1

After running clam it found four files called win.trojan.Xored-1

What are they? They were in Chrome cache.

danielp

1 Answer

2

According to this article, they are files from a rather dangerous Trojan virus and rootkit.

The Trojan, called XOR.DDoS, installs itself onto compatible Linux systems and hides its files so the user doesn't know it's there. It uses your computer to run DDoS attacks.

However, it relies on you having not changed any default logins on your devices, which means if you have a password you're probably OK. I would delete those files and maybe look into removing rootkits just in case, however.

The Avast blog has a more detailed article on it: https://blog.avast.com/2015/01/06/linux-ddos-trojan-hiding-itself-with-an-embedded-rootkit/

TheWanderer
  • Oddly I have never used any default logins - system has always been password protected. Thanks for the article - will check it out. I just deleted all odd files clam found including some html.exploit.CVE files and scanned again. – danielp Mar 17 '16 at 14:31
  • @danielp I still recommend checking for rootkits: https://apps.ubuntu.com/cat/applications/precise/chkrootkit/ – TheWanderer Mar 17 '16 at 14:35
  • I got this: Searching for Suckit rootkit... Warning: /sbin/init INFECTED – danielp Mar 17 '16 at 14:50
  • Does this application allow you to remove rootkits? – TheWanderer Mar 17 '16 at 14:52
  • I ran chkrootkit so no I don't think it does - or at least I don't know how to remove – danielp Mar 17 '16 at 14:54
  • Second answer: http://askubuntu.com/questions/517/best-rootkit-removal-tool-for-a-server – TheWanderer Mar 17 '16 at 14:56
  • Re-installed Ubuntu - after running chkrootkit suckit rootkit still appears - seems it's a bug? Also ran clam and found some trojan agent html files it didn't like. – danielp Mar 17 '16 at 16:51
  • No, it isn't a bug, unless you did a full format (overwrite data with 0s). Rootkits have a tendency to persist over even quick formats. If you didn't even do a quick format, then it's definitely still there. – TheWanderer Mar 17 '16 at 16:53
  • I reinstalled OS ie a new install from disk. – danielp Mar 17 '16 at 17:12
  • Just installing over the old installation? – TheWanderer Mar 17 '16 at 17:15
  • A new installation from Wubi disk. I didn't do anything else - just installation. I thought that overwrites files? I just ran RKhunter and it didn't pick up suckit (although it did pick up postfix - which seems to have installed itself). Can of worms - check, can opener - check..... – danielp Mar 17 '16 at 17:35
  • Reinstalling on top of the current installation merely replaces system files, and not even very well. The best thing to do is a secure erase of the drive and reinstall. – TheWanderer Mar 17 '16 at 17:47
  • As it turns out it's a false positive - well documented bug in chkrootkit – danielp Mar 19 '16 at 08:21
  • @danielp That's a relief – TheWanderer Mar 19 '16 at 10:43
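The thread ends with chkrootkit's "Suckit ... /sbin/init INFECTED" turning out to be a false positive. Before deleting or reinstalling over a flagged system file, the quickest triage is to compare it with the package manager's own checksum record, which is what debsums does. The script below is an added example, not code from the thread or from chkrootkit; it assumes the dpkg `.md5sums` manifest format (`<md5>  <path relative to />`, as found under /var/lib/dpkg/info/ on Ubuntu) and takes the manifest and root directory as parameters so it can be tried offline on a constructed tree.

```shell
#!/bin/sh
# Added example: verify files against a dpkg-style .md5sums manifest,
# the way debsums does, so a rootkit scanner's "INFECTED" verdict on a
# file such as /sbin/init can be checked against the package record.
# On a real system the manifests live in /var/lib/dpkg/info/<pkg>.md5sums
# (find the package with: dpkg -S /sbin/init). Paths containing spaces
# are not handled, matching the limitation of the manifest format itself.

# verify_manifest MANIFEST ROOT
# Prints one line per missing or modified file.
# Returns 0 when every listed file matches, 1 otherwise.
verify_manifest() {
    manifest="$1"
    root="${2:-/}"
    status=0
    while read -r expected relpath; do
        [ -z "$expected" ] && continue          # skip blank lines
        file="$root/$relpath"
        if [ ! -f "$file" ]; then
            echo "MISSING   $relpath"
            status=1
            continue
        fi
        actual=$(md5sum "$file" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "MODIFIED  $relpath (expected $expected, got $actual)"
            status=1
        fi
    done < "$manifest"
    return $status
}

# Constructed demo (hypothetical tree, not a real system): record the
# checksum of a fake "init", confirm it verifies, then tamper with it.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/root/sbin"
    printf 'genuine init\n' > "$tmp/root/sbin/init"
    printf '%s  sbin/init\n' "$(md5sum "$tmp/root/sbin/init" | cut -d' ' -f1)" \
        > "$tmp/init.md5sums"
    verify_manifest "$tmp/init.md5sums" "$tmp/root" && echo "clean: matches manifest"
    printf 'tampered\n' >> "$tmp/root/sbin/init"
    verify_manifest "$tmp/init.md5sums" "$tmp/root" || echo "mismatch: investigate"
    rm -rf "$tmp"
}

demo
```

A file that matches its package checksum was not altered on disk, which is the case for the chkrootkit false positive; a mismatch on a system binary is the point at which offline forensics, not a reinstall over the old partition, is the right next step.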