ELF_TSUNAMI.DFI

 Analysis by: Kiyoshi Obuchi

 ALIASES:

a variant of Linux/Tsunami.NCD (ESET-NOD32); Trojan:Win32/Skeeyah.A!rfn (Microsoft); HEUR:Backdoor.Linux.Tsunami.bj (Kaspersky)

 PLATFORM:

Linux

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Downloaded from the Internet, Dropped by other malware


This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes commands from a remote malicious user, effectively compromising the affected system.

  TECHNICAL DETAILS

File Size:

37,552 bytes

File Type:

ELF

Memory Resident:

Yes

Initial Samples Received Date:

12 May 2018

Payload:

Launches DoS/DDoS attacks

Arrival Details

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Backdoor Routine

This Backdoor connects to any of the following IRC server(s):

  • {BLOCKED}.{BLOCKED}.18.114
  • {BLOCKED}.{BLOCKED}.18.119
  • {BLOCKED}.{BLOCKED}.18.121
  • {BLOCKED}.{BLOCKED}.220.124
  • {BLOCKED}.{BLOCKED}.15.55
  • {BLOCKED}.{BLOCKED}.125.36
  • {BLOCKED}.{BLOCKED}.199.94
  • {BLOCKED}.{BLOCKED}.199.98
  • {BLOCKED}.{BLOCKED}.32.30

It joins any of the following IRC channel(s):

  • #{Architecture} (or #0x86)

It executes the following commands from a remote malicious user:

  • UNKNOWN {target} {secs} - performs a non-spoofed UDP flood against the specified target at an n-second interval
  • PAN {target} {port} {secs} - performs an advanced SYN flood against the specified target at an n-second interval
  • UDP {target} {port} {secs} - performs a UDP flood against the specified target at an n-second interval
  • GETSPOOFS - prevents anyone from tracking the source of the DoS attack
  • SPOOFS {subnet} - changes the spoofing to the given subnet
  • GET {HTTP address} {save as} - downloads a file and saves it under the given name
  • IRC {command} - sends commands to the IRC server
  • SH {command} - executes shell commands
  • XMAS {target} {port} {secs} {packet} {random/not} - sends a packet attack to the specified target and port, generating packets of the given type
  • CBACK {ip} {port} - connects back to shell 2_9062015
  • KILLALL - terminates background threads or the current packet floods
  • DNS {Domain} - resolves the domain to an IP address
  • JUNK {target} {port} {time} {threads} - TCP flooder that sends 1 byte of garbage data
  • STD {target} {port} {secs} - triggers the bot to perform a denial of service (DoS) attack on the specified target by sending packets at an n-second interval
  • STD2 {target} {port} {secs} {trash_data} - triggers the bot to perform a denial of service (DoS) attack and also allows the user to specify the garbage data sent
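The command list above is the most actionable part of this write-up for a defender: because the bot takes its orders as plain text over IRC, the keywords and their argument counts can be matched directly in captured IRC traffic. The following detector is an added example written for this page (it is not Trend Micro's code and not part of the sample's analysis). It assumes, as the page does not state explicitly, that commands arrive as the text of an IRC PRIVMSG whose first whitespace-separated token is the keyword, that the keyword is matched case-sensitively, and that the architecture-named channels look like #x86_64, #arm or #mips; the IRC log lines it scans are constructed for the example.

```python
"""Flag ELF_TSUNAMI-style IRC command-and-control traffic in IRC log lines.

Added illustrative detection code; it is not from the original write-up.
Assumptions not stated on the page: commands arrive as the text of an IRC
PRIVMSG whose first token is the keyword, matched case-sensitively, and
the log lines below are constructed for the example.
"""
import re
from typing import Dict, List, Optional

# Expected argument count per command, taken from the command list above
# (None = variable length: IRC and SH take a free-form command string).
TSUNAMI_COMMANDS: Dict[str, Optional[int]] = {
    "UNKNOWN": 2, "PAN": 3, "UDP": 3, "GETSPOOFS": 0, "SPOOFS": 1, "GET": 2,
    "IRC": None, "SH": None, "XMAS": 5, "CBACK": 2, "KILLALL": 0, "DNS": 1,
    "JUNK": 4, "STD": 3, "STD2": 4,
}
# Flood commands and host-compromise commands are rated high; the rest medium.
HIGH_SEVERITY = {"UNKNOWN", "PAN", "UDP", "XMAS", "JUNK", "STD", "STD2", "SH", "CBACK", "GET"}

# Channel names the sample joins: #0x86 or an architecture name (assumed spellings).
CHANNEL_RE = re.compile(r"^#(0x86|x86(_64)?|i[3-6]86|arm\w*|mips\w*|ppc\w*|sparc\w*)$", re.IGNORECASE)

PRIVMSG_RE = re.compile(r"^(?::\S+\s+)?PRIVMSG\s+(?P<target>\S+)\s+:(?P<text>.*)$")
JOIN_RE = re.compile(r"^(?::\S+\s+)?JOIN\s+:?(?P<chan>#\S+)")


def analyze_irc_line(line: str) -> Optional[Dict]:
    """Return a finding dict for a suspicious line, or None for benign traffic."""
    line = line.rstrip("\r\n")
    join = JOIN_RE.match(line)
    if join and CHANNEL_RE.match(join.group("chan")):
        return {"kind": "join", "channel": join.group("chan"), "severity": "medium"}
    msg = PRIVMSG_RE.match(line)
    if not msg:
        return None
    tokens = msg.group("text").split()
    if not tokens or tokens[0] not in TSUNAMI_COMMANDS:
        return None
    cmd = tokens[0]
    expected = TSUNAMI_COMMANDS[cmd]
    args_match = expected is None or len(tokens) - 1 == expected
    return {
        "kind": "command",
        "channel": msg.group("target"),
        "command": cmd,
        "args": tokens[1:],
        "args_match": args_match,
        "severity": "high" if cmd in HIGH_SEVERITY else "medium",
        # A bot-style channel name plus a well-formed command is the strongest signal.
        "channel_match": bool(CHANNEL_RE.match(msg.group("target"))),
    }


def scan_irc_log(lines: List[str]) -> List[Dict]:
    """Run analyze_irc_line over a log and number the findings by line."""
    findings = []
    for number, line in enumerate(lines, start=1):
        finding = analyze_irc_line(line)
        if finding:
            finding["line"] = number
            findings.append(finding)
    return findings


# Constructed sample: one bot join, three operator commands, and two ordinary chat
# lines, the last of which trips the keyword match but fails the argument-count
# and channel-name checks (a false-positive candidate an analyst would down-rank).
SAMPLE_IRC_LOG = [
    ":bot1!bot@10.0.0.7 JOIN :#0x86",
    ":op!op@198.51.100.9 PRIVMSG #0x86 :UDP 203.0.113.5 80 120",
    ":op!op@198.51.100.9 PRIVMSG #0x86 :SH id",
    ":op!op@198.51.100.9 PRIVMSG #0x86 :DNS example.com",
    ":alice!a@10.0.0.3 PRIVMSG #linux :udp is faster than tcp for this",
    ":alice!a@10.0.0.3 PRIVMSG #linux :GET /index.html",
]

if __name__ == "__main__":
    for finding in scan_irc_log(SAMPLE_IRC_LOG):
        print(finding)
```

The argument-count check is what keeps ordinary chat from drowning the signal: a bare keyword such as GET or DNS is common in human conversation, but a keyword followed by exactly the argument shape the bot expects, sent to a channel named after a CPU architecture, is not.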

Other Details

This Backdoor does the following:

  • Adds the following entry to the crontab so that it is executed automatically every minute:
    • crontab * * * * * /{Malware path}/{Malware Filename}> /dev/null 2>&1 &
  • Executes the following commands, or reads the following files, to steal information:
    • /bin/uname - user name
    • /bin/nvram or /usr/sbin/nvram - show NVRAM
    • /etc/ISP_name - ISP name
    • /etc/Model_name - model name of router
  • The backdoor does not proceed with its intended routine if any of the following strings appears among its arguments:
    • strace
    • ltrace
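The crontab entry above is a compact persistence signature: an every-minute schedule, all output discarded to /dev/null, and the job backgrounded with a trailing ampersand. The script below is an added example for this page (not Trend Micro's code and not part of the original analysis) that scores crontab lines on those traits. It assumes the five-field user crontab format as produced by `crontab -l` (the system /etc/crontab carries an extra user field and is not handled), the sample crontab it scans is constructed, and the list of trusted program directories is an assumption to be tuned per host.

```python
"""Flag crontab entries that match the persistence pattern ELF_TSUNAMI.DFI
installs: run every minute, discard all output, launch in the background.

Added illustrative code, not part of the original write-up. It parses the
five-field user crontab format (assumed; /etc/crontab has an extra user
field), the sample crontab is constructed, and the trusted-path list is an
assumption to tune per host.
"""
import re
from typing import Dict, List, Optional

CRON_LINE_RE = re.compile(
    r"^(?P<min>\S+)\s+(?P<hour>\S+)\s+(?P<dom>\S+)\s+(?P<mon>\S+)\s+(?P<dow>\S+)\s+(?P<cmd>.+)$"
)
DISCARD_RE = re.compile(r">\s*/dev/null\s+2>&1")
# Directories a legitimately packaged every-minute job normally runs from (assumption).
TRUSTED_PREFIXES = ("/usr/bin/", "/usr/sbin/", "/usr/lib/", "/bin/", "/sbin/", "/opt/")


def parse_cron_line(line: str) -> Optional[Dict[str, str]]:
    """Split one crontab line into schedule fields and command; skip comments and VAR=value lines."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    if "=" in stripped.split()[0]:          # environment assignment such as SHELL=/bin/sh
        return None
    match = CRON_LINE_RE.match(stripped)
    return match.groupdict() if match else None


def assess_cron_entry(entry: Dict[str, str]) -> Dict:
    """Score one parsed entry; 'suspicious' needs the every-minute schedule plus two more traits."""
    cmd = entry["cmd"].strip()
    # The program path runs up to the first space or redirection, so "/tmp/x>" still yields "/tmp/x"
    # (the malware's own entry has no space before the redirect).
    program = re.split(r"[\s>]", cmd, maxsplit=1)[0]
    every_minute = all(entry[field] == "*" for field in ("min", "hour", "dom", "mon", "dow"))
    reasons = []
    if DISCARD_RE.search(cmd):
        reasons.append("discards_output")
    if cmd.endswith("&"):
        reasons.append("backgrounded")
    if not program.startswith(TRUSTED_PREFIXES):
        reasons.append("untrusted_path")
    return {
        "command": cmd,
        "program": program,
        "every_minute": every_minute,
        "reasons": reasons,
        "suspicious": every_minute and len(reasons) >= 2,
    }


def scan_crontab(text: str) -> List[Dict]:
    """Return the suspicious entries of a crontab dump (for example the output of `crontab -l`)."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        entry = parse_cron_line(line)
        if entry is None:
            continue
        result = assess_cron_entry(entry)
        if result["suspicious"]:
            result["line"] = number
            findings.append(result)
    return findings


# Constructed sample: three ordinary jobs and one entry shaped like the malware's.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * /usr/lib/sysstat/sa1 1 1 > /dev/null 2>&1
* * * * * /tmp/.x/httpd> /dev/null 2>&1 &
* * * * * /home/web/update.sh
"""

if __name__ == "__main__":
    for finding in scan_crontab(SAMPLE_CRONTAB):
        print(finding["line"], finding["program"], finding["reasons"])
```

Requiring two traits on top of the every-minute schedule keeps a legitimate monitoring job that merely silences its output, or a home-grown script in a user directory, from being flagged on its own; the malware's entry exhibits all three. Running the scan over every user's crontab (`crontab -l -u <user>`) and over files under /var/spool/cron covers the per-user persistence location the write-up describes.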

  SOLUTION

Minimum Scan Engine:

9.850

FIRST VSAPI PATTERN FILE:

14.476.03

VSAPI OPR PATTERN File:

14.477.00

Scan your computer with your Trend Micro product to delete files detected as ELF_TSUNAMI.DFI. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check the following Trend Micro Support pages for more information:

