"Linux doesn't get viruses" — It's a Myth.
A new Trojan has been discovered in the wild that turns Linux-based devices into proxy servers, which attackers use to protect their identity while launching cyber attacks from the hijacked systems.
Dubbed Linux.Proxy.10, the Trojan was first spotted at the end of last year by the researchers from Russian security firm Doctor Web, who later identified thousand of compromised machines by the end of January this year and the campaign is still ongoing and hunting for more Linux machines.
According to researchers, the malware itself doesn't include any exploitation module to hack into Linux machines; instead, the attackers are using other Trojans and techniques to compromise devices at the first place and then create a new backdoor login account using the username as "mother" and password as "fucker."
Once backdoored and the attacker gets the list of all successfully compromised Linux machines, and then logs into them via SSH protocol and installs the SOCKS5 proxy server using Linux.Proxy.10 malware on it.
This Linux malware is not at all sophisticated since it uses a freeware source code of the Satanic Socks Server to setup a proxy.
According to the security firm, thousands of Linux-based devices have already been infected with this new Trojan.
Besides this, the same server — belonging to the cybercriminals who distribute the Linux.Proxy.10 malware — not only contained the list of compromised devices but also hosted the control panel of a Spy-Agent computer monitoring software and a Windows malware from a known family of Trojan spyware, called BackDoor.TeamViewer.
This is not the first time when such Linux malware has been discovered.
Over a year ago, ESET security researchers uncovered a similar malware, dubbed Moose, that also had the capability to turn Linux devices into proxy servers that were then used for launching armies of fake accounts on social media networks, including Instagram, and Twitter.
Linux users and administrators are recommended to tighten SSH security by limiting or disabling remote root access via SSH, and to know if your system has already been compromised, keep a regular watch on newly generated login users.