Analysis by: Christopher Daniel So
 PLATFORM:

Linux, UNIX, Mac OS X

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

Infection Channel: Downloaded from the Internet, Dropped by other malware

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  TECHNICAL DETAILS

File Size: Varies
File Type: Script
Memory Resident: No
Initial Samples Received Date: 06 Oct 2014
Payload: Terminates processes, Connects to URLs/IPs

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

NOTES:

This malware appends the line nameserver 4.2.2.2 to /etc/resolve.conf.

It downloads a file from the URL http://{BLOCKED}.{BLOCKED}.100.171/manual/a.c and saves it as /tmp/a.c. The downloaded file is detected as TROJ_KAITEN.A. Using the installed GNU compiler, it compiles /tmp/a.c to /tmp/.a.

If a.c cannot be downloaded, it downloads from http://{BLOCKED}.{BLOCKED}.100.171/manual/b and saves it as /tmp/.a. The downloaded file is detected as ELF_KAITEN.SM.

It executes the file /tmp/.a and then deletes /tmp/a.c and /tmp/.a.

It schedules the download and execution of the file in http://{BLOCKED}host.us/bots/regular.bot weekly by installing a cron table. It sets the read-only attribute of the file /var/spool/cron/tabs/root.

It drops the file /etc/cron.weekly/00logrotate to download and execute the file in http://{BLOCKED}host.us/bots/regular.bot. It sets the read-only attribute of the file /etc/cron.weekly/00logrotate.

It terminates all Perl processes.

  SOLUTION

Minimum Scan Engine: 9.700
FIRST VSAPI PATTERN FILE: 11.194.04
FIRST VSAPI PATTERN DATE: 06 Oct 2014

Step 1

Remove malware/grayware files dropped/downloaded by UNIX_BASHKAI.A. (Note: Please skip this step if the threats listed below have already been removed.)

Step 2

Scan your computer with your Trend Micro product to delete files detected as UNIX_BASHKAI.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

NOTES:

In the system's terminal, type the following commands:

crontab -r
chattr -isa /var/spool/cron/tabs/root
chattr -isa /etc/cron.weekly/00logrotate
rm /tmp/.a
rm /tmp/a.c
rm /tmp/c
rm /etc/cron.weekly/00logrotate

Using a text editor, open the file /etc/resolve.conf. In the file, find and remove the following line:

nameserver 4.2.2.2


Did this description help? Tell us how we did.