Linux.BackDoor.Xunpes trojan lets cyber-crooks take control and execute commands on your Linux machine

Jan 25, 2016 10:54 GMT  ·  By

Threats to Linux computers are now appearing on a regular basis, and what was once dubbed a "no-virus zone" has started being targeted by malware authors.

The latest of such threats is a trojan with backdoor capabilities named Linux.BackDoor.Xunpes, discovered by Dr.Web security researchers over the weekend.

According to the Russian antivirus maker, the trojan consists of two components. The first is a dropper written in Free Pascal, tasked with infecting the computer and then downloading the second component: the actual payload, the main body of the backdoor, coded in C.

In the case of Linux.BackDoor.Xunpes, the dropper is hidden inside an app for making Bitcoin payments (here, Bitcoin ATM from Pay MaQ), which explains how the malware reaches Linux computers. While the dropper itself is fairly generic and has been used by other malware families, the backdoor component, despite being quite small, supports a considerable number of commands.

The backdoor includes support for various operations

Once the malware is running on a computer, its operator can send over 40 different types of commands to the infected host. All commands are relayed through a C&C (command and control) server, which allows the backdoor's owner to remain semi-anonymous.

After analyzing the trojan's source code, Dr.Web security researchers said that Linux.BackDoor.Xunpes can execute some of the following commands:

→  Download other files
→  Launch files into execution
→  Copy files
→  Rename files
→  Delete files
→  Create folders
→  Delete folders
→  Run bash commands
→  Simulate keystrokes
→  Log keystrokes
→  Upload keylogger files to a server
→  Take a screenshot of the desktop
→  Upload screenshots to a server
→  Snoop on the status of open sockets
→  End communications
→  Turn itself off

Linux malware numbers are growing

Last week, a similar trojan with screenshotting capabilities was also discovered. That trojan was named Linux.Ekocms and caused quite a stir, being one of the first Linux malware pieces with fully working screengrab capabilities ever detected.

If that's not scary enough, there's also the Linux.Encoder ransomware that's been terrorizing server admins in the past few months. Fortunately, Bitdefender researchers have managed to crack the ransomware time and time again.

And let's not forget the XOR DDoS malware and the Linux.Rekoobe trojan, also targeting Linux machines only.

While Linux users thought their operating system was special or somehow impenetrable by malware, they're now waking up and facing the cold hard truth. Linux was never "magically" impregnable when it came to security, and as their operating system becomes more popular, malware authors will focus more of their efforts on their precious OS.

UPDATE: Added more elaborate information about the dropper component.

Image: Backdoor trojan discovered targeting Linux machines
Image: Bitcoin payments app through which the trojan infects Linux computers