Backdoor.Linux.MTMBOT.ANU
HEUR:Backdoor.Linux.Gafgyt.a (KASPERSKY); Trojan.Linux.Tsunami (IKARUS); Linux/DDoS-CIA (SOPHOS)
Linux
Threat Type: Backdoor
Destructiveness: No
Encrypted: No
In the wild: Yes
OVERVIEW
Downloaded from the Internet, Dropped by other malware
This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It connects to Internet Relay Chat (IRC) servers. It joins an Internet Relay Chat (IRC) channel.
It performs denial of service (DoS) attacks on affected systems using specific flooding method(s).
It takes advantage of software vulnerabilities to allow a remote user or malware/grayware to download files.
TECHNICAL DETAILS
160,360 bytes
ELF
UPX
No
23 Oct 2019
Connects to URLs/IPs, Launches DoS/DDoS attacks, Exploits vulnerabilities, Terminates processes
Arrival Details
This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It may be downloaded from the following remote site(s):
- http://{BLOCKED}.{BLOCKED}.197.109/eBxUk
Backdoor Routine
This Backdoor connects to any of the following Internet Relay Chat (IRC) servers:
- {BLOCKED}.{BLOCKED}.212.123
It joins any of the following Internet Relay Chat (IRC) channels:
- #HellRoom
It accesses a remote Internet Relay Chat (IRC) server where it receives the following commands from a remote malicious user:
- PING - return pong
- NICK - change nickname
- 352 - SPOOF REQUEST
- 376 - MODE, JOIN, WHO
- 433 - set nickname
- PRIVMSG
: - GETIP
- gets the IP address from an interface - FASTFLUX
- starts a proxy to a port on another ip to an interface (same port) - RNDNICK - Randomizes the knights nick
- NICK
- Changes the nick of the client - SERVER
- Changes servers - DISABLE - Disables all packeting from this client
- ENABLE - Enables all packeting from this client
- KILL - Kills the knight
- GET
- Downloads a file off the web and saves it onto the hd - VERSION - Requests version of client
- KILLALL - Kills all current packeting
- HELP - Displays this
- IRC
- Sends this command to the server - SH
- Executes a command - ISH
- SH, interactive, sends to channel - SHD
- Executes a psuedo-daemonized command - INSTALL
- Download & install a binary to /var/bin - BASH
- Execute commands using bash. - LOCKUP
, run that instead. - BINUPDATE
- GETIP
Denial of Service (DoS) Attack
This Backdoor performs denial of service (DoS) attacks on affected systems using the following flooding method(s):
- STUDP - Custom STD flooder v2
- HOLD - TCP connect flooder(frag)
- JUNK - TCP flooder (frag)
- UNKNOWN - Advanced UDP flooder
- HTTP - Custom HTTP flooder
- DNS - DNS amplification flooder
- VSE - Valve Source Engine amplification
- RTCP - Random TCP flooder
- ESSYN - TCP ESSYN flooder
- VOLT-UDP - Advanced Spoofed UDP flooder
- FRAG-TCP - Spoofed TCP Fragmentation Flooder
- BLACKNURSE - ICMP packet flooder
Download Routine
This Backdoor takes advantage of the following software vulnerabilities to allow a remote user or malware/grayware to download files:
- D-Link DSL-2750B - OS Command Injection
- GPON Routers - Authentication Bypass / Command Injection
- D-Link DIR-8xx Routers - Root Remote Code Execution
- Huawei Router HG532 - Arbitrary Command Execution
- MVPower DVR TV-7104HE 1.8.4 115215B9 - Shell Command Execution
- MikroTik RouterOS < 6.38.4 (MIPSBE) - 'Chimay Red' Stack Clash Remote Code Execution
- Crestron AM/Barco wePresent WiPG/Extron ShareLink/Teq AV IT/SHARP PN-L703WA/Optoma WPS-Pro/Blackbox HD WPS/InFocus LiteShow - Remote Command Injection
- Realtek SDK - Miniigd UPnP SOAP Command Execution
- Hootoo HT-05 - Remote Code Execution
- Vacron NVR Remote Code Execution Vulnerability
Other Details
This Backdoor does the following:
- Capable of performing brute-force attack on FTP and TFTP servers using the following credentials:
- Username:
- super
- ubnt
- IntraStack
- nsroot
- cisco
- adminlvjh
- Alphanetworks
- admin
- dbadmin
- root
- guest
- default
- user
- daemon
- adm
- telnet
- Administrator
- mg3500
- admin1
- support
- login
- CISCO
- oracle
- tim
- Password:
- super
- ubnt
- Asante
- nsroot
- cisco
- adminlvjh123
- wrgg15_di524
- diamond
- sq!us3r
- root
- password
- Zte521
- vizxv
- 000000
- 14567
- hi3518
- user
- pass
- admin14
- 7ujMko0admin
- 00000000
- <>
- klv1
- klv14
- oelinux1
- realtek
- 1111
- 54321
- antslq
- zte9x15
- system
- 1456
- 888888
- ikwb
- default
- juantech
- xc3511
- support
- 1111111
- service
- 145
- 4321
- tech
- abc1
- switch
- meinsm
- smcadmin
- 14567890
- 14
- admin1
- admin
- anko
- guest
- telnet
- merlin
- zlxx.
- toor
- login
- changeme
- 1234
- 12345
- 123456
- netgear1
- oracle
- tim
- xmhdipc
- klv123
- ivdev
- GM8182
- uClinux
- 7ujMko0vizxv
- fidel123
- OxhlwSG8
- tlJwpbo6
- S2fGqNFs
- Username:
- Capable of terminating processes whose name is any of the following:
- vbrxmr.mips
- VB*
- vbrxmr.*
- loligang*
- frosty*dvrHelper
- 902i13
- BzSxLxBxeY
- HOHO-LUGO7
- HOHO-U79OL
- JuYfouyf87
- NiGGeR69xd
- So190Ij1X
- dvrhelper
- dvrsupport
- mirai
- blade
- demon
- Demon
- smd
- smd*
- fuck
- un5
- kowai
- hoho
- hakai
- armv4l
- cron
- sshd
- ntpd
- hoho*
- ps23e
- tron
- nut
- sbot*
- sbot
- sora
- sora*
- MilkTheseHoesUasFABw
- MilkTheseHoesUasFABw*
- satori
- messiah
- mips
- sh4
- superh
- x86
- armv7
- armv6
- i686
- powerpc
- ppc
- i586
- m68k
- sparc
- armv4
- armv5
- 440fp
- miori
- nigger
- kowai
- storm
- LOLKIKEEEDDE
- ekjheory98e
- scansh4
- MDMA
- fdevalvex
- scanspc
- MELTEDNINJAREALZ
- flexsonskids
- scanx86
- MISAKI-U79OL
- foAxi102kxe
- swodjwodjwoj
- MmKiy7f87l
- freecookiex86
- sysgpu
- NiGGeR69xd
- frgege
- sysupdater
- 0DnAzepd
- NiGGeRD0nks69
- frgreu
- telnetd
- TwoFacearmv61
- TwoFacei586
- TwoFacei686
- TwoFacem86k
- TwoFacemips
- TwoFacemipsel
- TwoFacepowerpc
- TwoFacesh4
- wget
- TwoFacesparc
- TwoFacex86_64
- 0x766f6964
- NiGGeRd0nks1337
- gaft
- urasgbsigboa
- 120i3UI49
- OaF3
- geae
- vaiolmao
- 123123a
- Ofurain0n4H34D
- ggTrex
- wasads
- 1293194hjXD
- OthLaLosn
- ggt
- wget-log
- 1337SoraLOADER
- SAIAKINA
- ggtq
- 1378bfp919GRB1Q2
- SAIAKUSO
- ggtr
- 14Fa
- SEXSLAVE1337
- ggtt
- 1902a3u912u3u4
- So190Ij1X
- haetrghbr
- 19ju3d
- SORAojkf120
- hehahejeje92
- 2U2JDJA901F91
- SlaVLav12
- helpmedaddthhhhh
- 2wgg9qphbq
- Slav3Th3seD3vices
- hzSmYZjYMQ
- 5Gbf
- SoRAxD123LOL
- iaGv
- 5aA3
- SoRAxD420LOL
- insomni
- 640277
- SoraBeReppin1337
- ipcamCache
- 66tlGg9Q
- T
- jUYfouyf87
- 6ke3
- TOKYO3
- lyEeaXul2dULCVxh
- 93OfjHZ2z
- TY2gD6MZvKc7KU6r
- mMkiy6f87l
- A023UU4U24UIU
- TheWeeknd
- mioribitches
- A5p9
- TheWeeknds
- mnblkjpoi
- AbAd
- Tokyos
- neb
- Akiru
- U8inTz
- netstats
- Alex
- W9RCAKM20T
- newnetword
- Ayo215
- Word
- nloads
- BAdAsV
- Wordmane
- notyakuzaa
- owari*
- assailant.*
- Belch
- Wordnets
- obp
- BigN0gg0r420
- X0102I34f
- ofhasfhiafhoi
- BzSxLxBxeY
- X19I239124UIU
- oism
- Deported
- XSHJEHHEIIHWO
- olsVNwo12
- DeportedDeported
- XkTer0GbA1
- onry0v03
- FortniteDownLOLZ
- Y0urM0mGay
- pussyfartlmaojk
- GrAcEnIgGeRaNn
- YvdGkqndCO
- qGeoRBe6BE
- GuiltyCrown
- ZEuS69
- s4beBsEQhd
- HOHO-KSNDO
- ZEuz69
- sat1234
- HOHO-LUGO7
- aj93hJ23
- scanHA
- HOHO-U79OL
- alie293z0k2L
- scanJoshoARM
- HellInSide
- ayyyGangShit
- scanJoshoARM5
- HighFry
- b1gl
- scanJoshoARM6
- IWhPyucDbJ
- boatnetz
- scanJoshoARM7
- IuYgujeIqn
- btbatrtah
- scanJoshoM68K
- JJDUHEWBBBIB
- c
- scanJoshoMIPS
- JSDGIEVIVAVIG
- cKbVkzGOPa
- scanJoshoMPSL
- JuYfouyf87
- ccAD
- scanJoshoPPC
- KAZEN-OIU97
- chickenxings
- scanJoshoSH4
- yakuskzm8
- KAZEN-PO78H
- cleaner
- scanJoshoSPC
- yakuv4vxc
- KAZEN-U79OL
- dbeef
- scanJoshoX86
- yakuz4c24
- KETASHI32
- ddrwelper
- scanarm5
- zPnr6HpQj2
- Kaishi-Iz90Y
- deexec
- scanarm6
- zdrtfxcgy
- Katrina32
- doCP3fVj
- scanarm7
- zxcfhuio
- Ksif91je39
- scanm68k
- Kuasa
- dvrpelper
- scanmips
- KuasaBinsMate
- eQnOhRk85r
- scanmpsl
- LOLHHHOHOHBUI
- eXK20CL12Z
- scanppc
- mirai.*
- dlr.*mips
- mpsel
- mpsl
- arm6
- arm7
- spc
- arm
- mips64
- mipsel
- sh2eb
- sh2elf
- sh4
- x86
- arm
- armv5
- armv4tl
- armv4
- armv6
- i686
- powerpc
- powerpc440fp
- i586
- m68k
- sparc
- x86_64
- jackmy*
- hackmy*
- b1
- b2
- b3
- b4
- b5
- b6
- b7
- b8
- b9
- b10
- b11
- b12
- b13
- b14
- b15
- b16
- b17
- b18
- b19
- b20
- busyboxterrorist
- dvrHelper
- kmy*
- lol*
- telmips
- telmips64
- telmipsel
- telsh2eb
- telsh2elf
- telsh4
- telx86
- telarmv5
- telarmv4tl
- telarmv4
- telarmv6
- teli686
- telpowerpc
- telpowerpc440fp
- teli586
- telm68k
- telsparc
- telx86_64
- TwoFace*
- xxb*
- bb
- busybotnet
- busybox
- badbox
- B1
- B2
- B3
- B4
- B5
- B6
- B7
- B8
- B9
- B10
- B11
- B12
- B13
- B14
- B15
- B16
- B17
- B18
- B20
- gaybot
- hackz
- bin*
- gtop
- botnet
- swatnet
- ballpit
- fucknet
- cracknet
- weednet
- gaynet
- queernet
- ballnet
- unet
- yougay
- sttftp
- sstftp
- sbtftp
- btftp
- y0u1sg3y
- bruv*
- IoT*
- botmips
- botmipsel
- botsh4
- botx86_64
- botarmv6l
- boti686
- botpowerpc
- boti586
- botm68k
- botsparc
- botarmv4l
- botarmv5l
- botpowerpc440fpbotmipsfinal
- botmipselfinal
- botsh4final
- botx86_64final
- botarmv6lfinal
- boti686final
- botpowerpcfinal
- boti586final
- botm68kfinal
- botsparcfinal
- botarmv4lfinal
- botarmv5lfinal
- botpowerpc440fpfinal
- mirai.x86
- mirai.mips
- mirai.mpsl
- mirai.arm
- mirai.arm5n
- mirai.arm7
- mirai.ppc
- mirai.spc
- mirai.m68k
- mirai.sh4
- miraint.x86
- miraint.mips
- miraint.mpsl
- miraint.arm
- miraint.arm5n
- miraint.arm7
- miraint.ppc
- miraint.spc
- miraint.m68k
- miraint.sh4bot.x86
- bot.mips
- bot.mpsl
- bot.arm
- bot.arm5n
- bot.arm7
- bot.ppc
- bot.spc
- bot.m68k
- bot.sh4
- botnt.x86
- botnt.mips
- botnt.mpsl
- botnt.arm
- botnt.arm5n
- botnt.arm7
- botnt.ppc
- botnt.spc
- botnt.m68k
- botnt.sh4
- bot.x86
- vbrxmr.mips
- vbrxmr.mpsl
- vbrxmr.arm
- vbrxmr.arm5
- vbrxmr.arm7
- vbrxmr.ppc
- vbrxmr.spc
- vbrxmr.m68k
- vbrxmr.sh4
- Scans the network for exploitable devices with the following vulnerabilities:
- GPON Routers - Authentication Bypass / Command Injection
- Realtek SDK - Miniigd UPnP SOAP Command Execution
- Netgear DGN1000 1.1.00.48 - 'Setup.cgi' Remote Code Execution
- Huawei Router HG532 - Arbitrary Command Execution
- Eir D1000 Wireless Router - WAN Side Remote Command Injection
- D-Link Devices - HNAP SOAPAction-Header Command Execution
- Multiple CCTV-DVR Vendors - Remote Code Execution
- MVPower DVR TV-7104HE 1.8.4 115215B9 - Shell Command Execution
- D-Link - OS-Command Injection via UPnP
- NETGEAR R7000 / R6400 - 'cgi-bin' Command Injection
- Vacron NVR Remote Code Execution Vulnerability
SOLUTION
9.850
15.458.04
28 Oct 2019
15.459.00
29 Oct 2019
Scan your computer with your Trend Micro product to delete files detected as Backdoor.Linux.MTMBOT.ANU. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check the following Trend Micro Support pages for more information:
Did this description help? Tell us how we did.