New Backdoor and DDoS Trojan Targeted To The Linux Computers
Towards the end of last year, having just been hit by a new wave of malware, the Linux ecosystem was stunned again by the discovery of a new Trojan family, which security researchers identified as Linux.BackDoor.Xudp.
The only detail that really matters about this new threat is that it does not spread automatically through scripts, vulnerabilities, or brute-force attacks; it still relies on good old user error in order to stay alive.
The infection scenario is simple: users download malicious packages and applications from the Internet and then grant them root privileges during installation.
Linux.BackDoor.Xudp is not distributed directly; attackers bundle these malicious packages with another piece of malware known as Linux.Downloader, and Linux.Downloader.Xudp then installs the backdoor.
What the infosec community calls a payload downloader is a piece of malware small enough to fit inside other apps, whose only job is to download further malware.
In this specific case, once the user grants root rights to an app bundled with Linux.Downloader (version 77), the downloader fetches an updated version of itself (version 116), which contains most of the new features required to install Xudp.
Version 116 then downloads and installs Xudp into the "/lib/.socket1" or "/lib/.loves" folder. It also adds Xudp to the system's autorun scripts and wipes the local iptables firewall rules clean, if a firewall is in use.
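As an added defender-side example (not part of the original article or of Dr.Web's tooling), the check below looks for the two indicators the article names: the hidden drop folders under /lib and an autorun script referencing them. The autorun locations it inspects are an assumption; the sample filesystem is constructed in a temporary directory, not a real infection.

```python
import re
import tempfile
from pathlib import Path

# Indicators named in the article: Xudp is dropped into one of these hidden
# folders under /lib and is then added to the system autorun scripts.
XUDP_DROP_PATHS = ("lib/.socket1", "lib/.loves")
# Assumption: common SysV/rc autorun locations to inspect (not from the article).
AUTORUN_FILES = ("etc/rc.local", "etc/rc.d/rc.local", "etc/init.d")
DROP_REF = re.compile(r"/lib/\.(socket1|loves)\b")

def scan_for_xudp(root="/"):
    """Return a list of finding strings for the Xudp indicators under `root`."""
    root = Path(root)
    findings = []
    for rel in XUDP_DROP_PATHS:
        if (root / rel).exists():
            findings.append(f"drop path present: /{rel}")
    # Any other dot-prefixed entry directly under /lib is unusual on a stock system.
    lib = root / "lib"
    if lib.is_dir():
        for entry in lib.iterdir():
            if entry.name.startswith(".") and f"lib/{entry.name}" not in XUDP_DROP_PATHS:
                findings.append(f"hidden entry under /lib: {entry.name}")
    # Look for autorun scripts that launch something from the drop folders.
    for rel in AUTORUN_FILES:
        p = root / rel
        files = [f for f in p.iterdir() if f.is_file()] if p.is_dir() else ([p] if p.is_file() else [])
        for f in files:
            try:
                lines = f.read_text(errors="replace").splitlines()
            except OSError:
                continue
            for lineno, line in enumerate(lines, 1):
                if DROP_REF.search(line):
                    findings.append(f"autorun reference in /{f.relative_to(root)}:{lineno}: {line.strip()}")
    return findings

def build_demo_root():
    """Constructed sample filesystem that mimics the article's indicators (no real malware)."""
    root = Path(tempfile.mkdtemp())
    (root / "lib" / ".socket1").mkdir(parents=True)
    (root / "etc").mkdir()
    (root / "etc" / "rc.local").write_text("#!/bin/sh\n/lib/.socket1/xudp &\nexit 0\n")
    return str(root)

if __name__ == "__main__":
    for finding in scan_for_xudp(build_demo_root()):
        print(finding)
```

Run it against a live system with `scan_for_xudp("/")`; an empty list means none of the named indicators were found.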
Once Xudp is in place, Linux.Downloader shuts down and Xudp takes over; its communication with the server is hidden from sight and encrypted.
The first thing it does is check a hardcoded configuration file for any preset instructions from the attacker, then collect information about the infected computer and send it to its C&C (command and control) server, announcing itself as a newly infected victim.
This first ping is sent as a cleartext HTTP request to the C&C server, but all subsequent communication is handled over HTTPS.
As for Xudp's main components, the trojan runs in three major threads. The first is responsible for handling communications with the C&C server over HTTPS.
The second continuously listens for incoming instructions from the C&C server.
The third periodically sends data from the infected machine to the attacker's server.
Security experts at Dr.Web say that Xudp can be used as a backdoor to execute commands on the local machine, or as a bot in coordinated DDoS attacks. At the time of writing, the antivirus maker had detected at least three different versions of Linux.BackDoor.Xudp.
After analyzing the trojan's source code, Dr.Web security researchers said that Linux.BackDoor.Xunpes can carry out the following commands:
• Download other files
• Launch files into execution
• Copy files
• Rename files
• Delete files
• Create folders
• Delete folders
• Run bash commands
• Simulate keystrokes
• Log keystrokes
• Upload keylogger files to a server
• Take a screenshot of the desktop
• Upload screenshots to a server
• Snoop on the status of open sockets
• End communications
• Turn itself off