September 14, 2016
Linux users have yet another trojan to worry about, and as usual, crooks are deploying it mostly to hijack devices running Linux-based operating systems and use them to launch DDoS attacks on command.
Dr.Web security researchers, the ones who have discovered this threat, say the trojan seems to infect Linux machines via the Shellshock vulnerability, still unpatched in a large number of devices.
The trojan, going by the generic name of Linux.DDoS.93, first and foremost modifies the /var/run/dhcpclient-eth0.pid file so that its own process is started on every boot. If the file doesn't exist, the trojan creates it itself.
Once the trojan is initiated after a boot-up, it operates using two processes. One is used to talk to the C&C server, while the second makes sure the trojan’s parent process is always up and running.
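The persistence mechanism described above gives a defender something concrete to audit: a pid file under /var/run should contain nothing but a decimal PID, and that PID should belong to a real DHCP client. The following audit script is an added example, not code from the article or from Dr.Web; the list of "expected" DHCP client process names, the fake-/proc layout used for offline testing and the sample contents are assumptions constructed for illustration, so adjust the names to whatever client your distribution actually runs.

```python
"""Audit a DHCP-client pid file for signs of tampering (added example).

Two checks are made:
  1. the file must contain only a decimal PID (anything else is suspicious);
  2. the process behind that PID, looked up via /proc/<pid>/comm, must be a
     known DHCP client (assumed names below; adjust for your distribution).
"""
import os
import re
import sys

# Assumption: these are the legitimate DHCP client process names on the host.
EXPECTED_DHCP_CLIENTS = ("dhclient", "dhcpcd", "udhcpc")

# Path the article says Linux.DDoS.93 modifies or creates.
DEFAULT_PID_FILE = "/var/run/dhcpclient-eth0.pid"


def parse_pid_file(contents: str):
    """Return the PID as int if the text is a bare decimal number, else None."""
    stripped = contents.strip()
    if re.fullmatch(r"\d+", stripped):
        return int(stripped)
    return None


def process_name(pid: int, proc_root: str = "/proc"):
    """Return the comm name for pid from <proc_root>/<pid>/comm, or None."""
    try:
        with open(os.path.join(proc_root, str(pid), "comm"), encoding="utf-8") as fh:
            return fh.read().strip()
    except OSError:
        return None


def assess_pid_file(contents: str, resolved_name):
    """Classify pid-file text plus the name of the process it points to.

    Returns (status, message) with status in {"ok", "stale", "suspicious"}.
    resolved_name is None when no process with that PID exists.
    """
    pid = parse_pid_file(contents)
    if pid is None:
        return ("suspicious", "pid file does not contain a plain decimal PID")
    if resolved_name is None:
        return ("stale", f"no running process with PID {pid}; review how the file got here")
    if resolved_name not in EXPECTED_DHCP_CLIENTS:
        return ("suspicious", f"PID {pid} is '{resolved_name}', not a known DHCP client")
    return ("ok", f"PID {pid} is '{resolved_name}'")


def audit_pid_file(path: str = DEFAULT_PID_FILE, proc_root: str = "/proc"):
    """Read the pid file from disk and classify it; missing file is reported as ok."""
    try:
        with open(path, encoding="utf-8") as fh:
            contents = fh.read()
    except FileNotFoundError:
        return ("ok", f"{path} does not exist")
    pid = parse_pid_file(contents)
    name = process_name(pid, proc_root) if pid is not None else None
    return assess_pid_file(contents, name)


# Constructed sample inputs so the script demonstrates itself offline.
CONSTRUCTED_SAMPLES = [
    ("1234\n", "dhclient"),          # healthy: plain PID, real DHCP client
    ("4321\n", "sh"),                # PID points at a shell, not a DHCP client
    ("4321\n", None),                # PID no longer exists
    ("1234\n/usr/sbin/evil &\n", "dhclient"),  # extra content appended to file
]

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_PID_FILE
    print("live check:", *audit_pid_file(target))
    for contents, name in CONSTRUCTED_SAMPLES:
        print("sample   :", *assess_pid_file(contents, name), "<-", repr(contents))
```

Run it with no arguments to audit the default path, or pass another pid file; the constructed samples show each classification without touching the live system. A "stale" result is not proof of infection on its own (a crashed client leaves the same trace), which is why it is reported separately from "suspicious".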
Trojan uses 25 child processes to launch the DDoS attacks
When the attacker in control of the trojan’s botnet issues an attack command, the trojan launches 25 child processes that carry out the DDoS attack.
Currently, the trojan can start UDP floods (on a random port, on a specific port, or spoofed UDP floods), TCP floods (simple packets or with random data up to 4096 B added to each packet), and HTTP floods (via POST, GET, or HEAD requests).
Furthermore, the trojan can also update itself, delete itself, terminate its process, send a ping, and download and run a file received from the C&C server.