September 14, 2016
The Trojan Linux.DDoS.93 was created to attack computers running under the Linux operating system. Presumably, it is spread via a set of ShellShock vulnerabilities in GNU Bash.
Once launched, the Linux.DDoS.93 tries to alter the contents of system directories to ensure that it gets run automatically. After that, the Trojan checks whether other copies of Linux.DDoS.93 are present on the infected computer and shuts down any it finds.
When launched successfully, the Trojan creates two child processes. The first one exchanges data with a command and control server. The second one verifies the parent process is running in an infinite loop (if not, it launches it). The parent process then does the same for the child process—thus, the Trojan operates continuously on the infected machine.
The Linux.DDoS.93 can execute the following commands:
- Update the malicious program
- Download and run the file specified in the command
- Remove itself
- Launch a UDP flood attack on a specified port
- Launch a UDP flood attack on a random port
- Launch a Spoofed UDP flood attack
- Launch a TCP flood attack
- Launch a TCP flood attack (random data up to 4096 B long is added to the packages)
- Launch an HTTP flood attack using GET requests
- Launch an HTTP flood attack using POST requests
- Launch an HTTP flood attack using HEAD requests
- Send HTTP requests with the parameters specified to 255 random IP addresses
- Terminate execution
- Send a PING command
When the Trojan receives the command to launch a DDoS attack or send random requests, it first shuts down all the child processes and then launches 25 new ones which subsequently carry out criminal-ordered attacks. The signature of Linux.DDoS.93 has been added to the Dr.Web virus databases. Thus, users of Dr.Web for Linux are reliably protected.
Tell us what you think
To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.