A workaround for the biden1 virus

Original link: https://www.codewoody.com/posts/47963/

This article describes a workaround for the biden1 mining virus. The investigation process is not written up (mainly because it was not recorded at the time and I was too lazy to reproduce it); only the conclusion is given here.

1 Cause analysis

The malware runs a mining process called biden1 that saturates every CPU core. If the user kills this process, it is restarted automatically within a short time. This mechanism is implemented through the transient units created by the systemd-run command. The status of the biden1 process can be inspected with sudo systemctl status biden1-pid (where biden1-pid is the PID of the process). The output shows that the process is managed by systemd but belongs to a transient (abandoned) unit, which lets us conclude that the process was started with systemd-run.

2 Solutions

Looking at the documentation for systemd-run, we find that the tool has an option --send-sighup, which is described as:

When terminating the scope or service unit, send a SIGHUP immediately after SIGTERM. This is useful to indicate to shells and shell-like processes that the connection has been severed. Also see SendSIGHUP= in systemd.kill(5).

From this it follows that if this option is set, then when the process receives the SIGTERM signal, systemd-run immediately sends a SIGHUP signal to the process, pulling the process up again. This also means that if we send a signal other than SIGTERM that can kill the process, the process will not be pulled up again. We can choose the SIGKILL signal, whose number is 9. Therefore, we can terminate the mining process biden1 with the following command:

kill -9 biden1-pid

Note that biden1 also has a sibling process (I forgot its name; systemctl status shows that both are in the same scope) that needs to be terminated in the same way.
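The steps above (find the unit that owns a PID, confirm it is transient, find the siblings in the same scope, and kill them all with SIGKILL) as an added shell example. This is not code from the original post. It assumes a cgroup v2 system where the unit's cgroup is mounted under /sys/fs/cgroup, and it treats the default systemd-run unit names (run-u<N> or run-r<hex>) as a heuristic only; the authoritative check is systemd's own Transient= property, which systemctl show reports. The PID to inspect is passed through the hypothetical TARGET_PID environment variable.

```shell
#!/bin/sh
# Added example, not from the original post: map a PID to its systemd unit,
# confirm the unit is transient, list the processes sharing its cgroup, and
# terminate them all with SIGKILL (signal 9) so no sibling is left behind.
# Assumes cgroup v2 under /sys/fs/cgroup and the default systemd-run naming.

# unit_from_cgroup_line: extract the unit name from one /proc/PID/cgroup line.
# "0::/system.slice/run-u123.service" -> "run-u123.service"
unit_from_cgroup_line() {
    printf '%s\n' "$1" | sed -n 's#^[0-9]*:[^:]*:.*/\([^/]*\)$#\1#p'
}

# looks_transient_name: heuristic match on the default systemd-run unit names
# (run-u<N> or run-r<hex>). Returns 0 (true) on a match, 1 otherwise.
looks_transient_name() {
    case "$1" in
        run-u[0-9]*.service|run-u[0-9]*.scope|run-r[0-9a-f]*.service|run-r[0-9a-f]*.scope)
            return 0 ;;
        *)  return 1 ;;
    esac
}

# unit_of_pid: the unit that owns a live PID, read from /proc (cgroup v2 has one line).
unit_of_pid() {
    unit_from_cgroup_line "$(head -n 1 "/proc/$1/cgroup")"
}

# is_transient_unit: authoritative check using systemd's Transient= property.
is_transient_unit() {
    [ "$(systemctl show -p Transient --value "$1" 2>/dev/null)" = "yes" ]
}

# cgroup_pids: every PID in the unit's cgroup, i.e. the "same scope" siblings.
cgroup_pids() {
    _path=$(systemctl show -p ControlGroup --value "$1")
    cat "/sys/fs/cgroup$_path/cgroup.procs"
}

# kill_unit_processes: SIGKILL every process in the unit at once, then stop the
# unit so systemd drops the transient definition.
kill_unit_processes() {
    systemctl kill --signal=KILL "$1"
    systemctl stop "$1" 2>/dev/null || true
}

# Usage: TARGET_PID=<pid of biden1> sudo sh ./this_script.sh
if [ -n "${TARGET_PID:-}" ]; then
    _unit=$(unit_of_pid "$TARGET_PID")
    echo "PID $TARGET_PID belongs to unit: $_unit"
    if is_transient_unit "$_unit" || looks_transient_name "$_unit"; then
        echo "Transient unit; processes in its cgroup:"
        cgroup_pids "$_unit"
        kill_unit_processes "$_unit"
    else
        echo "Unit is not transient; not touching it."
    fi
fi
```

systemctl kill with --signal=KILL delivers the signal to every process in the unit's cgroup, so the unnamed sibling process mentioned above is covered without having to look up its PID by hand. The cgroup_pids listing is printed first so the operator can record what was running before it is killed.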

3 Further issues

Besides biden1, you may find an sshd process that stays at 100% CPU usage for a long time. This process is in fact also the mining malware, but it uses a more advanced trick to disguise itself. Note that the intruder did not actually replace the real sshd file. What likely happened is that the attacker first moved the system's real sshd file elsewhere, placed the malicious sshd program under the same name at the same path, started it with systemd-run, then deleted the malicious file and restored the original sshd file. At this point the md5 of the sshd file on disk is correct, but the running sshd is the malicious program. Inspecting the malicious sshd process with the lsof command shows that it holds an ESTABLISHED HTTP connection (to an IP address in Germany), behaviour that a real sshd process does not exhibit.

Since this sshd process is also started by systemd-run, we can terminate it in the same way as the previous one. Note that there are three httpd processes in the same group as this sshd; these also need to be terminated.
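The disguise described above (the on-disk sshd hashes correctly while the running image is something else) can be detected by comparing the running process image with the file on disk, and by looking for connections sshd has no reason to hold. The following shell script is an added example, not code from the original post. It compares /proc/PID/exe with the expected binary path, hashes the running image (the kernel still serves the original inode through /proc/PID/exe even after the file was replaced or deleted) against the on-disk file, and parses ss -tnp output for ESTABLISHED connections of that PID whose local port is not the service port. The SAMPLE_SS text is constructed for the test; the TARGET_PID, EXPECTED_EXE and SERVICE_PORT variables are hypothetical names chosen here.

```shell
#!/bin/sh
# Added example, not from the original post: check whether a running "sshd"
# really is the sshd binary on disk, and list connections it should not have.

# exe_status: classify the readlink output of /proc/PID/exe against the
# expected binary path. Prints "ok", "deleted" or "mismatch".
exe_status() {
    _link=$1; _expected=$2
    case "$_link" in
        "$_expected")    echo ok ;;        # running image is the on-disk path
        *" (deleted)")   echo deleted ;;   # started from a file since unlinked/replaced
        *)               echo mismatch ;;  # started from a different path entirely
    esac
}

# flag_foreign_connections: read `ss -tnp` lines on stdin and print the peer of
# every ESTABLISHED connection belonging to PID $1 whose local port is not $2.
# Column layout assumed: State Recv-Q Send-Q Local:Port Peer:Port Process
flag_foreign_connections() {
    awk -v pid="$1" -v port="$2" '
        $1 == "ESTAB" && index($0, "pid=" pid ",") {
            n = split($4, local, ":")
            if (local[n] != port) print $5
        }'
}

# check_running_binary: live check of PID $1 against expected path $2 and
# service port $3. Reads /proc and runs sha256sum and ss on the host.
check_running_binary() {
    _pid=$1; _expected=$2; _port=$3
    _link=$(readlink "/proc/$_pid/exe")
    echo "exe link: $_link ($(exe_status "$_link" "$_expected"))"
    _disk=$(sha256sum "$_expected" | cut -d' ' -f1)
    _live=$(sha256sum "/proc/$_pid/exe" | cut -d' ' -f1)
    if [ "$_disk" = "$_live" ]; then
        echo "hash: running image matches on-disk $_expected"
    else
        echo "hash: MISMATCH, running image is not the on-disk $_expected"
    fi
    echo "established connections of PID $_pid not on port $_port:"
    ss -tnp | flag_foreign_connections "$_pid" "$_port"
}

# Constructed sample of `ss -tnp` output (not captured from a real host):
# the sshd with pid 1234 serves port 22 but also holds an outbound HTTP session.
SAMPLE_SS='State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 10.0.0.5:22 203.0.113.7:51234 users:(("sshd",pid=1234,fd=4))
ESTAB 0 0 10.0.0.5:49812 198.51.100.9:80 users:(("sshd",pid=1234,fd=9))
ESTAB 0 0 10.0.0.5:49813 198.51.100.9:443 users:(("httpd",pid=1240,fd=3))'

# sample_foreign_peers: run the parser over the constructed sample for PID $1, port $2.
sample_foreign_peers() {
    printf '%s\n' "$SAMPLE_SS" | flag_foreign_connections "$1" "$2"
}

# Usage: TARGET_PID=<pid> EXPECTED_EXE=/usr/sbin/sshd SERVICE_PORT=22 sudo sh ./this_script.sh
if [ -n "${TARGET_PID:-}" ]; then
    check_running_binary "$TARGET_PID" "${EXPECTED_EXE:-/usr/sbin/sshd}" "${SERVICE_PORT:-22}"
fi
```

Hashing /proc/PID/exe rather than the path on disk is the key point: the md5 check the text describes passes because it reads the restored file, whereas the running process still maps the inode it was started from. An outbound connection on a non-service port is the same signal the text obtained from lsof, here reduced to the peer address so it can be fed to a blocklist or ticket.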

4 Conclusion

The method given here terminates the mining processes, but it may not completely clean up the related files. Whether the biden1 process will be reactivated after the server restarts still needs to be verified.

This article is reprinted from: https://www.codewoody.com/posts/47963/
This site is for inclusion only, and the copyright belongs to the original author.
