Linux Computers Targeted by New Backdoor and DDoS Trojan

Jack

Administrator
Thread author
Verified
Staff Member
Well-known
Jan 24, 2011
9,378
After being bombarded with new malware towards the end of last year, the Linux ecosystem is rocked again by the discovery of a new trojan family, identified by security researchers as Linux.BackDoor.Xudp.

The only detail that matters is that this new threat does not leverage automated scripts, vulnerabilities, or brute-force attacks to infect users and still relies on good ol' user stupidity in order to survive.

The infection scenario is simple, with users downloading malicious packages or applications from the Internet, and then giving them root privileges during the installation.

Linux.BackDoor.Xudp is installed via Linux.Downloader

Xudp is not distributed directly, but crooks lace these malicious packages with another malware called Linux.Downloader. This is what the infosec community calls a payload downloader, malware that's small enough to fit inside other apps, tasked only with downloading other malware.

In this particular case, after the user gives root privileges to an app laced with Linux.Downloader (version 77), this trojan will download an upgraded version of itself (version 116), which includes more features needed during Xudp's installation.

Version 116 will download and install Xudp in the "/lib/.socket1" or /lib/.loves" folders, add Xudp to the system's autorun scripts, and also wipe clean the local iptables firewall, if in use.

Read more: Linux Computers Targeted by New Backdoor and DDoS Trojan
 

omidomi

Level 71
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Apr 5, 2014
6,008
The emergence of new Trojans—especially for Linux—that execute cybercriminals’ commands and provide remote control over the infected machine is always a remarkable event in terms of information security. In April, Doctor Web security researchers detected at once several such-like Trojans, which were named Linux.BackDoor.Xudp.1, Linux.BackDoor.Xudp.2, and Linux.BackDoor.Xudp.3 respectively.

The infection begins with the ELF file, which is detected by Dr.Web as Linux.Downloader.77. It is noteworthy that this application is initially designed to send out UDP packets to a specified address. Linux.Downloader.77 is a trojanized version of this program. A potential victim downloads this utility and runs it on their computer by themselves. Then it prompts the user to grant it root privileges, without which its operation is impossible. Such flood programs are often able to execute additional covert functions—for example, download other dangerous applications from the Internet. Linux.Downloader.77 is not an exception.

Once Linux.Downloader.77 gets root access to the system, it downloads another script, Linux.Downloader.116, from the server and runs it. This script, in turn, downloads the main module of Linux.BackDoor.Xudp.1, saves it as /lib/.socket1 or /lib/.loves, locate the autorun script in the /etc/ folder under the name of rc.local, and enables the Trojan’s autorun in the cron job scheduler. In addition, while the Trojan is being installed to the system, the contents of the iptables utility is cleared.

Once launched, Linux.BackDoor.Xudp.1 decrypts configuration data, which is hard-coded in its body and is necessary for its correct operation, and sends a detailed information about the infected computer to the server. Then it runs three separate threads. In the first one, the backdoor uses HTTP protocol. The Trojan informs the server that it has been launched. The server sends an encryption key, information about the server to which requests should be sent, and a port number. After that, Linux.BackDoor.Xudp.1 periodically sends requests to the specified server, expecting to get a command. Supposedly, the Trojan can use this feature to update itself. All incoming instructions are encrypted. To decrypt them, the Trojan generates a special key.

In the second thread, Linux.BackDoor.Xudp.1 also waits for instructions from the server but uses UDP protocol. In the third one, the Trojan periodically sends a specific datagram to the server in order to inform that it is still active.

Security researchers registered that Linux.BackDoor.Xudp.1 can continuously send various requests to the specified remote server, carry out DDoS attacks, and execute arbitrary commands. In addition, it can scan ports within a specified range of IP addresses, run certain files, send any file to cybercriminals, and execute other functions. According to Doctor Web analytics, this Trojan is presumably in process of development, because its new modifications appear on a regular basis.

Its counterparts, Linux.BackDoor.Xudp.2 and Linux.BackDoor.Xudp.3, are, in fact, improved versions of Linux.BackDoor.Xudp.1. However, they can differ from each other by the name under which the Trojans are saved to the system, amount of information about the computer they send to the server, or by a set of commands they can execute. Dr.Web for Linux successfully detects all these malicious programs, so they do not pose any threat to our users.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top