New Linux trojan turns servers into Bitcoin miners

Doctor Web, a Russian anti-malware company, has reported on a new self-spreading Trojan that is labelled “Linux.Lady”. Cybercriminals are using it to hijack servers and computers, take control and utilise their processing power in order to mine cryptocurrency.

Linux.Lady is able to run a mining program on targeted computers that have been infected. It is written with Google-developed language Go, and uses numerous libraries that are found on GitHub. According to“Go was developed as a system programming language to create highly effective programs that run on modern distributed systems, and multi-core processors”.

The use of Go for malicious intent is not a new idea – it was first used as such in 2012, despite the fact that it isn’t a widely adopted feature in the vxer (creators of computer viruses) community.

Picture1Linux.Lady uses a smaller Trojan called Linux.Downloader.196 in order to infect the system and acquire basic information (including the Linux OS version and the number of CPUs) to send to the command and control (C&C) server. The C&C server then provides a file for downloading and running a cryptocurrency mining utility.

Linux.Lady targets Redis NoSQL database systems that are unsecure in order to infect further computer systems. Consequently, up to 30,000 Redis servers that were not password protected have been left vulnerable due to administration negligence.

Doctor Web also observed the sample of Linux.Lady that was mining a cryptocurrency entitled Monroe.  Other Linux malware such as Encoder ransomware and Ekoms malware were also exposed by the anti-virus company.


Uncovering Netflix’s distribution network

Netflix is the world’s leading online video-streaming service with 83 million subscribers world-wide. It has accounted for up to 37% of internet traffic this year, accompanying similar consistent figures from previous years.

There has been a vast amount of speculation around Netflix’s unbelievable efficiency and impressive statistics for quite some time, which sparked researchers from Queen Mary University of London (QMUL)’s interest in mapping out the location of their servers. They performed a study which is believed to have produced the first map created of Netflix’s physical servers.


233 locations across six continents were mapped





As expected, most of the servers were reported to be situated in the USA – where studies have shown is the main source of traffic generated by Netflix. (47 million of Netflix’s 83 million subscribers are said to come from the US.) The servers became fewer and more spread out towards areas where subscription numbers are less. The USA was surprisingly followed by Mexico, Canada, Brazil and the UK in having the most number of servers. In Australia, content servers were found in Sydney, with ISP caching servers in the remaining state capital cities. Surprisingly, a content server was also found in Guam – perhaps due to its location close to the South Cross cable.

The researchers at QMUL acquired the locations of the servers by mirroring the global film request processes and observing the outcomes. They requested videos from university computers and localised them using web extensions. A particular reliance on Internet eXchange Points (IXPs) and Internet Service Providers (ISPs) was noted.

One of the researchers stated, “The study is important as it provides an insight into how today’s internet works, the different deployment strategies observed are caused by inherent regional differences, forcing Netflix to adapt its strategy to ensure low movie start-up times and to avoid video stalling during playback.”

The study shows that Netflix’s secretive efficiency is enhanced by placing servers in carefully-chosen locations, and is an interesting case study for effective distributing content world-wide.


The Internet of Things: a new era for cyberattacks?

The Internet of Things, also known as IoT, is the concept of setting up everyday appliances, objects and wearable devices with an Internet connection to allow the exchange of data and information. Thing of washing machines that send you a text when the load is done, or air conditioning you can turn on from an app on your phone. The technology has gained a lot of favourable attention and is becoming increasingly popular.

It is estimated by Gartner that 20.8 billion IoT devices will be in operation by the year 2020, with much of this growth predicted to be majorly in business and enterprise activity. It has therefore become particularly attractive to cybercriminals who have shown a growing interest in targeting IoT devices, or leveraging the growing ubiquity of IoT devices in order to facilitate attacks.


The sky-rocketing popularity of IoT offers a concrete platform on which cybercriminals can attack, as the majority of IoT devices contain outdated connection protocols and operating systems. Examples of this may include: remotely controlled lightbulbs and Wifi-enabled In-vehicle infotainment systems (IVIs), which are most commonly run through Linux and are created in C language, where safe complier actions are overlooked. Dated connection protocols, such as TCP/IP (1989, RFC 1122), ZigBee (2004 specification) and CAN 2.0 (1991), are used, and can cause the device to allow unauthorized access when exploited.

Additionally, man-in-the-middle attacks (where a third party secretly relays and possibly hinders messages between two unsuspecting parties, and will therefore gain access to their devices) can be caused when a TCP/IP protocol is exploited.

Gaining access to IoT devices involves several stages:  Investigation and Proof of Concept (PoC), Taking Control of the Device and ensuring that Maximum Damage is caused.

Investigation and Proof of Concept (PoC)

Programmers can concentrate on investigating around a target device, searching for vulnerabilities and considering PoCs from which they can discover exploits to use against the target. Cases of these PoCs incorporate weaknesses and vulnerabilities that can be found on Digital Audio Broadcasting radio collectors that are coordinated in IVIs, as well as further validation imperfections in associated lights which can give information a chance to be stolen – even from networks that are air-gapped.

Taking Control of the Device

It is at this stage that cybercriminals work on:

  • Locating their default and/or embedded authentication
  • Using fuzz tools with the purpose of exploiting protocol bugs
  • Finding input validation bugs such as buffer overflow and SQL injection.

Github, a web-based code hosting services, holds many open source research tools (such as Modbus, Fuzzer, the CANard tool) that are vulnerable to misuse by hackers to cut time on this step.

In order to take control of the device, hackers can use attack vectors – some of which include:

  • Utilizing exploits or the default username/password to get to the device, and finding an inside system from which they can lead parallel movement.
  • Implanting, and thereby building a botnet, and creating a network for the bot to allow further control.
  • Initiating a Distributed Denial of Service attack. IoT devices produce an ideal environment in which DDoS may attack as it needs a vast amount of data to act effectively. For example, thousands of compromised CCTVs which formed a botnet was recently used as a source of network traffic, which was needed to perform a DDoS attack.
  • Implanting a bitcoin-mining program. An individual IoT device has low CPU power; however, when many of them are infected, a vast amount of processing power is initiated. This huge amount of power is used to mine for bitcoins.

DVRs, which were used for security camera video-recording, were infected with a similar form of malware in April 2014.

Ensuring Maximum Damage

The hacker then has the ability to cause as much distress to the victim as possible. This may range from changing items on people’s automated grocery list to locking their car’s brakes and steering functionality. This will have a huge impact on the daily lives of millions and will cause major disruptions and safety threats.

IoT device security is largely forgotten about by vendors who are more concerned about their functionality and performance. Search engines such as Shodan and ZoomEye contribute to worsening the situation by providing archives of potentially vulnerable connected devices and systems. It is predicted that 25% of observed cyber-attacks on businesses will have IoT involvement by 2020.


The growing popularity in the use of IoT devices means that IoT device security is quickly gaining interest – so quickly in fact, that world-wide spending on IoT security has been predicted to reach $547 million in 2018. Tesla and Fiat Chrysler are but a few of those that looked at IoT device security by developing bug bounty programs for the purpose of protecting their connected cars.

The Automotive Information Sharing and Analysis Centre (Auto-ISAC) in the US, has worked with 15 automobile manufacturers in creating a list of most effective methods for their vehicle security against cyber-attacks.

Although threats such as cyber extortion and ransomware is technically possible in IoT, it is unlikely to be in effect within the coming years. The process of hacking IoT devices requires specifically dedicated time and resources. It also involves tailoring the attacks to specific victims and organizations through which they can proceed to make money on their attacks through extortion.

Furthermore, it is not a feasible option, specifically for malefactors such as ransomware operators, whose fast-paced systems work by attempting to establish quick ROI from as many targets as possible.

In spite of this, the growing interest and demand for IoT devices, along with the seemingly easy method of defying their security measures (or lack thereof), and the financial benefits of the extraction of money of their owners, are a dangerous blend.

Although there is no specific method for ensuring total security of the devices, counteractions such as the use of a security audit when designing IoT hardware and software, the implementation of security gateways, the introduction of endpoint monitoring and real-time log inspection, play a key role in reducing these risks.


APAC DDoS Report – Q2 2016

Intergrid’s DDoS mitigation partner, NexusGuard, has recently updated its quarterly statistics for DDoS attacks targeting the Australia Pacific region. NexusGuard observes and collecting data about threats which globally target enterprise and service-provider networks, such as ours.

The methodology of this monitoring involves analysis of events through honeypots (a type of online trap that is used to deflect and mislead programs that are attempting to gain unauthorized access to information systems) as well as through a vulnerable network of devices that are connected to the internet. Threats which target unknown vulnerabilities in software are often first seen on NexusGuard’s global research network.

The company’s quarterly report saw an 83% worldwide increase in attacks. The Asia-Pacific region, by contrast, has seen slightly more than half the global total increase at 43%. The country that was most targeted is China, where attacks rose by 50%. It was found that this was the result of a target who was hosting malware in the area within the last two years. The largest increase of attacks was that of Hong Kong with a huge 57%. There were however, minor decreases in a few countries – which is an incredible feat when dealing with DDoS. Japan was the lucky winner of a 4% decrease in attacks.

Another notable increase was the act of using ransomware, where an unauthorized program restricts access of the computer until a sum of money is paid. NexusGuard reported a few public attacks, such as the one on Pokémon Go, which was launched by a new group called Poodle Corp. More attacks from this group are predicted as they attempt to gain visibility and offer their services to other groups and industries to perform DDoS attacks.


The Chinese websites Chinanet and Alibaba stand first and second as the most attacked networks that were observed in the second quarter. Australian internet service provider Telstra and Kixs (Korean site) dropped down a few positions from the first quarter on the top ten list of sites that were attacked.

In the Asia-Pacific region, NTP (Network Time Protocol) attacks accounted for 90% of all attacks. This is a notable difference compared to the 46% accountability of NTP attacks on the rest of the world. It was further seen that many of the attack tools are scripted and are set to perform for a specific amount of time. It has been determined that NTP attacks are not only more popular in the Asia- Pacific region, but also tend to last longer compared to world-wide durations.

Intergrid has partnered to offer all customers with DDoS protection up to 50Gbps. To find out more about how Intergrid and NexusGuard can keep your organisation DDoS threat-free, visit


Do you need DDoS protection? A commercial perspective.

I often get asked where the value lies in DDoS protection, and whether such a service is a wise commercial investment. There’s a lot of analysts and indeed, DDoS protection providers, which will answer this question with a resounding “yes”. But is that strictly true?

DDoS protection is a bit like insurance. For the most part, you’ll be paying for the service without making any claims, but when disaster does strike it can be an invaluable resource. DDoS protection is not a necessity for operating a business online, despite what some companies may argue in their extensive sales copy. Instead, it comes down to a simple cost-benefit analysis:

If your business is brought offline because of an attack, how much money will you lose? Is that amount more, or less, than what you would pay for DDoS protection?

Of course, if you run a popular online store, a single outage could put you at risk of losing tens of thousands of dollars. But, if you’re just running a small blog, or an auxiliary website for a bricks-and-mortar business, website continuity during a malicious attack might not be as essential. For these sorts of websites, I would generally consider DDoS protection as a nice-to-have, but non-essential service.

The main premise of this article is to establish whether DDoS protection presents sufficient value for a business. That said, the good thing is that this decision is becoming less relevant; many reputable hosting providers are now including DDoS protection as standard in their service. For instance, Intergrid includes 50Gbps of DDoS mitigation with all services as standard.


Received a DDoS threat? Here’s what to do.

As the online space becomes increasingly vital for businesses both in Australia and abroad, hacking groups and extortionists are leveraging this dependence to bring businesses to their knees. From the start of the year, cybercriminals have been sending emails to online businesses threatening denial of service attacks unless the attackers are paid in Bitcoin.

There are a variety of different groups sending out these emails, but the premise is the same. Here’s an example that one of our customers received.


We are Armada Collective.

Your network will be DDoS-ed starting ____ if you don’t pay protection fee – 10 Bitcoins @ ____.

If you don’t pay by ____, attack will start, yours service going down permanently price to stop will increase to 20 BTC and will go up 10 BTC for every day of attack.

This is not a joke.

Our attacks are extremely powerful – sometimes over 1 Tbps per second. And we pass CloudFlare and others remote protections! So, no cheap protection will help.

Prevent it all with just 10 BTC @ ____

Do not reply, we will not read. Pay and we will know its you. AND YOU WILL NEVER AGAIN HEAR FROM US!

Bitcoin is anonymous, nobody will ever know you cooperated.

Interestingly, in many cases these threats appear to be little more than that – a threat. There’s two main reasons for this:

  1. Attackers appear to reuse Bitcoin addresses. This means that there’s no way for the attacker to differentiate between the targets that have or haven’t paid the ransom.
  2. Threats are sent out in bulk. This adds to the suggestion that the attackers cannot determine who has sent a payment, but also reinforces the fact that a an extraordinary amount of network capacity would be required in order to attack every target.
  3. The ransom amount is unclear. The email refers to both 10 and 20 Bitcoins.

There are several articles doing the rounds that suggest that these extortion attempts are entirely a facade and should not be treated seriously. In our experience, although the majority of the emails are merely empty threats, we have seen the extortionists follow through with a few attacks. From a limited dataset, it appears that threats against medium sized websites are more likely to be followed through; small enough that they are unlikely to have extensive DDoS mitigation in place, and large enough that a DDoS attack would have a significant effect on their bottom line.

Despite the slim possibility of a follow through, some website owners still pay the ransom, which can soar as high as $30,000 AUD. Don’t pay the ransom – that money can be much better spent investing in DDoS protection which works.

Here’s what to do if you receive a threat:

  1. Do not pay the ransom. I cannot stress this enough. If you pay the ransom, you set a precedent for future threats, and the attack will likely happen either way.
  2. Do not reply to the email. This should be fairly obvious, but there’s not much point antagonising the person with a (potentially) loaded gun to your head.
  3. Call your hosting provider. Tell them what has happened. Here’s the questions you should ask:
    1. Do you have any protection or countermeasures in place for DDoS attacks?
    2. If so, what type?
      1. A blackhole/nullroute will simply drop all traffic to your website – which is essentially the same as an effective DDoS.
      2. Scrubbing or traffic analysis is the best option here – any malicious traffic should be detected and dropped, while legitimate traffic is allowed through to your site.
    3. Are there any additional costs for this mitigation?
    4. Is the mitigation always-on or only enabled once an attack is detected? If it is not always-on, ask your hosting provider to place your IP address into a 48 hour scrub so that all traffic is analysed.
    5. Can DDoS scrubbing filters be customised for your individual needs? If so, tell your hosting provider where clean traffic is found (eg port 80 for websites). That way, unnecessary traffic on other ports can be blocked upstream.
  4. Otherwise, invest in a DDoS protected hosting service. If your website is important to your business, keeping it safe should be a no-brainer. There are quite a few hosting companies which specialise in DDoS protected services – for instance, all Intergrid services are protected for attacks up to 50Gbps as standard. Selecting a company that specialises in DDoS protected services is a must, as the technology is only as good as the team configuring it.

But why should you pay for DDoS mitigation if most of these extortion emails are empty threats? For me, the answer is simple: it’s only a matter of time until you are targeted by a genuine attack. Be it another cybercrime organisation with more willpower, a disgruntled customer or a questionable competitor, you should always be prepared.