Linux cryptominer steals passwords and turns off antivirus software

Researchers from the Russian antivirus manufacturer Dr. Web have found a new form of malware that steals passwords and turns off antivirus software. This is an unnamed trojan, which focuses on Linux. That’s what ZDNet reports.

The trojan itself is a gigantic shell script with over 1,000 lines of code. The script is the first file to be run on an infected Linux system. The script finds a folder on the disk where it should put permissions, so that it can copy itself and use it to download other modules.

It then uses one of two exploits called CVE-2016-5195 and CVE-2013-2094 to get root permission and full access to the operating system. Then it sets itself up as a local daemon, and downloads the nohup application to perform the operation.

Crypt Currency Mines

The next step is to carry out the main objective: to mince cryptic currency. First, the processes of various competing mining malware are identified and disabled, after which it starts its own Monero-mining operation. Other malware is also downloaded and executed. This is the Bill.Gates Trojan, a form of DDoS malware that comes with various functions that look like loopholes.

The Trojan continues to search for processes with names associated with antivirus solutions and disables them. The researchers say they have seen the Trojan eliminate processes with names like safedog, aegis, yunsuo, clamd, avast, avgd, cmdavd, cmdmgd, drweb-configd, drweb-spider-kmod, esets, and xmirrord.

A rootkit will also be downloaded and run. That rootkit has components that go even further into the system. For example, the rootkit can steal passwords for the su command that are typed by the user. Finally, a function is performed that collects information about all the remote servers that the infected computer has connected to via SSH, and then tries to connect to these machines. In this way, the Trojan wants to spread itself further.