UNIX_BASHKAI.SM0

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It may be downloaded from the following remote site(s):

• http://{BLOCKED}host.us/bots/regular.bot

Download Routine

This Trojan connects to the following website(s) to download and execute a malicious file:

• http://www.{BLOCKED}er-services.name/b.c - compiled binary is detected as ELF_KAITEN.SM
• http://{BLOCKED}host.us/bots/kaiten.c - compiled binary is detected as ELF_KAITEN.A
• http://{BLOCKED}host.us/bots/darwin - detected as OSX_KAITEN.A
• http://{BLOCKED}host.us/bots/pl - detected as PERL_SHELBOT.SMO
• http://{BLOCKED}host.us/bots/regular.bot - detected as TROJ_BASHKAI.SM

It saves the files it downloads using the following names:

• /tmp/b.c - ELF_KAITEN.SM source code
• /tmp/d - OSX_KAITEN.A
• /tmp/pl - PERL_SHELBOT.SMO
• /tmp/sh - TROJ_BASHKAI.SM

NOTES:

The following downloaded files are C source codes:

• /tmp/b.c
• /tmp/a.c

The malware compiles the downloaded source codes using GNU C Compiler (GCC) and executes them

It performs self cleanup by deleting the following files:

• /tmp/.a
• /tmp/.b.c
• /tmp/.c
• /tmp/.d
• /tmp/sh
• /tmp/c
• /tmp/a.c
• /tmp/pl

It creates the file /tmp/c that schedules the weekly download and execution of regular.bot.