Dr.WEB has conducted its own investigation into the incidents involving compromised Linux web servers. Its analysts found that a Trojan horse, dubbed Linux.Sshdkit by Dr.Web, was in some cases being used to steal passwords on servers running Linux. The malware is a library file available for 32- and 64-bit Linux distributions. How the Trojan spreads has yet to be determined, but there is reason to believe that it exploits critical vulnerabilities to get installed on attacked servers. The latest Trojan version known to Doctor Web is 1.2.1, while one of the earliest, 1.0.3, has been spreading for quite a while.

Linux.Sshdkit uses a special algorithm to generate two DNS names; if both resolve to the same IP address, that address is converted into a different IP address, to which the Trojan sends the stolen information. The routine used to generate the command server addresses is outlined in the flowchart below. Doctor Web's analysts used a sinkhole to hijack one of Linux.Sshdkit's control servers and thereby confirmed that the Trojan sends stolen logins and passwords to remote hosts.