Защити созданное

Другие наши ресурсы

  • free.drweb.uz — бесплатные утилиты, плагины, информеры
  • av-desk.com — интернет-сервис для поставщиков услуг Dr.Web AV-Desk
  • curenet.drweb.uz — сетевая лечащая утилита Dr.Web CureNet!
  • www.drweb.uz/web-iq — ВебIQметр
Закрыть

Библиотека
Моя библиотека

Чтобы добавить ресурс в библиотеку, войдите в аккаунт.

+ Добавить в библиотеку

Ресурсов: -

Последний: -

Моя библиотека

Поддержка
Круглосуточная поддержка | Правила обращения

Позвоните

Бесплатно по России:
8-800-333-79-32

ЧаВо | Форум

Ваши запросы

  • Все: -
  • Незакрытые: -
  • Последний: -

Позвоните

Бесплатно по России:
8-800-333-79-32

Свяжитесь с нами Незакрытые запросы: 

Профиль

Профиль

Android.Pandora.2

Добавлен в вирусную базу Dr.Web: 2023-03-10

Описание добавлено:

SHA1: 14215a93ed5d0a86f31aab0b2d7be6db8a45a371

Description

Android.Pandora.2 is a backdoor trojan designed to target Android devices. Its main functionality includes carrying out DDoS attacks and executing remote commands on a victim's device.

Operating routine

The Android.Pandora.2 malicious program was discovered during an investigation into cases of infection occurring in the system partition of an Android TV box model. The infection itself presumably occurred via an unpatched Android OS vulnerability exploitation.

The backdoor is installed into the system storage area with a number of additional components. During the infection analysis, the following files were identified:

  • /system/bin/pandoraspearrk;
  • /system/bin/supervisord;
  • /system/bin/rootsudaemon.sh (in some cases, the preinstall.sh file can be installed, instead of the rootsudaemon.sh);
  • /system/bin/s.conf;
  • /system/xbin/busybox;
  • /system/bin/curl.

The file pandoraspearrk is itself an Android.Pandora.2 trojan.

The file supervisoid is a supervisor tool that monitors the status of the targeted executable and launches it again if its operation was terminated. In this particular case, it monitors the backdoor’s status, and it uses the configuration from the s.conf file.

The busybox and curl files represent the non-malicious instruments BusyBox (a set of UNIX tools of various functionality) and curl (a utility for transferring data via different network protocols).

The rootsudaemon.sh and preinstall.sh files are scripts. The former launches the supervisoid file with root privileges and has the structure shown below:

    
    #!/system/bin/sh
    /system/xbin/daemonsu --auto-daemon &
    /system/bin/supervisord -c /system/bin/s.conf &
    

The latter creates a number of directories, installs APK packets, and launches the supervisoid file. It has the following structure.

  
    
    #!/system/bin/sh
    MARK=/sdcard/symbol_thirdpart_apks_installed
    PKGS=/system/preinstall/
    MARK1=/data/local/symbol_xbmc_file_coped
    ANDROID_DIR=/sdcard/Android
    DATA_DIR=/sdcard/Android/data
    if [ ! -e $MARK ]; then
    echo "booting the first time, so pre-install some APKs."
    busybox find $PKGS -name "*\.apk" -exec sh /system/bin/pm install {} \;
    touch $MARK
    echo "OK, installation complete."
    fi
    if [ ! -e $MARK1 ]; then
    echo "booting the first time, so pre-install some APKs."
    echo "lml in kodi.sh22!!!"
    if [ ! -e $ANDROID_DIR ];then
    echo "no android dir ,we need make android dir first."
    log -t cw "lml in kodi.sh33!!!"
    busybox mkdir /sdcard/Android
    fi
    log -t cw "lml in kodi.sh44!!!"
    if [ ! -e $DATA_DIR ];then
    echo "no android dir ,we need make data dir first."
    log -t cw "lml in kodi.sh55!!!"
    busybox mkdir /sdcard/Android/data
    fi
    log -t cw "lml in kodi.sh66!!!"
    rm /sdcard/Android/data/org.xbmc.kodi/ -rf
    busybox unzip -o /system/media/org.xbmc.kodi.zip -d /sdcard/Android/data/
    touch $MARK1
    echo "OK, installation complete."
    fi
    /system/bin/supervisord -c /system/bin/s.conf &
    

In particular, it installs Kodi® media center (org.xbmc.kodi), a media center app for Android TV.

Interaction with the C&C server

To connect to the C&C server, the backdoor reads its address from the command-line parameters or from the /data/.ms file, which has been encrypted with a Blowfish algorithm, or it uses a built-in list:

  • ok3[.]mflve[.]com
  • pcn[.]panddna[.]com
  • apz[.]bsaldo[.]com
  • abcr[.]ftsym1[.]com

Next, it verifies whether the /htv and /koocan directories are present. These directories are subsequently used to store a copy of the new version of the backdoor when the self-update command is executed.

The trojan connects to the server on the received address and forms a string with an id, as shown below:

1000@12.00-00.00-10000000@0002@

At the same time, the numerical contents of this line may vary, depending on whether the trojan has obtained access to /dev/block/hide, /dev/block/mtdblock5, or /dev/block/mtdblock4, and has gotten the particular data from there.

The resulting string is encoded with a Blowfish algorithm, using a zAw2xidjP3eHQ key; converted into a modified Base64; and transferred to the C&C server. In response, Android.Pandora.2 receives a command.

Commands executed

Commands received by the backdoor are sent in the <...>@<a command>@<an argument #1>@<an argument #2>@... format.

Command Name Aruments Description
11 addns tmpdnsip, tmpdns To add a record into /etc/hosts.
12 del_dns host To remove a record from /etc/hosts.
21 URL To perform an auto update of the trojan app.
31 syn host (and optionally a network port) To execute a DDoS attack on a targeted host through port 80, or through the port listed in the command’s arguments.
32 udp host To execute a DDoS attack via the UDP protocol.
33 icmp host To execute a DDoS attack via the ICMP protocol.
34 mix host To execute a DDoS attack via the ICMP, UDP, and SYN protocols simultaneously.
35 smurf host To execute a DDoS attack via the ICMP protocol.
36 tagr3 host (an IP address or a host name) To execute a DDoS attack.
37 сс Unknown To start a thread to execute a commanded task.
38 dnsflood Unknown To execute a DNS Query Flood-type attack.
88 shell host, port To open a Reverse Shell to host:port (or to /system/bin/sh, or to ksh).
110 stopall To stop all processes performing DDoS attacks (for each DDoS attack command received, 50 processes are created by default).
3000 lbs Unknown, IP To write a C&C server address into /data/.ms and connect to this server.
5000 URL To write a C&C server address into /data/.ms.
5555 Unknown To update a С&C server address in /data/.ms.
6269 A command To mount the /system partition in rw mode, to execute a command, to write the command output into the log, to mount the /system partition in ro mode.

Substitution of the /etc/hosts

Upon connecting to the C&C server, Android.Pandora.2 receives a link for downloading the hosts file the attackers need. This file is encoded with a Blowfish algorithm and encoded with a modified Base64.

The backdoor decrypts this hosts file and then uses it to replace the original system file located in /etc/hosts.

Рекомендации по лечению


Android

  1. Если мобильное устройство функционирует в штатном режиме, загрузите и установите на него бесплатный антивирусный продукт Dr.Web для Android Light. Выполните полную проверку системы и используйте рекомендации по нейтрализации обнаруженных угроз.
  2. Если мобильное устройство заблокировано троянцем-вымогателем семейства Android.Locker (на экране отображается обвинение в нарушении закона, требование выплаты определенной денежной суммы или иное сообщение, мешающее нормальной работе с устройством), выполните следующие действия:
    • загрузите свой смартфон или планшет в безопасном режиме (в зависимости от версии операционной системы и особенностей конкретного мобильного устройства эта процедура может быть выполнена различными способами; обратитесь за уточнением к инструкции, поставляемой вместе с приобретенным аппаратом, или напрямую к его производителю);
    • после активации безопасного режима установите на зараженное устройство бесплатный антивирусный продукт Dr.Web для Android Light и произведите полную проверку системы, выполнив рекомендации по нейтрализации обнаруженных угроз;
    • выключите устройство и включите его в обычном режиме.

Подробнее о Dr.Web для Android

Демо бесплатно на 14 дней

Выдаётся при установке