Linux Computers Targeted by New Backdoor and DDoS Trojan


Batu69


Threat level is low: the trojan needs the user to run it with root privileges before it can infect the machine

After being bombarded with new malware towards the end of last year, the Linux ecosystem is rocked again by the discovery of a new trojan family, identified by security researchers as Linux.BackDoor.Xudp.

The detail that matters most is that this threat does not exploit vulnerabilities, run automated scanning scripts, or brute-force credentials to get in; it survives only because users install it themselves and hand it root.

The infection scenario is simple: users download malicious packages or applications from the Internet and then grant them root privileges during installation.

Linux.BackDoor.Xudp is installed via Linux.Downloader

Xudp is not distributed directly. Instead, the crooks lace these malicious packages with another piece of malware, Linux.Downloader. This is what the infosec community calls a payload downloader: malware small enough to fit inside other apps, whose only task is to fetch and run further malware.

In this particular case, after the user gives root privileges to an app laced with Linux.Downloader (version 77), this trojan downloads an upgraded version of itself (version 116), which includes the extra features needed to install Xudp.

Version 116 then downloads and installs Xudp in the "/lib/.socket1" or "/lib/.loves" directory, adds Xudp to the system's autorun scripts, and flushes the local iptables firewall rules, if any are configured.

Xudp hides its C&C traffic with encryption

Linux.Downloader then shuts down and Xudp takes over. The first thing it does is read a hardcoded configuration file for any instructions the attacker preset, then gather information about the infected computer and send it to its C&C (command and control) server, announcing that a new victim was successfully infected.

This first ping to the C&C server is sent as a cleartext HTTP request, but all subsequent communication is handled over HTTPS. That initial cleartext beacon is therefore the only part of the exchange a network monitor can inspect without TLS interception.

As for Xudp's main components, the trojan is split into three major threads. The first handles C&C server communications over HTTPS, the second continuously listens for instructions coming from the C&C server, and the third periodically sends data from the infected machine to the attacker's server.

Technically, Dr.Web's security experts say that Xudp can be used as a backdoor to execute commands on the infected machine, or as a bot in coordinated DDoS attacks. At the time of writing, the antivirus maker had detected at least three different versions of Linux.BackDoor.Xudp.

Article source

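A host triage check for the indicators the article names, added here as an example (it is not Dr.Web's or the article's code). It looks for the two hidden install directories under /lib, greps common autorun locations for references to them, and reports whether the live iptables filter table holds no rules. The autorun locations (rc.local, init.d, cron.d) are assumptions, since the article does not say which autorun scripts Xudp modifies, and the optional root-prefix argument is an assumption that lets the check run against a mounted disk image.

```sh
#!/bin/sh
# Triage for the Linux.BackDoor.Xudp indicators named in the article.
# Added example, not Dr.Web's code. Every function takes an optional
# filesystem root prefix (assumption) so a mounted image can be checked;
# an empty prefix means the live system.

# Install directories the article reports (the only concrete IOCs it gives).
XUDP_PATHS="/lib/.socket1 /lib/.loves"

# Print each indicator directory present under $1. Returns 1 if any exist.
xudp_check_paths() {
    root="${1:-}"
    found=0
    for p in $XUDP_PATHS; do
        if [ -e "$root$p" ]; then
            echo "INDICATOR: $root$p exists"
            found=1
        fi
    done
    return $found
}

# Grep common autorun locations (assumed; the article does not list them)
# for references to the install directories. Returns 1 on any hit.
xudp_check_autorun() {
    root="${1:-}"
    hits=0
    for f in "$root/etc/rc.local" "$root"/etc/init.d/* "$root"/etc/cron.d/*; do
        [ -f "$f" ] || continue
        if grep -q -e '/lib/\.socket1' -e '/lib/\.loves' "$f" 2>/dev/null; then
            echo "INDICATOR: $f references an Xudp install path"
            hits=1
        fi
    done
    return $hits
}

# Informational only: warn when the live filter table has nothing but the
# default chain policies, which is what a flushed ruleset looks like.
xudp_check_iptables() {
    if ! command -v iptables >/dev/null 2>&1; then
        echo "iptables not available, skipping firewall check"
        return 0
    fi
    if ! out=$(iptables -S 2>/dev/null); then
        echo "cannot query iptables (need root?), skipping firewall check"
        return 0
    fi
    rules=$(printf '%s\n' "$out" | grep -vc '^-P') || true
    if [ "$rules" -eq 0 ]; then
        echo "WARNING: iptables filter table holds no rules (flushed or never configured)"
    fi
    return 0
}

# Run every check; returns 1 if a file-system indicator was found.
# The firewall check only makes sense on the live system, so it is skipped
# when a root prefix is given.
xudp_triage() {
    root="${1:-}"
    rc=0
    xudp_check_paths "$root" || rc=1
    xudp_check_autorun "$root" || rc=1
    if [ -z "$root" ]; then
        xudp_check_iptables
    fi
    return $rc
}

# Run the full triage when executed directly as xudp_triage.sh; when sourced
# from another script only the functions are defined.
case "$0" in
    *xudp_triage.sh) xudp_triage "${1:-}" ;;
esac
```

Run it as root on the live box (`sh xudp_triage.sh`) or point it at a mounted image (`sh xudp_triage.sh /mnt/evidence`). A non-zero exit means one of the two install paths, or a reference to them in an autorun file, was found; the iptables warning on its own only says the table is empty, which is also the state of a host that never configured a firewall.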



I think these attackers are recruited by m$ft, seeing Linux's increasing popularity.



7 hours ago, rudrax said:

I think these attackers are recruited by m$ft, seeing Linux's increasing popularity.

:o  :eekout:



9 hours ago, rudrax said:

I think these attackers are recruited by m$ft, seeing Linux's increasing popularity.

I think Dr.Web makes malware for Linux to try to scare people into buying their software. Whenever you see a post about malware in Linux, 90% of the time it comes from Dr.Web finding it and not actually explaining how we catch it. Because if they explained it and showed a proof of concept, common sense is more effective than any AV. The reason I don't like AV in Linux is that you must give them root privileges all the time, which is not safe at all; that's a good way to catch malware. Most things in Linux don't require root, just updates and putting passwords in, so I'm not going to give software programs root in Linux very often; it's not required. The Linux Foundation is more worried about being able to patch widespread security holes, like in the past when they had to patch Shellshock, Heartbleed and POODLE.

 

Dr.Web and Kaspersky were both caught making fake malware/false positives before, just to see if other vendors would adopt their signatures. So really I don't trust Dr.Web at all.

http://krebsonsecurity.com/2015/09/like-kaspersky-russian-antivirus-firm-dr-web-tested-rivals/

 

They charged people $35 for software to unlock CryptoLocker files, and Bitdefender did it for free. Dr.Web is very shady.

 

One time they wanted Macs' universally unique IDs (UUIDs) to check for a virus.

http://www.democraticunderground.com/1096657



"both companies experimented with ways to expose antivirus vendors who blindly accepted malware intelligence shared by rival firms."

"antivirus firms were merely aping the technology of competitors instead of developing their own."

"targeted antivirus products sold or given away by AVG, Avast and Microsoft."

- Dr. Web & Kaspersky had every right to stop competitors from stealing Dr. Web & Kaspersky technology.

- Just like Malwarebytes defended their technology from IObit stealing it.

And Brian Krebs has not been impartial at all... ;)

 


