Linux Malware

Lots of users have been getting malware on their Linux computers lately. Most of the time, the infection vector is a weak password. That aside, let’s look at a typical sample.

Below is a file listing of the particular sample, which resides in /var/tmp:

var/tmp/ /.m/
var/tmp/ /.m/LinkEvents
var/tmp/ /.m/1.user
var/tmp/ /.m/Makefile
var/tmp/ /.m/.m.tar.gz
var/tmp/ /.m/2.user
var/tmp/ /.m/m.set
var/tmp/ /.m/m.help
var/tmp/ /.m/genuser
var/tmp/ /.m/src/
var/tmp/ /.m/src/com-ons.c
var/tmp/ /.m/src/combot.c
var/tmp/ /.m/src/channel.c
var/tmp/ /.m/src/config.h
var/tmp/ /.m/src/defines.h
var/tmp/ /.m/src/function.c
var/tmp/ /.m/src/link.o
var/tmp/ /.m/src/combot.o
var/tmp/ /.m/src/dcc.c
var/tmp/ /.m/src/Makefile
var/tmp/ /.m/src/xmech.c
var/tmp/ /.m/src/link.c
var/tmp/ /.m/src/xmech.o
var/tmp/ /.m/src/dcc.o
var/tmp/ /.m/src/main.c
var/tmp/ /.m/src/cfgfile.o
var/tmp/ /.m/src/h.h
var/tmp/ /.m/src/cfgfile.c
var/tmp/ /.m/src/userlist.o
var/tmp/ /.m/src/parse.o
var/tmp/ /.m/src/userlist.c
var/tmp/ /.m/src/structs.h
var/tmp/ /.m/src/mcmd.h
var/tmp/ /.m/src/socket.o
var/tmp/ /.m/src/vars.o
var/tmp/ /.m/src/parse.c
var/tmp/ /.m/src/gencmd.c
var/tmp/ /.m/src/global.h
var/tmp/ /.m/src/debug.o
var/tmp/ /.m/src/Makefile.in
var/tmp/ /.m/src/text.h
var/tmp/ /.m/src/com-ons.o
var/tmp/ /.m/src/main.o
var/tmp/ /.m/src/trivia.c
var/tmp/ /.m/src/gencmd
var/tmp/ /.m/src/usage.h
var/tmp/ /.m/src/socket.c
var/tmp/ /.m/src/trivia.o
var/tmp/ /.m/src/debug.c
var/tmp/ /.m/src/vars.c
var/tmp/ /.m/src/function.o
var/tmp/ /.m/src/commands.c
var/tmp/ /.m/src/commands.o
var/tmp/ /.m/src/config.h.in
var/tmp/ /.m/src/channel.o
var/tmp/ /.m/checkmech
var/tmp/ /.m/bash
var/tmp/ /.m/configure
var/tmp/ /.m/3.user
var/tmp/ /.m/go
var/tmp/ /.m/r/
var/tmp/ /.m/r/raway.e
var/tmp/ /.m/r/rversions.e
var/tmp/ /.m/r/rkicks.e
var/tmp/ /.m/r/rsay.e
var/tmp/ /.m/r/rsignoff.e
var/tmp/ /.m/r/rpickup.e
var/tmp/ /.m/r/rinsult.e
var/tmp/ /.m/r/rtsay.e
var/tmp/ /.m/r/rnicks.e
var/tmp/ /.m/mkindex

As you can see, they have cleverly hidden it by using a directory name consisting of 2 spaces. Some interesting files are:

$ cat 1.user
handle Santo
mask *!*@91.210.81.78
prot 4
aop
channel *
access 100

handle Ciao
mask *!*@Ciao.users.undernet.org
prot 4
aop
channel *
access 100

$ head src/cfgfile.c
/*
EnergyMech, IRC bot software
Parts Copyright (c) 1997-2001 proton, 2002-2003 emech-dev

The malware looks to be an IRC bot, which is quite typical for Linux. Anyway, at this point in time I lost interest. If you want a closer look at this thing, feel free to email me. 🙂
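To turn the two observations above (a whitespace-only directory name under /var/tmp, and the key/value layout of 1.user) into something a responder can run, here is an added Python example that is not part of the original post: a scanner that walks a tree for whitespace-named entries and a parser that lifts handle/mask records out of a user file. The user-file format is inferred from the 1.user listing, and the directory tree and sample file are constructed.

```python
import os
import re
import tempfile
from pathlib import Path

# Matches a name made only of whitespace, like the "  " directory under /var/tmp above.
WHITESPACE_ONLY = re.compile(r"^\s+$")

def suspicious_names(root: str) -> list[str]:
    """Paths under root whose name is whitespace-only or has leading/trailing whitespace."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if WHITESPACE_ONLY.match(name) or name != name.strip():
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)

def parse_user_file(text: str) -> list[dict[str, str]]:
    """Parse blank-line separated 'key value' records (format inferred from the
    1.user listing above) into dicts, so handles and host masks become indicators."""
    records, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition(" ")
        current[key] = value  # flag-only lines such as "aop" get an empty value
    if current:
        records.append(current)
    return records

# Constructed sample with two records, mirroring the 1.user quoted in the post.
SAMPLE_USER = """handle Santo
mask *!*@91.210.81.78
aop
access 100

handle Ciao
mask *!*@Ciao.users.undernet.org
access 100
"""

def demo() -> list[str]:
    # Recreate the post's layout in a fresh temp dir, then scan it.
    tmp = tempfile.mkdtemp()
    hidden = Path(tmp) / "var" / "tmp" / "  " / ".m"
    (hidden / "src").mkdir(parents=True)
    (hidden / "1.user").write_text(SAMPLE_USER)
    return [os.path.relpath(h, tmp) for h in suspicious_names(tmp)]
```

Pointing suspicious_names at a real /var/tmp or /tmp on a suspect host gives a quick triage list; anything it returns deserves a manual look.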
