December 3, 2015

Quantity and abilities of malware for Linux keep growing every day. Thus, Linux.Rekoobe.1, a Trojan examined by Doctor Web security researchers, is able to download files from the command and control server (C&C server) and upload them to it upon a command from cybercriminals. The Trojan can also interact with the Linux command interpreter on the compromised device.

It should be noted that the first modifications of Linux.Rekoobe.1 were intended to infect Linux devices with the SPARC architecture. However, virus makers have apparently decided to modify the Trojan in order to make it compatible with Intel-based computers. Doctor Web specialists registered the samples of Linux.Rekoobe.1 for 32-bit, as well as for 64-bit Intel-compatible Linux system.

Linux.Rekoobe.1 uses an encrypted configuration file. Once the file is read, the Trojan periodically refers to the C&C server to receive commands. Under specific circumstances, the connection to the server is established via a proxy server. The malware extracts the authorization data from its configuration file. All the sent and received information is split into separate blocks. Every block is encrypted and contains its own signature.

To verify encrypted data from the C&C server, Linux.Rekoobe.1 applies a rather complicated procedure. Nevertheless, Linux.Rekoobe.1 can execute only three commands such as: to download or upload files, to send the received commands to the Linux interpreter, and to transmit the output to the remote server—thus, cybercriminals are able to interact with the compromised devise remotely.

The signatures of all the known Linux.Rekoobe.1 samples have been added to Dr.Web virus databases. Therefore, users of Dr.Web for Linux are under reliable protection.

More about this Trojan