My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets


Back to the news list

Doctor Web presents overview of IoT-oriented Linux Trojans

October 17, 2016

Many different consumer devices—set-top boxes, network repositories, routers, and surveillance cameras—run the Linux operating system. And, many of these devices use default settings, which makes them very vulnerable to hacking. Doctor Web’s specialists have collected statistics on the most frequently detected Linux Trojans, including ones designed to attack the Internet of Things (IoT). This research shows that the Trojans installed most often on compromised devices are those that carry out DDoS attacks.

Currently, the virus makers spreading Trojans for the IoT are mostly concerned with creating botnets to carry out DDoS attacks. Nevertheless, some Trojans are implemented to make a proxy server from an infected device. Since mid-September 2016, Doctor Web’s specialists have registered 11,636 attacks by Linux Trojans—9,582 of them were performed over the SSH protocol; and 2,054—over the Telnet protocol. Cybercriminals installed 15 different malware programs, the majority of which belong to the Linux.DownLoader, Linux.DDoS, and Linux.BackDoor.Fgt families. The round diagram below shows the proportional relationship between the most frequently detected Linux Trojans.

graph #drweb

Judging from these statistics, Linux.Downloader.37 is the most popular malware program designed to perform DDoS attacks. Among other Linux Trojans, there are representatives of the Linux.Mrblack, Linux.BackDoor.Gates, Linux.Mirai, Linux.Nyadrop, Perl.Flood, and Perl.DDoS families, which are also intended to carry out DDoS attacks. A large number of different modifications of Linux.BackDoor.Fgt were registered on infected devices as well. In addition, versions of these Trojans exist for the MIPS, SPARC, m68k, SuperH, PowerPC, and other architectures. Linux.BackDoor.Fgt can also perform DDoS attacks.

Cybercriminals download all these Trojans to devices after they have cracked the login credentials and established a connection over the Telnet or SSH protocol. Attackers use the login “root” if they want to establish a connection via the Telnet protocol; and the login “admin” if they are using the SSH protocol:

graph #drweb

graph #drweb

The table below shows some standard combinations of the logins and passwords used by attackers to hack Linux devices.

LoginPasswordDevice/application (presumably)
InformixInformixFamily of the Informix relational database management system (RDBMS) developed by IBM
PiRaspberryRaspberry Pi
RootNagiosxiNagios Server and Network Monitoring Software
nagiosNagiosNagios software
cactiuserCactiCacti software
rootSynopassSynology software
adminArticonProxySG - Secure Web Gateway by Blue Coat Systems
Rootxc3511Surveillance cameras
RootVizxvDahua surveillance cameras
RootAnkoAnko surveillance cameras
Root5upTP-Link routers
RootXA1bac0MXCNB surveillance cameras

The average number of IP addresses from which cybercriminals attack Linux devices monitored by Doctor Web is 100:

graph #drweb

The number of unique malicious files downloaded by cybercriminals to hacked devices varies from just a few to several dozen:

graph #drweb

Worth noting are the statistics pertaining to Linux.Mirai downloads to vulnerable devices: once the source code of this Trojan became public, Linux.Mirai’s popularity with virus makers increased dramatically. This fact is illustrated by the growing number of IP addresses from which the malware program is downloaded onto devices:

graph #drweb

In October, a Trojan belonging to the Linux.Luabot family was used to spread Linux.Mirai. In the end of September, Doctor Web’s specialists registered attacks involving Linux.Nyadrop.1, which was first spotted by the authors of the MalwareMustDie blog. Judging by the combinations of logins and passwords used during the attacks, we can conclude that the criminals behind the Trojan were partly targeting TP-Link routers. The executable file of Linux.Nyadrop.1 is only 621 bytes in size and is used to install other malware programs on an infected device.

Below you can see the geographical spread of the IP addresses from which malware programs were installed onto Linux devices:

map #drweb

Doctor Web’s specialists are keeping a close watch on the Linux malware landscape and will inform users about new threats in a timely manner.

Tell us what you think

To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.

Other comments