Backdoor.Linux.SETAG.RPB

2018年10月25日

分析者: Patrick Angelo Roderno

HEUR:Backdoor.Linux.Ganiw.d (KASPERSKY); Backdoor:Linux/Setag!rfn (MICROSOFT); Linux/Setag.B.Gen trojan (NOD32)

平台:

Linux

总体风险等级:

潜在破坏:

潜在分布:

感染次数:

信息暴露:

恶意软件类型:
Backdoor
有破坏性？:
没有
加密？:
没有
In the Wild:
是的

概要

感染途徑: 从互联网上下载，或由其他恶意软件释放。

它执行远程恶意用户的命令，有效地攻击受感染的系统。

它连接到某个网站，发送和接收信息。

技术详细信息

文件大小: 1,135,000 bytes

报告日期: ELF

内存驻留: 没有

初始樣本接收日期: 2018年4月12日

Payload: 植入文件, 连接到 URL/Ip, 窃取信息

安装

它在受感染的系统中植入并执行下列自身副本：

/usr/bin/bsd-port/knerl

它创建下列文件夹：

/usr/bin/dpkgd
/usr/bin/bsd-port

后门例程

它执行远程恶意用户的下列命令：

Initiate DDoS attacks:
- SYN flood
- DNS flood
- ICMP flood
- UDP flood
- TCP flood
- TNS poisoning
- Challenge Collapsar (CC) attack
Stop DDoS attack
Execute shell commands

植入例程

它植入下列文件：

/usr/bin/bsd-port/knerl.conf
/tmp/notify.file
{Malware path}/idus.log
{Malware Path}/vga.conf

信息窃取

它收集下列数据:

OS name
OS version
CPU clock rate
CPU usage
Number of CPU cores
Network usage
RAM size
IP address of infected machine

其他详细信息

它连接到下列网站，发送和接收信息：

{BLOCKED}163.68
{BLOCKED}.192.68
{BLOCKED}.213.68
{BLOCKED}101
{BLOCKED}2.2
{BLOCKED}.64.1
{BLOCKED}.88.129
{BLOCKED}.180.2
{BLOCKED}.78.2
{BLOCKED}.199.68
{BLOCKED}.3.3
{BLOCKED}.3.8
{BLOCKED}.30
{BLOCKED}.9.9
{BLOCKED}.9.61
{BLOCKED}160.110
{BLOCKED}.6
{BLOCKED}.17
{BLOCKED}0.20
{BLOCKED}51
{BLOCKED}68
{BLOCKED}115
{BLOCKED}212
{BLOCKED}228
{BLOCKED}230
{BLOCKED}232
{BLOCKED}237
{BLOCKED}10
{BLOCKED}07
{BLOCKED}31
{BLOCKED}34
{BLOCKED}37
{BLOCKED}6.3
{BLOCKED}136.10
{BLOCKED}140.10
{BLOCKED}148.37
{BLOCKED}148.39
{BLOCKED}26.42
{BLOCKED}32.100
{BLOCKED}32.103
{BLOCKED}32.106
{BLOCKED}32.109
{BLOCKED}33.52
{BLOCKED}33.60
{BLOCKED}3.70
{BLOCKED}3.73
{BLOCKED}3.76
{BLOCKED}3.79
{BLOCKED}3.83
{BLOCKED}3.85
{BLOCKED}4.6
{BLOCKED}4.9
{BLOCKED}4.12
{BLOCKED}4.15
{BLOCKED}4.18
{BLOCKED}4.21
{BLOCKED}.96.66
{BLOCKED}128.106
{BLOCKED}98.55
{BLOCKED}145.194
{BLOCKED}151.161
{BLOCKED}156.66
{BLOCKED}152.99
{BLOCKED}157.99
{BLOCKED}29.93
{BLOCKED}107.85
{BLOCKED}255.228
{BLOCKED}62.142
{BLOCKED}33.240
{BLOCKED}121.27
{BLOCKED}160.194
{BLOCKED}34.10
{BLOCKED}70.98
{BLOCKED}211.22
{BLOCKED}128.68
{BLOCKED}128.86
{BLOCKED}128.166
{BLOCKED}3.140
{BLOCKED}4.130
{BLOCKED}193.97
{BLOCKED}2.4
{BLOCKED}4.1
{BLOCKED}61.225
{BLOCKED}1.235
{BLOCKED}1.255
{BLOCKED}2.1
{BLOCKED}2.60
{BLOCKED}66
{BLOCKED}76.22
{BLOCKED}4.47
{BLOCKED}2.33
{BLOCKED}4.33
{BLOCKED}4.133
{BLOCKED}4.15
{BLOCKED}6.6
{BLOCKED}88
{BLOCKED}43.112
{BLOCKED}4.33
{BLOCKED}4.13
{BLOCKED}4.18
{BLOCKED}25.68
{BLOCKED}.68
{BLOCKED}24.68
{BLOCKED}.129
{BLOCKED}40.100
{BLOCKED}42.18
{BLOCKED}45.180
{BLOCKED}.68
{BLOCKED}8.162
{BLOCKED}2.67
{BLOCKED}8.167
{BLOCKED}6.81
{BLOCKED}.3
{BLOCKED}.18
{BLOCKED}92.68
{BLOCKED}.65
{BLOCKED}64.6
{BLOCKED}2.2
{BLOCKED}99.8
{BLOCKED}0.68
{BLOCKED}6.4
{BLOCKED}8.8
{BLOCKED}22.222
{BLOCKED}24.68
{BLOCKED}27.68
{BLOCKED}.85
{BLOCKED}.88
{BLOCKED}1.1
{BLOCKED}4.1
{BLOCKED}00.100
{BLOCKED}4.68
{BLOCKED}27.1
{BLOCKED}.33
{BLOCKED}.129
{BLOCKED}41.34
{BLOCKED}98.230
{BLOCKED}.68
{BLOCKED}.117
{BLOCKED}4.68
{BLOCKED}4.150
{BLOCKED}.242
{BLOCKED}40.6
{BLOCKED}58.11
{BLOCKED}59.3
{BLOCKED}11.114
{BLOCKED}11.122
{BLOCKED}27.114
{BLOCKED}27.122
{BLOCKED}29.30
{BLOCKED}210
{BLOCKED}4.5
{BLOCKED}6.112
{BLOCKED}5.253
{BLOCKED}29.81
{BLOCKED}29.80
{BLOCKED}10.98
{BLOCKED}10.100
{BLOCKED}08.3
{BLOCKED}08.6
{BLOCKED}4.68
{BLOCKED}2.100
{BLOCKED}.3
{BLOCKED}.6
{BLOCKED}68
{BLOCKED}.129
{BLOCKED}6.99
{BLOCKED}68
{BLOCKED}94.55
{BLOCKED}00.69
{BLOCKED}.141
{BLOCKED}.144
{BLOCKED}.33
{BLOCKED}5
{BLOCKED}14.114
{BLOCKED}15.115
{BLOCKED}4.34
{BLOCKED}.1
{BLOCKED}6
{BLOCKED}43.69
{BLOCKED}.141
{BLOCKED}110
{BLOCKED}1
{BLOCKED}2.106
{BLOCKED}3.101
{BLOCKED}55.1
{BLOCKED}.1
{BLOCKED}40
{BLOCKED}8.46
{BLOCKED}.141
{BLOCKED}.90
{BLOCKED}24.68
{BLOCKED}26.68
{BLOCKED}0.68
{BLOCKED}2.178
{BLOCKED}.38
{BLOCKED}97.58
{BLOCKED}.99
{BLOCKED}.18
{BLOCKED}9.10
{BLOCKED}9.18
{BLOCKED}9.50
{BLOCKED}9.54
{BLOCKED}.68
{BLOCKED}.68
{BLOCKED}.29
{BLOCKED}.53
{BLOCKED}04.66
{BLOCKED}4.8
{BLOCKED}.67
{BLOCKED}65
{BLOCKED}.1
{BLOCKED}1.3
{BLOCKED}.68
{BLOCKED}1
{BLOCKED}.129
{BLOCKED}.123
{BLOCKED}4.3
{BLOCKED}2.3
{BLOCKED}66
{BLOCKED}66
{BLOCKED}8.68
{BLOCKED}4.68
{BLOCKED}6.19
{BLOCKED}65
{BLOCKED}.66
{BLOCKED}.68
{BLOCKED}
{BLOCKED}.5
{BLOCKED}.10
{BLOCKED}40
{BLOCKED}50
{BLOCKED}1.118
{BLOCKED}5.18
{BLOCKED}.5
{BLOCKED}.133
{BLOCKED}2
{BLOCKED}7
{BLOCKED}1
{BLOCKED}2.50
{BLOCKED}0.66
{BLOCKED}
{BLOCKED}.234
{BLOCKED}.238
{BLOCKED}.242
{BLOCKED}9
{BLOCKED}68
{BLOCKED}.36
{BLOCKED}.39
{BLOCKED}139
{BLOCKED}24
{BLOCKED}66
{BLOCKED}73
{BLOCKED}.20
{BLOCKED}.244
{BLOCKED}0.20
{BLOCKED}2.16
{BLOCKED}
{BLOCKED}1.193
{BLOCKED}1.225
{BLOCKED}.1
{BLOCKED}
{BLOCKED}1
{BLOCKED}.1
{BLOCKED}.174
{BLOCKED}3
{BLOCKED}5
{BLOCKED}.10
{BLOCKED}.11
{BLOCKED}68
{BLOCKED}.68
{BLOCKED}0.5
{BLOCKED}0.185
{BLOCKED}.132
{BLOCKED}.68
{BLOCKED}.34
{BLOCKED}0
{BLOCKED}0
{BLOCKED}4
{BLOCKED}14
{BLOCKED}58
{BLOCKED}67
{BLOCKED}.8
{BLOCKED}.32
{BLOCKED}9
{BLOCKED}0.18
{BLOCKED}0.21
{BLOCKED}.20
{BLOCKED}.241
{BLOCKED}
{BLOCKED}.133
{BLOCKED}.166
{BLOCKED}2.130
{BLOCKED}.123
{BLOCKED}8.33
{BLOCKED}7
{BLOCKED}.68
{BLOCKED}.150
{BLOCKED}.170
{BLOCKED}11
{BLOCKED}0.68
{BLOCKED}.101
{BLOCKED}.139
{BLOCKED}4.33
{BLOCKED}0.33
{BLOCKED}2.33
{BLOCKED}8.33
{BLOCKED}4.33
{BLOCKED}.161
{BLOCKED}240
{BLOCKED}129
{BLOCKED}.36
{BLOCKED}27
{BLOCKED}2.200
{BLOCKED}.5
{BLOCKED}68
{BLOCKED}8.219
{BLOCKED}8.245
{BLOCKED}.34
{BLOCKED}244.5
{BLOCKED}04.15
{BLOCKED}04.26
{BLOCKED}227
{BLOCKED}07.27
{BLOCKED}28.68
{BLOCKED}92.68
{BLOCKED}17.2
{BLOCKED}03.86
{BLOCKED}03.90
{BLOCKED}03.98
{BLOCKED}92.86
{BLOCKED}92.98

解决方案

最小扫描引擎: 9.850

First VSAPI Pattern File: 15.236.04

VSAPI 第一样式发布日期: 2019年7月15日

VSAPI OPR样式版本: 15.237.00

VSAPI OPR样式发布日期: 2019年7月16日

使用亚信安全产品扫描计算机，并删除检测到的Backdoor.Linux.SETAG.RPB文件如果检测到的文件已被亚信安全产品清除、删除或隔离，则无需采取进一步措施。可以选择直接删除隔离的文件。请参阅知识库页面了解详细信息。