What does this perl malware do with changing "$0"?

Question

We had an intrusion into our server over the weekend and I'm trying to trace the tracks of the intruder. It seems they ran a perl script, causing a www-data process called init to run at 100%. Unfortunately I don't have perl expertise, so I have no clue what this is doing:

 6 my $processo =("atd","sendmail: accepting connections","rpc.idmapd","syslogd -m 0","/sbin/udevd -d","/sbin/init");
# ...
24 use IO::Socket;
25 use Socket;
26 use IO::Select;
27 chdir("/tmp");
28 $servidor="$ARGV[0]" if $ARGV[0];
29 $0="$processo"."\0"x16;;
30 my $pid=fork;
31 exit if $pid;

It seems to me the instruction in line 29 is intended to hide the process somehow. What does it do exactly?

Answer 1

From perldoc perlvar:

On some (but not all) operating systems assigning to $0 modifies the argument area that the ps program sees. On some platforms you may have to use special ps options or a different ps to see the changes. Modifying the $0 is more useful as a way of indicating the current program state than it is for hiding the program you're running.

So yes, your assertion is correct. It's looking to mask how it shows up in ps.

Answer 2

This line appears to be intentionally obfuscated:

my $processo =("atd","sendmail: accepting connections","rpc.idmapd","syslogd -m 0","/sbin/udevd -d","/sbin/init");

It is equivalent to:

my $processo = "/sbin/init";