The backdoor allows access to the following host:
In response, the backdoor receives the following commands from the attacker:
TSUNAMI UNKNOWN NICK SERVER GETSPOOFS SPOOFS DISABLE ENABLE KILL VERSION KILLALL HELP IRC SH PAN MOVE UDP GET
Depending on the command issued by the attacker, the backdoor may perform the following actions:
- Download and execute files from the Internet
- Execute shell commands
- Communicate via HTTP and IRC channels
- Organise and execute denial-of-service attacks
Together, these actions give the attacker full access to the computer, allowing it to become part of a botnet.
As of February 20th, 2016, the official Linux Mint website has been hacked to serve ISO images containing this trojan. The website has been taken offline as a result, and investigations are still underway.
Further technical information
Securelist (Kaspersky Labs), Backdoor.Linux.Tsunami.gen