196.228
- {BLOCKED}.{BLOCKED}.196.230
- {BLOCKED}.{BLOCKED}.196.232
- {BLOCKED}.{BLOCKED}.196.237
- {BLOCKED}.{BLOCKED}.112.10
- {BLOCKED}.{BLOCKED}.17.107
- {BLOCKED}.{BLOCKED}.28.231
- {BLOCKED}.{BLOCKED}.28.234
- {BLOCKED}.{BLOCKED}.28.237
- {BLOCKED}.{BLOCKED}.6.3
- {BLOCKED}.{BLOCKED}.136.10
- {BLOCKED}.{BLOCKED}.140.10
- {BLOCKED}.{BLOCKED}.148.37
- {BLOCKED}.{BLOCKED}.148.39
- {BLOCKED}.{BLOCKED}.26.42
- {BLOCKED}.{BLOCKED}.32.100
- {BLOCKED}.{BLOCKED}.32.103
- {BLOCKED}.{BLOCKED}.32.106
- {BLOCKED}.{BLOCKED}.32.109
- {BLOCKED}.{BLOCKED}.33.52
- {BLOCKED}.{BLOCKED}.33.60
- {BLOCKED}.{BLOCKED}.3.70
- {BLOCKED}.{BLOCKED}.3.73
- {BLOCKED}.{BLOCKED}.3.76
- {BLOCKED}.{BLOCKED}.3.79
- {BLOCKED}.{BLOCKED}.3.83
- {BLOCKED}.{BLOCKED}.3.85
- {BLOCKED}.{BLOCKED}.4.6
- {BLOCKED}.{BLOCKED}.4.9
- {BLOCKED}.{BLOCKED}.4.12
- {BLOCKED}.{BLOCKED}.4.15
- {BLOCKED}.{BLOCKED}.4.18
- {BLOCKED}.{BLOCKED}.4.21
- {BLOCKED}.{BLOCKED}.96.66
- {BLOCKED}.{BLOCKED}.128.106
- {BLOCKED}.{BLOCKED}.98.55
- {BLOCKED}.{BLOCKED}.145.194
- {BLOCKED}.{BLOCKED}.151.161
- {BLOCKED}.{BLOCKED}.156.66
- {BLOCKED}.{BLOCKED}.152.99
- {BLOCKED}.{BLOCKED}.157.99
- {BLOCKED}.{BLOCKED}.29.93
- {BLOCKED}.{BLOCKED}.107.85
- {BLOCKED}.{BLOCKED}3.255.228
- {BLOCKED}.{BLOCKED}.62.142
- {BLOCKED}.{BLOCKED}.33.240
- {BLOCKED}.{BLOCKED}.121.27
- {BLOCKED}.{BLOCKED}.160.194
- {BLOCKED}.{BLOCKED}4.10
- {BLOCKED}.{BLOCKED}.70.98
- {BLOCKED}.{BLOCKED}.211.22
- {BLOCKED}.{BLOCKED}.128.68
- {BLOCKED}.{BLOCKED}.128.86
- {BLOCKED}.{BLOCKED}.128.166
- {BLOCKED}.{BLOCKED}.3.140
- {BLOCKED}.{BLOCKED}.4.130
- {BLOCKED}.{BLOCKED}.193.97
- {BLOCKED}.{BLOCKED}.2.4
- {BLOCKED}.{BLOCKED}.4.1
- {BLOCKED}.{BLOCKED}.61.225
- {BLOCKED}.{BLOCKED}.61.235
- {BLOCKED}.{BLOCKED}.61.255
- {BLOCKED}.{BLOCKED}.62.1
- {BLOCKED}.{BLOCKED}.62.60
- {BLOCKED}.{BLOCKED}.66.66
- {BLOCKED}.{BLOCKED}.176.22
- {BLOCKED}.{BLOCKED}.144.47
- {BLOCKED}.{BLOCKED}.192.33
- {BLOCKED}.{BLOCKED}.134.33
- {BLOCKED}.{BLOCKED}.134.133
- {BLOCKED}.{BLOCKED}.154.15
- {BLOCKED}.{BLOCKED}.196.6
- {BLOCKED}.{BLOCKED}.88.88
- {BLOCKED}.{BLOCKED}.243.112
- {BLOCKED}.{BLOCKED}.64.33
- {BLOCKED}.{BLOCKED}.164.13
- {BLOCKED}.{BLOCKED}.164.18
- {BLOCKED}.{BLOCKED}.225.68
- {BLOCKED}.{BLOCKED}.136.68
- {BLOCKED}.{BLOCKED}.224.68
- {BLOCKED}.{BLOCKED}.64.129
- {BLOCKED}.{BLOCKED}.240.100
- {BLOCKED}.{BLOCKED}.242.18
- {BLOCKED}.{BLOCKED}.245.180
- {BLOCKED}.{BLOCKED}.128.68
- {BLOCKED}.{BLOCKED}.118.162
- {BLOCKED}.{BLOCKED}.192.67
- {BLOCKED}.{BLOCKED}.198.167
- {BLOCKED}.{BLOCKED}.136.81
- {BLOCKED}.{BLOCKED}.1.3
- {BLOCKED}.{BLOCKED}.2.18
- {BLOCKED}.{BLOCKED}.192.68
- {BLOCKED}.{BLOCKED}.96.65
- {BLOCKED}.{BLOCKED}.164.6
- {BLOCKED}.{BLOCKED}.132.2
- {BLOCKED}.{BLOCKED}.199.8
- {BLOCKED}.{BLOCKED}.160.68
- {BLOCKED}.{BLOCKED}.166.4
- {BLOCKED}.{BLOCKED}.168.8
- {BLOCKED}.{BLOCKED}.222.222
- {BLOCKED}.{BLOCKED}.224.68
- {BLOCKED}.{BLOCKED}.227.68
- {BLOCKED}.{BLOCKED}.85.85
- {BLOCKED}.{BLOCKED}.88.88
- {BLOCKED}.{BLOCKED}.241.1
- {BLOCKED}.{BLOCKED}.64.1
- {BLOCKED}.{BLOCKED}.100.100
- {BLOCKED}.{BLOCKED}.224.68
- {BLOCKED}.{BLOCKED}.127.1
- {BLOCKED}.{BLOCKED}.93.33
- {BLOCKED}.{BLOCKED}.24.129
- {BLOCKED}.{BLOCKED}.241.34
- {BLOCKED}.{BLOCKED}.198.230
- {BLOCKED}.{BLOCKED}.0.68
- {BLOCKED}.{BLOCKED}.0.117
- {BLOCKED}.{BLOCKED}.24.68
- {BLOCKED}.{BLOCKED}.44.150
- {BLOCKED}.{BLOCKED}.0.242
- {BLOCKED}.{BLOCKED}.240.6
- {BLOCKED}.{BLOCKED}.158.11
- {BLOCKED}.{BLOCKED}.159.3
- {BLOCKED}.{BLOCKED}.111.114
- {BLOCKED}.{BLOCKED}.111.122
- {BLOCKED}.{BLOCKED}.127.114
- {BLOCKED}.{BLOCKED}.127.122
- {BLOCKED}.{BLOCKED}.129.30
- {BLOCKED}.{BLOCKED}.78.210
- {BLOCKED}.{BLOCKED}.254.5
- {BLOCKED}.{BLOCKED}.96.112
- {BLOCKED}.{BLOCKED}.225.253
- {BLOCKED}.{BLOCKED}.129.81
- {BLOCKED}.{BLOCKED}.129.80
- {BLOCKED}.{BLOCKED}.210.98
- {BLOCKED}.{BLOCKED}.210.100
- {BLOCKED}.{BLOCKED}.208.3
- {BLOCKED}.{BLOCKED}.208.6
- {BLOCKED}.{BLOCKED}.64.68
- {BLOCKED}.{BLOCKED}.192.100
- {BLOCKED}.{BLOCKED}.98.3
- {BLOCKED}.{BLOCKED}.98.6
- {BLOCKED}.{BLOCKED}.0.68
- {BLOCKED}.{BLOCKED}.64.129
- {BLOCKED}.{BLOCKED}.16.99
- {BLOCKED}.{BLOCKED}.5.68
- {BLOCKED}.{BLOCKED}.194.55
- {BLOCKED}.{BLOCKED}.200.69
- {BLOCKED}.{BLOCKED}.3.141
- {BLOCKED}.{BLOCKED}.3.144
- {BLOCKED}.{BLOCKED}.57.33
- {BLOCKED}.{BLOCKED}.0.55
- {BLOCKED}.{BLOCKED}.114.114
- {BLOCKED}.{BLOCKED}.115.115
- {BLOCKED}.{BLOCKED}.24.34
- {BLOCKED}.{BLOCKED}.135.1
- {BLOCKED}.{BLOCKED}.4.66
- {BLOCKED}.{BLOCKED}.143.69
- {BLOCKED}.{BLOCKED}.8.141
- {BLOCKED}.{BLOCKED}.0.110
- {BLOCKED}.{BLOCKED}.7.1
- {BLOCKED}.{BLOCKED}.32.106
- {BLOCKED}.{BLOCKED}.13.101
- {BLOCKED}.{BLOCKED}.255.1
- {BLOCKED}.{BLOCKED}.37.1
- {BLOCKED}.{BLOCKED}.1.40
- {BLOCKED}.{BLOCKED}.208.46
- {BLOCKED}.{BLOCKED}.9.141
- {BLOCKED}.{BLOCKED}.7.90
- {BLOCKED}.{BLOCKED}.224.68
- {BLOCKED}.{BLOCKED}.226.68
- {BLOCKED}.{BLOCKED}.90.68
- {BLOCKED}.{BLOCKED}.32.178
- {BLOCKED}.{BLOCKED}.69.38
- {BLOCKED}.{BLOCKED}.197.58
- {BLOCKED}.{BLOCKED}.6.99
- {BLOCKED}.{BLOCKED}.86.18
- {BLOCKED}.{BLOCKED}.189.10
- {BLOCKED}.{BLOCKED}.189.18
- {BLOCKED}.{BLOCKED}.249.50
- {BLOCKED}.{BLOCKED}.249.54
- {BLOCKED}.{BLOCKED}.64.68
- {BLOCKED}.{BLOCKED}.75.68
- {BLOCKED}.{BLOCKED}.1.29
- {BLOCKED}.{BLOCKED}.1.53
- {BLOCKED}.{BLOCKED}.204.66
- {BLOCKED}.{BLOCKED}.224.8
- {BLOCKED}.{BLOCKED}.224.67
- {BLOCKED}.{BLOCKED}.72.65
- {BLOCKED}.{BLOCKED}.91.1
- {BLOCKED}.{BLOCKED}.101.3
- {BLOCKED}.{BLOCKED}.96.68
- {BLOCKED}.{BLOCKED}.0.81
- {BLOCKED}.{BLOCKED}.152.129
- {BLOCKED}.{BLOCKED}.75.123
- {BLOCKED}.{BLOCKED}.154.3
- {BLOCKED}.{BLOCKED}.152.3
- {BLOCKED}.{BLOCKED}.1.66
- {BLOCKED}.{BLOCKED}.1.66
- {BLOCKED}.{BLOCKED}.128.68
- {BLOCKED}.{BLOCKED}.134.68
- {BLOCKED}.{BLOCKED}.106.19
- {BLOCKED}.{BLOCKED}.80.65
- {BLOCKED}.{BLOCKED}.192.66
- {BLOCKED}.{BLOCKED}.192.68
- {BLOCKED}.{BLOCKED}.1.4
- {BLOCKED}.{BLOCKED}.96.5
- {BLOCKED}.{BLOCKED}.96.10
- {BLOCKED}.{BLOCKED}.19.40
- {BLOCKED}.{BLOCKED}.19.50
- {BLOCKED}.{BLOCKED}.111.118
- {BLOCKED}.{BLOCKED}.255.18
- {BLOCKED}.{BLOCKED}.209.5
- {BLOCKED}.{BLOCKED}.209.133
- {BLOCKED}.{BLOCKED}.6.2
- {BLOCKED}.{BLOCKED}.1.97
- {BLOCKED}.{BLOCKED}.72.1
- {BLOCKED}.{BLOCKED}.112.50
- {BLOCKED}.{BLOCKED}.150.66
- {BLOCKED}.{BLOCKED}.6.6
- {BLOCKED}.{BLOCKED}.97.234
- {BLOCKED}.{BLOCKED}.97.238
- {BLOCKED}.{BLOCKED}.97.242
- {BLOCKED}.{BLOCKED}.2.69
- {BLOCKED}.{BLOCKED}.96.68
- {BLOCKED}.{BLOCKED}.32.36
- {BLOCKED}.{BLOCKED}.32.39
- {BLOCKED}.{BLOCKED}.200.139
- {BLOCKED}.{BLOCKED}.0.124
- {BLOCKED}.{BLOCKED}.54.66
- {BLOCKED}.{BLOCKED}.39.73
- {BLOCKED}.{BLOCKED}.10.20
- {BLOCKED}.{BLOCKED}.55.244
- {BLOCKED}.{BLOCKED}.150.20
- {BLOCKED}.{BLOCKED}.252.16
- {BLOCKED}.{BLOCKED}.1.1
- {BLOCKED}.{BLOCKED}.211.193
- {BLOCKED}.{BLOCKED}.211.225
- {BLOCKED}.{BLOCKED}.130.1
- {BLOCKED}.{BLOCKED}.1.1
- {BLOCKED}.{BLOCKED}.233.1
- {BLOCKED}.{BLOCKED}.192.1
- {BLOCKED}.{BLOCKED}.192.174
- {BLOCKED}.{BLOCKED}.224.3
- {BLOCKED}.{BLOCKED}.224.5
- {BLOCKED}.{BLOCKED}.16.10
- {BLOCKED}.{BLOCKED}.16.11
- {BLOCKED}.{BLOCKED}.96.68
- {BLOCKED}.{BLOCKED}.104.68
- {BLOCKED}.{BLOCKED}.160.5
- {BLOCKED}.{BLOCKED}.160.185
- {BLOCKED}.{BLOCKED}.32.132
- {BLOCKED}.{BLOCKED}.224.68
- {BLOCKED}.{BLOCKED}.73.34
- {BLOCKED}.{BLOCKED}.0.130
- {BLOCKED}.{BLOCKED}.1.130
- {BLOCKED}.{BLOCKED}.67.4
- {BLOCKED}.{BLOCKED}.67.14
- {BLOCKED}.{BLOCKED}.84.58
- {BLOCKED}.{BLOCKED}.84.67
- {BLOCKED}.{BLOCKED}.252.8
- {BLOCKED}.{BLOCKED}.128.32
- {BLOCKED}.{BLOCKED}.96.9
- {BLOCKED}.{BLOCKED}.100.18
- {BLOCKED}.{BLOCKED}.100.21
- {BLOCKED}.{BLOCKED}.94.20
- {BLOCKED}.{BLOCKED}.94.241
- {BLOCKED}.{BLOCKED}.1.20
- {BLOCKED}.{BLOCKED}.114.133
- {BLOCKED}.{BLOCKED}.114.166
- {BLOCKED}.{BLOCKED}.152.130
- {BLOCKED}.{BLOCKED}.150.123
- {BLOCKED}.{BLOCKED}.128.33
- {BLOCKED}.{BLOCKED}.72.7
- {BLOCKED}.{BLOCKED}.29.68
- {BLOCKED}.{BLOCKED}.29.150
- {BLOCKED}.{BLOCKED}.29.170
- {BLOCKED}.{BLOCKED}.131.11
- {BLOCKED}.{BLOCKED}.200.68
- {BLOCKED}.{BLOCKED}.150.101
- {BLOCKED}.{BLOCKED}.150.139
- {BLOCKED}.{BLOCKED}.144.33
- {BLOCKED}.{BLOCKED}.160.33
- {BLOCKED}.{BLOCKED}.192.33
- {BLOCKED}.{BLOCKED}.208.33
- {BLOCKED}.{BLOCKED}.224.33
- {BLOCKED}.{BLOCKED}.144.161
- {BLOCKED}.{BLOCKED}.5.240
- {BLOCKED}.{BLOCKED}.25.129
- {BLOCKED}.{BLOCKED}.103.36
- {BLOCKED}.{BLOCKED}.1.227
- {BLOCKED}.{BLOCKED}.252.200
- {BLOCKED}.{BLOCKED}.120.5
- {BLOCKED}.{BLOCKED}.96.68
- {BLOCKED}.{BLOCKED}.248.219
- {BLOCKED}.{BLOCKED}.248.245
- {BLOCKED}.{BLOCKED}.254.34
- {BLOCKED}.{BLOCKED}.244.5
- {BLOCKED}.{BLOCKED}.104.15
- {BLOCKED}.{BLOCKED}.104.26
- {BLOCKED}.{BLOCKED}.33.227
- {BLOCKED}.{BLOCKED}.107.27
- {BLOCKED}.{BLOCKED}.128.68
- {BLOCKED}.{BLOCKED}.192.68
- {BLOCKED}.{BLOCKED}.17.2
- {BLOCKED}.{BLOCKED}.203.86
- {BLOCKED}.{BLOCKED}.203.90
- {BLOCKED}.{BLOCKED}.203.98
- {BLOCKED}.{BLOCKED}.92.86
- {BLOCKED}.{BLOCKED}.92.98
该程序执行以下操作:
- capable of updating itself to its latest version
- replaces the following files with the copy of the malware and stores the original files in /usr/bin/dpkg/:
- /bin/netstat
- /bin/lsof
- /bin/ps
- /bin/ss
- /usr/bin/netstat
- /usr/bin/lsof
- /usr/bin/ps
- /usr/bin/ss
- /usr/sbin/netstat
- /usr/sbin/lsof
- /usr/sbin/ps
- /usr/sbin/ss
- It adds the following scripts in /etc/rc{1-5}.d/ and /etc/init.d/ to automatically execute itself when the system starts up:
- /etc/rc{1-5}.d/S97DbSecuritySpt
- /etc/rc{1-5}.d/S99selinux
- /etc/init.d/selinux
- /etc/init.d/DbSecuritySpt
解决方案
最小扫描引擎: 9.850
First VSAPI Pattern File: 14.568.04
VSAPI 第一样式发布日期: 2018年10月16日
VSAPI OPR样式版本: 15.237.00
VSAPI OPR样式发布日期: 2019年7月16日
使用亚信安全产品扫描计算机,并删除检测到的Backdoor.Linux.SETAG.RPA文件 如果检测到的文件已被亚信安全产品清除、删除或隔离,则无需采取进一步措施。可以选择直接删除隔离的文件。请参阅知识库页面了解详细信息。