Doctor Web warns about new Trojan for Linux

September 14, 2016

Distributed Denial of Service (DDoS) attacks are the most common way for cybercriminals to attack network resources. A server under attack receives so many incoming requests that it cannot cope with the influx and shuts down. Cybercriminals often use special malware for such attacks. One of these programs, dubbed Linux.DDoS.93, was discovered by Doctor Web’s security researchers.

The Trojan Linux.DDoS.93 was created to attack computers running under the Linux operating system. Presumably, it is spread via a set of ShellShock vulnerabilities in GNU Bash.

Once launched, Linux.DDoS.93 tries to alter the contents of system directories to ensure that it gets run automatically. After that, the Trojan checks whether other copies of Linux.DDoS.93 are present on the infected computer and shuts down any it finds.

When launched successfully, the Trojan creates two child processes. The first one exchanges data with a command and control server. The second one checks, in an infinite loop, whether the parent process is running (if not, it launches it). The parent process then does the same for the child process, so the Trojan operates continuously on the infected machine.

Linux.DDoS.93 can execute the following commands:

  • Update the malicious program
  • Download and run the file specified in the command
  • Remove itself
  • Launch a UDP flood attack on a specified port
  • Launch a UDP flood attack on a random port
  • Launch a spoofed UDP flood attack
  • Launch a TCP flood attack
  • Launch a TCP flood attack (random data up to 4096 B long is added to the packets)
  • Launch an HTTP flood attack using GET requests
  • Launch an HTTP flood attack using POST requests
  • Launch an HTTP flood attack using HEAD requests
  • Send HTTP requests with the parameters specified to 255 random IP addresses
  • Terminate execution
  • Send a PING command

When the Trojan receives a command to launch a DDoS attack or send random requests, it first shuts down all of its child processes and then launches 25 new ones, which carry out the attacks ordered by the cybercriminals. The signature of Linux.DDoS.93 has been added to the Dr.Web virus databases, so users of Dr.Web for Linux are reliably protected.
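The process behaviour described above (all child processes stopped, then 25 new ones started) can serve as a host-side detection heuristic. The Python below is an added example, not Doctor Web's code: the event tuple format, the executable path and the PIDs are constructed for illustration, and it assumes the 25 new processes are children of the same parent.

```python
from collections import defaultdict

# Constructed sample events: (time_s, event, pid, ppid, exe). Hypothetical format,
# as might be derived from process auditing; path and PIDs are made up.
def sample_events():
    exe = "/tmp/constructed-sample"
    ev = [(0.0, "fork", 101, 100, exe), (0.1, "fork", 102, 100, exe)]
    ev += [(60.0, "exit", 101, 100, exe), (60.0, "exit", 102, 100, exe)]
    ev += [(60.2 + i * 0.01, "fork", 200 + i, 100, exe) for i in range(25)]
    # Benign noise: a build tool that starts a few children and never clears them.
    ev += [(10.0 + i, "fork", 900 + i, 50, "/usr/bin/make") for i in range(4)]
    return sorted(ev)

def find_respawn_bursts(events, burst=25, window=5.0):
    """Flag parents whose tracked children all exit and are replaced, within
    `window` seconds, by at least `burst` new children of one executable."""
    live = defaultdict(set)      # ppid -> pids of currently live children
    cleared_at = {}              # ppid -> time its child set last became empty
    recent = defaultdict(list)   # (ppid, exe) -> fork times since last clear
    hits = []
    for t, kind, pid, ppid, exe in events:
        if kind == "exit" and pid in live[ppid]:
            live[ppid].remove(pid)
            if not live[ppid]:
                cleared_at[ppid] = t
                for key in [k for k in recent if k[0] == ppid]:
                    recent[key].clear()
        elif kind == "fork":
            live[ppid].add(pid)
            if ppid in cleared_at and t - cleared_at[ppid] <= window:
                recent[(ppid, exe)].append(t)
                if len(recent[(ppid, exe)]) == burst:
                    hits.append({"ppid": ppid, "exe": exe,
                                 "cleared": cleared_at[ppid], "reached": t})
    return hits

if __name__ == "__main__":
    for hit in find_respawn_bursts(sample_events()):
        print("respawn burst:", hit)
```

The threshold of 25 comes from the article; the 5-second window is an assumed tuning value, and a hit is a lead for investigation rather than proof of infection.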


© Doctor Web
2003 — 2017
