The sixth Trojan for Linux this month has been identified as Linux.DDos.93, the threat hijacks the victim computers and performs DDOS attacks.
Linux.DdoS.93 Is the Latest Linux Trojan
Security researchers from Dr. Web have identified the latest Linux Trojan known as Linux.DDOS.93. This malware infects computer using the Shellshock vulnerability, which has remained unpatched to this date in a lot of devices.
The Trojan upon successful infiltration modifies the /var/run/dhcpclient-eth0.pid file so that the malware process will run at every computer boot. If the rule file has not been created, the Trojan will craft one for the system.
This particular Trojan uses 25 child processes to launch DDOS attacks when such a command is issued from the remote C&C server. The discovered iteration shows that the capabilities of Linux.DDOS.93 are the following:
- UDP Floods – These can be against random ports, specific targets or spoofed UDP floods
- TCP Floods – sequence of packets or random data up to 4096 Bytes
- HTTP Floods – Using the commonly used POST, GET and HEAD requests
The developers have added a function that scans the host’s memory for a list of processes that matches a list of strings. If they are detected then the Trojan shuts itself down:
privmsg
getlocalip
kaiten
brian krebs
botnet
bitcoin mine
litecoin mine
rootkit
keylogger
ddosing
nulling
hackforums
skiddie
script kiddie
blackhat
whitehat
greyhat
grayhat
doxing
malware
bootkit
ransomware
spyware
botkiller
The initiation phase of the virus operates with the help of two processes. The first one is used for communication with the remote malicious C&C server. The second one is responsible for keeping the parent process running.
