Bibliothèque
Ma bibliothèque

+ Ajouter à la bibliothèque

Contacter-nous !
Support 24/24 | Rules regarding submitting

Nous téléphoner

0 825 300 230

Forum

Vos requêtes

  • Toutes : -
  • Non clôturées : -
  • Dernière : le -

Nous téléphoner

0 825 300 230

Profil

Linux.DnsAmp.3

Added to the Dr.Web virus database: 2014-04-22

Virus description added:

A group of Linux Trojans designed to carry out DDoS attacks. These Trojans can infect 32-bit (Linux.DnsAmp.3) and 64-bit (Linux.DnsAmp.4) versions of Linux.

In fact, these malicious programs are modifications of Linux.DnsAmp.1 and Linux.DnsAmp.2. The difference lies in the number of commands they can execute.

Once launched, this Trojan automatically registers itself in the OS autorun list by modifying the etc/rc.d/rc.local file. Then the Trojan creates two threads. Though each of these threads executes the same actions, they employ different command and control servers for their work.

Once the connection to the command and control server is established, the Trojan starts gathering information about the infected system. This information can include the following data:

  • OS name and version
  • Free memory and Swap cache space
  • CPU frequency
  • Data from the dosset.dtdb file (the data is written in the file after a corresponding command is received from the command and control server)

The data acquired by the Trojan is forwarded to the remote command and control server. Then the malware awaits further commands. If the Trojan cannot receive a command, it gathers additional information and sends it to the command and control server.

Depending on the command key value (DWORD values at zero offset), the malicious program can execute the following actions:

KeyCommand
0x99Terminate a DDoS attack.
0x4DEEnter the data in dosset.dtdb.
0x88 && (attack has not been launched yet)Launch a DDoS attack.

A DDoS attack command looks as follows:

OffsetMeaning
76Victim’s IP or domain (C string)
48Number of threads used for the attack
40Attack type

Trojans belonging to this group can launch the following attacks:

  • SYN Flood (repetitive sending of a specially generated package to the attacked host until the host stops responding)
  • UDP Flood (after establishing a connection to the attacked host over the UDP protocol, the Trojan attempts to send the victim 1,000 messages)
  • Ping Flood (an echo request with the process PID as an identifier is generated over the ICMP protocol (data is the HEX value 0xA1B0A1B0))
  • Sending requests to DNS servers (DNS Amplification)
  • Sending requests to NTP servers (NTP Amplification—implemented, but not used, in older versions of these Trojans)

Recommandations pour le traitement


Linux

Veuillez lancer le scan complet de toutes les partitions du disque à l'aide de Dr.Web Antivirus pour Linux.

Version démo gratuite

Pour 1 mois (sans enregistrement) ou 3 mois (avec enregistrement et remise pour le renouvellement)

Télécharger Dr.Web

Par le numéro de série