Sixth Linux DDoS Trojan Discovered in the Last 30 Days


Linux users have yet another trojan to worry about, and, as always, crooks are deploying it mostly to hijack devices running Linux-based operating systems and use them to launch DDoS attacks at their behest.

Dr.Web security researchers, who discovered this threat, say the trojan appears to infect Linux machines via the Shellshock vulnerability, which is still unpatched on a large number of devices.

The trojan, going by the generic name of Linux.DDoS.93, will first and foremost modify the /var/run/dhcpclient-eth0.pid file in such a way that its process is started with every computer boot. If the file doesn't exist, the trojan creates it itself.
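The persistence artifact named above suggests a simple host check a defender can run: read the PID file, resolve what binary the referenced process actually is, and flag anything that is not a known DHCP client. The following script is an added example written for this article, not code from Dr.Web or from the malware; the allowlist of DHCP client paths and the sample process table are constructed assumptions, and on a live host the lookup would be replaced by reading /proc.

```python
"""Audit a DHCP client PID file for a hijacked process (added example, not from the article)."""
import os
import re

# Binaries a legitimate dhcpclient-eth0.pid could reasonably point at (assumption;
# adjust to the distribution's actual DHCP client paths).
EXPECTED_DHCP_CLIENTS = {
    "/sbin/dhclient",
    "/usr/sbin/dhclient",
    "/sbin/dhcpcd",
    "/usr/sbin/dhcpcd",
}


def parse_pidfile(text):
    """Return the integer PID from PID-file text, or None if the content is malformed."""
    m = re.fullmatch(r"\s*(\d+)\s*", text)
    return int(m.group(1)) if m else None


def read_exe_path(pid, proc_root="/proc"):
    """Resolve /proc/<pid>/exe on a live host; None when the process no longer exists.

    Reading another user's exe link normally requires root.
    """
    try:
        return os.readlink(os.path.join(proc_root, str(pid), "exe"))
    except OSError:
        return None


def audit_pidfile(pidfile_text, exe_lookup):
    """Classify a PID file. exe_lookup(pid) must return the exe path or None.

    Returns a (verdict, exe_path) tuple.
    """
    pid = parse_pidfile(pidfile_text)
    if pid is None:
        return ("malformed", None)
    exe = exe_lookup(pid)
    if exe is None:
        return ("stale", None)          # PID file points at a dead process
    if exe.endswith(" (deleted)"):
        return ("suspicious-deleted-binary", exe)   # binary unlinked after launch
    if exe in EXPECTED_DHCP_CLIENTS:
        return ("ok", exe)
    return ("suspicious", exe)          # running something other than a DHCP client


# Constructed sample process table standing in for /proc; paths are made up for the demo.
SAMPLE_PROC_EXE = {
    812: "/sbin/dhclient",
    4411: "/tmp/.x (deleted)",
    5020: "/var/tmp/.dhcp",
}


def demo():
    """Run the audit over constructed PID-file contents and return each verdict."""
    lookup = SAMPLE_PROC_EXE.get
    return {
        "legit": audit_pidfile("812\n", lookup),
        "deleted": audit_pidfile("4411\n", lookup),
        "odd_path": audit_pidfile("5020\n", lookup),
        "gone": audit_pidfile("99999\n", lookup),
        "garbage": audit_pidfile("not a pid", lookup),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
    # On a real host (as root):
    # with open("/var/run/dhcpclient-eth0.pid") as fh:
    #     print(audit_pidfile(fh.read(), read_exe_path))
```

A "stale" verdict is common on healthy systems after a reboot, so treat it as informational; "suspicious" and "suspicious-deleted-binary" are the cases worth a closer look, since a DHCP client PID file should never resolve to an unlinked binary or to a path outside the system's DHCP client locations.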

Once the trojan is initiated after a boot-up, it operates using two processes. One is used to talk to the C&C server, while the second makes sure that the trojan's parent process is always up and running.

Trojan uses 25 child processes to launch the DDoS attacks

When the attacker in control of the trojan's botnet issues an attack command, the trojan launches 25 child processes that carry out the DDoS attack.

Currently, the trojan can start UDP floods (on a random port, on a specific port, or spoofed UDP floods), TCP floods (simple packets or with random data up to 4096 B added to each packet), and HTTP floods (via POST, GET, or HEAD requests).

Furthermore, the trojan can also update itself, delete itself, terminate its process, send a ping, and download and run a file received from the C&C server.

The trojan shuts down when it finds Brian Krebs' name

Linux.DDoS.93 also includes a function that scans the computer's memory and list of active processes, and shuts down itself if it finds any of the following strings:

privmsg getlocalip kaiten brian krebs botnet bitcoin mine litecoin mine rootkit keylogger ddosing nulling hackforums skiddie script kiddie blackhat whitehat greyhat grayhat doxing malware bootkit ransomware spyware botkiller

Most of these strings belong to the infosec domain and are likely there to hinder reverse engineering by security researchers, or to keep the trojan from infecting the malware author's own computer.

During the infection process, the trojan also scans the compromised machine for other versions of itself and shuts them down, always installing the fresher version.

This doubles as an automatic update system, with the latest version of the trojan always surviving on the infected machine.

Linux has been a very hot platform for malware development in the past month. In the last 30 days, security researchers have discovered, analyzed, and brought to light five other Linux trojans: Rex, PNScan, Mirai, LuaBot, and Linux.BackDoor.Irc.
