Viruses based on Linux systems

Source: Internet
Author: User
Tags: tmp folder, valid email address, drupal, perl script, microsoft iis

Although viruses are not widespread on Linux, some do exist; I have collected the following information from several security websites.
 
1. Virus Name:
 
Linux.Slapper.Worm
 
Category: Worms
 
Virus data: Infected systems: Linux
 
Unaffected systems: Windows 3.x, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me, Macintosh
 
Virus spread:
 
Ports: 80, 443, 2002
 
Infection target: Apache web servers running on Linux systems
 
Technical Features:
 
The worm repeatedly attempts to connect to port 80 and sends an invalid "GET" request to the server in order to identify Apache systems. Once it finds one, it connects to port 443 and sends malicious code to the SSL service listening on the remote system.
 
The exploit uses Linux shellcode that only runs on Intel (x86) systems and needs the shell /bin/sh in order to execute correctly. The worm uuencodes its own source code into the file ".bugtraq.c" (a dotfile, so only "ls -a" shows it), sends it to the remote system and decodes it there. It then compiles the file with gcc and executes the resulting binary ".bugtraq". These files are stored in the /tmp folder.
 
The worm is executed with an IP address as its parameter. This address belongs to a machine the attackers use to build a denial-of-service network out of infected machines. Each infected system listens on UDP port 2002 for attacker instructions.
 
The worm targets Apache systems whose IP addresses have one of the following numbers as their first octet, for example:
 
3, 4, 6, 8, 9, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 24, 25, 26, 28, 29, 30, 32, 33, 34, 35, 38, 40, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 61, 62, 63, 64, 65, 66, 67, 68, 80, 81, 128, 129, 130, 131, 132, 133, 134, 135, 136, 137, 138, 139, 140, 141, 142, 143, 144, 145, 146, 147, 148, 149, 150, 151, 152, 153, 154, 155, 156, 157, 158, 159, 160, 161, 162, 163, 164, 165, 166, 167, 168, 169, 170, 171, 172, 173, 174, 175, 176, 177, 178, 179, 180, 181, 182, 183, 184, 185, 186, 187, 188, 189, 190, 191, 192, 193, 194, 195, 196, 198, 199, 200, 201, 202, 203, 204, 205, 206, 207, 208, 209, 210, 211, 212, 213, 214, 215, 216, 217, 218, 219, 220, 224, 225, 226, 227, 228, 229, 230, 231, 232, 233, 234, 235, 236, 237, 238, 239
 
2. Virus name:
 
Trojan.linux.typot.a
 
Category: Trojan
 
Virus data: Behaviour:
 
This is a Trojan for the Linux operating system. Every few seconds it sends a TCP packet whose destination and source IP addresses are random; these packets have fixed characteristics, including a TCP window size of 55808. The Trojan also sniffs the network, and when it sees a TCP packet whose window size equals 55808 it creates a file named "R" in the current folder. Every 24 hours it checks whether the file "R" exists; if so, it tries to connect to a fixed IP address (probably the Trojan's client side). If the connection succeeds, the Trojan deletes the file /tmp/....../a and exits.
 
3. Virus Name:
 
TROJAN.LINUX.TYPOT.B Category: Trojan
 
Virus data: Behaviour:
 
This is a Trojan for the Linux operating system. Every few seconds it sends a TCP packet whose destination and source IP addresses are random; these packets have fixed characteristics, including a TCP window size of 55808. The Trojan also sniffs the network, and when it sees a TCP packet whose window size equals 55808 it creates a file named "R" in the current folder. Every 24 hours it checks whether the file "R" exists; if so, it tries to connect to a fixed IP address (probably the Trojan's client side). If the connection succeeds, the Trojan deletes the file /tmp/....../a and exits.
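The two Typot entries above name one fixed, observable feature of the beacon traffic: a TCP window size of 55808. The following is an added example, not code from the original page, that shows how a defender can test for that indicator in raw TCP headers; the segments it examines are constructed sample data, and the function and constant names are my own.

```python
import struct
from typing import Dict, List

# Window size the Typot write-up names as a fixed feature of its beacon packets.
TYPOT_WINDOW_SIZE = 55808


def parse_tcp_header(segment: bytes) -> Dict[str, int]:
    """Decode the fixed 20-byte part of a TCP header (network byte order)."""
    if len(segment) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack(
        "!HHIIHHHH", segment[:20]
    )
    return {
        "sport": sport,
        "dport": dport,
        "seq": seq,
        "ack": ack,
        "data_offset": (off_flags >> 12) * 4,  # header length in bytes
        "flags": off_flags & 0x1FF,            # NS..FIN control bits
        "window": window,
    }


def build_tcp_header(sport: int, dport: int, seq: int, ack: int,
                     flags: int, window: int) -> bytes:
    """Build a minimal 20-byte TCP header; used only to construct sample traffic."""
    off_flags = (5 << 12) | (flags & 0x1FF)  # data offset 5 words, no options
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, window, 0, 0)


def find_typot_segments(segments: List[bytes]) -> List[Dict[str, int]]:
    """Return the parsed headers whose window size equals the Typot indicator."""
    hits = []
    for seg in segments:
        try:
            hdr = parse_tcp_header(seg)
        except ValueError:
            continue  # truncated capture, nothing to judge
        if hdr["window"] == TYPOT_WINDOW_SIZE:
            hits.append(hdr)
    return hits


# Constructed sample segments (not captured traffic): an ordinary SYN and
# SYN-ACK, two Typot-like beacons, and one truncated fragment.
SAMPLE_SEGMENTS = [
    build_tcp_header(40000, 80, 1, 0, 0x02, 65535),
    build_tcp_header(12345, 54321, 7, 0, 0x02, TYPOT_WINDOW_SIZE),
    build_tcp_header(443, 40000, 99, 2, 0x12, 29200),
    build_tcp_header(23456, 65432, 8, 0, 0x02, TYPOT_WINDOW_SIZE),
    b"\x00\x01\x02",
]

if __name__ == "__main__":
    for hdr in find_typot_segments(SAMPLE_SEGMENTS):
        print(f"Typot-like window size: {hdr['sport']} -> {hdr['dport']} "
              f"flags=0x{hdr['flags']:03x}")
```

In practice the segments would come from a packet capture after stripping the link and IP layers; a window size alone is a weak indicator, so the hit list is something to correlate with the random source addresses the write-up describes rather than an alert on its own.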
 
4. Virus name:
 
W32/linux.bi Category: Win32/Linux cross-platform virus
 
Virus data: W32/linux.bi is a cross-platform virus, 1287 bytes in length, that infects Linux, Windows X, Windows 98, Windows Me, Windows NT, Windows Server 2003 and Windows XP. It infects the executable files in the current folder according to the operating system type. When the virus is received and run, the following behaviour occurs:
 
A. Infects executable files between 4 KB and 4 MB in length in the current folder (it does not infect DLL files under Windows)
 
5. Virus Name:
 
LINUX.PLUPII.C Category: Linux virus
 
Virus data: LINUX.PLUPII.C is a Linux virus, 407,576 bytes in length, that infects Linux, Novell NetWare and UNIX systems. It spreads through system vulnerabilities; the symptoms of infection are:
 
A. Opens a backdoor on UDP port 27015, allowing attackers to control the computer remotely
 
B. Generates IP addresses and appends the following paths to form URLs:
 
/cvs/
 
/articles/mambo/
 
/cvs/mambo/
 
/blog/xmlrpc.php
 
/blog/xmlsrv/xmlrpc.php
 
/blogs/xmlsrv/xmlrpc.php
 
/drupal/xmlrpc.php
 
/phpgroupware/xmlrpc.php
 
/wordpress/xmlrpc.php
 
/xmlrpc/xmlrpc.php
 
C. Sends HTTP requests to the above addresses, attempting to propagate through the following vulnerabilities:
 
PHP XML-RPC remote injection vulnerability (see vulnerability list ID 14088, http://www.securityfocus.com/bid/14088)
 
AWStats Rawlog plug-in parameter input validation vulnerability (see vulnerability list ID 10950, http://www.securityfocus.com/bid/10950)
 
Darryl Burgdorf WebHints remote command execution vulnerability (see vulnerability list ID 13930, http://www.securityfocus.com/bid/13930)
 
D. When a vulnerable computer is found, the virus exploits the vulnerability to download a script file from 198.170.105.69 to the vulnerable computer and run it
 
E. Downloads the following files to the /tmp/.temp folder, infecting the computer:
 
CB (Virus LINUX.PLUPII.B)
 
HTTPS (Perl script backdoor)
 
Ping.txt (Perl shell backdoor script)
 
httpd
 
F. Attempts to connect to a reserved address on TCP port 8080 and opens a shell backdoor
 
G. Opens an IRC backdoor and connects to the following IRC servers:
 
eu.undernet.org
 
us.undernet.org
 
195.204.1.130
 
194.109.20.90
 
The virus looks for and joins a channel whose name contains the string Lametrapchan, then waits for attacker commands.
 
6. Virus Name:
 
Linux.mare Category: Linux virus
 
Virus data: The virus is variable in length and infects Linux. It spreads through the PHP phpbb_root_path vulnerability and opens a backdoor through which attackers can download and run remote files. Infection has the following effects:
 
A. Opens a backdoor and connects to the following servers:
 
81.223.104.152
 
24.224.174.18
 
B. Accepts and runs commands issued by a remote attacker, such as:
 
Update virus
 
Run command
 
Stop the virus
 
C. Downloads and runs the remote file listen from the above servers
 
D. Downloads and runs the remote update file update.listen
 
E. Records information to the file listen.log
 
F. Scans for the PHP phpbb_root_path vulnerability
 

G. Runs the following command on the scanned computers: http://209.136.48.69/[deleted]/cvac

7. Virus Name:
 
LINUX.PLUPII Category: Linux virus
 
Virus data: The virus is 34,724 bytes long and infects Linux systems. It spreads by exploiting web server vulnerabilities and opens a backdoor for attackers. When the virus is received and run, it has the following effects:
 
A. Sends a notification message to a remote attacker via UDP port 7222
 
B. Opens a backdoor for attacker actions
 
C. Generates URLs that include the following paths:
 
/cgi-bin/
 
/scgi-bin/
 
/awstats/
 
/cgi-bin/awstats/
 
/scgi-bin/awstats/
 
/cgi/awstats/
 
/scgi/awstats/
 
/scripts/
 
/cgi-bin/stats/
 
/scgi-bin/stats/
 
/stats/
 
/xmlrpc.php
 
/xmlrpc/xmlrpc.php
 
/xmlsrv/xmlrpc.php
 
/blog/xmlrpc.php
 
/drupal/xmlrpc.php
 
/community/xmlrpc.php
 
/blogs/xmlrpc.php
 
/blogs/xmlsrv/xmlrpc.php
 
/blog/xmlsrv/xmlrpc.php
 
/blogtest/xmlsrv/xmlrpc.php
 
/b2/xmlsrv/xmlrpc.php
 
/b2evo/xmlsrv/xmlrpc.php
 
/wordpress/xmlrpc.php
 
/phpgroupware/xmlrpc.php
 
/cgi-bin/includer.cgi
 
/scgi-bin/includer.cgi
 
/includer.cgi
 
/cgi-bin/include/includer.cgi
 
/scgi-bin/include/includer.cgi
 
/cgi-bin/inc/includer.cgi
 
/scgi-bin/inc/includer.cgi
 
/cgi-local/includer.cgi
 
/scgi-local/includer.cgi
 
/cgi/includer.cgi
 
/scgi/includer.cgi
 
/hints.pl
 
/cgi/hints.pl
 
/scgi/hints.pl
 
/cgi-bin/hints.pl
 
/scgi-bin/hints.pl
 
/hints/hints.pl
 
/cgi-bin/hints/hints.pl
 
/scgi-bin/hints/hints.pl
 
/webhints/hints.pl
 
/cgi-bin/webhints/hints.pl
 
/scgi-bin/webhints/hints.pl
 
/hints.cgi
 
/cgi/hints.cgi
 
/scgi/hints.cgi
 
/cgi-bin/hints.cgi
 
/scgi-bin/hints.cgi
 
/hints/hints.cgi
 
/cgi-bin/hints/hints.cgi
 
/scgi-bin/hints/hints.cgi
 
/webhints/hints.cgi
 
/cgi-bin/webhints/hints.cgi
 
/scgi-bin/webhints/hints.cgi
 
D. Sends HTTP requests to the URLs generated above, attempting to propagate through the following web vulnerabilities:
 
PHP XML-RPC remote overflow vulnerability (ID 14088)
 
AWStats Rawlog plugin log file input vulnerability (ID 10950)
 
Darryl Burgdorf WebHints remote command execution vulnerability (ID 13930)
 
F. Attempts to download and run the virus from http://62.101.193.244/[deleted]/lupii
 
G. Saves the downloaded virus to /tmp/lupii
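Entries 5 and 7 both describe the same propagation pattern: the worm generates target addresses and requests a fixed list of xmlrpc.php, AWStats and WebHints paths. That list is exactly what a web server's access log preserves, so the following added example (my code, not the page's or the malware's) parses combined-format access-log lines and groups requests for those paths by client. The log lines are constructed sample data using documentation address ranges, the path list is a subset of the paths given above, and all function names are mine.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

# Request paths taken from the Plupii and Plupii.C descriptions above. Entries
# ending in "/" are directories the worm probes and are matched as prefixes;
# the rest are matched exactly.
PLUPII_PROBE_PATHS = [
    "/blog/xmlrpc.php", "/blogs/xmlsrv/xmlrpc.php", "/drupal/xmlrpc.php",
    "/wordpress/xmlrpc.php", "/xmlrpc/xmlrpc.php", "/xmlsrv/xmlrpc.php",
    "/phpgroupware/xmlrpc.php", "/cgi-bin/includer.cgi", "/cgi-bin/hints.pl",
    "/cgi-bin/webhints/hints.pl", "/cgi-bin/hints.cgi",
    "/awstats/", "/cgi-bin/awstats/", "/cgi-bin/stats/", "/stats/",
]

# Apache/nginx "combined" log format; only the fields this check needs are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: \S+)?" (?P<status>\d{3})\b'
)


def request_path(target: str) -> str:
    """Drop query string and fragment, normalise case and duplicate slashes."""
    path = target.split("?", 1)[0].split("#", 1)[0].lower()
    return re.sub(r"/+", "/", path)


def match_probe_path(path: str, probes: Iterable[str] = PLUPII_PROBE_PATHS) -> Optional[str]:
    """Return the probe entry a request path corresponds to, or None."""
    for probe in probes:
        if probe.endswith("/"):
            if path.startswith(probe):
                return probe
        elif path == probe:
            return probe
    return None


def scan_access_log(lines: Iterable[str]) -> Dict[str, List[Tuple[str, str, str]]]:
    """Collect (timestamp, probe path, status) per client IP for matching requests."""
    hits: Dict[str, List[Tuple[str, str, str]]] = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log record
        probe = match_probe_path(request_path(m["target"]))
        if probe is not None:
            hits[m["ip"]].append((m["ts"], probe, m["status"]))
    return dict(hits)


def probe_clients(hits: Dict[str, List[Tuple[str, str, str]]], min_distinct: int = 2) -> List[str]:
    """Clients that touched at least min_distinct different probe paths.

    A single request to a hosted xmlrpc.php is normal; one client walking several
    of the listed paths in a row is the scan pattern the write-ups describe.
    """
    return sorted(ip for ip, recs in hits.items()
                  if len({probe for _, probe, _ in recs}) >= min_distinct)


# Constructed sample log (documentation IP ranges, not a real capture).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2005:13:55:36 +0000] "POST /blog/xmlrpc.php HTTP/1.1" 404 286 "-" "-"
203.0.113.7 - - [10/Oct/2005:13:55:36 +0000] "POST /drupal/xmlrpc.php HTTP/1.1" 404 286 "-" "-"
203.0.113.7 - - [10/Oct/2005:13:55:37 +0000] "GET /cgi-bin/awstats/awstats.pl?config=site HTTP/1.1" 404 290 "-" "-"
203.0.113.7 - - [10/Oct/2005:13:55:38 +0000] "GET /cgi-bin/webhints/hints.pl HTTP/1.1" 404 290 "-" "-"
198.51.100.22 - - [10/Oct/2005:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Oct/2005:13:56:05 +0000] "POST /wordpress/xmlrpc.php HTTP/1.1" 200 42 "-" "Mozilla/5.0"
this line is not an access-log record
""".splitlines()

if __name__ == "__main__":
    found = scan_access_log(SAMPLE_LOG)
    for ip in probe_clients(found):
        print(ip, "probed:", sorted({probe for _, probe, _ in found[ip]}))
```

The 404 statuses in the sample are typical of a worm that tries every path on every host; on a server that actually hosts one of these applications the interesting records are the 200s, which is where a review of the application's own version and patch state should follow.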
 
8. Virus Name:
 
linux.jac.8759 Category: Linux virus
 
Virus data: Infection Length: 8759 bytes
 
Virus introduction: linux.jac.8759 is a virus that infects files on Linux systems; it can infect all ELF executable files in its own folder.
 
Technical features: When linux.jac.8759 runs, it examines all files in its own folder and infects any writable executable files it finds. It does not infect files whose names end in the letters "ps", nor does it infect files under the x86 platform.
 
The virus changes several fields of the infected file's header. One of these changes serves as an infection marker, so that the virus does not infect the same file more than once.
 
9. Virus Name:
 
Linux.Mighty.worm Category: Unix/linux worm
 
Virus data: Technical features:
 
This is a Linux worm similar to the earlier Slapper; both spread via machines running the Apache server software on Linux. Once a vulnerable machine is found, the worm uses a buffer overflow vulnerability in the OpenSSL server (port 443) to run remote shell commands. For details of this vulnerability see http://www.kb.cert.org/vuls/id/102795.
 
The worm is made up of four files:
 
a. script.sh: the initial shell script, which downloads, compiles and runs the other components;
 
b. devnul: a 32-bit x86 ELF executable of about 19050 bytes, the main component the worm uses to scan the Internet;
 
c. sslx.c: the source file of the OpenSSL exploit, compiled by script.sh for devnul's use;
 
d. k: a 32-bit x86 ELF executable of about 37237 bytes, a Linux port of the Kaiten backdoor and DDoS tool.
 
When the shell script (script.sh) executes, it downloads the other three components, compiles the exploit source (sslx.c) into the binary sslx, then runs the Kaiten backdoor (k) and the devnul file. devnul scans the Internet for vulnerable machines and, once it finds an unpatched one, runs the buffer overflow exploit code in the sslx program.
 
Once the worm has entered a new system and executed successfully there, it downloads and runs the shell script (script.sh), completing the worm's self-replication cycle.
 
10. Virus Name:
 
Linux.simile Category: Win32 virus
 
Virus data: Infection Length: variable
 
Hazard Level: Low
 
Affected systems: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me, Linux
 
Unaffected systems: Windows 3.x, Microsoft IIS, Macintosh, Unix
 
Technical Features:
 
This is a very complex virus that uses entry point obscuring, metamorphic and polymorphic encryption techniques; it is also the first metamorphic virus able to infect both the Windows and the Linux platform. It carries no destructive payload, but after infecting a file it pops up a dialog box on specific dates, which is an annoyance. The virus is the fourth variant of the Simile family and introduces a new infection mechanism on the Intel Linux platform that infects 32-bit ELF files (the standard UNIX binary format). It can infect PE files under Win32 and ELF files under Linux.
 
When the virus first executes it checks the current system date. If the host file is a PE file and the date is 17 March or 17 September, a message box appears:
 
If the host file is in ELF format, then on 17 March or 14 May the virus prints a text message similar to the following to the console:
 
The virus has been shown to infect Red Hat Linux 6.2, 7.0 and 7.2, and very probably infects other versions too. Infected files grow by about 110 KB on average, but the growth varies depending on how the virus's metamorphic engine shrinks or expands the code and how it is inserted.
 
11. Virus Name:
 
Linux.slapper.b Category: Unix/linux worm
 
Virus data: Hazard level: Medium
 
Propagation Speed: Medium
 
Technical Features:
 
This is a network worm that infects Linux systems, similar to the original LINUX.SLAPPER.A but with some new features. It searches for systems running the Apache server and, once it finds a vulnerable machine, uses the OpenSSL server buffer overflow vulnerability to execute remote shell commands. For details of this vulnerability see: http://www.kb.cert.org/vuls/id/102795
 
When the variant propagates it carries its own source code and compiles it on each victim machine into an executable. The source file is named ".cinik.c" and is copied to the "/tmp" folder; the compiled file, ".cinik", is stored in the same folder together with a uuencoded copy of the source code. This variant also contains a shell script, /tmp/.cinik.go, that searches for files on the infected system and overwrites them with the worm's binary code. The script also sends information about the local machine and network to an e-mail address at yahoo.com.
 
If the user deletes the source file /tmp/cinik.c, the worm downloads a copy of the source from a website; that file is also named CINIK.C.
 
In addition, the infected system runs a backdoor server on UDP port 1978. Like all backdoors, the server side responds to special instructions sent by a remote unauthorized user and performs various actions accordingly; one instruction, for example, searches the infected machine for e-mail addresses.
 
It scans all files in all folders (except /proc, /dev and /bin) for valid e-mail addresses. Addresses containing the string ".hlp" or equal to "[email protected]" are ignored; all other e-mail addresses are sent as a list to the IP address the remote user initially specified.
 
In addition, remote unauthorized users may also send other instructions, such as:
 
A. DoS attack (TCP or UDP);
 
B. Turn the TCP proxy (port 1080) on or off;
 
C. Run arbitrary programs;
 
D. Obtain the names of other infected servers.
 
When scanning for possibly vulnerable machines, this variant checks IP addresses of the following form:
 
A.B.0-255.0-255
 
where B is a random number between 0 and 255, and A is randomly selected from the following list:
 
3 4 6 8 9 11 12 13 14
15 16 17 18 19 20 21 22 24
25 26 28 29 30 32 33 34 35
38 40 43 44 45 46 47 48 49
50 51 52 53 54 55 56 57 61
62 63 64 65 66 67 68 80 81
128 129 130 131 132 133 134 135 136
137 138 139 140 141 142 143 144 145
146 147 148 149 150 151 152 153 154
155 156 157 170 171 172 173 174 175
176 177 178 179 180 181 182 183 184
185 186 187 188 189 190 191 192 193
194 195 196 198 200 201 202 203 204
205 206 207 208 209 210 211 212 213
214 215 216 217 218 219 220 224 225
226 227 228 229 230 231 232 233 234
235 236 237 238 239
 
12. Virus Name:
 
LINUX.SLAPPER.C Category: Unix/linux worm
 
Virus data: Technical features:
 
This is a network worm that infects Linux systems, similar to the original LINUX.SLAPPER.A but with some new features. It searches for systems running the Apache server and, once it finds a vulnerable machine, uses the OpenSSL server buffer overflow vulnerability to execute remote shell commands. For details of this vulnerability see: http://www.kb.cert.org/vuls/id/102795
 
When the variant propagates it carries its own source code and compiles two programs on each victim machine, "unlock.c" and "update.c", both created in the "/tmp" folder. The first, once compiled successfully, is named "httpd" and is located in the same folder. The second executable, "update", listens on port 1052 and, when the correct password is entered, accepts interactive shell commands. In addition, the variant sends the host name and IP address of the infected machine to a specified e-mail address.
 
Like Slapper.a and Slapper.b, a system infected with SLAPPER.C runs a backdoor server on UDP port 4156 that responds to special instructions sent by a remote unauthorized user and performs various operations accordingly. A common instruction, for example, searches the infected machine for e-mail addresses.
 
It scans all files in all folders (except the three special folders /proc, /dev and /bin) for valid e-mail addresses. Addresses containing the string ".hlp" or equal to "[email protected]" are ignored; all other e-mail addresses are sent as a list to the IP address the remote user initially specified.
 
In addition, remote unauthorized users may also send other instructions, such as:
 
A. DoS attack (TCP or UDP);
 
B. Turn the TCP proxy (port 1080) on or off;
 
C. Run arbitrary programs;
 
D. Obtain the names of other infected servers.
 
When scanning for possibly vulnerable machines, this variant checks IP addresses of the following form:
 
A.B.0-255.0-255
 
where B is a random number between 0 and 255, and A is randomly selected from the following list:
 
3 4 6 8 9 11 12 13 14
15 16 17 18 19 20 21 22 24
25 26 28 29 30 32 33 34 35
38 40 43 44 45 46 47 48 49
50 51 52 53 54 55 56 57 61
62 63 64 65 66 67 68 80 81
128 129 130 131 132 133 134 135 136
137 138 139 140 141 142 143 144 145
146 147 148 149 150 151 152 153 154
155 156 157 170 171 172 173 174 175
176 177 178 179 180 181 182 183 184
185 186 187 188 189 190 191 192 193
194 195 196 198 200 201 202 203 204
205 206 207 208 209 210 211 212 213
214 215 216 217 218 219 220 224 225
226 227 228 229 230 231 232 233 234
235 236 237 238 239
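The three Slapper entries (1, 11 and 12) share two host-side indicators that are easy to check without any signature engine: the file names the worm drops in /tmp and the UDP port its backdoor listens on. The following is an added example of such a check; it is my code, not the page's or the worm's. The file and port lists are taken from the entries above, the /proc/net/udp sample is constructed (the real file has the same column layout, with hex ports), and all function names are mine.

```python
import os
from typing import Dict, Iterable, List

# File names the Slapper write-ups place in /tmp.
SLAPPER_TMP_NAMES = {
    ".bugtraq", ".bugtraq.c",                     # Linux.Slapper.Worm
    ".cinik", ".cinik.c", ".cinik.go",            # Linux.Slapper.B
    ".unlock.c", ".update.c", "httpd", "update",  # Linux.Slapper.C
}

# UDP ports the same entries say the backdoor listens on.
SLAPPER_UDP_PORTS = {
    2002: "Linux.Slapper.Worm",
    1978: "Linux.Slapper.B",
    4156: "Linux.Slapper.C",
}


def suspicious_tmp_names(names: Iterable[str]) -> List[str]:
    """Return the directory entries whose names match a Slapper indicator."""
    return sorted(n for n in names if n in SLAPPER_TMP_NAMES)


def scan_tmp_directory(path: str = "/tmp") -> List[str]:
    """Live check: list a directory and report matching names."""
    return suspicious_tmp_names(os.listdir(path))


def parse_proc_net_udp(text: str) -> List[int]:
    """Extract local port numbers from /proc/net/udp content.

    Each data row looks like "  sl: local_address rem_address st ..." where
    local_address is "hexIP:hexPORT"; the first line is the column header.
    """
    ports = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 2 or ":" not in fields[1]:
            continue
        ports.append(int(fields[1].rsplit(":", 1)[1], 16))
    return ports


def check_backdoor_ports(proc_net_udp: str) -> Dict[int, str]:
    """Map each bound UDP port that matches a Slapper indicator to the variant name."""
    return {p: SLAPPER_UDP_PORTS[p]
            for p in parse_proc_net_udp(proc_net_udp) if p in SLAPPER_UDP_PORTS}


# Constructed sample: a DHCP client socket (0x0044 = 68) plus sockets bound to
# 0x07D2 = 2002 and 0x103C = 4156, the Slapper.A and Slapper.C backdoor ports.
SAMPLE_PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  45: 00000000:0044 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 12345 2 0000000000000000 0
 101: 00000000:07D2 00000000:0000 07 00000000:00000000 00:00000000 00000000    48        0 23456 2 0000000000000000 0
 102: 0100007F:103C 00000000:0000 07 00000000:00000000 00:00000000 00000000    48        0 34567 2 0000000000000000 0
"""

if __name__ == "__main__":
    print("sample ports:", check_backdoor_ports(SAMPLE_PROC_NET_UDP))
    if os.path.exists("/proc/net/udp"):
        with open("/proc/net/udp") as fh:
            print("this host's ports:", check_backdoor_ports(fh.read()))
        print("this host's /tmp:", scan_tmp_directory())
```

A hit on "httpd" or "update" in /tmp is the weakest of these indicators, since the names are generic; the dotfiles and the port bindings are the ones worth acting on, and on a live host the follow-up is to map the bound socket to its process rather than to delete the files the write-ups name.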
