Malware News Sixth Linux DDoS Trojan Discovered in the Last 30 Days

Exterminator

Exterminator

Community Manager
Thread author
Verified
Staff Member
Well-known
Oct 23, 2012
12,527
Linux users have yet another trojan to worry about, and as always, crooks are deploying it mostly to hijack devices running Linux-based operating systems and use them to launch DDoS attacks at their behest.

Dr.Web security researchers, the ones that have discovered this threat, say the trojan seems to infect Linux machines via the Shellshock vulnerability, still unpatched in a large number of devices.

The trojan, going by the generic name of Linux.DDoS.93, will first and foremost modify the /var/run/dhcpclient-eth0.pid file in such a way that its process is started with every computer boot. If the file doesn't exist, the trojan will create it itself.

Once the trojan is initiated after a boot-up, it operates using two processes. One is used to talk to the C&C server, while the second makes sure that the trojan's parent process is always up and running.

Trojan uses 25 child processes to launch the DDoS attacks
When the attacker in control of the trojan's botnet issues an attack command, the trojan launches 25 child processes that carry out the DDoS attack.

Currently, the trojan can start UDP floods (on a random port, on a specific port, or spoofed UDP floods), TCP floods (simple packets or with random data up to 4096 B added to each packet), and HTTP floods (via POST, GET, or HEAD requests).
Furthermore, the trojan can also update itself, delete itself, terminate its process, send a ping, and download and run a file received from the C&C server.

The trojan shuts down when it finds Brian Krebs' name
Linux.DDoS.93 also includes a function that scans the computer's memory and list of active processes, and shuts down itself if it finds any of the following strings:

privmsg
getlocalip
kaiten
brian krebs
botnet
bitcoin mine
litecoin mine
rootkit
keylogger
ddosing
nulling
hackforums
skiddie
script kiddie
blackhat
whitehat
greyhat
grayhat
doxing
malware
bootkit
ransomware
spyware
botkiller
Most strings are related to the infosec domain and are likely there to prevent reverse engineering from security researchers, or for infecting the malware author's computer.

During the infection process, the trojan also scans the compromised machine for other versions of itself and shuts them down, always installing the fresher version.

This doubles as an automatic update system, with the latest version of the trojan always surviving on the infected machine.

Linux has been a very hot platform for developing malware in the past month. In the last 30 days, security researchers have discovered, analyzed, and brought to light five other Linux trojans, such as Rex, PNScan, Mirai, LuaBot, and Linux.BackDoor.Irc.
Click to expand...
 
You must log in or register to reply here.

Similar threads

silversurfer
    • Like
China-Linked Actor Taps Linux Backdoor in Forceful Espionage Campaign
Replies
0
Views
1,279
News Archive
silversurfer
silversurfer
[correlate]
    • Like
    • +Reputation
Who and What is Behind the Malware Proxy Service SocksEscort?
Replies
0
Views
1,036
News Archive
[correlate]
[correlate]
silversurfer
    • +Reputation
    • Like
Malware News New BIFROSE Linux Malware Variant Using Deceptive VMware Domain for Evasion
Replies
0
Views
1,262
Security News
silversurfer
silversurfer

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top