Analysis by: Francis Xavier Antazo

ALIASES:

Backdoor:Linux/Tsunami.gen!A (Microsoft); a variant of Linux/Tsunami.NAT (ESET); HEUR:Backdoor.Linux.Tsunami.bh(Kaspersky); Linux.Backdoor.Kaiten (Symantec); Linux/Tsunami.A (AVG); ELF:Tsunami-A (Avast);

 PLATFORM:

Linux

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

Infection Channel: Downloaded from the Internet, Dropped by other malware

This malware is involved in the February 2016 compromise of an open-source Linux OS distribution website. It may find its way into users' systems by being embedded in a downloaded Linux Mint ISO file. Users affected by this malware may find the security of their system compromised.

To get a one-glance comprehensive view of the behavior of this Backdoor, refer to the Threat Diagram shown below.

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes commands from a remote malicious user, effectively compromising the affected system.

  TECHNICAL DETAILS

File Size: 31816 bytes
File Type: ELF
Memory Resident: Yes
Initial Samples Received Date: 21 Feb 2016
Payload: Connects to URLs/IPs, Compromises system security

Arrival Details

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Backdoor Routine

This Backdoor joins any of the following IRC channel(s):

  • #{BLOCKED}t

It executes the following commands from a remote malicious user:

  • execute shell command
  • send arbitrary irc command to server
  • send help instructions
  • terminates current process
  • send "Kaiten wa goraku" via NOTICE command
  • download arbitrary file from arbitrary url
  • enables packeting
  • disables packeting
  • change spoofing
  • get current spoofing
  • set server
  • set nickname
  • send non-spoof udp flood on arbitrary site
  • send udp flood on arbitrary site
  • send syn flood on arbitrary site
  • send push - ack flood on arbitrary site

It connects to the following URL(s) to send and receive commands from a remote malicious user:

  • {BLOCKED}s.{BLOCKED}vodka.com
  • {BLOCKED}.{BLOCKED}nux.com
  • {BLOCKED}awdinarry.{BLOCKED}lerepo.com
  • {BLOCKED}int.{BLOCKED}-org.org

  SOLUTION

Minimum Scan Engine: 9.800

Scan your computer with your Trend Micro product to delete files detected as ELF64_KAITEN.AA. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.


Did this description help? Tell us how we did.