Security researchers have discovered that thousands of GNU/Linux users are being infected by a new malware family known as the Linux Proxy Trojan.
Linux Proxy Trojan Is Dangerous and Wild
Computer security experts have discovered a wave of new infections that affects Linux users – the Linux Proxy Trojan. The first samples were detected by Dr. Web experts at the end of 2016, at which point several thousand computers had already been compromised. As it turns out, the infections have not stopped.
Once installed, the Trojan runs a SOCKS5 proxy server built from the freely available source code of Satanic Socks Server, a popular tool. The researchers note that the attackers use these proxies to remain anonymous, and it is likely that the infected machines are also used to spread further malware. The proxy service typically listens on one of the following ports: 18902, 27891, 28910, 33922, 37912, 39012, 48944, 49082, 49098, 56494, 61092, 31301.
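The port list above gives a defender a concrete host-level indicator. As an added example (not code from the original report or from Dr. Web), the script below parses the output of `ss -H -ltnp` on a Linux host, flags any TCP listener bound to one of the listed ports, and checks a reply byte pair for a SOCKS5 method-selection answer (RFC 1928) so that a suspicious listener can be confirmed to speak SOCKS5 rather than judged on its port number alone. The `ss` sample lines and the process names in them are constructed for the example.

```python
"""Flag TCP listeners on the ports associated with the Linux Proxy Trojan's
SOCKS5 service and confirm the protocol with a SOCKS5 greeting.
Sample input is constructed, not captured from an infected host."""
import re
import socket

# Port list as reported in the article.
PROXY_TROJAN_PORTS = {18902, 27891, 28910, 33922, 37912, 39012,
                      48944, 49082, 49098, 56494, 61092, 31301}

# Constructed sample of `ss -H -ltnp` output (State Recv-Q Send-Q Local Peer Process).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=812,fd=4))
LISTEN 0 50 0.0.0.0:33922 0.0.0.0:* users:(("cron",pid=2319,fd=5))
LISTEN 0 511 127.0.0.1:6379 127.0.0.1:* users:(("redis-server",pid=990,fd=6))
LISTEN 0 50 *:49098 *:* users:(("[kworker]",pid=2402,fd=3))
"""

# Extracts the first ("name",pid=N) pair from the Process column.
PROC_RE = re.compile(r'\(\("([^"]+)",pid=(\d+)')


def parse_listener(line):
    """Parse one `ss -ltnp` line into a dict, or return None for non-LISTEN rows."""
    parts = line.split(None, 5)
    if len(parts) < 5 or parts[0] != "LISTEN":
        return None
    local = parts[3]
    # Local address is "ip:port", "[v6]:port" or "*:port"; the port is after the last colon.
    port = int(local.rsplit(":", 1)[1])
    proc, pid = "?", None
    if len(parts) == 6:
        m = PROC_RE.search(parts[5])
        if m:
            proc, pid = m.group(1), int(m.group(2))
    return {"port": port, "addr": local, "process": proc, "pid": pid}


def find_suspect_listeners(ss_output, watch=PROXY_TROJAN_PORTS):
    """Return listeners whose port is in the watch list, in output order."""
    hits = []
    for line in ss_output.splitlines():
        rec = parse_listener(line)
        if rec and rec["port"] in watch:
            hits.append(rec)
    return hits


def socks5_reply_ok(data):
    """True if `data` is a SOCKS5 method-selection reply accepting 'no auth'
    (RFC 1928: VER=0x05, METHOD=0x00). 0xFF means no acceptable method."""
    return len(data) >= 2 and data[0] == 0x05 and data[1] == 0x00


def probe_socks5(host, port, timeout=3.0):
    """Send a SOCKS5 greeting offering only 'no authentication' to a listener on
    this host and report whether it answers like a SOCKS5 server. Network I/O,
    intended to be run against your own machine's suspicious listener."""
    greeting = b"\x05\x01\x00"  # VER=5, NMETHODS=1, METHODS=[0x00]
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(greeting)
            return socks5_reply_ok(s.recv(2))
    except OSError:
        return False


if __name__ == "__main__":
    for hit in find_suspect_listeners(SAMPLE_SS_OUTPUT):
        print(f"port {hit['port']} ({hit['addr']}) owned by {hit['process']} pid {hit['pid']}")
```

A port match on its own is only an indicator, so the next step on a real host is to inspect the owning process (`/proc/<pid>/exe`, its command line and parent) and, if it is not an expected service, run `probe_socks5("127.0.0.1", port)` to confirm the listener speaks SOCKS5.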
The Trojan is primarily distributed through direct software exploits. It is a secondary payload, meaning that the initial compromise is carried out by other trojans or viruses.
The attacks can also be initiated with automated exploit kits that scan a range of IP addresses and look for outdated software versions. The weak spot that Linux Proxy Trojan uses to break into a system is the SSH protocol: many SSH server installations run with default or poor configurations, and if the attackers break into them they effectively gain control of the host. An easy way into such systems is a dictionary attack against the login. Computers with prior infections are also exposed to Linux Proxy Trojan attacks.
The control servers responsible for distributing the infections contain an elaborate administrative panel. The researchers also uncovered that the operators of this Trojan are in control of a Windows Trojan known as the TeamViewer Backdoor.
Linux Proxy Trojan Defense
System administrators can protect their systems by turning off any remote administration services they do not need. Services that must remain running should be secured with a comprehensive security policy and up-to-date, hardened configuration files.
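The two SSH weaknesses the article names, default or poor server configurations and password dictionary attacks, can both be audited from the host. The script below is an added example (not code from the article or from Dr. Web): it parses an `sshd_config`, reports the settings that leave password guessing open, shows a weak configuration beside a hardened one, and counts failed password logins per source address in `auth.log`-style lines so that a dictionary attack in progress stands out. The configuration fragments, log lines and the alert threshold of three failures are constructed for the example; the defaults assumed for unset keywords (`PasswordAuthentication yes`, `MaxAuthTries 6`) are OpenSSH's documented defaults.

```python
"""Audit an OpenSSH server for the two exposures discussed above: a weak
sshd_config and password dictionary attacks visible in the auth log.
All configuration text and log lines here are constructed."""
import re
from collections import Counter

# Constructed sshd_config fragments: the weak one next to the hardened one.
WEAK_SSHD_CONFIG = """\
# Typical default-style configuration
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
"""

# Constructed auth.log excerpt using RFC 5737 documentation addresses.
SAMPLE_AUTH_LOG = [
    "Jan 12 03:14:07 web1 sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2",
    "Jan 12 03:14:09 web1 sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2",
    "Jan 12 03:14:11 web1 sshd[2313]: Failed password for root from 203.0.113.7 port 51130 ssh2",
    "Jan 12 03:14:12 web1 sshd[2315]: Failed password for invalid user test from 203.0.113.7 port 51131 ssh2",
    "Jan 12 03:14:14 web1 sshd[2317]: Failed password for root from 203.0.113.7 port 51134 ssh2",
    "Jan 12 03:20:41 web1 sshd[2350]: Failed password for alice from 198.51.100.4 port 40012 ssh2",
    "Jan 12 03:20:50 web1 sshd[2350]: Accepted publickey for alice from 198.51.100.4 port 40012 ssh2",
]

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")


def parse_sshd_config(text):
    """Return {keyword_lowercase: value}. sshd keywords are case-insensitive and
    the first occurrence of a keyword wins, which setdefault reproduces."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def audit_sshd_config(text):
    """Return (keyword, value, reason) findings for settings that invite password guessing."""
    s = parse_sshd_config(text)
    findings = []
    if s.get("permitrootlogin", "").lower() == "yes":
        findings.append(("PermitRootLogin", "yes", "root account can be attacked directly"))
    # OpenSSH's default when the keyword is absent is 'yes'.
    pw = s.get("passwordauthentication", "yes").lower()
    if pw == "yes":
        findings.append(("PasswordAuthentication", s.get("passwordauthentication", "<unset>"),
                         "password logins allow dictionary attacks; prefer keys"))
    try:
        tries = int(s.get("maxauthtries", "6"))  # OpenSSH default is 6
    except ValueError:
        tries = 6
    if tries > 3:  # example threshold, not an OpenSSH rule
        findings.append(("MaxAuthTries", str(tries), "many guesses allowed per connection"))
    return findings


def brute_force_sources(log_lines, threshold=3):
    """Count 'Failed password' events per source address and return those
    at or above the threshold (accepted logins are not counted)."""
    per_source = Counter()
    for line in log_lines:
        m = FAILED_RE.search(line)
        if m:
            per_source[m.group(2)] += 1
    return {src: n for src, n in per_source.items() if n >= threshold}


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(label, audit_sshd_config(cfg))
    print(brute_force_sources(SAMPLE_AUTH_LOG))
```

On a real host, feed the script `/etc/ssh/sshd_config` and the SSH lines from the auth log (or `journalctl -u ssh`); a source that trips the threshold is a candidate for a firewall block, and an audit that reports findings on a machine that does not need remote administration is a reason to disable `sshd` outright, as the article recommends.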