Description
Researchers have discovered a new botnet, still under active development, that aims to enlist Linux systems into an army of bots able to steal sensitive information, install rootkits, create reverse shells, and operate as web traffic proxies.
Summary
The newly found malware, dubbed B1txor20, targets Linux devices on ARM and x64 CPU architectures. It was first spotted on February 9 by researchers at Netlab 360. A total of four malware samples were captured, providing backdoor, SOCKS5 proxy, malware downloading, data theft, arbitrary command execution, and rootkit installation functionality.
How it works
For its communication channel with the command-and-control (C2) server, B1txor20 uses DNS tunneling. The bot encodes stolen sensitive data, command execution results, and any other information that must be delivered to the C2, and carries it in the name of a DNS request; the C2 returns its payload to the bot inside the DNS response. In this way bot and C2 communicate entirely over the DNS protocol, which is almost always permitted out of a network and is rarely inspected as closely as web traffic.
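The following added example (written for this advisory, not code from Netlab 360 or from the B1txor20 samples) illustrates both halves of the mechanism described above: a generic encoder that packs data into DNS query names, and a detector that scans resolver query logs for the traffic such a tunnel produces. The encoding (base32, sequence-numbered labels) and the log format are textbook illustrations and assumptions of this example; B1txor20's real encoding is not reproduced here. The zone `c2.example`, the payload and the log lines are constructed sample data.

```python
import base64
import math
import re
from collections import defaultdict

# Hypothetical attacker-controlled zone (assumption for this example).
TUNNEL_DOMAIN = "c2.example"


def encode_to_queries(payload, domain, chunk=20):
    """Generic DNS-tunnel encoder (illustration only, not B1txor20's scheme):
    base32 the payload, split it into labels of at most `chunk` chars
    (a DNS label may hold at most 63), and prefix a sequence number so the
    receiver can reassemble the stream even if queries arrive out of order."""
    assert chunk <= 63, "a single DNS label cannot exceed 63 bytes"
    b32 = base64.b32encode(payload).decode().rstrip("=").lower()
    chunks = [b32[i:i + chunk] for i in range(0, len(b32), chunk)]
    return ["%d.%s.%s" % (seq, c, domain) for seq, c in enumerate(chunks)]


def decode_from_queries(queries, domain):
    """Reverse of encode_to_queries: strip the zone, sort by sequence number,
    re-pad the base32 stream and decode it."""
    parts = []
    for q in queries:
        labels = q[: -len(domain) - 1].split(".")
        parts.append((int(labels[0]), labels[1]))
    data = "".join(c for _, c in sorted(parts)).upper()
    data += "=" * (-len(data) % 8)
    return base64.b32decode(data)


def shannon_entropy(s):
    """Bits per character; encoded data scores far higher than hostnames."""
    if not s:
        return 0.0
    freq = defaultdict(int)
    for ch in s:
        freq[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in freq.values())


# Constructed resolver log shape: "<timestamp> <client-ip> query[<type>] <name>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) query\[(?P<qtype>\w+)\] (?P<name>\S+)$")


def analyze(log_lines, min_unique=3, min_len=15, min_entropy=3.5):
    """Flag (client, zone) pairs that issue many distinct queries whose
    subdomain part is long or high-entropy: the signature of data leaving
    a host inside query names. The zone is guessed as the last two labels
    (assumption: no public-suffix list is used in this example)."""
    subs_by_key = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        labels = m["name"].rstrip(".").lower().split(".")
        if len(labels) < 3:          # bare zone, nothing to tunnel
            continue
        zone = ".".join(labels[-2:])
        sub = ".".join(labels[:-2])
        subs_by_key[(m["src"], zone)].add(sub)

    alerts = []
    for (src, zone), subs in sorted(subs_by_key.items()):
        n = len(subs)
        mean_len = sum(len(s) for s in subs) / n
        mean_ent = sum(shannon_entropy(s.replace(".", "")) for s in subs) / n
        if n >= min_unique and (mean_len >= min_len or mean_ent >= min_entropy):
            alerts.append({"src": src, "zone": zone, "unique": n,
                           "mean_len": round(mean_len, 2),
                           "mean_entropy": round(mean_ent, 2)})
    return alerts


# Constructed sample data: one benign client and one tunnelling client.
SAMPLE_PAYLOAD = b"uid=0(root) gid=0(root) groups=0(root)\n"
TUNNEL_QUERIES = encode_to_queries(SAMPLE_PAYLOAD, TUNNEL_DOMAIN)
SAMPLE_LOG = [
    "2022-03-10T12:00:01Z 10.0.0.5 query[A] www.example.com",
    "2022-03-10T12:00:02Z 10.0.0.5 query[A] mail.example.com",
    "2022-03-10T12:00:03Z 10.0.0.5 query[A] cdn.example.com",
    "2022-03-10T12:00:04Z 10.0.0.5 query[AAAA] www.example.com",
] + ["2022-03-10T12:00:%02dZ 10.0.0.77 query[TXT] %s" % (5 + i, q)
     for i, q in enumerate(TUNNEL_QUERIES)]

if __name__ == "__main__":
    for q in TUNNEL_QUERIES:
        print("bot ->", q)
    print("c2 reassembled:", decode_from_queries(TUNNEL_QUERIES, TUNNEL_DOMAIN))
    for a in analyze(SAMPLE_LOG):
        print("ALERT", a)
```

The benign client also queries three distinct names under one zone, so a count threshold alone would be noisy; the detector additionally requires the subdomain part to be long or high-entropy. In production the same features are worth computing per client over a sliding window, together with the ratio of TXT/NULL queries and the volume of NXDOMAIN answers, and the zone should be derived with a public-suffix list rather than the last-two-labels shortcut used here.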
Remediation
Systems are typically enrolled in a botnet either by a worm or other malware that installs the bot, or through exploitation of an unpatched vulnerability in an exposed service or in a browser while visiting a malicious or untrusted website. To limit exposure to B1txor20 and similar DNS-tunneling backdoors: keep Linux hosts and Internet-facing services patched; force all name resolution through internal resolvers and block direct outbound DNS (UDP and TCP port 53) from servers to the Internet; log resolver queries and alert on clients that send many distinct, long or high-entropy subdomain queries to a single zone, or TXT queries from hosts that do not normally issue them; and, because the malware can install a rootkit, treat a confirmed infection as a full compromise and rebuild the host from known-good media rather than attempting in-place cleanup.
The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.
PDF Download: A Linux Backdoor Using DNS Tunnel.pdf