ELF_MANUST.A

This is involved in an exploit attack targeting a critical vulnerability of Ruby on Rails. It connects to an IRC server where it can receive and perform commands from remote malicious attackers, as well as make the affected system part of its botnet. Affected users may find the security of their systems compromised.

To get a one-glance comprehensive view of the behavior of this Backdoor, refer to the Threat Diagram shown below.

This backdoor may be dropped by other malware. It may be unknowingly downloaded by a user while visiting malicious websites.

It connects to Internet Relay Chat (IRC) servers.

Arrival Details

This backdoor may be dropped by other malware.

It may be unknowingly downloaded by a user while visiting malicious websites.

Backdoor Routine

This backdoor connects to any of the following Internet Relay Chat (IRC) servers:

• {BLOCKED}u.ru
• {BLOCKED}.{BLOCKED}.124.120

It accesses a remote Internet Relay Chat (IRC) server where it receives the following commands from a remote malicious user:

• NICK {nick} - change IRC nick
• SERVER {server} - change IRC Server
• KILL - terminate itself
• GET {http address} {save as} - download files on the compromised system
• HELP - show Help Info (set of commands accepted)
• IRC {command} - send message to IRC Server
• SH {command} - execute command on the compromised system