Technical Information
Malicious functions:
Launches itself as a daemon
Substitutes application name for:
- /bin/busybox
Launches processes:
- /bin/sh -c cd /bin/; cat tftp > tftp-cpy; cat <SAMPLE_FULL_PATH> > tftp
- cat tftp
- cat <SAMPLE_FULL_PATH>
- /bin/sh -c cd /bin/; cat rm > rm-cpy; cat <SAMPLE_FULL_PATH> > rm
- cat rm
- /bin/sh -c cd /bin/; cat kill > kill-cpy; cat <SAMPLE_FULL_PATH> > kill
- cat kill
- /bin/sh -c cd /bin/; cat cd > cd-cpy; cat <SAMPLE_FULL_PATH> > cd
- cat cd
- /bin/sh -c cd /sbin/; cat tftp > tftp-cpy; cat <SAMPLE_FULL_PATH> > tftp
- /bin/sh -c cd /sbin/; cat rm > rm-cpy; cat <SAMPLE_FULL_PATH> > rm
- /bin/sh -c cd /sbin/; cat kill > kill-cpy; cat <SAMPLE_FULL_PATH> > kill
- /bin/sh -c cd /sbin/; cat cd > cd-cpy; cat <SAMPLE_FULL_PATH> > cd
- /bin/sh -c export PATH=/root:$PATH
- /bin/sh -c echo -ne 'export PATH=/root:$PATH' >> ~/.~/.bash_profile
- /bin/sh -c echo -ne 'export PATH=/root:$PATH' >> ~/.~/.bashrc
- /bin/sh -c echo -ne 'export PATH=/root:$PATH' >> ~/./root/.bash_profile
- /bin/sh -c echo -ne 'export PATH=/root:$PATH' >> ~/./root/.bashrc
Kills the following processes:
- agetty
Performs operations with the file system:
Creates or modifies files:
- /bin/tftp-cpy
- /bin/tftp
- /bin/rm-cpy
- /bin/rm
- /bin/kill-cpy
- /bin/kill
- /bin/cd-cpy
- /bin/cd
- /sbin/tftp-cpy
- /sbin/tftp
- /sbin/rm-cpy
- /sbin/rm
- /sbin/kill-cpy
- /sbin/kill
- /sbin/cd-cpy
- /sbin/cd
- <SAMPLE_FULL_PATH>
- /root/.~/.bash_profile
- /root/.~/.bashrc
- /root/./root/.bash_profile
- /root/./root/.bashrc
Network activity:
Establishes connection:
- 19#.##.97.85:9090
- 25#.###.255.255:9090
- 15#.###.169.254:37215
- 19#.###.169.254:37215
- 15#.###.62.233:37215
- 15#.###.113.144:37215
- 41.###.90.223:37215
- 19#.#.202.48:37215
- 41.###.237.60:37215
- 19#.###.153.34:37215
- 19#.###.154.196:37215
- 41.##.188.243:37215
- 15#.##.76.235:37215
- 41.##.28.189:37215
- 15#.##.207.77:37215
- 15#.##.90.152:37215
- 15#.###.105.96:37215
- 41.##.9.189:37215
- 41.###.100.194:37215
- 15#.##.124.240:37215
- 15#.##.227.37:37215
- 41.###.24.109:37215
- 41.###.149.143:37215
- 41.###.220.174:37215
- 41.###.25.98:37215
- 41.##.242.128:37215
- 15#.#.100.92:37215
- 19#.###.87.227:37215
- 41.##.20.75:37215
- 19#.##4.79.83:37215
- 15#.##.55.190:37215
- 41.#.#78.213:37215
- 15#.###.209.153:37215
- 41.###.3.56:37215
- 41.###.69.165:37215
- 41.###.155.183:37215
- 41.###.2.224:37215
- 19#.###.244.26:37215
- 19#.##.75.126:37215
- 41.###.234.219:37215
- 15#.##.229.245:37215
- 19#.##.196.53:37215
- 19#.##1.1.179:37215
- 19#.###.50.245:37215
- 41.###.68.244:37215
- 15#.##4.5.62:37215
- 41.###.42.194:37215
- 41.##.199.125:37215
- 19#.##.20.99:37215
- 19#.##.187.107:37215
- 15#.###.200.116:37215
- 19#.##.219.225:37215
- 19#.##6.17.23:37215
- 41.##.88.48:37215
- 15#.###.135.165:37215
- 41.###.98.63:37215
- 41.###.99.149:37215
- 19#.##.171.26:37215
- 19#.##.152.49:37215
- 19#.###.196.71:37215
- 19#.##.52.237:37215
- 15#.###.230.15:37215
- 15#.##0.49.58:37215
- 41.#.#8.85:37215
- 19#.##.73.12:37215
- 15#.###.174.83:37215
- 19#.##1.89.49:37215
- 41.###.78.103:37215
- 19#.###.195.247:37215
- 15#.###.135.196:37215
- 41.###.193.45:37215
- 15#.##.255.241:37215
- 15#.###.140.250:37215
- 41.###.156.63:37215
- 15#.###.200.203:37215
Attacks using a special dictionary (brute-force technique) via the Telnet protocol.
Sends data to the following servers:
- 19#.##.97.85:9090
Receives data from the following servers:
- 19#.##.97.85:9090
Other:
Collects information about network activity
