SHA1:
- 04c467b82ee5f06ed6987849e7b32a15c087b9c3 (unpacked)
- 4ef259d95dc0b1bc52edb79aff661876b4f4be84 (packed)
A Trojan designed to infect routers running Linux. It serves the only purpose—to brute-force router access passwords. If the hacking attempt is successful, the Trojan uploads a malicious script that, in turn, downloads and installs backdoors based on the router architecture (ARM, MIPS, or PowerPC).
Once launched, the Trojan receives operating parameters that determine the attack type and the range of IP addresses to scan. The following User-Agent value is used for the attack:
User-Agent: x00_-gawa.sa.pilipinas.2015The malicious program can carry out the following attacks:
- Attack on Linksys routers exploiting a vulnerability in HNAP (Home Network Administration Protocol)
- Attack on Linksys routers exploiting the CVE-2013-2678 vulnerability
- Attack exploiting the ShellShock vulnerability (CVE-2014-6271)
- Attack exploiting a vulnerability in the Fritz!Box routers' subsystem of remote command call
Files uploaded by malicious scripts to the infected device are detected by Dr.Web as Linux.BackDoor.Tsunami.133 and Linux.BackDoor.Tsunami.144.
