Linux Malware: The Truth About This Growing Threat [Updated]
How to Protect Your Linux System Against Malware and Other Dangerous Attacks
If you’ve been keeping up with security news, you may have noticed that it seems as if there have been an increasing number of attacks on Linux recently - Cloud Snooper, EvilGnome, HiddenWasp, QNAPCrypt, GonnaCry, FBOT and Tycoon serving as prime high-profile examples. This observation is somewhat counterintuitive, as Linux is generally regarded as a highly secure operating system. So what exactly has been going on lately, and are these attacks being blown out of proportion by the media? Is Linux still a viable OS for security-conscious users? LinuxSecurity.com aims to put the recent attacks on Linux into context, provide some background on Linux malware and shed some light on these questions in this article.
The Modern Linux Threat Landscape in a Nutshell
Unfortunately, despite the heralded security of the Linux operating system, gone are the days where threats such as malware and viruses are not a serious concern for Linux users. Attackers have come to view Linux servers as yet another viable target that often provides a valuable return on investment. In March of 2018, 15,762 new Linux malware variants were developed - a notable increase from the 4,706 new variants developed in March of 2017.
The evolution of malware research in recent years has offered superior visibility into attacks threatening Linux servers. It should be noted that a vulnerable server of any sort is an open door for data and credential theft, DDoS attacks, cryptocurrency mining and web traffic redirection. Most significantly, it can be used to host malicious command and control (C&C) servers.
Just over a year ago, bringing to conclusion a collaborative three-year effort, security researchers identified various OpenSSH backdoors - including the notorious Linux/Ebury backdoor - which could be used to compromise servers with dangerous malware. Simultaneously, ESET researchers exposed 21 Linux-based malware families, 12 of which were previously undocumented. In a sense, these findings confirmed an evolving, increasingly dangerous array of threats facing Linux users and their systems.
A Brief History of Linux Malware
The increasing prevalence of Linux malware in recent years arguably creates the illusion of a new threat targeting Linux systems; however, in reality, Linux malware has been around for quite some time. The first piece of Linux malware - dubbed Stoag - was identified in 1996. Staog was a basic virus that attempted to gain root access by attaching itself to running executables, but did not spread very successfully and was rapidly patched.
Stoag made its claim to fame as the first piece of Linux malware, but Bliss - recognized in 1997 - was the first Linux malware variant to grab headlines. Similar to Stoag, Bliss was a fairly mild infection. It attempted to grab permissions via compromised executables, and could be deactivated with a simple shell switch.
Guardian Digital CEO and LinuxSecurity.com founder Dave Wreski comments on the evolution of Linux malware, “Over the years, malware targeting Linux systems has become both more sophisticated and more common; however, up until fairly recently Linux malware was still relatively scarce and primitive compared to the variants that threatened proprietary operating systems. As of 2018, there had not yet been a single widespread Linux malware attack or virus comparable to those that frequently target Microsoft Windows - which can be attributed to a lack of root access and rapid updates to the majority of Linux vulnerabilities.” Unfortunately for Linux users, that era has come to an end. The threat landscape on Linux has remodeled over the past two years to become significantly more complex and dangerous.
Linux Malware: A Growing Concern for Administrators
Much to the dismay of Linux system administrators and users, 2019 and the first five months of 2020 have been plagued with emerging malware campaigns targeting Linux servers. These attacks have demonstrated new and dangerous tactics for spreading, remaining undetected and compromising servers. Although they constitute a small sample of emerging malware targeting Linux systems, Cloud Snooper, EvilGnome, HiddenWasp, QNAPCrypt, GonnaCry, FBOT and Tycoon are seven prime examples of the rapid evolution of Linux malware in the past year.
Cloud Snooper uses a unique combination of sophisticated techniques to sneak into Linux and Windows servers and communicate freely with command and control servers through firewalls. The malware enables threat actors to open up servers to the cloud “from the inside out”, and is the first example of an attack formula that combines a bypassing technique with a multi-platform payload targeting both Windows and Linux systems. While each individual element of Cloud Snooper’s tactics, techniques and procedures (TTPs) has been observed previously, these elements have not been utilized in combination until now. Security experts predict that this package of TTPs will be used as blueprints for dangerous new firewall attacks.
Just last month - in a sophisticated exploit utilizing Cloud Snooper - hackers pwned Amazon Web Services (AWS) servers, set up a rootkit which enabled them to remotely control servers, then funneled sensitive data to command and control (C2) servers from compromised Windows and Linux machines. Security researcher Willem Mouton describes the attack: “From a technical perspective it is a thing of beauty, also the fact that they made it cross platform.”
Discovered in July 2019, EvilGnome disguises itself as a Gnome shell extension to remain undetected by security software, while spying on desktop users. EvilGnome is delivered via a self-extractable archive created using the makeself shell script, and the infection is automated with the help of an autorun argument left in the headers of the self-executable payload. When downloaded on a Linux system, the malware is capable of stealing files, taking desktop screenshots, capturing audio recordings from the user’s microphone and downloading and executing other modules.
EvilGnome attacks have been linked to the Gamaredon Group, a Russian advanced persistent threat (APT) group notorious for developing custom malware variants. The EvilGnome malware developers and the Gamaredon Group use the same hosting provider, and EvilGnome uses C2 servers connected to domains associated with the Russian threat group. While it has not been confirmed that Gamaredon Group has developed or used any Linux malware to date, tactics and techniques used by the EvilGnome Linux backdoor match those used by the Russian threat group, making a strong case that Gamaredon Group may be broadening its horizons and targeting Linux with its sophisticated attacks.
Early in 2019 security researchers discovered a new strain of Linux malware created by Chinese hackers which could be used to remotely control infected systems. Dubbed HiddenWasp, this sophisticated malware consists of a trojan, a user-mode rootkit and an initial deployment script. It is deployed as a second-stage payload, and is capable of running terminal commands, interacting with the local filesystem and more. HiddenWasp displays similarities to several other Linux malware families including Azazel, ChinaZ and Adore-ng, suggesting that some of its code may have been borrowed. Unlike common Linux malware, HiddenWasp is not focused on DDoS activity or crypto-mining. Rather, it is a trojan solely used for targeted remote control.
This past summer, security researchers identified a rare instance of Linux ransomware targeting network-attached storage (NAS) servers. The malware, which they named QNAPCrypt, is an ARM variant that encrypts all files; however, unlike standard ransomware, the ransom note is delivered solely as a text file, without any message on the screen. Each victim is provided with a unique Bitcoin wallet, a tactic that helps conceal the identity of the attackers. Once a system is infected, the ransomware requests a wallet address and a public RSA key from the command and control server (CC2) before file encryption. This is a major flaw in QNAPCrypt’s design - as it enables victims to temporarily block threat actors’ operations. Despite this weakness, QNAPCrypt represents the “evolution and adaptation of an attack to bypass security controls” - as it isn’t very common for Linux system administrators to deploy endpoint monitoring to network file servers.
GonnaCry is an emerging Linux ransomware variant that is currently under active development for research purposes in Python and C. Lead developer Tarcisio Marinho explains the motivation behind his work: “Since the worldwide spread of the Wannacry ransomware in May 2017 affected so many countries and companies, I kept wondering: Is it really hard to mess with a company’s or a person’s life with a computer? The answer is yes, it’s possible. And ransomware is a computer virus so powerful to do so.”
GonnaCry begins its work by finding the files it will encrypt. Once it has identified these files, the malware starts its encryption routine and then creates a desktop file that will help the decryptor access the path, key and IV used to encrypt each file. The ransomware then frees the memory allocated by the files on the computer. GonnaCry does not rival notorious variants like WannaCry and Petya in complexity, but according to Marinho, “The basic structure is working.”
FBOT is a client variant of the infamous Mirai botnet that targets Linux IoT devices. According to the Malware Must Die! blog, FBOT recently re-emerged after almost a month of inactivity on February 9, 2020, with several technical updates, including advances in its method of infection and increased propagation speed. Malware Must Die! Reflects on the re-emergence of FBOT and the future of Linux IoT malware: “We are in an era where Linux or IoT malware is getting into better form with advantages. It is important to work together with threat intelligence and knowledge sharing, to stop emerging malicious activity before it becomes a big problem for all of us later on.”
Tycoon is an emerging strain of Java-based ransomware that targets both Linux and Windows systems. This dangerous ransomware variant, which was discovered by Blackberry security researchers, uses a little-known file format - making it highly difficult to detect before it detonates its file-encrypting payload. The researchers who discovered Tycoon report that this is the first time they’ve seen a ransomware module compiled into a Java image (JIMAGE) file format. JIMAGE files are rarely scanned by anti-malware engines, and malicious JIMAGE files stand a good chance of going undetected as a result. BlackBerry explains in a blog post, “Malware writers are constantly seeking new ways of flying under the radar. They are slowly moving away from conventional obfuscation and shifting towards uncommon programming languages and obscure data formats.”
BlackBerry researchers say that they have observed roughly a dozen “highly targeted” Tycoon infections over the past six months, and that the attackers appear to carefully select their victims, favoring small- and medium-sized businesses in the software and education industries. However, as is often the case, the researchers suggest that the actual number of infections is likely much higher.
Tips and Tools for Defending Linux Servers Against Malware:
With attacks targeting Linux servers becoming increasingly common and dangerous, defending against malware and other advanced threats is more critical than ever in maintaining a secure Linux system. Some tips and best practices for securing Linux servers include:
Double check all cloud configurations - user misconfiguration and lack of visibility are the top causes of attacks in the cloud.
Ensure that remote access portals are properly secured - many network-level attacks where criminals need root or admin powers are made possible because attackers find their way in through a legitimate, insecure remote access portal.
Create a complete inventory of all devices connected to a network, and update all security software used on these devices frequently.
Make sure that all external-facing services are fully patched. Be aware that firewall security is not a substitute for an organization’s own cloud security measures.
Set special rules in your firewall to block control packets specific to Cloud Snooper.
Enable multi-factor authentication on all security dashboards or control panels used internally to prevent threat actors from disabling security software in the case of an attack.
Review system logs regularly. It’s rare that threat actors are able to take over servers without leaving some trace of their actions – such as log entries showing unexpected or unauthorized kernel drivers being activated. Keep in mind, however, that criminals who already have root powers can tamper with your logging configuration and the logs themselves, making it more difficult to spot malicious activity.
Remember that a comprehensive, defense-in-depth approach to security is essential in protecting your system from modern, advanced exploits.
How to Rapidly and Accurately Identify and Eliminate Linux Malware
If malware does get downloaded on your system, being able to rapidly and accurately identify and eliminate it is critical to protecting yourself, your users and your files. Luckily, there are various effective open-source tools that can be used to detect and remove malware on your system. They include:
Linux Malware Detect: Linux Malware Detect is a malware scanner that can be used to detect malware in shared Linux environments. It utilizes threat data from network edge intrusion detection systems to identify and extract malware that is actively being used in attacks and generates signatures for detection. This tool also derives threat data from user submissions and community resources.
The Rootkit Hunter & Check Rootkit: The Rootkit Hunter (Rkhunter) and Check Rootkit (chkrootkit) are tools that scan local systems, identifying any potentially malicious software such as malware and viruses that masks its existence on a system.
Volatility: Volatility is an open-source memory forensics framework for incident response and malware analysis.
Lynis: Lynis is a command-line application that scans a local or remote system to help an auditor identify potential security issues.
Kali Linux: Kali Linux is a Linux distribution used for penetration testing, ethical hacking and digital forensics. The included security penetration and management tools can be used for network discovery and other research purposes, as well as to identify potential vulnerabilities. Kali Linux includes many of the other tools mentioned here.
Cuckoo Sandbox is an excellent sandbox for malware analysis. This tool allows you to safely execute possible malware samples, and it provides a comprehensive report on the code executed.
Malware as a Business
The malware market is rapidly expanding and evolving, forcing the security industry to keep pace. The success of this market drives rapid innovation - perpetuating growth and encouraging further malicious activity. Threat actors are creating and utilizing increasingly agile and sophisticated malware strains in their attacks, challenging security engineers to build stronger defenses against them. Traditional antivirus software is no longer effective in detecting and combating advanced, modern exploits. Protecting against today’s sophisticated malware attacks requires a comprehensive, defense-in-depth approach to digital security.
According to Verizon, 92.4 percent of malware is delivered via email. Thus, an effective email security strategy is imperative in preventing dangerous and costly infections. Malware is a serious threat to all businesses - an infection can result in significant downtime, recovery costs and reputation damage. Small businesses face a heightened risk because they often lack the resources and funding necessary to support a full-time IT department.
Guardian Digital EnGarde Cloud Email Security provides fully-managed, multi-layered email protection against malware, phishing and other persistent email-borne threats. Through a transparent, collaborative open-source approach to software development, Guardian Digital is able to access resources and tools from an innovative global community in a way that no other vendor can. This approach, combined with decades worth of industry experience and engineering expertise, enables Guardian Digital to offer flexible enterprise-grade solutions to businesses of all sizes at competitive prices.
Key benefits of EnGarde’s protection include:
Advanced real-time defenses against social engineering and impersonation attacks
Email encryption and sender authentication protocols detect fake From addresses and block them automatically
Neutralizes threats associated with malicious attachments and links
Scalable cloud-based system simplifies deployment and increases availability
Tighter security, adaptive implementation and eliminated risk of vendor lock-in through the use of a community-powered open-source approach to software development
Professional engineering services - Guardian Digital expert engineers take the time to learn about each clients’ key assets, operations and specific needs
Passionate, knowledgeable around-the-clock customer support services
The Bottom Line
Now you are probably wondering: What is the deeper meaning of the increasing number of attacks on Linux? Is Linux less secure than experts previously thought? What does all this mean for the Linux community?
Despite the growing number of threats targeting Linux systems, there is still solid evidence that Linux is secure by design. The transparency of its open-source code and the constant scrutiny that this code undergoes by a vibrant worldwide community provides a strong argument for the inherent security of the operating system. Because of the “many eyes” that are constantly reviewing the source code that comprises the Linux kernel, vulnerabilities are identified and remedied quicker than flaws that exist in the opaque source code of proprietary operating systems such as Microsoft Windows. Threat actors recognize and exploit this, directing the majority of their attacks at proprietary software, platforms and operating systems. To put things in perspective, according to ESET security researchers, the Operation Windigo botnet, which uses the Cdorked Web server attack kit to compromise Apache and other popular open-source Web servers, has a total of 26,000 infections since May 2013. In comparison, the infamous ZeroAccess Windows-based botnet had infected nearly two million Windows PCs before it was taken down in December 2013.
However, the digital threat landscape is rapidly evolving to become more advanced and dangerous and while the majority of attacks still victimize proprietary operating systems, threat actors are experimenting with newer targets like Linux. Linux users should undoubtedly be aware of the growing risk that their systems face, and recognize that as this new decade unfolds, prioritizing system security and maintenance is more critical than ever. Regardless of the operating system being used, it is critical that users adopt safe habits - especially in the context of the modern digital threat landscape. In many cases, malware attacks can be attributed to administration issues and vulnerabilities in individual accounts, as opposed to the security of the operating system being run. Guardian Digital CEO Dave Wreski states, “Although it may be easy to blame the rise in Linux malware in recent years on security vulnerabilities in the operating system as a whole, this is unfair and largely untrue. The majority of malware exploits on Linux systems can be attributed to misconfigured servers.”
On a broader scale, the rise of Linux malware should serve as a wake up call for the security industry to allocate more resources to detect these threats - as Linux malware will continue to become more complex, and currently, even common threats targeting Linux frequently fly under the radar.