
Linux.Sshscan


First posted on 29 December 2015.
Source: Symantec

Aliases :

There are no other names known for Linux.Sshscan.

Explanation :

When the Trojan is executed, it connects to the following remote locations:

- [http://]testzzzzzz.10g.me/sshv-servi[REMOVED]
- [http://]testzzzzzz.10g.me/sshv-servi[REMOVED]
- [http://]testzzzzzz.10g.me/sshv-ser[REMOVED]

The Trojan then downloads the following files from these locations:

- [PATH TO MALWARE]/sshv-service-wordlist
- [PATH TO MALWARE]/sshv-service-shell.sh
- [PATH TO MALWARE]/sshv-service-rule

Next, the Trojan connects to an IP address specified in [PATH TO MALWARE]/sshv-service-rule.

The Trojan may then attempt to crack Secure Shell (SSH) login details for the root user using passwords stored in [PATH TO MALWARE]/sshv-service-wordlist.

If the Trojan successfully logs in, it may create a script to allow it to spread itself. It also sends a report to the following remote location: [http://]testzzzzzz.10g.me/sshv[REMOVED]
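
A way to spot the behaviour described above on a target host: repeated failed root password logins from one source, followed by an accepted one. This is an added example, not part of the Symantec write-up; it assumes OpenSSH sshd syslog lines, and the function name, threshold and sample log are constructed for illustration.

```python
import re
from collections import defaultdict

# OpenSSH sshd syslog messages for password authentication of the root account.
EVENT_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for root "
    r"from (?P<src>\S+) port \d+"
)

def detect_root_bruteforce(lines, threshold=5):
    """Return {source: {"failures": n, "compromised": bool}} for sources that
    reached `threshold` failed root password logins (threshold is an assumed
    value). "compromised" is True when an accepted root password login from
    the same source followed those failures."""
    failures = defaultdict(int)
    findings = {}
    for line in lines:
        m = EVENT_RE.search(line)
        if not m:
            continue
        src = m.group("src")
        if m.group("result") == "Failed":
            failures[src] += 1
            if failures[src] >= threshold:
                findings.setdefault(src, {"failures": 0, "compromised": False})
                findings[src]["failures"] = failures[src]
        elif src in findings:
            # Password guessed: the source failed repeatedly, then logged in.
            findings[src]["compromised"] = True
    return findings

# Constructed sample log (documentation-range addresses), not real telemetry.
SAMPLE_LOG = (
    [f"Dec 29 03:10:{i:02d} web01 sshd[{2000 + i}]: Failed password for root "
     f"from 203.0.113.7 port {40000 + i} ssh2" for i in range(6)]
    + ["Dec 29 03:10:09 web01 sshd[2009]: Accepted password for root "
       "from 203.0.113.7 port 40009 ssh2",
       "Dec 29 03:11:00 web01 sshd[2010]: Failed password for root "
       "from 198.51.100.4 port 51000 ssh2",
       "Dec 29 03:12:00 web01 sshd[2011]: Accepted password for root "
       "from 192.0.2.10 port 52000 ssh2"]
)

if __name__ == "__main__":
    for src, info in detect_root_bruteforce(SAMPLE_LOG).items():
        print(src, info)
```

A source flagged with "compromised" set is the case to triage first, since the write-up states the Trojan may create a spreading script once it logs in.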

Last update 29 December 2015

 
