Technical Information
Malicious functions:
Launches itself as a daemon
Substitutes application name for:
- aaaaaaaaaaaa
- a
Modifies firewall settings:
- iptables -A INPUT -p tcp --destination-port 23 -j DROP
Launches processes:
- /bin/sh -c echo Uh O
- /bin/sh -c killall -9 telnetd || kill -9 telnet
- /bin/sh -c iptables -A INPUT -p tcp --destination-port 23 -j DROP
- /bin/sh -c killall -r infn.
- /bin/sh -c killall -r infn
- /bin/sh -c killall -r fBot
Attempts to kill system processes:
- killall -9 telnetd
Attempts to kill the following processes:
- killall -r infn.
- killall -r infn
- killall -r fBot
Performs operations with the file system:
Creates or modifies files:
- /root/vBot_Infected.txt
- /home/vBot_Infected.txt
Network activity:
Awaits incoming connections on ports:
- 127.0.0.1:38527
- 0.0.0.0:23
Establishes connection:
- 8.#.8.8:53
- 21#.##.184.17:23
Attacks using a special dictionary (brute-force technique) via the Telnet protocol.
DNS ASK:
- cn#.#eno.xyz
Sends data to the following servers:
- 10#.##0.111.7:23
- 89.##.97.198:23
- 2.###.185.5:23
- 61.###.144.133:23
- 24#.##9.56.126:23
- 23#.##1.127.198:23
- 24#.##1.56.126:23
- 15#.##9.89.133:23
- 12#.##1.103.6:23
- 17#.##4.74.80:23
- 11#.##8.84.244:23
- 21#.##9.115.127:23
- 18#.#9.94.72:23
- 16.##.173.134:23
- 64.###.147.117:23
- 21#.##.138.189:23
- 10#.##1.16.237:23
- 23#.##5.185.252:23
- 92.##.137.160:23
- 10#.#87.3.21:23
- 95.##6.75.1:23
- 10#.##4.233.247:23
- 79.###.121.255:23
- 12#.##.170.159:23
- 23#.##3.209.247:23
- 21#.##.184.17:23
