Skip to ContentSkip to Footer
IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more
News

Linux botnet spreads using Log4Shell flaw

The malware uses DNS tunnelling to communicate with its C2 control server

by: Danny Bradbury
16 Mar 2022
Visual representation of an active botnet, with several black nodes connected with white strands

Shutterstock

The B1txor botnet, which is spreading via the Log4Shell flaw, enables attackers to get shell access to Linux systems and install a rootkit.

Chinese security company 360Netlab discovered and named the bot in February and publicly disclosed it this week. It takes the form of a backdoor for Linux that uses DNS tunnelling for its command and control (C2) communications.

The researchers observed the software propagating via the Log4Shell flaw in the Logj logging system that was first discovered in December.

The domain information that it uses to communicate with its C2 server is encrypted. Once the botnet client has decrypted it, it uses a DNS query to send its communications to the C2 domain, including stolen information and command execution results. The C2 server sends the next payload in the body of a DNS response.

The payload supports 14 instructions, which include simple beaconing to the C2 server, uploading system information, reading and writing files, forwarding traffic, opening a shell, and executing arbitrary system commands. The backdoor can also start a proxy service.

The botnet is buggy, according to the Netlab360 team, with one socket binding function rendered entirely inoperable thanks to code mistakes. Nevertheless, enough of the code works to make it a threat.

Related Resource

The state of SD-WAN, SASE and zero trust security architectures

Be a leader in the deployment of zero trust, SD-WAN and SASE

Whitepaper cover with graphic of a man stood on a laptop in front of a padlock, in front of a cloud with a server in the cloud, plus other peopleFree Download

"We presume that the author of B1txor20 will continue to improve and open different features according to different scenarios, so maybe we will meet B1txor20's siblings in the future," they said in an analysis of the malware.

Linux backdoors are popular for attacking the servers that run large portions of the internet. In November, criminals were found using one to compromise e-commerce sites with a software skimmer. In August, Trend Micro reported that hackers were targeting outdated versions of the operating system to gain control of resources in the cloud.

Last month, VMware researchers identified increased ransomware attacks against Linux servers in multi-cloud operating environments and called for more countermeasures.

Featured Resources

IT best practices for accelerating the journey to carbon neutrality

Considerations and pragmatic solutions for IT executives driving sustainable IT

Free Download

The Total Economic Impact™ of IBM Spectrum Virtualize

Cost savings and business benefits enabled by storage built with IBMSpectrum Virtualize

Free download

Using application migration and modernisation to supercharge business agility and resiliency

Modernisation can propel your digital transformation to the next generation

Free Download

The strategic CFO

Why finance transformation propels business value

Free Download

Most Popular

The big PSTN switch off: What’s happening between now and 2025?
Sponsored

The big PSTN switch off: What’s happening between now and 2025?

13 Mar 2023
Why Amazon is cutting staff from AWS
Cloud

Why Amazon is cutting staff from AWS

21 Mar 2023
Why – and how – IP can be the hero in your digital transformation success story
Sponsored

Why – and how – IP can be the hero in your digital transformation success story

6 Mar 2023
Skip to HeaderSkip to Content