ELF_TSUNAMI.DFI

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes commands from a remote malicious user, effectively compromising the affected system.

Arrival Details

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Backdoor Routine

This Backdoor connects to any of the following IRC server(s):

• {BLOCKED}.{BLOCKED}.18.114
• {BLOCKED}.{BLOCKED}.18.119
• {BLOCKED}.{BLOCKED}.18.121
• {BLOCKED}.{BLOCKED}.220.124
• {BLOCKED}.{BLOCKED}.15.55
• {BLOCKED}.{BLOCKED}.125.36
• {BLOCKED}.{BLOCKED}.199.94
• {BLOCKED}.{BLOCKED}.199.98
• {BLOCKED}.{BLOCKED}.32.30

It joins any of the following IRC channel(s):

• #{Architecture} (or #0x86)

It executes the following commands from a remote malicious user:

• UNKNOWN {target} {secs} - this performs a non-spoof UDP flood to a specific target at n seconds interval
• PAN {target} {port} {secs} - this performs an advanced SYN flood to a specific target at n seconds interval
• UDP {target} {port} {secs} - this performs a UDP flood to a specific target at n seconds interval
• GETSPOOFS - this prevents anyone from tracking the source of the DoS attack
• SPOOFS {subnet} - changes spoofing to a subnet
• GET {HTTP address} {save as} - this downloads and saves a file
• IRC {command} - this sends commands to the IRC server
• SH {command} - this executes shell commands
• XMAS {target} {port} {secs} {packet} {random/not} - sends an packet attack to specified target and port this generates packets.
• CBACK {ip} {port} -connects back to shell 2_9062015
• KILLALL - terminate background threads or current packetings
• DNS {Domain} - translates domain to ip
• JUNK {target} {port} {time} {threads} - tcp flooder sends 1 byte of garbage data
• STD {target} {port} {secs} - This triggers the bot to perform a denial of service (DoS) attack on a specific target by sending packets at n seconds interval
• STD2 {target} {port} {secs} {trash_data} - Triggers the bot to perform a denial of service (DoS) attack and also allows user to specify garbage data

Other Details

This Backdoor does the following:

• Adds the following entries to the crontab to enable its automatic execution at every minute:
  • crontab * * * * * /{Malware path}/{Malware Filename}> /dev/null 2>&1 &
• Executes the following command to steal information:
  • /bin/uname - user name
  • /bin/nvram or /usr/sbin/nvram - show NVRAM
  • /etc/ISP_name - ISP name
  • /etc/Model_name - model name of router
• The backdoor does not proceed with its intended routine if it finds the following strings as one of its arguments:
  • strace
  • ltrace