Linux/Roopre [Threat Name]

Linux/Roopre.A [Threat Variant Name]

Category trojan
Detection created May 08, 2014
Detection database version 10115
Aliases Backdoor.Linux.Roopre.g (Kaspersky)
  Trojan:Linux/Roopre.A (Microsoft)
  Backdoor.Linux.Roopre.A (BitDefender)
  Linux.Roopre.1 (Dr.Web)
Short description

The trojan serves as a backdoor. It can be controlled remotely.

Installation

The trojan does not create any copies of itself.


The trojan may create the following files:

  • %currentfolder%/1.sh
  • %currentfolder%/rss-aggr.so
  • %currentfolder%/libworker.so
  • /etc/rc.local
  • /tmp/.sc (12 MB)
  • %currentfolder%/.caches (12 MB)
  • %currentfolder%/.cache (12 MB)
  • %currentfolder%/.sd0 (12 MB)
  • %currentfolder%/.fghv (12 MB)
  • %currentfolder%/1.%pid% (106B)

A PHP dropper script is used.


The trojan ensures it is run every minute by adding an entry to the crontab configuration file.


The trojan attempts to modify the following files:

  • /etc/rc.local
  • /etc/rc.d/rc.local

The trojan writes the following entries to the file:

  • php -q %malwarefilepath% > /dev/null

This way the trojan ensures that the file is executed on every system start.


The trojan may execute the following commands:

  • killall -9 /usr/bin/host
  • ./1.sh
  • export LD_PRELOAD=./%droppedmalwarefilepath%; /usr/bin/host
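
As an added example, not part of the ESET description, the following Python script checks copies of /etc/rc.local, a crontab, the dropped 1.sh script and a directory listing for the persistence entries and dropped-file names listed above. The sample inputs are constructed, and the web-root path /var/www/html/uploads/x.php is a placeholder.

```python
import re

# Dropped-file names and persistence entries taken from the description above.
ROOPRE_FILENAMES = {"1.sh", "rss-aggr.so", "libworker.so", ".sc",
                    ".caches", ".cache", ".sd0", ".fghv"}
PID_FILE_RX = re.compile(r"^1\.\d+$")          # the 1.%pid% marker file
PATTERNS = {
    # rc.local autostart line: php -q <path> > /dev/null
    "rc.local php autostart": re.compile(r"^\s*php\s+-q\s+\S+\s*>\s*/dev/null"),
    # crontab entry firing every minute (* * * * *) that runs php
    "every-minute php cron": re.compile(r"^(\*\s+){4}\*\s+.*\bphp\b"),
    # LD_PRELOAD wrapper around /usr/bin/host (the dropped .so is the preload)
    "LD_PRELOAD host wrapper": re.compile(r"LD_PRELOAD=\S+.*?;\s*/usr/bin/host"),
}

def scan_lines(lines, source):
    """Return (source, line_no, rule) for every line matching a Roopre pattern."""
    hits = []
    for no, line in enumerate(lines, 1):
        for rule, rx in PATTERNS.items():
            if rx.search(line):
                hits.append((source, no, rule))
    return hits

def suspicious_names(names):
    """Return names from a directory listing that match the dropped-file list."""
    return sorted(n for n in names if n in ROOPRE_FILENAMES or PID_FILE_RX.match(n))

# Constructed samples for an offline run; the web-root path is a placeholder.
SAMPLE_RC_LOCAL = ["#!/bin/sh -e",
                   "php -q /var/www/html/uploads/x.php > /dev/null",
                   "exit 0"]
SAMPLE_CRONTAB = ["0 3 * * * /usr/bin/certbot renew",
                  "* * * * * php -q /var/www/html/uploads/x.php > /dev/null 2>&1"]
SAMPLE_1_SH = ["export LD_PRELOAD=./libworker.so; /usr/bin/host"]
SAMPLE_DIR = ["index.php", ".caches", ".sd0", "1.4471", "notes.txt"]

def triage():
    """Run all checks over the samples; returns (pattern hits, suspicious names)."""
    hits = (scan_lines(SAMPLE_RC_LOCAL, "/etc/rc.local")
            + scan_lines(SAMPLE_CRONTAB, "crontab")
            + scan_lines(SAMPLE_1_SH, "1.sh"))
    return hits, suspicious_names(SAMPLE_DIR)

if __name__ == "__main__":
    hits, names = triage()
    for source, no, rule in hits:
        print(f"{source}:{no}: {rule}")
    print("suspicious file names:", names)
```

On a real host, feed the script the contents of /etc/rc.local, /etc/rc.d/rc.local, the crontab output and a listing of the web server's writable directories instead of the samples.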

Information stealing

The trojan collects sensitive information when the user browses certain web sites.


The following information is collected:

  • login user names for certain applications/services
  • login passwords for certain applications/services
  • operating system version
  • user name

The trojan can send the information to a remote machine.

Other information

Linux/Roopre.A is a trojan that receives data and instructions for its operation from the Internet or a remote computer in a botnet.


The trojan contains a list of URLs. The HTTP and HTTPS protocols are used.


It can execute the following operations:

  • create a scheduled task that repeatedly executes the malicious file
  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
  • execute shell commands
  • create files
  • send gathered information

Using the HTTP protocol, the trojan connects to the following addresses:


The trojan may delete the following files:

  • %currentfolder%/1.sh
  • %currentfolder%/rss-aggr.so
  • %currentfolder%/libworker.so
  • /tmp/.sc
  • %currentfolder%/.caches
  • %currentfolder%/.cache
  • %currentfolder%/.sd0
  • %currentfolder%/.fghv
  • %currentfolder%/1.%pid%

The trojan sets the following environment variables:

  • AU=%URL%

A string with variable content is used instead of %URL%.
