Popular Linux malware families and their cleanup methods

Unlike Windows, where malware families proliferate in great variety, Linux has only a handful of families with large infection counts; those few, however, account for most infected hosts worldwide, almost a monopoly. This article introduces seven common malware families found in Linux environments and the corresponding cleanup steps.

Seven malware families


1. BillGates

BillGates was first discovered in 2014 and is named after the string "Gates" that appears in the variable and function names of its samples. It is mainly used for DDoS attacks and is characterized by replacing normal system programs (ss, netstat, ps, lsof) with trojaned copies as camouflage.

Host poisoning phenomenon:

The files gates.lod and moni.lod exist in the /tmp/ directory. The malware directory /usr/bin/bsd-port/ exists. The host connects to a malicious domain name. The system tools (ss, netstat, ps, lsof) have been tampered with, and their modification times are abnormal.

Virus clearance step:

Remove /usr/bin/bsd-port/getty, /usr/bin/.sshd and the other malware files. Restore the original system tools from the /usr/bin/dpkgd/ directory, where the malware keeps the copies it replaced.
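The check and the restore step above, as an added example that is not part of the original article. It compares each live copy of ss, netstat, ps and lsof against the original the malware kept in /usr/bin/dpkgd/ and copies the original back; the ROOT argument (a hypothetical convention used here) lets the same functions run against a mounted offline image.

```shell
#!/bin/sh
# Added example, not from the original article: detect and undo the
# BillGates tool replacement. ROOT is "" for the live host or the mount
# point of an offline disk image (a hypothetical convention assumed here).

BG_TOOLS="ss netstat ps lsof"
BG_DROPS="/tmp/gates.lod /tmp/moni.lod /usr/bin/bsd-port /usr/bin/.sshd"

# bg_live_copies ROOT TOOL: canonical path of every installed copy of TOOL,
# each printed once (merged-/usr systems alias /bin to /usr/bin).
bg_live_copies() {
  seen=" "
  for dir in /bin /usr/bin /sbin /usr/sbin; do
    f="$1$dir/$2"
    [ -f "$f" ] || continue
    canon=$(readlink -f "$f" 2>/dev/null || echo "$f")
    case "$seen" in *" $canon "*) continue ;; esac
    seen="$seen$canon "
    echo "$canon"
  done
}

# billgates_check ROOT: print one line per indicator; return 1 if any found.
billgates_check() {
  root=${1:-}; found=0
  for p in $BG_DROPS; do
    if [ -e "$root$p" ]; then
      echo "dropped: $root$p"; found=$((found + 1))
    fi
  done
  # The article's restore step relies on the originals kept in /usr/bin/dpkgd/,
  # so a live tool that differs from its dpkgd copy is the trojaned one.
  for tool in $BG_TOOLS; do
    backup="$root/usr/bin/dpkgd/$tool"
    [ -f "$backup" ] || continue
    for live in $(bg_live_copies "$root" "$tool"); do
      if ! cmp -s "$backup" "$live"; then
        echo "replaced: $live (original kept at $backup)"; found=$((found + 1))
      fi
    done
  done
  [ "$found" -eq 0 ]
}

# billgates_restore ROOT: copy the dpkgd originals back over the trojaned
# copies, clearing the immutable bit first. Prints the number restored.
billgates_restore() {
  root=${1:-}; restored=0
  for tool in $BG_TOOLS; do
    backup="$root/usr/bin/dpkgd/$tool"
    [ -f "$backup" ] || continue
    for live in $(bg_live_copies "$root" "$tool"); do
      cmp -s "$backup" "$live" && continue
      chattr -i "$live" 2>/dev/null || true   # absent or unsupported: not fatal
      cp -p "$backup" "$live" && restored=$((restored + 1))
    done
  done
  echo "$restored"
}

if [ "${1:-}" = "--scan" ]; then
  billgates_check "${2:-}" || echo "BillGates indicators found; review them before running billgates_restore"
fi
```

Before trusting the copies in /usr/bin/dpkgd/, verify them against the package manager (dpkg -V procps or rpm -Vf /bin/ps), since an attacker who replaced the tools could also have tampered with the backups; if the package check fails, reinstall the packages instead of copying the backups back.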

2. DDG

DDG is currently the most frequently updated malware family, and its infection count is also very large. The attackers control the botnet over a P2P protocol in order to hide the C&C infrastructure. The malware's main purpose is worm-style cryptomining; across its version iterations, the malware files have consistently been named ddgs.<number> and i.sh.

Host poisoning phenomenon:

The /tmp/ directory contains an ELF file named ddgs.<number>. Randomly named files such as qW3xT and SzDXM are present in /tmp/. There is a scheduled task that downloads i.sh.

Virus clearance step:

Kill the randomly named mining process and delete the corresponding files. Delete the parent file ddgs.*. Delete the scheduled tasks containing the string i.sh. Remove the attacker's cached SSH public key from authorized_keys.
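The last cleanup step, removing the attacker's key from authorized_keys, as an added example that is not from the original article. Rather than deleting the whole file (which also locks out legitimate administrators), it compares every key against an allowlist of approved public keys and keeps only those; the allowlist format, one "type blob [comment]" per line, is an assumption made here.

```shell
#!/bin/sh
# Added example, not from the original article: audit root's authorized_keys
# against an allowlist of approved public keys and rewrite the file with only
# those keys. Keys are matched on their material (type + base64 blob), not on
# the comment, since an attacker can copy a legitimate comment onto their own
# key. The allowlist format (one "type blob [comment]" per line) is assumed.

# ak_blob LINE: print "type blob" for one authorized_keys line, skipping any
# leading options such as command="..." or no-pty; prints nothing if no key.
ak_blob() {
  printf '%s\n' "$1" | awk '{
    for (i = 1; i < NF; i++)
      if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)|sk-)/) {
        print $i, $(i + 1); exit
      }
  }'
}

# ak_allowed "type blob" ALLOWFILE: true if the key material is on the allowlist.
ak_allowed() {
  awk '{ print $1, $2 }' "$2" | grep -qxF -- "$1"
}

# audit_authorized_keys KEYS ALLOW: print each line of KEYS carrying a key
# that is not allowlisted (or that cannot be parsed); return 1 if any.
audit_authorized_keys() {
  keys=$1; allow=$2; bad=0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac
    blob=$(ak_blob "$line")
    if [ -z "$blob" ]; then
      echo "unparsable: $line"; bad=$((bad + 1))
    elif ! ak_allowed "$blob" "$allow"; then
      echo "unknown: $line"; bad=$((bad + 1))
    fi
  done < "$keys"
  [ "$bad" -eq 0 ]
}

# remove_unknown_keys KEYS ALLOW: keep a timestamped copy of KEYS for the
# incident record, then rewrite it with comments and allowlisted keys only.
remove_unknown_keys() {
  keys=$1; allow=$2; tmp="$keys.new.$$"
  cp -p "$keys" "$keys.bak.$(date +%s)"
  : > "$tmp"
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) printf '%s\n' "$line" >> "$tmp"; continue ;; esac
    blob=$(ak_blob "$line")
    if [ -n "$blob" ] && ak_allowed "$blob" "$allow"; then
      printf '%s\n' "$line" >> "$tmp"
    fi
  done < "$keys"
  chmod 600 "$tmp"
  mv "$tmp" "$keys"   # fails if the file was made immutable: chattr -i it first
}
```

Run the audit for every account that has a .ssh directory, not only root, and check the timestamps on the "unknown" lines against the infection window. If the rewrite fails with "Operation not permitted", the malware has set the immutable attribute; clear it with chattr -i before retrying.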

3. SystemDminer

SystemDminer spreads in three ways (a YARN vulnerability, Linux automation tools, and cached .ssh keys). Early versions named the malware files with the string systemd; later versions switched to random names. Its distinguishing feature is C&C communication through Tor2Web proxies to a dark-web address.

Host poisoning phenomenon:

Scheduled tasks access Tor2Web proxies and .onion addresses. A file named systemd (a random name in later versions) is present in the /tmp directory. There is a scheduled task running systemd-login (a random name in later versions).

Virus clearance step:

Remove the suspicious scheduled tasks under /var/spool/cron and /etc/cron.d. Kill the randomly named mining process. Remove the leftover systemd-login and .sh malware scripts.


4. Startminer

StartMiner was found in February of this year and is named after the string 2Start.jpg that appears in its processes and scheduled tasks. It spreads via SSH and is characterized by creating multiple malicious scheduled tasks that contain the string 2Start.jpg.

Host poisoning phenomenon:

Scheduled tasks contain the string 2Start.jpg. A malware file named x86_ is present in the /tmp/ directory. /etc/cron.d contains multiple disguised scheduled-task files named apache, nginx and root.


Virus clearance step:

Kill the x86_ mining process. Delete all scheduled tasks containing the string 2Start.jpg. Kill all wget processes whose command line contains 2Start.jpg.
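The scheduled-task checks that the DDG, SystemDminer and StartMiner sections all call for, as one added example that is not from the original article. It scans every cron location for the strings those sections name (i.sh, systemd-login, Tor2Web and .onion, 2Start.jpg), lists recently modified cron files regardless of their name, and strips matching lines while keeping a copy as evidence. The download-piped-to-shell pattern at the end of the indicator list is a generic heuristic added here, and the ROOT argument for offline images is a convention assumed by the example.

```shell
#!/bin/sh
# Added example, not from the original article: scan every cron location under
# ROOT for the persistence strings the DDG, SystemDminer and StartMiner sections
# name, list recently modified cron files, and strip matching lines. ROOT is ""
# for the live host or the mount point of an offline image. The last alternative
# in CRON_IOC (a download piped to a shell) is a generic heuristic added here.

CRON_DIRS="/etc/cron.d /etc/cron.hourly /etc/cron.daily /var/spool/cron /var/spool/cron/crontabs"
CRON_FILES="/etc/crontab /etc/anacrontab"
CRON_IOC='i\.sh|2start\.jpg|systemd-login|tor2web|\.onion|(wget|curl)[^|]*\|[[:space:]]*(ba)?sh'

# cron_files ROOT: every cron file below ROOT, one path per line, no duplicates
# (on Debian /var/spool/cron/crontabs sits inside /var/spool/cron).
cron_files() {
  root=${1:-}
  {
    for d in $CRON_DIRS; do [ -d "$root$d" ] && find "$root$d" -type f; done
    for f in $CRON_FILES; do [ -f "$root$f" ] && echo "$root$f"; done
  } | sort -u
}

# scan_cron ROOT: print "path:line-number:line" for every suspicious entry;
# return 1 if anything was found.
scan_cron() {
  out=$(for f in $(cron_files "${1:-}"); do
          grep -inE "$CRON_IOC" "$f" /dev/null || true   # /dev/null forces the path prefix
        done)
  [ -n "$out" ] || return 0
  printf '%s\n' "$out"
  return 1
}

# recent_cron_files ROOT DAYS: cron files modified within DAYS days. A fresh
# /etc/cron.d file named like a service (apache, nginx, root) that no package
# owns is the StartMiner pattern; key on the timestamp, not on the name.
recent_cron_files() {
  root=${1:-}; days=${2:-7}
  for d in $CRON_DIRS; do
    [ -d "$root$d" ] && find "$root$d" -type f -mtime "-$days"
  done
  return 0
}

# strip_cron_ioc FILE QUARANTINE: copy FILE into QUARANTINE as evidence, then
# delete the lines matching CRON_IOC in place (owner and mode are preserved).
strip_cron_ioc() {
  f=$1; q=$2
  mkdir -p "$q"
  cp -p "$f" "$q/$(printf '%s' "$f" | tr / _).$(date +%s)"
  chattr -i "$f" 2>/dev/null || true
  grep -viE "$CRON_IOC" "$f" > "$f.tmp" || true   # grep -v exits 1 when nothing is left
  cat "$f.tmp" > "$f" && rm -f "$f.tmp"
}
```

Kill the miner and its guardian process before stripping the cron lines, or a still-running downloader will simply re-create them; and keep the quarantined copies, since the download URLs in them are the quickest way to find other infected hosts in the network logs.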


5. WatchDogsminer

WatchDogsminer appeared in 2019. It spreads through the Redis unauthorized-access vulnerability and SSH brute forcing, and is named after the parent file WatchDogs that it drops in the /tmp/ directory. The initial version hosted its malicious code elsewhere to evade detection; later versions abandoned that and switched to their own C&C servers. The samples are compiled in Go and disguise themselves as the HippiesLSD package (github_com_hippieslsd).

Host poisoning phenomenon:

There is a scheduled task that executes malicious code from the /tmp/ directory. A malware file named WatchDogs is present in /tmp/. The host connects to a malicious domain name.

Virus clearance step:

(1) Delete the malicious shared library under /usr/local/lib/

(2) Clean the abnormal crontab entries

(3) Terminate the mining process with the kill command

(4) Check for malicious files that may remain and remove them; the files are set immutable, so the attribute has to be cleared first:

chattr -i /usr/sbin/watchdogs /etc/init.d/watchdogs /var/spool/cron/root /etc/cron.d/root; chkconfig watchdogs off; rm -f /usr/sbin/watchdogs /etc/init.d/watchdogs

(5) Because the files are made read-only and the relevant commands are hooked, install BusyBox and remove the files with busybox rm.
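Steps (1), (4) and (5) as an added example that is not from the original article. The usual way a shared library under /usr/local/lib/ gets to hook commands such as ls and rm in every process is /etc/ld.so.preload; the article does not name the mechanism, so that part is an assumption here, as are the static-BusyBox fallback and the ROOT argument for offline images.

```shell
#!/bin/sh
# Added example, not from the original article: removal helpers for files a
# miner has made immutable and hidden from hooked commands. Step (1) names a
# malicious shared library under /usr/local/lib/; the usual way such a library
# gets into every process is /etc/ld.so.preload, which is an assumption here
# (the article does not say which hooking mechanism is used). ROOT is "" for
# the live host or the mount point of an offline image.

# Prefer a static BusyBox for cat/rm, as the article suggests, since the
# system copies may be hooked; fall back to the system tools if none is present.
BB=$(command -v busybox 2>/dev/null || true)
bb() { if [ -n "$BB" ]; then "$BB" "$@"; else "$@"; fi; }

# preload_entries ROOT: print each library listed in /etc/ld.so.preload
# (whitespace or colon separated). A clean host has no such file, or an empty one.
preload_entries() {
  f="${1:-}/etc/ld.so.preload"
  [ -f "$f" ] || return 0
  bb cat "$f" | tr ' \t:' '\n\n\n' | grep -v '^$' || true
}

# force_rm PATH...: clear the immutable and append-only bits, then remove.
# Returns 1 if any path is still present afterwards.
force_rm() {
  left=0
  for p in "$@"; do
    [ -e "$p" ] || [ -L "$p" ] || continue
    chattr -ia "$p" 2>/dev/null || true   # fails harmlessly where unsupported
    bb rm -f "$p" 2>/dev/null || true
    if [ -e "$p" ] || [ -L "$p" ]; then
      echo "still present: $p"; left=$((left + 1))
    fi
  done
  [ "$left" -eq 0 ]
}

# neutralize_preload ROOT: empty ld.so.preload so new processes load nothing,
# then delete the libraries it referenced. Truncating rather than deleting
# avoids needing to rewrite the /etc directory entry.
neutralize_preload() {
  root=${1:-}; f="$root/etc/ld.so.preload"
  libs=$(preload_entries "$root")
  [ -n "$libs" ] || return 0
  chattr -ia "$f" 2>/dev/null || true
  : > "$f"
  for l in $libs; do
    force_rm "$root$l" || echo "could not remove $root$l"
  done
}
```

Processes that already loaded the library keep it until they exit, so the mining process and its guardian still have to be killed (step 3) after the preload file is emptied; and if force_rm reports a file as still present even after chattr, the hooking is below user space and the host should be rebuilt from a clean image rather than cleaned.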

6. xorddos

The xorddos botnet family has been active continuously since 2014; it is named after the XOR routine it uses for decryption, and its main purpose is DDoS. It is characterized by "polymorphic" samples that delete themselves, so that randomly named processes keep appearing on the host, and by rootkit techniques that hide its communication IP addresses and ports.

Host poisoning phenomenon:

There is a malware file under /lib/. There are randomly named malware files in /usr/bin, /bin, /lib and /tmp. There is a scheduled task that executes gcc.sh.

Virus clearance step:

Remove the udev program under the /lib/udev/ directory. Remove the randomly named malicious file under /boot (a name of 10 random characters). Remove the related entries from /etc/cron.hourly/ and /etc/crontab. If a rootkit kernel module is present, unload it; its main job is to hide the malware's network IP addresses and ports. Remove the debug program under the /lib/udev/ directory.
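The indicators above turned into a check, as an added example that is not from the original article. It looks for the udev and debug programs under /lib/udev/, for files whose name is exactly 10 random characters in the directories the article lists, and for cron entries that run gcc.sh. The 10-character test is the article's description turned into a regular expression and is only a heuristic; the package-ownership filter and the ROOT argument for offline images are conventions assumed by the example.

```shell
#!/bin/sh
# Added example, not from the original article: hunt for the xorddos footprint
# described above. ROOT is "" for the live host or the mount point of an
# offline image. The 10-character random-name test is a heuristic, so every
# hit still needs review; on a live host, files the package manager owns are
# skipped to cut the noise.

XD_NAME_RE='/[a-z0-9]{10}$'               # basename of exactly 10 lowercase alphanumerics
XD_DIRS="/boot /usr/bin /bin /lib /tmp"   # where the article says random names appear
XD_DROPS="/lib/udev/udev /lib/udev/debug" # the udev and debug programs named in the cleanup

# owned_by_pkg PATH: true if dpkg or rpm knows the file (meaningful on a live host only).
owned_by_pkg() {
  if command -v dpkg >/dev/null 2>&1; then dpkg -S "$1" >/dev/null 2>&1 && return 0; fi
  if command -v rpm >/dev/null 2>&1; then rpm -qf "$1" >/dev/null 2>&1 && return 0; fi
  return 1
}

# random_name_files ROOT: regular files directly under XD_DIRS with a
# random-looking name. journalctl is ten letters too, hence the package check.
random_name_files() {
  root=${1:-}
  for d in $XD_DIRS; do
    [ -d "$root$d" ] || continue
    for f in $(find "$root$d" -maxdepth 1 -type f 2>/dev/null | grep -E "$XD_NAME_RE" || true); do
      if [ -z "$root" ] && owned_by_pkg "$f"; then continue; fi
      echo "$f"
    done
  done
  return 0
}

# gccsh_cron ROOT: cron lines that run gcc.sh, the article's persistence indicator.
gccsh_cron() {
  root=${1:-}
  for f in "$root/etc/crontab" $(find "$root/etc/cron.hourly" -type f 2>/dev/null || true); do
    [ -f "$f" ] || continue
    grep -n 'gcc\.sh' "$f" /dev/null || true
  done
  return 0
}

# xorddos_check ROOT: print every indicator found; return 1 if there were any.
# A rootkit module (see the cleanup step) can hide files and ports from the live
# host, so a clean result there is weaker than one from an offline image.
xorddos_check() {
  root=${1:-}
  out=$(
    for p in $XD_DROPS; do [ -e "$root$p" ] && echo "dropped: $root$p"; done
    random_name_files "$root" | sed 's/^/random-name: /'
    gccsh_cron "$root" | sed 's/^/cron: /'
  )
  [ -n "$out" ] || return 0
  printf '%s\n' "$out"
  return 1
}
```

On an offline image there is no package database to consult, so legitimate ten-letter binaries such as journalctl are reported too; compare those hits against a known-good installation of the same release before deleting anything. When the live check comes back clean but the host still shows xorddos traffic in network captures, assume the kernel module is hiding the files and image the disk for offline analysis.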

7. Rainbowminer

Rainbowminer has appeared frequently since 2019 and is named after the string rainbow in its C&C domain names. Its most notable feature is hiding the mining process kthreadds: investigators find that the host's CPU usage is high but cannot find a suspicious process.

Host poisoning phenomenon:

A hidden mining process /usr/bin/kthreadds; host CPU usage is high but the process cannot be seen. The host connects to a malicious domain name. An SSH public key is added for passwordless login as a persistence mechanism. A guardian process keeps the miner running.

Virus clearance step:

Download a static BusyBox binary with wget. Use busybox top to find the mining process kthreadds and its parent process pdflushs, and kill them. Delete the files /usr/bin/kthreadds and /etc/init.d/pdflushs, and the startup entries under /etc/rc*.d/. Delete the disguised malware file under /lib64/. Kill the Python process.
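The "CPU is high but no process is visible" symptom, as an added example that is not from the original article: a process hidden from ps usually still has its /proc entry, so listing /proc and subtracting what ps reports exposes it. The comparison is a pure function checked on constructed PID lists; the live wrapper and its use of procps ps syntax are assumptions made here.

```shell
#!/bin/sh
# Added example, not from the original article: find processes that exist in
# /proc but are missing from ps output, which is exactly the symptom the
# article describes (CPU high, no suspicious process visible). The comparison
# is a pure function so it can be checked on constructed PID lists; the live
# wrapper gathers both lists from the running system.

# hidden_pids PROC_PIDS PS_PIDS: PIDs in the first newline-separated list that
# are absent from the second, numerically sorted, each once.
hidden_pids() {
  {
    printf '%s\n' "$2" | sed 's/^/seen /'
    printf '%s\n' "$1"
  } | awk '
      $1 == "seen"                              { seen[$2] = 1; next }
      /^[0-9]+$/ && !($1 in seen) && !dup[$1]++ { print }
    ' | sort -n
}

# live_proc_pids: numeric entries of /proc, enumerated by the shell's own
# glob rather than by ls, which a user-space hook may filter.
live_proc_pids() {
  for d in /proc/[0-9]*; do echo "${d#/proc/}"; done
}

# live_ps_pids: what ps is willing to show (procps syntax).
live_ps_pids() { ps -eo pid= ; }

# live_hidden_pids: report hidden PIDs with their command lines, re-checking
# /proc so processes that merely exited between the two snapshots are dropped.
live_hidden_pids() {
  for pid in $(hidden_pids "$(live_proc_pids)" "$(live_ps_pids)"); do
    [ -d "/proc/$pid" ] || continue
    printf '%s %s\n' "$pid" "$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
  done
  return 0
}
```

Run this under the static BusyBox the article has you download (busybox sh script.sh) because a hooked libc filters directory listings in any dynamically linked shell as well as in ps; a kernel-level rootkit hides the /proc entry from everything, and then only an offline image helps. When the miner and its guardian pdflushs are found, kill both in the same command (kill -9 GUARD_PID MINER_PID), otherwise the survivor respawns the other.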


Linux malware is dominated by cryptomining. Once a host is mining, its CPU usage is high, which affects the business running on it, so host CPU usage should be monitored in real time. Scheduled tasks are the persistence technique malware most commonly uses, so the system should be checked for suspicious scheduled tasks. Enterprises have large numbers of weak SSH passwords; these should be changed to strong passwords promptly, and the /root/.ssh/ directory should be checked for suspicious cached public keys in authorized_keys. Web applications should be checked regularly for vulnerabilities, with particular attention to RCE vectors such as Redis unauthorized access.
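The Redis unauthorized-access check from the last sentence, as an added example that is not from the original article. The attack needs a Redis port reachable without a password; it then uses CONFIG SET dir and dbfilename followed by SAVE to write a database file into /var/spool/cron or /root/.ssh, which is how several of the families above get in. The audit below reads a redis.conf and flags the settings that allow that chain; the sample configurations in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the original article: audit a redis.conf for the
# settings that make the Redis unauthorized-access attack possible. The attack
# needs a reachable port and no password; it then uses CONFIG SET dir/dbfilename
# plus SAVE to write a database file into /var/spool/cron or /root/.ssh. The
# configuration files used with this script are assumed, not from the article.

# redis_setting FILE DIRECTIVE: effective value of DIRECTIVE (the last
# occurrence wins, as in redis itself); comments ignored; empty if unset.
redis_setting() {
  awk -v d="$2" '
    tolower($1) == d { v = $2; for (i = 3; i <= NF; i++) v = v " " $i }
    END { print v }
  ' "$1"
}

# redis_audit FILE: print one finding per weak setting; return 1 if any.
redis_audit() {
  f=$1; bad=0
  bind=$(redis_setting "$f" bind)
  pass=$(redis_setting "$f" requirepass)
  pm=$(redis_setting "$f" protected-mode)

  if [ -z "$bind" ]; then
    echo "bind: unset, so redis listens on every interface"; bad=$((bad + 1))
  else
    case " $bind " in
      *' 0.0.0.0 '*|*' * '*|*' :: '*)
        echo "bind: '$bind' exposes the port to every network"; bad=$((bad + 1)) ;;
    esac
  fi
  if [ -z "$pass" ]; then
    echo "requirepass: unset, any client can run CONFIG SET and SAVE"; bad=$((bad + 1))
  elif [ "${#pass}" -lt 16 ]; then
    echo "requirepass: shorter than 16 characters, brute-forceable"; bad=$((bad + 1))
  fi
  # protected-mode only guards an instance that has neither a bind nor a
  # password, so it is a last line of defence, not a substitute for the above.
  if [ "$pm" = "no" ]; then
    echo "protected-mode: no"; bad=$((bad + 1))
  fi
  # Without CONFIG disabled (or an ACL denying it on Redis 6+, which this
  # script does not parse), a leaked password still gives a file-write primitive.
  if ! grep -qiE '^[[:space:]]*rename-command[[:space:]]+config[[:space:]]' "$f"; then
    echo "rename-command CONFIG: not disabled"; bad=$((bad + 1))
  fi
  [ "$bad" -eq 0 ]
}
```

A configuration file only shows the intended state; confirm the running instance with redis-cli -h HOST ping from a host outside the trusted network, which must fail with NOAUTH or a connection refusal rather than return PONG.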