Private sector offensive actor (PSOA) - Various
Backdoor:Linux/Tsunami.C is a Linux backdoor bot that connects to a command-and-control server and waits for instructions. Once active it can launch Distributed Denial of Service (DDoS) attacks (the rule strings below reference HTTP, UDP and SYN flood routines), download and execute additional payloads, kill competing processes, and establish persistence on the compromised system, including through the user's crontab.
rule Backdoor_Linux_Tsunami_C_2147763164_0
{
meta:
author = "threatcheck.sh"
detection_name = "Backdoor:Linux/Tsunami.C!MTB"
threat_id = "2147763164"
type = "Backdoor"
platform = "Linux: Linux platform"
family = "Tsunami"
severity = "Critical"
info = "MTB: Microsoft Threat Behavior"
signature_type = "SIGNATURE_TYPE_ELFHSTR_EXT"
threshold = "3"
strings_accuracy = "High"
strings:
$x_1_1 = "shit.php?id=> <GET/HEAD/POST> = HTTP flood" ascii //weight: 1
$x_1_2 = "Another non-spoof udp flooder" ascii //weight: 1
$x_1_3 = "Downloads a file off the web and saves it onto the hd" ascii //weight: 1
$x_1_4 = "crontab -l | grep %s | grep -v" ascii //weight: 1
$x_1_5 = "Killing pid" ascii //weight: 1
$x_1_6 = "advanced syn flooder that will kill most network" ascii //weight: 1
$x_1_7 = "Kills all current packeting" ascii //weight: 1
condition:
(filesize < 20MB) and
(3 of ($x*))
}

SHA-256: 9701ae7249aa394624bf33096e3f5dd2be0bb778debba3364f5277a50874cc31

Isolate the affected Linux machine from the network. Identify and delete the malicious binary and any files it downloaded. Remove persistence mechanisms, such as suspicious entries in 'crontab' (the bot itself checks for its own entry with 'crontab -l | grep ... | grep -v', so inspect both root and per-user crontabs), and rotate all credentials on the system, since the backdoor can download and execute arbitrary code. Investigate the initial access vector to prevent reinfection.
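The following is an added example, not code from threatcheck.sh or from the Defender signature itself: an offline re-implementation of the rule's string and threshold logic, so the condition "(filesize < 20MB) and (3 of ($x*))" can be reasoned about and checked on a suspect file without a YARA install, plus a small crontab triage helper for the remediation step above. The ELF header bytes, the sample blobs, the crontab listing and the path /tmp/.x/tsunami are all constructed for illustration and are not indicators from the page.

```python
# Added example: offline mirror of the Backdoor_Linux_Tsunami_C rule logic
# (not the page's or Microsoft's code). Sample inputs are constructed.
from pathlib import Path

# The seven $x_* strings from the rule, verbatim.
RULE_STRINGS = {
    "$x_1_1": b"shit.php?id=> <GET/HEAD/POST> = HTTP flood",
    "$x_1_2": b"Another non-spoof udp flooder",
    "$x_1_3": b"Downloads a file off the web and saves it onto the hd",
    "$x_1_4": b"crontab -l | grep %s | grep -v",
    "$x_1_5": b"Killing pid",
    "$x_1_6": b"advanced syn flooder that will kill most network",
    "$x_1_7": b"Kills all current packeting",
}
THRESHOLD = 3                  # "3 of ($x*)"
MAX_FILESIZE = 20 * 1024 ** 2  # YARA's "20MB" means 20 * 2**20 bytes


def matched_strings(data: bytes) -> list:
    """Names of rule strings present in data. YARA's 'N of' counts distinct
    strings, not occurrences, so a string repeated ten times counts once."""
    return [name for name, needle in RULE_STRINGS.items() if needle in data]


def rule_matches(data: bytes) -> bool:
    """Mirror of the rule's condition. The rule as written has no ELF magic
    check; the ELFHSTR signature type is what scopes it to ELF files inside
    the Defender engine, so a text file with three strings also matches here."""
    return len(data) < MAX_FILESIZE and len(matched_strings(data)) >= THRESHOLD


def scan_path(path) -> dict:
    """Triage helper for a file on disk: verdict plus the strings that hit."""
    data = Path(path).read_bytes()
    return {"path": str(path), "size": len(data),
            "matched": matched_strings(data), "verdict": rule_matches(data)}


def suspicious_cron_lines(crontab_text: str, binary_path: str) -> list:
    """Non-comment crontab lines referencing the identified binary, i.e. the
    entries the remediation step says to remove (assumed binary path)."""
    hits = []
    for line in crontab_text.splitlines():
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue
        if binary_path in entry:
            hits.append(entry)
    return hits


# --- constructed samples: fake ELF header plus rule strings, no real code ---
FAKE_ELF = b"\x7fELF\x02\x01\x01" + b"\x00" * 9

# Three distinct rule strings (one repeated): fires the rule.
SAMPLE_HIT = FAKE_ELF + b"\x00".join([
    RULE_STRINGS["$x_1_3"], RULE_STRINGS["$x_1_4"], RULE_STRINGS["$x_1_5"],
    RULE_STRINGS["$x_1_5"],  # repeat still counts as a single string
]) + b"\x00"

# Only two distinct strings: below threshold, does not fire.
SAMPLE_MISS = FAKE_ELF + RULE_STRINGS["$x_1_1"] + b"\x00" + RULE_STRINGS["$x_1_2"]

# Constructed crontab listing with a legitimate job and two persistence entries.
SAMPLE_CRONTAB = """# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
@reboot /tmp/.x/tsunami
*/5 * * * * /tmp/.x/tsunami >/dev/null 2>&1
"""

if __name__ == "__main__":
    print("hit :", matched_strings(SAMPLE_HIT), rule_matches(SAMPLE_HIT))
    print("miss:", matched_strings(SAMPLE_MISS), rule_matches(SAMPLE_MISS))
    print("cron:", suspicious_cron_lines(SAMPLE_CRONTAB, "/tmp/.x/tsunami"))
```

Run it as a script to see the two verdicts and the cron hits; on a live host, call scan_path() on the suspect binary and feed the output of 'crontab -l' for each user into suspicious_cron_lines() with the path you found. Note the size bound uses YARA's binary megabyte, so a 20,000,000-byte file is still in scope while a 20,971,520-byte one is not.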