Pierluigi Paganini August 23, 2016

Security researchers discovered a new Linux Trojan dubbed Linux.Rex.1 that is capable of self-spreading and create a peer-to-peer botnet.

A newly observed Linux Trojan is capable of self-spreading through infected websites and can recruit the infected machines into a peer-to-peer (P2P) botnet, Doctor Web researchers warn.

Security researchers from the firm Dr. Web have discovered a new Linux Trojan dubbed Linux.Rex.1 that is capable of self-spreading through infected websites composing a peer-to-peer botnet.

The threat was designed to infect web servers that use certain content management systems (CMS). The Linux.Rex.1 Trojan was written in the Go programming language and can perform a wide range of malicious activities, including sending out spam messages, launch DDoS attacks and of course spread itself over networks.

The malware was first spotted by users of the Kernelmode that noticed several attacks against websites based on Drupal CMS, for this reason, they called it Drupal ransomware.

The malware has the ability to hack websites built using Drupal by exploiting a well-known SQL injection flaw.

Now malware researchers from Dr, Web discovered that the Linux.Rex.1 was able to infect many other CMSs.

“This malware program attacks web servers that use various CMS, performs DDoS attacks, sends out spam messages, and distributes itself over networks.” states the analysis published by Dr Web.

The botnet composed of machines infected by the Linux.Rex.1 is a P2P botnet, each node of the malicious network is able to share data with peers by using a protocol implemented by the malware authors.

“Linux.Rex.1 is a Trojan that can create such P2P botnets by implementing a protocol responsible for sharing data with other infected computers. Once the Trojan is launched, a computer that has been infected starts operating as one of this network’s nodes.” continues the analysis. “The malware program receives directives over the HTTPS protocol and sends them to other botnet nodes, if necessary. When commanded by cybercriminals, Linux.Rex.1 starts or stops a DDoS attack on a specified IP address.”

The malware uses the HTTPS protocol to send/receive commands, the experts noticed a special component used by the threat to scan for websites that uses several CMSs, including the Drupal, WordPress, Magento, JetSpeed, and others.

“It also searches for network hardware that runs AirOS, and exploits known vulnerabilities in order to get hold of user lists, private SSH keys, and login credentials stored on remote servers. However, this information cannot always be obtained successfully,” reads the analysis.

In addition, the Linux.Rex.1 malware is designed to send out spam email messages to website owners, threatening them with DDoS attacks on their servers. Curiously, if the email goes to the wrong recipient, crooks ask it to redirect the message to the website owner.

Crooks requests the payment of a Bitcoin ransom to avoid being attacked.

Just a few weeks ago, experts from Doctor Web discovered another Linux malware dubbed Linux.Lady.1, which is also written in the Go programming language and that was primarily developed to infect systems for cryptocurrency mining.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Linux malware, Linux.Rex.1)