
Rekoobe Trojan threatens Linux users

December 3, 2015

The quantity and capabilities of malware for Linux keep growing every day. For example, Linux.Rekoobe.1, a Trojan examined by Doctor Web security researchers, can download files from the command and control (C&C) server and upload files to it on command from cybercriminals. The Trojan can also interact with the Linux command interpreter on the compromised device.

It should be noted that the first modifications of Linux.Rekoobe.1 were intended to infect Linux devices with the SPARC architecture. However, virus makers have apparently decided to modify the Trojan to make it compatible with Intel-based computers. Doctor Web specialists have registered samples of Linux.Rekoobe.1 for both 32-bit and 64-bit Intel-compatible Linux systems.

Linux.Rekoobe.1 uses an encrypted configuration file. Once the file is read, the Trojan periodically contacts the C&C server to receive commands. Under specific circumstances, the connection to the server is established via a proxy server. The malware extracts the authorization data from its configuration file. All sent and received information is split into separate blocks. Every block is encrypted and contains its own signature.

To verify encrypted data from the C&C server, Linux.Rekoobe.1 applies a rather complicated procedure. Nevertheless, Linux.Rekoobe.1 can execute only three commands: download or upload files, send the received commands to the Linux interpreter, and transmit the output to the remote server. Cybercriminals are thus able to interact with the compromised device remotely.

The signatures of all the known Linux.Rekoobe.1 samples have been added to Dr.Web virus databases. Therefore, users of Dr.Web for Linux are under reliable protection.
