Analysis by: Jeanne Jocson

ALIASES:

DDoS:Linux/Lightaidra (Microsoft), Linux/IRCBot.N (NOD32)

 PLATFORM:

Linux


  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

Infection Channel: Downloaded from the Internet, Dropped by other malware

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It connects to Internet Relay Chat (IRC) servers. It joins an Internet Relay Chat (IRC) channel.

  TECHNICAL DETAILS

File Size: 40,228 bytes
File Type: ELF
Memory Resident: Yes
Initial Samples Received Date: 28 Oct 2016
Payload: Connects to URLs/IPs

Arrival Details

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Backdoor Routine

This Backdoor connects to any of the following Internet Relay Chat (IRC) servers:

  • {BLOCKED}.{BLOCKED}.42.218

It joins any of the following Internet Relay Chat (IRC) channels:

  • ##war## (with channel key: FuckTheSystem)

It accesses a remote Internet Relay Chat (IRC) server where it receives the following commands from a remote malicious user:

  • PING
    • replies the following:
      • PONG {host|master host}
      • TOPIC ##war##
  • 376 (end of MOTD) or 422 (MOTD missing)
    • Changes the mode of the current channel:
      • invite only
      • enable amsg command
    • Joins the said channel
  • 433 (nickname already in use)
    • Accesses the Bin Path
    • Changes the nickname and uses the new one
    • Joins the said channel
  • STOP
    • terminates itself
    • sends private message:
      • host mask:#xpl
      • message:Terminate tutte le operazioni in corso(Translated as "Terminate all the ongoing operations")
  • QUIT
    • Terminate the client session
    • Terminate itself
  • SCAN
    • sends private message:
      • host mask:#xpl
      • message:Scan Started Range {random}.{random}.0.0 Hosts:512
    • Attempts remote logins to random IP addresses and tries to authenticate using the following credentials:
    • Username:
      • root
      • admin
      • Admin
      • user
      • 1234
      • D-Link
    • Password:
      • root
      • admin
      • ttnet
      • Admin
      • password
      • nokia
      • XA1bac0MX
      • 1234
      • cobr4
      • dreambox
      • public
      • 0987654321
      • 1234567
      • toor
      • xj14p3r7
      • home-modem
      • D-Link
      • user
      • 12345
      • 1111
      • changeme2
      • default
      • administrator
      • 1234567890
      • private
      • 654321
      • 87654321
      • 123456789
      • admin1234567890
      • changeme
      • admin1234
      • 123456
      • 4321
      • 54321
      • 1234admin
      • 2222
      • 1q2w3e
      • qwerty
      • 7654321
      • 987654321
      • 12345678
      • 3333
      • 6666
      • 8888
      • 0000
      • 4444
      • 5555
      • 7777
      • 9999
      • 12345Admin
      • 56789Admin
      • 1234Admin
    • does the following to the remote machine:
      • create directory:/var/...
      • delete files under /var/
      • connects to the following URL to download file http://{BLOCKED}.{BLOCKED}.42.218/dn.sh
      • saves the downloaded file as: /var/.../dn.sh
      • stops firewall
    • sends the following private message when logged in successfully:
      • host mask:#xpl
      • message:Scan Accesso Effettutato Indirizzo:{ip} User:{username} Pass:{password} (Translated as "Scan Access Obtained Address:{ip} User:{username} Pass:{password}")
  • SILENCE (turn off)
    • sends private message:
      • host mask:#xpl
      • message:Messaggi attivati(Translated as "Messages Activated")
  • EXEC
    • reads the file at one of the following paths and sends its content as a private message:
      • /bin/(unknown)
      • /sbin/(unknown)
      • /usr/bin/(unknown)
      • /usr/local/bin/(unknown)
      • /usr/sbin/(unknown)
    • host mask:#xpl
Other Details

This Backdoor does the following:

  • Performs DDoS flooding using XMAS packets
  • Uses an IRC nickname with the following format:
    • [NU|LNX|{one of F, T, H or U}]{random digit}
  • Registers itself in IRC using the following:
    • username: {nodename} or d3x
    • realname: " ."
  • Tries to access the following Bin Paths:
    • /bin
    • /sbin
    • /usr/bin
    • /usr/local/bin
    • /usr/sbin

It uses the following credentials when accessing its IRC server:

  • we.own.your.ass (server password)
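The backdoor routine above amounts to a small set of fixed strings on the wire: a server password, a channel and key, a nickname format, a registration realname and username, and Italian scan reports sent to #xpl. As an added example (not code from this write-up, from Trend Micro, or from the malware itself), the following Python script parses captured IRC client lines and flags those indicators. The sample lines are constructed for the example; the blocked server IP is deliberately not used as an indicator, and the nickname regex assumes one or more trailing digits where the description says "{random digit}".

```python
"""Flag Lightaidra/ELF_IRCBOT.SPIN command-and-control indicators in IRC client traffic.

Added example; indicators are the strings listed in the description above."""
import re

IRC_SERVER_PASSWORD = "we.own.your.ass"
IRC_CHANNEL = "##war##"
IRC_CHANNEL_KEY = "FuckTheSystem"
REPORT_TARGET = "#xpl"                      # channel the bot reports to
REALNAME = " ."                             # realname used at registration
REGISTRATION_USERNAME = "d3x"               # fixed username (nodename is the other case)
# [NU|LNX|{F,T,H,U}]<digits>; "\d+" is an assumption, the text says one random digit
NICK_PATTERN = re.compile(r"^\[NU\|LNX\|[FTHU]\]\d+$")
SCAN_REPORT_PREFIXES = ("Scan Started Range", "Scan Accesso Effettutato Indirizzo:")


def parse_irc_line(line):
    """Split one IRC line into (prefix, COMMAND, params); trailing ':' param kept whole."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    if " :" in line:
        head, _, trailing = line.partition(" :")
        parts = head.split()
        parts.append(trailing)
    else:
        parts = line.split()
    if not parts:
        return None
    return prefix, parts[0].upper(), parts[1:]


def check_message(cmd, params):
    """Return a list of indicator descriptions matched by one client message."""
    findings = []
    if cmd == "PASS" and params and params[0] == IRC_SERVER_PASSWORD:
        findings.append("PASS uses the documented server password")
    elif cmd == "NICK" and params and NICK_PATTERN.match(params[0]):
        findings.append(f"NICK {params[0]} matches the [NU|LNX|X]<digits> format")
    elif cmd == "USER" and len(params) >= 4:
        if params[0] == REGISTRATION_USERNAME:
            findings.append("USER registers with username d3x")
        if params[3] == REALNAME:
            findings.append("USER registers with realname ' .'")
    elif cmd == "JOIN" and params and params[0] == IRC_CHANNEL:
        text = f"JOIN {IRC_CHANNEL}"
        if len(params) > 1 and params[1] == IRC_CHANNEL_KEY:
            text += " with the documented channel key"
        findings.append(text)
    elif cmd == "PRIVMSG" and len(params) >= 2 and params[0] == REPORT_TARGET:
        if params[1].startswith(SCAN_REPORT_PREFIXES):
            findings.append(f"scan report to {REPORT_TARGET}: {params[1]}")
    return findings


def scan_irc_log(lines):
    """Run the checks over an iterable of raw IRC lines; returns [(line_no, finding), ...]."""
    results = []
    for number, line in enumerate(lines, start=1):
        parsed = parse_irc_line(line)
        if parsed is None:
            continue
        _prefix, cmd, params = parsed
        for finding in check_message(cmd, params):
            results.append((number, finding))
    return results


# Constructed sample of what the bot's side of the session would look like.
SAMPLE_CLIENT_LINES = [
    "PASS we.own.your.ass",
    "NICK [NU|LNX|F]4821",
    "USER d3x 8 * : .",
    "JOIN ##war## FuckTheSystem",
    "PRIVMSG #xpl :Scan Started Range 10.23.0.0 Hosts:512",
    "PRIVMSG #xpl :Scan Accesso Effettutato Indirizzo:10.23.4.7 User:root Pass:toor",
    "PRIVMSG #random :hello",            # benign line, must not match
]

if __name__ == "__main__":
    for line_no, finding in scan_irc_log(SAMPLE_CLIENT_LINES):
        print(f"line {line_no}: {finding}")
```

Any one of these strings alone is a strong signal; the server password and the channel key are the cheapest to match because they only ever appear in the bot's first few lines, so a network sensor can stop inspecting a flow after registration.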

      SOLUTION

    Minimum Scan Engine: 9.800
    FIRST VSAPI PATTERN FILE: 12.872.06
    FIRST VSAPI PATTERN DATE: 01 Nov 2016
    VSAPI OPR PATTERN File: 12.873.00
    VSAPI OPR PATTERN Date: 02 Nov 2016

    Step 1:

    Scan your computer with your Trend Micro product and note files detected as ELF_IRCBOT.SPIN.

    Step 2:

    Terminating the malware process

    To terminate the malware process:

    • Open a Terminal window and list all running processes by typing the following command: ps -A
    • In the list of processes, look for the file detected earlier. Note the process ID of the malware process.
    • Type the following command: kill {malware process ID}
    • Close the Terminal window.

    Step 3:

    Scan your computer with your Trend Micro product to delete files detected as ELF_IRCBOT.SPIN. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files.