Linux is also facing a new virus problem

Linux and Malware - Should You Worry?

Malicious code can't harm Linux, can it? Stop for a second, because Linux malware is increasingly creating problems and making headlines.

The days when everyone agreed that viruses and malware did not affect Linux systems are long gone. For a long time, the combination of open source advantages and strong, Unix-like security was considered perfect. Now, however, Linux-based operating systems are increasingly seen as vulnerable and have become a new target.

This change arose in part from the growing realization among both Linux hobbyists and system administrators that a compromised Linux system is very profitable for attackers, for example those who attack via web servers. In addition, malware research in recent years has significantly raised awareness of the threats to Linux.

Of course, there is still something to the popular belief that Linux has better, if not perfect, security. But that belief makes no distinction between the different types of Linux systems and their use cases, and it disregards the various platform-specific dangers. Linux desktop installations are still far outnumbered by Windows systems (and by macOS devices too, while we're at it). This niche position naturally plays a role in the fact that there isn't that much Linux-based desktop malware out there.

However, if we take a look at public servers, it becomes clear that far more malicious activity takes place on Linux. The same can be said about embedded devices, network equipment, and Android smartphones, all of which are based on Linux in one way or another.

Let's focus on servers, not least because they bear the brunt of malware attacks on Linux systems. Linux servers are at the heart of most data centers, and the operating system is popular with companies of many different industries and sizes. In fact, much of the Internet is powered by Linux, for example the servers at Google, Facebook and Twitter.

It is certainly not surprising that in the recent past there have been many examples of damage caused by malware on Linux server installations. A vulnerable server is a valuable target for many different malicious activities, such as theft of personal information and login credentials, redirecting web traffic, DDoS attacks, and cryptocurrency mining. In addition, servers can be misused to host a Command and Control (C&C) server that distributes malicious code, or to run spam campaigns carrying malware; these target Windows systems in particular.

A brief look back at history

You don't have to look far back to find a fitting example from the Linux malware arsenal. About a year ago, ESET researchers published research on a large number of OpenSSH backdoors, an important weapon for attackers trying to wrest control of a server away from its administrator. The researchers came across 21 Linux-based malware families, including some that had never been documented before. Almost all of them had credential theft and backdoor functions.

The published findings were the result of three years of research, which ultimately provided a unique insight into the Linux malware ecosystem. Of course, this wasn't an isolated achievement, nor did it appear out of nowhere. The researchers went on the hunt equipped with insights from the award-winning research on "Operation Windigo", which combined around 25,000 servers, most of them running Linux, into one of the largest server botnets. The compromised devices were used for data theft, spam campaigns, redirecting traffic to malicious sites and other dangerous activities.

At the heart of the campaign, which went undetected for three years, was the Linux/Ebury backdoor. Even before installing the malware on a server, the attackers had Ebury check whether the server had already been equipped with another SSH backdoor. This routine started the hunt for in-the-wild OpenSSH malware families. The rest is history.

Over the years, the ESET team made many more discoveries that were added to the knowledge base on Linux server malware. Among other things, it was determined that Windigo could be linked to a previous discovery, Linux/Cdorked, one of the most sophisticated backdoors targeting Linux Apache web servers at the time. Windigo also brought back memories of ESET's research on Mumblehard, another botnet that zombified thousands of Linux servers and was ultimately taken offline through international law enforcement action with ESET's help.

How can you catch malware?

ESET researchers would like to share their insights with Linux administrators who may not be adequately trained on server-focused malware. The upcoming RSA 2020 conference offers a workshop by ESET Senior Malware Researcher Marc-Etienne M.Léveillé, who played a central role in the research mentioned above. Marc-Etienne's workshop "Hunting Linux Malware for Fun and Flags" gives system administrators and IT professionals the opportunity to tackle the topic of Linux malware threats and apply the findings to their own server environments.

Next week you can also expect an interview with Marc-Etienne, who will give an expert perspective on the Linux malware ecosystem.