A short history of Linux malware

A look at some of the worms and viruses and Trojans that have plagued Linux throughout the years.

121114 linux malware 1

Nobody’s immune

Although not as common as malware targeting Windows or even OS X, security threats to Linux have become both more numerous and more severe in recent years. There are a couple of reasons for that – the mobile explosion has meant that Android (which is Linux-based) is among the most attractive targets for malicious hackers, and the use of Linux as a server OS for and in the data center has also grown – but Linux malware has been around in some form since well before the turn of the century. Have a look.

121114 stago

Staog (1996)

The first recognized piece of Linux malware was Staog, a rudimentary virus that tried to attach itself to running executables and gain root access. It didn’t spread very well, and it was quickly patched out in any case, but the concept of the Linux virus had been proved.

Linux malware

Bliss (1997)

If Staog was the first, however, Bliss was the first to grab the headlines – though it was a similarly mild-mannered infection, trying to grab permissions via compromised executables, and it could be deactivated with a simple shell switch. It even kept a neat little log, according to online documentation from Ubuntu.

121114 ramen

Ramen/Cheese (2001)

Cheese is the malware you actually want to get – certain Linux worms, like Cheese, may actually have been beneficial, patching the vulnerabilities the earlier Ramen worm used to infect computers in the first place. (Ramen was so named because it replaced web server homepages with a goofy image saying that “hackers looooove noodles.”

121114 linux malware 5
Wikimedia CommonsCC LicenseKevin Collins

Slapper (2002)

The Slapper worm struck in 2002, infecting servers via an SSL bug in Apache. That predates Heartbleed by 12 years, if you’re keeping score at home.

121114 linux malware 6

Badbunny (2007)

Badbunny was an OpenOffice macro worm that carries a sophisticated script payload that worked on multiple platforms – even though the only effect of a successful infection was to download a raunchy pic of a guy in a bunny suit, er, doing what bunnies are known to do.

121114 linux malware 7

Snakso (2012)

The Snakso rootkit targeted specific versions of the Linux kernel to directly mess with TCP packets, injecting iFrames into traffic generated by the infected machine and pushing drive-by downloads.

121114 thief

Hand of Thief (2013)

Hand of Thief is a commercial (sold on Russian hacker forums) Linux Trojan creator that made quite a splash when it was introduced last year. RSA researchers, however, discovered soon after that it wasn’t quite as dangerous as initially thought.

121114 linux malware 9

Windigo (2014)

Windigo is a complex, large-scale cybercrime operation that targeted tens of thousands of Linux servers, causing them to produce spam and serve drive-by malware and redirect links. It’s still out there, according to ESET security, so admins should tread carefully.

121114 malware mayhem

Shellshock/Mayhem (2014)

Striking at the terminal strikes at the heart of Linux, which is why the recent Mayhem attacks – which targeted the so-called Shellshock vulnerabilities in Linux’s Bash command-line interpreter using a specially crafted ELF library – were so noteworthy. Researchers at Yandex said that the network had snared 1,400 victims as of July.

121114 linux malware 11

Turla (2014)

A large-scale campaign of cyberespionage emanating from Russia, called Epic Turla by researchers, was found to have a new Linux-focused component earlier this week. It’s apparently based on a backdoor access program from all the way back in 2000 called cd00r.