
Posted


The DDoS tool's control panel.

 

Malware Must Die! reports that similar-looking malware targeting both Linux and Windows computers has been linked to a DDoS toolkit sold by Chinese hackers through the ddos[.]tf service.

 

The malware, codenamed Linux/DDOSTF (or Linux/MrBlack), mainly targets Linux machines running Elasticsearch servers, but it also attacks and infects Windows systems, particularly older Windows XP and Windows Server 2003 instances.

 

Malware Must Die! reports that the Windows infections occur via a PHP-MySQL webshell that abuses WMI (Windows Management Instrumentation), allowing the attackers to get onto the system, upload the payload and later execute it, gaining system privileges on the infected machine.

The Windows version of this malware is detected as the Mr.Black trojan.

 

Security researchers also say that the Linux variant of this malware, distributed as a malicious ELF executable, shares a lot of code with an older malware family named JrLinux, to which it may be related.

Additionally, some of the code may have been lifted from another well-known Linux malware family, Linux/BillGates.

 

Both malware samples link back to the ddos[.]tf service

 

Analyzing telemetry from infected machines, the researchers say that this malware is part of a larger botnet used mainly to launch DDoS attacks.

 

Using clues left behind by the Linux/DDOSTF author in the malware's source code, the researchers were able to link the infected computers with the ddos[.]tf Web service.

 

This website sells the Wrath DDoS Cluster (also rendered as Curse DDoS Cluster, translated from the Chinese 天罚DDoS集群). Its Chinese owners advertise it as a pen-testing utility, but it is in fact a control panel for launching DDoS attacks.

 

Further investigating the Linux/DDOSTF code, the Malware Must Die! researchers were able to match several of the malware's capabilities to features and buttons in the DDoS tool's control panel.

 

"This panel is really heavy loaded not only with malware but with webshell weapons & hacking tools. The ELF & Windows malware used are pointing to the ddos.tf," conclude the researchers. "Are these attackers [currently infecting systems and launching DDoS attacks] actually the actor behind ddos.tf site (owners/administrators)? Or maybe one of the 'customers' of the ddos.tf? It's still a question."

 


The ddos.tf website, where the DDoS tool is sold.

 

 

Source:

http://news.softpedia.com/news/windows-and-linux-malware-linked-to-chinese-ddos-tool-498554.shtml


  • FPCH Admin
Posted
Thanks for this one. When I saw elasticsearch I had to do some checking. I run a FreeBSD server with elasticsearch for site search here. Wanted to make sure I had everything up to date and checked the security lists to see if there were any vulnerabilities in it.