A Trojan named Linux.Mirai has been found to be carrying out DDoS attacks.
The malicious program first appeared in May 2016, detected by Doctor Web after being added to its virus database under the name Linux.DDoS.87. The Trojan can work with with the SPARC, ARM, MIPS, SH-4, M68K architectures and Intel x86 computers.
Linux.DDoS.87 searches the memory for the processes of other Trojans and terminates them once it has been launched on an infected computer. The Trojan creates a file named .shinigami in its folder and verifies its presence from time to time to avoid terminating itself. Then it attempts to connect to its command and control server for more instructions.
When directed to do so by cyber-criminals, the Trojan can launch UDP flood, UDP flood over GRE, DNS flood, TCP flood (several types), and HTTP flood DDoS attacks.
To help prevent this, Doctor Web researchers recommend that after booting up, users run a full scan of all disk partitions.