Linux.Siggen.2960

Malicious functions:

Launches itself as a daemon

Substitutes application name for:

Replaces the following system files:

Launches processes:

/bin/sh -c mkdir app && >app/lib && cd app/lib; mv <SAMPLE_FULL_PATH> app/lib; chmod 777 app/lib
mkdir app
mv <SAMPLE_FULL_PATH> app/lib
chmod 777 app/lib
/bin/sh -c cd /bin/; cat tftp > tftp-cpy; cat /proc/692/exe > tftp ; chmod 777 tftp
cat tftp
cat /proc/692/exe
chmod 777 tftp
/bin/sh -c cd /bin/; cat rm > rm-cpy; cat /proc/692/exe > rm ; chmod 777 rm
cat rm
chmod 777 rm
/bin/sh -c cd /bin/; cat cd > cd-cpy; cat /proc/692/exe > cd ; chmod 777 cd
cat cd
chmod 777 cd
/bin/sh -c cd /bin/; cat wget > wget-cpy; cat /proc/692/exe > wget ; chmod 777 wget
cat wget
chmod 777 wget
/bin/sh -c cd /bin/; cat echo > echo-cpy; cat /proc/692/exe > echo ; chmod 777 echo
cat echo
chmod 777 echo
/bin/sh -c cd /sbin/; cat tftp > tftp-cpy; cat /proc/692/exe > tftp ; chmod 777 tftp
/bin/sh -c cd /sbin/; cat rm > rm-cpy; cat /proc/692/exe > rm ; chmod 777 rm
/bin/sh -c cd /sbin/; cat cd > cd-cpy; cat /proc/692/exe > cd ; chmod 777 cd
/bin/sh -c cd /sbin/; cat wget > wget-cpy; cat /proc/692/exe > wget ; chmod 777 wget
/bin/sh -c cd /sbin/; cat echo > echo-cpy; cat /proc/692/exe > echo ; chmod 777 echo

Kills system processes:

Performs operations with the file system:

Modifies file access rights:

Creates folders:

Creates or modifies files:

Network activity:

Awaits incoming connections on ports:

Establishes connection:

Attacks using a special dictionary (brute-force technique) via the Telnet protocol.

DNS ASK:

Sends data to the following servers: