Jump to content

Recommended Posts

Posted

9a7731e7c75dfbd013fa8a99404231b8.jpg

 

After being bombarded with new malware towards the end of last year, the Linux ecosystem is rocked again by the discovery of a new trojan family, identified by security researchers as Linux.BackDoor.Xudp.

 

The only detail that matters is that this new threat does not leverage automated scripts, vulnerabilities, or brute-force attacks to infect users and still relies on good ol' user stupidity in order to survive.

 

The infection scenario is simple, with users downloading malicious packages or applications from the Internet, and then giving them root privileges during the installation.

 

Linux.BackDoor.Xudp is installed via Linux.Downloader

 

Xudp is not distributed directly, but crooks lace these malicious packages with another malware called Linux.Downloader.

This is what the infosec community calls a payload downloader, malware that's small enough to fit inside other apps, tasked only with downloading other malware.

 

In this particular case, after the user gives root privileges to an app laced with Linux.Downloader (version 77), this trojan will download an upgraded version of itself (version 116), which includes more features needed during Xudp's installation.

 

Version 116 will download and install Xudp in the "/lib/.socket1" or /lib/.loves" folders, add Xudp to the system's autorun scripts, and also wipe clean the local iptables firewall, if in use.

 

Xudp's server communications hidden from sight using encryption

 

Linux.Downloader then shuts down, and Xudp takes over.

The first thing it does is to check a hardcoded configuration file for any of the attacker's preset instructions, and then gather information about the infected computer, sending it to its C&C (command and control) server, letting it know a new victim was successfully infected.

 

This first ping to the C&C server is sent in a cleartext HTTP request, but all subsequent communication operations are handled via HTTPS.

 

As for Xudp's main components, the trojan is split in three major threads.

The first is responsible for handling C&C server communications via HTTPS, the second constantly listens to instructions coming from the C&C server, and the third periodically sends data from the infected machine to the attacker's server.

 

Technically, Dr.Web security experts say that Xudp can be used as a backdoor to execute commands on the local machine, or as a bot in coordinated DDoS attacks. At the time of writing, the antivirus maker had detected at least three different versions of Linux.BackDoor.Xudp.

 

 

Source:

http://news.softpedia.com/news/linux-machines-targeted-by-new-backdoor-and-ddos-trojan-502915.shtml

76c90dd0e79a714317a8daeecc1584d2.png

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...