New Linux Trojan Found, Part of Turla

by Ostatic Staff - Dec. 08, 2014

The top story today is the discovery of a new Linux trojan that experts say could have been in place for years. Kaspersky Lab says this newly discovered Linux malware is part of the Turla campaign, indicating that the culprits aren't limiting themselves to Windows. And that's not all that's unusual about this code.

Security experts Kurt Baumgartner and Costin Raiu posted today that a quite unusual, "previously unknown piece" of the Turla puzzle had been discovered. It's "the first Turla sample targeting the Linux operating system" found. Baumgartner and Raiu said:

The Linux Turla module is a C/C++ executable statically linked against multiple libraries, greatly increasing its file size. It was stripped of symbol information, more likely intended to increase analysis effort than to decrease file size. Its functionality includes hidden network communications, arbitrary remote command execution, and remote management. Much of its code is based on public sources.

The experts write that the code, which doesn't require root privileges, stays hidden until it receives a "magic number." Then it jumps into action, opening a socket and backdoor to listen for commands. "Perhaps the most interesting part here is the unusual command and control mechanism based on TCP/UDP packets." While this code is now known, there have been no reports of it in the wild as of yet.

Baumgartner and Raiu added an update this evening saying they've discovered a second Linux module "representing a different malware generation than the previously known samples."