
I just discovered that my server is infected with Trojan.Linux.BillGates.G and is being used to launch DOS attacks.

It surprises me as the server is kept up-to-date (CentOS/Tomcat/CouchDB) as much as possible. My SSH server is only accessible via the public key/private key mechanism, no direct login is permitted.

It appears that this particular trojan is getting widespread recently. I have found several articles about it but none managed to clearly explain via what vulnerabilities the trojan is usually delivered. For instance, another trojan seems to always be laced into malicious packages.

QUESTION: What infection vectors is Trojan.Linux.BillGates known to often be used with?

Nicolas Raoul

1 Answer


So I have found a few resources which seem to indicate that the main infection method is done by gaining access to the system using SSH brute force:

  1. Avast antivirus research:

    The infection starts by an attempt to brute force SSH login credentials of the root user. If successful, attackers gain access to the compromised machine, then install the Trojan usually via a shell script.

  2. Akamai research:

    Like the XOR botnet, this malware is believed to be of Asian origin. The attackers are using the same methods for infection, which are primarily SSH brute force attempts for root login credentials (previously it was reported that infection methods include a vulnerability in ElasticSearch Java VM).

Bubble Hacker
    A strange thing is that my SSH server is only accessible via the public key/private key mechanism, no direct login is permitted. That seems to rule out SSH brute force, right? – Nicolas Raoul Jul 02 '16 at 03:33
  • @NicolasRaoul Are all the SSH users like this? Maybe your SSH is out of date? – Bubble Hacker Jul 02 '16 at 18:01
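Since both sources cited in the answer name SSH brute force against the root password as the usual delivery method, the two checks a defender would want are (a) whether the auth log shows a guessing run followed by a successful password login from the same source, and (b) whether sshd is actually configured so that password guessing against root cannot succeed, for every user and not just the one you normally log in as. The script below is an added example written for this page, not code from the question, the answer or the cited reports; the log lines and the two sshd_config fragments are constructed samples, and the config audit only reads the global section (it stops at the first `Match` block and flags it rather than evaluating per-user overrides).

```python
import re
from collections import Counter

# Constructed sshd log lines in the usual syslog format (not captured from a real host).
SAMPLE_AUTH_LOG = """\
Jul  2 03:10:01 host sshd[2101]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jul  2 03:10:03 host sshd[2103]: Failed password for root from 203.0.113.7 port 51024 ssh2
Jul  2 03:10:05 host sshd[2105]: Failed password for invalid user admin from 203.0.113.7 port 51026 ssh2
Jul  2 03:10:07 host sshd[2107]: Failed password for root from 203.0.113.7 port 51028 ssh2
Jul  2 03:10:09 host sshd[2109]: Failed password for root from 203.0.113.7 port 51030 ssh2
Jul  2 03:10:11 host sshd[2111]: Accepted password for root from 203.0.113.7 port 51032 ssh2
Jul  2 03:12:40 host sshd[2150]: Accepted publickey for deploy from 198.51.100.20 port 40110 ssh2: RSA SHA256:constructedfingerprint
Jul  2 03:15:00 host sshd[2160]: Failed password for root from 192.0.2.9 port 60000 ssh2
"""

# "invalid user" is optional so the username is captured correctly in both message forms.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
ACCEPTED_RE = re.compile(r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+)")


def analyse_auth_log(text, threshold=3):
    """Count failed password logins per source and per target user, then flag any
    source that crossed the threshold and afterwards got an accepted password login."""
    failures_by_ip = Counter()
    failures_by_user = Counter()
    accepted = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures_by_ip[m.group("ip")] += 1
            failures_by_user[m.group("user")] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append((m.group("ip"), m.group("user"), m.group("method")))
    bruteforce_sources = {ip for ip, n in failures_by_ip.items() if n >= threshold}
    # A password login from a source that was just guessing is the signature of a successful
    # brute force; key-based logins are not flagged even from the same source.
    suspicious_logins = [(ip, user, method) for ip, user, method in accepted
                         if method == "password" and ip in bruteforce_sources]
    return {
        "failures_by_ip": dict(failures_by_ip),
        "failures_by_user": dict(failures_by_user),
        "bruteforce_sources": bruteforce_sources,
        "suspicious_logins": suspicious_logins,
    }


# Constructed sshd_config fragments: the permissive one beside the corrected one.
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin prohibit-password
PasswordAuthentication no
PubkeyAuthentication yes
"""


def audit_sshd_config(config_text):
    """Return findings for global settings that leave root reachable by password guessing.
    Only the section before the first Match block is evaluated (assumption of this example)."""
    settings = {}
    match_block_seen = False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == "match":
            match_block_seen = True
            break
        if len(parts) == 2:
            settings[parts[0].lower()] = parts[1].strip().lower()
    findings = []
    # OpenSSH's built-in default for PasswordAuthentication is "yes", so an absent line counts as enabled.
    if settings.get("passwordauthentication", "yes") == "yes":
        findings.append("PasswordAuthentication enabled: SSH password guessing is possible")
    root = settings.get("permitrootlogin")
    if root is None:
        findings.append("PermitRootLogin not set explicitly: the default depends on the OpenSSH version, set it")
    elif root == "yes":
        findings.append("PermitRootLogin yes: root accepts password logins whenever passwords are enabled")
    if match_block_seen:
        findings.append("Match block present: per-user or per-host overrides were not evaluated")
    return findings


if __name__ == "__main__":
    print(analyse_auth_log(SAMPLE_AUTH_LOG))
    print("weak:", audit_sshd_config(WEAK_SSHD_CONFIG))
    print("hardened:", audit_sshd_config(HARDENED_SSHD_CONFIG))
```

On a real host the log text would come from `/var/log/secure` on CentOS (or `journalctl -u sshd`), and the config from `/etc/ssh/sshd_config`; a Match block that re-enables `PasswordAuthentication` for some user or address is exactly the kind of per-user exception the comment above asks about, which is why the audit refuses to give a clean result when one is present.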