Ubuntu – How to check if the system is infected with the “Turla” trojan


As many have heard/read the news, a module of the state-sponsored trojan malware named "Turla" was recently discovered which infects Linux hosts: (News from ArsTechnica) (News from OMG-Ubuntu) (Technical Report by Kaspersky)

In the ArsTechnica article, it is mentioned that:

Administrators who want to check for Turla-infected Linux systems can check outgoing traffic for connections to news-bbc.podzone[.]org or, … Admins can also build a signature using a tool called YARA that detects the strings "TREX_PID=%u" and "Remote VS is empty !"

This short explanation doesn't really help me to figure out how I should check if my system is infected or not!

So can someone give a clear step-by-step explanation?

UPDATE: Although there seems to be no absolute method for detecting the infection, but a clear and step-by-step explanation using convenient tools for network monitoring to detect connections to the above-mentioned addresses (e.g. vnstat, netstat, …) and steps using convenient tools for blocking connection to and from the above-mentioned addresses (e.g. ufw, iptables, …) is greatly appreciated and DESIRED!

Best Answer

I just did a write-up on Turla yesterday over at security.stackexchange.com, covering both Windows and Linux versions. You can find it here.

Good news, by reading it you can get a better idea of what the Turla family is capable of.
Bad news, "Although Linux variants from the Turla framework were known to exist, we haven't seen any in the wild yet." - Kaspersky Lab

That means that the only analysis done so far has been from malware captured in a honeypot, and that it is very hard to detect. If you are interested, I have highlighted some of the anti-detection methods it is known to use in my write-up.

I think you will find there really isn't much more you can do at the moment besides what you already found in the article.