Linux Alert: New Malware, Dubbed Linux/Rakos, Can Compromise Servers And Devices

A new Linux malware, dubbed Linux/Rakos, has been detected by malware researchers at the Slovakia-based security firm ESET. The malware is written in Go (the open-source language created by Google). Linux users had been complaining on forums that their embedded devices were being overloaded by unknown network and computing processes; in fact, Linux/Rakos was using those devices to run its malicious code. The Linux/Rakos binary is compressed with the standard UPX packer. This Linux malware is capable of compromising servers as well as embedded devices.

How Linux/Rakos Works

First, the malware scans for open SSH ports. Then it brute-forces its way into SSH services that are protected by weak credentials. Almost every Linux malware family gains its initial access the same way; what sets Linux/Rakos apart is that it can compromise both servers and embedded devices. After compromising a server or embedded device, Linux/Rakos enrols it in a botnet, and through the command and control servers the attackers can carry out various malicious activities through it. Devices protected with simple, easily guessed passwords are compromised with little effort. According to the researchers, in some cases even devices that had been given strong passwords ended up under the malware's control: these devices exposed online services and, after a factory reset, had reverted to their default credentials, which the malware then used to get in.

Step 1

To start the brute-force attack, the bot loads a configuration file through stdin (standard input). The file is written in YAML, a human-readable data serialization language, and contains the list of command and control servers and the list of credentials the malware uses in its brute-force attack.

Step 2

After that, Linux/Rakos starts an HTTP service on the local host (http://127.0.0.1:61314). According to the ESET researchers, the purpose behind this is still unclear, but there could be two reasons for it. First, it gives future versions of the bot a cunning way to kill the running instances regardless of their name, by requesting http://127.0.0.1:61314/et; second, it tries to parse a URL query for the parameters “ip”, “u” and “p” when http://127.0.0.1:61314/ex is requested.

A previous version of this malware also scanned IP addresses for the SMTP service; the current version only scans the IP ranges it receives from the command and control servers, looking for open SSH ports. The current version of Linux/Rakos also creates a web server listening on all interfaces.

After Getting Access to the Device

Once Linux/Rakos has access to a device, it runs two commands, “id” and “uname -m”, to learn the privileges it has and the hardware architecture, and so to check whether it is possible to upload further malicious code to the target device. The attackers can also update the YAML configuration file from the backend through the command and control servers.

This malware uses the following command and control servers to take commands:

  • 185.14.29.65
  • 185.82.216.125
  • 195.123.210.100
  • 185.20.184.117
  • 193.169.245.68
  • 46.8.44.55
  • 5.34.180.64
  • 5.34.183.231
  • 217.12.208.28
  • 185.14.30.78
  • 217.12.203.31

Mitigation

This malware has no persistence mechanism and does not survive a system reboot. To clean an infected device, follow these steps:

•    Connect to your device through SSH or Telnet.

•    Locate the process named “.javaxxx”.

•    Confirm, using commands such as “netstat” and “lsof -n”, that this process is the one responsible for the unwanted and unknown connections.

•    (Optionally) collect forensic evidence by dumping the memory space of the corresponding process (with gcore, for example). You can also recover the deleted sample from /proc with cp /proc/{pid}/exe {output_file}.

•    Kill the process with -KILL.

Killing the process, or rebooting, only removes the running bot. Unless the weak or default SSH credentials that let it in are replaced, the device will simply be brute-forced again.
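The command and control list above, the local HTTP service from Step 2 and the clean-up steps just described, combined into one POSIX shell triage helper. This is an added example, not the page's or ESET's tooling. It assumes the bot's process name begins with “.java” (the page gives “.javaxxx”, and the trailing characters are taken to vary), that the loopback HTTP service is on TCP 61314, procps/iproute2-style `ps` and `ss` output, and that gcore may be absent on embedded devices. Each check reads its listing from stdin, so it can be run against captured output; the sample lines at the bottom are constructed for the dry run.

```shell
#!/bin/sh
# Added example, not the page's or ESET's tooling: one-host triage for the
# Linux/Rakos indicators in the article. Assumptions: the bot's process name
# starts with ".java" (the page gives ".javaxxx"; the trailing characters are
# taken to vary), its loopback HTTP service is on TCP 61314, `ps -eo pid=,comm=`
# and `ss -tn` / `ss -ltn` exist (procps/iproute2 style output), and gcore may
# be missing on embedded devices, so the memory dump is best effort.

# Command and control addresses listed in the article.
RAKOS_C2="185.14.29.65 185.82.216.125 195.123.210.100 185.20.184.117
193.169.245.68 46.8.44.55 5.34.180.64 5.34.183.231 217.12.208.28
185.14.30.78 217.12.203.31"

# Print each listed C&C address that appears as a peer in socket output
# (`ss -tn` or `netstat -tn`) read from stdin. Ports are stripped before the
# comparison so the match does not depend on which port the bot used.
rakos_c2_connections() {
    awk -v c2="$RAKOS_C2" '
        BEGIN { n = split(c2, a, " "); for (i = 1; i <= n; i++) set[a[i]] = 1 }
        { for (i = 1; i <= NF; i++) { f = $i; sub(/:[0-9]+$/, "", f); if (f in set) print f } }
    ' | sort -u
}

# Print PIDs whose command name starts with ".java", from "pid comm" pairs
# (e.g. `ps -eo pid=,comm=`) read from stdin.
rakos_pids() {
    awk '$2 ~ /^\.java/ { print $1 }'
}

# Succeed if a listening-socket listing (`ss -ltn` / `netstat -tln`) on stdin
# contains TCP port 61314, the bot's local HTTP service.
rakos_listener_present() {
    grep -qE ':61314([[:space:]]|$)'
}

# Preserve evidence for one PID, then kill it with SIGKILL. The file on disk
# may already be unlinked; /proc/<pid>/exe still refers to the running image.
preserve_and_kill() {
    pid=$1
    outdir=$2
    mkdir -p "$outdir"
    cp "/proc/$pid/exe" "$outdir/rakos-$pid.bin" 2>/dev/null ||
        echo "warning: could not copy /proc/$pid/exe" >&2
    lsof -n -p "$pid" > "$outdir/rakos-$pid.lsof" 2>/dev/null || true
    if command -v gcore >/dev/null 2>&1; then
        gcore -o "$outdir/rakos-$pid" "$pid" >/dev/null 2>&1 ||
            echo "warning: gcore failed for PID $pid" >&2
    fi
    kill -KILL "$pid"
}

if [ "${1-}" = "--live" ]; then
    # Act on this host: report C&C peers and the local listener, then
    # preserve evidence for and kill every matching process.
    outdir=${2:-/root/rakos-evidence}
    ss -tn 2>/dev/null | rakos_c2_connections | sed 's/^/C\&C peer connected: /'
    ss -ltn 2>/dev/null | rakos_listener_present &&
        echo "TCP 61314 listener present (consistent with Rakos)"
    for pid in $(ps -eo pid=,comm= | rakos_pids); do
        echo "preserving evidence for PID $pid, then killing it"
        preserve_and_kill "$pid" "$outdir"
    done
else
    # Dry run on constructed sample output (not captured from a real host), so
    # the checks can be read and tried without an infected device.
    SAMPLE_SOCKETS='ESTAB 0 0 10.0.0.5:51234 185.14.29.65:80
ESTAB 0 0 10.0.0.5:22 203.0.113.9:4411'
    SAMPLE_LISTEN='LISTEN 0 128 127.0.0.1:61314 0.0.0.0:*'
    SAMPLE_PS='  412 sshd
 1337 .javaqzp
 1402 java'
    printf '%s\n' "$SAMPLE_SOCKETS" | rakos_c2_connections | sed 's/^/C\&C peer (sample): /'
    printf '%s\n' "$SAMPLE_LISTEN" | rakos_listener_present && echo "sample shows TCP 61314 listener"
    printf '%s\n' "$SAMPLE_PS" | rakos_pids | sed 's/^/suspicious PID (sample): /'
fi
```

Run it without arguments for the dry run, or as `sh rakos-triage.sh --live /root/rakos-evidence` on a suspect host. Do not request http://127.0.0.1:61314/et before the evidence has been collected: as described above, that endpoint kills the running instance, and with it the memory you want to dump.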

Source: welivesecurity.com
