2025-02-23 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/02 Report --
Dr.Web, a Russian antivirus software company, recently disclosed a new Trojan called Linux.BtcMine.174, which is more complex than typical Linux malware and packs a large number of malicious features.
The Trojan is a shell script of more than 1000 lines of code, and it is also the first file to be executed on an infected Linux system.
Once on a Linux host, the script looks for folders on disk where it has write permission, copies itself there, and downloads other modules. It then exploits one of two vulnerabilities, CVE-2016-5195 (also known as Dirty COW) or CVE-2013-2094, to escalate privileges. After obtaining root, the Trojan sets itself up as a local daemon.
During this process, the Trojan looks for running antivirus processes by name and terminates them, including safedog, aegis, yunsuo, clamd, avast, avgd, cmdavd, cmdmgd, drweb-configd, drweb-spider-kmod, esets and xmirrord.
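A defender can turn that process list into a correlation rule: alert when one process sends signals to several of these agents within a short window. The sketch below is an added example, not code from Dr.Web's report or this article; the event line format, the sample events and the thresholds are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Process names the article says the Trojan terminates.
WATCHED = ["safedog", "aegis", "yunsuo", "clamd", "avast", "avgd", "cmdavd",
           "cmdmgd", "drweb-configd", "drweb-spider-kmod", "esets", "xmirrord"]
# The kernel's comm field holds at most 15 characters, so telemetry built on
# it reports "drweb-spider-km"; index the list by the truncated form.
BY_COMM = {name[:15]: name for name in WATCHED}

# Constructed sample events, not real telemetry. Assumed line format:
# timestamp  event  comm  pid  signal  sender_pid
SAMPLE = """\
2025-01-01T10:00:00 exit nginx 812 0 0
2025-01-01T10:00:01 exit clamd 1401 9 4242
2025-01-01T10:00:01 exit drweb-spider-km 1450 9 4242
2025-01-01T10:00:02 exit esets 1502 9 4242
2025-01-01T10:05:00 exit avgd 1600 15 1
"""

def parse(text):
    """Yield (time, agent, signal, sender_pid) for signalled exits of watched agents."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[1] != "exit":
            continue
        ts, _, comm, _pid, sig, sender = parts
        agent = BY_COMM.get(comm[:15])
        if agent and int(sig) != 0:
            yield datetime.fromisoformat(ts), agent, int(sig), int(sender)

def detect_bursts(text, window_s=60, min_agents=2):
    """Alert when one sender signals >= min_agents distinct agents within window_s."""
    window, by_sender, alerts = timedelta(seconds=window_s), {}, []
    for ev in parse(text):
        by_sender.setdefault(ev[3], []).append(ev)
    for sender, evs in sorted(by_sender.items()):
        evs.sort()
        best, start = [], 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            agents = sorted({e[1] for e in evs[start:end + 1]})
            if len(agents) > len(best):
                best = agents
        if len(best) >= min_agents:
            alerts.append({"sender_pid": sender, "agents": best})
    return alerts

if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE):
        print(alert)
```

A single agent stopped by PID 1, as in the last sample line, stays below the threshold, so an ordinary service restart does not raise an alert.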
When everything is ready, the Trojan performs its main function: mining cryptocurrency.
In addition, the Trojan downloads and runs other malware, collects information about all remote servers the infected host has connected to over SSH, and attempts to connect to them in order to spread itself to more systems.
Dr.Web has published the SHA1 file hashes of each component of the Trojan on GitHub:
https://github.com/DoctorWebLtd/malware-iocs/tree/master/Linux.BtcMine.174
For more information, see Dr.Web's report:
https://vms.drweb.com/virus/?i=17645163