First infections occurred around the start of October

Dec 3, 2015 22:04 GMT  ·  By

Linux users are about to get a nasty surprise for Christmas in the form of a new trojan targeting the Linux operating system, discovered by Dr.Web, a Russia-based antivirus maker, and named Rekoobe (or, by its full detection name, Linux.Rekoobe.1).

Security researchers first observed the trojan at the beginning of October, but it took them some time to work out its behavior and document its activity.

Rekoobe can target 32- and 64-bit Linux machines

According to Dr.Web's staff, the first version of the trojan only targeted Linux systems on the SPARC architecture, but it didn't take long before an upgraded version appeared that could also run on Linux PCs with Intel-compatible processors, in both 32-bit (x86) and 64-bit (x86-64) builds.

Internally, the trojan is extremely simple, but it takes some steps to hinder analysis. Its configuration file is obfuscated with a XOR cipher, which keeps the file's contents out of the binary's plain-text strings, and in some instances it connects to its C&C server through a proxy to hide the location of the master server. Worth noting for anyone triaging a sample: XOR with a short, fixed key is obfuscation rather than real encryption, and a few bytes of predictable configuration content are usually enough to recover the key and read the whole file.
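To show why a XOR-obfuscated configuration file offers little real protection, here is an added example (not code from the article or from Dr.Web's analysis) that recovers the key from a constructed sample blob. The key=value layout, the three-byte key, the single-byte variant and the "host=" crib are all assumptions made for the demonstration; nothing here reflects Rekoobe's actual file format.

```python
"""Recovering an XOR-obfuscated configuration blob (added example).

The sample plaintext, key and key=value layout below are constructed for
illustration and are not taken from the real malware. The point is that
XOR with a short repeating key is obfuscation, not encryption: a few bytes
of known plaintext (a "crib") give the key, and the whole file falls out.
"""

from __future__ import annotations

from itertools import cycle


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key; encrypting and decrypting are the same op."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def key_from_crib(blob: bytes, crib: bytes, offset: int, key_len: int) -> bytes:
    """Known-plaintext attack: if `crib` is the plaintext at `offset` and covers
    at least one full key period, every key byte is blob[p] ^ crib[p - offset]."""
    if len(crib) < key_len:
        raise ValueError("crib must cover at least one full key period")
    key = bytearray(key_len)
    for i in range(key_len):
        p = offset + i
        key[p % key_len] = blob[p] ^ crib[i]
    return bytes(key)


def printable_fraction(data: bytes) -> float:
    """Fraction of bytes that look like text (printable ASCII, CR, LF, TAB)."""
    ok = sum(1 for b in data if 0x20 <= b <= 0x7E or b in b"\r\n\t")
    return ok / len(data) if data else 0.0


def brute_force_single_byte(blob: bytes, crib: bytes = b"") -> tuple[int, bytes]:
    """Try all 256 single-byte keys; prefer outputs containing `crib`, then the
    most text-like output. Returns (key, plaintext)."""
    best = None
    for k in range(256):
        out = xor_bytes(blob, bytes([k]))
        score = (crib in out if crib else True, printable_fraction(out))
        if best is None or score > best[0]:
            best = (score, k, out)
    return best[1], best[2]


def parse_config(plain: bytes) -> dict[str, str]:
    """Split key=value lines; blank or malformed lines are ignored."""
    cfg: dict[str, str] = {}
    for line in plain.decode("ascii", errors="replace").splitlines():
        if "=" in line:
            k, v = line.split("=", 1)
            cfg[k.strip()] = v.strip()
    return cfg


# Constructed sample: RFC 5737 documentation address and a made-up key.
SAMPLE_PLAIN = b"host=198.51.100.23\nport=443\nproxy=none\ntimeout=30\n"
SAMPLE_KEY = b"\x5a\xc3\x17"
SAMPLE_BLOB = xor_bytes(SAMPLE_PLAIN, SAMPLE_KEY)


def recover_sample() -> dict[str, str]:
    """Assume the file starts with 'host=' (the crib) and the key is 3 bytes long."""
    key = key_from_crib(SAMPLE_BLOB, b"host=", offset=0, key_len=len(SAMPLE_KEY))
    return parse_config(xor_bytes(SAMPLE_BLOB, key))


if __name__ == "__main__":
    print("recovered:", recover_sample())
    k, _ = brute_force_single_byte(xor_bytes(SAMPLE_PLAIN, b"\x5a"), crib=b"proxy=")
    print("single-byte key: 0x%02x" % k)
```

In practice the key length is unknown; the usual approach is to try small lengths with key_from_crib and keep the one whose output parses cleanly, or to run the single-byte brute force first since that is the most common case in cheap droppers.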

As for its capabilities, the trojan can't do much by itself, but the little it does is more than enough to turn into a full compromise if the operator wants one.

Rekoobe can execute only three operations:
→ download files from its C&C server
→ upload files to the C&C server
→ execute commands on the local shell

A tiny but powerful threat

While many might dismiss Rekoobe as harmless or a mere nuisance, its minimal design lets attackers vary their approach and deliver more powerful payloads to infected systems: anything the operators want to run can simply be downloaded and executed through the backdoor that is already in place.

The fact that the trojan encrypts its configuration file and uses a complicated mechanism for validating C&C communications shows that its operators took care to ensure their tool can't easily be taken over or analyzed by others.

We may be watching a new malware strain being born, with Linux.Rekoobe.1 being just an alpha stage in the trojan's development.