Linux Computers Targeted by New Backdoor and DDoS Trojan

Share this…

Threat level is not high, the virus requires users to give it root privileges in order to infect their computers.

After being bombarded with new malware towards the end of last year, the Linux ecosystem is rocked again by the discovery of a new trojan family, identified by security researchers as Linux.BackDoor.Xudp.

The only detail that matters is that this new threat does not leverage automated scripts, vulnerabilities, or brute-force attacks to infect users and still relies on good ol’ user stupidity in order to survive.

The infection scenario is simple, with users downloading malicious packages or applications from the Internet, and then giving them root privileges during the installation.

Linux-fight! Dev's plan to bundle kernel patches sparks debate

Linux.BackDoor.Xudp is installed via Linux.Downloader

Xudp is not distributed directly, but crooks lace these malicious packages with another malware called Linux.Downloader. This is what the infosec community calls a payload downloader, malware that’s small enough to fit inside other apps, tasked only with downloading other malware.

In this particular case, after the user gives root privileges to an app laced with Linux.Downloader (version 77), this trojan will download an upgraded version of itself (version 116), which includes more features needed during Xudp’s installation.

Version 116 will download and install Xudp in the “/lib/.socket1″ or /lib/.loves” folders, add Xudp to the system’s autorun scripts, and also wipe clean the local iptables firewall, if in use.

Xudp’s server communications hidden from sight using encryption

Linux.Downloader then shuts down, and Xudp takes over. The first thing it does is to check a hardcoded configuration file for any of the attacker’s preset instructions, and then gather information about the infected computer, sending it to its C&C (command and control) server, letting it know a new victim was successfully infected.

This first ping to the C&C server is sent in a cleartext HTTP request, but all subsequent communication operations are handled via HTTPS.

As for Xudp’s main components, the trojan is split in three major threads. The first is responsible for handling C&C server communications via HTTPS, the second constantly listens to instructions coming from the C&C server, and the third periodically sends data from the infected machine to the attacker’s server.

Technically, Dr.Web security experts say that Xudp can be used as a backdoor to execute commands on the local machine, or as a bot in coordinated DDoS attacks. At the time of writing, the antivirus maker had detected at least three different versions of Linux.BackDoor.Xudp.