The developer of the LuaBot Linux DDoS Trojan has answered some questions about the malware in an email interview.
LuaBot Developer Talks About His Creation
LuaBot is one of the latest threats to the GNU/Linux operating system. The malware is written in the Lua programming language, which makes it both portable and extensible. One of the Trojan's distinctive features is that it mainly targets Internet of Things (IoT) devices, recruits them into botnets and launches distributed denial of service attacks against predefined targets.
Security experts have also revealed that it might contain a function that bypasses the DDoS protection mechanisms offered by the web security vendor Sucuri. A French researcher known as x0rz contacted LuaBot's author and asked him a few questions. The developer responded, and his answers reveal details about the threat's nature.
The author (who does not reveal his identity) says that his creation does not contain any binary modules and that attackers usually use several bots at once to launch attacks. The developer says that he is not a member of any hacking group.
According to his statement, the bot is not designed to harm router owners, and it does not steal any passwords by design. LuaBot is not intended to run booter services like vDOS.
The bot operations are protected by using several mechanisms:
- VPN and Tor connections to conceal the network traffic to and from the operator.
- The use of the Bitcoin cryptocurrency so that the financial transactions cannot be traced.
- A covert identity using nicknames and made-up email addresses.
The router vulnerabilities used as exploits were public or semi-public. The bot was written over several years, and the author is considering several improvements, such as a P2P based C&C channel that works over a DHT.
So far, no major attack campaigns using LuaBot have been reported. You can read the whole interview on Medium.