Doctor Web examines two Linux Trojans

June 5, 2017

Doctor Web security researchers have examined two malicious programs for Linux. One of them installs a cryptocurrency-mining application on the devices it infects, and the other runs a proxy server.

The first of the two was added to the Dr.Web virus databases under the name Linux.MulDrop.14. This malicious program attacks only Raspberry Pi minicomputers. Criminals started distributing Linux.MulDrop.14 in the second half of May. The Trojan is a script that contains a compressed and encrypted application designed to mine cryptocurrency. Linux.MulDrop.14 changes the password on the devices it infects, unpacks and launches a miner, and then, in an infinite loop, starts searching for network nodes with an open port 22. After establishing a connection with them via the SSH protocol, the Trojan attempts to run a copy of itself on them.
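An added example (not from Doctor Web's analysis) of how the port-22 search loop described above can be spotted from the defender's side: it flags any host that opens SSH connections to many distinct destinations within a short window. The flow-record format, the addresses, the 60-second window and the threshold of 5 are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed flow records, "time src dst dst_port" (format is an assumption).
SAMPLE_FLOWS = """\
2017-06-01T10:00:00 192.0.2.10 198.51.100.1 22
2017-06-01T10:00:01 192.0.2.20 192.0.2.5 22
2017-06-01T10:00:02 192.0.2.10 198.51.100.2 22
2017-06-01T10:00:04 192.0.2.10 198.51.100.3 22
2017-06-01T10:00:05 192.0.2.10 203.0.113.7 443
2017-06-01T10:00:06 192.0.2.10 198.51.100.4 22
2017-06-01T10:00:07 192.0.2.20 192.0.2.5 22
2017-06-01T10:00:08 192.0.2.10 198.51.100.5 22
2017-06-01T10:05:00 192.0.2.30 198.51.100.1 22
2017-06-01T10:10:00 192.0.2.30 198.51.100.2 22
2017-06-01T10:15:00 192.0.2.30 198.51.100.3 22
2017-06-01T10:20:00 192.0.2.30 198.51.100.4 22
2017-06-01T10:25:00 192.0.2.30 198.51.100.5 22
"""

WINDOW = timedelta(seconds=60)  # assumed look-back window
THRESHOLD = 5                   # assumed: distinct SSH destinations per window

def parse_flows(text):
    """Yield (time, src, dst, port) tuples, skipping malformed lines."""
    for line in text.splitlines():
        try:
            ts, src, dst, port = line.split()
            yield datetime.fromisoformat(ts), src, dst, int(port)
        except ValueError:
            continue

def find_ssh_scanners(flows, window=WINDOW, threshold=THRESHOLD):
    """Map each source IP to the time it first reached the threshold."""
    recent = defaultdict(deque)  # src -> (time, dst) pairs inside the window
    alerts = {}
    for when, src, dst, port in sorted(flows):
        if port != 22:
            continue
        seen = recent[src]
        seen.append((when, dst))
        while when - seen[0][0] > window:
            seen.popleft()
        if src not in alerts and len({d for _, d in seen}) >= threshold:
            alerts[src] = when
    return alerts

if __name__ == "__main__":
    print(find_ssh_scanners(parse_flows(SAMPLE_FLOWS)))
```

Only 192.0.2.10 is flagged: 192.0.2.20 keeps reconnecting to a single server, and 192.0.2.30 reaches five hosts but spread over twenty minutes.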

The other Trojan was named Linux.ProxyM. Attacks involving this Trojan have been noted since February 2017 but peaked in late May. The chart below shows how many Linux.ProxyM attacks Doctor Web specialists have pinpointed:

[Chart: number of Linux.ProxyM attacks pinpointed by Doctor Web specialists]

A significant portion of the attacked IP addresses is located in Russia. China is in second place and Taiwan in third. The illustration below shows the geographical locations from which Linux.ProxyM attacks have been launched:

[Illustration: geographical locations from which Linux.ProxyM attacks have been launched]

The Trojan uses a range of methods to detect honeypots, the decoy servers that digital security specialists use to examine malicious software. Once launched, it connects to its command and control server and, after getting confirmation from it, runs a SOCKS proxy server on the infected device. Cybercriminals can use this Trojan to ensure that they remain anonymous online.

Both of these Trojans are successfully detected and removed by Dr.Web products for Linux, and, therefore, they pose no threat to our users.
