
Linux/DDoS-Kaiten

Threat Detail

  • Malware Type: Trojan
  • Malware Sub-type: Denial Of Svc
  • Protection Added: 2002-10-01

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.


Minimum Engine

5400.1158

File Length

37,237 bytes

Description Added

2002-10-01

Description Modified

2002-10-01

Malware Proliferation

This is an IRC-based distributed denial of service client. It connects to a hardcoded list of servers and accepts commands via a specific IRC channel.

Each client is identified by a nickname so it is possible for the attacker to issue commands to a specific client, to a group of clients or broadcast to all clients connected to the specified servers. It is able to execute various commands transmitted through the IRC channel:
  • PUSH+ACK flooder
  • SYN flooder
  • UDP flooder
  • non-spoof UDP flooder
  • Downloads files off the web
  • Sends commands to the IRC server
  • Executes commands on the target
Note: A variant of this trojan is carried by the Slapper worm. This variant tries to connect to the IRC server irc.zyclonicz.net channel #devnull.
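As an added illustration (not part of this McAfee description), the following detector scans IRC messages recorded by a network sensor and flags hosts matching the two indicators given above: a connection to the server irc.zyclonicz.net and a JOIN to the channel #devnull. The log line format and the sample lines are constructed for this example.

```python
import re
from dataclasses import dataclass

# Indicators taken from the description above (the Slapper-carried variant).
KAITEN_SERVER = "irc.zyclonicz.net"
KAITEN_CHANNEL = "#devnull"

# Constructed sample log, one IRC protocol message per line.
# Fields: timestamp, client IP, server hostname, IRC command, arguments.
SAMPLE_LOG = """\
2002-10-01T08:00:01Z 10.0.0.5 irc.example.org NICK alice
2002-10-01T08:00:02Z 10.0.0.5 irc.example.org JOIN #linux
2002-10-01T08:05:10Z 10.0.0.9 irc.zyclonicz.net NICK xk3g21
2002-10-01T08:05:11Z 10.0.0.9 irc.zyclonicz.net JOIN #devnull
2002-10-01T08:05:12Z 10.0.0.9 irc.zyclonicz.net PRIVMSG #devnull :hello
2002-10-01T08:06:00Z 10.0.0.12 irc.zyclonicz.net JOIN #chat
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<server>\S+)\s+(?P<cmd>[A-Z]+)(?:\s+(?P<args>.*))?$"
)


@dataclass(frozen=True)
class Finding:
    client: str     # client IP seen talking to IRC
    indicator: str  # "c2-server" or "c2-channel"


def scan_irc_log(text: str) -> list[Finding]:
    """Return one Finding per (client, indicator) pair, in first-seen order."""
    findings: list[Finding] = []
    seen: set[tuple[str, str]] = set()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the expected sensor format; skip
        client, server, cmd = m["client"], m["server"].lower(), m["cmd"]
        args = m["args"] or ""
        hits = []
        if server == KAITEN_SERVER:
            hits.append("c2-server")
        # JOIN may list several channels separated by commas.
        channels = [c.lower() for c in args.split(" ")[0].split(",")]
        if cmd == "JOIN" and KAITEN_CHANNEL in channels:
            hits.append("c2-channel")
        for ind in hits:
            if (client, ind) not in seen:
                seen.add((client, ind))
                findings.append(Finding(client, ind))
    return findings


def likely_infected(findings: list[Finding]) -> list[str]:
    """Clients that both reached the hardcoded server and joined the command channel."""
    by_client: dict[str, set[str]] = {}
    for f in findings:
        by_client.setdefault(f.client, set()).add(f.indicator)
    return sorted(c for c, inds in by_client.items() if {"c2-server", "c2-channel"} <= inds)
```

A host flagged only for the server (like 10.0.0.12 in the sample) warrants a look but is weaker evidence than one that also joined the command channel.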

Detection is included in the specified DAT release.

In addition to the DAT version requirements for detection, the specified engine version (or greater) must also be used.

Delete files identified by the scanner, replace them with clean ones from backup or re-install them using the original packages. Reboot the system.

Administrators should regularly check for availability of important security updates/patches.

Recommended links:
  • Caldera
  • Debian
  • FreeBSD
  • Redhat
  • Sun
  • SuSe

It is installed by a variant of Linux/Slapper, which itself is installed by an OpenSSL exploit.

The affected computer is connected to the IRC channel named above.