April 13, 2015
The malware that acquired the name Linux.BackDoor.Sessox.1 registers itself in the autorun of the infected computer. The Trojan then connects to the command and control server, which runs a chat based on the IRC (Internet Relay Chat) text-messaging protocol. The bot operates in this chat and receives the cybercriminals’ commands there. The Trojan can execute the following commands:
- Log in to the IRC chat with the specified username and password.
- Forward the information about the computer’s working time (uptime) to the IRC channel.
- Change the nickname to a specified one.
- Send the server the PONG message (in reply to the PING command).
- Execute one of the following special functions:
  - Launch an attack on a specified website using repeated GET requests (HTTP Flooder).
  - Start scanning for the ShellShock vulnerability (ShellShock Scanner).
  - Start scanning PHP scripts (PHP Scanner).
  - Start the proxy server (SOCKS5 Proxy).
Upon the cybercriminals’ command, the Trojan can attack a website specified by them by sending repeated GET requests. It can also scan the attacked server for the ShellShock vulnerability, which allows arbitrary code to be executed on the server. Using specially crafted POST requests, the malware can scan for PHP scripts in order to launch a third-party script on the compromised server. In this way, cybercriminals can place a copy of Linux.BackDoor.Sessox.1 on the compromised system, ensuring the Trojan’s further distribution.
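The bot behaviour described above (registering a nickname, joining a control channel, answering the server’s PING with a PONG) is visible on the wire as plain IRC protocol traffic. The following added example, which is not Doctor Web’s code and not taken from the Trojan, parses RFC 1459-style IRC lines and flags a host whose outbound traffic shows that registration-join-keepalive pattern; the capture records (host, direction, payload) are a constructed sample.

```python
"""Parse IRC protocol lines and flag hosts whose traffic looks like an
IRC-controlled bot: NICK registration, JOIN to a channel, and an automatic
PONG that echoes the server's PING token (the keepalive behaviour above)."""
import re
from collections import defaultdict

# RFC 1459 message shape: [:prefix] COMMAND params [:trailing]
_IRC_RE = re.compile(
    r'^(?::(?P<prefix>\S+) )?(?P<cmd>[A-Za-z]+|\d{3})'
    r'(?P<params>(?: [^:\s][^ ]*)*)(?: :(?P<trailing>.*))?$')

def parse_irc(line):
    """Return (prefix, COMMAND, [params]) or None if the line is not IRC-shaped."""
    m = _IRC_RE.match(line.strip())
    if not m:
        return None
    params = m.group('params').split()
    if m.group('trailing') is not None:
        params.append(m.group('trailing'))
    return m.group('prefix'), m.group('cmd').upper(), params

def classify_sessions(records):
    """records: iterable of (src_host, 'in'|'out', payload) from a capture.
    A host is flagged only when it registered a nick, joined a channel and
    replied to a server PING with a PONG carrying the same token."""
    state = defaultdict(lambda: {'nick': False, 'join': False, 'ping': None, 'pong': False})
    for host, direction, payload in records:
        parsed = parse_irc(payload)
        if parsed is None:
            continue
        _, cmd, params = parsed
        s = state[host]
        if direction == 'out' and cmd == 'NICK':
            s['nick'] = True
        elif direction == 'out' and cmd == 'JOIN':
            s['join'] = True
        elif direction == 'in' and cmd == 'PING' and params:
            s['ping'] = params[-1]                      # remember the server's token
        elif direction == 'out' and cmd == 'PONG' and params and params[-1] == s['ping']:
            s['pong'] = True                            # token echoed back: automated reply
    return sorted(h for h, s in state.items() if s['nick'] and s['join'] and s['pong'])

# Constructed sample traffic (not a real capture): one bot-like host, one benign host.
SAMPLE = [
    ('10.0.0.5', 'out', 'NICK x1337'),
    ('10.0.0.5', 'out', 'USER x1337 0 * :x1337'),
    ('10.0.0.5', 'out', 'JOIN #ctrl'),
    ('10.0.0.5', 'in',  'PING :irc.example.test'),
    ('10.0.0.5', 'out', 'PONG :irc.example.test'),
    ('10.0.0.7', 'out', 'GET / HTTP/1.1'),
    ('10.0.0.7', 'in',  'PING :irc.example.test'),
]

if __name__ == '__main__':
    print(classify_sessions(SAMPLE))  # ['10.0.0.5']
```

Running this over real network telemetry would require mapping flow records to the (host, direction, payload) shape; the parser itself is deliberately permissive, so the three-step pattern, not a single parsed line, is what drives the verdict.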
The signature of the Trojan Linux.BackDoor.Sessox.1 has been added to the Dr.Web virus database, and, therefore, this malicious program no longer poses a threat to computers protected with Dr.Web.