The case of Linux DDoS Trojan ported to Windows

Experts at Dr.Web detected a Linux DDoS Trojan designed to infect also Windows OS, the circumstance is considered rare in the criminal ecosystem.

The Russian antivirus company Dr. Web discovered that a Chinese DDoS Trojan written for Linux operating system seems have jumped to Windows, an event considered rare.

“Cases of Linux malware being tailored by virus makers to infect Windows are extremely rare. However, recently while examining several malicious samples acquired by the Doctor Web anti-virus laboratory, security researchers encountered exactly this phenomenon.” states the company in an official blog post.

According to the experts at Dr Web, the malware was first detected in May 2014 as “Linux.Dnsamp”, basically the malicious code is a DDOS Trojan, which infects Linux machines. The malware is able to modify the startup scripts, collects information on machine configuration and send it to C&C server, of course its main characteristic is to run silently and wait for orders.

“The virus analysts examining the malware concluded that the Trojans had been crafted by Chinese virus makers. Not long ago, several new modifications of these Trojans were discovered. Despite the apparent similarity with previously found DDoS Trojans, these programs differed significantly from their predecessors. They are ported Windows versions of earlier Trojans.” states the post.

The experts noticed that the trojan has been ported to Microsoft Windows, they dubbed the Windows version “Trojan.Dnsamp.1”, this new version gains admission into the OS pretending to be Windows Service Test.

“Some malware of the Linux.DnsAmp family communicates with two control servers and can infect both 32- (Linux.DnsAmp.1, Linux.DnsAmp.3,Linux.DnsAmp.5) and 64-bit (Linux.DnsAmp.2, Linux.DnsAmp.4 ) versions of Linux. Like other members of this class of DDoS Trojans, Linux.DnsAmp modifies the start-up scripts, collects and sends to the remote server the infected machine’s configuration information (OS version, CPU, amount of free memory and swap file) and then waits for commands. Trojans of this family have the following features:” reports Dr.Web.

The Windows version recently detected is installed into the targeted system and its executable file is saved in the system folder under the name vmware–vmx.exe. As explained by analysts, the DDoS trojan is triggered by the date of the system, if it is set after 2nd December, 2013 the malware is activated.

The malware could be used to run DDoS, but once infected the victims it can also download and run the other malicious payload.

Experts at Doctor Web revealed that the largest number of DDoS attacks involving the Trojans of this family (especially Linux.BackDoor.Gates) in the period from June 5th and August 13th, 2014 hit Chinese websites (28,093 attacks corresponding to the 79,1%), and website hosted in the United States (9,4). In the following image is reported the geographic location of the attacks.

In July 2014, experts at Kaspersky Lab detected another strain of malware with a modular structure, quite similar to the one discovered by Dr.Web, which was able to run DNS amplification attacks.

As explained by the experts at Dr. Web the discovery is singular because it is rare to detect a malware designed for Linux machines that is ported on Windows OS.

Pierluigi Paganini

(Security Affairs – DDoS Trojan, malware)