September 29, 2015
Linux.Ellipsis.1 is designed to set up a proxy server on the attacked machine. However, this sample is not like other malicious programs targeting Linux—its behavior was called “paranoid” by Doctor Web security researchers. It is already known that cybercriminals use such proxy servers to get anonymous access to devices hacked by another malicious program dubbed Linux.Ellipsis.2. The attack scheme looks as follows: using Linux.Ellipsis.2, cybercriminals get unauthorized access via SSH to any network device or computer and then use it to perform their malicious activities while maintaining anonymity thanks to Linux.Ellipsis.1.
Let us now have a closer look at Linux.Ellipsis.1.
Once launched on the infected machine, Linux.Ellipsis.1 removes its own working directory, clears the list of iptables rules, and attempts to “kill” processes of a number of running applications—for example, of programs used to log events and analyze traffic. After that, the Trojan replaces existing directories and system log files with folders under the same names—this makes creation of logs with identical names in future impossible.
Next, Linux.Ellipsis.1 modifies the "/etc/coyote/coyote.conf" configuration file by adding the alias passwd=cat\n string. Then it removes a number of system tools from /bin/, /sbin/, and /usr/bin/ and adds the immutable attribute to some files necessary for its operation. Moreover, the Trojan blocks subnet IP addresses specified in the configuration file or in the command received by the Trojan. At that, “blocking” means that after an appropriate iptables rule is created, a specific IP address is not allowed to send or receive packages over a specified port or protocol.
The main purpose of Linux.Ellipsis.1 is to set up a proxy server on the infected computer. For that, the Trojan monitors connections on a local address and port proxying all traffic transmitted via them.
Compared to other malicious programs, the behavior of Linux.Ellipsis.1 is rather unique—the Trojan encompasses a list of strings for which it searchers network traffic. If any of the strings is detected, the Trojan blocks data transfer to the corresponding remote server at the IP address. The list of forbidden words also has a part which changes in accordance with the contents of the incoming package. For example, if the incoming package contains the “User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)” string, the list is appended with the “eapmygev.” and “ascuviej.” values. Moreover, the Trojan uses the list of ignored and suspicious words too.
The “paranoid” behavior of Linux.Ellipsis.1 also lies in the fact that, apart from blocking remote nodes from the list, it checks all network connections and sends the remote server the IP address to which the connection is established. If the server responds with the “kill” command, the Trojan shuts down the application that established the connection and blocks the IP address using iptables. In the home directory, Linux.Ellipsis.1 creates the "ip.filtered" file, where "ip" is replaced with a string representation of the blocked IP address. The same check is applied to processes that contain "sshd" in their names. IP addresses from the lists are blocked forever, while other addresses are blocked just for 2 hours—once every half an hour, a separate malicious process scans the contents of the home directory looking for files that were created more than two hours ago and whose names start with an IP address. After that, these files are deleted and a corresponding rule in iptables is created.
Right after Linux.Ellipsis.1 was detected, Doctor Web security researchers traced Linux.Ellipsis.2 which is, judging by some of its features, a creation of the same virus writer and is designed to brute-force passwords. Like Linux.Ellipsis.1, this Trojan clears the list of iptables rules, removes applications that are “in its way”, creates folders to prevent the system from logging events, and refers for tasks to the server whose address it gets as an incoming argument on startup. Linux.Ellipsis.2 calculates the total number of scanning threads and SSH connections on the basis of the infected computer' processor frequency.
A task obtained from the server contains an IP address of a subnet that the malicious program scans for devices with open SSH connections on port 22. If such devices are detected, the Trojan tries to connect to them by going through all login:password pairs from a special list. If such an attempt is successful, the Trojan sends an appropriate message to the server controlled by cybercriminals.
Signatures of all the programs mentioned in this article have been added to Dr.Web virus database. Therefore, these Trojans pose no threat to Dr.Web users.
Tell us what you think
You will be awarded one Dr.Webling per comment. To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.