live casino online

arrow_back
search
close

ELF_KAITEN.SM

February 18, 2025
 Analysis by: Anthony Joe Melgarejo
 Modified by: Neljorn Nathaniel Aguas
 ALIASES:

Backdoor:Linux/Tsunami.C!MTB (MICROSOFT)

 PLATFORM:

Linux

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Downloaded from the Internet, Dropped by other malware

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It connects to Internet Relay Chat (IRC) servers. It joins an Internet Relay Chat (IRC) channel.

  TECHNICAL DETAILS

File Size:

37,848 bytes

File Type:

ELF

Memory Resident:

Yes

Initial Samples Received Date:

17 Feb 2025

Payload:

Connects to URLs/IPs

Arrival Details

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Backdoor Routine

This Backdoor connects to any of the following Internet Relay Chat (IRC) servers:

  • {BLOCKED}.{BLOCKED}.{BLOCKED}.23:443

It joins any of the following Internet Relay Chat (IRC) channels:

  • #roots

It accesses a remote Internet Relay Chat (IRC) server where it receives the following commands from a remote malicious user:

  • PING ¡ú return "PONG"
  • NICK ¡ú change nickname
  • PRIVMSG:
    • TSUNAMI ¡ú TCP Flood Attack
    • PAN ¡ú SYN Flood Attack
    • UDP ¡ú UDP Flood Attack
    • UNKNOWN ¡ú UDP Flood Attack (Non-spoof)
    • NICK ¡ú change or set nickname
    • SERVER ¡ú change server
    • GETSPOOFS ¡ú create spoofing parameters
    • SPOOFS ¡ú change spoofing to subnet
    • DISABLE ¡ú stop bot
    • ENABLE ¡ú continue running bot
    • KILL ¡ú terminates running bot instance
    • KILLALL ¡ú terminates all running bot instances
    • GET ¡ú download file from a web address
    • VERSION ¡ú sends "Kaiten wa goraku"
    • HELP ¡ú list all commands
    • IRC ¡ú sends commands to the server
    • SH ¡ú executes a command
  • 376 ¡ú MODE, JOIN, WHO
  • 433 ¡ú set nickname
  • 352 ¡ú spoof request

Other Details

This Backdoor does the following:

  • It adds the line "/" to either of the following startup scripts to enable its automatic execution at every system startup:
    • /etc/rc.d/rc.local
    • /etc/rc.conf
  • It disguises itself as a legitimate process by executing using the following process name:
    • crond
  • It accesses the following file to generate random strings:
    • /usr/dict/words

  SOLUTION

Minimum Scan Engine:

9.800

FIRST VSAPI PATTERN FILE:

11.214.05

FIRST VSAPI PATTERN DATE:

15 Oct 2014

VSAPI OPR PATTERN File:

11.215.00

VSAPI OPR PATTERN Date:

16 Oct 2014

Scan your computer with your live casino online product to delete files detected as ELF_KAITEN.SM. If the detected files have already been cleaned, deleted, or quarantined by your live casino online product, no further step is required. You may opt to simply delete the quarantined files. Please check the following live casino online Support pages for more information: