
Linux.Raubdo


First posted on 22 October 2015.
Source: Symantec

Aliases :

There are no other names known for Linux.Raubdo.

Explanation :

The worm propagates by generating random IP addresses and attempting to log in to servers at these locations using a list of Secure Shell (SSH) credentials.

If the worm successfully logs in, it copies itself into the following folder: /tmp/.xs
Next, the worm connects to the following websites, searches for pseudo-random terms, and looks for command-and-control instructions in the returned results: twitter.com, reddit.com, my.mail.ru
These instructions may allow the worm to upload, download, and execute files.

The worm also opens a back door on the following TCP ports, allowing a remote attacker to access the compromised computer:
9000, 1337
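
A host triage check built from the indicators above, as an added example that is not part of the original write-up: it looks for the /tmp/.xs drop path and for LISTEN sockets on TCP 9000 and 1337 by parsing /proc/net/tcp. The function names and the sample socket table are constructed for illustration.

```python
import os

# Indicators taken from the write-up above.
DROP_PATH = "/tmp/.xs"
BACKDOOR_PORTS = {9000, 1337}
TCP_LISTEN = "0A"  # state code for LISTEN in /proc/net/tcp

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1
   1: 00000000:2328 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 22222 1
   2: 0100007F:0539 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 33333 1
   3: 0A00000A:2328 0A000014:C350 01 00000000:00000000 00:00000000 00000000     0        0 44444 1
"""

def listening_backdoor_ports(proc_net_tcp_text, ports=BACKDOOR_PORTS):
    """Return the sorted subset of `ports` that have a LISTEN socket."""
    found = set()
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != TCP_LISTEN:
            continue  # established or closing sockets are not listeners
        # local_address is HEXIP:HEXPORT; the port is plain hexadecimal
        port = int(fields[1].rsplit(":", 1)[1], 16)
        if port in ports:
            found.add(port)
    return sorted(found)

def triage(proc_dir="/proc/net", drop_path=DROP_PATH):
    """Check the live host; unreadable socket tables count as 'no data'."""
    ports = set()
    for name in ("tcp", "tcp6"):
        try:
            with open(os.path.join(proc_dir, name)) as fh:
                ports.update(listening_backdoor_ports(fh.read()))
        except OSError:
            pass
    return {"drop_path_present": os.path.lexists(drop_path),
            "listening_ports": sorted(ports)}

if __name__ == "__main__":
    print(triage())
```

A listener on 9000 is only a lead, since that port is also the default for legitimate services such as PHP-FPM; confirm the owning process before acting on a hit.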

Last update 22 October 2015

 
