OSX_TSUNAMI.A

This backdoor connects to specific IRC server and joins a particular IRC channel.

It is capable of receiving and executing specific commands from the IRC server.

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Backdoor Routine

This backdoor connects to any of the following IRC server(s):

• {BLOCKED}u.anonops.li

It joins any of the following IRC channel(s):

• #tarapia

NOTES:

This backdoor is capable of receiving and executing the following commands from an IRC server:

• DISABLE - this disables all packeting from the client
• ENABLE - this enables all packeting from the client
• GET {HTTP address} {save as} - this downloads and saves a file
• GETSPOOFS - this gets the current spoofing
• HELP - this displays the help menu
• IRC {command} - this sends commands to the IRC server
• KILL - this kills the client
• KILLALL - this kills all current packeting
• NICK {nick} - this changes the nick of the client
• PAN {target} {port} {secs} - this performs an advanced SYN flood to a specific target at n seconds interval
• SERVER {server} - this changes the server
• SH {command} - this executes commands
• SPOOFS {subnet} - this changes spoofing to a subnet
• TSUNAMI {target} {secs} - this triggers the bot to perform a denial of service (DoS) attack on a specific target by sending packets at n seconds interval
• UDP {target} {port} {secs} - this performs a UDP flood to a specific target at n seconds interval
• UNKNOWN {target} {secs} - this performs a non-spoof UDP flood to a specific target at n seconds interval
• VERSION - this retrieves the version of the client