
Self-replicating Linux-rex Trojan attacks websites, creating a P2P botnet


by seo_worker » 2016-08-22 14:00:17



Specialists at Doctor Web have warned of the discovery of a new threat to Linux systems. Linux.Rex.1 is written in Go and attacks websites running various CMSs, including Drupal. The Trojan is capable of carrying out DDoS attacks, sending out e-mails and spreading across the network on its own.

The new threat was first noticed by users of the Kernelmode forum, who called it a "ransomware for Drupal" (Drupal ransomware), which was not quite accurate. Doctor Web specialists found that Linux.Rex.1 does indeed attack websites running on the popular Drupal engine, but it is not limited to them.

Experts explain that modern botnets are divided into two types. Botnets of the first type receive commands from command-and-control servers; botnets of the second type operate without them at all, passing information directly from one infected host to another. Linux.Rex.1 organizes a botnet of the second type. Such botnets are called peer-to-peer or P2P networks. The architecture of Linux.Rex.1 includes its own implementation of the DHT protocol, which allows it to share information with other infected hosts and thus create a decentralized P2P botnet. Once infected with the Trojan, a computer runs as one node of this network.

Linux.Rex.1 receives control directives via HTTPS from other infected computers and, if necessary, passes them on to other nodes of the botnet. Commands instruct the Trojan to start or stop a DDoS attack on a node with a specified IP address. Using a special module built with the github.com/natefinch/pie library, the Trojan is able to scan the network for websites running the content management systems Drupal, WordPress, Magento, JetSpeed and others. It also looks for network hardware running the AirOS operating system.



Where possible, Linux.Rex.1 uses known vulnerabilities in the listed products to obtain lists of users, private SSH keys, logins and passwords stored on the remote nodes.

On WordPress, the Trojan searches for vulnerable plugins: WooCommerce, Robo Gallery, Rev Slider, WP-squirrel, Site Import, Brandfolder, Issuu Panel and Gwolle Guestbook. Websites based on Magento are checked for CVE-2015-1397, CVE-2015-1398 and CVE-2015-1399.

Another feature of Linux.Rex.1 is sending threatening messages via e-mail. In these letters the attackers threaten website owners with a DDoS attack. If the e-mail reaches the wrong address, the attackers ask the recipient to forward it to the responsible person at the company that owns the website. To avoid the attack, the potential victim is encouraged to pay a ransom in the bitcoin equivalent.



Doctor Web specialists write that the known vulnerability CVE-2014-3704 is used to hack sites running Drupal. If the bug has not been fixed, the Trojan authenticates itself in the system with the help of SQL injection. If the break-in succeeds, Linux.Rex.1 uploads its own copy to the compromised website and launches it. This is how self-replication is implemented in Linux.Rex.1.
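Since the post says Linux.Rex.1 only gets onto Drupal sites where CVE-2014-3704 is still unpatched, the obvious defender's check is whether the core is at or above Drupal 7.32, the release that shipped the fix (SA-CORE-2014-005). The following Python is an added example, not code from the post or from Doctor Web; it reads the VERSION constant from a copy of Drupal's includes/bootstrap.inc (the sample contents are constructed here) and reports whether that core version falls in the affected range.

```python
import re
from typing import Optional, Tuple

# Drupal 7.32 (SA-CORE-2014-005) is the first 7.x release fixing CVE-2014-3704.
# The advisory lists only the 7.x branch as affected.
FIXED_VERSION = (7, 32)

# Constructed samples of how the VERSION constant appears in includes/bootstrap.inc
SAMPLE_OLD = "<?php\n/**\n * The current system version.\n */\ndefine('VERSION', '7.31');\n"
SAMPLE_FIXED = "<?php\ndefine('VERSION', '7.32');\n"
SAMPLE_DEV = "<?php\ndefine('VERSION', '7.34-dev');\n"
SAMPLE_D6 = "<?php\ndefine('VERSION', '6.33');\n"

# Matches define('VERSION', '7.31') and also suffixed forms such as '7.34-dev'
_VERSION_RE = re.compile(
    r"""define\(\s*['"]VERSION['"]\s*,\s*['"]([0-9]+)\.([0-9]+)[^'"]*['"]\s*\)"""
)


def drupal_core_version(bootstrap_inc: str) -> Optional[Tuple[int, int]]:
    """Return (major, minor) parsed from the VERSION define, or None if not found."""
    m = _VERSION_RE.search(bootstrap_inc)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def vulnerable_to_cve_2014_3704(version: Optional[Tuple[int, int]]) -> Optional[bool]:
    """True for a Drupal 7.x core older than 7.32; False otherwise; None if undetermined."""
    if version is None:
        return None
    major, minor = version
    if major != 7:
        return False  # Drupal 6 uses a different database layer and is not affected
    return (major, minor) < FIXED_VERSION


def assess(bootstrap_inc: str) -> str:
    """Human-readable verdict for one bootstrap.inc. A site patched in place without
    upgrading still reports the old VERSION, so a 'vulnerable' verdict may need
    confirmation against the actual database.inc source."""
    version = drupal_core_version(bootstrap_inc)
    status = vulnerable_to_cve_2014_3704(version)
    if status is None:
        return "VERSION not found: cannot determine Drupal core version"
    label = "%d.%d" % version
    return "Drupal %s: %s" % (label, "VULNERABLE to CVE-2014-3704" if status else "not affected")


if __name__ == "__main__":
    for sample in (SAMPLE_OLD, SAMPLE_FIXED, SAMPLE_DEV, SAMPLE_D6):
        print(assess(sample))
```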