ESET discovers 21 new Linux malware families

All malware strains are trojanized versions of the OpenSSH server or client apps that include keylogger and backdoor capabilities.

Although Linux is a much more secure operating system compared to the more widely used Windows, it is not impervious to misconfigurations and malware infections.

Over the past decade, the number of malware families targeting Linux has grown, but the total number of threats is still orders of magnitude under the malware numbers reported attacking Windows systems.

This smaller number of threats has resulted in cyber-security firms paying much less attention to the Linux malware ecosystem than they normally do to its Windows counterpart.

So it is to no surprise that some Linux malware families have only now been discovered after operating unseen for more than four years.

In a report published yesterday by cyber-security firm ESET, the company details 21 "new" Linux malware families. All operate in the same manner, as trojanized versions of the OpenSSH client.

They are developed as second-stage tools to be deployed in more complex "botnet" schemes. Attackers would compromise a Linux system, usually a server, and then replace the legitimate OpenSSH installation with one of the trojanized versions.

ESET said that "18 out of the 21 families featured a credential-stealing feature, making it possible to steal passwords and/or keys" and "17 out of the 21 families featured a backdoor mode, allowing the attacker a stealthy and persistent way to connect back to the compromised machine."

openssh-backdoor-galaxy-1.png
Image: ESET

These malware strains aren't "new," per-se. ESET researchers admitted that they didn't discover these strains first hand. That honor goes to the creators of another Linux malware named Windigo (also known as Ebury).

ESET says that while analyzing the Windigo botnet and its central Ebury backdoor, they found that Ebury featured an internal mechanism that would scan for other locally installed OpenSSH backdoors.

The way the Windigo crew did this, ESET said, was by using a Perl script that scanned for 40 file signatures (hashes) known to have been deployed by competing malware gangs.

"When we looked into these signatures, we quickly realized that we did not have samples matching most of the backdoors described in the script," said Marc-Etienne M. Léveillé, malware analyst at ESET.

"The malware operators actually had more knowledge and visibility into in-the-wild SSH backdoors than we did," he added.

Léveillé says ESET has been using that same list of 40 file signatures to hunt down those malware families for the past few years. Some of the original 40 strains have never been spotted before, most likely because their creators moved on to other malware strains, but 21 of those trojanized OpenSSH backdoors have continued to be used in the subsequent years.

ESET has now released a 53-page report detailing each of these 21 strains. Some of these malware strains are really simple, but some are also very complex, most likely being the work of experienced malware developers.

Linux server administrators can use the indicators of compromise (IOCs) included in this report to scan their systems for these strains.

The report doesn't go into detail of how botnet operators plant these backdoored OpenSSH versions on infected hosts. But if we've learned anything from previous reports on Linux malware operations is that threat actors usually rely on the same ol' techniques to get a foothold on Linux systems:

  • Brute-force or dictionary attacks that try to guess SSH passwords. Using strong or unique passwords, or an IP filtering system for SSH logins should prevent these types of attacks.
  • Exploitation of vulnerabilities in applications running on top of the Linux server (e.g. web apps, CMSs, etc.). If the app/service has been misconfigured with root access, or if the attacker exploits a privilege escalation flaw, an initial WordPress plugin flaw can be easily escalated to the underlying OS. Keeping everything up to date, both the OS and the apps running on top of it should prevent these types of attacks.

Unless Linux owners go out of their way to misconfigure their servers, for convenience's sake, they should be safe from most of these attacks.

More security news: