TROJ_BASHKAI.SM


 PLATFORM:

Linux, Unix

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Downloaded from the Internet, Dropped by other malware


This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  TECHNICAL DETAILS

File Size:

Varies

File Type:

Other

Memory Resident:

No

Initial Samples Received Date:

02 Oct 2014

Payload:

Downloads files

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It may be downloaded from the following remote site(s):

  • http://{BLOCKED}host.us/bots/regular.bot

Download Routine

This Trojan connects to the following website(s) to download and execute a malicious file:

  • http://www.{BLOCKED}er-services.name/b.c - compiled binary is detected as ELF_KAITEN.SM
  • http://{BLOCKED}host.us/bots/kaiten.c - compiled binary is detected as ELF_KAITEN.A
  • http://{BLOCKED}host.us/bots/darwin - detected as OSX_KAITEN.A
  • http://{BLOCKED}host.us/bots/pl - detected as PERL_SHELBOT.SMO
  • http://{BLOCKED}host.us/bots/regular.bot - detected as TROJ_BASHKAI.SM

It saves the files it downloads using the following names:

  • /tmp/b.c - ELF_KAITEN.SM source code
  • /tmp/d - OSX_KAITEN.A
  • /tmp/pl - PERL_SHELBOT.SMO
  • /tmp/sh - TROJ_BASHKAI.SM

NOTES:

The following downloaded files are C source codes:

  • /tmp/b.c
  • /tmp/a.c

The malware compiles the downloaded source codes using GNU C Compiler (GCC) and executes them

It performs self cleanup by deleting the following files:

  • /tmp/.a
  • /tmp/.b.c
  • /tmp/.c
  • /tmp/.d
  • /tmp/sh
  • /tmp/c
  • /tmp/a.c
  • /tmp/pl

It creates crontab file /tmp/c that schedules the weekly download and execution of regular.bot.

  SOLUTION

Minimum Scan Engine:

9.700

Scan your computer with your Trend Micro product to delete files detected as TROJ_BASHKAI.SM. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.


Did this description help? Tell us how we did.