Linux users are once again at risk as the Dr.Web researchers have discovered yet another Trojan targeting Linux running OSs.
As usual, the attackers behind the malware are using it primarily to hijack Linux devices and launch DDoS attacks. According to Dr.Web, the Trojan, going by the generic name of Linux.DDoS.93, relies on the Shellshock vulnerability to infect its victims, as this flaw is still unpatched in a large number of devices.
The very first thing the Trojan would do, once on the device, is to alter the /var/run/dhcpclient-eth0.pid file in such way that would allow its process to start with each boot of the PC. The Trojan would even create the file itself if it doesn’t find it on the machine.
The Linux.DDoS.93 uses two processes for its operation. The first is used for the communication with theC&C server and the second is to make sure the Trojan`s parent process is always up and running.
The Linux.DDoS.93 requires launching 25 child processes to carry out a DDoS attack.
At this point, the Trojan is able to start TCP floods (simple packets or with random data up to 4096 B added to each packet), HTTP floods (via POST, GET, or HEAD requests) and UDP floods (on a random port, on a specific port, or spoofed UDP floods).
Aside from that, it is also capable of self-updating, self-deleting, terminating its process, downloading and running files received from the C&C, and sending a ping.
Linux.DDoS.93 also includes a function that scans the computer’s memory and list of active processes, and shuts down itself if it finds any of the following strings:
“privmsg, getlocalip, kaiten, brian krebs, botnet, bitcoin mine, litecoin mine, rootkit, keylogger, ddosing, nulling, hackforums, skiddie, script kiddie, blackhat, whitehat, greyhat, doxing, malware, bootkit, ransomware, spyware, botkiller”
Other strings are also related to the infosec domain as their purpose is to prevent reverse engineering from security researchers, or for infecting the malware author’s computer.
Linux.DDoS.93 also checks the infected machine for other versions of itself and, if it finds any, it deletes them, always installing newer ones. This automatic update system makes sure that the newest version of the Trojan in always installed on the compromised PC.
The Linux.DDoS.92 is the sixth Trojan to be discovered in the last month alone, as before it security experts have stumbled across to five other Linux targeting Trojans. This includes PNScan, Mirai, LuaBot, Linux.BackDoor.Irc and Rex.