April 13, 2016
The infection begins with an ELF file that Dr.Web detects as Linux.Downloader.77. Notably, the original application is a UDP flood tool: it sends UDP packets to a specified address, and Linux.Downloader.77 is a trojanized build of it. The victim downloads the utility and runs it themselves; it then prompts for root privileges, without which it will not operate. Such flood tools often carry covert additional functions, for example downloading other malicious programs from the Internet, and Linux.Downloader.77 is no exception.
Once Linux.Downloader.77 has root access, it downloads a second script, Linux.Downloader.116, from the server and runs it. That script in turn downloads the main module of Linux.BackDoor.Xudp.1, saves it as /lib/.socket1 or /lib/.loves, installs an autorun script as /etc/rc.local, and adds a cron job so that the Trojan is also started by the scheduler. During installation the existing iptables rule set is cleared as well, leaving the host without its firewall rules.
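The persistence artifacts above are concrete enough to triage a host for. The following script is an added example written for this page, not Doctor Web's own tooling: it looks for the dropped module names, an /etc/rc.local or cron entry that references them, and, on a live host, an iptables rule set that is empty apart from chain policies. The optional root prefix argument is an assumption added for illustration so the same check can be pointed at a mounted disk image or a test tree.

```shell
#!/bin/sh
# xudp_check: triage a Linux host for the Linux.BackDoor.Xudp.1 persistence
# artifacts named in the Doctor Web write-up. Added example, not Doctor Web code.
# Argument 1 is a root prefix (default "/"); pass the mount point of an image
# to inspect it offline. Each indicator is printed and counted in XUDP_HITS.

xudp_check() {
    root="${1:-/}"
    hits=0
    pattern='/lib/\.(socket1|loves)'

    # 1. The dropped main module, saved under one of two hidden names in /lib.
    for f in "$root/lib/.socket1" "$root/lib/.loves"; do
        if [ -e "$f" ]; then
            echo "HIT dropped module: $f"
            hits=$((hits + 1))
        fi
    done

    # 2. /etc/rc.local autorun script that launches the hidden module.
    rc="$root/etc/rc.local"
    if [ -f "$rc" ] && grep -qE "$pattern" "$rc"; then
        echo "HIT rc.local autorun: $rc"
        hits=$((hits + 1))
    fi

    # 3. Cron persistence: system crontab, /etc/cron.d drop-ins and per-user spools.
    for c in "$root/etc/crontab" "$root"/etc/cron.d/* \
             "$root"/var/spool/cron/* "$root"/var/spool/cron/crontabs/*; do
        [ -f "$c" ] || continue          # unmatched globs stay literal; skip them
        if grep -qE "$pattern" "$c"; then
            echo "HIT cron autorun: $c"
            hits=$((hits + 1))
        fi
    done

    # 4. On a live host only: a rule set with nothing but chain policies is
    #    consistent with the installer having flushed iptables.
    if [ "$root" = "/" ] && command -v iptables >/dev/null 2>&1; then
        rules=$(iptables -S 2>/dev/null | grep -cv '^-P') || true
        if [ "${rules:-0}" -eq 0 ]; then
            echo "NOTE iptables holds no rules beyond chain policies (consistent with a flush)"
        fi
    fi

    XUDP_HITS=$hits
    return 0
}

# When executed directly (sh xudp_check.sh [ROOT]) run the check; sourcing the
# file only defines the function so it can be reused from other scripts.
case "$0" in
    *xudp_check.sh) xudp_check "${1:-/}"; echo "indicators found: $XUDP_HITS" ;;
esac
```

Grepping rc.local and the cron locations for the module path rather than only stat-ing /lib/.socket1 catches the case where the file itself has been renamed by a later variant but the autorun hooks still point at the old name; the iptables note is deliberately reported as a hint, not a hit, because an empty rule set is common on hosts that never had a firewall configured.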
Once launched, Linux.BackDoor.Xudp.1 decrypts the configuration hard-coded in its body, which it needs in order to operate, and sends detailed information about the infected computer to the server. It then starts three threads. The first uses HTTP: the Trojan reports that it has started, and the server replies with an encryption key, the address of the server to which further requests should be sent, and a port number. Linux.BackDoor.Xudp.1 then periodically polls that server for commands; this channel is presumably also how the Trojan updates itself. All incoming instructions are encrypted, and the Trojan derives a special key to decrypt them.
The second thread also waits for instructions from the server, but over UDP. In the third, the Trojan periodically sends a specific datagram to the server as a keep-alive, signalling that it is still active.
Doctor Web's analysts found that Linux.BackDoor.Xudp.1 can continuously send requests to a specified remote server, carry out DDoS attacks, and execute arbitrary commands. It can also scan ports across a specified range of IP addresses, run given files, upload any file to the attackers, and perform other functions. According to Doctor Web, the Trojan appears to be still under active development, since new modifications of it appear regularly.
Its counterparts, Linux.BackDoor.Xudp.2 and Linux.BackDoor.Xudp.3, are improved versions of Linux.BackDoor.Xudp.1. They differ from one another in the file name under which the Trojan is saved to the system, the amount of information about the computer sent to the server, and the set of commands they can execute. Dr.Web for Linux detects all of these malicious programs, so they pose no threat to our users.