This 'evasive' new Linux malware creates a backdoor to steal passwords and more

Cybersecurity researchers detail Orbit malware and the evolving threat of cyber criminals targeting Linux.
Written by Danny Palmer, Senior Writer
The hands of a computer hacker working on a computer keyboard.

Image: Getty Images

A newly uncovered form of Linux malware creates a backdoor into infected machines and servers, allowing cyber criminals to secretly steal sensitive information while also maintaining persistence on the network. 

Detailed by cybersecurity researchers at Intezer, the previously undetected malware has been called Orbit after filenames it used to temporarily store the output of executed commands.

Linux is a popular operating system for servers and cloud infrastructure, which makes it a tempting target for cyber criminals.

Orbit malware gives cyber criminals remote access to Linux systems, allowing them to steal usernames and passwords and to log TTY commands, the inputs typed into the Linux terminal.

In addition, the malware can infect running processes on the machine, giving the attackers the level of control needed to monitor the system and steal information, while also maintaining a backdoor into the compromised systems.

Once installed, Orbit sets up a remote connection to the machine and hooks functions in Linux Pluggable Authentication Modules (PAM). This lets the malware harvest credentials from SSH (Secure Shell) connections, providing remote access to the attackers while also hiding their network activity from the victim.

Orbit is also designed to be highly persistent, making it hard to remove from an infected machine while it is running. It achieves this by configuring the system so that the malware is loaded before any other process starts.

The malware also evades detection by manipulating the output of system commands and utilities, filtering out anything that would reveal Orbit's presence or its malicious activity.
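The two behaviours just described, a component loaded ahead of every other process and command output filtered to hide the malware, are things a defender can check for on a Linux host. The script below is an added example, not code from the article or from Intezer's report. It assumes, because the article does not name the mechanism, that the "load before other processes" behaviour uses the dynamic loader's preload file (/etc/ld.so.preload) and that system shared objects normally live under the directories in TRUSTED_LIB_PREFIXES; both are labelled assumptions. It checks three things: preload entries outside the trusted library directories, shared objects mapped into processes from unusual locations such as /tmp or /dev/shm, and PIDs that exist in /proc but are missing from the output of `ps` (the signature of filtered command output). The sample inputs are constructed so the checks also run offline.

```python
"""Host checks for a preloaded library and for hidden processes (added example).
Assumptions, not from the article: the preload mechanism is /etc/ld.so.preload,
and system shared objects are normally mapped from TRUSTED_LIB_PREFIXES."""
import os
import re
import subprocess

# Assumed baseline of directories system shared objects are mapped from;
# extend it on hosts that use snaps, containers or virtualenvs.
TRUSTED_LIB_PREFIXES = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")

# Constructed sample inputs (not real indicators) so the checks run offline.
SAMPLE_PRELOAD = (
    "# constructed sample of /etc/ld.so.preload\n"
    "/usr/lib/x86_64-linux-gnu/libsample-ok.so\n"
    "/dev/shm/.x/libsample-bad.so\n"
)
SAMPLE_MAPS = (
    "7f00-7f01 r-xp 00000000 08:01 1234      /usr/lib/x86_64-linux-gnu/libc.so.6\n"
    "7f02-7f03 r-xp 00000000 08:01 1235      /tmp/.x/libsample-hidden.so\n"
    "7f04-7f05 rw-p 00000000 00:00 0\n"
    "7f06-7f07 rw-p 00000000 00:00 0         [stack]\n"
)


def parse_preload(text):
    """Library paths listed in an ld.so.preload-style file: '#' comments are
    ignored and entries may be separated by whitespace or ':'."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.extend(p for p in re.split(r"[\s:]+", line) if p)
    return entries


def unexpected_preloads(entries, allowlist=()):
    """Preload entries that are neither explicitly allowed nor in a trusted directory."""
    return [e for e in entries
            if e not in allowlist and not e.startswith(TRUSTED_LIB_PREFIXES)]


def untrusted_mappings(maps_text):
    """Shared objects mapped from outside the trusted directories (/proc/<pid>/maps format)."""
    found = set()
    for line in maps_text.splitlines():
        parts = line.split(None, 5)          # address perms offset dev inode [path]
        if len(parts) != 6:
            continue
        path = parts[5].strip()
        if path.endswith(" (deleted)"):      # a library unlinked after loading still shows its path
            path = path[: -len(" (deleted)")]
        is_shared_object = path.endswith(".so") or ".so." in path
        if is_shared_object and not path.startswith(TRUSTED_LIB_PREFIXES):
            found.add(path)
    return sorted(found)


def hidden_pids(proc_before, ps_pids, proc_after):
    """PIDs present in /proc both before and after ps ran, yet absent from ps output.
    Requiring both snapshots avoids flagging processes that merely exited in between."""
    stable = set(proc_before) & set(proc_after)
    return sorted(stable - set(ps_pids))


def live_proc_pids():
    return [int(d) for d in os.listdir("/proc") if d.isdigit()]


def live_ps_pids():
    out = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True, text=True, check=True).stdout
    return [int(tok) for tok in out.split()]


def live_report():
    """Run all three checks on the running host (Linux only; reading the maps of
    other users' processes needs root)."""
    report = {"preload": [], "hidden_pids": [], "untrusted_maps": {}}
    try:
        with open("/etc/ld.so.preload") as fh:
            report["preload"] = unexpected_preloads(parse_preload(fh.read()))
    except FileNotFoundError:
        pass                                  # no preload file is the normal state
    before = live_proc_pids()
    report["hidden_pids"] = hidden_pids(before, live_ps_pids(), live_proc_pids())
    for pid in before:
        try:
            with open(f"/proc/{pid}/maps") as fh:
                bad = untrusted_mappings(fh.read())
        except (FileNotFoundError, PermissionError, ProcessLookupError):
            continue
        if bad:
            report["untrusted_maps"][pid] = bad
    return report


if __name__ == "__main__":
    print("sample preload:", unexpected_preloads(parse_preload(SAMPLE_PRELOAD)))
    print("sample maps:   ", untrusted_mappings(SAMPLE_MAPS))
    print("sample hidden: ", hidden_pids([1, 2, 3, 77], [1, 2, 3], [1, 2, 3, 77]))
    if os.path.isdir("/proc"):
        print("live report:   ", live_report())
```

The /proc-versus-ps comparison is only meaningful if the kernel's /proc view is itself honest; a userland component that filters `ps` output cannot hide a PID from a direct directory listing of /proc, which is why the two are compared. Treat the trusted-prefix list as a starting baseline to tune per host, since virtualenvs, snaps and container images legitimately map libraries from other paths.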

"Unlike other threats, this malware steals information from different commands and utilities and stores them in specific files on the machine," said Nicole Fishbein, security researcher at Intezer. 

"Threats that target Linux continue to evolve while successfully staying under the radar of security tools; now Orbit is one more example of how evasive and persistent new malware can be," she added.

Cloud services and servers are often misconfigured, giving unauthorised intruders access to systems. Businesses should ensure that their cloud setup is properly managed to close weak points like this that could let attackers into their networks.
