Linux-based devices are again on the radar of cyber criminals. This time they are being infected with the Linux.Mirai trojan to carry out large-scale DDoS attacks.

The IT security researchers at the Russian firm Doctor Web have discovered yet another trojan that is specifically developed to target Linux-based devices and conduct Distributed Denial of Service (DDoS) attacks.

Dubbed Linux.Mirai by the researchers, the trojan works on the SPARC, ARM, MIPS, SH-4 and M68K architectures as well as Intel x86 computers.

An important fact about Linux.Mirai is that Doctor Web had previously found it in May 2016 under the name Linux.DDoS.87. It shares features with Linux.BackDoor.Fgt, a backdoor found infecting Linux systems back in 2014. Linux.DDoS.87, however, attacks a Linux system by first killing the old and existing trojans already running on it. In order to avoid removing itself in the process, the trojan creates a file named .shinigami (Shinigami means “god of death” or “death spirit” in Japanese) in its own folder and checks for its presence from time to time.

Furthermore, the trojan connects back to a command-and-control server to receive instructions and also reports the MAC addresses and the architecture of the infected system. If commanded to run a DDoS attack, it can launch UDP floods, UDP floods over GRE, DNS floods, TCP floods (of several types) and HTTP floods.

According to Doctor Web:

The maximum uptime of Linux.DDoS.87 on an infected computer is one week, after which the Trojan terminates its operation.

When it comes to Linux.Mirai, the trojan has a few more features than its predecessors; for example, it can turn off the Linux watchdog timer (WDT), a hardware circuit that resets the system in case of a software fault.
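The two host-side traits described above, the .shinigami marker file that the bot keeps in its own folder and the need to touch the watchdog device to switch the WDT off, give a responder something concrete to look for. The read-only triage script below is an added example, not Doctor Web's or the article's code; it assumes a standard /proc layout and that the watchdog is exposed as /dev/watchdog (or /dev/watchdogN).

```python
#!/usr/bin/env python3
"""Read-only triage for the Linux.Mirai / Linux.DDoS.87 traits above.

Check 1: a '.shinigami' marker file in the working directory of a running
         process (the bot re-checks this file in its own folder).
Check 2: a process holding the watchdog device open, which any code that
         disables the WDT from user space has to do.
Assumption: /proc layout is standard and the device is /dev/watchdog*.
"""
import os
from pathlib import Path
from typing import Dict, List

MARKER_NAME = ".shinigami"          # marker file named in the Doctor Web write-up
WATCHDOG_DEVICE = "/dev/watchdog"   # assumed device path; matches /dev/watchdog0 too


def _pids(proc_root: Path) -> List[int]:
    """Numeric entries of a /proc-like tree are process ids; 'self' etc. are skipped."""
    return sorted(int(p.name) for p in proc_root.iterdir() if p.name.isdigit())


def marker_file_hits(proc_root: Path = Path("/proc")) -> Dict[int, str]:
    """Map pid -> cwd for every process whose cwd contains the marker file.

    Entries that cannot be read (other users' processes, kernel threads,
    processes that exited mid-scan) are skipped rather than reported.
    """
    hits: Dict[int, str] = {}
    for pid in _pids(proc_root):
        try:
            cwd = os.readlink(proc_root / str(pid) / "cwd")
        except OSError:
            continue
        if (Path(cwd) / MARKER_NAME).exists():
            hits[pid] = cwd
    return hits


def watchdog_holders(proc_root: Path = Path("/proc")) -> List[int]:
    """Pids that have an open file descriptor pointing at the watchdog device."""
    holders: List[int] = []
    for pid in _pids(proc_root):
        fd_dir = proc_root / str(pid) / "fd"
        try:
            targets = [os.readlink(fd_dir / fd) for fd in os.listdir(fd_dir)]
        except OSError:
            continue
        if any(t.startswith(WATCHDOG_DEVICE) for t in targets):
            holders.append(pid)
    return holders


if __name__ == "__main__":
    print("processes with a .shinigami marker in cwd:", marker_file_hits())
    print("processes holding the watchdog device open:", watchdog_holders())
```

Run it as root so that every process's cwd and fd table is readable; a hit on either check is a lead to triage, not proof of infection on its own, since legitimate watchdog daemons also keep /dev/watchdog open.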

Linux was once considered the most secure operating system to use, but over time Linux-based devices have become a prime target for cyber criminals. Recently, the Bashlite (also known as Lizkebab) and LuaBot malware were also found targeting Linux devices.


Investigation of Linux.mirai Trojan Family by Waqas Amir on Scribd

We highly recommend checking Doctor Web’s findings on Linux.BackDoor.Fgt.1 and Linux.DDoS.87.