Linux/Remaiten [Threat Name]

Detection created2016-03-01
Short description

Linux/Remaiten serves as a backdoor. It can be controlled remotely. It is able to spread according to instructions downloaded from the Internet.


The trojan does not create any copies of itself.

The trojan may create the following files:

  • /dev/shm/.kpid
  • /var/run/.kpid
  • /var/tmp/.kpid
  • /tmp/.kpid
  • /.kpid
  • ./.kpid

It is able to spread according to instructions downloaded from the Internet.

The trojan generates various IP addresses.

It tries to connect to the remote machine on port:

  • 23 (TCP, Telnet)

The trojan attempts to bruteforce login credentials.

If the trojan is succesful, it attempts to send the file/malware component to the remote computer.

The trojan usually contains within the main malware body another malware files.

The file is saved to one of the following folders:

  • /dev/netslink/
  • /var/tmp/
  • /tmp/
  • /
  • /home/

Its filename may be one of the following:

  • .t
  • retrieve
  • binary
  • retr
  • %variable%

A string with variable content is used instead of %variable% .

The file is then executed.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of IP/URL addresses. The IRC, HTTP, Telnet protocol is used in the communication.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • execute shell commands
  • perform DoS/DDoS attacks
  • terminate running processes
  • send files to a remote computer
  • perform port scanning to detect presence of          Telnet          service

The trojan can rename its process name.

For further information follow the links below:

* Meet Remaiten, a Linux bot on steroids targeting routers and potentially other IoT devices

Please enable Javascript to ensure correct displaying of this content and refresh this page.