My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets


Back to the news list

Doctor Web warns about new Trojan for Linux

September 14, 2016

Distributed Denial of Service (DDoS) attacks are the most common way for cybercriminals to attack network resources. A server under attack receives so many in-coming requests that it cannot cope with the influx and shuts down. Cybercriminals often use special malware for such attacks. One of these programs, dubbed Linux.DDoS.93, was discovered by Doctor Web’s security researchers.

The Trojan Linux.DDoS.93 was created to attack computers running under the Linux operating system. Presumably, it is spread via a set of ShellShock vulnerabilities in GNU Bash.

Once launched, the Linux.DDoS.93 tries to alter the contents of system directories to ensure that it gets run automatically. After that, the Trojan checks whether other copies of Linux.DDoS.93 are present on the infected computer and shuts down any it finds.

When launched successfully, the Trojan creates two child processes. The first one exchanges data with a command and control server. The second one verifies the parent process is running in an infinite loop (if not, it launches it). The parent process then does the same for the child process—thus, the Trojan operates continuously on the infected machine.

The Linux.DDoS.93 can execute the following commands:

  • Update the malicious program
  • Download and run the file specified in the command
  • Remove itself
  • Launch a UDP flood attack on a specified port
  • Launch a UDP flood attack on a random port
  • Launch a Spoofed UDP flood attack
  • Launch a TCP flood attack
  • Launch a TCP flood attack (random data up to 4096 B long is added to the packages)
  • Launch an HTTP flood attack using GET requests
  • Launch an HTTP flood attack using POST requests
  • Launch an HTTP flood attack using HEAD requests
  • Send HTTP requests with the parameters specified to 255 random IP addresses
  • Terminate execution
  • Send a PING command

When the Trojan receives the command to launch a DDoS attack or send random requests, it first shuts down all the child processes and then launches 25 new ones which subsequently carry out criminal-ordered attacks. The signature of Linux.DDoS.93 has been added to the Dr.Web virus databases. Thus, users of Dr.Web for Linux are reliably protected.

More about this Trojan

Tell us what you think

To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.

Other comments