Home / malware Linux.Zorroten
First posted on 24 February 2015.
Source: SymantecAliases :
There are no other names known for Linux.Zorroten.
Explanation :
When the Trojan is executed, it changes its process name to the following: n1mWrb6l1t67Gvj
The Trojan then scans random IP addresses for Telnet services (TCP port 23) using the following user name/password combinations: root/rootroot/adminroot/[BLANK]root/1234root/12345root/123456root/1111root/passwordroot/dreamboxroot/vizxvroot/systemadmin/adminadmin/[BLANK]admin/passwordadmin/1234admin/12345admin/123456admin/1111admin/smcadminadmin/4321support/support
If the Trojan is able to gain access to a Telnet service, it then sends the IP address, user name, and password to the following remote location: [http://]104.192.0.18/[REMOVED]Last update 24 February 2015