Share

tweet







A detailed analysis of the new Linux Trojan

Linux users have yet another trojan to worry about, and as always, crooks are deploying it mostly to hijack devices running Linux-based operating systems. This malicious program, dubbed Linux.DDoS.93, was discovered by Doctor Web’s security researchers.

Distributed Denial of Service (DDoS) attacks are the most common way for cybercriminals to attack network resources. A server under attack receives so many in-coming requests that it cannot cope with the influx and shuts down. Cybercriminals often use special malware for such attacks.

The Trojan Linux.DDoS.93 was created to attack computers running under the Linux operating system. Presumably, it is spread via a set of ShellShock vulnerabilities in GNU Bash.

Once launched, the Linux.DDoS.93 tries to alter the contents of system directories to ensure that it gets run automatically. After that, the Trojan checks whether other copies of Linux.DDoS.93 are present on the infected computer and shuts down any it finds.

When launched successfully, the Trojan creates two child processes. The first one exchanges data with a command and control server. The second one verifies the parent process is running in an infinite loop (if not, it launches it). The parent process then does the same for the child process—thus, the Trojan operates continuously on the infected machine.

The Linux.DDoS.93 can execute the following commands:

Update the malicious program

Download and run the file specified in the command

Remove itself

Launch a UDP flood attack on a specified port

Launch a UDP flood attack on a random port

Launch a Spoofed UDP flood attack

Launch a TCP flood attack

Launch a TCP flood attack (random data up to 4096 B long is added to the packages)

Launch an HTTP flood attack using GET requests

Launch an HTTP flood attack using POST requests

Launch an HTTP flood attack using HEAD requests

Send HTTP requests with the parameters specified to 255 random IP addresses

Terminate execution

Send a PING command



When the Trojan receives the command to launch a DDoS attack or send random requests, it first shuts down all the child processes and then launches 25 new ones which subsequently carry out criminal-ordered attacks. The signature of Linux.DDoS.93 has been added to the Dr.Web virus databases. Thus, users of Dr.Web for Linux are reliably protected.

Linux.DDoS.93

Added to Dr.Web virus database: 2016-09-07 Virus description was added: 2016-09-14

SHA1:

f164721acd2e5dabaa2b802946162cbaac48aa5e (x64)

(x64) 76d7a2f1fcc3eeb398bba416ac5cc78072780367 (x64)

(x64) c3b5310eca6dce452c42e5db14a852d42b08f559 (armv6l)

The Trojan for Linux designed to carry out DDoS attacks. It is spread presumably via ShellShock vulnerabilities.

At launching, it checks for the presence of /var/run/dhcpclient-eth0.pid. file. If the Trojan cannot find this file, it attempts to register itself in autorun.

void __cdecl startup() { char self_path[ 1023 ]; // [sp+0h] [bp- 414 h] @1 int v1; // [sp+ 400 h] [bp- 14 h] @1 FILE *stream ; // [sp+ 404 h] [bp- 10 h] @3 char v3[ 12 ]; // [sp+ 408 h] [bp-Ch] @2 v1 = readlink ( "/proc/self/exe" , self_path, 0x3FF u); if ( v1 != - 1 ) { v3[v1 - 0x408 ] = 0 ; if ( geteuid() ) goto LABEL_16; stream = fopen( "/etc/rc.local" , "w" ); if ( stream ) { fprintf(stream, "#!/bin/sh -e

%s

exit 0" , self_path); fclose(stream); return ; } if ( !access( "/etc/init.d" , 0 ) ) { rename (self_path, "/etc/init.d/dhcpclient-eth0" ); system ( "update-rc.d dhcpclient-eth0 defaults" ); return ; } if ( !access( "/etc/init" , 0 ) ) { stream = fopen( "/etc/init/dhcpclient-eth0.conf" , "w" ); if ( stream ) { fprintf(stream, "description \"dhcp client\"

start on startup

task

exec %s " , self_path); fclose(stream); return ; } } stream = fopen( "/etc/crontab" , "a" ); if ( !stream ) { LABEL_16: system ( "crontab -l > tempcrontab" ); stream = fopen( "tempcrontab" , "a" ); if ( stream ) { fprintf(stream, "

@reboot %s

" , self_path); fclose(stream); system ( "crontab tempcrontab" ); remove( "tempcrontab" ); } } else { fprintf(stream, "

@reboot root %s

" , self_path); fclose(stream); } } }

After that, the Trojan write-protects the /var/run/dhcpclient-eth0.pid file and disguises its own name under “-sha”. Then the Linux.DDoS.93 reads the process’s memory contents and lists executable files of the processes, using /proc, in order to find other Trojan copies. The process terminates if it matches one of the strings below.

signatures dq offset aPrivmsg ; DATA XREF: dump_memory+1A0r .data:00000000006066C0 ; dump_file+ABr .data:00000000006066C0 ; "privmsg" .data:00000000006066C8 dq offset aGetlocalip ; "getlocalip" .data:00000000006066D0 dq offset aKaiten ; "kaiten" .data:00000000006066D8 dq offset aBrianKrebs ; "brian krebs" .data:00000000006066E0 dq offset aBotnet ; "botnet" .data:00000000006066E8 dq offset aBitcoinMine ; "bitcoin mine" .data:00000000006066F0 dq offset aLitecoinMine ; "litecoin mine" .data:00000000006066F8 dq offset aRootkit ; "rootkit" .data:0000000000606700 dq offset aKeylogger ; "keylogger" .data:0000000000606708 dq offset aDdosing ; "ddosing" .data:0000000000606710 dq offset aNulling ; "nulling" .data:0000000000606718 dq offset aHackforums ; "hackforums" .data:0000000000606720 dq offset aSkiddie ; "skiddie" .data:0000000000606728 dq offset aScriptKiddie ; "script kiddie" .data:0000000000606730 dq offset aBlackhat ; "blackhat" .data:0000000000606738 dq offset aWhitehat ; "whitehat" .data:0000000000606740 dq offset aGreyhat ; "greyhat" .data:0000000000606748 dq offset aGrayhat ; "grayhat" .data:0000000000606750 dq offset aDoxing ; "doxing" .data:0000000000606758 dq offset aMalware ; "malware" .data:0000000000606760 dq offset aBootkit ; "bootkit" .data:0000000000606768 dq offset aRansomware ; "ransomware" .data:0000000000606770 dq offset aSpyware ; "spyware" .data:0000000000606778 dq offset aBotkiller ; "botkiller"

The Trojan generates its identifier that looks as follows: [A-Z0-9]{20}.

After that the Linux.DDoS.93 creates two child processes. The first one exchanges data with a command and control server. The second one verifies the parent process is running in an infinite loop (if not, launches it). The parent process then does the same for the child process—thus the Trojan works continuously on the infected computer.

The module executes the following commands:

Command Parameters Purpose DNX Host URL Download and run the file. It is saved with the name getbinaries GET Host port page time Launch a HTTP flood attack using GET requests HEAD Host port page time Launch a HTTP flood attack using HEAD requests PING Send a PING command POST Host port page time postparams Launch a HTTP flood attack using POST requests RCD Host port time Launch a TCP flood attack (random data up to 4096 B long is added to the packages) RUDP Host time Launch a UDP flood attack on a random port SCANNER Method port page params useragent Send HTTP requests with the specified parameters to 255 random IP addresses SUDP Host port time Launched a Spoofed UDP flood attack TCP Host port time Launch a TCP flood attack TERMINATE Terminate execution UDP Host port time Launch a UDP flood attack on a specified port UNINSTALL Remove itself UPDATE Host URL Download and run the file. It is saved with the name getbinaries

When the Trojan receives the command to launch a DDoS attack or a SCANNER, command, it first stops all the child processes and then launches 25 new ones which perform a scan or an attack in a way chosen by the cybercriminals.