Library
My library

+ Add to library

Profile

Linux.BackDoor.Tsunami.1395

Added to the Dr.Web virus database: 2023-08-30

Virus description added:

sha1

  • 61586a0c47e3ae120bb53d73e47515da4deaefbb

Description

Linux.BackDoor.Tsunami.1395 is a trojan capable of infecting Linux computers. It is designed to create a botnet and perform DoS attacks, for which it has remote control capabilities. It is implemented as an ELF64 executable file written in C and packed by the UPX packer. During packing, the “magic” byte sequence in the UPX header was replaced with “\x0a\x00\x00\x00\x00”.

Operating routine

Initialization

During initialization, the trojan checks the list of processes in the system for the strace and tcpdump tools. If either of these is detected, the Trojan stops working. Otherwise, the Trojan starts and replaces its process name with a random string of 12 to 32 characters to hide its activity.

It then checks for access to the directories /dev/shm/, /var/tmp/, /var/lock/, /var/run/, /tmp/, creates a hidden .bawtz file and places an advisory lock on it in one of these directories that the trojan has access to, thus ensuring that only one instance of the program can run.

Next, the trojan opens a listening socket at 127.0.0.1:59000, checks for the presence of the cron utility and adds the line “nameserver 8.8.8.8.8” to the /etc/resolv.conf file.

Anchoring in the system

The trojan copies itself to the following directories: /dev/shm, /var/tmp, /var/lock, /var/run, and the user's home directory.

It creates a cron task:

# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (- installed on Wed May 24 18:18:13 2023)
# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
* * * * * /root/pty3.elf > /dev/null 2>&1 &
* * * * * /dev/shm/pty3.elf > /dev/null 2>&1 &
* * * * * /var/tmp/pty3.elf > /dev/null 2>&1 &
* * * * * /var/lock/pty3.elf > /dev/null 2>&1 &
* * * * * /var/run/pty3.elf > /dev/null 2>&1 &

It adds a trojan startup process via /etc/inittab:

0:2345:respawn:/root/pty3.elf
0:2345:respawn:/dev/shm/pty3.elf
0:2345:respawn:/var/tmp/pty3.elf
0:2345:respawn:/var/lock/pty3.elf
0:2345:respawn:/var/run/pty3.elf

Connecting to the server

The trojan randomly selects one of the following servers and connects to it on port 8080:

185[.]62[.]137[.]56
162[.]249[.]2[.]189
165[.]22[.]217[.]181
68[.]66[.]253[.]100
46[.]149[.]233[.]35
185[.]61[.]149[.]22
45[.]132[.]242[.]233
i.l33t-ppl[.]info
i[.]de-zahlung[.]eu
i.deutschland-zahlung[.]net
i.shadow-mods[.]net
i.deutschland-zahlung[.]eu
173[.]255[.]240[.]191
31[.]131[.]24[.]229

The trojan interacts with the C&C server via the IRC protocol. When connecting to the server, it sends the following packet: NICK <bot name>\nUSER 0x1 localhost localhost :muhstik-11052018\n. The <bot name> parameter is formed as follows: <arch>h<username><rand><isRoot>. The result from executing one of the following commands is used as the <username> value:

nvram get router_name
cat /etc/ISP_name
/bin/uname –n
cat /etc/Model_name

Processing input data

The Trojan receives two types of commands from its C&C server:

  1. <special> <command> <params>\n
  2. <command> <params>\n</pre>
Name Description
376 Sends 3 messages to the server
  1. MODE <user name> -xi\n
  2. JOIN #ex86 :8974\n
  3. WHO <user name and privilege information>\n
422 Does the same thing as command 376
433 Updates <user name and privilege information>
NICK Copies to the <username and privilege information> variable the data transmitted in the parameter
PING Sends a packet to the server: PONG <params>\n
PRIVMSG Executes additional commands

The last command has the following parameters, with the field <params> having the value #ex86 +OK !<command> <args> and the field <special> having the value <data>!:

Name Description Arguments
CBACK Creates a reverse shell connection Server IP address and port number
GET Downloads a file The URL for downloading the file and the file name under which it will be saved
HELP Sends command descriptions to the server
HTTP Initiates a DoS attack by sending HTTP packets IP address, port, duration of attack, number of threads, attack route, request type
IRC Sends <params> to the server
KILL Terminates the program
KILL_PORT Closes the socket Open socket port
KILLALL Destroys all child subprocesses
PAN Initiates a DoS attack with a maximum number of threads IP address, port, duration of attack
SH Executes the command in /bin/sh; adds the program to the PATH Command is passed in the parameter
SHS Runs the command twice through the execve call Command is passed in the parameter
STD Initiates a DoS attack by sending a string to the server IP address, port, duration of attack, string sent
UDP Initiates a DoS attack by sending UDP packets IP address, port, duration of attack
UNKNOWN Initiates a DoS attack IP address, duration of attack
The <special> field is sent to the server if there are not enough arguments for the command.

Curing recommendations


Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Free trial

One month (no registration) or three months (registration and renewal discount)

Download Dr.Web

Download by serial number