Posted on June 1, 2019 at 2:37 PM
While Linux has always been touted as a much safer solution compared to Windows, this has always been somewhat of a fallacy. Both of the operating systems have security measures in place for those who are security obsessed, but the sheer number of people using Windows over Linux means that anyone who wants to target as large an audience as possible will make Windows malware . Particularly since most organizations use some form of Windows instead of Linux.
What malware Linux does have is mainly focused on its efficient use of resources. Hackers have tended to place crypto-mining malware that eats up a machine’s resources or DDoS software to help with DDoS attacks. There is a new malware out in the Linux ecosystem today and it is called HiddenWasp – and unlike many of the common Linux malware, it focuses primarily on the remote control of the computer that it has infected. A targeted attack of this type points towards very specific goals on the part of the attacker/s.
Intezer gives details on malware
Security research firm Intezer has stated that the malware is extremely dangerous for two reasons. It is still active and being used regularly by the attackers. The second reason is due to the malware being able to evade detection from a variety of antivirus suites.
The malware borrows code from two very popular malware programs, the Azael rootkit and Mirai. There is also a substantial portion of the code that can be found in Chinese developed malware, but that particular attribution is only made with low confidence according to security researcher Ignacio Sanmillan.
However, while HiddenWasp has borrowed quite a bit from publicly available malware, the majority of the code, says Ignacio is unique. The malware itself consists of a user-made rootkit, as well as a Trojan with the last part of the malware being an initial deployment script. Ignacio does note that malware creators focused on Linux actually do not tend to spend much effort on writing the section of the implant of their malware. Particularly when considering the pains to which Windows malware authors go to.
The reasons for this, according to Sanmillan, is due to the anti-virus software available on Linux. It simply is not as robust as counterparts on Windows. This should not come as a surprise to anyone in the infosec world as Windows has a far greater history of virus problems and therefore has better immunity.
The problem with Linux, however, is that there is a very large base of open-source malware examples that can be tailored to people’s specific needs. These include those with very strong evasion techniques that are very easy to adapt for whatever purpose a threat actor has.
Protecting against HiddenWasp
Since the detection rate of HiddenWasp is so low, more work needs to be done in order to mitigate the threat posed by this malware. The first, and most crucial, the thing that needs to be done to secure a Linux computer is prevention. This step would only really work if the target computer is not infected. Prevention is possible by blocking Command-and-Control IP addresses associated with the malware.
The second step, in case your system is compromised, is to use a Yara rule that Intezer has kindly provided. This Yara rule is run against in-memory artifacts. This helps with the detection of the malware. Another method to check if the malware is on your Linux computer is to search for files with the name of “ld.so”. The files should all contain the “/etc/ld.so.preload” string and if it is missing from any of them, then there is a good chance the computer is infected.
The reason for this is because the malware patches ld.so, so that it is able to enforce the LD_PRELOAD mechanic from a wide variety of random locations.
While this malware is dangerous and evades AV programs easily, it is at least possible to insulate your computer against it with the advice from Intezer.