
Doctor Web warns of website hacking using the “Internet of things”

December 7, 2017

Doctor Web has already published an article on the Trojan Linux.ProxyM capable of infecting “smart” Linux devices. In September, cybercriminals used it to send spam, and lately they have been using it to hack websites.

Linux.ProxyM is a malicious program for Linux that launches a SOCKS proxy server on an infected device. Cybercriminals can use it to perform destructive actions anonymously. Known builds of this Trojan exist for devices with the following architectures: x86, MIPS, MIPSEL, PowerPC, ARM, SuperH, Motorola 68000, and SPARC. This means Linux.ProxyM can infect almost any Linux device, including routers, set-top boxes, and other similar equipment.

In September, Doctor Web security researchers learned that cybercriminals were using Linux.ProxyM to send over 400 spam messages per day from each infected device. The emails advertised adult content resources and questionable financial services. Soon the cybercriminals began using the “Internet of things” to distribute phishing messages as well. The emails were supposedly sent on behalf of DocuSign, a service that allows users to download, view, sign and track the status of electronic documents.

[Screenshot: Linux.ProxyM]

If a user followed a link in such an email, they landed on a fake DocuSign website with an authorization form. After the victim entered a password, they were redirected to the real DocuSign authorization page, while the contents of the phishing form were sent to the cybercriminals.

[Screenshot: Linux.ProxyM]

In December, cybercriminals found another use for devices infected with Linux.ProxyM: they routed their traffic through the Trojan’s proxy server to preserve anonymity and made numerous attempts at hacking websites. Several hacking methods were used: SQL injection (injecting malicious SQL code into a request to a website’s database); XSS (Cross-Site Scripting), an attack in which a malicious script is added to a webpage and then executed on a visitor’s computer when the page is opened; and Local File Inclusion (LFI), which allows attackers to remotely read files on the attacked server using specially crafted requests. Among the attacked websites were game servers, forums and resources on other topics, including Russian websites.
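Because the attacks described above arrive through proxy exit nodes, the defender's first signal is usually the web server's own access log. The following script is an added example, not Doctor Web's code: it parses constructed access-log lines (the 198.51.100.x addresses and paths are placeholders) and flags the three attack classes named in the report, then counts flagged requests per source address so a proxied node that probes repeatedly stands out.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from Doctor Web's report); the
# 198.51.100.x addresses and request paths are placeholder values.
SAMPLE_LOG = """\
198.51.100.7 - - [07/Dec/2017:10:01:02 +0000] "GET /index.php?id=1 HTTP/1.1" 200 512
198.51.100.7 - - [07/Dec/2017:10:01:03 +0000] "GET /index.php?id=1%27%20OR%201%3D1-- HTTP/1.1" 200 812
198.51.100.9 - - [07/Dec/2017:10:02:10 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 301
198.51.100.9 - - [07/Dec/2017:10:02:11 +0000] "GET /page.php?file=../../../../etc/passwd HTTP/1.1" 403 0
198.51.100.12 - - [07/Dec/2017:10:03:00 +0000] "GET /forum/viewtopic.php?t=42 HTTP/1.1" 200 2048
"""

# Common Log Format: client, ident, user, [timestamp], "request line", status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

# Signatures for the three attack classes named in the report. Deliberately
# narrow: the aim is log triage, not a complete WAF rule set.
SIGNATURES = {
    "sqli": re.compile(r"(?i)[\'\"]\s*(or|and)\s+\d+\s*=\s*\d+|union\s+select|--\s*$|;\s*drop\s"),
    "xss": re.compile(r"(?i)<\s*script\b|javascript:|\bon\w+\s*="),
    "lfi": re.compile(r"(\.\./){2,}|/etc/passwd|/proc/self/environ|php://"),
}

def classify_request(path):
    """Return the attack class matched by a decoded request path, or None."""
    decoded = unquote(unquote(path))  # handle single and double URL-encoding
    for name, pattern in SIGNATURES.items():
        if pattern.search(decoded):
            return name
    return None

def scan_log(text):
    """Parse access-log lines and return (ip, class, path) for suspicious ones."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        label = classify_request(m.group("path"))
        if label:
            hits.append((m.group("ip"), label, m.group("path")))
    return hits

def ips_by_attack_count(hits):
    """Count flagged requests per source IP; a proxy exit node shows up as a repeat offender."""
    counts = {}
    for ip, _, _ in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return counts
```

Run `scan_log(SAMPLE_LOG)` on the constructed lines to see one hit per attack class, and feed the result to `ips_by_attack_count` to rank sources.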

Doctor Web security analysts continue to monitor the activity of the Linux.ProxyM botnet. The chart below shows the number of registered Trojan attacks.

[Chart: number of registered ProxyM attacks]

Although Linux.ProxyM has only one function, a proxy server, cybercriminals keep finding new ways to use it for illegal actions and are showing increasing interest in the “Internet of things”.

More about the Trojan

© Doctor Web
2003 — 2017