Backdoor.Linux.MTMBOT.ANU

 Analysis by: Patrick Angelo Roderno

 ALIASES:

HEUR:Backdoor.Linux.Gafgyt.a (KASPERSKY); Trojan.Linux.Tsunami (IKARUS); Linux/DDoS-CIA (SOPHOS)

 PLATFORM:

Linux

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Downloaded from the Internet, Dropped by other malware


This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It connects to Internet Relay Chat (IRC) servers. It joins an Internet Relay Chat (IRC) channel.

It performs denial of service (DoS) attacks on affected systems using specific flooding method(s).

It takes advantage of software vulnerabilities to allow a remote user or malware/grayware to download files.

  TECHNICAL DETAILS

File Size:

160,360 bytes

File Type:

ELF

File Compression:

UPX

Memory Resident:

No

Initial Samples Received Date:

23 Oct 2019

Payload:

Connects to URLs/IPs, Launches DoS/DDoS attacks, Exploits vulnerabilities, Terminates processes

Arrival Details

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It may be downloaded from the following remote site(s):

  • http://{BLOCKED}.{BLOCKED}.197.109/eBxUk

Backdoor Routine

This Backdoor connects to any of the following Internet Relay Chat (IRC) servers:

  • {BLOCKED}.{BLOCKED}.212.123

It joins any of the following Internet Relay Chat (IRC) channels:

  • #HellRoom

It accesses a remote Internet Relay Chat (IRC) server where it receives the following commands from a remote malicious user:

  • PING - return pong
  • NICK - change nickname
  • 352 - SPOOF REQUEST
  • 376 - MODE, JOIN, WHO
  • 433 - set nickname
  • PRIVMSG - parses the message body for the following bot commands:
    • GETIP - gets the IP address from an interface
    • FASTFLUX - starts a proxy to a port on another ip to an interface (same port)
    • RNDNICK - Randomizes the knights nick
    • NICK - Changes the nick of the client
    • SERVER - Changes servers
    • DISABLE - Disables all packeting from this client
    • ENABLE - Enables all packeting from this client
    • KILL - Kills the knight
    • GET - Downloads a file off the web and saves it onto the hd
    • VERSION - Requests version of client
    • KILLALL - Kills all current packeting
    • HELP - Displays this
    • IRC - Sends this command to the server
    • SH - Executes a command
    • ISH - SH, interactive, sends to channel
    • SHD - Executes a psuedo-daemonized command
    • INSTALL - Download & install a binary to /var/bin
    • BASH - Execute commands using bash.
    • LOCKUP - Kill telnet, d/l aes backdoor from , run that instead.
    • BINUPDATE - Update a binary in /var/bin via wget

Denial of Service (DoS) Attack

This Backdoor performs denial of service (DoS) attacks on affected systems using the following flooding method(s):

  • STUDP - Custom STD flooder v2
  • HOLD - TCP connect flooder(frag)
  • JUNK - TCP flooder (frag)
  • UNKNOWN - Advanced UDP flooder
  • HTTP - Custom HTTP flooder
  • DNS - DNS amplification flooder
  • VSE - Valve Source Engine amplification
  • RTCP - Random TCP flooder
  • ESSYN - TCP ESSYN flooder
  • VOLT-UDP - Advanced Spoofed UDP flooder
  • FRAG-TCP - Spoofed TCP Fragmentation Flooder
  • BLACKNURSE - ICMP packet flooder
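The two lists above (the PRIVMSG bot commands and the flood method names) are the observable IRC side of this backdoor. The following detector is an added example written for this page; it is not code from the advisory or from the malware. It parses raw IRC protocol lines (as exported from a capture) and flags a JOIN to the #HellRoom channel named above and PRIVMSG bodies whose first word is one of the listed command or flood keywords. The sample lines are constructed; the C2 server is blocked in the advisory, so only the channel is used as an indicator, and stripping a leading "!" or "." trigger character is an assumption (the advisory does not document a trigger prefix).

```python
"""Detection helper for the IRC command-and-control traffic described above.

Added example, not part of the Trend Micro advisory or the malware itself.
Indicators come from the advisory: the #HellRoom channel, the PRIVMSG bot
commands, and the flood method names. The sample lines are constructed.
"""
from typing import List, Optional, Tuple

# Channel taken from the advisory (lower-cased for comparison).
KNOWN_CHANNELS = {"#hellroom"}

# PRIVMSG bot commands as listed in the advisory.
BOT_COMMANDS = {
    "GETIP", "FASTFLUX", "RNDNICK", "NICK", "SERVER", "DISABLE", "ENABLE",
    "KILL", "GET", "VERSION", "KILLALL", "HELP", "IRC", "SH", "ISH", "SHD",
    "INSTALL", "BASH", "LOCKUP", "BINUPDATE",
}
# Flood method names from the advisory's DoS section.
FLOOD_COMMANDS = {
    "STUDP", "HOLD", "JUNK", "UNKNOWN", "HTTP", "DNS", "VSE", "RTCP",
    "ESSYN", "VOLT-UDP", "FRAG-TCP", "BLACKNURSE",
}

Parsed = Tuple[Optional[str], str, List[str], Optional[str]]


def parse_irc_line(line: str) -> Optional[Parsed]:
    """Split one IRC line into (prefix, COMMAND, params, trailing)."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):                      # ":nick!user@host COMMAND ..."
        prefix, _, line = line[1:].partition(" ")
    trailing = None
    if " :" in line:                              # everything after " :" is one param
        line, _, trailing = line.partition(" :")
    parts = line.split()
    if not parts:
        return None
    return prefix, parts[0].upper(), parts[1:], trailing


def classify(line: str) -> Optional[Tuple[str, str]]:
    """Return (finding_kind, value) when the line matches an indicator, else None."""
    parsed = parse_irc_line(line)
    if parsed is None:
        return None
    _prefix, command, params, trailing = parsed
    if command == "JOIN":
        channels = params[0] if params else (trailing or "")
        for channel in channels.split(","):
            if channel.lower() in KNOWN_CHANNELS:
                return ("join-known-c2-channel", channel)
    if command == "PRIVMSG" and trailing:
        words = trailing.split()
        if words:
            # Assumption: a leading "!" or "." trigger character may precede the
            # command; the advisory does not state the prefix used.
            keyword = words[0].lstrip("!.").upper()
            if keyword in BOT_COMMANDS:
                return ("bot-command", keyword)
            if keyword in FLOOD_COMMANDS:
                return ("flood-command", keyword)
    return None


def scan(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Scan a sequence of IRC lines; return (line_number, kind, value) findings."""
    findings = []
    for number, line in enumerate(lines, 1):
        hit = classify(line)
        if hit:
            findings.append((number, hit[0], hit[1]))
    return findings


# Constructed sample session (not a real capture).
SAMPLE_LINES = [
    "NICK bot123",
    "USER bot123 localhost localhost :bot123",
    ":irc.example.invalid 376 bot123 :End of /MOTD command.",
    "JOIN #HellRoom",
    ":irc.example.invalid PING :irc.example.invalid",
    ":oper!o@example.invalid PRIVMSG #HellRoom :!GETIP eth0",
    ":oper!o@example.invalid PRIVMSG #HellRoom :STUDP 203.0.113.7 80 10",
    ":friend!f@example.invalid PRIVMSG #general :hello, are you there?",
]

if __name__ == "__main__":
    for number, kind, value in scan(SAMPLE_LINES):
        print(f"line {number}: {kind} ({value})")
```

Ordinary chatter (the last sample line) is not flagged, and NICK/USER registration is ignored because only PRIVMSG bodies and JOINs are checked; on real traffic, pair a hit with the destination being an unexpected IRC server, since keywords such as GET, HELP and VERSION also occur in legitimate chat.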

Download Routine

This Backdoor takes advantage of the following software vulnerabilities to allow a remote user or malware/grayware to download files:

Other Details

This Backdoor does the following:

  • Capable of performing a brute-force attack on FTP and TFTP servers using the following credentials:
    • Username:
      • super
      • ubnt
      • IntraStack
      • nsroot
      • cisco
      • adminlvjh
      • Alphanetworks
      • admin
      • dbadmin
      • root
      • guest
      • default
      • user
      • daemon
      • adm
      • telnet
      • Administrator
      • mg3500
      • admin1
      • support
      • login
      • CISCO
      • oracle
      • tim
    • Password:
      • super
      • ubnt
      • Asante
      • nsroot
      • cisco
      • adminlvjh123
      • wrgg15_di524
      • diamond
      • sq!us3r
      • root
      • password
      • Zte521
      • vizxv
      • 000000
      • 14567
      • hi3518
      • user
      • pass
      • admin14
      • 7ujMko0admin
      • 00000000
      • <>
      • klv1
      • klv14
      • oelinux1
      • realtek
      • 1111
      • 54321
      • antslq
      • zte9x15
      • system
      • 1456
      • 888888
      • ikwb
      • default
      • juantech
      • xc3511
      • support
      • 1111111
      • service
      • 145
      • 4321
      • tech
      • abc1
      • switch
      • meinsm
      • smcadmin
      • 14567890
      • 14
      • admin1
      • admin
      • anko
      • guest
      • telnet
      • merlin
      • zlxx.
      • toor
      • login
      • changeme
      • 1234
      • 12345
      • 123456
      • netgear1
      • oracle
      • tim
      • xmhdipc
      • klv123
      • ivdev
      • GM8182
      • uClinux
      • 7ujMko0vizxv
      • fidel123
      • OxhlwSG8
      • tlJwpbo6
      • S2fGqNFs
  • Capable of terminating processes whose names match any of the following:
    • vbrxmr.mips
    • VB*
    • vbrxmr.*
    • loligang*
    • frosty*dvrHelper
    • 902i13
    • BzSxLxBxeY
    • HOHO-LUGO7
    • HOHO-U79OL
    • JuYfouyf87
    • NiGGeR69xd
    • So190Ij1X
    • dvrhelper
    • dvrsupport
    • mirai
    • blade
    • demon
    • Demon
    • smd
    • smd*
    • fuck
    • un5
    • kowai
    • hoho
    • hakai
    • armv4l
    • cron
    • sshd
    • ntpd
    • hoho*
    • ps23e
    • tron
    • nut
    • sbot*
    • sbot
    • sora
    • sora*
    • MilkTheseHoesUasFABw
    • MilkTheseHoesUasFABw*
    • satori
    • messiah
    • mips
    • sh4
    • superh
    • x86
    • armv7
    • armv6
    • i686
    • powerpc
    • ppc
    • i586
    • m68k
    • sparc
    • armv4
    • armv5
    • 440fp
    • miori
    • nigger
    • kowai
    • storm
    • LOLKIKEEEDDE
    • ekjheory98e
    • scansh4
    • MDMA
    • fdevalvex
    • scanspc
    • MELTEDNINJAREALZ
    • flexsonskids
    • scanx86
    • MISAKI-U79OL
    • foAxi102kxe
    • swodjwodjwoj
    • MmKiy7f87l
    • freecookiex86
    • sysgpu
    • NiGGeR69xd
    • frgege
    • sysupdater
    • 0DnAzepd
    • NiGGeRD0nks69
    • frgreu
    • telnetd
    • TwoFacearmv61
    • TwoFacei586
    • TwoFacei686
    • TwoFacem86k
    • TwoFacemips
    • TwoFacemipsel
    • TwoFacepowerpc
    • TwoFacesh4
    • wget
    • TwoFacesparc
    • TwoFacex86_64
    • 0x766f6964
    • NiGGeRd0nks1337
    • gaft
    • urasgbsigboa
    • 120i3UI49
    • OaF3
    • geae
    • vaiolmao
    • 123123a
    • Ofurain0n4H34D
    • ggTrex
    • wasads
    • 1293194hjXD
    • OthLaLosn
    • ggt
    • wget-log
    • 1337SoraLOADER
    • SAIAKINA
    • ggtq
    • 1378bfp919GRB1Q2
    • SAIAKUSO
    • ggtr
    • 14Fa
    • SEXSLAVE1337
    • ggtt
    • 1902a3u912u3u4
    • So190Ij1X
    • haetrghbr
    • 19ju3d
    • SORAojkf120
    • hehahejeje92
    • 2U2JDJA901F91
    • SlaVLav12
    • helpmedaddthhhhh
    • 2wgg9qphbq
    • Slav3Th3seD3vices
    • hzSmYZjYMQ
    • 5Gbf
    • SoRAxD123LOL
    • iaGv
    • 5aA3
    • SoRAxD420LOL
    • insomni
    • 640277
    • SoraBeReppin1337
    • ipcamCache
    • 66tlGg9Q
    • T
    • jUYfouyf87
    • 6ke3
    • TOKYO3
    • lyEeaXul2dULCVxh
    • 93OfjHZ2z
    • TY2gD6MZvKc7KU6r
    • mMkiy6f87l
    • A023UU4U24UIU
    • TheWeeknd
    • mioribitches
    • A5p9
    • TheWeeknds
    • mnblkjpoi
    • AbAd
    • Tokyos
    • neb
    • Akiru
    • U8inTz
    • netstats
    • Alex
    • W9RCAKM20T
    • newnetword
    • Ayo215
    • Word
    • nloads
    • BAdAsV
    • Wordmane
    • notyakuzaa
    • owari*
    • assailant.*
    • Belch
    • Wordnets
    • obp
    • BigN0gg0r420
    • X0102I34f
    • ofhasfhiafhoi
    • BzSxLxBxeY
    • X19I239124UIU
    • oism
    • Deported
    • XSHJEHHEIIHWO
    • olsVNwo12
    • DeportedDeported
    • XkTer0GbA1
    • onry0v03
    • FortniteDownLOLZ
    • Y0urM0mGay
    • pussyfartlmaojk
    • GrAcEnIgGeRaNn
    • YvdGkqndCO
    • qGeoRBe6BE
    • GuiltyCrown
    • ZEuS69
    • s4beBsEQhd
    • HOHO-KSNDO
    • ZEuz69
    • sat1234
    • HOHO-LUGO7
    • aj93hJ23
    • scanHA
    • HOHO-U79OL
    • alie293z0k2L
    • scanJoshoARM
    • HellInSide
    • ayyyGangShit
    • scanJoshoARM5
    • HighFry
    • b1gl
    • scanJoshoARM6
    • IWhPyucDbJ
    • boatnetz
    • scanJoshoARM7
    • IuYgujeIqn
    • btbatrtah
    • scanJoshoM68K
    • JJDUHEWBBBIB
    • c
    • scanJoshoMIPS
    • JSDGIEVIVAVIG
    • cKbVkzGOPa
    • scanJoshoMPSL
    • JuYfouyf87
    • ccAD
    • scanJoshoPPC
    • KAZEN-OIU97
    • chickenxings
    • scanJoshoSH4
    • yakuskzm8
    • KAZEN-PO78H
    • cleaner
    • scanJoshoSPC
    • yakuv4vxc
    • KAZEN-U79OL
    • dbeef
    • scanJoshoX86
    • yakuz4c24
    • KETASHI32
    • ddrwelper
    • scanarm5
    • zPnr6HpQj2
    • Kaishi-Iz90Y
    • deexec
    • scanarm6
    • zdrtfxcgy
    • Katrina32
    • doCP3fVj
    • scanarm7
    • zxcfhuio
    • Ksif91je39
    • scanm68k
    • Kuasa
    • dvrpelper
    • scanmips
    • KuasaBinsMate
    • eQnOhRk85r
    • scanmpsl
    • LOLHHHOHOHBUI
    • eXK20CL12Z
    • scanppc
    • mirai.*
    • dlr.*mips
    • mpsel
    • mpsl
    • arm6
    • arm7
    • spc
    • arm
    • mips64
    • mipsel
    • sh2eb
    • sh2elf
    • sh4
    • x86
    • arm
    • armv5
    • armv4tl
    • armv4
    • armv6
    • i686
    • powerpc
    • powerpc440fp
    • i586
    • m68k
    • sparc
    • x86_64
    • jackmy*
    • hackmy*
    • b1
    • b2
    • b3
    • b4
    • b5
    • b6
    • b7
    • b8
    • b9
    • b10
    • b11
    • b12
    • b13
    • b14
    • b15
    • b16
    • b17
    • b18
    • b19
    • b20
    • busyboxterrorist
    • dvrHelper
    • kmy*
    • lol*
    • telmips
    • telmips64
    • telmipsel
    • telsh2eb
    • telsh2elf
    • telsh4
    • telx86
    • telarmv5
    • telarmv4tl
    • telarmv4
    • telarmv6
    • teli686
    • telpowerpc
    • telpowerpc440fp
    • teli586
    • telm68k
    • telsparc
    • telx86_64
    • TwoFace*
    • xxb*
    • bb
    • busybotnet
    • busybox
    • badbox
    • B1
    • B2
    • B3
    • B4
    • B5
    • B6
    • B7
    • B8
    • B9
    • B10
    • B11
    • B12
    • B13
    • B14
    • B15
    • B16
    • B17
    • B18
    • B20
    • gaybot
    • hackz
    • bin*
    • gtop
    • botnet
    • swatnet
    • ballpit
    • fucknet
    • cracknet
    • weednet
    • gaynet
    • queernet
    • ballnet
    • unet
    • yougay
    • sttftp
    • sstftp
    • sbtftp
    • btftp
    • y0u1sg3y
    • bruv*
    • IoT*
    • botmips
    • botmipsel
    • botsh4
    • botx86_64
    • botarmv6l
    • boti686
    • botpowerpc
    • boti586
    • botm68k
    • botsparc
    • botarmv4l
    • botarmv5l
    • botpowerpc440fpbotmipsfinal
    • botmipselfinal
    • botsh4final
    • botx86_64final
    • botarmv6lfinal
    • boti686final
    • botpowerpcfinal
    • boti586final
    • botm68kfinal
    • botsparcfinal
    • botarmv4lfinal
    • botarmv5lfinal
    • botpowerpc440fpfinal
    • mirai.x86
    • mirai.mips
    • mirai.mpsl
    • mirai.arm
    • mirai.arm5n
    • mirai.arm7
    • mirai.ppc
    • mirai.spc
    • mirai.m68k
    • mirai.sh4
    • miraint.x86
    • miraint.mips
    • miraint.mpsl
    • miraint.arm
    • miraint.arm5n
    • miraint.arm7
    • miraint.ppc
    • miraint.spc
    • miraint.m68k
    • miraint.sh4bot.x86
    • bot.mips
    • bot.mpsl
    • bot.arm
    • bot.arm5n
    • bot.arm7
    • bot.ppc
    • bot.spc
    • bot.m68k
    • bot.sh4
    • botnt.x86
    • botnt.mips
    • botnt.mpsl
    • botnt.arm
    • botnt.arm5n
    • botnt.arm7
    • botnt.ppc
    • botnt.spc
    • botnt.m68k
    • botnt.sh4
    • bot.x86
    • vbrxmr.mips
    • vbrxmr.mpsl
    • vbrxmr.arm
    • vbrxmr.arm5
    • vbrxmr.arm7
    • vbrxmr.ppc
    • vbrxmr.spc
    • vbrxmr.m68k
    • vbrxmr.sh4
  • Scans the network for exploitable devices with the following vulnerabilities:
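The kill list above is mostly names used by competing IoT botnets, so a running process matching one of those names is itself worth investigating, while the handful of ordinary system binaries in the list (cron, sshd, ntpd, telnetd, wget, busybox) tells a responder what an infection disrupts. The following check is an added example for this page, not code from the advisory or the malware: it matches process names against a representative subset of the kill-list patterns (treating "*" as a glob wildcard, which is how entries such as "frosty*dvrHelper" read) and reports system daemons separately. The split into "indicator" and "disruption" is this editor's assessment, and the sample process names are constructed.

```python
"""Process-name indicator check built from the kill list above.

Added example, not part of the Trend Micro advisory or the malware. Patterns
are a representative subset of the advisory's kill list; the "legitimate
daemon" classification is an assessment added here; sample names are
constructed.
"""
import fnmatch
import os
from typing import Dict, Iterable, List, Tuple

# Representative subset of the kill list above; "*" is a glob wildcard.
KILL_LIST_PATTERNS = [
    "VB*", "vbrxmr.*", "loligang*", "frosty*dvrHelper", "dvrhelper",
    "mirai", "mirai.*", "hakai", "sora", "sora*", "satori", "TwoFace*",
    "jackmy*", "hackmy*", "busybotnet", "botnet", "bin*", "lol*", "IoT*",
    "cron", "sshd", "ntpd", "telnetd", "wget", "busybox",
]

# Assessment added here: these kill-list entries are ordinary system
# binaries, so a match means service disruption rather than another bot.
LEGITIMATE_DAEMONS = {"cron", "sshd", "ntpd", "telnetd", "wget", "busybox"}


def match_kill_list(names: Iterable[str]) -> Dict[str, List[Tuple[str, str]]]:
    """Bucket process names into 'indicator' and 'disruption' matches.

    Each entry is (process_name, matched_pattern); the first matching
    pattern wins so a name is reported once.
    """
    result: Dict[str, List[Tuple[str, str]]] = {"indicator": [], "disruption": []}
    for name in names:
        for pattern in KILL_LIST_PATTERNS:
            # fnmatchcase is case-sensitive on every OS, unlike fnmatch.fnmatch.
            if fnmatch.fnmatchcase(name, pattern):
                bucket = "disruption" if pattern in LEGITIMATE_DAEMONS else "indicator"
                result[bucket].append((name, pattern))
                break
    return result


def running_process_names() -> List[str]:
    """Collect /proc/<pid>/comm on Linux (hypothetical host check); [] elsewhere.

    Note: comm is truncated by the kernel to 15 characters, so long bot
    names are only matched on their prefix.
    """
    names: List[str] = []
    if not os.path.isdir("/proc"):
        return names
    for pid in os.listdir("/proc"):
        if not pid.isdigit():
            continue
        try:
            with open(f"/proc/{pid}/comm", encoding="utf-8", errors="replace") as fh:
                names.append(fh.read().strip())
        except OSError:
            continue
    return names


# Constructed sample (not a real process listing).
SAMPLE_PROCESS_NAMES = [
    "systemd", "sshd", "nginx", "loligang.arm7", "sora.x86", "VBoxService", "python3",
]

if __name__ == "__main__":
    hits = match_kill_list(SAMPLE_PROCESS_NAMES)
    for name, pattern in hits["indicator"]:
        print(f"possible competing bot: {name} (matched {pattern})")
    for name, pattern in hits["disruption"]:
        print(f"daemon this backdoor would kill: {name} (matched {pattern})")
```

Treat a hit as a lead, not a verdict: the bot's own patterns are crude, and "VB*" in the sample matches VirtualBox's VBoxService, so confirm with the binary's path and hash before acting.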

  SOLUTION

Minimum Scan Engine:

9.850

FIRST VSAPI PATTERN FILE:

15.458.04

FIRST VSAPI PATTERN DATE:

28 Oct 2019

VSAPI OPR PATTERN File:

15.459.00

VSAPI OPR PATTERN Date:

29 Oct 2019

Scan your computer with your Trend Micro product to delete files detected as Backdoor.Linux.MTMBOT.ANU. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check the following Trend Micro Support pages for more information:
