ELF_SETAG.TNI
Aliases: Backdoor:Linux/Setag!rfn (Microsoft), Linux/Setag.B.Gen trojan (ESET)
Platform: Linux
Threat Type: Backdoor
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
File Size: 1,223,123 bytes
File Type: ELF
Memory Resident: No
Initial Samples Received Date: 07 Apr 2016
Arrival Details
This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This backdoor drops the following files:
- /tmp/bill.lock
- /tmp/notify.file
- /proc/net/pktgen/kpktgend_{number}
- /proc/net/pktgen/pgctrl
It drops the following copies of itself into the affected system:
- /usr/lib/libamplify.so
Other Details
This backdoor connects to the following possibly malicious IP addresses (first two octets masked):
- {BLOCKED}.{BLOCKED}.189.10
- {BLOCKED}.{BLOCKED}.189.18
- {BLOCKED}.{BLOCKED}.100.100
- {BLOCKED}.{BLOCKED}.0.55
- {BLOCKED}.{BLOCKED}.211.22
- {BLOCKED}.{BLOCKED}.114.114
- {BLOCKED}.{BLOCKED}.115.115
- {BLOCKED}.{BLOCKED}.111.118
- {BLOCKED}.{BLOCKED}.249.50
- {BLOCKED}.{BLOCKED}.249.54
- {BLOCKED}.{BLOCKED}.255.228
- {BLOCKED}.{BLOCKED}.6.6
- {BLOCKED}.{BLOCKED}.33.240
- {BLOCKED}.{BLOCKED}.97.234
- {BLOCKED}.{BLOCKED}.97.238
- {BLOCKED}.{BLOCKED}.97.242
- {BLOCKED}.{BLOCKED}.160.110
- {BLOCKED}.{BLOCKED}.10.20
- {BLOCKED}.{BLOCKED}.150.20
- {BLOCKED}.{BLOCKED}.252.16
- {BLOCKED}.{BLOCKED}.55.244
- {BLOCKED}.{BLOCKED}.1.1
- {BLOCKED}.{BLOCKED}.192.1
- {BLOCKED}.{BLOCKED}.192.174
- {BLOCKED}.{BLOCKED}.255.18
- {BLOCKED}.{BLOCKED}.192.68
- {BLOCKED}.{BLOCKED}.199.8
- {BLOCKED}.{BLOCKED}.96.68
- {BLOCKED}.{BLOCKED}.107.85
- {BLOCKED}.{BLOCKED}.224.68
- {BLOCKED}.{BLOCKED}.226.68
- {BLOCKED}.{BLOCKED}.6.2
- {BLOCKED}.{BLOCKED}.98.55
- {BLOCKED}.{BLOCKED}.128.68
- {BLOCKED}.{BLOCKED}.134.68
- {BLOCKED}.{BLOCKED}.152.3
- {BLOCKED}.{BLOCKED}.154.3
- {BLOCKED}.{BLOCKED}.192.68
- {BLOCKED}.{BLOCKED}.199.68
- {BLOCKED}.{BLOCKED}.200.101
- {BLOCKED}.{BLOCKED}.213.68
- {BLOCKED}.{BLOCKED}.224.68
- {BLOCKED}.{BLOCKED}.227.68
- {BLOCKED}.{BLOCKED}.24.34
- {BLOCKED}.{BLOCKED}.3.141
- {BLOCKED}.{BLOCKED}.3.144
- {BLOCKED}.{BLOCKED}.7.90
- {BLOCKED}.{BLOCKED}.8.141
- {BLOCKED}.{BLOCKED}.9.141
- {BLOCKED}.{BLOCKED}.0.117
- {BLOCKED}.{BLOCKED}.0.68
- {BLOCKED}.{BLOCKED}.176.22
- {BLOCKED}.{BLOCKED}.224.68
- {BLOCKED}.{BLOCKED}.225.68
- {BLOCKED}.{BLOCKED}.24.68
- {BLOCKED}.{BLOCKED}.243.112
- {BLOCKED}.{BLOCKED}.44.150
- {BLOCKED}.{BLOCKED}.96.112
- {BLOCKED}.{BLOCKED}.0.20
- {BLOCKED}.{BLOCKED}.195.68
- {BLOCKED}.{BLOCKED}.196.115
- {BLOCKED}.{BLOCKED}.196.212
- {BLOCKED}.{BLOCKED}.196.228
- {BLOCKED}.{BLOCKED}.196.230
- {BLOCKED}.{BLOCKED}.196.232
- {BLOCKED}.{BLOCKED}.196.237
- {BLOCKED}.{BLOCKED}.46.151
- {BLOCKED}.{BLOCKED}.112.10
- {BLOCKED}.{BLOCKED}.144.30
- {BLOCKED}.{BLOCKED}.16.10
- {BLOCKED}.{BLOCKED}.16.11
- {BLOCKED}.{BLOCKED}.0.242
- {BLOCKED}.{BLOCKED}.240.6
- {BLOCKED}.{BLOCKED}.32.36
- {BLOCKED}.{BLOCKED}.32.39
- {BLOCKED}.{BLOCKED}.96.10
- {BLOCKED}.{BLOCKED}.96.5
- {BLOCKED}.{BLOCKED}.1.29
- {BLOCKED}.{BLOCKED}.1.53
- {BLOCKED}.{BLOCKED}.67.14
- {BLOCKED}.{BLOCKED}.67.4
- {BLOCKED}.{BLOCKED}.3.3
- {BLOCKED}.{BLOCKED}.3.8
- {BLOCKED}.{BLOCKED}.64.33
- {BLOCKED}.{BLOCKED}.64.1
- {BLOCKED}.{BLOCKED}.128.33
- {BLOCKED}.{BLOCKED}.144.33
- {BLOCKED}.{BLOCKED}.160.33
- {BLOCKED}.{BLOCKED}.192.33
- {BLOCKED}.{BLOCKED}.208.33
- {BLOCKED}.{BLOCKED}.224.33
- {BLOCKED}.{BLOCKED}.64.1
- {BLOCKED}.{BLOCKED}.84.58
- {BLOCKED}.{BLOCKED}.84.67
- {BLOCKED}.{BLOCKED}.252.8
- {BLOCKED}.{BLOCKED}.128.32
- {BLOCKED}.{BLOCKED}.103.36
- {BLOCKED}.{BLOCKED}.104.15
- {BLOCKED}.{BLOCKED}.104.26
- {BLOCKED}.{BLOCKED}.107.27
- {BLOCKED}.{BLOCKED}.128.166
- {BLOCKED}.{BLOCKED}.128.68
- {BLOCKED}.{BLOCKED}.128.86
- {BLOCKED}.{BLOCKED}.134.133
- {BLOCKED}.{BLOCKED}.134.33
- {BLOCKED}.{BLOCKED}.144.47
- {BLOCKED}.{BLOCKED}.154.15
- {BLOCKED}.{BLOCKED}.209.133
- {BLOCKED}.{BLOCKED}.209.5
- {BLOCKED}.{BLOCKED}.64.68
- {BLOCKED}.{BLOCKED}.69.38
- {BLOCKED}.{BLOCKED}.75.68
- {BLOCKED}.{BLOCKED}.86.18
- {BLOCKED}.{BLOCKED}.96.68
- {BLOCKED}.{BLOCKED}.224.68
- {BLOCKED}.{BLOCKED}.7.17
- {BLOCKED}.{BLOCKED}.7.6
- {BLOCKED}.{BLOCKED}.0.68
- {BLOCKED}.{BLOCKED}.192.67
- {BLOCKED}.{BLOCKED}.198.167
- {BLOCKED}.{BLOCKED}.224.68
- {BLOCKED}.{BLOCKED}.5.68
- {BLOCKED}.{BLOCKED}.96.68
- {BLOCKED}.{BLOCKED}.104.68
- {BLOCKED}.{BLOCKED}.160.68
- {BLOCKED}.{BLOCKED}.166.4
- {BLOCKED}.{BLOCKED}.168.8
- {BLOCKED}.{BLOCKED}.192.66
- {BLOCKED}.{BLOCKED}.192.68
- {BLOCKED}.{BLOCKED}.224.67
- {BLOCKED}.{BLOCKED}.224.8
- {BLOCKED}.{BLOCKED}.96.68
- {BLOCKED}.{BLOCKED}.100.18
- {BLOCKED}.{BLOCKED}.100.21
- {BLOCKED}.{BLOCKED}.94.20
- {BLOCKED}.{BLOCKED}.94.241
- {BLOCKED}.{BLOCKED}.96.9
- {BLOCKED}.{BLOCKED}.211.193
- {BLOCKED}.{BLOCKED}.211.225
- {BLOCKED}.{BLOCKED}.196.6
- {BLOCKED}.{BLOCKED}.3.140
- {BLOCKED}.{BLOCKED}.4.130
- {BLOCKED}.{BLOCKED}.192.33
- {BLOCKED}.{BLOCKED}.241.1
- {BLOCKED}.{BLOCKED}.13.101
- {BLOCKED}.{BLOCKED}.112.50
- {BLOCKED}.{BLOCKED}.150.66
- {BLOCKED}.{BLOCKED}.17.107
- {BLOCKED}.{BLOCKED}.28.231
- {BLOCKED}.{BLOCKED}.28.234
- {BLOCKED}.{BLOCKED}.28.237
- {BLOCKED}.{BLOCKED}.160.185
- {BLOCKED}.{BLOCKED}.160.5
- {BLOCKED}.{BLOCKED}.241.34
- {BLOCKED}.{BLOCKED}.32.178
- {BLOCKED}.{BLOCKED}.106.19
- {BLOCKED}.{BLOCKED}.145.194
- {BLOCKED}.{BLOCKED}.151.161
- {BLOCKED}.{BLOCKED}.156.66
- {BLOCKED}.{BLOCKED}.164.6
- {BLOCKED}.{BLOCKED}.180.2
- {BLOCKED}.{BLOCKED}.200.69
- {BLOCKED}.{BLOCKED}.240.100
- {BLOCKED}.{BLOCKED}.242.18
- {BLOCKED}.{BLOCKED}.245.180
- {BLOCKED}.{BLOCKED}.75.123
- {BLOCKED}.{BLOCKED}.91.1
- {BLOCKED}.{BLOCKED}.1.3
- {BLOCKED}.{BLOCKED}.2.18
- {BLOCKED}.{BLOCKED}.29.150
- {BLOCKED}.{BLOCKED}.29.170
- {BLOCKED}.{BLOCKED}.29.68
- {BLOCKED}.{BLOCKED}.73.34
- {BLOCKED}.{BLOCKED}.197.58
- {BLOCKED}.{BLOCKED}.16.99
- {BLOCKED}.{BLOCKED}.90.68
- {BLOCKED}.{BLOCKED}.210.100
- {BLOCKED}.{BLOCKED}.210.98
- {BLOCKED}.{BLOCKED}.6.3
- {BLOCKED}.{BLOCKED}.158.11
- {BLOCKED}.{BLOCKED}.159.3
- {BLOCKED}.{BLOCKED}.61.225
- {BLOCKED}.{BLOCKED}.61.235
- {BLOCKED}.{BLOCKED}.61.255
- {BLOCKED}.{BLOCKED}.62.1
- {BLOCKED}.{BLOCKED}.62.60
- {BLOCKED}.{BLOCKED}.130.1
- {BLOCKED}.{BLOCKED}.72.65
- {BLOCKED}.{BLOCKED}.80.65
- {BLOCKED}.{BLOCKED}.88.129
- {BLOCKED}.{BLOCKED}.136.81
- {BLOCKED}.{BLOCKED}.144.161
- {BLOCKED}.{BLOCKED}.0.81
- {BLOCKED}.{BLOCKED}.24.129
- {BLOCKED}.{BLOCKED}.64.129
- {BLOCKED}.{BLOCKED}.1.97
- {BLOCKED}.{BLOCKED}.193.97
- {BLOCKED}.{BLOCKED}.72.1
- {BLOCKED}.{BLOCKED}.64.129
- {BLOCKED}.{BLOCKED}.96.65
- {BLOCKED}.{BLOCKED}.121.27
- {BLOCKED}.{BLOCKED}.2.4
- {BLOCKED}.{BLOCKED}.4.1
- {BLOCKED}.{BLOCKED}.72.7
- {BLOCKED}.{BLOCKED}.111.114
- {BLOCKED}.{BLOCKED}.111.122
- {BLOCKED}.{BLOCKED}.128.106
- {BLOCKED}.{BLOCKED}.32.106
- {BLOCKED}.{BLOCKED}.78.2
- {BLOCKED}.{BLOCKED}.127.114
- {BLOCKED}.{BLOCKED}.127.122
- {BLOCKED}.{BLOCKED}.248.219
- {BLOCKED}.{BLOCKED}.248.245
- {BLOCKED}.{BLOCKED}.135.1
- {BLOCKED}.{BLOCKED}.17.2
- {BLOCKED}.{BLOCKED}.152.130
- {BLOCKED}.{BLOCKED}.101.3
- {BLOCKED}.{BLOCKED}.160.194
- {BLOCKED}.{BLOCKED}.19.40
- {BLOCKED}.{BLOCKED}.19.50
- {BLOCKED}.{BLOCKED}.200.139
- {BLOCKED}.{BLOCKED}.192.100
- {BLOCKED}.{BLOCKED}.152.99
- {BLOCKED}.{BLOCKED}.157.99
- {BLOCKED}.{BLOCKED}.0.124
- {BLOCKED}.{BLOCKED}.136.10
- {BLOCKED}.{BLOCKED}.140.10
- {BLOCKED}.{BLOCKED}.148.37
- {BLOCKED}.{BLOCKED}.148.39
- {BLOCKED}.{BLOCKED}.1.66
- {BLOCKED}.{BLOCKED}.1.66
- {BLOCKED}.{BLOCKED}.198.230
- {BLOCKED}.{BLOCKED}.204.66
- {BLOCKED}.{BLOCKED}.194.55
- {BLOCKED}.{BLOCKED}.6.99
- {BLOCKED}.{BLOCKED}.32.132
- {BLOCKED}.{BLOCKED}.127.1
- {BLOCKED}.{BLOCKED}.26.42
- {BLOCKED}.{BLOCKED}.225.253
- {BLOCKED}.{BLOCKED}.208.3
- {BLOCKED}.{BLOCKED}.208.6
- {BLOCKED}.{BLOCKED}.64.68
- {BLOCKED}.{BLOCKED}.132.2
- {BLOCKED}.{BLOCKED}.1.227
- {BLOCKED}.{BLOCKED}.33.227
- {BLOCKED}.{BLOCKED}.252.200
- {BLOCKED}.{BLOCKED}.32.100
- {BLOCKED}.{BLOCKED}.32.103
- {BLOCKED}.{BLOCKED}.32.106
- {BLOCKED}.{BLOCKED}.32.109
- {BLOCKED}.{BLOCKED}.33.52
- {BLOCKED}.{BLOCKED}.33.60
- {BLOCKED}.{BLOCKED}.143.69
- {BLOCKED}.{BLOCKED}.3.70
- {BLOCKED}.{BLOCKED}.3.73
- {BLOCKED}.{BLOCKED}.3.76
- {BLOCKED}.{BLOCKED}.3.79
- {BLOCKED}.{BLOCKED}.3.83
- {BLOCKED}.{BLOCKED}.3.85
- {BLOCKED}.{BLOCKED}.4.12
- {BLOCKED}.{BLOCKED}.4.15
- {BLOCKED}.{BLOCKED}.4.18
- {BLOCKED}.{BLOCKED}.4.21
- {BLOCKED}.{BLOCKED}.4.6
- {BLOCKED}.{BLOCKED}.4.9
- {BLOCKED}.{BLOCKED}.255.1
- {BLOCKED}.{BLOCKED}.129.30
- {BLOCKED}.{BLOCKED}.131.11
- {BLOCKED}.{BLOCKED}.66.66
- {BLOCKED}.{BLOCKED}.203.86
- {BLOCKED}.{BLOCKED}.203.90
- {BLOCKED}.{BLOCKED}.203.98
- {BLOCKED}.{BLOCKED}.88.88
- {BLOCKED}.{BLOCKED}.4.66
- {BLOCKED}.{BLOCKED}.1.20
- {BLOCKED}.{BLOCKED}.128.68
- {BLOCKED}.{BLOCKED}.136.68
- {BLOCKED}.{BLOCKED}.34.10
- {BLOCKED}.{BLOCKED}.92.86
- {BLOCKED}.{BLOCKED}.92.98
- {BLOCKED}.{BLOCKED}.200.68
- {BLOCKED}.{BLOCKED}.5.240
- {BLOCKED}.{BLOCKED}.222.222
- {BLOCKED}.{BLOCKED}.129.81
- {BLOCKED}.{BLOCKED}.129.80
- {BLOCKED}.{BLOCKED}.0.110
- {BLOCKED}.{BLOCKED}.1.40
- {BLOCKED}.{BLOCKED}.120.5
- {BLOCKED}.{BLOCKED}.29.93
- {BLOCKED}.{BLOCKED}.62.142
- {BLOCKED}.{BLOCKED}.118.162
- {BLOCKED}.{BLOCKED}.152.129
- {BLOCKED}.{BLOCKED}.85.85
- {BLOCKED}.{BLOCKED}.88.88
- {BLOCKED}.{BLOCKED}.96.66
- {BLOCKED}.{BLOCKED}.57.33
- {BLOCKED}.{BLOCKED}.208.46
- {BLOCKED}.{BLOCKED}.2.2
- {BLOCKED}.{BLOCKED}.78.210
- {BLOCKED}.{BLOCKED}.244.5
- {BLOCKED}.{BLOCKED}.0.130
- {BLOCKED}.{BLOCKED}.1.130
- {BLOCKED}.{BLOCKED}.114.133
- {BLOCKED}.{BLOCKED}.114.166
- {BLOCKED}.{BLOCKED}.128.68
- {BLOCKED}.{BLOCKED}.192.68
- {BLOCKED}.{BLOCKED}.254.34
- {BLOCKED}.{BLOCKED}.163.68
- {BLOCKED}.{BLOCKED}.1.4
- {BLOCKED}.{BLOCKED}.2.69
- {BLOCKED}.{BLOCKED}.39.73
- {BLOCKED}.{BLOCKED}.54.66
- {BLOCKED}.{BLOCKED}.37.1
- {BLOCKED}.{BLOCKED}.150.101
- {BLOCKED}.{BLOCKED}.150.123
- {BLOCKED}.{BLOCKED}.150.139
- {BLOCKED}.{BLOCKED}.25.129
- {BLOCKED}.{BLOCKED}.7.1
- {BLOCKED}.{BLOCKED}.98.3
- {BLOCKED}.{BLOCKED}.98.6
- {BLOCKED}.{BLOCKED}.9.61
- {BLOCKED}.{BLOCKED}.9.9
- {BLOCKED}.{BLOCKED}.254.5
- {BLOCKED}.{BLOCKED}.164.13
- {BLOCKED}.{BLOCKED}.164.18
- {BLOCKED}.{BLOCKED}.70.98
- {BLOCKED}.{BLOCKED}.93.33
- {BLOCKED}.{BLOCKED}.1.1
- {BLOCKED}.{BLOCKED}.233.1
- {BLOCKED}.{BLOCKED}.224.3
- {BLOCKED}.{BLOCKED}.224.5
It does the following:
- It is capable of performing DDoS attacks.
SOLUTION
Minimum Scan Engine: 9.800
First VSAPI Pattern File: 12.470.03
First VSAPI Pattern Release Date: 16 Apr 2016
VSAPI OPR Pattern Version: 12.471.00
VSAPI OPR Pattern Release Date: 17 Apr 2016
Scan your computer with your Trend Micro product to delete files detected as ELF_SETAG.TNI. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.