ELF_MANUST.A

 Analysis by: Alvin Bacani

 ALIASES:

Kaspersky: Backoor.Linux.Tsunami.gen

 PLATFORM:

Linux

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Downloaded from the Internet

This is involved in an exploit attack targeting a critical vulnerability of Ruby on Rails. It connects to an IRC server where it can receive and perform commands from remote malicious attackers, as well as make the affected system part of its botnet. Affected users may find the security of their systems compromised.

To get a one-glance comprehensive view of the behavior of this Backdoor, refer to the Threat Diagram shown below.

This backdoor may be dropped by other malware. It may be unknowingly downloaded by a user while visiting malicious websites.

It connects to Internet Relay Chat (IRC) servers.

  TECHNICAL DETAILS

Ports:

TCP port 6667 (IRCU)

File Size:

Varies

File Type:

ELF

Memory Resident:

Yes

Initial Samples Received Date:

31 May 2013

Payload:

Connects to URLs/IPs, Compromises system security

Arrival Details

This backdoor may be dropped by other malware.

It may be unknowingly downloaded by a user while visiting malicious websites.

Backdoor Routine

This backdoor connects to any of the following Internet Relay Chat (IRC) servers:

  • {BLOCKED}u.ru
  • {BLOCKED}.{BLOCKED}.124.120

It accesses a remote Internet Relay Chat (IRC) server where it receives the following commands from a remote malicious user:

  • NICK {nick} - change IRC nick
  • SERVER {server} - change IRC Server
  • KILL - terminate itself
  • GET {http address} {save as} - download files on the compromised system
  • HELP - show Help Info (set of commands accepted)
  • IRC {command} - send message to IRC Server
  • SH {command} - execute command on the compromised system

  SOLUTION

Minimum Scan Engine:

9.300

FIRST VSAPI PATTERN FILE:

9.952.01

FIRST VSAPI PATTERN DATE:

31 May 2013

VSAPI OPR PATTERN File:

9.953.00

VSAPI OPR PATTERN Date:

31 May 2013

Scan your computer with your Trend Micro product to delete files detected as ELF_MANUST.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.


Did this description help? Tell us how we did.