Linux.DDoS.93

Linux.DDoS.93 is a trojan which infects Linux machines through the Shellshock vulnerability, which remains widely unpatched on a number of devices. The trojan then hijacks the device and uses it to launch DDoS attacks. The file /var/run/dhcpclient-eth0.pid is modified by this malware and allows the process to start every time the system boots; if the file does not exist, Linux.DDoS.93 creates it. After boot-up, two processes are started: one that lets the trojan talk to its C2 server and another that checks that the parent process is constantly running on the device. The trojan uses 25 child processes to carry out UDP floods, TCP floods, and HTTP floods. Linux.DDoS.93 also scans the computer's memory and the list of all active processes. If, during this scan, it finds certain strings related to information security, the trojan terminates itself in order to prevent cross-infection of the attacker's device and to hinder reverse engineering of Linux.DDoS.93 by security researchers. It also scans the computer for other versions of the same malware and, if any are found, terminates them and installs the newest version of itself.
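The persistence file named above gives a defender a concrete host-triage check. The script below is an added example, not code from the page or from any vendor report: it looks for /var/run/dhcpclient-eth0.pid, resolves the PID it holds against /proc, and reports the executable and the number of direct children (the watchdog and flood workers described above). The `root` parameter is an assumption made so the check can be run against a constructed directory tree; presence of the file alone is a lead to investigate, not proof of infection.

```python
#!/usr/bin/env python3
"""Host triage for the Linux.DDoS.93 persistence indicator (added example).

Assumptions (not from the page): run as root on the host, the PID file
holds a decimal PID, and `root` (normally "/") exists only so the check can
be exercised against a constructed /proc and /var/run tree.
"""
import os
from pathlib import Path

PID_FILE = "var/run/dhcpclient-eth0.pid"   # indicator named in the page text


def _ppid(root, pid):
    """Parent PID from /proc/<pid>/stat, or None if the entry is unreadable."""
    try:
        stat = (root / "proc" / str(pid) / "stat").read_text()
    except OSError:
        return None
    # comm sits in parentheses and may contain spaces; fields follow the last ')'
    return int(stat.rsplit(")", 1)[1].split()[1])


def triage(root="/"):
    """Return a dict describing what was found for the indicator."""
    root = Path(root)
    pid_path = root / PID_FILE
    report = {"pid_file_present": pid_path.exists(), "pid": None,
              "process_alive": False, "exe": None, "children": 0}
    if not report["pid_file_present"]:
        return report
    try:
        pid = int(pid_path.read_text().strip())
    except ValueError:
        return report            # malformed content still deserves an analyst's look
    report["pid"] = pid
    proc_dir = root / "proc" / str(pid)
    if not proc_dir.is_dir():
        return report            # stale file: process not currently running
    report["process_alive"] = True
    try:
        report["exe"] = os.readlink(proc_dir / "exe")
    except OSError:
        report["exe"] = "(unreadable)"
    # direct children of the PID: the watchdog plus any flood workers
    report["children"] = sum(1 for d in (root / "proc").iterdir()
                             if d.name.isdigit() and _ppid(root, d.name) == pid)
    return report


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```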

Reporting

  • September 2016: Security researchers discover Linux.DDoS.93 infecting unpatched Linux systems. (Softpedia)