
ELF botnet

Posted: April 6, 2019

The ELF botnet is a network of Trojans that compromise Linux systems and use them to launch DDoS attacks that flood and crash Web servers. The ELF botnet has a close relationship with threats such as Linux/DDoSMan and Elknot, both of which contain various features for subverting the user's control over the system. If you suspect an infection, disable all network connections before having your anti-malware products remove all ELF botnet software automatically.

This Elf Travels with Trojans

Recent findings from cyber-security researchers reveal the inner workings of the latest botnet, a decentralized network of Trojan-infected systems. The ELF botnet facilitates nothing more than the usual Denial-of-Service attacks, the well-known bludgeon of criminals who take down Web servers by flooding them with traffic. However, the fellow Trojans that the ELF botnet uses for coordinating these attacks offer both new code and old code put to use in refreshed ways.

The ELF botnet's all-caps acronym refers to the Executable and Linkable Format, a multi-purpose format for executables, shared libraries, and compiled code. Although ELF files are, in theory, very portable, the ELF botnet runs through Linux/DDoSMan, a Linux-based threat that establishes persistence with its primary component and then drops Elknot to carry out the DDoS attacks. The second Trojan's Denial-of-Service attack is configurable in various ways, but it always involves crashing servers that the threat actors specify through the commands they issue to the ELF botnet as a whole.

Although the ELF botnet by itself causes little immediate harm to the compromised systems, the Trojans enabling it can provoke other security issues. Both Linux/DDoSMan and Elknot include features that malware experts would classify as equivalent to backdoors, giving an attacker control over the PC. Additionally, the bots harvest some system information for the C&C server, and both programs may update themselves to improve their attack capabilities.

An Anti-Elf Defensive Strategy for Any PC

In light of the ELF botnet's attacks exploiting open ports, server administrators should review their firewall configurations and close any ports that legitimate traffic does not require. Brute-force attacks are a secondary risk that can be averted by not sharing passwords unnecessarily and by using logins of appropriate complexity. Responsible server managers should, in particular, avoid default login values that may be known to the public at large.

Ordinary PC owners are also at risk from the ELF botnet's bot Trojans, which may make 'equal-opportunity' use of recreational and personal machines just as readily as they abuse business sector servers. While users may monitor their network activity for unexpected traffic that could be the result of a DDoS Trojan's features, these infections produce no deliberate symptoms. Most anti-malware brands include various means of identifying related threats and should remove an ELF botnet Trojan without needing any special assistance, other than, potentially, a database update.
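To make the network-monitoring advice above concrete, here is an added example that is not part of the original page or of any researcher's tooling: a small Python detector that buckets a host's outbound flows per destination and flags any destination being hit far faster than a normal client would, which is how a DDoS bot flooding a target stands out from ordinary browsing. The flow records are constructed sample data in an assumed 'epoch src dst dport proto' format, and the 10-second window and 100-flow threshold are assumed starting values to tune per environment.

```python
from collections import defaultdict

def parse_flow(line):
    """Parse one constructed flow record: 'epoch src dst dport proto'."""
    ts, src, dst, dport, proto = line.split()
    return int(ts), src, dst, int(dport), proto

def flood_destinations(lines, window=10, threshold=100):
    """Return {(dst, dport): peak_count} for every destination that received
    more than `threshold` outbound flows from this host inside any single
    `window`-second bucket. A flooding bot produces a per-target rate far
    above anything a legitimate client generates."""
    buckets = defaultdict(int)  # (bucket_start, dst, dport) -> flow count
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, _src, dst, dport, _proto = parse_flow(line)
        buckets[(ts - ts % window, dst, dport)] += 1
    peaks = {}
    for (_start, dst, dport), count in buckets.items():
        key = (dst, dport)
        peaks[key] = max(peaks.get(key, 0), count)
    return {k: v for k, v in peaks.items() if v > threshold}

def constructed_flows():
    """Constructed sample (documentation-range addresses): one minute of
    ordinary traffic to two hosts, then a 20-second burst of 50 flows per
    second toward a single target, as a DDoS bot would generate."""
    base = 1554540000  # an epoch value in April 2019, arbitrary
    lines = []
    for t in range(60):
        lines.append(f"{base + t} 10.0.0.5 192.0.2.10 443 tcp")
        if t % 5 == 0:
            lines.append(f"{base + t} 10.0.0.5 198.51.100.7 53 udp")
    for t in range(30, 50):
        for _ in range(50):
            lines.append(f"{base + t} 10.0.0.5 203.0.113.9 80 tcp")
    return lines

if __name__ == "__main__":
    for (dst, dport), peak in flood_destinations(constructed_flows()).items():
        print(f"possible flood: {dst}:{dport} peaked at {peak} flows per 10 s")
```

Real input would come from the host's own flow records (for example a conntrack or NetFlow export) converted to the same five-field format; the baseline hosts never exceed ten flows per bucket, so only the burst target is reported.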

The ELF botnet is a silent predator that helps criminals control PCs without giving itself away to any observing eyes. While its campaign is being managed from China, it's not likely that Linux systems anywhere are entirely safe from being taken under its wing.
