Linux Trojan.lady, written in GO, mines cryptocurrency, infecting redis servers

by seo_worker » 2016-08-11 12:48:23

Experts at the company "Doctor Web" warned of a new Trojan, dubbed Linux.Lady.1. The malware infects unprotected servers with Redis on board and is able to spread from one system to another, like a worm.

Researchers at "Doctor Web" reported that the Trojan is able to perform a limited number of functions: to determine the external IP address of the infected machine, to attack other computers, and to download and run on the infected machine a program for the extraction (mining) of cryptocurrency, which is its main function.

Linux.Lady.1 is written in the Go programming language developed by Google. Dangerous applications created using this language have been encountered by virus analysts in the past, but they still occur relatively infrequently. In its architecture the Trojan uses many libraries published on GitHub, the popular code storage and collaborative development service.

Infiltrating the system, Linux.Lady.1 transmits to the control server information about the computer: the version of Linux and the name of the OS family to which it belongs, data on the number of processors, the number of running processes and so on. In response the malware receives a configuration file, according to which it downloads and runs a miner program designed for mining cryptocurrency. The Trojan transfers the money obtained this way to the cybercriminals' e-wallet.

Linux.Lady.1 is able to determine the external IP address of the infected machine with the help of special sites, links to which the malware receives in the configuration file.

The malware can also attack other computers on the network. It attempts to connect to remote nodes via the port used by the Redis (remote dictionary server) data store without a password, relying on the fact that the system administrator of the attacked machine has configured the system incorrectly. If a vulnerable system is found and a connection is established, the Trojan writes to the cron jobs on the remote computer a loader script, detected under the name Linux.DownLoader.196. That, in turn, downloads and installs a copy of Linux.Lady.1 on the compromised host. Then the malware adds to the list of authorized keys a key for connecting to the attacked machine via SSH.

This feature makes Linux.Lady.1 similar to the PhotoMiner worm, which has been infecting vulnerable FTP servers and also mining cryptocurrency on them.
seo_worker
moderators
Posts: 789
Deposit: 0.005 BTC

Rating: 2
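The post's infection vector is a Redis instance that answers on its port with no password set. The script below is an added example (not Doctor Web's analysis and not Redis project code) of the check a defender would run before exposing a server: it parses a redis.conf and flags the settings that leave the instance open. The two configuration texts are constructed samples; the `protected-mode` and `rename-command` directives are standard Redis configuration keys, and the "hardened" values are an assumption about what a sensible baseline looks like, not something taken from the post.

```python
"""Audit a redis.conf for the misconfiguration described in the post:
a Redis server reachable over the network with no password.

Added example for this page; not Doctor Web's or Redis project code.
"""

from dataclasses import dataclass, field


@dataclass
class RedisAudit:
    """Collected findings; empty means nothing flagged."""
    findings: list = field(default_factory=list)

    def ok(self) -> bool:
        return not self.findings


def parse_redis_conf(text: str) -> dict:
    """Return {directive: [[arg, ...], ...]} from redis.conf text.

    Comments and blank lines are skipped. Directive names are
    case-insensitive in Redis, so they are lowercased here. A directive
    may appear several times; the last occurrence wins, so all are kept.
    """
    conf: dict = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf


def audit_redis_conf(text: str) -> RedisAudit:
    """Flag the settings that make an instance a target for a worm like
    Linux.Lady.1: no password, listening on every interface, protected
    mode switched off, and the CONFIG command left under its real name."""
    conf = parse_redis_conf(text)
    audit = RedisAudit()

    # 1. No (or empty) requirepass: any client that reaches the port has
    #    full control of the server.
    rp = conf.get("requirepass", [[]])[-1]
    if not rp or not rp[0].strip("\"'"):
        audit.findings.append("no requirepass: unauthenticated access")

    # 2. No bind line, or bound to all interfaces: the port is reachable
    #    from the network, which is what the worm scans for.
    bind = conf.get("bind", [[]])[-1]
    if not bind or any(b in ("0.0.0.0", "::", "*") for b in bind):
        audit.findings.append("bind exposes Redis on all interfaces")

    # 3. protected-mode no: the loopback-only safety net for unauthenticated
    #    instances is disabled (directive exists in Redis 3.2 and later).
    pm = conf.get("protected-mode", [["yes"]])[-1]
    if pm and pm[0].lower() == "no":
        audit.findings.append("protected-mode no")

    # 4. CONFIG not renamed: clients can reconfigure the server at runtime.
    #    Renaming it (to an unguessable name or to "") is standard hardening.
    renamed = any(v and v[0].lower() == "config"
                  for v in conf.get("rename-command", []))
    if not renamed:
        audit.findings.append("CONFIG command not renamed or disabled")

    return audit


# Constructed sample: an older default-style config with nothing hardened.
WEAK_CONF = """
port 6379
bind 0.0.0.0
protected-mode no
daemonize yes
"""

# Constructed sample: the same instance with a password, loopback-only
# binding, protected mode on, and CONFIG disabled (assumed baseline).
HARDENED_CONF = """
port 6379
bind 127.0.0.1
protected-mode yes
requirepass "use-a-long-random-secret-here"
rename-command CONFIG ""
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        result = audit_redis_conf(text)
        print(name, "OK" if result.ok() else result.findings)
```

Run against a real redis.conf by reading the file into `audit_redis_conf`; an empty findings list does not prove the host is safe (firewalling and patch level matter too), but any non-empty list reproduces exactly the state the post says the worm looks for.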