Backdoor.Linux.SETAG.RPA
October 25, 2018
Aliases:
Linux.Chikdos.B!gen2 (NORTON); Backdoor:Linux/Setag!rfn (MICROSOFT); HEUR:Backdoor.Linux.Ganiw.d (KASPERSKY)
Platform:
Linux
Overall risk rating:
Damage potential:
Distribution potential:
Reported infection:
Information exposure:

Threat type:
Backdoor
Destructive?:
No
Encrypted?:
No
In the Wild:
Yes
Overview
Infection channel: Downloaded from the Internet, or dropped by other malware.
It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It executes and then deletes itself.
Technical details
File size: 1,223,123 bytes
File type: ELF
Memory resident: No
Initial samples received date: November 1, 2018
Payload: Drops files, Connects to URLs/IPs, Steals information
Arrival details
It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
It drops and executes the following copies of itself in the affected system:
- /usr/bin/bsd-port/getty
It creates the following folders:
- /usr/bin/dpkgd
- /usr/bin/bsd-port
Backdoor routine
It executes the following commands from a remote malicious user:
- Initiate DDoS attacks:
  - SYN flood
  - DNS flood
  - ICMP flood
  - UDP flood
  - TCP flood
  - TNS poisoning
  - Challenge Collapsar (CC) attack
- Stop DDoS attack
- Execute shell commands
Dropping routine
It drops the following files:
- /usr/bin/bsd-port/getty.lock
- /tmp/gates.lod
- /tmp/moni.lod
- /tmp/notify.file
Information theft
It gathers the following data:
- OS name
- OS version
- CPU clock rate
- CPU usage
- Number of CPU cores
- Network usage
- RAM size
- IP address of infected machine
Other details
It connects to the following websites to send and receive information:
- {BLOCKED}.{BLOCKED}.163.68
- {BLOCKED}.{BLOCKED}.192.68
- {BLOCKED}.{BLOCKED}.213.68
- {BLOCKED}.{BLOCKED}.200.101
- {BLOCKED}.{BLOCKED}.2.2
- {BLOCKED}.{BLOCKED}.64.1
- {BLOCKED}.{BLOCKED}.88.129
- {BLOCKED}.{BLOCKED}.180.2
- {BLOCKED}.{BLOCKED}.78.2
- {BLOCKED}.{BLOCKED}.199.68
- {BLOCKED}.{BLOCKED}.3.3
- {BLOCKED}.{BLOCKED}.3.8
- {BLOCKED}.{BLOCKED}.144.30
- {BLOCKED}.{BLOCKED}.9.9
- {BLOCKED}.{BLOCKED}.9.61
- {BLOCKED}.{BLOCKED}.160.110
- {BLOCKED}.{BLOCKED}.7.6
- {BLOCKED}.{BLOCKED}.7.17
- {BLOCKED}.{BLOCKED}.0.20
- {BLOCKED}.{BLOCKED}.46.151
- {BLOCKED}.{BLOCKED}.195.68
- {BLOCKED}.{BLOCKED}.196.115
- {BLOCKED}.{BLOCKED}.196.212
- {BLOCKED}.{BLOCKED}.196.228
- {BLOCKED}.{BLOCKED}.196.230
- {BLOCKED}.{BLOCKED}.196.232
- {BLOCKED}.{BLOCKED}.196.237
- {BLOCKED}.{BLOCKED}.112.10
- {BLOCKED}.{BLOCKED}.17.107
- {BLOCKED}.{BLOCKED}.28.231
- {BLOCKED}.{BLOCKED}.28.234
- {BLOCKED}.{BLOCKED}.28.237
- {BLOCKED}.{BLOCKED}.6.3
- {BLOCKED}.{BLOCKED}.136.10
- {BLOCKED}.{BLOCKED}.140.10
- {BLOCKED}.{BLOCKED}.148.37
- {BLOCKED}.{BLOCKED}.148.39
- {BLOCKED}.{BLOCKED}.26.42
- {BLOCKED}.{BLOCKED}.32.100
- {BLOCKED}.{BLOCKED}.32.103
- {BLOCKED}.{BLOCKED}.32.106
- {BLOCKED}.{BLOCKED}.32.109
- {BLOCKED}.{BLOCKED}.33.52
- {BLOCKED}.{BLOCKED}.33.60
- {BLOCKED}.{BLOCKED}.3.70
- {BLOCKED}.{BLOCKED}.3.73
- {BLOCKED}.{BLOCKED}.3.76
- {BLOCKED}.{BLOCKED}.3.79
- {BLOCKED}.{BLOCKED}.3.83
- {BLOCKED}.{BLOCKED}.3.85
- {BLOCKED}.{BLOCKED}.4.6
- {BLOCKED}.{BLOCKED}.4.9
- {BLOCKED}.{BLOCKED}.4.12
- {BLOCKED}.{BLOCKED}.4.15
- {BLOCKED}.{BLOCKED}.4.18
- {BLOCKED}.{BLOCKED}.4.21
- {BLOCKED}.{BLOCKED}.96.66
- {BLOCKED}.{BLOCKED}.128.106
- {BLOCKED}.{BLOCKED}.98.55
- {BLOCKED}.{BLOCKED}.145.194
- {BLOCKED}.{BLOCKED}.151.161
- {BLOCKED}.{BLOCKED}.156.66
- {BLOCKED}.{BLOCKED}.152.99
- {BLOCKED}.{BLOCKED}.157.99
- {BLOCKED}.{BLOCKED}.29.93
- {BLOCKED}.{BLOCKED}.107.85
- {BLOCKED}.{BLOCKED}3.255.228
- {BLOCKED}.{BLOCKED}.62.142
- {BLOCKED}.{BLOCKED}.33.240
- {BLOCKED}.{BLOCKED}.121.27
- {BLOCKED}.{BLOCKED}.160.194
- {BLOCKED}.{BLOCKED}4.10
- {BLOCKED}.{BLOCKED}.70.98
- {BLOCKED}.{BLOCKED}.211.22
- {BLOCKED}.{BLOCKED}.128.68
- {BLOCKED}.{BLOCKED}.128.86
- {BLOCKED}.{BLOCKED}.128.166
- {BLOCKED}.{BLOCKED}.3.140
- {BLOCKED}.{BLOCKED}.4.130
- {BLOCKED}.{BLOCKED}.193.97
- {BLOCKED}.{BLOCKED}.2.4
- {BLOCKED}.{BLOCKED}.4.1
- {BLOCKED}.{BLOCKED}.61.225
- {BLOCKED}.{BLOCKED}.61.235
- {BLOCKED}.{BLOCKED}.61.255
- {BLOCKED}.{BLOCKED}.62.1
- {BLOCKED}.{BLOCKED}.62.60
- {BLOCKED}.{BLOCKED}.66.66
- {BLOCKED}.{BLOCKED}.176.22
- {BLOCKED}.{BLOCKED}.144.47
- {BLOCKED}.{BLOCKED}.192.33
- {BLOCKED}.{BLOCKED}.134.33
- {BLOCKED}.{BLOCKED}.134.133
- {BLOCKED}.{BLOCKED}.154.15
- {BLOCKED}.{BLOCKED}.196.6
- {BLOCKED}.{BLOCKED}.88.88
- {BLOCKED}.{BLOCKED}.243.112
- {BLOCKED}.{BLOCKED}.64.33
- {BLOCKED}.{BLOCKED}.164.13
- {BLOCKED}.{BLOCKED}.164.18
- {BLOCKED}.{BLOCKED}.225.68
- {BLOCKED}.{BLOCKED}.136.68
- {BLOCKED}.{BLOCKED}.224.68
- {BLOCKED}.{BLOCKED}.64.129
- {BLOCKED}.{BLOCKED}.240.100
- {BLOCKED}.{BLOCKED}.242.18
- {BLOCKED}.{BLOCKED}.245.180
- {BLOCKED}.{BLOCKED}.128.68
- {BLOCKED}.{BLOCKED}.118.162
- {BLOCKED}.{BLOCKED}.192.67
- {BLOCKED}.{BLOCKED}.198.167
- {BLOCKED}.{BLOCKED}.136.81
- {BLOCKED}.{BLOCKED}.1.3
- {BLOCKED}.{BLOCKED}.2.18
- {BLOCKED}.{BLOCKED}.192.68
- {BLOCKED}.{BLOCKED}.96.65
- {BLOCKED}.{BLOCKED}.164.6
- {BLOCKED}.{BLOCKED}.132.2
- {BLOCKED}.{BLOCKED}.199.8
- {BLOCKED}.{BLOCKED}.160.68
- {BLOCKED}.{BLOCKED}.166.4
- {BLOCKED}.{BLOCKED}.168.8
- {BLOCKED}.{BLOCKED}.222.222
- {BLOCKED}.{BLOCKED}.224.68
- {BLOCKED}.{BLOCKED}.227.68
- {BLOCKED}.{BLOCKED}.85.85
- {BLOCKED}.{BLOCKED}.88.88
- {BLOCKED}.{BLOCKED}.241.1
- {BLOCKED}.{BLOCKED}.64.1
- {BLOCKED}.{BLOCKED}.100.100
- {BLOCKED}.{BLOCKED}.224.68
- {BLOCKED}.{BLOCKED}.127.1
- {BLOCKED}.{BLOCKED}.93.33
- {BLOCKED}.{BLOCKED}.24.129
- {BLOCKED}.{BLOCKED}.241.34
- {BLOCKED}.{BLOCKED}.198.230
- {BLOCKED}.{BLOCKED}.0.68
- {BLOCKED}.{BLOCKED}.0.117
- {BLOCKED}.{BLOCKED}.24.68
- {BLOCKED}.{BLOCKED}.44.150
- {BLOCKED}.{BLOCKED}.0.242
- {BLOCKED}.{BLOCKED}.240.6
- {BLOCKED}.{BLOCKED}.158.11
- {BLOCKED}.{BLOCKED}.159.3
- {BLOCKED}.{BLOCKED}.111.114
- {BLOCKED}.{BLOCKED}.111.122
- {BLOCKED}.{BLOCKED}.127.114
- {BLOCKED}.{BLOCKED}.127.122
- {BLOCKED}.{BLOCKED}.129.30
- {BLOCKED}.{BLOCKED}.78.210
- {BLOCKED}.{BLOCKED}.254.5
- {BLOCKED}.{BLOCKED}.96.112
- {BLOCKED}.{BLOCKED}.225.253
- {BLOCKED}.{BLOCKED}.129.81
- {BLOCKED}.{BLOCKED}.129.80
- {BLOCKED}.{BLOCKED}.210.98
- {BLOCKED}.{BLOCKED}.210.100
- {BLOCKED}.{BLOCKED}.208.3
- {BLOCKED}.{BLOCKED}.208.6
- {BLOCKED}.{BLOCKED}.64.68
- {BLOCKED}.{BLOCKED}.192.100
- {BLOCKED}.{BLOCKED}.98.3
- {BLOCKED}.{BLOCKED}.98.6
- {BLOCKED}.{BLOCKED}.0.68
- {BLOCKED}.{BLOCKED}.64.129
- {BLOCKED}.{BLOCKED}.16.99
- {BLOCKED}.{BLOCKED}.5.68
- {BLOCKED}.{BLOCKED}.194.55
- {BLOCKED}.{BLOCKED}.200.69
- {BLOCKED}.{BLOCKED}.3.141
- {BLOCKED}.{BLOCKED}.3.144
- {BLOCKED}.{BLOCKED}.57.33
- {BLOCKED}.{BLOCKED}.0.55
- {BLOCKED}.{BLOCKED}.114.114
- {BLOCKED}.{BLOCKED}.115.115
- {BLOCKED}.{BLOCKED}.24.34
- {BLOCKED}.{BLOCKED}.135.1
- {BLOCKED}.{BLOCKED}.4.66
- {BLOCKED}.{BLOCKED}.143.69
- {BLOCKED}.{BLOCKED}.8.141
- {BLOCKED}.{BLOCKED}.0.110
- {BLOCKED}.{BLOCKED}.7.1
- {BLOCKED}.{BLOCKED}.32.106
- {BLOCKED}.{BLOCKED}.13.101
- {BLOCKED}.{BLOCKED}.255.1
- {BLOCKED}.{BLOCKED}.37.1
- {BLOCKED}.{BLOCKED}.1.40
- {BLOCKED}.{BLOCKED}.208.46
- {BLOCKED}.{BLOCKED}.9.141
- {BLOCKED}.{BLOCKED}.7.90
- {BLOCKED}.{BLOCKED}.224.68
- {BLOCKED}.{BLOCKED}.226.68
- {BLOCKED}.{BLOCKED}.90.68
- {BLOCKED}.{BLOCKED}.32.178
- {BLOCKED}.{BLOCKED}.69.38
- {BLOCKED}.{BLOCKED}.197.58
- {BLOCKED}.{BLOCKED}.6.99
- {BLOCKED}.{BLOCKED}.86.18
- {BLOCKED}.{BLOCKED}.189.10
- {BLOCKED}.{BLOCKED}.189.18
- {BLOCKED}.{BLOCKED}.249.50
- {BLOCKED}.{BLOCKED}.249.54
- {BLOCKED}.{BLOCKED}.64.68
- {BLOCKED}.{BLOCKED}.75.68
- {BLOCKED}.{BLOCKED}.1.29
- {BLOCKED}.{BLOCKED}.1.53
- {BLOCKED}.{BLOCKED}.204.66
- {BLOCKED}.{BLOCKED}.224.8
- {BLOCKED}.{BLOCKED}.224.67
- {BLOCKED}.{BLOCKED}.72.65
- {BLOCKED}.{BLOCKED}.91.1
- {BLOCKED}.{BLOCKED}.101.3
- {BLOCKED}.{BLOCKED}.96.68
- {BLOCKED}.{BLOCKED}.0.81
- {BLOCKED}.{BLOCKED}.152.129
- {BLOCKED}.{BLOCKED}.75.123
- {BLOCKED}.{BLOCKED}.154.3
- {BLOCKED}.{BLOCKED}.152.3
- {BLOCKED}.{BLOCKED}.1.66
- {BLOCKED}.{BLOCKED}.1.66
- {BLOCKED}.{BLOCKED}.128.68
- {BLOCKED}.{BLOCKED}.134.68
- {BLOCKED}.{BLOCKED}.106.19
- {BLOCKED}.{BLOCKED}.80.65
- {BLOCKED}.{BLOCKED}.192.66
- {BLOCKED}.{BLOCKED}.192.68
- {BLOCKED}.{BLOCKED}.1.4
- {BLOCKED}.{BLOCKED}.96.5
- {BLOCKED}.{BLOCKED}.96.10
- {BLOCKED}.{BLOCKED}.19.40
- {BLOCKED}.{BLOCKED}.19.50
- {BLOCKED}.{BLOCKED}.111.118
- {BLOCKED}.{BLOCKED}.255.18
- {BLOCKED}.{BLOCKED}.209.5
- {BLOCKED}.{BLOCKED}.209.133
- {BLOCKED}.{BLOCKED}.6.2
- {BLOCKED}.{BLOCKED}.1.97
- {BLOCKED}.{BLOCKED}.72.1
- {BLOCKED}.{BLOCKED}.112.50
- {BLOCKED}.{BLOCKED}.150.66
- {BLOCKED}.{BLOCKED}.6.6
- {BLOCKED}.{BLOCKED}.97.234
- {BLOCKED}.{BLOCKED}.97.238
- {BLOCKED}.{BLOCKED}.97.242
- {BLOCKED}.{BLOCKED}.2.69
- {BLOCKED}.{BLOCKED}.96.68
- {BLOCKED}.{BLOCKED}.32.36
- {BLOCKED}.{BLOCKED}.32.39
- {BLOCKED}.{BLOCKED}.200.139
- {BLOCKED}.{BLOCKED}.0.124
- {BLOCKED}.{BLOCKED}.54.66
- {BLOCKED}.{BLOCKED}.39.73
- {BLOCKED}.{BLOCKED}.10.20
- {BLOCKED}.{BLOCKED}.55.244
- {BLOCKED}.{BLOCKED}.150.20
- {BLOCKED}.{BLOCKED}.252.16
- {BLOCKED}.{BLOCKED}.1.1
- {BLOCKED}.{BLOCKED}.211.193
- {BLOCKED}.{BLOCKED}.211.225
- {BLOCKED}.{BLOCKED}.130.1
- {BLOCKED}.{BLOCKED}.1.1
- {BLOCKED}.{BLOCKED}.233.1
- {BLOCKED}.{BLOCKED}.192.1
- {BLOCKED}.{BLOCKED}.192.174
- {BLOCKED}.{BLOCKED}.224.3
- {BLOCKED}.{BLOCKED}.224.5
- {BLOCKED}.{BLOCKED}.16.10
- {BLOCKED}.{BLOCKED}.16.11
- {BLOCKED}.{BLOCKED}.96.68
- {BLOCKED}.{BLOCKED}.104.68
- {BLOCKED}.{BLOCKED}.160.5
- {BLOCKED}.{BLOCKED}.160.185
- {BLOCKED}.{BLOCKED}.32.132
- {BLOCKED}.{BLOCKED}.224.68
- {BLOCKED}.{BLOCKED}.73.34
- {BLOCKED}.{BLOCKED}.0.130
- {BLOCKED}.{BLOCKED}.1.130
- {BLOCKED}.{BLOCKED}.67.4
- {BLOCKED}.{BLOCKED}.67.14
- {BLOCKED}.{BLOCKED}.84.58
- {BLOCKED}.{BLOCKED}.84.67
- {BLOCKED}.{BLOCKED}.252.8
- {BLOCKED}.{BLOCKED}.128.32
- {BLOCKED}.{BLOCKED}.96.9
- {BLOCKED}.{BLOCKED}.100.18
- {BLOCKED}.{BLOCKED}.100.21
- {BLOCKED}.{BLOCKED}.94.20
- {BLOCKED}.{BLOCKED}.94.241
- {BLOCKED}.{BLOCKED}.1.20
- {BLOCKED}.{BLOCKED}.114.133
- {BLOCKED}.{BLOCKED}.114.166
- {BLOCKED}.{BLOCKED}.152.130
- {BLOCKED}.{BLOCKED}.150.123
- {BLOCKED}.{BLOCKED}.128.33
- {BLOCKED}.{BLOCKED}.72.7
- {BLOCKED}.{BLOCKED}.29.68
- {BLOCKED}.{BLOCKED}.29.150
- {BLOCKED}.{BLOCKED}.29.170
- {BLOCKED}.{BLOCKED}.131.11
- {BLOCKED}.{BLOCKED}.200.68
- {BLOCKED}.{BLOCKED}.150.101
- {BLOCKED}.{BLOCKED}.150.139
- {BLOCKED}.{BLOCKED}.144.33
- {BLOCKED}.{BLOCKED}.160.33
- {BLOCKED}.{BLOCKED}.192.33
- {BLOCKED}.{BLOCKED}.208.33
- {BLOCKED}.{BLOCKED}.224.33
- {BLOCKED}.{BLOCKED}.144.161
- {BLOCKED}.{BLOCKED}.5.240
- {BLOCKED}.{BLOCKED}.25.129
- {BLOCKED}.{BLOCKED}.103.36
- {BLOCKED}.{BLOCKED}.1.227
- {BLOCKED}.{BLOCKED}.252.200
- {BLOCKED}.{BLOCKED}.120.5
- {BLOCKED}.{BLOCKED}.96.68
- {BLOCKED}.{BLOCKED}.248.219
- {BLOCKED}.{BLOCKED}.248.245
- {BLOCKED}.{BLOCKED}.254.34
- {BLOCKED}.{BLOCKED}.244.5
- {BLOCKED}.{BLOCKED}.104.15
- {BLOCKED}.{BLOCKED}.104.26
- {BLOCKED}.{BLOCKED}.33.227
- {BLOCKED}.{BLOCKED}.107.27
- {BLOCKED}.{BLOCKED}.128.68
- {BLOCKED}.{BLOCKED}.192.68
- {BLOCKED}.{BLOCKED}.17.2
- {BLOCKED}.{BLOCKED}.203.86
- {BLOCKED}.{BLOCKED}.203.90
- {BLOCKED}.{BLOCKED}.203.98
- {BLOCKED}.{BLOCKED}.92.86
- {BLOCKED}.{BLOCKED}.92.98
It does the following:
- It is capable of updating itself to its latest version.
- It replaces the following files with a copy of the malware and stores the original files in /usr/bin/dpkg/:
  - /bin/netstat
  - /bin/lsof
  - /bin/ps
  - /bin/ss
  - /usr/bin/netstat
  - /usr/bin/lsof
  - /usr/bin/ps
  - /usr/bin/ss
  - /usr/sbin/netstat
  - /usr/sbin/lsof
  - /usr/sbin/ps
  - /usr/sbin/ss
- It adds the following scripts in /etc/rc{1-5}.d/ and /etc/init.d/ to automatically execute itself when the system starts up:
  - /etc/rc{1-5}.d/S97DbSecuritySpt
  - /etc/rc{1-5}.d/S99selinux
  - /etc/init.d/selinux
  - /etc/init.d/DbSecuritySpt
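Because the backdoor overwrites ps, netstat, lsof and ss, output from those tools on an infected host cannot be trusted, so the file-system indicators in the Installation, Dropping routine and autostart lists above are the more reliable thing to check. The following POSIX shell script is an added example written here for that purpose; it is not tooling from Trend Micro or AsiaInfo Security. It takes an optional root prefix (an assumption of this example) so it can be pointed at a mounted disk image or a constructed test tree instead of the live system, and it checks both /usr/bin/dpkgd and /usr/bin/dpkg/ as the stash for the original binaries, since this report names both; the function names are likewise this example's own.

```shell
#!/bin/sh
# Added example (not Trend Micro / AsiaInfo Security tooling): look for the
# on-disk indicators this report attributes to Backdoor.Linux.SETAG.RPA.
# ROOT is an assumed optional prefix so the check can run against a mounted
# image (e.g. /mnt/evidence) or a constructed test tree; default is the live system.

# Dropped copies, lock/marker files and init scripts, as listed in the report.
SETAG_FILES="
/usr/bin/bsd-port/getty
/usr/bin/bsd-port/getty.lock
/tmp/gates.lod
/tmp/moni.lod
/tmp/notify.file
/etc/init.d/selinux
/etc/init.d/DbSecuritySpt
"
# Folders the backdoor creates.
SETAG_DIRS="/usr/bin/dpkgd /usr/bin/bsd-port"
# Autostart entries written to /etc/rc{1-5}.d/.
SETAG_RC_SCRIPTS="S97DbSecuritySpt S99selinux"
# System tools the backdoor overwrites with itself, keeping the originals aside.
SETAG_TOOLS="netstat lsof ps ss"
# The report names both /usr/bin/dpkgd and /usr/bin/dpkg/ for the stashed
# originals, so both are checked (assumption: treat either as the stash).
SETAG_STASH_DIRS="/usr/bin/dpkgd /usr/bin/dpkg"

# setag_scan [ROOT]: print one line per indicator found; prints nothing when clean.
setag_scan() {
    root="${1:-}"
    for f in $SETAG_FILES; do
        [ -e "$root$f" ] && echo "DROPPED   $f"
    done
    for d in $SETAG_DIRS; do
        [ -d "$root$d" ] && echo "FOLDER    $d"
    done
    for n in 1 2 3 4 5; do
        for s in $SETAG_RC_SCRIPTS; do
            [ -e "$root/etc/rc$n.d/$s" ] && echo "AUTOSTART /etc/rc$n.d/$s"
        done
    done
    # A stashed original that differs from the live binary means the live
    # copy (ps, netstat, ...) has been replaced and its output is untrustworthy.
    for stash in $SETAG_STASH_DIRS; do
        for t in $SETAG_TOOLS; do
            orig="$root$stash/$t"
            [ -f "$orig" ] || continue
            for dir in /bin /usr/bin /usr/sbin; do
                live="$root$dir/$t"
                if [ -f "$live" ] && ! cmp -s "$orig" "$live"; then
                    echo "REPLACED  $dir/$t (original kept at $stash/$t)"
                fi
            done
        done
    done
    return 0
}

# setag_hit_count [ROOT]: number of indicator lines setag_scan reports (0 = clean).
setag_hit_count() {
    setag_scan "${1:-}" | awk 'END { print NR }'
}

# When run directly: report on the given root (or the live system).
setag_scan "${1:-}"
```

Run it as `sh setag_check.sh` on the host, or `sh setag_check.sh /mnt/evidence` against a mounted image; an empty result means none of the listed indicators are present. Because the check compares the stashed original with the live binary rather than trusting a process or socket listing, it still works on a host where ps and netstat have already been swapped. The C2 address list above is redacted on this page, so no network indicator check is included.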
Solution
Minimum scan engine: 9.850
First VSAPI Pattern File: 14.568.04
First VSAPI pattern release date: October 16, 2018
VSAPI OPR pattern version: 15.237.00
VSAPI OPR pattern release date: July 16, 2019
Scan your computer with your AsiaInfo Security product and delete files detected as Backdoor.Linux.SETAG.RPA. If the detected files have already been cleaned, deleted, or quarantined by your AsiaInfo Security product, no further step is required. You may opt to simply delete the quarantined files. Please check the Knowledge Base page for more details.