Short Bytes: Named Linux.Lady, a new trojan has been reported by Russian anti-virus firm Dr. Web. This malware attacks poorly configured Redis servers and turns them into bitcoin miners for the attacker’s benefit. The trojan spreads on its own by infecting other computers on the network.
This malware has recently been discovered by Russian anti-virus firm Dr. Web. Interestingly, the malware is written in Google’s Go programming language and relies on open-source Go libraries hosted on GitHub.
For those who don’t know, Redis is a NoSQL database system that stores data as key-value pairs. It keeps its data in memory for storage and subsequent queries.
How does Linux.Lady operate?
After the initial infection, Linux.Lady uses another trojan, Linux.Downloader.196, to download the main payload. Once installed, Linux.Lady sends basic information about the compromised system to the C&C (command and control) server over SSH.
Here’s the information sent by the trojan:
- Trojan’s version
- Number of CPUs on the machine
- Host’s name
- Number of running processes
- Name of the operating system
- Family of the operating system
- Host’s uptime
Based on the received information, in particular the number of CPUs, the C&C server sends back a configuration file that starts the bitcoin mining process on the infected computer. Being self-propagating, Linux.Lady can also infect other computers on the network.
It’s interesting to note that while Linux.Lady targets Linux systems, it doesn’t exploit any Linux flaw. In recent times, the poor security of Redis deployments has been repeatedly criticized in various security reports.
Sysadmins are advised to enable security mechanisms that add extra layers of protection. Dr. Web also recommends using its own anti-virus to defeat Linux.Lady.
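As an added example (not from the article or from Dr. Web), here is a small Python audit of a redis.conf for the settings that typically leave a Redis server open to this kind of abuse: listening on every interface, protected mode switched off, no password, and administrative commands such as CONFIG still reachable under their default names. The two sample configurations are constructed for the example; the directive names (bind, protected-mode, requirepass, rename-command) are real Redis configuration directives.

```python
"""Audit a redis.conf for the exposure pattern described in the article.

Added example, not from the article or Dr. Web. It parses the config
offline and flags the directives an unauthenticated, network-reachable
Redis instance usually has wrong.
"""
import shlex

# Constructed sample: a typical exposed deployment.
WEAK_CONF = """\
port 6379
bind 0.0.0.0
protected-mode no
# requirepass left commented out
# rename-command CONFIG ""
"""

# Constructed sample: the same server with the usual hardening applied.
HARDENED_CONF = """\
port 6379
bind 127.0.0.1 ::1
protected-mode yes
requirepass CHANGE-ME-long-random-secret
rename-command CONFIG ""
rename-command FLUSHALL ""
"""

# Bind addresses that mean "every interface" (Redis 7 also accepts '*' and '-::*').
WILDCARD_BINDS = {"0.0.0.0", "::", "*", "-::*"}


def parse_redis_conf(text):
    """Return a list of (directive, args) pairs.

    redis.conf is line based: the first token is the directive, the rest are
    arguments, quotes are honoured and '#' starts a comment. Directives may
    repeat (several rename-command lines), so a list is kept rather than a dict.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line, comments=True)
        if tokens:
            entries.append((tokens[0].lower(), tokens[1:]))
    return entries


def audit_redis_conf(text):
    """Return a list of findings (strings); an empty list means nothing was flagged."""
    entries = parse_redis_conf(text)

    def get(name):
        return [args for directive, args in entries if directive == name]

    findings = []

    # No bind directive at all also means "listen on all interfaces".
    binds = get("bind")
    if not binds:
        findings.append("bind: not set, Redis listens on all interfaces")
    else:
        addrs = {a for args in binds for a in args}
        if addrs & WILDCARD_BINDS:
            findings.append("bind: wildcard address exposes the server to the network")

    # protected-mode (Redis 3.2+) only refuses non-loopback clients when
    # neither bind nor requirepass is configured, so it is a backstop, not a fix.
    pm = get("protected-mode")
    if pm and pm[-1] and pm[-1][0].lower() == "no":
        findings.append("protected-mode: disabled")

    # Without requirepass any client that can reach the port can run commands.
    rp = get("requirepass")
    if not rp or not rp[-1] or rp[-1][0] == "":
        findings.append("requirepass: not set, clients need no authentication")

    # CONFIG lets a client rewrite server settings at runtime; FLUSHALL wipes data.
    renamed = {args[0].upper() for args in get("rename-command") if args}
    for cmd in ("CONFIG", "FLUSHALL"):
        if cmd not in renamed:
            findings.append(f"rename-command: {cmd} still reachable under its default name")

    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"[{label}]")
        for finding in audit_redis_conf(conf) or ["no findings"]:
            print("  -", finding)
```

Run it against a live server’s redis.conf to get a quick list of what to tighten; the weak sample produces five findings and the hardened one none. Renaming a command to the empty string disables it entirely, which is the usual choice for CONFIG and FLUSHALL on servers that don’t need them remotely.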