A new Linux Trojan has been detected that is capable of spreading through infected websites. Its name is Linux.Rex.1 and it can cause infected machines to participate in peer-to-peer botnets.
Linux.Rex.1 Can Spread Itself and Create P2P Botnets
The new Trojan, which targets GNU/Linux systems, is written in the Go programming language. Its capabilities include targeting web servers that run various content management systems. Linux.Rex.1 launches distributed denial of service (DDoS) attacks, sends spam messages and can even spread itself across a network once it has infiltrated a target host. The first attacks observed were against Drupal sites, and it has since demonstrated more of its capabilities.
What is more interesting is its ability to build a peer-to-peer (P2P) botnet out of the infected computers. The Trojan uses a protocol that lets infected hosts share information with one another, so that each compromised system becomes a node in a larger botnet.
The developers of Linux.Rex.1 have built in HTTPS support for sending and receiving commands and controlling the botnet. The Trojan also carries a dedicated module that scans content management systems for security vulnerabilities. It searches for network hardware and runs known exploits against it, then harvests information such as user lists, private SSH keys and account credentials stored on the system.
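A host-level check that follows from the P2P description above: an ordinary web server process accepts many inbound connections on its service port, whereas a P2P bot node holds outbound connections from ephemeral local ports to many distinct peers on high ports. The following hunt script is an added example (not code from the article or from the malware analysis it summarizes); it parses constructed sample lines in the shape of `ss -tnp` output, and the process name `rexnode` and all addresses are hypothetical.

```python
"""Heuristic hunt for P2P-bot fan-out on a Linux web server (added example)."""
import re
from collections import defaultdict

# Constructed sample in the shape of `ss -tnp` output; the process name
# "rexnode" and every address here are hypothetical, not taken from the article.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port   Process
ESTAB  0      0      10.0.0.5:44120      203.0.113.7:57291   users:(("rexnode",pid=4120,fd=9))
ESTAB  0      0      10.0.0.5:44121      198.51.100.9:50433  users:(("rexnode",pid=4120,fd=10))
ESTAB  0      0      10.0.0.5:44122      192.0.2.33:61200    users:(("rexnode",pid=4120,fd=11))
ESTAB  0      0      10.0.0.5:44123      192.0.2.34:61201    users:(("rexnode",pid=4120,fd=12))
ESTAB  0      0      10.0.0.5:80         192.0.2.50:51000    users:(("nginx",pid=900,fd=5))
ESTAB  0      0      10.0.0.5:80         192.0.2.51:51001    users:(("nginx",pid=900,fd=6))
ESTAB  0      0      10.0.0.5:39000      192.0.2.60:443      users:(("curl",pid=1200,fd=3))
"""

# One established connection line: local addr:port, peer addr:port, owning process.
SS_LINE = re.compile(
    r'^ESTAB\s+\d+\s+\d+\s+(?P<laddr>\S+):(?P<lport>\d+)\s+'
    r'(?P<paddr>\S+):(?P<pport>\d+)\s+users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)


def parse_established(ss_output):
    """Return a list of dicts, one per ESTAB line that matches the expected shape."""
    conns = []
    for line in ss_output.splitlines():
        m = SS_LINE.match(line.strip())
        if not m:
            continue  # header line or a line in a shape we do not understand
        d = m.groupdict()
        d["lport"] = int(d["lport"])
        d["pport"] = int(d["pport"])
        d["pid"] = int(d["pid"])
        conns.append(d)
    return conns


def hunt_p2p_fanout(ss_output, service_ports=(80, 443), min_peers=3):
    """Flag processes with established connections to many distinct peers on
    high ports, originating from ephemeral local ports (outbound fan-out).

    Inbound client connections to the server's own service ports and outbound
    connections to well-known ports (e.g. 443) are ignored, since both are
    normal for a web server; the threshold is a tunable heuristic, not a rule.
    """
    peers = defaultdict(set)
    for c in parse_established(ss_output):
        if c["lport"] in service_ports:
            continue  # a client talking to our web server
        if c["pport"] <= 1024:
            continue  # ordinary outbound request to a well-known service port
        peers[(c["proc"], c["pid"])].add(c["paddr"])

    findings = []
    for (proc, pid), addrs in sorted(peers.items()):
        if len(addrs) >= min_peers:
            findings.append({
                "process": proc,
                "pid": pid,
                "peer_count": len(addrs),
                "peers": sorted(addrs),
            })
    return findings


if __name__ == "__main__":
    for f in hunt_p2p_fanout(SAMPLE_SS_OUTPUT):
        print(f"{f['process']} (pid {f['pid']}): {f['peer_count']} peers -> {f['peers']}")
```

On a real host the same function can be fed the output of `ss -tnp` run as root; a hit is a starting point for triage (inspect the binary behind the pid and its on-disk location, then check whether the web application's user should be making such connections at all), not a verdict on its own.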
Website owners can also receive spam email messages crafted by the Trojan. These messages threaten the administrators with DDoS attacks. The botnet inserts malicious redirection links into the messages to extort the victims, who are pressured to pay a ransom in Bitcoin to avoid attacks from infected computers worldwide.
Because Linux.Rex.1 has the potent ability to scan for and exploit SQL vulnerabilities in Drupal installations, all owners of websites that run this content management system should secure their sites. All attacks are automated and require no manual input from their creators.