ELF_KAITEN.SME

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It connects to Internet Relay Chat (IRC) servers. It joins an Internet Relay Chat (IRC) channel.

Arrival Details

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Backdoor Routine

This Backdoor connects to any of the following Internet Relay Chat (IRC) servers:

• {BLOCKED}.{BLOCKED}.{BLOCKED}.23:443

It joins any of the following Internet Relay Chat (IRC) channels:

• #roots

It accesses a remote Internet Relay Chat (IRC) server where it receives the following commands from a remote malicious user:

• PING → return "PONG"
• NICK → change nickname
• PRIVMSG:
  • TSUNAMI → TCP Flood Attack
  • PAN → SYN Flood Attack
  • UDP → UDP Flood Attack
  • UNKNOWN → UDP Flood Attack (Non-spoof)
  • NICK → change or set nickname
  • SERVER → change server
  • GETSPOOFS → create spoofing parameters
  • SPOOFS → change spoofing to subnet
  • DISABLE → stop bot
  • ENABLE → continue running bot
  • KILL → terminates running bot instance
  • KILLALL → terminates all running bot instances
  • GET → download file from a web address
  • VERSION → sends "Kaiten wa goraku"
  • HELP → list all commands
  • IRC → sends commands to the server
  • SH → executes a command
• 376 → MODE, JOIN, WHO
• 433 → set nickname
• 352 → spoof request

Other Details

This Backdoor does the following:

• It adds the line "/" to either of the following startup scripts to enable its automatic execution at every system startup:
  • /etc/rc.d/rc.local
  • /etc/rc.conf
• It disguises itself as a legitimate process by executing using the following process names:
  • master
  • crond
  • -bash
• It accesses the following file to generate random strings:
  • /usr/dict/words