The FinFisher dropper 'wgetTest' found in the leaked ~36GB torrent for Linux creates a random directory in /home/$USER, selecting from the following list:

```
.data:0804D0E0 common_directories_to_infect dd offset a_cache
.data:0804D0E0                              ; DATA XREF: count_infection_element_paths_and_names+10o
.data:0804D0E0                              ; get_and_create_infection_dir_and_filename+68r ...
.data:0804D0E0                              ; ".cache"
.data:0804D0E4 off_804D0E4     dd offset a_dbus        ; DATA XREF: FFB8F40Co
.data:0804D0E4                                         ; ".dbus"
.data:0804D0E8                 dd offset a_fontconfig  ; ".fontconfig"
.data:0804D0EC                 dd offset a_gconf       ; ".gconf"
.data:0804D0F0                 dd offset a_gnome       ; ".gnome"
.data:0804D0F4                 dd offset a_gnome2      ; ".gnome2"
.data:0804D0F8                 dd offset a_kde         ; ".kde"
.data:0804D0FC                 dd offset a_local       ; ".local"
.data:0804D100                 dd offset a_qt          ; ".qt"
.data:0804D104                 dd offset a_ssh         ; ".ssh"
```
So, an example could be /home/joxean/.cache/. Then, a sub-directory inside this directory is selected from the following list:

```
.data:0804D140 ; char **possible_files_to_detect_infection[6]
.data:0804D140 possible_files_to_detect_infection dd offset a_config
.data:0804D140                              ; DATA XREF: count_infection_element_paths_and_names+42o
.data:0804D140                              ; get_and_create_infection_dir_and_filename+104r ...
.data:0804D140                              ; ".config"
.data:0804D144                 dd offset a_bin         ; ".bin"
.data:0804D148 off_804D148     dd offset a_sbin        ; DATA XREF: FFB8F408o
.data:0804D148                                         ; ".sbin"
.data:0804D14C off_804D14C     dd offset a_etc         ; ".etc"
.data:0804D150                 dd offset a_cfg         ; ".cfg"
.data:0804D154                 dd offset a_apps        ; ".apps"
```
So, an example could be /home/asier/.cache/.sbin. Then, the dropper patches itself and copies the patched binary into the selected directory under one of the following names:

```
.data:0804D1A0 ; char *g_likely_executable_names[8]
.data:0804D1A0 g_likely_executable_names dd offset aCpuset
.data:0804D1A0                              ; DATA XREF: count_infection_element_paths_and_names+74o
.data:0804D1A0                              ; check_already_infected+396o ...
.data:0804D1A0                              ; "cpuset"
.data:0804D1A4                 dd offset aKthreadd     ; "kthreadd"
.data:0804D1A8                 dd offset aKsnapd       ; "ksnapd"
.data:0804D1AC                 dd offset aUdevd        ; "udevd"
.data:0804D1B0                 dd offset aDbusDaemon   ; "dbus-daemon"
.data:0804D1B4                 dd offset aAtd          ; "atd"
.data:0804D1B8                 dd offset aCrond        ; "crond"
.data:0804D1BC                 dd offset aHald         ; "hald"
```
So, again, an example process could be /home/joe/.cache/.sbin/atd.
Once the file has been dropped and patched, the main dropper forks and the child executes the dropped binary with a call similar to the following one:

```c
(...)
chdir(infection_path);
execl(infection_command, infection_command, "80.so", "RunDll", 0);
(...)
```
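Because every piece of the persistence path comes from one of the three fixed lists above (10 directories x 6 sub-directories x 8 names = 480 candidates) and the child always receives the literal arguments "80.so" and "RunDll", a defender can enumerate the possible artifacts and process command lines directly. The following scanner is an added example, not code from the original paste or from the dropper; it builds a constructed fake /home and /proc tree in a temporary directory for demonstration (the real system paths are the defaults of the two scan functions).

```python
import tempfile
from itertools import product
from pathlib import Path

# Name lists recovered from the dropper's .data section (listings above).
INFECTION_DIRS = [".cache", ".dbus", ".fontconfig", ".gconf", ".gnome", ".gnome2", ".kde", ".local", ".qt", ".ssh"]
INFECTION_SUBDIRS = [".config", ".bin", ".sbin", ".etc", ".cfg", ".apps"]
EXECUTABLE_NAMES = ["cpuset", "kthreadd", "ksnapd", "udevd", "dbus-daemon", "atd", "crond", "hald"]
DROPPER_ARGV_TAIL = [b"80.so", b"RunDll"]  # fixed arguments the child receives via execl()

def scan_home(home):
    """Return [(path, looks_like_elf)] for each of the 480 candidate paths that exists as a regular file."""
    hits = []
    for d, s, n in product(INFECTION_DIRS, INFECTION_SUBDIRS, EXECUTABLE_NAMES):
        p = Path(home) / d / s / n
        if p.is_file() and not p.is_symlink():
            hits.append((str(p), p.read_bytes()[:4] == b"\x7fELF"))  # dropped copy is an ELF binary
    return hits

def suspicious_pids(proc_root="/proc"):
    """Return PIDs whose <proc_root>/<pid>/cmdline ends with the dropper's fixed arguments."""
    pids = []
    for entry in Path(proc_root).iterdir():
        if not entry.name.isdigit():
            continue
        try:
            argv = (entry / "cmdline").read_bytes().split(b"\0")  # trailing NUL -> last item is b""
        except OSError:
            continue  # process exited or unreadable
        if argv[-3:-1] == DROPPER_ARGV_TAIL:
            pids.append(int(entry.name))
    return sorted(pids)

def build_demo_tree():
    """Constructed sample data (not from a real system): a fake /home and /proc under a temp dir."""
    root = Path(tempfile.mkdtemp())
    for rel, data in (("home/joe/.cache/.sbin/atd", b"\x7fELF" + b"\0" * 60),  # ELF magic only
                      ("home/joe/.kde/.bin/crond", b"not an executable\n")):  # same scheme, text decoy
        (root / rel).parent.mkdir(parents=True)
        (root / rel).write_bytes(data)
    atd = str(root / "home/joe/.cache/.sbin/atd").encode()
    for pid, argv in ((1, [b"/sbin/init"]), (1234, [atd] + DROPPER_ARGV_TAIL)):
        (root / f"proc/{pid}").mkdir(parents=True)
        (root / f"proc/{pid}/cmdline").write_bytes(b"\0".join(argv) + b"\0")
    return root

if __name__ == "__main__":
    demo = build_demo_tree()
    print(scan_home(demo / "home/joe"), suspicious_pids(demo / "proc"))
```

A filesystem hit is a lead rather than proof, since the names are chosen to blend in with legitimate daemons; the ELF flag and a matching command line together give much stronger evidence than either alone.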