Did you know that Linux systems are not immune to malware?
By March 2018, 15,762 new Linux malware samples had been identified. On the surface, there is a perception that Linux doesn’t attract the attention of virus-makers, who prefer to target the Windows operating system instead. However, there is a growing (…and growing) threat from malware that is specifically designed for Linux.
Here’s an outline of the origins, rise and future of these malware threats and what can be done about it.
Origins
‘Staog’ was the first known malware targeted directly at Linux. It was identified in 1996 – and whilst it wasn’t particularly effective and was easy to patch, it marked the start of a growing trend that continues to this day.
So why are Windows viruses so much more worthy of headlines?
Firstly, there are many more Windows administrators than there are Linux ones. Almost anyone with a personal laptop is, whether they realise it or not, a Windows administrator, and they can make for easy targets – all it takes is a double click on the wrong executable and suddenly the computer is infected. Keyloggers, screen recorders and connections to ‘command and control’ servers can leave the computer at the mercy of virus-makers.
There’s also the fact that Linux is so much better at permissions than Windows. In the world of Linux, every file, folder and program can be controlled as to exactly who can see it, run it or change it – whether that’s a particular user, a group of users or the root user themselves. Plus, a newly created user doesn’t have the administrator’s permissions to run whatever they want.
Windows, however, prioritises backwards compatibility. Not many people would want to buy the latest Windows if it meant they wouldn’t be able to run their favourite apps … so this forces its developers into a position where updates must be as undisruptive as possible, which in turn can mean relying on old security techniques that can be exploited.
Examples of Linux Malware
That being said, it doesn’t make Linux invulnerable. Here are some examples of successful Linux malware:
- CloudSnooper (2020): A trojan that targeted Linux servers to steal sensitive data and monitor cloud communications.
- EvilGnome (2019): A backdoor that secretly took screenshots and recorded audio on Linux systems, often spread through fake software updates.
- HiddenWasp (2019): Installed a backdoor, allowing attackers to remotely control the infected system.
- QNAPCrypt (2019): Ransomware that targeted QNAP NAS devices running Linux, encrypting files and demanding payment for decryption.
- GonnaCry (2017): Ransomware that exploited a Windows vulnerability but also had the ability to spread to Linux systems through weak SMB implementations.
Prevention
… is better than the cure. So, how do admins of a Linux environment protect their setup?
The easy answer is ‘Update’. It’s also the difficult answer. Linux updates come thick and fast – especially if you are on a bleeding-edge or rolling-release system such as Arch Linux – and with each new update come new opportunities for things to break. Yet this is the best way to ensure you’re protected against the known threats.
Other ways? System monitoring, log inspection, auditing, penetration testing. It’s a never-ending cycle that’s worthy of your attention. At the end of it all, having a great backup solution is a must-have for the worst-case scenarios.
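As an added example (not code from the original post), here is one concrete form the ‘auditing’ step can take, tied to the permission model described under Origins: a shell script that walks a directory tree and flags files whose mode bits weaken that model, namely world-writable files and set-uid/set-gid executables. The sample directory tree and its file names are constructed for the demo; on a real host you would point the audit at a real path.

```shell
#!/bin/sh
# Added example, not part of the original post: a small permission audit
# that walks a directory tree and reports files whose mode bits undo the
# user/group/other model described above. All paths here are constructed
# for the demo; on a real host you would point audit_tree at /, /usr or /home.

# Report regular files under $1 that are world-writable (other-write bit,
# octal 0002) or carry the set-uid/set-gid bits (octal 4000/2000), which run
# a program with the owner's or group's identity rather than the caller's.
# Output: one "LABEL path" line per finding, sorted.
audit_tree() {
    {
        find "$1" -type f -perm -0002 2>/dev/null | sed 's|^|WORLD_WRITABLE |'
        find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null \
            | sed 's|^|SETID |'
    } | sort
}

# Build a constructed sample tree in a temporary directory so the audit can
# run offline. Prints the directory path.
make_sample_tree() {
    sample_root=$(mktemp -d)
    mkdir -p "$sample_root/bin" "$sample_root/home/alice"
    printf '#!/bin/sh\necho hello\n' > "$sample_root/bin/safe_tool"
    printf '#!/bin/sh\necho hello\n' > "$sample_root/bin/suid_tool"
    : > "$sample_root/home/alice/notes.txt"
    : > "$sample_root/home/alice/shared.txt"
    chmod 0755 "$sample_root/bin/safe_tool"          # owner rwx, others r-x
    chmod 4755 "$sample_root/bin/suid_tool"          # same, plus set-uid: flagged
    chmod 0644 "$sample_root/home/alice/notes.txt"   # only the owner can write
    chmod 0666 "$sample_root/home/alice/shared.txt"  # world-writable: flagged
    echo "$sample_root"
}

# Demo run against the constructed tree; expect exactly two findings.
demo=$(make_sample_tree)
audit_tree "$demo"
rm -rf "$demo"
```

Run the same audit on a schedule and diff its output against a known-good baseline; a new SETID or WORLD_WRITABLE line is the kind of change a backdoor installation tends to leave behind.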