Trojan is not yet finished, still a work in progress

Sep 9, 2016 08:40 GMT

A new trojan coded in Rust is targeting Linux-based platforms and adding them to a botnet controlled through an IRC channel, according to a recent discovery by Dr.Web, a Russian antivirus maker.

Initial analysis of this trojan, detected as Linux.BackDoor.Irc.16, suggests it may be only a proof of concept or a test build released ahead of a fully weaponized version.

Currently, the trojan only infects victims, gathers information about the local system and sends it to its C&C server.

Trojan controlled via an IRC channel

The trojan, which is coded in Rust, a programming language sponsored by the Mozilla Foundation, also integrates the "irc" Rust library by Aaron Weiss in order to communicate over the IRC protocol with a remote public IRC channel.

At the time of writing, the channel hardcoded in the trojan's configuration is offline.

All trojans that infect a target will automatically connect to this IRC channel and wait for commands.

The hacker in control of this IRC channel can submit a message to the channel's public chat, and all connected bots will parse this message and execute it.
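A defender-side illustration of the control model described above, added here and not taken from the article or from Dr.Web's analysis: it parses captured plaintext IRC lines and flags hosts that register, join a channel, and then post to that channel after a channel message arrives. The record format, hosts, nicks and channel name are constructed, and the "posts after a channel message" heuristic is an assumption, as is the availability of unencrypted traffic.

```python
from collections import defaultdict

# Constructed sample records: (source host, direction, raw IRC line).
# Hosts, nicks, channel name and message text are made up for illustration.
SAMPLE = [
    ("10.0.0.5", "out", "NICK host5"),
    ("10.0.0.5", "out", "USER host5 0 * :host5"),
    ("10.0.0.5", "out", "JOIN #example"),
    ("10.0.0.5", "in", ":op!u@h PRIVMSG #example :<operator message>"),
    ("10.0.0.5", "out", "PRIVMSG #example :<reply>"),
    ("10.0.0.9", "out", "NICK alice"),
    ("10.0.0.9", "out", "USER alice 0 * :Alice"),
    ("10.0.0.7", "out", "GET / HTTP/1.1"),
]

def parse_irc(line):
    """Split an RFC 1459 style message into (prefix, COMMAND, params)."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    parts = head.split()
    if not parts:
        return prefix, "", []
    return prefix, parts[0].upper(), parts[1:] + ([trailing] if sep else [])

def flag_hosts(records):
    """Return {host: answered} for hosts that registered and joined a channel.
    answered is True when the host posted to a joined channel after a
    message arrived there (assumed heuristic for command/response use)."""
    reg = defaultdict(set)        # host -> registration commands sent
    chans = defaultdict(set)      # host -> channels joined
    prompted = defaultdict(set)   # host -> channels where a message arrived
    hits = {}
    for host, direction, line in records:
        _, cmd, params = parse_irc(line)
        target = params[0].lower() if params else ""
        if direction == "in":
            if cmd == "PRIVMSG" and target in chans[host]:
                prompted[host].add(target)
        elif cmd in ("NICK", "USER"):
            reg[host].add(cmd)
        elif cmd == "JOIN" and target and reg[host] >= {"NICK", "USER"}:
            chans[host].update(c for c in target.split(",") if c)
            hits.setdefault(host, False)
        elif cmd == "PRIVMSG" and target in prompted[host]:
            hits[host] = True
    return hits
```

On a server fleet where no interactive IRC use is expected, any host returned here merits a look, whether or not `answered` is set.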

Trojan is still a work in progress

The trojan currently supports only a limited set of commands, which is why Dr.Web researchers consider it to be work-in-progress malware.

Researchers say the botnet's operator can currently only query a bot for its technical specifications, retrieve a list of running processes (apps), and kill the malware, if they want to remove a bot. There's also support for a feature that updates the trojan's source code, but it has not yet been fully implemented.

"Linux.BackDoor.Irc.16 was designed to be a cross-platform Trojan—to make a version for Windows, for example, cybercriminals can just recompile this malware program," the Dr.Web team says.

Previously, security researchers have discovered Linux malware coded in languages such as Go (Rex) and Lua (LuaBot), but most of it is coded in C or C++ (Mirai).

Below is a screenshot of what the botnet's IRC channel would look like, as reconstructed by Dr.Web's researchers.

IRC channel used to control the trojan's botnet