As many have heard or read in the news, a module of the state-sponsored trojan malware named "Turla" was recently discovered which infects Linux hosts: (News from ArsTechnica) (News from OMG-Ubuntu) (Technical Report by Kaspersky)
In the ArsTechnica article, it is mentioned that:
Administrators who want to check for Turla-infected Linux systems can check outgoing traffic for connections to news-bbc.podzone[.]org or 126.96.36.199, … Admins can also build a signature using a tool called YARA that detects the strings "TREX_PID=%u" and "Remote VS is empty !"
This short explanation doesn't really help me to figure out how I should check if my system is infected or not!
So can someone give a clear step-by-step explanation?
UPDATE: Although there seems to be no absolute method for detecting the infection, a clear and step-by-step explanation using convenient tools for network monitoring to detect connections to the above-mentioned addresses (e.g. vnstat, netstat, …) and steps using convenient tools for blocking connections to and from the above-mentioned addresses (e.g. ufw, iptables, …) is greatly appreciated and DESIRED!
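The three checks the quoted article describes (a YARA rule for the two strings, a string scan of a file, and a search of netstat/ss output for the named address), plus the matching ufw/iptables block rules, written up as an added shell example that is not part of the question or any answer. The indicator values are the ones quoted above; the function names and the sample netstat output are my own constructions.

```shell
# Added example: the checks from the quoted ArsTechnica text as shell functions.
# Indicators come from the page; SAMPLE_NETSTAT is constructed for the demo.
TURLA_IP="126.96.36.199"
TURLA_DOMAIN="news-bbc.podzone.org"

# 1. Write a YARA rule for the two strings named in the article, for use as
#    `yara -r turla.yar /usr/bin /usr/sbin /tmp` (needs the yara package).
write_turla_rule() {  # $1 = path of the .yar file to create
  cat > "$1" <<'EOF'
rule turla_linux_strings
{
    strings:
        $a = "TREX_PID=%u"
        $b = "Remote VS is empty !"
    condition:
        any of them
}
EOF
}

# 2. Fallback when yara is not installed: grep the same strings from a binary.
#    Prints the path and returns 0 on a hit, returns 1 otherwise.
scan_file_for_turla_strings() {  # $1 = file to scan
  grep -qaF -e 'TREX_PID=%u' -e 'Remote VS is empty !' "$1" || return 1
  echo "HIT: $1"
}

# 3. Feed `netstat -tn` or `ss -tn` output on stdin; prints connections whose
#    peer is the IoC IP or domain (plain substring match, so verify any hit).
find_ioc_connections() {
  grep -F -e "$TURLA_IP" -e "$TURLA_DOMAIN"
}

# Block rules for the IP (run as root). ufw/iptables take addresses, so the
# domain would have to be resolved to an IP first.
print_block_rules() {
  echo "ufw deny out to $TURLA_IP"
  echo "ufw deny from $TURLA_IP"
  echo "iptables -I OUTPUT -d $TURLA_IP -j DROP"
  echo "iptables -I INPUT  -s $TURLA_IP -j DROP"
}

# Constructed sample: one connection to the IoC, one benign ssh session.
SAMPLE_NETSTAT='tcp  0  0 10.0.0.5:41234 126.96.36.199:80 ESTABLISHED
tcp  0  0 10.0.0.5:22    10.0.0.9:51000  ESTABLISHED'

printf '%s\n' "$SAMPLE_NETSTAT" | find_ioc_connections   # shows the IoC line
print_block_rules
```

On a live host replace the sample with `netstat -tn | find_ioc_connections` and point `scan_file_for_turla_strings` at the binaries you want checked; a hit in either is a reason to investigate, not proof by itself.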