
Linux.BackDoor.Fysbis.1 — Dr.Web Malware description library

<!DOCTYPE html> <!--[if IE 7 ]><html lang="en" class="x ie ie7 en"><![endif]--> <!--[if IE 8 ]><html lang="en" class="x ie ie8 en"><![endif]--> <!--[if IE 9 ]><html lang="en" class="x ie ie9 en"><![endif]--> <!--[if (gt IE 9)|!(IE)]><!--> <html lang="en" class="x jsDisabled- en"><!--<![endif]--> <head> <!-- Google Tag Manager start ~0613138 COMMON_COUNTER_FIRST_ROW_HEAD --> <script> (function (){ const getCookieValue = (name) => { const cookies = document.cookie.split(";"); for (let i = 0; i < cookies.length; i++) { const cookie = cookies[i].trim(); if (cookie.startsWith(name + "=")) { return cookie.substring(name.length + 1); } } return ""; }; const userID = getCookieValue("drwse"); window.dataLayer = window.dataLayer || []; userID && window.dataLayer.push({ userId: userID }); })(); (function (w, d, s, l, i) { w[l] = w[l] || []; w[l].push({ "gtm.start": new Date().getTime(), event: "gtm.js", }); var f = d.getElementsByTagName(s)[0], j = d.createElement(s), dl = l != "dataLayer" ? "&l=" + l : ""; j.async = true; j.src = "https://www.googletagmanager.com/gtm.js?id=" + i + dl; f.parentNode.insertBefore(j, f); })(window, document, "script", "dataLayer", "GTM-THZ4GGSN"); </script> <!-- Google Tag Manager end ~0613138 COMMON_COUNTER_FIRST_ROW_HEAD --> <script src="//st.drweb.com/static/js/redir-https.js"></script> <script src="//st.drweb.com/static/js/acceptable_browsers_2018.js"></script> <script> (function() { var html = document.documentElement; html.className = html.className.replace( ' jsDisabled-', '' ) }()) </script> <title>Linux.BackDoor.Fysbis.1 &mdash; Dr.Web Malware description library</title> <meta http-equiv="content-type" content="text/html; charset=utf-8"/> <!--[if IE]> <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1" /> <![endif]--> <meta name="viewport" content="width=device-width, height=device-height, maximum-scale=1.0, minimum-scale=1.0" /> <meta name="description" content=" A multicomponent Trojan presumably related to the Sednit hacker 
group. It uses a module structure where every module is implemented as a separate class. Modules can be of the following two types: plug-ins and controllers. The researched sample contained two plug-ins: one designed to work with the file ..." /> <meta property="og:type" content="website" /> <meta property="og:site_name" content="Dr.Web" /> <meta property="og:url" content="https://vms.drweb.com/virus/?i=4276269" /> <meta property="og:title" content="Linux.BackDoor.Fysbis.1 &mdash; Dr.Web Malware description library" /> <meta property="og:description" content=" A multicomponent Trojan presumably related to the Sednit hacker group. It uses a module structure where every module is implemented as a separate class. Modules can be of the following two types: plug-ins and controllers. The researched sample contained two plug-ins: one designed to work with the file ..." /> <meta property="og:image" content="https://st.drweb.com/static/new-www/favicons/og-drweb-default.jpg?r=1" /> <meta property="og:image:width" content="968" /> <meta property="og:image:height" content="504" /> <!-- there is used META_DESCRIPTION (only meta tags) --> <!-- icons_full_package --> <link rel="shortcut icon" type="image/x-icon" href="//st.drweb.com/static/new-www/favicon.ico?r=2" /> <link rel="apple-touch-icon" sizes="57x57" href="//st.drweb.com/static/new-www/favicons/apple-touch-icon-57x57.png" /> <link rel="apple-touch-icon" sizes="60x60" href="//st.drweb.com/static/new-www/favicons/apple-touch-icon-60x60.png" /> <link rel="apple-touch-icon" sizes="72x72" href="//st.drweb.com/static/new-www/favicons/apple-touch-icon-72x72.png" /> <link rel="apple-touch-icon" sizes="76x76" href="//st.drweb.com/static/new-www/favicons/apple-touch-icon-76x76.png" /> <link rel="apple-touch-icon" sizes="114x114" href="//st.drweb.com/static/new-www/favicons/apple-touch-icon-114x114.png" /> <link rel="apple-touch-icon" sizes="120x120" href="//st.drweb.com/static/new-www/favicons/apple-touch-icon-120x120.png" /> 
<link rel="apple-touch-icon" sizes="144x144" href="//st.drweb.com/static/new-www/favicons/apple-touch-icon-144x144.png" /> <link rel="apple-touch-icon" sizes="152x152" href="//st.drweb.com/static/new-www/favicons/apple-touch-icon-152x152.png" /> <!-- icons_modern_package --> <link rel="apple-touch-icon" sizes="180x180" href="//st.drweb.com/static/new-www/favicons/apple-touch-icon-180x180.png" /> <link rel="icon" type="image/png" sizes="32x32" href="//st.drweb.com/static/new-www/favicons/favicon-32x32.png" /> <link rel="icon" type="image/png" sizes="16x16" href="//st.drweb.com/static/new-www/favicons/favicon-16x16.png" /> <link rel="manifest" href="//st.drweb.com/static/new-www/favicons/manifest.json" /> <link rel="mask-icon" color="#2e2e2e" href="//st.drweb.com/static/new-www/favicons/safari-pinned-tab.svg" /> <meta name="msapplication-TileColor" content="#7cb51b" /> <meta name="msapplication-TileImage" content="//st.drweb.com/static/new-www/favicons/mstile-144x144.png" /> <!-- Force theme color: --> <meta name="theme-color" content="#f2f2f2" /> <!-- ! icons_modern_package --> <!-- ! 
icons_full_package --> <link rel="alternate" type="application/rss+xml" title="Dr.Web All News" href="https://news.drweb.com/rss/get/?c=5&amp;lng=en" /> <!-- styles --> <link rel="stylesheet" type="text/css" href="//st.drweb.com/static/js/drweb_user_login_widget_tile_mobi.css" /> <link rel="stylesheet" type="text/css" href="//st.drweb.com/static/new-www/themes/tiles_mobi/assets/css/tile-mobi-transition.css?r=26" /> <!--[if lt IE 9]> <script>'svg use article section'.replace(/\w+/g,function(n){document.createElement(n)})</script> <style>svg,use{display:none;}</style> <![endif]--> <script src="//st.drweb.com/static/js/jquery-1.7.2.min.js"></script> <script src="//st.drweb.com/static/js/jquery.cookie.min.js"></script> <script src="//st.drweb.com/static/js/showit/showit.min.js"></script> <script src="//st.drweb.com/static/js/qdata/qdata.min.js"></script> <script src="//st.drweb.com/static/js/qdata/extensions/pi.js"></script> <script src="//st.drweb.com/static/js/switcher/switcher.min.js"></script> <script src="//st.drweb.com/static/js/scrollx/scrollx.min.js"></script> <script src="//st.drweb.com/static/js/scrollup_button.js"></script> <script src="//st.drweb.com/static/js/ec-events.js"></script> <!-- icons --> <script src="//st.drweb.com/static/new-www/themes/tiles_mobi/assets/icons/jquery.icons.min.js?r=7"></script> <script>if( window.SvgIcons && SvgIcons.Rev ){ SvgIcons.Rev(5) }</script> <!-- popup --> <link rel="stylesheet" type="text/css" href="//st.drweb.com/static/js/popup/css/tile.css" /> <script src="//st.drweb.com/static/js/popup/popup.js?r=2"></script> <script>$(function(){$('a.preview').popUp({imgAutoResize:true});});</script> <!-- dyn-tree --> <script src="//st.drweb.com/static/js/dyn-tree/dyn-tree.js"></script> <!-- dyn-tree: data-dyn-mobi-menu --> <link rel="stylesheet" type="text/css" href="//st.drweb.com/static/js/dyn-tree/extensions/data-dyn-mobi-menu.css" /> <script src="//st.drweb.com/static/js/dyn-tree/extensions/data-dyn-mobi-menu.js"></script> 
<!-- lazy load --> <script src="//st.drweb.com/static/js/makelazy/makelazy.min.js"></script> <script> var Lazy = MakeLazy(); $(function(){ Lazy.Observe(false, '.CONTENT'); $('.NAV-case.on_hover').one('mouseenter', function(){ Lazy.Load(false, this); }); }); </script> <!-- cocss (last) --> <script src="//st.drweb.com/static/js/cocss/cocss.min.js"></script> <!-- theme/tile_mobi/main_resources.tt start --> <script src="//st.drweb.com/static/js/jsurl/url.js"></script> <script src="//st.drweb.com/static/js/change_lng_w_domains_v2.js"></script> <script src="//st.drweb.com/static/js/old_browser_detection.js"></script> <script src="//st.drweb.com/static/js/jquery.cookie.min.js" ></script> <!-- <script src="//st.drweb.com/static/js/elephant/elephant.js?5"></script> <link rel="stylesheet" type="text/css" href="//st.drweb.com/static/new-www/buy_elephant/css/buy_elephant_tile.css?1" /> --> <!-- theme/tile_mobi/main_resources.tt end --> <link rel="canonical" href="https://vms.drweb.com/virus/?i=4372597" /> <link rel="alternate" href="https://vms.drweb.ru/virus/?i=4372597" hreflang="ru" /> <link rel="alternate" href="https://vms.drweb.com/virus/?i=4372597" hreflang="en" /> <link rel="alternate" href="https://vms.drweb.fr/virus/?i=4372597" hreflang="fr" /> <link rel="alternate" href="https://vms.drweb-av.de/virus/?i=4372597" hreflang="de" /> <link rel="alternate" href="https://vms.drweb-av.es/virus/?i=4372597" hreflang="es" /> <link rel="alternate" href="https://vms.drweb-av.it/virus/?i=4372597" hreflang="it" /> <link rel="alternate" href="https://vms.drweb.co.jp/virus/?i=4372597" hreflang="ja" /> <link rel="alternate" href="https://vms.drweb.cn/virus/?i=4372597" hreflang="zh" /> <link rel="alternate" href="https://vms.dataprotection.com.ua/virus/?i=4372597" hreflang="uk" /> <link rel="alternate" href="https://vms.drweb.com/virus/?i=4372597" hreflang="x-default"> <link href="https://st.drweb.com/static/js/highlight/default.min.css" rel="stylesheet" type="text/css"/> <script 
src="https://st.drweb.com/static/js/highlight/highlight.min.js"></script> <link href="//st.drweb.com/static/new-www/themes/tiles/css/news_arrows_new.css" media="screen" rel="stylesheet" type="text/css"/> <script src="//st.drweb.com/static/new-www/themes/tiles/js/vms_arrows.js?v=2" type="text/javascript"></script> <script> hljs.initHighlightingOnLoad(); </script> <!-- vms_css_resources --> <link rel="stylesheet" type="text/css" href="https://st.drweb.com/static/new-www/themes/tiles_mobi/assets/css/vms_new_main.css?r=1" /> <!-- vms_css_resources END --> <script>window['elephant_aj'] = {common:{preftpl:'showit_'}};</script> <!-- b4 sns --> <!-- after sns --> <!-- GA4 --> <script src="https://st.drweb.com/static/js/GA4/ga4_lib.js"></script> <!--GA4 --> <!--review banners--> <link rel="stylesheet" href="//st.drweb.com/static/js/review_banners/style.css"> <!--review banners--> </head> <body class="BODYBOX"> <!-- COMMON_COUNTER_FIRST_ROW_BODY --> <!-- Google Tag Manager (noscript) ~0613138 --> <noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-THZ4GGSN" height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript> <!-- End Google Tag Manager (noscript) --> <!-- COMMON_COUNTER_FIRST_ROW_BODY // --> <!-- theme/tile_mobi/noscript.tt start --> <noscript> <div class="JsDisabled"> <strong>JavaScript support is required for our site to be fully operational in your browser.</strong> </div> </noscript> <!-- theme/tile_mobi/noscript.tt end --> <!-- theme/tile_mobi/old_browser.tt start --> <div class="OldBrowser" hidden> <p class="title"><strong class="noB"><a href="https://www.drweb.com/old_browser_info/" class="white">Your browser is obsolete!</a></strong></p> <p class="note">The page may not load correctly.</p></div> <!-- theme/tile_mobi/old_browser.tt end --> <div class="HEAD clearfix"> <!-- theme/tile_mobi/head_pi.tt start --> <div class="PI container container_cell ztop " data-swr-click-outside="hide" data-swr-group="header" 
href="https://antifraud.drweb.com/av_myths/?lng=en" data-dyn-mobi-menu="Knowledge base // Myths // Myths about anti-viruses" itemprop="url"> Myths about anti-viruses </a> </li> </ul> </div> </div> </div> </dd> </dl> </div> <div class="NAV-wrp"> <dl class="NAV-case on_hover static"> <dt class="NAV-section"> <a href="javascript:void(0)" class="NAV-section-link js-data-dyn"> <span class="NAV-section-name">News</span> </a> <div class="NAV-case-arrow"> <i data-icon="#common-arrowDown:hidden"></i> </div> </dt> <dd class="NAV-content use_hover width_2of8 right"> <div class="margTM margXM"> <ul itemscope itemtype="http://www.schema.org/SiteNavigationElement"> <li class="NAV-itm" itemprop="name"> <a class="NAV-link js-data-dyn" href="https://news.drweb.com/list/?c=10&lng=en" data-dyn-mobi-menu="News // Virus reviews" itemprop="url"> Virus reviews </a> </li> <li class="NAV-itm" itemprop="name"> <a class="NAV-link js-data-dyn" href="https://news.drweb.com/list/?c=9&lng=en" data-dyn-mobi-menu="News // Virus alerts" itemprop="url"> Virus alerts </a> </li> <li class="NAV-itm" itemprop="name"> <a class="NAV-link js-data-dyn" href="https://news.drweb.com/list/?c=38&lng=en" data-dyn-mobi-menu="News // Mobile threat news" itemprop="url"> Mobile threat news </a> </li> <li class="NAV-itm" itemprop="name"> <a class="NAV-link js-data-dyn" href="https://news.drweb.com/list/?c=23&lng=en" data-dyn-mobi-menu="News // Real-time threat news" itemprop="url"> Real-time threat news </a> </li> <li class="NAV-itm" itemprop="name"> <a class="NAV-link js-data-dyn" href="https://news.drweb.com/?lng=en" data-dyn-mobi-menu="News // All news" itemprop="url"> All news </a> </li> </ul> </div> </dd> </dl> </div> </div> </div> <div id="ShowIt"></div> <!-- theme/tile_mobi/head_nav.tt end --> <!-- theme/tile_mobi/head_body.tt start --> <div class="HEAD-body"> <div class="container paddYC _viewL_none"> <p class="ROWMENU alignCenter black -inheritedColor noMargY margXC paddYC fontXS"> </p> </div> </div> <!-- 
theme/tile_mobi/head_body.tt end --> </div> <!-- theme/tile_mobi/content.tt start --> <div class="CONTENT"> <!-- virus.tt --> <div class="CellBlock VirusContent"> <div class="container" itemscope itemtype="http://schema.org/Article"> <h1 class='alignCenter b fontXXL' itemprop='name headline'>Linux.BackDoor.Fysbis.1</h1><div class="margBM"><p class="margYS"> <span class="_viewS_fontXS"><b>Added to the Dr.Web virus database:</b></span> <span class="paddLS _viewS_block">2014-11-21</span> </p> <p class="margYS"> <span class="_viewS_fontXS"><b>Virus description added:</b></span> <span class="paddLS _viewS_block" itemprop="datePublished">2015-05-12</span> </p> </div><div itemprop="articleBody"><p>A multicomponent Trojan presumably related to the Sednit hacker group. It uses a module structure where every module is implemented as a separate class. Modules can be of the following two types: plug-ins and controllers. The researched sample contained two plug-ins: one designed to work with the file system and another one consisting of a remote control shell and a network controller (executes POST and GET requests in a specified format). </p> <p>During the installation, the Trojan attempts to gain root privileges. If it succeeds, the malware is installed in the folder /bin/ with the name rsyncd and with the description “synchronize and backup service”. If it does not succeed, Linux.BackDoor.Fysbis.1 is installed in ~/.config/dbus-notifier as an executable file with the name dbus-inotifier and with the description “system service d-bus notifier”. 
</p> <p>Once it is launched, the Trojan verifies that its copy is not running and that the malware itself is not launched using the command interpreter nash.</p> <ol><li>Verifies that the “echo $0” command’s output is different from “nash”.</li> <li>Verifies that there is no process with the name “rsyncd” on the active process list (“dbus-inotifier” if the Trojan does not have root privileges).</li> </ol> <p>Next, the malware checks whether it is configured to start automatically at system startup.</p> <ol><li>It searches the active process list for the systemd process. If this process is found, the Trojan recursively traverses the “/usr/lib/systemd/” directory and checks every file for the “/bin/rsyncd” string. Otherwise, it runs a search for the “/bin/rsyncd” string within the files found in the /etc/ folder.</li> <li>Verifies that there is no “rsyncd” file in the “/bin/” folder.</li> </ol> <p>If the Trojan does not have root privileges, it checks the “~/.config/autostart/” directory for the “dbus-inotifier” file.</p> <p>If Linux.BackDoor.Fysbis.1 is not installed, it registers itself in autorun using one of the following methods:</p> <ol><li>Adds the “/bin/rsyncd &amp; exit 0” string to the end of all “rc.local” files found in the /etc/ folder.</li> <li>Creates the service file /usr/lib/systemd/system/rsyncd.service <pre><code>[Unit]
Description=synchronize and backup service
After=syslog.target

[Service]
ExecStart=/bin/rsyncd
OOMScoreAdjust=-500

[Install]
WantedBy=multi-user.target</code></pre> Then it installs the service by executing the following commands: <pre><code>ln -s '/lib/systemd/system/rsyncd.service' '/etc/systemd/system/multi-user.target.wants/rsyncd.service'
systemctl daemon-reload</code></pre> </li></ol> <p>Which option is used to register the Trojan in autorun depends on whether the systemd process is running. For example, if this process is active, the first option will be used. 
If it is not active, the second option is to be used.</p> <p>If the Trojan does not have root privileges to enable its automatic launch, it creates the “~/.config/autostart/dbus-inotifier.desktop” file with the following contents:</p> <pre><code>[Desktop Entry]
Type=Application
Exec=/home/user/.config/dbus-notifier/dbus-inotifier
Name[en_EN]=system service d-bus notifier
Name=system service d-bus notifier
Comment[en_EN]=
Comment=</code></pre> <p>“/home/user/” here stands for the value of the HOME environment variable.</p> <p>During the next step, the malware copies itself to “/bin/rsyncd” (or to “~/.config/dbus-notifier/dbus-inotifier” if the Trojan does not have root privileges) and launches the copy from that location.</p> <p>The address of the command and control server is stored in the Trojan’s body. All strings used by the Trojan are encrypted with the XOR algorithm; different keys are used depending on the task the string corresponds to.</p> <p>Linux.BackDoor.Fysbis.1 creates the directory “/usr/lib/cva-ssys” to store its files in (“~/.local/cva-ssys” if the Trojan does not have root privileges). When operating, the Trojan uses an SQLite3 database named My_BD, located at “/usr/lib/cva-ssys/My_BD” (“~/.local/cva-ssys/My_BD” if the Trojan does not have root privileges). The database contains the following two tables: Chnnl(id,binary) and prms(id,dword). The prms table stores the dwell time value for the standby mode under “id == 0x310031”; this value is the interval during which the Trojan does not receive a reply with the payload from the command and control server. The value with “id == 0x320032” is the dwell time value for the active mode. The Chnnl table contains the backdoor’s configuration data. 
This data is encrypted with the RC4 algorithm.</p> <p>The configuration data used by the backdoor has the following structure:</p> <pre><code>#pragma pack(push, 1)
struct st_cncconfig
{
  _WORD  id;
  _BYTE  byte2;
  _BYTE  byte3;
  _QWORD pCnCBeg;
  _QWORD pCnCEnd;
  _QWORD pLastElement;
};
#pragma pack(pop)</code></pre> <p>To be able to enter the data into the database, Linux.BackDoor.Fysbis.1 converts the configuration data into the following structure:</p> <pre><code>#pragma pack(push, 1)
struct st_crypted_config_data
{
  _WORD id;
  _BYTE byte2;
  _BYTE byte3;
  char* pCnC; // list of CnC addresses separated by '&amp;'
};
#pragma pack(pop)</code></pre> <p>Before the configuration data is encrypted with the RC4 algorithm, 11 signature bytes (stored in the backdoor’s body) are appended to the end of the data. Next, the buffer is encrypted using the RC4 algorithm with a 50-byte key (also stored in the backdoor’s body). If keys for XOR string encryption are present, the configuration data is additionally encrypted with the XOR algorithm.</p> <p>Then the buffer with the encrypted package is modified as follows:</p> <ol><li>Two DWORD values are added to the beginning of the buffer.</li> <li>The first DWORD value is equal to zero.</li> <li>The second DWORD value is a hash calculated using the following function (MakeHash): <pre><code>unsigned __int16 CCryptor::ComputeHash(_BYTE *rc4_key, _DWORD rnd, _BYTE *crypted_data, _QWORD size)
{
  _QWORD i;
  _WORD result;
  _BYTE CryptedByte;
  _BYTE j;

  i = 0LL;
  result = 0LL;
  while ( i &lt; size )
  {
    CryptedByte = crypted_data[i];
    j = 0;
    while ( 1 )
    {
      result = ((unsigned __int8)result ^ CryptedByte) &amp; 1 ? (rnd ^ (result &gt;&gt; 1)) : (result &gt;&gt; 1);
      ++j;
      if ( j == 8 )
        break;
      CryptedByte &gt;&gt;= 1;
    }
    ++i;
  }
  return result;
}

unsigned __int32 CCryptor::MakeHash(struct st_cryptor *cryptor, _BYTE *crypted_data, __int64 size)
{
  _DWORD rnd;

  rnd = GetRand(0, -1);
  return (unsigned __int16)(HIWORD(rnd) ^ rnd) ^ (CCryptor::ComputeHash(&amp;cryptor-&gt;rc4_key-&gt;buffer, (HIWORD(v4) ^ v4), crypted_data, size) &lt;&lt; 16);
}</code></pre> </li></ol> <p>The configuration data is extracted by reversing the method described above. When the configuration data is extracted from the database, the backdoor verifies that the calculated hash matches the one saved in the database. It also checks that the 11-byte signature is correct.</p> <p>Then the Trojan starts a thread for every plug-in, which waits for a package containing a command. It also starts one thread to monitor the database status and another one to exchange data with the command and control server.</p> <p>When the backdoor establishes a connection to the command and control server, it sets the request period equal to the specified dwell time for the standby mode. Once the Trojan receives the payload, it changes the request period to the dwell time value for the active mode. If the dwell time value for the active mode has been set but no package has been received, the dwell time value is incremented by the dwell time value for the active period. 
This action is repeated until the dwell time value is greater than or equal to the dwell time value for the standby mode.</p> <p>The Trojan sends the following GET request to the command and control server:</p> <pre><code>azureon-****.com/watch/?from=W2KIa&amp;oe=YDxQ&amp;aq=KDRHmedegqk&amp;btnG=G&amp;utm=DQ&amp;ai=Y9DmdXRnRMCsX9Mm2KPXQOTAC
azureon-****.com/search/?oe=BiQCNKF&amp;aq=wl&amp;oe=Zcl0al2GeHD&amp;from=rfkpqRi-&amp;ags=KZde&amp;text=x&amp;ags=AS79lq&amp;channel=YJa3f673&amp;aq=GyZCExee0D&amp;ai=CgX0bplH8YtBf2ZtNYNiCwngv</code></pre> <p>The from, oe, aq, btnG and utm parameters are random strings encoded with the BASE64 algorithm. The string length is from 1 to 14 characters. From the list of available parameters, the Trojan randomly chooses the ones it will use (from 2 to 11 parameters).</p> <pre><code>text=
from=
ai=
ags=
oe=
aq=
btnG=
oprnd=
ai=
utm=
channel=</code></pre> <p>The page address in the command and control server’s domain is chosen randomly from the following list.</p> <pre><code>watch/?
search/?
find/?
results/?
open/?
search/?
close/?</code></pre> <p>The “ai” value is the payload title. It is generated using the following method:</p> <ol><li>The Trojan takes a random DWORD value and 7 bytes of the UID value for GET/POST requests stored in the backdoor’s body. The UID value is followed by the DWORD value equal to -1 if the first DWORD value is zero. 
Otherwise, the second DWORD value is taken as the first value.</li> <li>11 bytes of this buffer are encrypted with the XOR algorithm as follows: <pre><code>i = 0
while ( 1 )
{
  crypted_buffer = (_BYTE *)this_-&gt;crypted_buffer;
  if ( i &gt;= this-&gt;crypted_buffer_size - 4 ) // this-&gt;crypted_buffer_size == 15
    break;
  ++i;
  crypted_buffer[i + 4] ^= crypted_buffer[i &amp; 3];</code></pre> </li> <li>The generated buffer is encoded using the BASE64 alphabet, where the last two characters are replaced with “-” and “_”.</li> <li>A 5-character BASE64-encoded string is added to the beginning of the BASE64-encoded buffer.</li> </ol> <p>In return, the server can send an encoded package or the “400” value. The Trojan checks whether the server’s reply is positive by searching for the “OK” substring in it. Then the backdoor checks the reply’s size. If the size is 7 bytes or more, the backdoor verifies that the command and control server sent an encoded package. To decode the package, the BASE64 alphabet is used, with the last two characters replaced with “-” and “_”. If the decoded package is bigger than 3 bytes, the Trojan decrypts its first 11 bytes with XOR using a method similar to the one described above.</p> <p>The first 4 bytes in the received package are ignored; the next 7 bytes are the key that will be used for the next POST requests. 
The rest of the package is the payload.</p> <p>The main module of the Trojan can execute the following commands:</p> <table class="info"> <tr><th>Command</th><th>Description</th></tr> <tr><td>0x1F</td><td>Set the dwell time value for the standby mode</td></tr> <tr><td>0x29</td><td>Activate the controllers</td></tr> <tr><td>0x2A</td><td>Set new configuration data and update the list of command and control servers</td></tr> <tr><td>0x32</td><td>Set the dwell time value for the active mode</td></tr> <tr><td>0x33</td><td>Set up the plug-in</td></tr> <tr><td>0x33</td><td>Save the dwell time values into the database</td></tr> <tr><td>0x34</td><td>Activate the plug-ins</td></tr> <tr><td>0x35</td><td>Add configuration data</td></tr> <tr><td>0x36</td><td>Delete the specified configuration data</td></tr> </table> <p>The Remote Shell module can execute the following commands:</p> <table class="info"> <tr><th>Command</th><th>Description</th></tr> <tr><td>0x66</td><td>Exit</td></tr> <tr><td>0x65</td><td>Open a remote shell</td></tr> <tr><td>0x68</td><td>Verify that the shell is running</td></tr> <tr><td>0x67</td><td>Execute a command</td></tr> </table> <p>The module that interacts with the file system can execute the following commands:</p> <table class="info"> <tr><th>Command</th><th>Description</th></tr> <tr><td>0x65</td><td>Find the file(s)</td></tr> <tr><td>0x66</td><td>Read the file(s)</td></tr> <tr><td>0x67</td><td>Save the file</td></tr> <tr><td>0x68</td><td>Remove the file(s)</td></tr> <tr><td>0x69</td><td>Run the file(s)</td></tr> </table> <p>A report on the operations executed by this module is generated as HTML code. The string with this code is built in the infected computer’s memory and is used without being saved to a file.</p> <p>The module monitoring the database checks the connection to the command and control server every millisecond. If the connection is established, it checks the values in the prms table of the database. 
If these values are other than zero, the module sends them to the command and control server using the POST request.</p> <p>To send the POST request, the Trojan uses a random DWORD value and 7 bytes of the key from the encrypted package received in reply to the GET request. 11 bytes that the Trojan receives in the reply are encrypted with the XOR algorithm (similar to the one used to decrypt the reply to the GET request). Then the data is added to the encrypted 11 bytes of the key. The generated buffer is encoded using the BASE64 alphabet to be sent in the POST request. Next, to the beginning of the BASE64 string a random BASE64 string with the length of 5 characters is added. The POST request’s title is generated similarly to the GET request’s title. The payload is generated using the following method:</p> <ol><li>Using zero correction, a random DWORD value is written.</li> <li>Then 11 bytes of the key for POST requests are written. The key is received as a reply to the GET request.</li> <li>Next, other data is added.</li> <li>The first 11 bytes of the received buffer are encrypted with the XOR algorithm.</li> <li>Once it is encrypted using the XOR algorithm, the buffer is encoded with BASE64. A random string with the length of 5 characters is added to the beginning of the buffer.</li> </ol> <p>After the Trojan has sent 4 POST requests via this stream, it pauses for 1 second and then sends another POST request to the command and control server. 
This request contains the sqlite3 library’s functions, whose addresses were successfully acquired (maximum 13).</p></div> </div> </div> <div id="block_recom"> <!-- BLOCK_RECOM_LINUX_NEW --> <div class="CellBlock noMarg paddTL"> <div class="container"> <h3 class="fontL _viewM_alignCenter">Curing recommendations</h3> <hr class="Divider noMargT margXC"> <p class="b fontL main_green_4 paddLL _viewS_noPaddL _viewS_alignCenter _viewS_fontXL">Linux</p> <div class="recom__item paddXM paddTS _viewS_paddXS"> <div class=""> <p>After booting up, run a full scan of all disk partitions with <a class="main_green_4" href="https://products.drweb.com/home/linux/">Dr.Web Anti-virus for Linux</a>.</p> </div> <div class="-Grid_1of2 -viewS-Grid_1of1 alignCenter paddTM"> <div class="Grid _viewS_paddBL"> <a href="https://download.drweb.com/linux/" class="Grid widthCaptcha bg_violet_4 paddXL paddYM"> <span class="fontL b white">Free trial</span> </a> <p class="Grid widthCaptcha alignCenter paddYS"> One month (no registration) or three months (registration and renewal discount) </p> </div><div class="Grid paddLC _viewS_noPaddL"> <a href="https://download.drweb.com/?lng=en" class="Grid widthCaptcha bg_main_green_5 paddXL paddYM"> <span class="fontL b white">Download Dr.Web</span> </a> <p class="Grid widthCaptcha alignCenter paddYS"> Download by serial number </p> </div> </div> </div> </div> </div> <!-- BLOCK_RECOM_LINUX_NEW END --> </div> <!-- virus.tt end --> </div> <!-- theme/tile_mobi/content.tt end --> <!-- TAIL --> <div class="TAIL"> <!-- footer_v2 start --> <link rel="stylesheet" href="//st.drweb.com/static/js/components/footer/style/style.css"> <div class="footer-wrap"> <footer class="footer"> <div class="footer__content"> <nav class="footer__head"> <ul class="footer__list"> <li class="footer__list-item footer__list-item--1"> <a class="footer__list-link" href="https://products.drweb.com/home/">Home</a> </li> <li class="footer__list-item footer__list-item--2"> <a 
