Linux DDOS Trojan Installs Rootkit

DDOS Trojan

Researchers have identified a Linux Trojan, dubbed XOR.DDoS, that builds a botnet for distributed denial of service (DDoS) attacks. It spreads by brute-forcing SSH login credentials for the root user.

If the brute-force succeeds, the attackers log in to the compromised machine and install the Trojan, usually via a shell script. A further script then decrypts and selects the C&C server based on the system's architecture, and also runs a rootkit component to avoid detection.

Avast said in a blog post, "The persistence of the Trojan is achieved in multiple ways. First, it is installed into the /boot/ directory with a random 10-character string. Then a script with the identical name as the Trojan is created in the /etc/init.d directory. It is together with five symbolic links pointing to the script created in /etc/rc%u.d/S90%s, where %u runs from 1 to 5 and %s is substituted with the random string."

Malware analyst Peter Kálnai told SCMagazine, "It's very hard to set a rootkit component within a Linux boundary because it needs to agree with the versions of the victims' operating systems."

"The rootkit hides all the files that are indicators of compromise, so the victims could not see those indicators," Kálnai said. "It also hides processes and other indicators of compromise."
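The persistence layout Avast describes (a 10-character random name under /boot/, an init script of the same name in /etc/init.d, and S90 symlinks in /etc/rc1.d through /etc/rc5.d) is concrete enough to hunt for. The script below is an added example written for this page, not Avast's or the malware's own code. It takes the mount point of the root filesystem to inspect, so that it can be run against a rescue-booted or offline-mounted disk: on a live infected host the rootkit hides these files and processes, as Kálnai notes, so a live scan may come back clean. The assumption that the random name is alphanumeric is mine; the source only says "random 10-character string". The sample tree in the usage comment is constructed for illustration.

```shell
#!/bin/sh
# Added example (not Avast's code): hunt for the XOR.DDoS persistence layout
#   <ROOT>/boot/<NAME>            -- the Trojan binary
#   <ROOT>/etc/init.d/<NAME>      -- init script with the same name
#   <ROOT>/etc/rc[1-5].d/S90<NAME> -- five symlinks to that script
# where NAME is a random 10-character string.
#
# Usage: sh xorddos_scan.sh /mnt/rescue     (offline image, recommended)
#        sh xorddos_scan.sh /               (live system; rootkit may hide hits)
# Exit status 1 when at least one suspect is printed, 0 when none.

# Does NAME look like the random 10-character string from the Avast write-up?
# Treating it as alphanumeric is an assumption; the source gives only the length.
looks_random10() {
  n="$1"
  [ "${#n}" -eq 10 ] || return 1
  case "$n" in
    *[!A-Za-z0-9]*) return 1 ;;
  esac
  return 0
}

# Print one line per suspect name:  SUSPECT <name> boot=<0|1> initd=<0|1> rclinks=<0..5>
# Candidates are collected from two independent views (/boot entries and the
# S90 symlinks in rc1.d..rc5.d), because a rootkit hiding one of them does not
# necessarily hide the other; a dangling S90 link with no visible target is
# itself a strong indicator.
xorddos_scan() {
  root="${1%/}"            # "" for the live root, or a mount prefix
  seen=" "
  suspects=0
  for f in "$root"/boot/* "$root"/etc/rc[1-5].d/S90*; do
    [ -e "$f" ] || [ -L "$f" ] || continue     # -L keeps dangling symlinks
    name=$(basename "$f")
    case "$f" in
      */rc[1-5].d/S90*) name="${name#S90}" ;;   # strip the SysV priority prefix
    esac
    looks_random10 "$name" || continue
    case "$seen" in *" $name "*) continue ;; esac   # report each name once
    seen="$seen$name "
    boot=0; initd=0; links=0
    [ -f "$root/boot/$name" ] && boot=1
    [ -f "$root/etc/init.d/$name" ] && initd=1
    for n in 1 2 3 4 5; do
      [ -L "$root/etc/rc$n.d/S90$name" ] && links=$((links + 1))
    done
    printf 'SUSPECT %s boot=%d initd=%d rclinks=%d\n' "$name" "$boot" "$initd" "$links"
    suspects=$((suspects + 1))
  done
  [ "$suspects" -eq 0 ]
}

# Run the scan only when a root argument is given, so the file can also be
# sourced for its functions without touching the running system.
[ $# -gt 0 ] && xorddos_scan "$1"
```

Normal /boot contents (vmlinuz-*, initrd.img-*, config-*, System.map-*, grub) fail the 10-alphanumeric test and are skipped, so the output is usually empty on a clean host; anything it does print should be checked with `stat` and `file` from the rescue environment rather than from the possibly-rootkitted system.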

The Trojan and its variants can infect 32-bit and 64-bit Linux web servers and desktops, as well as ARM systems, which suggests that routers, Internet of Things (IoT) devices, NAS devices and 32-bit ARM servers could also be affected.
