New DDoS Malware Targets Linux and Windows Systems

Attackers use brute-force methods to guess SSH passwords and install the malware on Linux servers

By Lucian Constantin
Wed, December 18, 2013

IDG News Service — Attackers are compromising Linux and Windows systems to install a new malware program designed for launching distributed denial-of-service (DDoS) attacks, according to researchers from the Polish Computer Emergency Response Team (CERT Polska).

The malware was found by the Polish CERT at the beginning of December and the Linux version is being deployed following successful dictionary-based password guessing attacks against the SSH (Secure Shell) service. This means only systems that allow remote SSH access from the Internet and have accounts with weak passwords are at risk of being compromised by attackers distributing this malware.

"We were able to obtain a 32-bit, statically linked, ELF file," the Polish CERT researchers said Monday in a blog post. The executable runs in daemon mode and connects to a command-and-control (C&C) server using a hard-coded IP (Internet Protocol) address and port, they said.

When first run, the malware sends operating system information -- the output of the uname command -- back to the C&C server and waits for instructions.

"From the analysis we were able to determine that there are four types of attack possible, each of them a DDoS attack on the defined target," the researchers said. "One of the possibilities is the DNS Amplification attack, in which a request, containing 256 random or previously defined queries, is sent to a DNS server. There are also other, unimplemented functions, which probably are meant to utilize the HTTP protocol in order to perform a DDoS attack."

While executing an attack, the malware provides information back to the C&C server about the running task, the CPU speed, system load and network connection speed.

A variant of the DDoS malware also exists for Windows systems where it is installed as "C:\Program Files\DbProtectSupport\svchost.exe" and is set up to run as a service on system start-up.

Unlike the Linux version, the Windows variant connects to the C&C server using a domain name, not an IP address, and communicates on a different port, according to the Polish CERT analysis. However, the same C&C server was used by both the Linux and Windows variants, leading the Polish CERT researchers to conclude that they were created by the same group.

Since this malware was designed almost exclusively for DDoS attacks, the attackers behind it are likely interested in compromising computers with significant network bandwidth at their disposal, like servers. "This also probably is the reason why there are two versions of the bot -- Linux operating systems are a popular choice for server machines," the researchers said.

Continue Reading

Our Commenting Policies