ELF_PNSCAN.SPIN

 Analysis by: Jennifer Gumban

 PLATFORM:

Linux

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW


This Backdoor may arrive bundled with malware packages as a malware component.

It connects to certain websites to send and receive information.

  TECHNICAL DETAILS

File Size:

1,069,817 bytes

File Type:

ELF

Initial Samples Received Date:

28 Apr 2017

Arrival Details

This Backdoor may arrive bundled with malware packages as a malware component.

Propagation

This Backdoor scans networks for random IP addresses to search for systems to target. It then attempts to drop copies of itself into the following networks the systems are attached to:

  • Scans IP format {random ip}.{random ip}.{1 to 256}.{1 to 256} via port 22

Backdoor Routine

This Backdoor opens the following ports:

  • 9000

Other Details

This Backdoor connects to the following website to send and receive information:

  • https://{BLOCKED}r.com/search?f=realtime&q={value}
  • https://{BLOCKED}r.com/{value}
  • https://my.{BLOCKED}l.ru/mail/{value}/
  • https://{BLOCKED}t.com/search?q={value}

  SOLUTION

Minimum Scan Engine:

9.850

FIRST VSAPI PATTERN FILE:

13.368.03

FIRST VSAPI PATTERN DATE:

09 Dec 2015

VSAPI OPR PATTERN File:

13.369.00

VSAPI OPR PATTERN Date:

10 Dec 2015

Scan your computer with your Trend Micro product to delete files detected as ELF_PNSCAN.SPIN. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.


Did this description help? Tell us how we did.