Similar to most Root Kit Trojans, this malware appears as a normal ELF program. It is a Trojan version of TOP, a normal program that is used to view network traffic and all running processes on a system.
Composed of two components, an actual executable and its library, this malware grants a remote user administrator privileges on an affected system. Administrator privileges allow a remote user to perform the following on an affected system:
- The command chfn opens a root shell when the root-kit password is typed as a username;
- chsh opens a root shell when the root-kit password is typed as a new shell;
- passwd opens a root shell when the root-kit password is typed as a password;
- login allows the remote user to log in as any identity when the root-kit password is typed (then disables history); and
- su behaves the same as login
Once the malware is installed on the affected system, the remote user can then install a sniffer and other backdoor programs. In addition, the malware conceals its running process in the background.
While this malware runs the normal program TOP, the malware itself runs in the background.
The malware also opens a random port through which a remote user may gain access to the affected system.
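Because the Trojanized TOP conceals a running process, one way to check a suspect host is to compare the process IDs the kernel exposes under /proc with the ones TOP reports. The following is an added example, not part of the original description; it assumes the procps `top` batch flags `-b -n 1`, uses a constructed sample listing, and only detects hiding done by user-space tools, not by a kernel component.

```python
import os
import subprocess

# Constructed sample of `top -b -n 1` output (not captured from a real host).
SAMPLE_TOP = """\
top - 10:00:00 up 1 day,  1 user,  load average: 0.00, 0.00, 0.00
Tasks:   4 total,   1 running,   3 sleeping,   0 stopped,   0 zombie

  PID USER      PR  NI    VIRT    RES    SHR S  %CPU  %MEM     TIME+ COMMAND
    1 root      20   0    4500   1200   1000 S   0.0   0.1   0:01.00 init
  412 root      20   0    9000   2200   1800 S   0.0   0.2   0:00.10 sshd
  977 alice     20   0    7000   3000   2500 R   0.3   0.3   0:00.02 top
"""

def proc_pids(proc_root="/proc"):
    """PIDs the kernel exposes: the numeric directory names under /proc."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}

def top_pids(top_output):
    """PIDs listed in top's batch output, i.e. rows after the 'PID' header."""
    pids, in_table = set(), False
    for line in top_output.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "PID":
            in_table = True
        elif in_table and fields[0].isdigit():
            pids.add(int(fields[0]))
    return pids

def hidden_from_top(kernel_pids, top_output):
    """PIDs present in the kernel's view but missing from top's view."""
    return sorted(set(kernel_pids) - top_pids(top_output))

if __name__ == "__main__":
    # Snapshot /proc before and after running top and keep only PIDs seen in
    # both, so processes that started or exited mid-check are not reported.
    before = proc_pids()
    out = subprocess.run(["top", "-b", "-n", "1"], capture_output=True,
                         text=True, check=True).stdout
    stable = before & proc_pids()
    for pid in hidden_from_top(stable, out):
        print(f"PID {pid} is in /proc but not in top output")
```

A PID reported here is a lead to investigate, not proof of compromise; repeat the check to rule out short-lived processes.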