Linux Malware - Key Threats and Vulnerabilities

Linux powers a wide range of devices across various environments, including cloud platforms, embedded systems, and critical infrastructure. From personal computers to medical devices and autonomous vehicles, Linux is a prime target for cyber threats. As its use continues to grow in sectors like cloud computing and the Internet of Things (IoT), securing these systems becomes increasingly crucial. This blog post explores the diversity of Linux environments, common malware types, and vulnerabilities that pose significant risks in cloud and embedded settings.

Target Diversity

Linux computing spans diverse environments such as:

• Personal computers
• Routers
• Printers
• Servers
• Android devices
• Embedded systems (cameras, smart TVs, medical devices, etc.)
• Cloud platforms
• …

In this post, we’ll focus on two of the most critical environments: cloud platforms and embedded systems.

Cloud Platforms

Linux dominates the web hosting space, powering 55.9% of websites where the operating system is identifiable, according to a W³Techs study (March 13, 2025). This dominance is mirrored in the use of web server software like Apache and Nginx, which predominantly run on Linux. Major cloud providers, including Amazon Web Services (AWS), Google Cloud, and Microsoft Azure (yes), offer extensive support for Linux-based virtual machines, driven by the growing demand for cloud infrastructure.

Containers have become a central component of cloud-native applications. Docker, along with its Linux-based containers, plays a key role in DevOps, supporting everything from microservices to scalable web applications. Containers package applications with their dependencies, allowing for lightweight, flexible, and consistent deployments. DockerHub, the largest repository for container images, hosts millions of these, including popular base operating systems such as Ubuntu, Alpine, and CentOS, as well as environments like Node.js, Python, and MySQL.

While containers offer many benefits, they also introduce security concerns:

• Excessive tools or libraries can increase the attack surface (e.g., compilers, debugging tools, documentation files).
• Outdated or vulnerable software in DockerHub images, often due to reliance on outdated base images, can open the door to exploits. Scans of the top 20 most downloaded official images from DockerHub have revealed that popular images like python, node, golang, and redis often contain known vulnerabilities.

Embedded Systems

Embedded Linux devices are rapidly proliferating across industries and consumer markets, driven largely by the rise of IoT. These devices, ranging from medical equipment to autonomous vehicles, are increasingly integral to our daily lives. However, the rush for faster time-to-market and feature-rich devices often leaves them vulnerable to critical security flaws.

The Linux Foundation’s 2020 Kernel History Report highlights Linux’s expanding role in safety and security-critical products. These include medical devices, autonomous vehicles, and even spacecraft. With over 10 commits per hour to the Linux kernel, Linux’s active development continues to strengthen its security posture, although many IoT devices remain susceptible to security flaws due to limited resources or outdated software.

In recent years, a growing initiative within the Linux community has been the adoption of Rust programming language in the Linux kernel. Rust’s focus on memory safety without sacrificing performance makes it an ideal candidate for security-critical environments. This development aims to reduce the prevalence of vulnerabilities such as buffer overflows and use-after-free errors, which have historically been a major attack vector in C-based code. As Rust continues to integrate into Linux, it offers promising improvements in the robustness and security of the kernel, helping to mitigate common vulnerabilities and enhance overall system reliability.

Linux supports a wide variety of architectures (e.g., MIPS 32-bit, ARM 32-bit, and x86 32-bit), with ARM devices particularly challenging due to the many variations in CPU architectures. Linux programs also rely on the ELF file format, which specifies how programs are loaded into memory. Different architectures and library choices (e.g., uClibc or musl for smaller, more efficient alternatives to glibc) further complicate malware detection and system management.

Malware Families

Linux systems face several types of malware, each with unique methods of attack:

• Viruses: these attach to executable or library files and spread when the infected file is executed. Viruses can cause instability, data loss, or even enable additional attacks.
• Worms: self-replicating malware that spreads across networks without user interaction. They exploit software vulnerabilities to propagate and can overload systems and networks.
• Trojans: these masquerade as legitimate software to deceive users into installing them. Once installed, they open backdoors for attackers to steal data or spy on the system.
• Spyware: operating stealthily, spyware monitors user activities and collects sensitive information like passwords, keystrokes, and browsing habits, often for espionage.
• Adware: malware that displays unwanted advertisements. While less destructive, adware can degrade system performance and compromise privacy.
• Botnets: botnets consist of a network of compromised devices under remote control, often exploited from poorly secured IoT devices.
• Ransomware: increasingly targeting Linux systems, ransomware encrypts files or steals data, demanding a ransom for its release.
• Cryptocurrency Miners: these attacks hijack cloud infrastructure or IoT devices to mine cryptocurrencies without the owner’s consent.
• Web Shells: after exploiting web vulnerabilities like SQL injection, attackers install scripts to control the server remotely.
• Rootkits: these require kernel-level access and manipulate system calls and logs to avoid detection.
• Backdoors: installed by attackers to maintain unauthorized access to systems, often remaining hidden within legitimate software.
• Privilege Escalation Tools: ihese tools exploit vulnerabilities to gain higher privileges on a system, often enabling continuous access.

Common Malware Types in Linux

The most common types of malware affecting Linux systems in recent years include:

• Web shells
• Trojans
• Backdoors
• Cryptocurrency Miners
• Adware

Common Vulnerabilities

Linux servers are often used as storage or command-and-control (C&C) servers for malware. In 2022, the three most commonly exploited vulnerabilities were:

• CVE-2021-44228 (Log4j vulnerability)
• CVE-2017-12611 and CVE-2018-11776 (Apache Struts vulnerabilities)
• CVE-2018-15473 (OpenSSH vulnerability)

Advanced Persistent Threat (APT) groups have also exploited Berkeley Packet Filter (BPF) filters to install backdoors, complicating detection. BPF abuse, including malware variants such as BPFdoor, is becoming increasingly sophisticated and difficult to detect.

Common Web-based Attacks

Web-based attacks dominate Linux security threats, accounting for 97% of all attacks. Common attack techniques include:

• Cross-site scripting (XSS)
• SQL injection
• Command injection
• Path traversal

The OWASP Top 10 lists these vulnerabilities as major threats to web applications, and they remain prevalent across Linux systems.

Conclusion

Linux’s widespread adoption in critical infrastructure, from cloud platforms to embedded systems, makes it a prime target for cyber threats. While containers and cloud-native applications have transformed infrastructure, they also introduce new security concerns. As Linux continues to grow, securing it against malware, vulnerabilities, and attacks must remain a priority.

Sources

• E. Cozzi, M. Graziano, Y. Fratantonio and D. Balzarotti, “Understanding Linux Malware,” 2018 IEEE Symposium on Security and Privacy (SP), San Francisco, CA, USA, 2018, pp. 161-175, doi: 10.1109/SP.2018.00054.
• David, Robert & Luqman, Saqib. (2024). Understanding Malware: A Comprehensive Guide to Types, Risks, and Prevention Strategies.
• https://www.trendmicro.com/vinfo/be/security/news/cybercrime-and-digital-threats/the-linux-threat-landscape-report

This blog post is licensed under CC BY-SA 4.0