- A+
The trojan also installs a rootkit and another malware variant that can lead to denial-of-service conditions该木马还安装了一个rootkit和另一个可能导致拒绝服务条件的恶意软件变种
Perhaps the malware variants that affect Linux users are not as common as threats to Windows users, but Linux malware becomes increasingly functional and complex, consider digital forensics specialists in the International Institute of Cyber Security.可能影响Linux用户的恶意软件变种不像对Windows用户的威胁那么常见,但Linux恶意软件变得越来越功能和复杂,考虑到国际网络安全研究所的数字取证专家。
The most recent sample of this trend is a trojan discovered this month by an antivirus developing firm;这种趋势的最新样本是一个反病毒开发公司本月发现的特洛伊木马; it is a malware that does not have a specific name yet, but has been tracked as Linux.BtcMine.174 .它是一种没有特定名称的恶意软件,但已被追踪为Linux.BtcMine.174 。 This trojan is a little more complex than most functional malware in Linux, mainly due to the large amount of malicious functions it is capable of performing.这个木马比Linux中的大多数功能恶意软件复杂一点,主要是因为它能够执行大量的恶意功能。
It's a gigantic shell script of over a thousand lines of code.这是一个超过一千行代码的巨大shell脚本。 This script is the first file executed on an infected Linux system.此脚本是在受感染的Linux系统上执行的第一个文件。 The first thing it does is look for a folder on the disk with writing permissions to be copied, then the malware uses that folder to download other modules, as reported by the cybersecurity and digital forensics specialists.它首先要做的是在磁盘上查找具有要复制的写入权限的文件夹,然后恶意软件使用该文件夹下载其他模块,如网络安全和数字取证专家所报告的那样。
When the trojan gets access to a foothold in the system, it uses the privilege escalation exploits CVE-2016-5195 (aka Dirty Cow) or CVE-2013-2094 to gain full access to the attacked operating system.当木马进入系统中的立足点时,它使用权限升级利用CVE-2016-5195 (又名Dirty Cow)或CVE-2013-2094来获得对受攻击操作系统的完全访问权限。 The trojan is then configured as a local daemon, and even downloads the nohup utility to achieve this operation if the utility is not already present in the system.然后将该木马配置为本地守护进程,如果该实用程序尚未存在于系统中,甚至可以下载nohup实用程序来实现此操作。
Once the trojan extends its domain over the infected system, it begins with the execution of its main task, the silent cryptocurrency mining ( cryptojacking ).一旦特洛伊木马在受感染的系统上扩展其域,它就开始执行其主要任务 - 静默加密货币挖掘( cryptojacking )。 The trojan first scans the system looking for cryptomining processes of rival variants, ends them and finally downloads and begins the execution of its own Monero mining operation.该木马首先扫描系统,寻找竞争变种的加密过程,结束它们并最终下载并开始执行其自己的Monero挖掘操作。 Malware also downloads and executes additional malicious software, known as the Bill.Gates trojan, a known malware strain for denial-of-service (DDoS) attacks, but also includes backdoor-like functions.恶意软件还会下载并执行其他恶意软件,称为Bill.Gates木马,这是一种用于拒绝服务(DDoS)攻击的已知恶意软件,但也包括类似后门的功能。
The trojan is capable of performing even more functions, it also looks for process names associated with Linux-based antivirus software and will end its execution.该木马能够执行更多功能,它还会查找与基于Linux的防病毒软件相关的进程名称,并将终止其执行。 Digital forensics specialists say they have seen trojans capable of stopping antivirus processes that have names such as safedog, aegis, yunsuo, clamd, avast, avgd, cmdmgd, drweb-configd, drweb-spider-kmod, esets, xmirrord. 数字取证专家表示,他们已经看到了能够阻止防病毒进程的特洛伊木马程序,例如safedog,aegis,yunsuo,clamd,avast,avgd,cmdmgd,drweb-configd,drweb-spider-kmod,esets,xmirrord。
Despite all the functions that the Linux.BtcMine.174 trojan is capable to perform, it seems that its developers were not satisfied.尽管Linux.BtcMine.174木马能够执行所有功能,但它的开发人员似乎并不满意。 According to researchers in cybersecurity and digital forensics, the trojan is also added as an automatic execution entry to files such as /etc/rc.local,/etc/rc.d/… and /etc/cron.hourly ;根据网络安全和数字取证的研究人员的说法,该木马也被添加为文件的自动执行条目,例如/etc/rc.local,/etc/rc.d/...和/etc/cron.hourly ; to then download and run a rootkit.然后下载并运行rootkit。
Specialists claim that this rootkit component has even more intrusive features, such as the ability to steal user-entered passwords and hide files on the system, network connections, and running processes.专家声称,这个rootkit组件具有更多的侵入性功能,例如窃取用户输入的密码和隐藏系统上的文件,网络连接和运行进程的能力。
As if it were not enough, the trojan will also run a function to gather information about the remote servers that the infected host has connected through SSH and try to connect to those machines as well, thus propagating the infection.好像这还不够,该木马还将运行一个功能来收集有关被感染主机通过SSH连接的远程服务器的信息,并尝试连接到这些机器,从而传播感染。 Researchers believe this is the main method of distributing malware.研究人员认为这是分发恶意软件的主要方法。
