Linux/Typot
Analysis
- Trojan is an ELF binary and may have been created on a Mandrake Linux system – one variant of the Trojan is 116,580 bytes while another is 456,321 bytes
- Trojan may be installed onto Linux systems by a hacker or group of hackers as the folder and file “tmp/…/a”
- Trojan runs memory resident, running frequent and persistent scans across the Internet, sending SYN packets with a TCP window size of 55808 and a size of 44 bytes – the target IP addresses are chosen using a randomizing technique
- Trojan is believed to be mapping IP addresses in a possible precursor to another attack
- Trojan periodically checks for Internet connectivity by attempting to locate the IP address 12.108.65.76 – this IP address does not appear to be associated with the Trojan in any other way
- Trojan contains the strings “XegypT” and “Typot” in its body
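The scan traffic described above (bare SYN, TCP window 55808, 44-byte packets) can be matched from raw IPv4/TCP headers; the following detector is an added example and not part of the original write-up. It assumes the "44 bytes" refers to the IP total length (20-byte IP header plus a 24-byte TCP header with an MSS option) and uses constructed, never-transmitted packets as sample input.

```python
import struct

# Linux/Typot scan signature from the analysis above. The 44-byte total
# length is taken as the IP total-length field (assumption).
TYPOT_WINDOW = 55808
TYPOT_IP_LEN = 44
TCP_SYN, TCP_ACK = 0x02, 0x10

def parse_ipv4_tcp(pkt: bytes):
    """Parse a raw IPv4+TCP packet (no link layer). Returns the fields the
    check needs, or None if the bytes are not a complete IPv4/TCP header."""
    if len(pkt) < 20:
        return None
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4 or proto != 6:   # IPv4 and protocol 6 (TCP) only
        return None
    ihl = (ver_ihl & 0x0F) * 4            # header length in bytes
    if len(pkt) < ihl + 20:
        return None
    sport, dport, _, _, off_flags, window = struct.unpack(
        "!HHIIHH", pkt[ihl:ihl + 16])
    return {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "sport": sport, "dport": dport, "total_len": total_len,
            "flags": off_flags & 0x01FF, "window": window}

def is_typot_probe(pkt: bytes) -> bool:
    """True when the packet is a SYN (not SYN-ACK) with the Typot window
    size and total length; everything else is treated as ordinary traffic."""
    hdr = parse_ipv4_tcp(pkt)
    if hdr is None:
        return False
    syn_only = hdr["flags"] & (TCP_SYN | TCP_ACK) == TCP_SYN
    return syn_only and hdr["window"] == TYPOT_WINDOW and hdr["total_len"] == TYPOT_IP_LEN

def build_sample(window: int, flags: int, src="10.0.0.5", dst="192.0.2.9") -> bytes:
    """Constructed test packet: 20-byte IP header + 24-byte TCP header (MSS
    option) = 44 bytes. Checksums are left zero; the bytes are never sent."""
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, (6 << 12) | flags, window, 0, 0)
    tcp += struct.pack("!BBH", 2, 4, 1460)          # MSS option, 4 bytes
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return ip + tcp

def count_probes(packets) -> int:
    """Count packets in a capture that match the Typot scan signature."""
    return sum(1 for p in packets if is_typot_probe(p))
```

Feeding real capture data requires stripping the link-layer header first; the parser starts at the IPv4 version nibble.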