Backdoor.Linux.Tsunami

The backdoor provides networking with the following hosts:

80.***.54.131

In response, the backdoor receives next commands from an attacker:

TSUNAMI



UNKNOWN



NICK



SERVER



GETSPOOFS



SPOOFS



DISABLE



ENABLE



KILL



VERSION



KILLALL



HELP



IRC



SH



PAN



MOVE



UDP



GET

Depending on command backdoor can perform the following actions:

• downloads files from the Internet to save them with the specified name and run (GET);
• executes shell commands (SH);
• communicates via HTTP and IRC channels (SERVER, NICK, IRC, VERSION, HELP, MOVE, KILL);
• organizes DDoS-attacks on the specified IP-address (TSUNAMI, GETSPOOFS, SPOOFS, DISABLE, ENABLE, PAN, UDP, KILLALL);

Thus backdoor provides an attacker a full access to an infected computer, which becomes a part of a botnet.