September 13, 2016
DDoS (. English Distributed Denial of Service, distributed attack, leading to a denial of service) - the most common method of attacks on network resources. Attackers sent to the target server a large flow of requests, which he is unable to cope, causing its failure. Often such attacks using special malware. One of them, called Linux.DDoS.93, examined analysts 'Doctor Web'.
Linux.DDoS.93 Trojan created by virus writers to infect devices running the Linux operating systems. Presumably, this malware is distributed by means of a set of ShellShock vulnerabilities in GNU Bash program.
Linux.DDoS.93 When you start trying to change the contents of a number of Linux system folders, to ensure their own startup. The Trojan then searches for the target machine other instances Linux.DDoS.93 and, if found, cease their work.
Successfully launched in the infected system, Linux.DDoS.93 creates two child processes. First communicates with the management server, and the second in a continuous loop checks if the parent process is running and restarts when it stops. In turn, the parent process also monitors the child and restart it if necessary - so the Trojan maintains its continuous work on the infected machine.
Linux.DDoS.93 able to perform the following commands:
- update malware;
- download and run the file specified in the command;
- samoudalitsya;
- launch an attack by UDP flood on the specified port;
- launch an attack by UDP flood on a random port;
- launch an attack by Spoofed UDP flood;
- TCP flood attack start method;
- TCP flood attack start method (in the packages are recorded random data length of 4096 bytes);
- start HTTP flood attack by using the GET-requests;
- start HTTP flood attack by using a POST-request;
- start HTTP flood attack by using HEAD-requests;
- send to 255 random HTTP-requests with the specified parameters IP-addresses;
- to complete;
- to send the command "Ping".
When the Trojan is instructed to start a DDoS-attack, or send random queries, he first stops all child processes and then runs 25 new processes and carry out the attack indicated by intruders. Linux.DDoS.93 signature is added to the virus database Dr.Web, so it does not pose a risk to our users.
Sources:
Russian : http://news.drweb.ru/show/?i=10198&lng=ru&c=5
English : as soon as possible!
