My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets


Back to the news list

New Trojan for Linux attacks websites

April 13, 2015

Doctor Web security researchers have examined a new Trojan that can infect computers with Linux operating system. This malicious program possesses the ability to scan remote websites for vulnerabilities and to attack resources with the specified addresses over HTTP protocol. Cybercriminals can control the Trojan using the IRC (Internet Relay Chat) text-messaging protocol.

The malware that acquired the name Linux.BackDoor.Sessox.1 registers itself in the autorun of the infected computer. Then the Trojan connects to the command and control server, which has a chat supporting the text-messaging protocol IRC (Internet Relay Chat) running on. Cybercriminals’ commands are received by the bot operating in this chat. The Trojan can execute the following commands:

  • Log in the IRC chat with the specified username and password.
  • Forward the information about the computer’s working time (uptime) to the IRC channel.
  • Change the nickname to a specified one.
  • Send the server the PONG message (in reply to the PING command).
  • Execute one of the following special functions:
    • Launch an attack on a specified website using repeating GET requests (HTTP Flooder).
    • Start scanning for the ShellShock vulnerability (ShellShock Scanner).
    • Start scanning PHP scripts (PHP Scanner).
    • Start the proxy server (SOCKS5 Proxy).

    By sending repeating GET requests to the website specified by cybercriminals, the Trojan can launch an attack. Moreover, upon the cybercriminals’ command, Linux.BackDoor.Sessox.1 can scan the attacked server for the ShellShock vulnerability which allows to execute arbitrary code on the server. Using specifically created POST requests, the malware can execute a scan of PHP scripts to launch a third-party script on the compromised server. Thus, cybercriminals can incorporate a copy of Linux.BackDoor.Sessox.1 into the compromised system ensuring the Trojan’s further distribution.

    The signature of the Trojan Linux.BackDoor.Sessox.1 has been added to the Dr.Web virus database, and, therefore, this malicious program no longer poses a threat to computers protected with Dr.Web.

    More about this Trojan

Tell us what you think

To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.

Other comments