
Linux Computers Targeted by New Backdoor and DDoS Trojan

Discussion in 'Apple, Linux & Unix Security Alerts/News' started by starbuck, May 11, 2016.

    starbuck (Administrator - Malware Removal Specialist)

    After being bombarded with new malware towards the end of last year, the Linux ecosystem is rocked again by the discovery of a new trojan family, identified by security researchers as Linux.BackDoor.Xudp.

    The only detail that matters is that this new threat does not leverage automated scripts, vulnerabilities, or brute-force attacks to infect users and still relies on good ol' user stupidity in order to survive.

    The infection scenario is simple, with users downloading malicious packages or applications from the Internet, and then giving them root privileges during the installation.

    Linux.BackDoor.Xudp is installed via Linux.Downloader

    Xudp is not distributed directly, but crooks lace these malicious packages with another malware called Linux.Downloader.
    This is what the infosec community calls a payload downloader, malware that's small enough to fit inside other apps, tasked only with downloading other malware.

    In this particular case, after the user gives root privileges to an app laced with Linux.Downloader (version 77), this trojan will download an upgraded version of itself (version 116), which includes more features needed during Xudp's installation.

    Version 116 will download and install Xudp in the "/lib/.socket1" or "/lib/.loves" folders, add Xudp to the system's autorun scripts, and also wipe clean the local iptables firewall, if in use.
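The installation steps above give a defender three host artifacts to look for: the two hidden install directories, a reference to one of them in an autorun location, and an iptables rule set that has been emptied. The script below is an added example written for this thread, not code from the original post or from Dr.Web. The two directory names come from the post; the post does not say which autorun mechanism Xudp uses, so the autorun files and directories checked here (rc.local, crontab, cron.d, init.d, systemd units) and the sample inputs are assumptions constructed for the demonstration. The checks are written as pure functions over their inputs so they can be exercised on sample data; scan_host() wires them to the live system.

```python
"""Host-artifact check for the Linux.BackDoor.Xudp indicators named in the
post above. Added example, not from the original post or from Dr.Web.
Autorun locations are an assumption; the two directories are from the post."""
import os
import subprocess
from pathlib import Path

# Install directories named in the post (the leading dot hides them from a plain `ls`).
XUDP_DIRS = ("/lib/.socket1", "/lib/.loves")

# Assumed autorun locations to search for references to the Xudp directories.
AUTORUN_FILES = ("/etc/rc.local", "/etc/crontab")
AUTORUN_DIRS = ("/etc/init.d", "/etc/cron.d", "/etc/systemd/system")


def find_xudp_dirs(existing_paths):
    """Return the Xudp install directories that appear in `existing_paths`."""
    present = {os.path.normpath(p) for p in existing_paths}
    return [d for d in XUDP_DIRS if d in present]


def autorun_references(file_contents):
    """Given {path: text} for autorun files, return (path, line) pairs whose
    line mentions an Xudp directory. A hit is a persistence indicator."""
    hits = []
    for path, text in file_contents.items():
        for line in text.splitlines():
            if any(d in line for d in XUDP_DIRS):
                hits.append((path, line.strip()))
    return hits


def iptables_looks_flushed(iptables_save_output):
    """True if `iptables-save` output contains no rules (no -A lines), i.e. the
    'wiped clean' state the post describes; False if rules are present;
    None if the output does not look like iptables-save output at all
    (e.g. empty because the command failed or was not run as root)."""
    if "COMMIT" not in iptables_save_output:
        return None
    rules = [l for l in iptables_save_output.splitlines() if l.startswith("-A")]
    return len(rules) == 0


def scan_host():
    """Run the three checks against the live system (iptables-save needs root)."""
    existing = [d for d in XUDP_DIRS if Path(d).exists()]
    contents = {}
    candidates = list(AUTORUN_FILES)
    for d in AUTORUN_DIRS:
        if Path(d).is_dir():
            candidates.extend(str(p) for p in Path(d).iterdir() if p.is_file())
    for f in candidates:
        try:
            contents[f] = Path(f).read_text(errors="replace")
        except OSError:
            pass  # unreadable or missing file: nothing to check
    try:
        ipt = subprocess.run(["iptables-save"], capture_output=True,
                             text=True, check=False).stdout
    except FileNotFoundError:
        ipt = ""
    return {
        "xudp_dirs": find_xudp_dirs(existing),
        "autorun_hits": autorun_references(contents),
        "iptables_flushed": iptables_looks_flushed(ipt),
    }


# Constructed sample input (not captured from a real infection) that makes
# each check fire once and stay quiet once.
SAMPLE_PATHS = ["/lib/.socket1", "/lib/x86_64-linux-gnu", "/usr/lib"]
SAMPLE_AUTORUN = {
    "/etc/rc.local": "#!/bin/sh\n/lib/.socket1/xudp &\nexit 0\n",
    "/etc/crontab": "0 * * * * root /usr/bin/updatedb\n",
}
SAMPLE_IPTABLES_EMPTY = ("*filter\n:INPUT ACCEPT [0:0]\n:FORWARD ACCEPT [0:0]\n"
                         ":OUTPUT ACCEPT [0:0]\nCOMMIT\n")
SAMPLE_IPTABLES_RULES = ("*filter\n:INPUT DROP [0:0]\n-A INPUT -i lo -j ACCEPT\n"
                         "-A INPUT -p tcp --dport 22 -j ACCEPT\nCOMMIT\n")

if __name__ == "__main__":
    print("dirs:", find_xudp_dirs(SAMPLE_PATHS))
    print("autorun:", autorun_references(SAMPLE_AUTORUN))
    print("flushed:", iptables_looks_flushed(SAMPLE_IPTABLES_EMPTY),
          iptables_looks_flushed(SAMPLE_IPTABLES_RULES))
```

The iptables check deliberately returns None rather than True when the output is empty, so a scan run without root does not report a firewall as wiped simply because iptables-save printed nothing.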

    Xudp's server communications hidden from sight using encryption

    Linux.Downloader then shuts down, and Xudp takes over.
    The first thing it does is to check a hardcoded configuration file for any of the attacker's preset instructions, and then gather information about the infected computer, sending it to its C&C (command and control) server, letting it know a new victim was successfully infected.

    This first ping to the C&C server is sent in a cleartext HTTP request, but all subsequent communication operations are handled via HTTPS.

    As for Xudp's main components, the trojan is split in three major threads.
    The first is responsible for handling C&C server communications via HTTPS, the second constantly listens to instructions coming from the C&C server, and the third periodically sends data from the infected machine to the attacker's server.

    Technically, Dr.Web security experts say that Xudp can be used as a backdoor to execute commands on the local machine, or as a bot in coordinated DDoS attacks. At the time of writing, the antivirus maker had detected at least three different versions of Linux.BackDoor.Xudp.
