Introduction of common viruses in Linux system (with solutions)

Posted May 27, 20206 min read

[ ]( == # wechat_redirect)

Unlike the various ransomware families under Windows, there are several families of malware that are heavily infected under Linux. However, these families accounted for most of the infected hosts in the world, almost showing a monopoly trend. This article will introduce 7 common malware families in Linux environment and their corresponding removal steps.

Seven major malware families


BillGates was first discovered in 2014. It was named because of the multi-variable and function contains the string "gates" in the sample. The virus is mainly used by hackers for DDos. Its characteristic is that it will replace the normal program of the system(ss, netstat, ps, lsof) for disguise

Host poisoning phenomenon:

\ [1 ]There are gates.lod and moni.lod files in the/tmp/directory.

\ [2 ]Virus folder/usr/bin/bsd-port/appears.

\ [3 ]Host access domain name .

\ [4 ]System files(ss, netstat, ps, lsof) have been tampered with and the modification time is abnormal.

Virus removal steps:

\ [1 ]Remove/usr/bin/bsd-port/getty, .ssh and other virus processes.

\ [2 ]Remove/usr/bin/bsd-port/getty, /usr/bin/.sshd and other virus files.

\ [3 ]Restore the original system files from the/usr/bin/dpkgd/directory.


DDG is the most frequently updated malware family at the same time, and the infection volume is also very large. Hackers use the P2P protocol to control this botnet to achieve the purpose of hiding C & C. The main purpose of the virus is worm mining, which is characterized by version iteration During the process, the virus file names remain named after the specifications of ddg. And

Host poisoning phenomenon:

The ELF file with ddgs. + Numbers appears under \ [1 ]/tmp/directory.

\ [2 ]There are random name files such as qW3xT. And SzDXM in the/tmp/directory.

\ [3 ]There is a scheduled task to download

virus removal steps:

\ [1 ]Clear the random name mining process and corresponding files.

\ [2 ]Delete the parent file ddg. \ *.

\ [3 ]Delete the scheduled task with string.

\ [4 ]Delete the ssh cache public key authorized \ _keys.


SystemdMiner uses three methods(YARN vulnerability, Linux automated operation and maintenance tools, .ssh cache key) to propagate. The file name of the virus in the early stage has a Systemd string, and the later version has been replaced with a random name. Its characteristics are good Use darknet agents for C & C communications.

Host poisoning phenomenon:

\ [1 ]Regular access to domain names with tor2web and onion strings.

\ [2 ]Systemd files appear in the/tmp directory(later versions are random names).

\ [3 ]There is a scheduled task to run systemd-login(later version is random name).

virus removal step:

\ [1 ]Clear suspicious scheduled tasks in the/var/spool/cron and /etc/cron.d directories.

\ [2 ]Clear the mining process of random names.

\ [3 ]Remove the remaining systemd-login and .sh virus scripts.


StartMiner was discovered in February this year. It was named because its process and scheduled tasks contained the 2start.jpg string. The virus spread through ssh. Its characteristic is that it will create multiple malicious scheduled tasks containing the 2start.jpg string.

Host poisoning phenomenon:

\ [1 ]The scheduled task contains a string containing 2start.jpg.

A virus file named x86 \ _ exists in the \ [2 ]/tmp/directory.

\ [3 ]/etc/cron.d has multiple camouflaged scheduled task files:apache, nginx, root.

virus removal steps:

\ [1 ]ends the mining process x86 \ _.

\ [2 ]Delete all scheduled tasks with the string 2start.jpg.

\ [3 ]Clear all wget processes with 2start.jpg string.


In 2019, a WatchdogsMiner family that was also spread by Redis unauthorized access vulnerabilities and SSH blasting was discovered because it released a parent file called watchdogs in the/tmp/directory. The initial version of WatchdogsMiner will host malicious code on to bypass detection, but subsequent versions have been deprecated and changed to their own C & C The characteristic of this virus is that the sample is compiled by go language, and tried the disguised hippies/LSD package(github \ _com \ _hippiesLSD). Host poisoning phenomenon:

\ [1 ]There is a timed task to execute malicious code on

A virus file named watchdogs exists in the \ [2 ]/tmp/directory.

\ [3 ]visit \ *. domain name.

virus removal steps:

\ [1 ]delete the malicious dynamic link library /usr/local/lib/

\ [2 ]Clean up crontab exceptions \ [3 ]Use the kill command to terminate the mining process

\ [4 ]Investigate and clean up possible remaining malicious files:

(a) chattr -i/usr/sbin/watchdogs /etc/init.d/watchdogs/var/spool/cron/root /etc/cron.d/root;

(b) chkconfig watchdogs off;

(c) rm -f/usr/sbin/watchdogs /etc/init.d/watchdogs.

\ [5 ]Because the file is read-only and related commands are hooked, you need to install busybox and delete it with the busybox rm command.


The XorDDoS botnet family has survived since 2014. It is named XorDDoS because of its extensive use of Xor in its decryption method. Its main purpose is the DDos public network host. The feature is that the sample uses "polymorphism" and self-deletion methods, resulting in the host Random name processes continue to appear, and rootkit technology is used to hide the communication IP and port. Host poisoning phenomenon:

\ [1 ]Virus file /lib/ exists.

\ [2 ]There are virus files with random names in the/usr/bin,/bin,/lib,/tmp directories.

\ [3 ]There is a timed task to execute

virus removal step:

\ [1 ]Clear the udev program in the/lib/udev/directory.

\ [2 ]Remove random malicious files(10 random string numbers) under/boot.

\ [3 ]Clear the contents of timer files in /etc/cron.hourly/ and/etc/crontab.

\ [4 ]If there is a RootKit driver module, you need to uninstall the corresponding driver module. This time, the malicious program mainly uses it to hide the relevant network IP port.

\ [5 ]Clear the debug program in the/lib/udev directory.


RainbowMiner has appeared frequently since 2019. It is named after the C & C domain name it visits with a Rainbow string. Its biggest feature is that it will hide the mining process kthreadds. Investigators will find that the host CPU usage is high, but it is not suspicious. process.

Host poisoning phenomenon:

\ [1 ]hide the mining process/usr/bin/kthreadds, the host CPU usage is high but the process is not visible.

\ [2 ]Visit malicious domain name.

\ [3 ]Create ssh password-free login public key to achieve persistent attacks.

\ [4 ]There is a process persistence guard.

virus removal steps:

\ [1 ]download busybox:wget ... \ _ 64.

\ [2 ]Use busybox top to locate and clear the mining process kthreadds and the parent process pdflushs.

\ [3 ]Delete/usr/bin/kthreadds and /etc/init.d/pdflushs files, and startup items under /etc/rc*.d/.

\ [4 ]Delete the virus disguise file under/lib64 /.

\ [5 ]Clear the python process.

Reinforcement recommendations

  1. Linux malware is mainly mining. Once the host is mined, the high CPU usage will affect the business, so it is necessary to monitor the CPU status of the host in real time.

  2. Scheduled tasks are the persistent persistent attack techniques used by malware. You should check the system regularly for suspicious scheduled tasks.

  3. There are a large number of ssh weak passwords in enterprises, and they should be changed to complex passwords in time, and check whether there is a suspicious authorized \ _key cache public key in the /root/.ssh/directory.

  4. Regularly check the Web program for vulnerabilities, paying special attention to RCE vulnerabilities such as Redis unauthorized access.

If there are errors or other problems, friends are welcome to leave comments and corrections. If you have any help, welcome to like + forward and share.

Welcome everyone to pay attention to the public number of the migrant worker brother:The technical road of the migrant worker brother