Duo of Linux trojans used to launch SSH brute-force attacks

Oct 3, 2015 16:11 GMT  ·  By

Two malware families, Linux.Ellipsis.1 and Linux.Ellipsis.2, are infecting Linux machines: the former sets up a proxy that helps the latter brute-force SSH accounts and gain remote access to the infected machine.

Both malware families were identified by the Russian antivirus company Dr.Web, whose researchers have always seen them working together in their attempts to compromise targeted Linux machines.

As Dr.Web researchers explain, once Linux.Ellipsis.1 has been downloaded onto a Linux system it begins by removing its own working directory, flushing the iptables firewall rules, and killing the processes used for logging and for analyzing Web traffic.

It then deletes existing system log files and directories, replaces them, and changes their permissions, effectively leaving the logging subsystem unusable.

Next, the trojan modifies /etc/coyote/coyote.conf by adding a password alias so that the real password does not appear in the domain.xml file, and then deletes a series of system tools from /bin/, /sbin/, and /usr/bin/. If the deletion fails, it sets the immutable attribute (the one applied with chattr +i) on some of the files those tools need, so that they are rendered inoperable even when everything else fails.
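The anti-forensic steps above leave artifacts a responder can look for: core tools missing from the PATH or pinned immutable, log paths that have been removed or replaced, and a filter table holding nothing but default policies. The following triage script is an added example written for this page; it is not Dr.Web's code and not a detection signature for the trojan. The tool and log lists are assumptions to tune per distribution, and treating a log path that has turned into a directory as a sign of the "remove and replace" step is an assumed heuristic. The filesystem and iptables probes are injectable so the same logic can be exercised on constructed data.

```python
import os
import shutil
import subprocess

# Tools a responder relies on and that the write-up says the trojan deletes
# or pins with the immutable attribute. Assumed list; tune per distribution.
CORE_TOOLS = ["ls", "ps", "netstat", "ss", "lsof", "iptables",
              "lsattr", "chattr", "tcpdump", "find"]

# Log locations reported as removed and replaced. Assumed list; some are
# distribution-specific (auth.log on Debian, secure on RHEL), so a missing
# entry needs context before it is called a finding.
LOG_PATHS = ["/var/log/auth.log", "/var/log/secure", "/var/log/syslog",
             "/var/log/messages", "/var/log/wtmp", "/var/log/btmp"]


def lsattr_flags(path):
    """Attribute string for path, e.g. '----i---------e-------'; '' on
    failure (lsattr itself may be among the deleted tools)."""
    try:
        out = subprocess.run(["lsattr", "-d", path],
                             capture_output=True, text=True, check=False)
    except OSError:
        return ""
    if out.returncode != 0 or not out.stdout.strip():
        return ""
    return out.stdout.split()[0]


def is_immutable(flags):
    """lsattr uses lowercase 'i' only for the immutable attribute."""
    return "i" in flags


def iptables_rules():
    """Lines of `iptables -S` for the filter table, or None if unavailable
    (not root, binary deleted, no netfilter)."""
    try:
        out = subprocess.run(["iptables", "-S"],
                             capture_output=True, text=True, check=False)
    except OSError:
        return None
    return out.stdout.splitlines() if out.returncode == 0 else None


def firewall_flushed(rules):
    """True when the filter table holds nothing but default chain policies,
    which is exactly what a rule flush leaves behind."""
    return (rules is not None and len(rules) > 0
            and all(r.startswith("-P ") for r in rules))


def triage(tools=CORE_TOOLS, logs=LOG_PATHS, rules=None,
           which=shutil.which, exists=os.path.exists,
           isdir=os.path.isdir, flags=lsattr_flags):
    """Return (kind, subject) findings. Probes default to the live host;
    pass replacements to run the logic against constructed data."""
    findings = []
    for name in tools:
        path = which(name)
        if path is None:
            findings.append(("missing_tool", name))
        elif is_immutable(flags(path)):
            findings.append(("immutable_binary", path))
    for lp in logs:
        if not exists(lp):
            findings.append(("missing_log", lp))
        elif isdir(lp):
            findings.append(("log_replaced_by_dir", lp))
        elif is_immutable(flags(lp)):
            findings.append(("immutable_log", lp))
    if rules is None:
        rules = iptables_rules()
    if firewall_flushed(rules):
        findings.append(("firewall_flushed", "filter"))
    return findings


if __name__ == "__main__":
    for kind, subject in triage():
        print(f"{kind}: {subject}")
```

Run it as root from a known-good copy of the tools (a mounted rescue image or a statically linked busybox) rather than from the suspect PATH, since on a host that matches the description, `lsattr` and `iptables` themselves may be among the deleted binaries and the script will then report only what it can still see.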

The proxy is used in launching brute-force attacks on Linux machines with accessible SSH connections

All of this serves to hide the malware's activity from prying eyes so that it can set up a proxy server on the infected machine and redirect all Web traffic connections through it.

Linux.Ellipsis.1 then starts communicating with a C&C server, which monitors the local traffic and issues orders on which kinds of connections to block, for which IP addresses and on which ports. A local word list is also used to block incoming or outgoing traffic, either temporarily or permanently.

This is quite an elaborate setup, and according to Dr.Web researchers it exists to serve Linux.Ellipsis.2, which infects the same machines, hides its activity in the same way as Linux.Ellipsis.1, and then uses the infected machine's CPU to carry out brute-force attacks.

For this, the malware works through a list of common username:password combinations, and whenever an SSH login succeeds it sends the credentials to its C&C server.
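From the target's side, a credential-list attack of this kind shows up in sshd's log as a burst of "Failed password" lines from one source address spread across many usernames, sometimes followed by an "Accepted password" from the same address. The detector below is an added example written for this page, not Dr.Web's code and not the trojan's own logic; it walks standard OpenSSH auth.log lines in order, flags a source once it accumulates a threshold of failures inside a time window, and raises a second alert if a login from a flagged source then succeeds. The sample log is constructed, the year (absent from syslog timestamps) is assumed, and the window and threshold values are illustrative.

```python
import re
from collections import defaultdict
from datetime import datetime

# OpenSSH password events as sshd writes them to auth.log / secure
# (syslog format: no year, single-digit days padded with a space).
_EVENT = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<kind>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2$"
)

# Constructed sample: one source walks a short username:password list
# against the host and then gets in as root; a second source is a
# legitimate user who mistyped once. Addresses are documentation ranges.
SAMPLE_LOG = """\
Oct  3 14:02:01 web1 sshd[2311]: Failed password for invalid user admin from 203.0.113.45 port 51232 ssh2
Oct  3 14:02:03 web1 sshd[2313]: Failed password for root from 203.0.113.45 port 51240 ssh2
Oct  3 14:02:04 web1 sshd[2315]: Failed password for invalid user test from 203.0.113.45 port 51251 ssh2
Oct  3 14:02:06 web1 sshd[2317]: Failed password for invalid user oracle from 203.0.113.45 port 51266 ssh2
Oct  3 14:02:07 web1 sshd[2319]: Failed password for root from 203.0.113.45 port 51270 ssh2
Oct  3 14:02:09 web1 sshd[2321]: Failed password for invalid user user from 203.0.113.45 port 51281 ssh2
Oct  3 14:02:11 web1 sshd[2323]: Accepted password for root from 203.0.113.45 port 51290 ssh2
Oct  3 14:05:40 web1 sshd[2350]: Failed password for alice from 198.51.100.7 port 40022 ssh2
Oct  3 14:05:46 web1 sshd[2352]: Accepted password for alice from 198.51.100.7 port 40022 ssh2
"""


def parse(line, year):
    """Return (timestamp, kind, user, ip) for a password event, else None."""
    m = _EVENT.match(line)
    if not m:
        return None
    stamp = " ".join(m["ts"].split())          # collapse "Oct  3" to "Oct 3"
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return ts, m["kind"], m["user"], m["ip"]


def analyze(lines, year=2015, window=60, threshold=5):
    """Flag a source IP once it reaches `threshold` failed password attempts
    within `window` seconds, then flag any later successful login from it.
    Lines are assumed to be in chronological order, as in a log file."""
    recent = defaultdict(list)      # ip -> [(ts, user), ...] inside the window
    flagged = set()
    alerts = []
    for line in lines:
        ev = parse(line, year)
        if ev is None:
            continue
        ts, kind, user, ip = ev
        if kind == "Failed":
            hist = recent[ip]
            hist.append((ts, user))
            while hist and (ts - hist[0][0]).total_seconds() > window:
                hist.pop(0)             # expire attempts outside the window
            if len(hist) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"type": "bruteforce", "ip": ip,
                               "attempts": len(hist),
                               "users": sorted({u for _, u in hist}),
                               "at": ts.isoformat()})
        elif ip in flagged:
            # A success from a source already caught guessing is the event
            # that matters most: a credential from the list worked.
            alerts.append({"type": "success_after_bruteforce", "ip": ip,
                           "user": user, "at": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG.splitlines()):
        print(alert)
```

The distinct-username spread in the first alert is the useful discriminator: a user mistyping a password produces repeated failures for one account, while a list of common username:password pairs produces failures across many. In production this job belongs to a tool such as fail2ban or sshguard (and to key-only authentication, which removes the attack surface altogether); the point here is the signal, not the tooling. Because syslog timestamps carry no year, a log spanning New Year needs the year handled per line rather than fixed as it is here.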