ELF_IRCBOT.SPIN
Aliases: DDoS:Linux/Lightaidra (Microsoft), Linux/IRCBot.N (NOD32)
Platform: Linux
Threat Type: Backdoor
Destructiveness: No
Encrypted: Yes
In the wild: Yes
OVERVIEW
Infection Channel: Downloaded from the Internet, Dropped by other malware
This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It connects to Internet Relay Chat (IRC) servers. It joins an Internet Relay Chat (IRC) channel.
TECHNICAL DETAILS
File Size: 40,228 bytes
File Type: ELF
Memory Resident: Yes
Initial Samples Received Date: 28 Oct 2016
Payload: Connects to URLs/IPs
Arrival Details
This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Backdoor Routine
This Backdoor connects to any of the following Internet Relay Chat (IRC) servers:
- {BLOCKED}.{BLOCKED}.42.218
It joins any of the following Internet Relay Chat (IRC) channels:
- ##war## (with channel key: FuckTheSystem)
Once connected, it acts on the following IRC server replies and on commands issued by a remote malicious user:
- PING
- replies with:
- PONG {host|master host}
- TOPIC ##war##
- 376 or 422 (end of MOTD or no MOTD, i.e. registration with the server is complete)
- Changes the mode of the current channel:
- invite only
- enable amsg command
- Joins the said channel
- 433 (nickname already in use)
- Access the Bin Path
- change/use the nickname
- Joins the said channel
- STOP
- terminates itself
- sends private message:
- target: #xpl
- message: Terminate tutte le operazioni in corso (Translated as "Terminate all the ongoing operations")
- QUIT
- Terminate the client session
- Terminate itself
- SCAN
- sends private message:
- target: #xpl
- message: Scan Started Range {random}.{random}.0.0 Hosts:512
- Attempts a remote login to random IP addresses in the scanned range and tries the following usernames and passwords:
- root
- admin
- Admin
- user
- 1234
- D-Link
- root
- admin
- ttnet
- Admin
- password
- nokia
- XA1bac0MX
- 1234
- cobr4
- dreambox
- public
- 0987654321
- 1234567
- toor
- xj14p3r7
- home-modem
- D-Link
- user
- 12345
- 1111
- changeme2
- default
- administrator
- 1234567890
- private
- 654321
- 87654321
- 123456789
- admin1234567890
- changeme
- admin1234
- 123456
- 4321
- 54321
- 1234admin
- 2222
- 1q2w3e
- qwerty
- 7654321
- 987654321
- 12345678
- 3333
- 6666
- 8888
- 0000
- 4444
- 5555
- 7777
- 9999
- 12345Admin
- 56789Admin
- 1234Admin
- on a successful login, does the following on the remote machine:
- creates the directory /var/...
- deletes files under /var/
- connects to the following URL to download a file: http://{BLOCKED}.{BLOCKED}.42.218/dn.sh
- saves the downloaded file as /var/.../dn.sh
- stops the firewall
- sends the following private message when logged in successfully:
- target: #xpl
- message: Scan Accesso Effettutato Indirizzo:{ip} User:{username} Pass:{password} (Translated as "Scan: access obtained, address: {ip}, user: {username}, pass: {password}")
- Username:
- sends private message:
- target: #xpl
- message: Messaggi attivati (Translated as "Messages activated")
- reads the following paths and sends their content as a private message:
- /bin/(unknown)
- /sbin/(unknown)
- /usr/bin/(unknown)
- /usr/local/bin/(unknown)
- /usr/sbin/(unknown)
Other Details
This Backdoor does the following:
- Performs DDoS flooding, including floods of XMAS packets (TCP packets with an abnormal flag combination such as FIN, PSH and URG set).
- Uses the IRC nickname with the following format:
- [NU|LNX|{composed of either F,T,H or U}]{random digit}
- Register itself in IRC using the following:
- username: {nodename} or d3x
- realname: " ."
- Tries to access the following Bin Path:
- /bin
- /sbin
- /usr/bin
- /usr/local/bin
- /usr/sbin
It uses the following credentials when accessing its IRC server:
- we.own.your.ass (server password)
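The IRC indicators listed above (server password, nickname format, username and realname, channel and key, and the Italian status messages the bot posts to #xpl) can be matched directly against captured IRC traffic. The following is an added example, not code from the original page or from Trend Micro: a small IRC line parser plus a classifier that scores a capture and extracts the victim addresses and credentials the bot reports after a successful scan. The sample capture is constructed (RFC 5737 addresses stand in for the {BLOCKED} C2 and the scanned hosts), and the `\d+` in the nickname pattern is an assumption that the "{random digit}" may be more than one digit.

```python
import re

# Indicators taken from the description above. NICK_RE encodes the
# "[NU|LNX|{F,T,H or U}]{random digit}" nickname format; \d+ allows more
# than one digit in case the generator emits several (assumption).
NICK_RE = re.compile(r"^\[NU\|LNX\|[FTHU]\]\d+$")
SERVER_PASSWORD = "we.own.your.ass"
CHANNEL = "##war##"
CHANNEL_KEY = "FuckTheSystem"
REALNAME = " ."
REPORT_TARGET = "#xpl"
# Fixed prefixes of the Italian status messages the bot sends to #xpl.
REPORT_PREFIXES = (
    "Scan Started Range",
    "Scan Accesso Effettutato",
    "Messaggi attivati",
    "Terminate tutte le operazioni in corso",
)
COMPROMISE_RE = re.compile(r"Indirizzo:(\S+) User:(\S+) Pass:(\S+)")


def parse_irc(line):
    """Split one raw IRC line into (COMMAND, [params]).

    A leading ':prefix' is dropped and a trailing ':text' parameter is kept
    whole, so 'USER d3x 0 * : .' yields the realname ' .' intact.
    """
    line = line.rstrip("\r\n")
    if line.startswith(":"):
        _, _, line = line.partition(" ")
    head, sep, trailing = line.partition(" :")
    params = head.split() + ([trailing] if sep else [])
    if not params:
        return "", []
    return params[0].upper(), params[1:]


def classify(line):
    """Return the list of indicator names one client->server line matches."""
    cmd, params = parse_irc(line)
    hits = []
    if cmd == "PASS" and params and params[0] == SERVER_PASSWORD:
        hits.append("server-password")
    elif cmd == "NICK" and params and NICK_RE.match(params[0]):
        hits.append("nick-format")
    elif cmd == "USER" and len(params) >= 4:
        if params[3] == REALNAME:
            hits.append("realname")
        if params[0] == "d3x":
            hits.append("username-d3x")
    elif cmd == "JOIN" and params and params[0] == CHANNEL:
        hits.append("channel")
        if len(params) > 1 and params[1] == CHANNEL_KEY:
            hits.append("channel-key")
    elif (cmd == "PRIVMSG" and len(params) >= 2 and params[0] == REPORT_TARGET
          and params[1].startswith(REPORT_PREFIXES)):
        hits.append("status-report")
    return hits


def analyse(lines):
    """Aggregate indicators over a capture and pull out the victims the bot
    reported in 'Scan Accesso Effettutato' messages."""
    indicators = set()
    compromised = []
    for line in lines:
        hits = classify(line)
        indicators.update(hits)
        if "status-report" in hits:
            m = COMPROMISE_RE.search(parse_irc(line)[1][1])
            if m:
                compromised.append(m.groups())  # (ip, user, password)
    # Two independent indicators are enough: one alone (e.g. the nickname
    # format) could be a coincidence, the combination is not.
    verdict = "ELF_IRCBOT.SPIN-like" if len(indicators) >= 2 else "no match"
    return {"indicators": sorted(indicators), "compromised": compromised,
            "verdict": verdict}


# Constructed sample capture (not real traffic): RFC 5737 addresses stand in
# for the {BLOCKED} C2 and the scanned hosts.
SAMPLE_CAPTURE = [
    "PASS we.own.your.ass",
    "NICK [NU|LNX|F]42",
    "USER d3x 0 * : .",
    ":irc.example.test 376 [NU|LNX|F]42 :End of /MOTD command.",
    "JOIN ##war## FuckTheSystem",
    "PRIVMSG #xpl :Scan Started Range 198.51.0.0 Hosts:512",
    "PRIVMSG #xpl :Scan Accesso Effettutato Indirizzo:198.51.100.7 User:admin Pass:1234",
    "PRIVMSG #chat :hello there",
]

if __name__ == "__main__":
    print(analyse(SAMPLE_CAPTURE))
```

The `compromised` list is the part worth keeping from a capture: every "Scan Accesso Effettutato" message names a device the bot has already logged into with a default credential, and those devices need the same cleanup as the host running the bot.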
SOLUTION
Minimum Scan Engine: 9.800
First VSAPI Pattern File: 12.872.06
First VSAPI Pattern Release Date: 01 Nov 2016
VSAPI OPR Pattern Version: 12.873.00
VSAPI OPR Pattern Release Date: 02 Nov 2016
Step 1:
Scan your computer with your Trend Micro product and note files detected as ELF_IRCBOT.SPIN.
Step 2:
Terminating the malware process
To terminate the malware process:
- Open a Terminal window and list all running processes by typing the following command: ps -A
- In the list of processes, look for the file detected earlier. Note the process ID of the malware process.
- Type the following command:
- kill {malware process ID}
- Close the Terminal window.
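The steps above identify the process by name in `ps -A`. On a host where the detected file has already been renamed or unlinked, it is more reliable to find the bot by its connection to the IRC server, record what /proc still knows about the process (binary path, working directory, argv) and only then kill it. The following is an added example, not part of the original page or of any Trend Micro tool: it parses `ss -tnp` output, selects the PIDs connected to the C2 address, and captures the process facts before sending SIGKILL. The `ss` sample is constructed; 203.0.113.5 stands in for the {BLOCKED} C2 address and the process names and PIDs are made up.

```python
import os
import re
import signal

# Constructed sample of `ss -tnp` output (not from a real host). 203.0.113.5
# stands in for the {BLOCKED} C2 address in the description; process names and
# PIDs are made up. dn.sh is fetched from the same address, so a download in
# progress shows up next to the IRC session.
SAMPLE_SS = """\
State    Recv-Q Send-Q Local Address:Port   Peer Address:Port   Process
ESTAB    0      0      192.0.2.10:22        192.0.2.99:51022    users:(("sshd",pid=812,fd=4))
ESTAB    0      0      192.0.2.10:41234     203.0.113.5:6667    users:(("ircbot",pid=1337,fd=3))
SYN-SENT 0      1      192.0.2.10:41235     203.0.113.5:80      users:(("wget",pid=1340,fd=3))
"""

SS_PROC_RE = re.compile(r'\(\("(?P<comm>[^"]+)",pid=(?P<pid>\d+),fd=\d+\)\)')


def parse_ss(text):
    """Parse `ss -tnp` output into (state, local, peer, comm, pid) tuples.
    Lines without a users:(...) column (the header, or sockets owned by another
    user when ss is not run as root) are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue
        m = SS_PROC_RE.search(fields[5])
        if not m:
            continue
        rows.append((fields[0], fields[3], fields[4], m["comm"], int(m["pid"])))
    return rows


def peer_ip(addr):
    """Strip the port from 'ip:port' or '[v6]:port'."""
    host, _, _ = addr.rpartition(":")
    return host.strip("[]")


def find_c2_pids(rows, c2_ip, states=("ESTAB", "SYN-SENT")):
    """PIDs talking to the C2 address. SYN-SENT is included because a bot whose
    server is down keeps reconnecting and never reaches ESTAB."""
    return sorted({pid for state, _local, peer, _comm, pid in rows
                   if state in states and peer_ip(peer) == c2_ip})


def process_facts(pid):
    """Record what /proc knows about a process before it is killed: the binary
    path (with a ' (deleted)' suffix if the file was unlinked), cwd and argv.
    Values stay None if /proc is unreadable (not Linux, or not root)."""
    base = f"/proc/{pid}"
    facts = {"pid": pid, "exe": None, "cwd": None, "cmdline": None}
    try:
        facts["exe"] = os.readlink(f"{base}/exe")
        facts["cwd"] = os.readlink(f"{base}/cwd")
        with open(f"{base}/cmdline", "rb") as fh:
            raw = fh.read().replace(b"\0", b" ")
            facts["cmdline"] = raw.decode(errors="replace").strip()
    except OSError:
        pass
    return facts


def terminate(pids, dry_run=True):
    """Kill each PID with SIGKILL so the bot's own signal handling cannot
    interfere. Facts are captured first so evidence survives the kill.
    With dry_run=True nothing is signalled; the report is still produced."""
    report = []
    for pid in pids:
        facts = process_facts(pid)
        if not dry_run:
            os.kill(pid, signal.SIGKILL)
        facts["killed"] = not dry_run
        report.append(facts)
    return report


if __name__ == "__main__":
    # On a live host replace SAMPLE_SS with
    # subprocess.run(["ss", "-tnp"], capture_output=True, text=True).stdout
    # and set dry_run=False once the PIDs have been confirmed.
    rows = parse_ss(SAMPLE_SS)
    print(terminate(find_c2_pids(rows, "203.0.113.5"), dry_run=True))
```

Run with dry_run=True first and review the recorded `exe` paths: a path under /var/... or one ending in " (deleted)" confirms the match, and the copy of the binary you can still read from /proc/<pid>/exe is the sample to keep before the process is gone. After the kill, re-scan as in Step 3, since dn.sh may have dropped further files.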
Step 3:
Scan your computer with your Trend Micro product to delete files detected as ELF_IRCBOT.SPIN. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.