Linux Malware - Challenges & Threats

Dec 3, 2024 by Zacharia Mansouri

Linux Offensive Security

https://cylab.be/blog/379/linux-malware-challenges-threats

Linux powers a wide range of devices across various environments, including cloud platforms and embedded systems. These systems, ranging from personal computers to critical infrastructure like medical devices and autonomous vehicles, are key targets for cyber threats. As Linux continues to grow in areas like cloud computing and the Internet of Things (IoT), securing these systems becomes increasingly crucial. This blog post explores the diversity of Linux environments, common malware types, and vulnerabilities that pose significant risks in cloud and embedded settings.


Target Diversity

Linux computing spans diverse environments such as:

  • personal computers
  • routers
  • printers
  • servers
  • Android devices
  • embedded systems (cameras, smart TVs, medical devices, etc)
  • cloud platforms

Let’s focus on two of these: cloud platforms and embedded systems.

Cloud Platforms: according to a W³Techs study (December 3, 2024), Linux powers 54.8% of websites where the operating system is identifiable. This dominance is further reflected in the use of popular web server software like Apache and Nginx, which predominantly run on Linux. Major cloud providers, including Amazon Web Services (AWS), Google Cloud, and Microsoft Azure, also offer extensive support for Linux-based virtual machines, driven by the growing demand for cloud infrastructure.

Containers provide a lightweight, flexible, and scalable solution for packaging and deploying applications. Docker, along with its Linux-based containers, has become a core component of DevOps, supporting everything from microservices to cloud-native applications. These containers are created from images that bundle applications with their dependencies, with DockerHub hosting millions of these images. Popular official images on DockerHub typically include base operating systems such as Ubuntu, Alpine, and CentOS, as well as environments like Node.js, Python, and MySQL. Common security concerns with containers include:

  • unnecessary tools or libraries, which can expand the attack surface (e.g., compilers, debugging tools, or documentation files).
  • use of outdated or vulnerable software, as many DockerHub images contain known vulnerabilities, often due to relying on outdated base images.

The 10 most vulnerable images found by scanning the top 20 most downloaded official images on DockerHub are: python, node, golang, wordpress, nginx, httpd, redis, mysql, postgres and memcached.

Embedded Systems: embedded devices have long been used in industrial settings, but only recently have they become part of many facets of our daily lives, largely driven by the “Internet of Things” (IoT) revolution. However, the push for rapid time-to-market and the inclusion of innovative features to captivate users often leaves these interconnected devices highly susceptible to critical security vulnerabilities. The Linux Foundation’s 2020 Kernel History Report highlights Linux’s expanding role in safety- and security-critical products, ranging from medical devices to autonomous vehicles and spacecraft. The report also emphasizes Linux’s active development, noting an average of over 10 commits per hour. This continuous improvement is driven by a growing pool of contributors, including individual developers and organizations, reflecting the collaborative strength of the Linux community.

The diversity of Linux targets is also driven by the wide range of devices using it, each with different architectures, loaders/libraries, and operating systems. Let’s explore these aspects in more detail.

Computer Architectures: Linux supports a wide range of architectures; for example, MIPS 32-bit, ARM 32-bit, and x86 32-bit are all targeted by malware such as the Mirai botnet. ARM in particular poses challenges for analysts because of its many CPU architecture variants.

Loaders and Libraries: Linux programs use the ELF file format, which names the loader (the dynamic linker) responsible for preparing the executable in memory. A program can only run if the named loader is present, together with the specific shared libraries it links against. Some Linux programs are dynamically linked against alternative C libraries such as uClibc or musl, which are smaller and lighter than the traditional glibc.

Operating Systems: the ELF format includes an “OS/ABI” field meant to indicate the operating system a binary requires, but modern Linux kernels largely ignore it. For example, binaries specifying “FreeBSD” as their OS/ABI may still run on Linux if they are dynamically linked, because their syscall numbers and arguments can align. Statically linked programs, however, typically crash because of mismatched syscalls between FreeBSD and Linux.

Malware Families

Here are some common types of malware:

  • Botnets: attackers often exploit poorly protected IoT devices to form large botnets, which are remotely controlled networks. Tools like Shodan or ZMap can quickly locate vulnerable devices to target.
  • Ransomware: targeting vulnerabilities in outdated software, misconfigured systems, or through phishing, ransomware attacks on Linux systems are increasing. These attacks encrypt or steal files and data, demanding a ransom for their release.
  • Cryptocurrency miners: these attacks exploit misconfigurations in cloud environments, such as public-facing Linux applications, to use the victim’s computing resources for mining cryptocurrencies.
  • Web shells: after exploiting web application vulnerabilities like SQL injection, file inclusion, or command injection, attackers install malicious scripts on a server, providing a powerful interface for remote control of the system and network.
  • Rootkits: typically requiring kernel-level access, rootkits exploit privilege escalation vulnerabilities to manipulate system calls and logs, hiding their presence and making detection and removal difficult.
  • Backdoors: these tools allow unauthorized access by bypassing normal security measures. Attackers install them to maintain persistent control over the system, often hidden within legitimate software or embedded in the system itself for future access.
  • Traditional file infectors: these malware types attach to executable/library files. When the infected file runs, it spreads to other files on the system or network, potentially causing instability, data loss, or enabling further attacks. They typically rely on user actions, like executing a malicious file.
  • Privilege escalation tools: these tools exploit vulnerabilities to elevate an attacker’s privileges from a standard user to an administrator or root user, granting them unauthorized control over the system and enabling ongoing access.

Common Malware Types

The vulnerabilities most commonly exploited by malware include unpatched software, misconfigurations, insecure code, and phishing/social engineering. The five most common Linux malware types in 2022 were:

  • Web shells (49.6%)
  • Trojans (29.4%)
  • Backdoors (11.6%)
  • Cryptocurrency Miners (4.2%)
  • Adware (2.9%)

Common Vulnerabilities

Linux servers are sometimes used as storage or command-and-control (C&C) servers for malware targeting Windows and Android systems. Advanced Persistent Threat (APT) groups exploit BPF (Berkeley Packet Filter) filters to install backdoors, leveraging the enhanced functionality of BPF and the difficulty in detecting such abuse. Learn more about BPF/eBPF. This form of exploitation presents a significant challenge for security teams, as the inclusion of BPF bytecode in malware complicates detection, blocking, and analysis efforts. In 2022, the three most exploited Linux vulnerabilities were:

Common Web-based Attacks

Web-based attacks account for 97% of all attacks, while non-web-based attacks make up 3%. The three most common HTTP protocol anomalies observed in 2022 were:

  • URI path length too long (62.9%)
  • URI path depth exceeded (29.1%)
  • Invalid traversal (6.6%)
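The three anomaly classes above are simple enough to detect from web server access logs, which is often the first place a defender sees them. The following is an added example, not code from the original post: a Python scanner that parses common-log-format lines, classifies each request path as "URI path length too long", "URI path depth exceeded" or "Invalid traversal" (a `..` that would escape the web root), and reports the same percentage breakdown the post quotes. The thresholds and the log lines are constructed for the example; a real WAF or server exposes the limits as tunables.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Assumed thresholds for this example (production limits are usually larger and tunable)
MAX_PATH_LEN = 256
MAX_PATH_DEPTH = 10

# Common Log Format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\S+)$'
)


def classify_path(target: str) -> list:
    """Return the anomaly names that apply to one request target."""
    path = target.split("?", 1)[0]
    # Decode twice so %2e%2e and %252e%252e both normalise to ".."; an encoded
    # %2f becomes a real separator, which is what a traversal check must see.
    decoded = unquote(unquote(path))
    findings = []
    if len(path) > MAX_PATH_LEN:
        findings.append("URI path length too long")
    segments = [s for s in decoded.split("/") if s]
    if len(segments) > MAX_PATH_DEPTH:
        findings.append("URI path depth exceeded")
    # Walk the segments; traversal is only "invalid" when it climbs above the root.
    depth = 0
    for seg in segments:
        if seg == "..":
            depth -= 1
            if depth < 0:
                findings.append("Invalid traversal")
                break
        elif seg != ".":
            depth += 1
    return findings


def scan_log(lines: list) -> list:
    """Return (line_number, anomaly) pairs for every anomaly found in the log."""
    results = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            results.append((n, "unparseable request line"))
            continue
        for finding in classify_path(m["target"]):
            results.append((n, finding))
    return results


def summarize(results: list) -> dict:
    """Percentage share of each anomaly, like the breakdown quoted in the post."""
    counts = Counter(f for _, f in results)
    total = sum(counts.values())
    if not total:
        return {}
    return {name: round(100 * n / total, 1) for name, n in counts.items()}


# Constructed access-log lines (RFC 5737 documentation addresses, not real traffic)
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Dec/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.7 - - [03/Dec/2024:10:00:02 +0000] "GET /' + "a/" * 20 + 'x HTTP/1.1" 404 0',
    '198.51.100.9 - - [03/Dec/2024:10:00:03 +0000] "GET /../../config/db.ini HTTP/1.1" 400 0',
    '198.51.100.9 - - [03/Dec/2024:10:00:04 +0000] "GET /static/%2e%2e/%2e%2e/%2e%2e/config/db.ini HTTP/1.1" 400 0',
    '192.0.2.5 - - [03/Dec/2024:10:00:05 +0000] "GET /' + "A" * 300 + ' HTTP/1.1" 414 0',
    '192.0.2.5 - - [03/Dec/2024:10:00:06 +0000] "GET /img/../css/site.css HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for line_no, anomaly in hits:
        print(f"line {line_no}: {anomaly}")
    print(summarize(hits))
```

Note that `/img/../css/site.css` on the last line is not flagged: it contains `..` but never leaves the root, so a rule that simply matches the literal string would produce noise on legitimate relative links. Feed the functions `open("access.log").read().splitlines()` to run them over a real log.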

Attacks in the OWASP Top 10 accounted for 70.5% of all attacks in 2022. The five most common among these were:

Conclusion

Linux’s widespread use across diverse sectors, ranging from cloud platforms to embedded systems, makes it a prime target for cyber threats. As the backbone of critical infrastructure, including medical devices and autonomous vehicles, securing Linux systems is essential. The rise of containers in cloud-native applications introduces additional vulnerabilities, with misconfigurations and outdated software increasing the risk.

Malware targeting Linux has evolved, with botnets, ransomware, cryptocurrency miners, web shells, and rootkits being some of the most common threats. The abuse of techniques like BPF filters for backdoors and the exploitation of Linux kernel vulnerabilities highlight the growing sophistication of attacks.

Web-based attacks dominate, with SQL injection, XSS, and command injection being the most common vulnerabilities. However, non-web-based attacks, like brute-force, DoS, and RCE, also remain significant threats. Regular patching, secure coding practices, and configuration management are critical to mitigate these risks.

As Linux continues to expand in IoT, cloud, and embedded systems, security must remain a top priority. The lessons learned from current threats and vulnerabilities will shape the development of stronger security measures, ensuring the resilience of Linux against evolving attacks.


This blog post is licensed under CC BY-SA 4.0
