Dr. Web has found a new version of the Linux.Sshdkit Trojan, which poses a danger to Linux servers.
According to statistics compiled by the company's analysts, Trojans of this family have so far affected several hundred servers, some of them large servers belonging to hosting providers.
Dr. Web first reported on the Linux.Sshdkit malware in February 2012. The Trojan is a dynamic library, and variants exist for both 32-bit and 64-bit Linux distributions. Once installed, the Trojan is loaded into the sshd process and intercepts its authentication function. After a session is established and the user has successfully entered a login and password, those credentials are sent to the attacker's remote server.
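One defender-side check that follows from the mechanism described above, added here as an example and not code from Dr. Web or from the article: because the Trojan is a shared library loaded into sshd, any shared object mapped into the running sshd process that the sshd binary does not itself declare as a dependency is worth investigating. The script compares the shared objects listed in /proc/<pid>/maps against the output of `ldd` on the process's executable. The sample maps and ldd text, the library name libdoorknob.so and the allowlist of runtime module directories are all constructed assumptions, not indicators reported for Linux.Sshdkit.

```python
"""Flag shared objects mapped into a running sshd that its binary does not
declare as dependencies. Assumed approach (not Dr. Web's tool): compare
/proc/<pid>/maps with `ldd` output for the executable."""
import os
import re
import subprocess
import sys
from typing import List, Set

# Constructed sample of /proc/<pid>/maps lines for an sshd process. The
# libdoorknob.so entry is a hypothetical injected library with a made-up path.
SAMPLE_MAPS = """\
5581c2a00000-5581c2b80000 r-xp 00000000 fd:01 1310727  /usr/sbin/sshd
7f3a1c000000-7f3a1c1c0000 r-xp 00000000 fd:01 786452   /lib/x86_64-linux-gnu/libc.so.6
7f3a1c400000-7f3a1c4c0000 r-xp 00000000 fd:01 786470   /lib/x86_64-linux-gnu/libcrypto.so.1.1
7f3a1c600000-7f3a1c602000 r-xp 00000000 fd:01 786499   /lib/x86_64-linux-gnu/libpam.so.0
7f3a1c800000-7f3a1c803000 rw-p 00000000 00:00 0        [heap]
7f3a1ca00000-7f3a1ca04000 r-xp 00000000 fd:01 999001   /usr/lib/hypothetical/libdoorknob.so
7ffd2e5f0000-7ffd2e611000 rw-p 00000000 00:00 0        [stack]
"""

# Constructed sample of `ldd /usr/sbin/sshd` output (the declared baseline).
SAMPLE_LDD = """\
\tlinux-vdso.so.1 (0x00007ffd2e7f0000)
\tlibcrypto.so.1.1 => /lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x...)
\tlibpam.so.0 => /lib/x86_64-linux-gnu/libpam.so.0 (0x...)
\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x...)
\t/lib64/ld-linux-x86-64.so.2 (0x...)
"""

# Directories from which sshd legitimately dlopen()s modules at runtime (PAM),
# which therefore never show up in ldd output. Assumed defaults; tune per distro.
RUNTIME_MODULE_DIRS = (
    "/lib/security/",
    "/lib64/security/",
    "/usr/lib/security/",
    "/lib/x86_64-linux-gnu/security/",
    "/usr/lib/x86_64-linux-gnu/security/",
)

# Matches "libfoo.so", "libfoo.so.6", "libfoo.so.1.1" at the end of a basename.
_SO_NAME = re.compile(r"\.so(\.\d+)*$")


def mapped_libraries(maps_text: str) -> Set[str]:
    """Return the absolute shared-object paths that appear in a maps listing."""
    libs: Set[str] = set()
    for line in maps_text.splitlines():
        parts = line.split(None, 5)          # addr perms offset dev inode [path]
        if len(parts) < 6:
            continue                         # anonymous mapping, no path
        path = parts[5].strip()
        if path.startswith("/") and _SO_NAME.search(os.path.basename(path)):
            libs.add(path)
    return libs


def declared_libraries(ldd_text: str) -> Set[str]:
    """Return the absolute paths ldd reports for the binary's dependencies."""
    libs: Set[str] = set()
    for line in ldd_text.splitlines():
        for token in line.split():
            if token.startswith("/") and _SO_NAME.search(os.path.basename(token)):
                libs.add(token)
    return libs


def unexpected_libraries(maps_text: str, ldd_text: str,
                         runtime_dirs=RUNTIME_MODULE_DIRS) -> List[str]:
    """Shared objects present in the process but neither declared by the binary
    nor loaded from an allowlisted runtime module directory."""
    declared = declared_libraries(ldd_text)
    suspicious = [
        path for path in mapped_libraries(maps_text)
        if path not in declared and not any(path.startswith(d) for d in runtime_dirs)
    ]
    return sorted(suspicious)


def check_live(pid: int) -> List[str]:
    """Run the comparison against a live process (reading /proc/<pid> needs root)."""
    with open(f"/proc/{pid}/maps", encoding="utf-8") as fh:
        maps_text = fh.read()
    exe = os.readlink(f"/proc/{pid}/exe")
    ldd_text = subprocess.run(["ldd", exe], capture_output=True,
                              text=True, check=True).stdout
    return unexpected_libraries(maps_text, ldd_text)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for pid_arg in sys.argv[1:]:
            for lib in check_live(int(pid_arg)):
                print(f"pid {pid_arg}: unexpected shared object {lib}")
    else:
        print(unexpected_libraries(SAMPLE_MAPS, SAMPLE_LDD))
```

Run it with one or more sshd PIDs as arguments to inspect live processes, or with no arguments to see the result on the constructed sample. Expect some benign hits on first use: libraries that libc or sshd load with dlopen() outside the PAM directories (NSS modules such as libnss_files, or libgcc_s) will be reported until added to the allowlist, so establish a per-host baseline on a known-clean system before treating a hit as an indicator.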
Dr. Web specialists intercepted several command-and-control servers of the previous version of Linux.Sshdkit. This made it possible not only to collect statistics on the number of infected machines but also to determine their addresses. In total, during May 2013 the Trojan sent access data for 562 infected Linux-based servers, including servers of major hosting providers, to the control node monitored by the company's analysts.
The newly discovered version, dubbed Linux.Sshdkit.6, is also a dynamic library; the variant identified so far is built for 64-bit Linux systems. In this implementation the attackers made a number of changes intended to make it harder for virus analysts to intercept the stolen passwords. In particular, the virus writers changed the method by which the Trojan determines the addresses of the servers to which it sends stolen information: to compute the target server, it now uses a special text record containing data encrypted with a 128-byte RSA key.
In addition, the virus writers changed the algorithm by which the Trojan receives commands: for a command to be executed, the malicious program now receives a special string whose hash value it verifies.
Trojans of the Linux.Sshdkit family pose a high risk to servers running Linux, because they allow attackers to gain unauthorized access to data on the server.