Linux malware threats you should know about

Linux doesn't get malware, right? By Windows standards that has historically been true.

But now, in one form or another, Linux powers much of the web, with the open source OS keeping internet heavy-hitters like Google, Facebook and Wikipedia running. Not only does Linux power servers, it is increasingly crucial to internet of things devices, and there is the small fact that every Android device on the planet is based on the open source software. All of this makes Linux systems an irresistible target.

While attacks on Linux desktop environments are rarer than their Windows counterparts, they're still out there - and shouldn't be ignored. Read on for the nastiest Linux malware out there.

CrossRAT

Suspected to have been developed by the Lebanese ‘Dark Caracal’ hacking group and first exposed in a joint research report by Lookout and the Electronic Frontier Foundation, the CrossRAT malware is a cross-operating system piece of Java-based spyware that’s able to change system files and take screenshots, as well as copy, move or read files.

On Linux, CrossRAT tries to write a copy of itself to /usr/var/mediamgrs.jar, and if that is not possible it will copy itself to the home directory instead. Once embedded in your machine it pings its command and control server via TCP. The point of the malware appears to be surveillance.

While much nastier on Windows – where it can execute DLLs – the EFF’s sample was only version 0.1, suggesting it’s still under development. When it was first discovered only a few anti-malware programs could detect it, leading some analysts to describe it as ‘undetectable’.

That’s not strictly true, however. As TWCN writes, on Linux you can search for an autostart file, most likely called mediamgrs.desktop, within ~/.config/autostart, or check for the jar file, mediamgrs.jar, in /usr/var.

GoScanSSH

Cisco’s threat intelligence wing Talos discovered a new malware strain directed at SSH servers open to the internet, named by the organisation as GoScanSSH. It’s written in Golang – a relatively unusual programming language to code malware in.

GoScanSSH appeared to target Linux devices with weak or default credentials, attempting to brute force its way into servers with a list of thousands of typical default usernames such as ‘admin’, ‘guest’, ‘user’, or ‘ubuntu’. It also went after devices like the Raspberry Pi, jailbroken iPhones, and Huawei devices with default credentials.

Interestingly, the malware would specifically dodge government and military domains such as .army, .police.uk and .gov.uk.

The main function of the malware appears to be to scan for vulnerable devices that could be opened up to further exploitation by the attackers. It would also use the Tor2Web proxy service to make the attacker controlled infrastructure more difficult to track and take down.
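The brute-force behaviour described above leaves a distinctive trail in sshd's log: one source address failing against many different usernames in quick succession. The script below is an added example, not code from the article or from Talos, that flags such sources. The log excerpt is constructed for the example (the hostname, timestamps and addresses are made up), and the detection counts distinct usernames per source rather than raw failures, so a single user mistyping a password is not flagged.

```shell
#!/bin/sh
# Added example: spot one source trying many usernames over SSH.
# SAMPLE_LOG is a constructed auth.log excerpt; on a real host pipe in
# /var/log/auth.log or the output of `journalctl -u ssh` instead.
SAMPLE_LOG='Mar 18 10:01:02 web1 sshd[2210]: Failed password for invalid user admin from 198.51.100.23 port 41022 ssh2
Mar 18 10:01:03 web1 sshd[2210]: Failed password for invalid user guest from 198.51.100.23 port 41023 ssh2
Mar 18 10:01:04 web1 sshd[2210]: Failed password for invalid user user from 198.51.100.23 port 41024 ssh2
Mar 18 10:01:05 web1 sshd[2210]: Failed password for ubuntu from 198.51.100.23 port 41025 ssh2
Mar 18 10:01:06 web1 sshd[2210]: Failed password for root from 198.51.100.23 port 41026 ssh2
Mar 18 10:02:11 web1 sshd[2231]: Failed password for alice from 203.0.113.9 port 50110 ssh2
Mar 18 10:02:20 web1 sshd[2231]: Accepted publickey for alice from 203.0.113.9 port 50111 ssh2'

# flag_bruteforce [THRESHOLD]
# Reads sshd log lines on stdin and prints "IP COUNT USER,USER,..." for
# every source that failed a password login against at least THRESHOLD
# distinct usernames (default 4). Prints nothing when no source qualifies.
flag_bruteforce() {
    thr=${1:-4}
    awk -v thr="$thr" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # The line reads "... for [invalid user] NAME from IP port N ssh2",
            # so locate the "from" token and take its neighbours. This works
            # for both the "invalid user" and the known-user variants.
            for (i = 1; i <= NF; i++)
                if ($i == "from") { user = $(i - 1); ip = $(i + 1); break }
            # Count each (ip, user) pair once, however many attempts it made.
            if (!((ip, user) in seen)) {
                seen[ip, user] = 1
                users[ip] = users[ip] (users[ip] ? "," : "") user
                n[ip]++
            }
        }
        END {
            for (ip in n)
                if (n[ip] >= thr) print ip, n[ip], users[ip]
        }
    '
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | flag_bruteforce 4
```

The distinct-username count is the useful signal here: a scanner working through a list of defaults shows up as one address with many names, while a legitimate user locked out of their own account shows up as one address with one name. Feed the output into a firewall rule or a ticket rather than acting on it automatically until the threshold has been tuned for the host.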

RubyMiner

A cryptocurrency miner called ‘RubyMiner’ scoured web servers looking for unpatched systems to exploit and secretly run mining programs. Researcher Stefan Tanase told security news website Bleeping Computer that the attackers would use a server fingerprinting tool to find unpatched servers, then direct exploits at them to infect them with the mining program.

Both Windows and Linux servers were targeted, and once compromised a script would download and run a modified version of the XMRig Monero app, to mine for the Monero cryptocurrency.

Security firm Check Point noted that as many as 30 percent of networks worldwide suffered compromise attempts by RubyMiner.

Erebus ransomware

In 2017, researchers unearthed a strain of the Erebus ransomware that had been ported to target Linux server and desktop environments – with South Korean web hosting firm NAYANA hit by an attack that had infected as many as 153 of its servers.

Once Erebus had compromised the network, it spread itself to websites, database and multimedia files hosted by NAYANA, affecting 3,400 of its customers.

As Trend Micro points out, the first Erebus attack was reported in September 2016, when banner ads with malicious coding infected users with the Rig exploit kit, which was then used to infect systems with ransomware.

This variant, ported to Linux, encrypted files with AES (Advanced Encryption Standard) keys and used the RSA algorithm to protect those keys. It demanded 10 bitcoin at first, later lowering this to five bitcoin, and targeted file types including office documents, archive files, email files, databases, developer project files and multimedia files. It used the UNIX cron utility to check whether the ransomware was running, and added a fake Bluetooth service to make sure that the malware would be executed again after a system or server reboot.
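Both the CrossRAT and Erebus write-ups above come down to a handful of persistence locations a defender can audit: the ~/.config/autostart directory and /usr/var/mediamgrs.jar named for CrossRAT, and the cron entries and service units that Erebus abused. The script below is an added example, not code from the article, from Trend Micro or from the EFF, that walks those locations and prints one tagged line per finding. The mediamgrs paths are the ones the article cites; the cron and service checks are generic and simply surface entries for a human to review. The ROOT argument is an assumption of this example so the audit can run against a mounted disk image or a test tree instead of the live filesystem.

```shell
#!/bin/sh
# Added example: audit the persistence spots the CrossRAT and Erebus
# descriptions mention. Prints "TAG<TAB>detail" lines; prints nothing on
# a clean tree. ROOT is a path prefix (empty for the live system) so an
# offline image can be audited too.

# audit_persistence ROOT HOME_DIR
audit_persistence() {
    root=${1:-}
    home=${2:-$HOME}

    # CrossRAT's preferred drop location and its home-directory fallback.
    for jar in "$root/usr/var/mediamgrs.jar" "$home/mediamgrs.jar"; do
        [ -f "$jar" ] && printf 'CROSSRAT_JAR\t%s\n' "$jar"
    done

    # Every .desktop file in autostart runs at login, so list each one
    # with its Exec= line and highlight the name CrossRAT is known to use.
    for desk in "$home"/.config/autostart/*.desktop; do
        [ -f "$desk" ] || continue
        exec_line=$(grep -m1 '^Exec=' "$desk" 2>/dev/null || true)
        case "$(basename "$desk")" in
            mediamgrs.desktop) printf 'CROSSRAT_AUTOSTART\t%s %s\n' "$desk" "$exec_line" ;;
            *)                 printf 'AUTOSTART\t%s %s\n' "$desk" "$exec_line" ;;
        esac
    done

    # Erebus used cron to re-check that it was running: print every
    # non-comment, non-blank line from the system cron locations.
    for cronfile in "$root/etc/crontab" "$root"/etc/cron.d/* "$root"/var/spool/cron/crontabs/*; do
        [ -f "$cronfile" ] || continue
        grep -v '^[[:space:]]*#' "$cronfile" | grep -v '^[[:space:]]*$' |
        while IFS= read -r line; do
            printf 'CRON\t%s: %s\n' "$cronfile" "$line"
        done
    done

    # Erebus registered a fake Bluetooth service to survive reboots: flag
    # admin-installed units whose name mentions bluetooth, with what they run.
    for unit in "$root"/etc/systemd/system/*.service; do
        [ -f "$unit" ] || continue
        case "$(basename "$unit")" in
            *[Bb]lue[Tt]ooth*)
                start=$(grep -m1 '^ExecStart=' "$unit" 2>/dev/null || true)
                printf 'SERVICE\t%s %s\n' "$unit" "$start" ;;
        esac
    done
}

# Stand-alone run audits the live system. For a mounted image use, e.g.,
# audit_persistence /mnt/suspect /mnt/suspect/home/someuser
audit_persistence "" "$HOME"
```

The point of tagging each line is triage: CROSSRAT_* lines are direct indicators from the article and deserve an immediate look, while AUTOSTART, CRON and SERVICE lines are an inventory to compare against what the host is supposed to be running. A real Bluetooth service lives in the distribution's own unit directory, so an administrator-installed unit under /etc/systemd/system with that name is worth explaining.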

Red Hat advises that, as is often the case with ransomware, preventative measures are probably the most effective: keep servers and workstations up to date with patches and maintain data backups, because if infected, a software reinstall and data restore “may be the easiest resolution”.

Hand of Thief Trojan - 2013

Hand of Thief was built to run on 15 Linux distros as a data and credential stealer, making it one of the nastiest Linux trojans around when it debuted in 2013. It was discovered for sale on the Russian crime underground.

Jellyfish graphics card malware - 2015

Jellyfish was created by researchers as a proof-of-concept malware platform designed to highlight the possibility that malware could hide on or use GPUs. Not a new worry, but a neat implementation that offered a Linux rootkit and a Windows-based Remote Access Trojan.

'HEUR' backdoor Java app - 2014

A malicious Java application (which runs across Windows and Mac as well as Linux), this threat hit unpatched flaws on that platform with glee. Infected systems became part of an old-fashioned desktop DDoS bot.

Linux ‘Mayhem’ botnet - 2014

Another Linux botnet, but this time one found by Russian firm Yandex to be exploiting the Shellshock security flaw discovered in 2014. Patch your servers.

Linux Chapro - 2012

Essentially a malicious module designed to run under Apache web servers, Chapro injected compromised pages into those served by the infected system as a way of spreading malware such as banking Trojans.

IPtables botnet - 2014

Typical of the modern threat to Linux servers, the hard-to-detect IPtables attacks Apache servers to add them to its DDoS botnet. Akamai reckoned this bot and its Linux slaves were used in major attacks during the year.

Wirenet Trojan - 2012

Unusual for infecting Mac, Linux and even Solaris desktops, Wirenet was designed to steal passwords, probably as part of highly targeted attacks. Non-mainstream, perhaps, but a warning about the potential of cross-platform malware.

Spike toolkit - 2014

Another DDoS botnet, this time with clear Chinese origins, Spike started infecting Linux servers in 2014 before being ported to Windows and SME routers. It was used to generate huge DDoS attacks during that year.

Windigo platform - 2011

Part of a larger operation targeting Linux and BSD systems (FreeBSD, OpenBSD) as well as Mac and Windows, Windigo was used to infect 25,000 servers, including cPanel and the kernel.org repository, using a web of components such as Cdorked, Ebury and the Calfbot Perl script. Concerning.

Anonymous OS hoax - 2012

An odd one, this, but criminals sometimes use lateral thinking. News emerged of a secure ‘Anonymous’ OS image running under Ubuntu offering tools such as Low Orbit Ion Cannon (LOIC) for sympathisers. Unfortunately, the OS was a hoax full of trojans and backdoors.

Copyright © 2018 IDG Communications, Inc.