Senif trojan summary

by Albert Bendicho (bendi#at#redestb.es). Student at the "honeyp.edu" university.

At the technical department of "Honeyp.edu" we have recently discovered the presence of a new kind of trojan that affects Linux servers. The trojan provides a backdoor into the systems where it runs and allows extra capabilities to be exploited by a remote user.

A trojan is an application that opens holes in your computer so that anyone can remotely access it. Unlike viruses, trojans usually don't cause harm on your computer by themselves, but require an external actor to use the capabilities they provide.

In the case of the Senif trojan, we have found that it allows a remote user to open a remote connection to the server and execute any arbitrary command from a shell prompt. This means that if the trojan is installed on a server, someone can get full control over that server.

Measures have been taken in the campus network to detect the traffic generated by this trojan or by the users that try to control it. Despite the fact that the trojan uses encoding techniques to hide the contents of its activity, it is possible to identify the traffic it generates. An advisory has been released documenting the technical details.

How to tell if you have a trojaned server

The best way to tell if the trojan is installed is to check whether any process is listening on a "raw" socket for packets of the "nvp" protocol (IP protocol number 11). To do that, execute the following command:

[usr@server directory] netstat -naw

If you get output similar to this:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
raw        0      0 0.0.0.0:11              0.0.0.0:*               7       

then it is almost certain that you are trojaned. The "raw" line with the local address "0.0.0.0:11" shows that the trojan is up and running, waiting for commands from a remote user.
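The following script automates the check described above. It is an added example written for this summary, not code from the advisory or from the trojan itself: it parses `netstat -naw` output for a raw socket bound to protocol 11 and, as a cross-check that does not depend on the netstat binary, reads the same information from /proc/net/raw, where the Linux kernel lists the protocol number in hex (000B = 11) in the port position. The netstat and /proc/net/raw samples below are constructed for the example, not captured from a real host; the column layout assumed is that of the net-tools netstat and the Linux /proc/net/raw table.

```sh
#!/bin/sh
# Added example: look for a raw socket bound to IP protocol 11 (NVP), the
# Senif indicator described in the summary. Sample inputs are constructed.

# Constructed `netstat -naw` output showing the indicator (raw socket on protocol 11)
TROJANED_SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
raw        0      0 0.0.0.0:1               0.0.0.0:*               7
raw        0      0 0.0.0.0:11              0.0.0.0:*               7'

# Constructed clean output: only an ICMP (protocol 1) raw socket, e.g. from a ping helper
CLEAN_SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
raw        0      0 0.0.0.0:1               0.0.0.0:*               7'

# Constructed /proc/net/raw content; the "port" part of local_address is the
# IP protocol number in hex (0001 = ICMP, 000B = 11 = NVP)
PROC_RAW_SAMPLE='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   1: 00000000:0001 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1234 2 0000000000000000 0
  11: 00000000:000B 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 5678 2 0000000000000000 0'

# Count raw sockets on protocol 11 in netstat -naw output read from stdin.
# For raw sockets netstat prints the protocol number where a port would be,
# so "0.0.0.0:11" means "any address, protocol 11".
count_nvp_raw_sockets() {
    awk '$1 == "raw" { n = split($4, a, ":"); if (a[n] == "11") c++ } END { print c + 0 }'
}

# Same check against /proc/net/raw read from stdin (header line skipped).
count_nvp_proc_raw() {
    awk 'NR > 1 { n = split($2, a, ":"); if (toupper(a[n]) == "000B") c++ } END { print c + 0 }'
}

# Run both checks on the live host; returns 1 when the indicator is present.
live_check() {
    hits=0
    if command -v netstat >/dev/null 2>&1; then
        hits=$(netstat -naw 2>/dev/null | count_nvp_raw_sockets)
    fi
    if [ -r /proc/net/raw ]; then
        proc_hits=$(count_nvp_proc_raw < /proc/net/raw)
        [ "$proc_hits" -gt "$hits" ] && hits=$proc_hits
    fi
    if [ "$hits" -gt 0 ]; then
        echo "WARNING: $hits raw socket(s) bound to protocol 11 (NVP) - matches the Senif indicator"
        return 1
    fi
    echo "No raw socket on protocol 11 found"
    return 0
}

# Check the live host only when asked; otherwise the file just defines the functions.
[ "${1:-}" = "--live" ] && live_check
```

Run it as `sh senif_check.sh --live` on the server to inspect the running system, or source it to reuse the two counting functions. Reading /proc/net/raw directly matters because the check should not rely solely on a single user-space binary on a host you already suspect is compromised; if the two counts disagree, treat the host as suspect and follow the advisory's removal instructions.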

If your server is infected, contact your systems administrator immediately. If you are the person who has to maintain this server, take a look at our advisory for a more detailed technical discussion and for instructions on how to remove it.