This Linux backdoor has increased potential for damage, propagation, or both. Specifically, it is capable of carrying out brute force attacks or exploits against D-Link Internet routers.
To get a one-glance comprehensive view of the behavior of this Backdoor, refer to the Threat Diagram shown below.
This backdoor may be dropped by other malware. It may be unknowingly downloaded by a user while visiting malicious websites.
It connects to Internet Relay Chat (IRC) servers.
This backdoor connects to any of the following Internet Relay Chat (IRC) servers:
It joins any of the following IRC channel(s):
This backdoor downloads updated copies of itself from the following websites:
This backdoor is capable of receiving and executing the following commands from an IRC server:
Other variants have been noted to use the following commands:
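The IRC command-and-control behaviour described above (registering as an IRC client, joining a channel, then taking commands from messages in that channel) can be spotted on the wire. The following is an added example, not code from the Trend Micro write-up: it runs over constructed sensor log lines of reconstructed IRC payloads, and the log format, IP addresses, server, nick and channel names are all assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample of IRC payload lines as a network sensor might log them:
# "<src_ip> <out|in> <raw IRC line>" ('out' = host to server, 'in' = server to host).
SAMPLE_LOG = """\
10.0.0.7 out NICK bot4821
10.0.0.7 out USER bot4821 8 * :bot4821
10.0.0.7 in :irc.example.invalid 001 bot4821 :Welcome
10.0.0.7 out JOIN #example-control
10.0.0.7 in :op!u@h PRIVMSG #example-control :constructed operator command
10.0.0.9 out NICK alice
10.0.0.9 out JOIN #chat
10.0.0.9 in :bob!b@c PRIVMSG #chat :hello
10.0.0.12 out GET / HTTP/1.1
"""

LINE_RE = re.compile(r"^(\S+)\s+(out|in)\s+(.*)$")

def irc_tokens(raw):
    """Split a raw IRC line into tokens, dropping the optional ':prefix'."""
    parts = raw.split()
    if parts and parts[0].startswith(":"):
        parts = parts[1:]
    return parts

def find_irc_bots(log_text):
    """Return {src_ip: [channels]} for hosts that registered as an IRC client
    (NICK + USER), joined a channel, and then received PRIVMSG traffic in it,
    the sequence an IRC bot such as ELF_TSUNAMI.R follows to take commands."""
    state = defaultdict(lambda: {"nick": False, "user": False,
                                 "joined": set(), "cmd_chans": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, direction, raw = m.groups()
        tokens = irc_tokens(raw)
        verb = tokens[0].upper() if tokens else ""
        s = state[ip]
        if direction == "out" and verb == "NICK":
            s["nick"] = True
        elif direction == "out" and verb == "USER":
            s["user"] = True
        elif direction == "out" and verb == "JOIN" and len(tokens) > 1:
            s["joined"].update(tokens[1].split(","))
        elif direction == "in" and verb == "PRIVMSG" and len(tokens) > 1:
            if tokens[1] in s["joined"]:  # message delivered to a joined channel
                s["cmd_chans"].add(tokens[1])
    return {ip: sorted(s["cmd_chans"]) for ip, s in state.items()
            if s["nick"] and s["user"] and s["cmd_chans"]}

if __name__ == "__main__":
    for ip, chans in find_irc_bots(SAMPLE_LOG).items():
        print(f"{ip}: IRC bot-style session, receiving commands via {', '.join(chans)}")
```

On a server or router segment where interactive IRC use is not expected, any host this flags deserves a look; the incomplete session from 10.0.0.9 (NICK without USER) is deliberately left unflagged.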
Based on this backdoor's code, it has the ability to check whether an Internet router is using a standard password by means of a brute force attack. However, no list of user names and passwords for use in that attack was found in the code. Furthermore, it can check whether the router is vulnerable to the following vulnerability:
Scan your computer with your Trend Micro product to delete files detected as ELF_TSUNAMI.R. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.