Your browser is obsolete!

The page may not load correctly.

Free trial
Dr.Web for Android

Defend what you create

Other Resources

Close

Library
My library

+ Add to library

Contact us
24/7 Tech support

Send a message

Your tickets

Profile

Back to news

Rekoobe Trojan threatens Linux users

December 3, 2015

Quantity and abilities of malware for Linux keep growing every day. Thus, Linux.Rekoobe.1, a Trojan examined by Doctor Web security researchers, is able to download files from the command and control server (C&C server) and upload them to it upon a command from cybercriminals. The Trojan can also interact with the Linux command interpreter on the compromised device.

It should be noted that the first modifications of Linux.Rekoobe.1 were intended to infect Linux devices with the SPARC architecture. However, virus makers have apparently decided to modify the Trojan in order to make it compatible with Intel-based computers. Doctor Web specialists registered the samples of Linux.Rekoobe.1 for 32-bit, as well as for 64-bit Intel-compatible Linux system.

Linux.Rekoobe.1 uses an encrypted configuration file. Once the file is read, the Trojan periodically refers to the C&C server to receive commands. Under specific circumstances, the connection to the server is established via a proxy server. The malware extracts the authorization data from its configuration file. All the sent and received information is split into separate blocks. Every block is encrypted and contains its own signature.

To verify encrypted data from the C&C server, Linux.Rekoobe.1 applies a rather complicated procedure. Nevertheless, Linux.Rekoobe.1 can execute only three commands such as: to download or upload files, to send the received commands to the Linux interpreter, and to transmit the output to the remote server—thus, cybercriminals are able to interact with the compromised devise remotely.

The signatures of all the known Linux.Rekoobe.1 samples have been added to Dr.Web virus databases. Therefore, users of Dr.Web for Linux are under reliable protection.

More about this Trojan

Tell us what you think

You will be awarded one Dr.Webling per comment. To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.


Other comments

The Russian developer of Dr.Web anti-viruses

Doctor Web has been developing anti-virus software since 1992

Dr.Web is trusted by users around the world in 200+ countries

The company has delivered an anti-virus as a service since 2007

24/7 tech support

© Doctor Web
2003 — 2017

Doctor Web is the Russian developer of Dr.Web anti-virus software. Dr.Web anti-virus software has been developed since 1992.

2-12А, 3rd street Yamskogo polya, Moscow, Russia, 125040