Trustaira Blog
January 29, 2017        Trustaira Staff

There is a common belief among IT professionals that Linux-based devices are not affected by malware or viruses. This is simply not true!

A recent report published by the Russian antivirus company Dr. Web shows that a cyber-criminal group has turned several thousand Linux-based devices into proxy servers so they can do their dirty work anonymously. A Trojan named "Linux.Proxy.10" is used for this purpose. Unfortunately, the number of infected devices is growing day by day.

“The Trojan, used by cybercriminals to infect numerous Linux network devices, has been named Linux.Proxy.10.” states the report published by Dr. Web. “As the name of this malicious program suggests, it is designed to run a SOCKS5 proxy server on the infected device on the basis of the freeware source code of the Satanic Socks Server. Cybercriminals use this Trojan to ensure that they remain anonymous online.”

To infect devices with Linux.Proxy.10, the criminals try to log in to particular kinds of devices. Which devices attract them most? Devices with an SSH server running, devices that still have default settings in place (default privileges or default passwords), and devices that are already infected with other Linux malware.

Remember, many Linux systems (a desktop Ubuntu installation, for example) do not have an SSH server installed by default. You become exposed to this attack only if you run an SSH server and leave a default or easily guessed username and password in place.

After compromising a device, the attacker creates a backdoor user account with a specific username and password combination. The IP address of each device that has such a backdoor account, together with the account's username and password, is then stored on the criminals' server. The list looks like the picture below.

[Image: list of hacked Linux devices with their backdoor credentials. Source: Dr.Web]

Using this list, the criminals generate a new script.

[Image: the generated script listing the compromised devices. Source: bleepstatic.com]

This script is then run against the already compromised devices using sshpass, which supplies the stored password to the SSH client non-interactively. As a result, the devices end up infected with the Linux.Proxy.10 Trojan. From then on the attacker can route all their illegal online activity through these devices while hiding their true identity.

Dr. Web security researchers were also able to identify one of the servers that distributed the malware. On it they found the list of affected devices, an administrator panel for a spy agent, and a build of Windows malware named "Backdoor.TeamViewer".

[Image: list of malware-affected devices as shown in the administrator panel. Source: Dr.Web]

To stay safe from this, it is highly recommended to harden SSH: restrict remote root login or, better still, disable it completely; replace any default or weak passwords, preferably by switching to key-based authentication and turning password logins off; and regularly monitor user activity, in particular for newly created login accounts.
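The two checks recommended above can be scripted. The following is an added example written for this post, not code from the original article or from Dr. Web: it audits an sshd_config for the settings the attackers rely on (root login and password logins allowed) and detects user accounts that appeared since a baseline copy of /etc/passwd was taken. All input files are constructed samples written to a temporary directory; the backdoor account names in them are made up for illustration, and the fallback values used for directives missing from the config are OpenSSH's historic defaults (PermitRootLogin defaulted to yes before OpenSSH 7.0).

```shell
#!/bin/sh
# Added example for this post (not Dr. Web's or the original author's code).
# Audits sshd_config for weak settings and diffs /etc/passwd snapshots for
# newly created accounts. Inputs below are constructed samples.

TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

# Constructed "factory default" style config: root and password logins allowed.
cat > "$TMP/sshd_config.weak" <<'EOF'
# constructed sample: weak settings
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
EOF

# Constructed hardened counterpart: key-only auth, no root over SSH.
cat > "$TMP/sshd_config.hardened" <<'EOF'
# constructed sample: hardened settings
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
MaxAuthTries 3
EOF

# Effective value of a directive. sshd honours the FIRST occurrence of a
# directive and matches names case-insensitively; a missing directive falls
# back to the default passed as $3. Match blocks are not handled here.
sshd_effective() {  # $1=config file, $2=directive, $3=default value
  v=$(awk -v k="$2" 'tolower($1)==tolower(k) {print tolower($2); exit}' "$1")
  printf '%s\n' "${v:-$3}"
}

# Print one line per weak setting found; print nothing for a clean config.
# Defaults are OpenSSH's historic ones (assumption: PermitRootLogin=yes,
# PasswordAuthentication=yes, PermitEmptyPasswords=no).
audit_sshd_config() {  # $1=config file
  [ "$(sshd_effective "$1" PermitRootLogin yes)" = "yes" ] \
    && echo "PermitRootLogin yes: disable remote root login"
  [ "$(sshd_effective "$1" PasswordAuthentication yes)" = "yes" ] \
    && echo "PasswordAuthentication yes: switch to key-based auth"
  [ "$(sshd_effective "$1" PermitEmptyPasswords no)" = "yes" ] \
    && echo "PermitEmptyPasswords yes: never allow empty passwords"
  return 0
}

# Constructed /etc/passwd baseline and a later snapshot after an intruder
# added two backdoor accounts (names are made up): one ordinary login and
# one with UID 0, which is root by another name.
cat > "$TMP/passwd.before" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
admin:x:1000:1000:admin:/home/admin:/bin/bash
EOF
cat > "$TMP/passwd.after" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
admin:x:1000:1000:admin:/home/admin:/bin/bash
backdoor:x:1001:1001::/home/backdoor:/bin/bash
sysadm:x:0:0::/root:/bin/bash
EOF

# Usernames present in the current snapshot but absent from the baseline.
new_accounts() {  # $1=baseline passwd, $2=current passwd
  awk -F: 'NR==FNR {seen[$1]=1; next} !($1 in seen) {print $1}' "$1" "$2"
}

# Any account other than root with UID 0 is a backdoor whatever it is called.
uid0_accounts() {  # $1=passwd file
  awk -F: '$3==0 && $1!="root" {print $1}' "$1"
}

echo "== weak config ==";     audit_sshd_config "$TMP/sshd_config.weak"
echo "== hardened config =="; audit_sshd_config "$TMP/sshd_config.hardened"
echo "== new accounts ==";    new_accounts "$TMP/passwd.before" "$TMP/passwd.after"
echo "== extra UID 0 ==";     uid0_accounts "$TMP/passwd.after"
```

On a real host, point audit_sshd_config at /etc/ssh/sshd_config and keep a trusted copy of /etc/passwd (for example, on the monitoring server) as the baseline; running new_accounts from cron against the live file catches the backdoor account this campaign creates as soon as it appears.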

Thank you for reading. Feel free to check out other articles on our website.