
Linux.Kaiten


First posted on 20 July 2014.
Source: Symantec

Aliases :

There are no other names known for Linux.Kaiten.

Explanation :

The Trojan must be manually installed and executed by the user.

When the Trojan is executed, it modifies the following file so it is executed every time a user logs in:
/etc/init.d/rc.local

The Trojan opens a back door on the compromised computer, and connects to the following location on the IRCU port (TCP 6667):
ich-hab.sytes.net

The Trojan may also connect to the following locations:
mumumu.duckdns.org
mummuu.prxy8080.com
jappyupdate.servehttp.com
linuxupdatejappy.servepics.com

The Trojan then joins an IRC channel and listens for commands allowing a remote attacker to perform the following actions:
End processes
Download and execute files
Change client nickname
Change servers
Enable or disable packeting
Perform a distributed denial of service (DDoS) attack using SYN and UDP flooding methods
Send UDP packets
Spoof IP addresses
Terminate client
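
The host names and the TCP 6667 port listed above can be matched against resolver and connection logs to find affected machines. The following is an added example, not part of the original write-up: the dnsmasq-style query lines, the `ss -tn`-style session lines, the function names and all sample data are assumptions constructed for illustration.

```python
import re

# Indicators taken from the write-up above.
C2_HOSTS = {
    "ich-hab.sytes.net", "mumumu.duckdns.org", "mummuu.prxy8080.com",
    "jappyupdate.servehttp.com", "linuxupdatejappy.servepics.com",
}
IRC_PORT = 6667

# Assumed log shapes: dnsmasq query lines and `ss -tn` established sessions.
DNS_RE = re.compile(r"query\[\w+\]\s+(\S+)\s+from\s+(\S+)")
CONN_RE = re.compile(r"^ESTAB\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)")

def is_c2_name(name):
    """True if name is a listed host or a subdomain of one (case-insensitive)."""
    name = name.lower().rstrip(".")
    return any(name == h or name.endswith("." + h) for h in C2_HOSTS)

def scan_dns(lines):
    """Return (client, queried name) for every lookup of a listed host."""
    hits = []
    for line in lines:
        m = DNS_RE.search(line)
        if m and is_c2_name(m.group(1)):
            hits.append((m.group(2), m.group(1).lower().rstrip(".")))
    return hits

def scan_conns(lines):
    """Return (local, peer) for sessions whose remote port is the IRC port."""
    hits = []
    for line in lines:
        m = CONN_RE.match(line.strip())
        if m and int(m.group(4)) == IRC_PORT:
            hits.append((m.group(1), m.group(3)))
    return hits

# Constructed sample input (documentation address ranges, not real telemetry).
SAMPLE_DNS = [
    "Jul 20 10:00:01 dnsmasq[412]: query[A] ICH-HAB.sytes.net. from 192.0.2.15",
    "Jul 20 10:00:05 dnsmasq[412]: query[AAAA] mumumu.duckdns.org from 192.0.2.22",
    "Jul 20 10:00:09 dnsmasq[412]: query[A] notmumumu.duckdns.org from 192.0.2.30",
]
SAMPLE_CONNS = [
    "ESTAB 0 0 192.0.2.15:48212 198.51.100.7:6667",
    "ESTAB 0 0 192.0.2.15:6667 198.51.100.9:51000",
    "ESTAB 0 0 192.0.2.15:51514 198.51.100.8:443",
]

if __name__ == "__main__":
    print(scan_dns(SAMPLE_DNS), scan_conns(SAMPLE_CONNS))
```

Only the remote port is compared, so a host that itself listens on 6667 is not reported, and a look-alike name such as notmumumu.duckdns.org does not match because subdomains are matched on a label boundary.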

Last update 20 July 2014

 
