Security Experts:

Kaspersky Lab Details 'Versatile' DDoS Trojan for Linux Systems

Researchers at Kaspersky Lab have published a detailed analysis of a "versatile" Linux DDoS Trojan available online.

In a blog post, Kaspersky Lab's Mikhail Kuzin explained that the firm came across an article published in February on a Russian IT website titled 'Studying the BillGates Linux Botnet' that described a Trojan with DDoS functionality. 

"The capability that we found the most interesting was the Trojan's ability to conduct DNS Amplification-type attacks," wrote Kuzin, a junior malware analyst at Kaspersky Lab. "In addition, it followed from the article that the Trojan had a sophisticated modular structure, something we had not seen in the world of Linux malware before."

The article provided a link to download all of the Trojan's files. The archive contained a number of files that were all modules of the same Trojan: atddd; cupsdd; cupsddh; ksapdd; kysapdd; skysapdd; and xfsdxd. The files cupsdd and cupsddh are detected by Kaspersky Lab as Backdoor.Linux.Ganiw.a, while atddd and the remaining files are detected as Backdoor.Linux.Mayday.f. The archive with the files also contained a configuration file for cron - the Linux task scheduler. In this case, Kuzin stated, the utility is used to get a foothold on the system.

Trojan uses cron to perform a number of tests. Once a minute it terminates the processes of all applications that can interfere with its operation: .IptabLes, nfsd4, profild.key, nfsd, DDosl, lengchao32, b26, codelove and node24. In addition, roughly once every 90 minutes it terminates all of its processes, and every two hours or so it downloads all of its components to the /etc folder from http://www.dgnfd564sdf.com:8080/[module_name] (module_name = name of the Trojan's module, e.g., cupsdd), after deleting these files from the /etc folder. It also re-launches all of its modules every 90 minutes and purges system logs and bash command history and execute chmod 7777 [module_name] every minute.

"During subsequent analysis of the files, we did not find any code responsible for saving the config file for cron," the researcher noted. "Most likely, the file was manually downloaded to the victim machine by a cybercriminal after gaining remote access to the system."

The file atddd is a backdoor designed to conduct various types of DDoS attacks against the servers specified. The backdoor begins by calling the function daemon(1, 0), continuing to run in the background and redirecting standard input, output and errors to /dev/null, the researcher explained. Next it collects information about the system, and then decrypts strings defining the command and control server's IP address and port number.

Eventually, the C&C passes along commands to attack using UDP floods, TCP floods, ICMP floods and DNS flood attacks.

Cupsdd (Backdoor.Linux.Ganiw.a) is also designed to carry out various types of DDoS attacks, but is more feature-rich and sophisticated, Kuzin blogged. In the case of Cupsddh, also detected as Backdoor.Linux.Ganiw.a, includes an attack that allows for DNS amplification.

"The last attack type on the list above is different in that packets are sent to vulnerable DNS servers, with the attack target specified as the sender's IP address," Kuzin blogged. "As a result, the cybercriminal sends a small packet with a DNS request and the DNS server responds to the attack target with a significantly larger packet. The list of vulnerable DNS servers is stored in the file libamplify.so, which is written to disk following the relevant command from the C&C."

Recently, an updated a version of the Trojan has appeared with new functions. The most significant changes were made to the Gates module - cupsdd. It now has three modes - the installation and update mode; the monitoring mode, where it writes the PID of the current process to the file /tmp/moni.lock and starts threads to monitor the Bill module and the Gates module in controlling the Bill module. The final mode is for controlling the Bill module and operates the exact same way as it did in the previous version of the Trojan.

"To summarize, in the new version of the Trojan its authors have added a little 'robustness' without making any significant functionality changes," Kuzin blogged. "It is also worth noting that the hard-coded IP address of the C&C server has remained the same (116.10.189.246) in this version, but the port number has changed - it is now 36008 instead of 30000 in the previous version."

More detail can be found here.