Technical Information
Malicious functions:
Launches itself as a daemon
Substitutes application name for:
- ks0ftirqd/0
- telnetd
Replaces the following system files:
- /usr/bin/ps
- /usr/bin/netstat
- /usr/bin/ss
- /usr/bin/lsof
Launches processes:
- mv <SAMPLE_FULL_PATH> /tmp/.bash_profi1e -f
- chmod 777 /usr/bin/ss
- mv /usr/bin/lsofs /usr/bin/lsof;mv /usr/bin/lsof /usr/bin/lsofs
- mv /usr/bin/netstat /usr/bin/netstats
- chmod 777 /usr/bin/ps
- mv /usr/bin/lss /usr/bin/ls;mv /usr/bin/ls /usr/bin/lss
- chmod 777 /usr/bin/netstat
- mv /usr/bin/sss /usr/bin/ss;mv /usr/bin/ss /usr/bin/sss
- /tmp/.bash_profi1e ks0ftirqd/0
- chmod 777 bin boot dev etc home initrd.img initrd.img.old lib lib32 lib64 lost+found media mnt opt proc root run sbin srv sys tmp usr var vmlinux vmlinux.old /tmp/.bash_prof
- mv /usr/bin/ls /usr/bin/lss
- mv /usr/bin/lsof /usr/bin/lsofs
- chmod 777 /usr/bin/ls
- mv /usr/bin/ps /usr/bin/pss
- mv /usr/bin/pss /usr/bin/ps;mv /usr/bin/ps /usr/bin/pss
- mv /usr/bin/lsofs /usr/bin/lsof
- mv /usr/bin/sss /usr/bin/ss
- mv /usr/bin/netstats /usr/bin/netstat;mv /usr/bin/netstat /usr/bin/netstats
- mv /usr/bin/pss /usr/bin/ps
- chmod 777 /usr/bin/lsof
- mv /usr/bin/ss /usr/bin/sss
- mv <SAMPLE_FULL_PATH> /tmp/.bash_profi1e -f;chmod 777 * /tmp/.bash_prof
- mv /usr/bin/lss /usr/bin/ls
- rm -rf /tmp/.bash_profi1e
- mv /usr/bin/netstats /usr/bin/netstat
Performs operations with the file system:
Modifies file access rights:
- /usr/bin
- /boot
- /dev
- /etc
- /home
- /boot/initrd.img-4.19.0-21-4kc-malta
- /usr/lib
- /usr/lib32
- /usr/lib64
- /lost+found
- /media
- /mnt
- /opt
- /proc
- /root
- /run
- /usr/sbin
- /srv
- /sys
- /tmp
- /usr
- /var
- /boot/vmlinux-4.19.0-21-4kc-malta
- /usr/bin/ps
- /usr/bin/netstat
- /usr/bin/ls
- /usr/bin/ss
- /usr/bin/lsof
Creates or modifies files:
- /proc/498/cmdline
- <SAMPLE_FULL_PATH>
- /proc/510/cmdline
- /usr/bin/ps
- /usr/bin/ls
- /usr/bin/ss
- /usr/bin/lsof
Mounts file systems:
- /tmp
