Library
My library

+ Add to library

Profile

Linux.Proxy.10

Added to the Dr.Web virus database: 2017-01-24

Virus description added:

SHA1:

  • f23c4e3dd93bc54ec67dc97023c0b1251a6ca784

Linux Trojan is designed to set up a SOCKS5 proxy server on the infected computer on the basis of the freeware source codes of the Satanic Socks Server.

To distribute the Trojan, cybercriminals log in to the vulnerable devices via the SSH protocol. The list of vulnerable devices, as well as the logins and passwords that go with them, are stored on the server belonging to the cybercriminals. The lists look like this:

IP address:login:password

An example of such list can be seen in the following picture:

screen Linux.Proxy.10 #drweb

It is notable that users with such account details are usually created by other Linux Trojans. A script is generated with the help of this list, and it runs on the attacked devices using sshpass.

screen Linux.Proxy.10 #drweb

Port for access to proxy server is saved in the Trojan’s body during its compilation. Examined samples use the following ports:

18902
27891
28910
33922
37912
39012
48944
49082
49098
56494
61092
61301

News about the Trojan

Curing recommendations


Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Free trial

One month (no registration) or three months (registration and renewal discount)

Download Dr.Web

Download by serial number