Rekoobe Trojan threatens Linux users
December 3, 2015
It should be noted that the first modifications of Linux.Rekoobe.1 were intended to infect Linux devices with the SPARC architecture. However, virus makers have apparently decided to modify the Trojan in order to make it compatible with Intel-based computers. Doctor Web specialists registered the samples of Linux.Rekoobe.1 for 32-bit, as well as for 64-bit Intel-compatible Linux system.
Linux.Rekoobe.1 uses an encrypted configuration file. Once the file is read, the Trojan periodically refers to the C&C server to receive commands. Under specific circumstances, the connection to the server is established via a proxy server. The malware extracts the authorization data from its configuration file. All the sent and received information is split into separate blocks. Every block is encrypted and contains its own signature.
To verify encrypted data from the C&C server, Linux.Rekoobe.1 applies a rather complicated procedure. Nevertheless, Linux.Rekoobe.1 can execute only three commands such as: to download or upload files, to send the received commands to the Linux interpreter, and to transmit the output to the remote server—thus, cybercriminals are able to interact with the compromised devise remotely.
The signatures of all the known Linux.Rekoobe.1 samples have been added to Dr.Web virus databases. Therefore, users of Dr.Web for Linux are under reliable protection.
Your opinion counts
Sign in or register to comment on our news posts and take advantage of other benefits available to registered users. You will be awarded one Dr.Webling per comment. You can exchange your Dr.Weblings for gift certificates that can be used to purchase Dr.Web at a discount.