Gone are the days when the idea of viruses or other malware hitting Linux was almost universally greeted with quizzical glances, if not outright rejection. Long thought of as the perfect marriage of open-source goodness and strong, Unix-like security, Linux-based operating systems are now increasingly seen as another valuable – and viable – target.
This shift in thinking is partly the result of a growing realization among both Linux hobbyists and system administrators that a compromised Linux system such as a web server provides attackers an excellent ‘return on investment’. Just as importantly, malware research in recent years has brought better visibility into threats facing Linux systems.
Admittedly, there’s still more than a kernel of truth in the popular wisdom that associates Linux with better, though not perfect, security. Importantly, however, this fails to distinguish between various flavors and use cases of Linux-based systems while also disregarding the existence of various platform-agnostic threats.
Linux distros for the desktop continue to be vastly outnumbered by Windows systems (and also by macOS machines, for that matter). This niche status certainly plays a role in the relative scarcity of Linux-based malware. But shift your gaze to public-facing servers and it becomes apparent that there’s far more malicious activity simmering under Linux‘s lid. Much the same could be said about all sorts of embedded devices, networking gear and Android smartphones that, too, are based on Linux in some form.
Let’s focus on servers here, not least because they bear the brunt of malware attacks against Linux-powered systems. Linux server distributions are at the heart of most data centers and the operating system is big for businesses of various shapes and sizes. Indeed, much of today’s web, including servers operated by the likes of Google, Facebook and Twitter, is powered by Linux.
It should come as no surprise, then, that recent history has seen no shortage of examples of damage dealt by malware that has compromised a Linux server installation. A vulnerable server is a priceless target for various kinds of nefarious actions, including the theft of personal data and access credentials, web traffic redirection, DDoS attacks and cryptocurrency mining. Importantly, the server can also be abused for hosting command and control (C&C) servers for other malicious code and for launching spam campaigns to fan out malware – yes, especially malware targeting Windows systems.
A walk down memory lane
You don’t even have to look very far for instructive examples of chinks in Linux’s reputed malware armor. A little more than a year ago, ESET researchers exposed a slew of OpenSSH backdoors, a weapon of choice for attackers looking to wrest control of servers from their administrators. The researchers ferreted out 21 Linux-based malware families, including a dozen that had never been documented before. Almost all the strains had credential-stealing and backdoor functionalities.
This research was the result of three years’ worth of work that eventually offered unique insights into the Linux malware ecosystem. To be sure, it was not an isolated effort, nor did it occur out of the blue. The researchers went on the hunt armed with insights from their award-winning research into Operation Windigo, which had corralled around 25,000 servers, most of them powered by Linux, into one of the largest known server botnets. The compromised machines were abused for credential theft, spam campaigns, web traffic redirection to malicious content, and other nefarious actions.
At the heart of the campaign, which had run undetected for at least three years, was the Linux/Ebury backdoor. Even before this piece of malware was to be installed on a server, the attackers would get Ebury to check to see whether the server was already saddled with another SSH backdoor. It was this routine that prompted the hunt for in-the-wild OpenSSH malware families. And the rest is history.
Over the years, ESET researchers have made other discoveries that added to the body of knowledge on Linux server-side malware. Among other things, Windigo was found to be linked to one of their earlier discoveries – Linux/Cdorked, one of the most sophisticated backdoors targeting Linux Apache web servers at the time. Also, Windigo brought memories of ESET research into Mumblehard, another botnet that zombified thousands of Linux servers and was eventually taken down in an international law enforcement effort with support from ESET researchers.
How to capture the malware?
ESET researchers are eager to share their insights with Linux professionals, who may be inadequately trained to combat server-side malware. The upcoming RSA 2020 Conference will feature a workshop by ESET Senior Malware Researcher Marc-Etienne M.Léveillé, who has been a central figure in most of the investigations outlined above. Marc-Etienne’s workshop, Hunting Linux Malware for Fun and Flags, will provide system administrators and other IT professionals with an excellent opportunity to tackle the Linux malware threat and apply the takeaways in their own server environments.
We encourage you to read our interview with Marc-Etienne to get an expert perspective on the Linux malware ecosystem.