A few words about malware for Linux and ways to protect your system

If you follow the latest news in the field of IT security, you may have noticed an increase in the number of attacks on the network infrastructure of Linux systems. Among the main types of malware you should be aware of are Cloud Snooper, EvilGnome, HiddenWasp, QNAPCrypt, GonnaCry, FBOT, and Tycoon.

Linux is considered a very secure operating system, but these cloud infrastructure security threats may cause users to doubt the security of your company as a whole. In this article, we want to talk about the current situation with Linux threats, give a brief overview of the history of Linux malware, and shed light on other related issues that users may encounter.

A few words about the modern landscape of Linux threats

Despite the praised security of Linux operating systems, network threats, including malware and viruses, have become a serious concern for Linux users. Attackers target Linux because compromising the servers and infrastructure on which Linux is commonly deployed yields significant gains. As of March 2018, 15,762 new variants of Linux malware had been developed, which is significantly more than the 4,706 new variants developed in March 2017.

Advances in malware research in recent years have revealed vulnerabilities in the cybersecurity system that threaten Linux servers. A vulnerable server of any type is an open door for data and credential theft, DDoS attacks, cryptocurrency mining, and web traffic redirection. Moreover, it can be used to host malicious command and control (C&C or C2) systems.

A little over a year ago, after completing a three-year joint effort, information security analysts identified a number of backdoors in OpenSSH, including the infamous Linux/Ebury backdoor, which could be used to compromise servers with dangerous malware. At the same time, analysts from ESET identified 21 Linux-based malware families, 12 of which had not been previously documented. In some ways, these findings confirmed the presence of an evolving and increasingly dangerous set of data and network security threats, putting Linux users and their systems at risk.

A Brief History of Linux Malware

The growing prevalence of Linux malware in recent years creates a sense of a new looming network security threat targeting Linux systems. Unfortunately, Linux malware has been around for quite some time. The first Linux malware, named Staog, was discovered in 1996. Staog was a primitive virus that attempted to gain root access by attaching itself to running executable files, but its spread was not very successful, and the vulnerability it exploited was quickly patched.

Staog became famous as the first Linux malware, but the first Linux malware to make headlines was Bliss, discovered in 1997. Like Staog, Bliss was a rather weak virus that attempted to gain access rights through compromised executable files, but fortunately, it could be deactivated by a simple shell switch.

CEO of Guardian Digital and founder of LinuxSecurity.com Dave Wreski comments on the evolution of Linux malware: "Over the years, malware targeting Linux systems has become more sophisticated and widespread, but until recently, Linux threats remained relatively few and primitive compared to those threatening proprietary operating systems. As of 2018, there has not yet been a large-scale malware or virus attack on Linux comparable to those that frequently attack Microsoft Windows, which can be explained by the lack of root access and the quick patching of most Linux vulnerabilities." Unfortunately for Linux users, the era of complete network and data security has ended as the Linux threat landscape has changed and become significantly more complex and dangerous for users.

Why is Linux malware causing increasing concern among administrators?

To the great dismay of system administrators and Linux users, the entire year of 2019 and the beginning of 2020 were marked by the emergence of new malicious campaigns targeting Linux servers. These attacks demonstrated new and dangerous propagation tactics, allowing cloud security breaches to go unnoticed until they compromised servers. Let's look at the main strains of Linux malware that have become widespread in the last couple of years.

CloudSnooper

CloudSnooper uses a unique combination of sophisticated techniques to penetrate Linux and Windows servers and let the malware communicate freely with its command and control servers through firewalls. CloudSnooper allows threats to work with servers from the inside and is the first example of an attack that combines evasion techniques with a multi-platform payload targeting both Windows and Linux systems. Although each individual element of CloudSnooper's TTPs (tactics, techniques, and procedures) has been seen before, these aspects had not been used in combination until now. Cybersecurity experts predict that this TTP package will be used as a basis for new dangerous attacks on firewalls, which could jeopardize the security of many networks and data.

Hackers used CloudSnooper in sophisticated exploits to penetrate Amazon Web Services (AWS) servers and install a rootkit that allowed attackers to remotely control the servers. Having achieved this, the attackers transferred confidential data from the compromised Windows and Linux machines to the command and control servers. Information security analyst Willem Mouton describes this attack as follows: "From a technical point of view, it's just phenomenal. And they also made it cross-platform."

EvilGnome

Discovered in July 2019, EvilGnome masquerades as a Gnome shell extension to remain undetected by security programs and spy on PC users. EvilGnome is delivered via a self-extracting archive created with the makeself shell script, and the infection occurs automatically using the autorun argument left in the headers of the self-executing payload. When loaded into a Linux system, the malware is capable of stealing files, taking desktop screenshots, and capturing audio recordings from the user's microphone, which can then be uploaded and used in other modules.

Attacks by EvilGnome were associated with the Gamaredon Group, a Russian APT group known for developing its own variants of malware. The EvilGnome operators and Gamaredon use the same hosting provider and work with the same C2 domains. The connection between them has not been confirmed, but the overlap in infrastructure and the similar way both employ Linux malware make it very likely that these network security attacks originate from the same source.

HiddenWasp

In early 2019, information security analysts discovered a new strain of Linux malware created by Chinese hackers that can be used to remotely control infected systems. This sophisticated malware, named HiddenWasp, consists of a trojan, a user-mode rootkit, and an initial deployment script. HiddenWasp is deployed as a second-stage payload and is capable of executing terminal commands, interacting with the local file system, and much more. HiddenWasp has similarities with several other families of Linux malware, including Azazel, ChinaZ, and Adore-ng, suggesting that part of its code may have been borrowed. Unlike common Linux malware, HiddenWasp is not aimed at DDoS activity or cryptocurrency mining. Instead, it is a trojan used exclusively for targeted remote control.

QNAPCrypt

This summer, virus analysts discovered a rare case of Linux ransomware targeting NAS servers. The malware, named QNAPCrypt, is an ARM variant that encrypts all files. However, unlike standard ransomware, the ransom note is delivered exclusively as a text file without any on-screen messages. Each victim is provided with a unique Bitcoin wallet, a tactic that helps conceal the identity of the attackers. After infecting the system, the ransomware requests the wallet address and public RSA key from the C2 server before it starts encrypting files. Fortunately, this dependency on the C2 server is a flaw in the QNAPCrypt design that allows victims to temporarily block the threat's actions and protect the remaining data and the network. Despite this weakness, QNAPCrypt represents the next step in the "evolution and adaptation of attacks to bypass security controls." Unfortunately, Linux system administrators do not often install endpoint monitoring on network file servers.

GonnaCry

GonnaCry is a new ransomware for Linux, actively developed in Python and C for research purposes. Lead developer Tarcisio Marinho explains the motives behind his work: "Ever since WannaCry spread worldwide in May 2017 and affected a large number of countries and companies, I have always wondered: is it possible to ruin a company's or a person's life using a computer? The answer is yes, it is quite possible. And ransomware is exactly the kind of powerful computer virus that allows this."

GonnaCry starts its work by searching for files to encrypt. Once identified, the malware initiates the encryption process and creates a .desktop file that helps the decryptor access the path, key, and IV used to encrypt each file. The ransomware then frees the memory allocated to the files on the computer. In terms of complexity, GonnaCry is inferior to well-known variants like WannaCry and Petya, but according to Marinho, "the basic structure works quite well."

FBOT

FBOT is a client variant of the infamous Mirai botnet targeting IoT devices running Linux. According to the "Malware Must Die!" blog, FBOT reappeared on February 9, 2020, after a month of inactivity, demonstrating several technical updates, including improved infection methods and increased spread speed. "Malware Must Die!" reflects on the reappearance of FBOT and the future of Linux IoT malware: "We are in an era where Linux or IoT malware is becoming more sophisticated. It is very important to collaborate with threat analytics and share knowledge to stop emerging malicious activity before it becomes a big problem for all of us in the future."

Tycoon

Tycoon is a new Java-based ransomware variant targeting Linux and Windows systems. This dangerous ransomware variant, discovered by virus analysts at BlackBerry, uses a file format rarely seen in malware, making it extremely difficult to detect before it detonates its file-encrypting payload. Analysts who discovered Tycoon reported that this is the first time they have seen a ransomware module compiled into the JIMAGE file format. JIMAGE files are rarely scanned by antivirus systems, so malicious JIMAGE files have every chance to go unnoticed. BlackBerry explains this in their blog: "Malware authors are constantly looking for new ways to remain undetected. They are gradually moving away from traditional obfuscation and switching to unusual programming languages and uncommon data formats."

BlackBerry analysts claim that they have recently noticed about a dozen "highly targeted" Tycoon infections. The attackers seem to have carefully chosen their victims, preferring small and medium-sized businesses in the software and education sectors. However, as is often the case, analysts suggest that the actual number of infections is likely much higher.
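A defensive check that follows from the JIMAGE observation above, as an added example that is not part of the original article: scan a directory tree for files carrying the JIMAGE header magic and flag any found outside a JDK's lib/modules, the only place a JDK normally keeps one. The magic values (0xCAFEDADA, or 0xDADAFECA when the file was written in the opposite byte order) are taken from OpenJDK's image header definition and are an assumption of this example, as are the constructed sample file names.

```python
# Added example (not from the article): find JIMAGE container files and flag any
# that sit outside a JDK's lib/modules path, where the only legitimate one lives.
# Assumption: a JIMAGE file starts with the 32-bit magic 0xCAFEDADA; read in the
# opposite byte order it appears as 0xDADAFECA (OpenJDK ImageHeader MAGIC/BADMAGIC).
import os
import struct
import tempfile

JIMAGE_MAGIC = 0xCAFEDADA
JIMAGE_MAGIC_SWAPPED = 0xDADAFECA
EXPECTED_SUFFIX = os.path.join("lib", "modules")   # <jdk>/lib/modules

def jimage_byte_order(header):
    """'big', 'little', or None if the first four bytes are not JIMAGE magic."""
    if len(header) < 4:
        return None
    magic = struct.unpack(">I", header[:4])[0]
    if magic == JIMAGE_MAGIC:
        return "big"
    if magic == JIMAGE_MAGIC_SWAPPED:
        return "little"
    return None

def scan_tree(root):
    """Return (relative path, byte order, suspicious) for every JIMAGE under root."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    order = jimage_byte_order(fh.read(4))
            except OSError:
                continue            # unreadable or vanished file: skip it
            if order is None:
                continue
            # A JDK ships exactly one JIMAGE at lib/modules; anywhere else is odd.
            suspicious = not path.endswith(EXPECTED_SUFFIX)
            findings.append((os.path.relpath(path, root), order, suspicious))
    return sorted(findings)

def build_demo_tree():
    """Constructed sample tree: a JDK-style lib/modules, a stray JIMAGE, a text file."""
    root = tempfile.mkdtemp(prefix="jimage-demo-")
    header = struct.pack("<I", JIMAGE_MAGIC) + b"\x00" * 24   # little-endian writer
    for rel, data in [
        (os.path.join("jdk", "lib", "modules"), header),
        (os.path.join("home", "user", "Downloads", "update.bin"), header),
        (os.path.join("home", "user", "notes.txt"), b"just text"),
    ]:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root

def demo():
    """Scan the constructed tree; returns the findings list."""
    return scan_tree(build_demo_tree())
```

Running `demo()` reports the stray `update.bin` as suspicious and the JDK's own `lib/modules` as expected; point `scan_tree()` at a real filesystem root to use it as a periodic check.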

Awareness of various network security threats that take control of Linux systems is very important to take care of your server and prevent attacks.

Recommendations and tools for protecting Linux servers from malware

As attacks on Linux servers become more common and dangerous, protecting against malware and other modern threats to Linux is more important than ever. Here are some recommendations and tools to consider when protecting your Linux system. All of them can reduce vulnerabilities and provide greater data and network security:

  • Double-check all cloud configurations, as misconfiguration and lack of proper controls are the main causes of cloud security breaches.

  • Ensure that remote access portals are properly secured. Many network-level attacks become possible because attackers infiltrate the network through a legitimate but insecure remote access portal, posing as a trusted source.

  • Conduct a full inventory of all devices connected to the network and regularly update all security programs used on these devices.

  • Ensure that all external services are fully patched. Remember that a firewall does not replace the cloud provider's own security measures, so patching should be done regularly.

  • Set special rules in the firewall to block control packets characteristic of Cloud Snooper.

  • Enable multi-factor authentication on all security panels or control panels used within the company to prevent security software from being disabled in the event of an attack.

  • Regularly review system logs. Attackers rarely compromise a server without leaving traces of their actions, such as log entries indicating the loading of unexpected or unauthorized kernel drivers. However, remember that attackers who already have root privileges can change the logging configuration and the logs themselves, making it more difficult to detect malicious activity.

  • Remember that a comprehensive approach to security with defense-in-depth is necessary to protect your system from modern exploits.
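One way to act on the log-review advice above, as an added example that is not part of the original article: match the kernel's own messages about modules that taint the kernel (out-of-tree, unsigned, or with a non-GPL license) and compare a /proc/modules snapshot against a baseline of expected module names. The log lines, the module snapshot, the module name hide_proc and the baseline set are all constructed for this example.

```python
# Added example (not from the article): flag kernel modules that the log or
# /proc/modules show as unexpected. Sample log and module lines are constructed;
# the three matched kernel messages are the real wording the module loader prints.
import re

# Assumed baseline: module names recorded from a known-good build of this host.
BASELINE_MODULES = {"e1000e", "nf_conntrack", "nf_nat", "xt_conntrack", "ext4"}

TAINT_RE = re.compile(
    r"kernel: (?:\[\s*[\d.]+\] )?(?P<mod>[\w-]+): (?P<msg>"
    r"loading out-of-tree module taints kernel"
    r"|module verification failed: .*"
    r"|module license '[^']*' taints kernel)"
)

SAMPLE_LOG = """\
Mar  3 09:14:02 web01 kernel: [  120.331201] e1000e: Intel(R) PRO/1000 Network Driver
Mar  3 09:14:05 web01 kernel: [  123.001873] nf_conntrack: default automatic helper assignment has been turned off for security reasons
Mar  3 11:42:17 web01 kernel: [ 8975.118244] hide_proc: loading out-of-tree module taints kernel.
Mar  3 11:42:17 web01 kernel: [ 8975.118301] hide_proc: module verification failed: signature and/or required key missing - tainting kernel
"""

# Constructed /proc/modules snapshot: name size refs deps state offset [taint flags]
SAMPLE_PROC_MODULES = """\
hide_proc 16384 0 - Live 0x0000000000000000 (OE)
nf_conntrack 172032 2 nf_nat,xt_conntrack, Live 0x0000000000000000
nf_nat 49152 1 - Live 0x0000000000000000
e1000e 262144 0 - Live 0x0000000000000000
"""

def taint_events(log_text):
    """Return (module, message) pairs for kernel messages about tainting modules."""
    events = []
    for line in log_text.splitlines():
        m = TAINT_RE.search(line)
        if m:
            events.append((m.group("mod"), m.group("msg").rstrip(".")))
    return events

def unexpected_modules(proc_modules_text, baseline):
    """Names absent from the baseline, or carrying an out-of-tree (O) or
    unsigned (E) taint flag, in a /proc/modules dump."""
    flagged = set()
    for line in proc_modules_text.splitlines():
        fields = line.split()
        if not fields:
            continue
        name = fields[0]
        taint = fields[6] if len(fields) > 6 else ""
        if name not in baseline or "O" in taint or "E" in taint:
            flagged.add(name)
    return sorted(flagged)

def report(log_text=SAMPLE_LOG, proc_modules_text=SAMPLE_PROC_MODULES):
    """Sorted module names to investigate, from both sources combined."""
    names = {mod for mod, _ in taint_events(log_text)}
    names.update(unexpected_modules(proc_modules_text, BASELINE_MODULES))
    return sorted(names)
```

On a live host, feed `report()` the output of `journalctl -k` (or /var/log/kern.log) and the contents of /proc/modules; as the article notes, a root-level intruder can tamper with both, so forward logs off-host where possible.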

How to quickly and accurately detect and remove malware on Linux?

If malware has entered your system, the ability to quickly and accurately identify and remove it is very important to protect you, your users, and your files. Fortunately, there are various effective open-source network security toolkits that can be used to detect and remove malware in your system:

  • Linux Malware Detect — a malware scanner designed for shared Linux hosting environments. It uses threat data from network edge intrusion detection systems to identify and extract malware actively used in attacks and generates signatures for detection. Additionally, this tool receives threat data from users and community resources.

  • Rootkit Hunter (Rkhunter) and Check Rootkit (chkrootkit) — tools that scan local systems to identify any potentially malicious programs, such as malware and viruses, that hide their presence in the system.

  • Volatility — an open-source memory forensics framework for memory analysis, incident response, and malware analysis.

  • Lynis — a command-line application that scans a local or remote system to help an auditor identify potential network security issues.

  • Cuckoo Sandbox — an excellent sandbox for malware analysis. This tool allows you to safely execute potential malware samples and provides a full report on the executed code.

  • Kali Linux — a Linux distribution used for pentesting, ethical hacking, and digital forensics. The pentesting and security management tools included in the distribution can be used to detect network threats and other research purposes, as well as to identify potential security vulnerabilities. Kali Linux includes a large arsenal of network security tools.

Malware as a Business

The malware market is rapidly growing and evolving, forcing the security industry to keep up. The development of security systems, in turn, motivates innovation, which contributes to the growth and strengthening of further malicious activity. Attackers create and use increasingly flexible and sophisticated strains of malware in their attacks on network security, forcing engineers to create more reliable means of protection against them. Traditional antivirus software is no longer effective in detecting and combating modern cybersecurity exploits. Protection against modern sophisticated malware requires a comprehensive approach to digital security.

According to Verizon, 92.4% of malware is delivered via email. Thus, an effective email security strategy is critical to preventing infections. Malware poses a serious network security threat to all businesses, as an infection can lead to significant downtime, recovery costs, and reputational damage. Small businesses are at increased risk because they often lack the resources and funding needed to support an in-house IT department.

Guardian Digital EnGarde Cloud Email Security provides fully managed multi-layered email protection against malware, phishing, and other persistent email-related network security threats. Through a transparent, collaborative approach to open-source software development, Guardian Digital has access to the resources and tools of the global scientific and technical community and delivers them in a way that no other security service provider can. This approach, combined with decades of experience in the security industry and engineering expertise, allows Guardian Digital to offer flexible enterprise-level solutions for businesses of any size at competitive prices.

The main benefits of EnGarde protection include:

  • Enhanced real-time protection against social engineering and impersonation attacks

  • Email encryption and sender authentication protocols detect and automatically block fake addresses

  • Neutralization of network security threats related to malicious attachments and links

  • Scalable cloud system simplifies deployment and increases availability

  • Increased data and network security, adaptive implementation, and elimination of vendor lock-in risk through the use of an open-source software development approach

  • Professional engineering services, as Guardian Digital expert engineers take the time to study the key assets, operations, and specific needs of each client

  • Passionate, competent, 24/7 customer support services

Conclusion

Despite the growing number of data and network security threats targeting Linux systems, there is still compelling evidence that Linux is secure by design. An active global community makes strong arguments for, and strives to improve, its security by thoroughly reviewing all contributed code, and open-source code is available for scrutiny on every operating system it targets, which lets companies be more transparent. Because developers around the world constantly review the Linux kernel source code, cybersecurity vulnerabilities are identified and fixed faster than flaws in the opaque source code of proprietary operating systems such as Microsoft Windows. Attackers recognize and exploit these weaknesses, directing most of their attacks at proprietary software, platforms, and operating systems.

According to information security analysts at ESET, the Operation Windigo botnet, which uses the Cdorked backdoor to compromise Apache and other web servers, has been detected in 26,000 infection cases since May 2013. The infamous ZeroAccess botnet infected about two million Windows PCs before being dismantled in December 2013.

The digital threat landscape is rapidly evolving, becoming more advanced and dangerous. While most network security attacks are still aimed at proprietary operating systems, attackers are experimenting with new targets such as Linux. Linux users undoubtedly need to be aware of the growing risk to their systems and understand that in the new decade, the priority of security and maintenance of system data and networks becomes more important than ever.

In many cases, malware attacks can be attributed to administration issues and cybersecurity vulnerabilities of individual accounts rather than operating system flaws. Guardian Digital CEO Dave Wreski argues: "While the rise in Linux malware in recent years can easily be attributed to security vulnerabilities in the operating system as a whole, this is unfair and largely inaccurate. Most successful attacks on Linux systems are the result of improperly configured servers."

More broadly, the rise in Linux malware should serve as a wake-up call for the information security industry to allocate more resources to detecting these threats. As Linux malware continues to grow more complex, even commodity malware will increasingly target Linux and go undetected.
