Backdoor.Linux.Tsunami

Publication Date: 05/24/2010
Class: Backdoor
Platform: Linux
Description

The backdoor establishes network connections with the following hosts:

80.***.54.131

In response, the backdoor receives the following commands from an attacker:

  • TSUNAMI
  • UNKNOWN
  • NICK
  • SERVER
  • GETSPOOFS
  • SPOOFS
  • DISABLE
  • ENABLE
  • KILL
  • VERSION
  • KILLALL
  • HELP
  • IRC
  • SH
  • PAN
  • MOVE
  • UDP
  • GET

Depending on the command, the backdoor can perform the following actions:

  • downloads files from the Internet, saves them under the specified name and runs them (GET);
  • executes shell commands (SH);
  • communicates via HTTP and IRC channels (SERVER, NICK, IRC, VERSION, HELP, MOVE, KILL);
  • carries out DDoS attacks on the specified IP address (TSUNAMI, GETSPOOFS, SPOOFS, DISABLE, ENABLE, PAN, UDP, KILLALL).

Thus, the backdoor provides an attacker with full access to an infected computer, which becomes a part of a botnet.