{
	"id": "a3782568-b7ec-4d87-b2f1-6e88c9634723",
	"created_at": "2026-04-06T00:22:19.171061Z",
	"updated_at": "2026-04-10T03:21:18.405469Z",
	"deleted_at": null,
	"sha1_hash": "097e13b7c7bf30dc3994f7980317100d9d528c85",
	"title": "DDoS Trojans attack Linux",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 110383,
	"plain_text": "DDoS Trojans attack Linux\r\nPublished: 2014-05-15 · Archived: 2026-04-05 21:57:04 UTC\r\nMay 15, 2014\r\nThe fallacy that Linux is fully protected against malware thanks to the specific features of its architecture makes life much easier for intruders distributing such software. In May 2014, Doctor Web's security analysts identified and examined a record-high number of Trojans for Linux, a large portion of which is designed to carry out DDoS (distributed denial of service) attacks.\r\nThese programs share common features: first, they carry out DDoS attacks via various protocols, and second, they appear to have been created by the same person, according to Doctor Web specialists who have examined all the circumstantial evidence.\r\nThe malicious program that was added to the Dr.Web virus database as Linux.DDoS.3 has a wide array of features. When launched, it determines the address of its command and control server (C\u0026C server) and stands by for the parameters of the current task (once the task has been completed, it reports back to the criminals). Linux.DDoS.3 can launch DDoS attacks on the specified server over the TCP/IP (TCP flood) and UDP (UDP flood) protocols. It can also send DNS requests to enhance the effectiveness of the attacks (DNS Amplification).\r\nAnother modification of the threat, dubbed Linux.DDoS.22, targets Linux ARM distributions, while Linux.DDoS.24 can infect servers and desktops running 32-bit versions of Ubuntu and CentOS. The Trojan Linux.DDoS.24 installs in the system as pktmake and modifies the start-up scripts so that it will be launched automatically. Once launched, it also collects system hardware information, including the CPU type and available memory, and sends it in encrypted form to the C\u0026C server belonging to the cybercriminals. The main purpose of this malware is to perform DDoS attacks upon command by the remote host.\r\nAnother group of threats to Linux, studied by Doctor Web's security researchers this month, includes Linux.DnsAmp.1, Linux.DnsAmp.2, Linux.DnsAmp.3, Linux.DnsAmp.4 and Linux.DnsAmp.5. Some malware of the Linux.DnsAmp family communicates with two control servers and can infect both 32-bit (Linux.DnsAmp.1, Linux.DnsAmp.3, Linux.DnsAmp.5) and 64-bit (Linux.DnsAmp.2, Linux.DnsAmp.4) versions of Linux. Like other members of this class of DDoS Trojans, Linux.DnsAmp modifies the start-up scripts, collects and sends to the remote server the infected machine’s configuration information (OS version, CPU, amount of free memory and swap file) and then waits for commands. Trojans of this family have the following features:\r\nSYN Flood (sending SYN requests to the target node to render it non-responsive).\r\nUDP flood (the Trojan makes sure that the remote host responds to requests and attempts to send 1,000 UDP packets to the target host).\r\nPing Flood (an ICMP echo request that uses the PID of the process as the identifier and 0xA1B0A1B0 as data is dispatched to incapacitate the target).\r\nDNS Amplification.\r\nNTP Amplification is implemented in various versions of the Trojan but remains unused.\r\nAlso upon command by a remote server, Linux.DnsAmp can write information into the log file, repeat the attack or update itself.\r\nThe Trojans Linux.DnsAmp.3 (for 32-bit versions of Linux) and Linux.DnsAmp.4 (for 64-bit Linux distributions) are modifications of the first version of Linux.DnsAmp with a limited set of features. In fact, these Trojan modifications can perform only three commands from the C\u0026C server: start a DDoS attack, stop the attack and save the log file. It should be noted that many of the malware programs mentioned above connect to the same control servers.\r\nFinally, we need to mention a malicious program for ARM-compatible Linux distributions that has been dubbed Linux.Mrblack. This Trojan is also designed to perform DDoS attacks via TCP/IP and HTTP. It features a fairly primitive design and, like other similar threats, acts on control server commands.\r\nThe command servers facilitating control over the Trojans are located mainly in the territory of China, and the corresponding DDoS attacks are directed mainly against Chinese websites. All these malicious applications are detected and removed by Dr.Web Anti-virus for Linux and, therefore, pose no danger to systems protected by the application.\r\nSource: https://news.drweb.com/?i=5760\u0026c=23\u0026lng=en",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://news.drweb.com/?i=5760\u0026c=23\u0026lng=en"
	],
	"report_names": [
		"?i=5760\u0026c=23\u0026lng=en"
	],
	"threat_actors": [],
	"ts_created_at": 1775434939,
	"ts_updated_at": 1775791278,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/097e13b7c7bf30dc3994f7980317100d9d528c85.pdf",
		"text": "https://archive.orkl.eu/097e13b7c7bf30dc3994f7980317100d9d528c85.txt",
		"img": "https://archive.orkl.eu/097e13b7c7bf30dc3994f7980317100d9d528c85.jpg"
	}
}