Linux DDoS Trojan Found
Monday, September 19, 2016 @ 09:09 AM gHale
As far as the bad guys are concerned, Linux is on a roll. There is yet another Trojan in circulation targeting Linux systems in an effort to hijack devices and then use them to launch DDoS attacks.
The Trojan infects Linux machines via the Shellshock vulnerability, which remains unpatched in a large number of devices, said researchers at Dr.Web.
The Trojan, going by the generic name of Linux.DDoS.93, will modify the /var/run/dhcpclient-eth0.pid file so its process starts with every computer boot. If the file doesn’t exist, the Trojan will create it itself, researchers said in a post.
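Defenders can look for the persistence artifact the researchers name. The script below is an added example, not code from Dr.Web or this article: it reads /var/run/dhcpclient-eth0.pid and checks whether the PID it holds belongs to a real DHCP client process, flagging a stale, malformed or hijacked file. The set of legitimate DHCP client program names is an assumption and should be adjusted for the host.

```python
import os
import re
from pathlib import Path

# Path named in the Dr.Web write-up as the Trojan's persistence artifact.
PID_FILE = "/var/run/dhcpclient-eth0.pid"
# Assumption: program names a legitimate DHCP client on this host could have.
EXPECTED_CLIENTS = {"dhclient", "dhcpcd", "udhcpc", "nm-dhcp-client"}

def parse_pid(text):
    """Return the integer PID from a pid-file body, or None if it is not a bare integer."""
    m = re.fullmatch(r"\s*(\d+)\s*", text)
    return int(m.group(1)) if m else None

def proc_argv0(pid, proc_root="/proc"):
    """Return argv[0] of a running process from /proc, or None if it does not exist."""
    try:
        raw = Path(proc_root, str(pid), "cmdline").read_bytes()
    except OSError:
        return None
    return raw.split(b"\0", 1)[0].decode(errors="replace")

def assess(pid_text, argv0_lookup):
    """Classify the pid file contents.

    pid_text: body of the pid file, or None if the file is absent.
    argv0_lookup: callable pid -> argv[0] string, or None for a dead PID.
    Returns one of 'absent', 'malformed', 'stale', 'ok', 'suspicious'.
    """
    if pid_text is None:
        return "absent"
    pid = parse_pid(pid_text)
    if pid is None:
        return "malformed"       # a DHCP client writes a bare PID; anything else is odd
    argv0 = argv0_lookup(pid)
    if argv0 is None:
        return "stale"           # file outlived its process; harmless by itself
    name = os.path.basename(argv0)
    return "ok" if name in EXPECTED_CLIENTS else "suspicious"

def check_host(pid_file=PID_FILE, proc_root="/proc"):
    """Run the check against the live system and return the verdict."""
    try:
        text = Path(pid_file).read_text()
    except FileNotFoundError:
        text = None
    return assess(text, lambda pid: proc_argv0(pid, proc_root))

if __name__ == "__main__":
    print(f"{PID_FILE}: {check_host()}")
```

A "suspicious" verdict means the pid file points at a process that is not a known DHCP client and is worth inspecting by hand; "stale" on its own is common after an unclean shutdown.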
Once the Trojan initiates after a boot-up, it operates using two processes. One is used to talk to the C&C server, while the second makes sure its parent process is always up and running.
When the attacker in control of the Trojan’s botnet issues an attack command, it launches processes that carry out the DDoS attack.
Currently, the Trojan starts UDP floods (on a random port, on a specific port, or spoofed UDP floods), TCP floods (simple packets or with random data up to 4096 bytes added to each packet), and HTTP floods (via POST, GET, or HEAD requests).
The Trojan can also update itself, delete itself, terminate its process, send a ping, and download and run a file received from the C&C server.
Linux.DDoS.93 also includes a function that scans the computer’s memory and list of active processes, and shuts itself down if it finds any of a list of strings.
Most of the strings relate to the infosec domain and are likely there to hinder reverse engineering by security researchers, or to avoid infecting the malware author’s own computer.
During the infection process, the Trojan also scans the compromised machine for other versions of itself and shuts them down, always installing the fresher version.
This doubles as an automatic update system, with the latest version of the Trojan always surviving on the infected machine.