Linux machines are likely targeted because they're usually servers with a lot of bandwidth

Dec 18, 2013 08:03 GMT

Researchers from CERT Poland say they’ve come across what appears to be a new distributed denial-of-service (DDoS) botnet. What’s interesting about it is that the cybercriminals have developed malware to infect both Windows and Linux machines.

According to the experts, the botnet is designed only for DDoS attacks, particularly DNS amplification attacks. When CERT Poland published its report a couple of days ago, the Windows version of the malware was detected by most antivirus engines.

However, the Linux variant of the threat was detected only by a handful of engines.

Once it lands on a device, the Linux malware connects to a command and control (C&C) server through a high TCP port. The bot first gathers information on the infected host, after which it waits for commands.

The infected machine can be commanded to launch one of four types of DDoS attacks against a specified target. Researchers have also found some unimplemented functions, one of which might be designed for DDoS attacks over the HTTP protocol.

In the case of the Windows version of the malware, the infection happens in two stages. In the first phase, a malicious scvhost.exe file is dropped and executed. This component is responsible for registering a new Windows service that keeps the threat persistent across reboots.

In the next phase, the bot connects to a C&C server using a different high TCP port than the Linux variant.

A significant difference between the Windows and Linux versions is that the former requests the IP of the C&C domain via a DNS query to 8.8.8.8, while the latter has the IP address hardcoded in the bot.
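The detail that the Windows bot resolves its C&C domain by querying 8.8.8.8 directly is a useful detection hook on any network where hosts are supposed to use an internal resolver. The following Python is an added example, not code from the CERT Poland report or the article: it scans constructed flow records and reports internal hosts (other than the resolver itself) that send DNS straight to a public resolver. The log format, the internal resolver address 10.0.0.53, the internal address ranges and the sample lines are all assumptions made for this example.

```python
"""Flag internal hosts that bypass the local DNS resolver.

Added example (not from the report or article). Assumptions: flow records
are "<ts> <src> <dst> <proto> <dport>", the only host allowed to talk to
external DNS is the internal resolver 10.0.0.53, and internal space is
10.0.0.0/8 and 192.168.0.0/16.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed internal resolver; only this host should reach external DNS.
INTERNAL_RESOLVER = ip_address("10.0.0.53")
# Public resolvers to watch; 8.8.8.8 is the one named in the report.
PUBLIC_RESOLVERS = {ip_address("8.8.8.8"), ip_address("8.8.4.4")}
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed flow records for the example (not real traffic).
SAMPLE_FLOWS = """\
1387353780 10.0.0.53 8.8.8.8 udp 53
1387353781 10.0.1.17 8.8.8.8 udp 53
1387353782 10.0.1.17 203.0.113.9 tcp 443
1387353783 10.0.2.40 8.8.8.8 udp 53
1387353784 10.0.2.40 8.8.8.8 udp 53
1387353785 192.168.5.5 10.0.0.53 udp 53
1387353786 10.0.1.17 8.8.4.4 udp 53
"""


def parse_flow(line):
    """Parse one whitespace-separated flow record into a dict."""
    ts, src, dst, proto, dport = line.split()
    return {
        "ts": int(ts),
        "src": ip_address(src),
        "dst": ip_address(dst),
        "proto": proto.lower(),
        "dport": int(dport),
    }


def is_internal(addr):
    """True if addr falls inside one of the assumed internal ranges."""
    return any(addr in net for net in INTERNAL_NETS)


def resolver_bypass(flows):
    """Return {src: count} for internal hosts, other than the resolver,
    that send UDP/53 directly to a public resolver."""
    hits = defaultdict(int)
    for f in flows:
        if (
            f["proto"] == "udp"
            and f["dport"] == 53
            and f["dst"] in PUBLIC_RESOLVERS
            and is_internal(f["src"])
            and f["src"] != INTERNAL_RESOLVER
        ):
            hits[str(f["src"])] += 1
    return dict(hits)


def analyze(text):
    """Parse a block of flow records and run the bypass check."""
    flows = [parse_flow(l) for l in text.splitlines() if l.strip()]
    return resolver_bypass(flows)


if __name__ == "__main__":
    for host, n in sorted(analyze(SAMPLE_FLOWS).items()):
        print(f"{host}: {n} direct queries to a public resolver")
```

On the sample data the resolver's own traffic and the host using the internal resolver are ignored, while 10.0.1.17 and 10.0.2.40 are each reported with two direct queries. The same logic applies to any fixed external resolver a bot might use; the Linux variant, with its hardcoded C&C address, would not trigger this check, which is why it complements rather than replaces egress monitoring of unusual high TCP ports.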

Experts believe that the attackers are targeting Linux machines because they’re often used as servers, which means they have considerable network bandwidth. Since the threat’s sole purpose is to launch DDoS attacks, bandwidth is what matters most.