sha1
- 61586a0c47e3ae120bb53d73e47515da4deaefbb
Description
Linux.BackDoor.Tsunami.1395 is a trojan that infects Linux computers. It is designed to build a botnet and carry out DoS attacks, and for that purpose it has remote-control capabilities. It is implemented as an ELF64 executable written in C and packed with the UPX packer. During packing, the “magic” byte sequence in the UPX header was replaced with “\x0a\x00\x00\x00\x00”.
Operating routine
Initialization
During initialization, the trojan checks the system's process list for the strace and tcpdump tools. If either of them is found, the trojan stops. Otherwise, it continues and replaces its process name with a random string of 12 to 32 characters to conceal its activity.
It then checks for access to the directories /dev/shm/, /var/tmp/, /var/lock/, /var/run/ and /tmp/, creates a hidden .bawtz file in one of the directories it can access, and places an advisory lock on that file, thereby ensuring that only one instance of the program runs.
Next, the trojan opens a listening socket on 127.0.0.1:59000, checks for the presence of the cron utility, and adds the line “nameserver 8.8.8.8.8” to the /etc/resolv.conf file.
Anchoring in the system
The trojan copies itself to the following directories: /dev/shm, /var/tmp, /var/lock, /var/run, and the user's home directory. It creates a cron task:
# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (- installed on Wed May 24 18:18:13 2023)
# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
* * * * * /root/pty3.elf > /dev/null 2>&1 &
* * * * * /dev/shm/pty3.elf > /dev/null 2>&1 &
* * * * * /var/tmp/pty3.elf > /dev/null 2>&1 &
* * * * * /var/lock/pty3.elf > /dev/null 2>&1 &
* * * * * /var/run/pty3.elf > /dev/null 2>&1 &
It adds a startup entry for the trojan via /etc/inittab:
0:2345:respawn:/root/pty3.elf
0:2345:respawn:/dev/shm/pty3.elf
0:2345:respawn:/var/tmp/pty3.elf
0:2345:respawn:/var/lock/pty3.elf
0:2345:respawn:/var/run/pty3.elf
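The initialization and persistence artifacts described above (the .bawtz lock file in the candidate directories, the malformed nameserver line, and the cron and inittab entries that respawn pty3.elf) can all be checked from the host side. The following triage script is an added example and is not code from the description or from the malware; the crontab paths it reads on a live host are assumptions that vary by distribution, and the sample inputs are constructed to mirror the listings in the description.

```python
import re
from pathlib import Path

# Locations named in the description: lock-file candidates and copy targets
TSUNAMI_DIRS = ["/dev/shm", "/var/tmp", "/var/lock", "/var/run", "/tmp"]
LOCK_FILE_NAME = ".bawtz"
DROPPED_NAME = "pty3.elf"
RESOLV_MARKER = "nameserver 8.8.8.8.8"   # five octets: never a valid resolver line

# crontab line: five schedule fields, then the command; capture the first
# command word so it can be compared with the dropped binary's name
CRON_RE = re.compile(r"^\s*(?:\S+\s+){5}(\S+)")
# inittab line: id:runlevels:action:process
INITTAB_RE = re.compile(r"^([^:#\s]+):([^:]*):([^:]+):(.+)$")


def find_cron_entries(crontab_text):
    """Return the command paths of crontab lines that start the dropped binary."""
    hits = []
    for line in crontab_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = CRON_RE.match(line)
        if m and m.group(1).endswith("/" + DROPPED_NAME):
            hits.append(m.group(1))
    return hits


def find_inittab_entries(inittab_text):
    """Return (id, process) pairs for respawn entries that point at the dropped binary."""
    hits = []
    for line in inittab_text.splitlines():
        m = INITTAB_RE.match(line.strip())
        if not m:
            continue
        ident, _runlevels, action, process = m.groups()
        if action == "respawn" and process.split()[0].endswith("/" + DROPPED_NAME):
            hits.append((ident, process.strip()))
    return hits


def has_bogus_resolver(resolv_text):
    """True if resolv.conf carries the malformed nameserver line the trojan adds."""
    return any(line.strip() == RESOLV_MARKER for line in resolv_text.splitlines())


def find_lock_files(present_paths):
    """Return the .bawtz paths that exist among present_paths (a set of path strings)."""
    candidates = [f"{d}/{LOCK_FILE_NAME}" for d in TSUNAMI_DIRS]
    return [p for p in candidates if p in present_paths]


def triage(crontab_text, inittab_text, resolv_text, present_paths):
    """Combine the four checks into one report; 'suspicious' is True if anything matched."""
    report = {
        "cron": find_cron_entries(crontab_text),
        "inittab": find_inittab_entries(inittab_text),
        "resolv": has_bogus_resolver(resolv_text),
        "locks": find_lock_files(present_paths),
    }
    report["suspicious"] = bool(report["cron"] or report["inittab"]
                                or report["resolv"] or report["locks"])
    return report


def triage_live_host():
    """Read the real files (root needed); unreadable inputs count as empty.
    The crontab locations are an assumption (Debian and Red Hat layouts)."""
    def read(path):
        try:
            return Path(path).read_text(errors="replace")
        except OSError:
            return ""
    present = {f"{d}/{LOCK_FILE_NAME}" for d in TSUNAMI_DIRS
               if Path(d, LOCK_FILE_NAME).exists()}
    crontabs = (read("/var/spool/cron/crontabs/root") + read("/var/spool/cron/root")
                + read("/etc/crontab"))
    return triage(crontabs, read("/etc/inittab"), read("/etc/resolv.conf"), present)


# Constructed sample inputs modelled on the listings in the description
SAMPLE_CRONTAB = """# DO NOT EDIT THIS FILE - edit the master and reinstall.
* * * * * /root/pty3.elf > /dev/null 2>&1 &
* * * * * /dev/shm/pty3.elf > /dev/null 2>&1 &
0 3 * * * /usr/bin/certbot renew
"""
SAMPLE_INITTAB = """id:2:initdefault:
0:2345:respawn:/dev/shm/pty3.elf
1:2345:respawn:/sbin/getty 38400 tty1
"""
SAMPLE_RESOLV = "search example.invalid\nnameserver 192.0.2.53\nnameserver 8.8.8.8.8\n"
SAMPLE_PRESENT = {"/dev/shm/.bawtz", "/tmp/unrelated"}

if __name__ == "__main__":
    print(triage(SAMPLE_CRONTAB, SAMPLE_INITTAB, SAMPLE_RESOLV, SAMPLE_PRESENT))
```

The checks take file contents rather than paths so they can be run against images or collected evidence as well as a live host; `triage_live_host()` is the thin wrapper for the latter. The "8.8.8.8.8" line is matched exactly because it is not a valid address and so does not occur in a legitimate configuration.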
Connecting to the server
The trojan randomly selects one of the following servers and connects to it on port 8080:
185[.]62[.]137[.]56
162[.]249[.]2[.]189
165[.]22[.]217[.]181
68[.]66[.]253[.]100
46[.]149[.]233[.]35
185[.]61[.]149[.]22
45[.]132[.]242[.]233
i.l33t-ppl[.]info
i[.]de-zahlung[.]eu
i.deutschland-zahlung[.]net
i.shadow-mods[.]net
i.deutschland-zahlung[.]eu
173[.]255[.]240[.]191
31[.]131[.]24[.]229
The trojan communicates with the C&C server over the IRC protocol. On connecting to the server, it sends the following packet: NICK <bot name>\nUSER 0x1 localhost localhost :muhstik-11052018\n. The <bot name> parameter is built as <arch>h<username><rand><isRoot>. The <username> value is the output of one of the following commands:
nvram get router_name
cat /etc/ISP_name
/bin/uname -n
cat /etc/Model_name
Processing input data
The trojan receives two types of commands from its C&C server:
- <special> <command> <params>\n
- <command> <params>\n
Name | Description |
---|---|
376 | Sends 3 messages to the server |
422 | Does the same thing as command 376 |
433 | Updates <user name and privilege information> |
NICK | Copies the data passed in the parameter to the <username and privilege information> variable |
PING | Sends a packet to the server: PONG <params>\n |
PRIVMSG | Executes additional commands |
The last command (PRIVMSG) accepts the following subcommands; for it, the <params> field has the form #ex86 +OK !<command> <args> and the <special> field has the form <data>!:
Name | Description | Arguments |
---|---|---|
CBACK | Creates a reverse shell connection | Server IP address and port number |
GET | Downloads a file | The URL for downloading the file and the file name under which it will be saved |
HELP | Sends command descriptions to the server | |
HTTP | Initiates a DoS attack by sending HTTP packets | IP address, port, duration of attack, number of threads, attack route, request type |
IRC | Sends <params> to the server | |
KILL | Terminates the program | |
KILL_PORT | Closes the socket | Open socket port |
KILLALL | Destroys all child subprocesses | |
PAN | Initiates a DoS attack with a maximum number of threads | IP address, port, duration of attack |
SH | Executes the command in /bin/sh; adds the program to the PATH | Command is passed in the parameter |
SHS | Runs the command twice through the execve call | Command is passed in the parameter |
STD | Initiates a DoS attack by sending a string to the server | IP address, port, duration of attack, string sent |
UDP | Initiates a DoS attack by sending UDP packets | IP address, port, duration of attack |
UNKNOWN | Initiates a DoS attack | IP address, duration of attack |
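The server list, the IRC registration packet and the two command tables above give everything needed to recognise this bot's traffic in a captured session. The following parser and classifier is an added example and is not code from the description or from the malware: it splits each line into the <special> <command> <params> layout, flags the fixed realname in the USER line and PRIVMSG lines addressed to #ex86 with a +OK !<command> payload, and matches connections against the listed servers on port 8080. The rule for deciding when a leading token is <special> is an assumption, and the sample session is constructed.

```python
import re

# Server-side messages the bot handles, per the first command table
SERVER_COMMANDS = {"376", "422", "433", "NICK", "PING", "PRIVMSG"}
# PRIVMSG subcommands that start DoS traffic, per the second table
DOS_COMMANDS = {"HTTP", "PAN", "STD", "UDP", "UNKNOWN"}
REALNAME_MARKER = "muhstik-11052018"     # fixed realname in the USER line
CHANNEL = "#ex86"
C2_PORT = 8080
# Defanged hosts from the description; refanged only in memory for matching
C2_HOSTS_DEFANGED = [
    "185[.]62[.]137[.]56", "162[.]249[.]2[.]189", "165[.]22[.]217[.]181",
    "68[.]66[.]253[.]100", "46[.]149[.]233[.]35", "185[.]61[.]149[.]22",
    "45[.]132[.]242[.]233", "i.l33t-ppl[.]info", "i[.]de-zahlung[.]eu",
    "i.deutschland-zahlung[.]net", "i.shadow-mods[.]net",
    "i.deutschland-zahlung[.]eu", "173[.]255[.]240[.]191", "31[.]131[.]24[.]229",
]
C2_HOSTS = {h.replace("[.]", ".").lower() for h in C2_HOSTS_DEFANGED}

# <params> of a PRIVMSG: "#ex86 +OK !<command> <args>"
PRIVMSG_RE = re.compile(r"^" + re.escape(CHANNEL) + r"\s+\+OK\s+!(\S+)(?:\s+(.*))?$")


def is_c2_endpoint(host, port):
    """True for a connection to one of the listed servers on the listed port."""
    return port == C2_PORT and host.lower() in C2_HOSTS


def split_line(line):
    """Split an IRC line into (special, command, params) following the two
    layouts in the description. Assumption: the leading token is <special>
    only when the token after it is a known server command."""
    line = line.strip()
    if not line:
        return None, None, ""
    head, _, rest = line.partition(" ")
    rest = rest.strip()
    following = rest.split(None, 1)[0] if rest else ""
    if head not in SERVER_COMMANDS and following in SERVER_COMMANDS:
        command, _, params = rest.partition(" ")
        return head, command, params.strip()
    return None, head, rest


def classify(line):
    """Return an indicator dict for one line, or None if the line is not of interest."""
    special, command, params = split_line(line)
    if command == "USER" and params.endswith(":" + REALNAME_MARKER):
        return {"kind": "registration", "value": REALNAME_MARKER}
    if command == "NICK" and special is None:
        # bot name <arch>h<username><rand><isRoot>: the fields are not
        # delimited, so the nick is recorded rather than decoded
        return {"kind": "nick", "value": params}
    if command == "PRIVMSG":
        m = PRIVMSG_RE.match(params)
        if m:
            sub = m.group(1).upper()
            return {"kind": "dos" if sub in DOS_COMMANDS else "control",
                    "value": sub, "args": (m.group(2) or "").split(),
                    "special": special}
    return None


def scan_session(lines):
    """Classify every line of a captured session and summarise the result."""
    findings = [f for f in (classify(l) for l in lines) if f]
    kinds = {f["kind"] for f in findings}
    return {
        # a nick alone is weak evidence; the realname or a channel command decides
        "tsunami_c2": "registration" in kinds or bool(kinds & {"dos", "control"}),
        "dos_commands": [f["value"] for f in findings if f["kind"] == "dos"],
        "findings": findings,
    }


# Constructed sample session shaped after the packet and command formats above
SAMPLE_SESSION = [
    "NICK x86hrouter01abcd0",
    "USER 0x1 localhost localhost :muhstik-11052018",
    ":irc.example.invalid 376 x86hrouter01abcd0 :End of /MOTD command.",
    "PING :irc.example.invalid",
    "op! PRIVMSG #ex86 +OK !UDP 203.0.113.10 80 60",
    "op! PRIVMSG #ex86 +OK !HELP",
]

if __name__ == "__main__":
    print(scan_session(SAMPLE_SESSION))
    print(is_c2_endpoint("i.shadow-mods.net", 8080))
```

Because the realname string and the "+OK !" channel payload are constants of the bot rather than of any particular server, they survive a change of C&C host; the host list is therefore the weakest of the three checks and `is_c2_endpoint()` should be treated as a supplementary indicator.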