- Oct 23, 2012
Linux users have yet another trojan to worry about, and as always, crooks are deploying it mostly to hijack devices running Linux-based operating systems and use them to launch DDoS attacks at their behest.
Dr.Web security researchers, who discovered this threat, say the trojan appears to infect Linux machines via the Shellshock vulnerability, which is still unpatched on a large number of devices.
The trojan, going by the generic name of Linux.DDoS.93, will first and foremost modify the /var/run/dhcpclient-eth0.pid file in such a way that its process is started with every computer boot. If the file doesn't exist, the trojan will create it itself.
Once the trojan is initiated after a boot-up, it operates using two processes. One is used to talk to the C&C server, while the second makes sure that the trojan's parent process is always up and running.
Trojan uses 25 child processes to launch the DDoS attacks
When the attacker in control of the trojan's botnet issues an attack command, the trojan launches 25 child processes that carry out the DDoS attack.
Currently, the trojan can start UDP floods (on a random port, on a specific port, or spoofed UDP floods), TCP floods (simple packets or with random data up to 4096 B added to each packet), and HTTP floods (via POST, GET, or HEAD requests).
Furthermore, the trojan can also update itself, delete itself, terminate its process, send a ping, and download and run a file received from the C&C server.
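As an added defender-side example (not Dr.Web's or the article's code), the following Python checks a host for the two artefacts described above: a dhcpclient-eth0.pid file that holds more than a bare PID, and a parent process with 25 same-named children. The "single decimal PID" rule and the child-count heuristic are assumptions, and all sample inputs are constructed.

```python
"""Hunt for the persistence and worker-process artefacts described above.

Assumptions (not from the article): a genuine pid file holds exactly one
decimal number, and the 25 DDoS workers share a parent and a command name.
"""
import re
from collections import Counter, defaultdict

PID_FILE = "/var/run/dhcpclient-eth0.pid"   # path named in the article
CHILD_THRESHOLD = 25                         # workers per attack, per the article


def classify_pid_file(contents: str) -> str:
    """Return 'clean', 'tampered' or 'empty' for the text of a pid file.

    Anything beyond a single decimal number (for example a command line
    used to relaunch a binary at boot) is reported as tampering.
    """
    text = contents.strip()
    if not text:
        return "empty"
    return "clean" if re.fullmatch(r"\d+", text) else "tampered"


def suspicious_parents(ps_lines, threshold=CHILD_THRESHOLD):
    """Given header-less lines of `ps -eo pid,ppid,comm`, return the
    (ppid, comm) pairs where one parent has >= threshold children sharing
    a command name; the article's 25 attack workers would match."""
    children = defaultdict(Counter)
    for line in ps_lines:
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue                      # skip malformed lines
        _pid, ppid, comm = parts
        children[int(ppid)][comm] += 1
    return sorted((ppid, comm) for ppid, counts in children.items()
                  for comm, n in counts.items() if n >= threshold)


# Constructed sample inputs (placeholders, not real indicators)
CLEAN_PIDFILE = "1234\n"
TAMPERED_PIDFILE = "1234\n/tmp/PLACEHOLDER_DROPPED_BINARY &\n"
PS_SAMPLE = ["1 0 systemd", "800 1 dhclient"] + \
            [f"{900 + i} 850 worker" for i in range(25)]

if __name__ == "__main__":
    print(classify_pid_file(TAMPERED_PIDFILE), suspicious_parents(PS_SAMPLE))
```

On a live host, read PID_FILE into classify_pid_file and feed `ps -eo pid,ppid,comm --no-headers` output to suspicious_parents; the 25-child rule is a heuristic and will also flag legitimate worker pools, so treat hits as leads to triage, not verdicts.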
The trojan shuts down when it finds Brian Krebs' name
Linux.DDoS.93 also includes a function that scans the computer's memory and list of active processes, and shuts itself down if it finds any of the following strings:
privmsg
getlocalip
kaiten
brian krebs
botnet
bitcoin mine
litecoin mine
rootkit
keylogger
ddosing
nulling
hackforums
skiddie
script kiddie
blackhat
whitehat
greyhat
grayhat
doxing
malware
bootkit
ransomware
spyware
botkiller
Most of these strings belong to the infosec domain and are likely there to hinder reverse engineering by security researchers, or to keep the malware from infecting its author's own computer.
During the infection process, the trojan also scans the compromised machine for other versions of itself and shuts them down, always installing the fresher version.
This doubles as an automatic update system, with the latest version of the trojan always surviving on the infected machine.
Linux has been a very hot platform for malware development in the past month. In the last 30 days, security researchers have discovered, analyzed, and brought to light five other Linux trojans: Rex, PNScan, Mirai, LuaBot, and Linux.BackDoor.Irc.