Linux is often praised for its enhanced security compared to other operating systems. Nevertheless, IT professionals must never assume that Linux is immune to threats.
Due to widespread adoption in critical infrastructure, Linux has drawn the attention of advanced persistent threat (APT) groups aiming to breach its security. Additionally, Linux finds use in various IoT devices. One of the largest cyberattacks in history involved the “Mirai” malware, which exploited vulnerabilities in devices running Linux.
- The Linux Environment
- Linux Vulnerabilities
- Dissecting Linux Malware: The ELF File Structure
- System Calls
- Behavioral Patterns
- Types of Linux Malware
- Distribution Methods
- Mitigation and Preparation Strategies
- Additional Resources and Links
The Linux Environment
Linux is the backbone of various critical infrastructure systems, such as IoT devices, servers, and cloud platforms.
Using Linux does provide some security benefits. These include continuous updates from repositories, the contributions of a sizable open source community dedicated to enhancing Linux security, and the availability of free and open source patches. Furthermore, Linux has the reputation of being less susceptible to viruses and malware.
The fact remains that vulnerabilities continue to pose a big risk to Linux systems.
A lack of effective vulnerability management and tracking procedures, combined with a lack of proper system patching processes, can leave systems exposed when a vulnerability is found and an exploit is published. It is vital for Linux users to not only assess the vulnerabilities of the platform itself but also of the applications running on the system.
Additionally, the system misconfigurations present a security concern, as misconfigurations can result in vulnerabilities.
Dissecting Linux Malware: The ELF File Structure
The ELF file format is the executable file type for Linux. ELF stands for “Executable and Linkable Format” and is analogous to the .exe file format in Windows. Standard file extensions for ELF files include .so, .ko, .o, and .mod. However, an ELF file could have no extension altogether. ELF files are compatible with different architecture types and offer flexibility by accommodating both 32-bit and 64-bit address sizes.
An ELF file might either be the actual malware or a piece of malware used within a multi-staged and multi-tooled attack by an APT group.
ELF files have a typical structure and various fields. A reverse engineer or malware analyst would be interested in this structure. During the aftermath of a malware incident, once the attack has been triaged and chronologically sequenced, and ELF files have been discovered, they will usually be analyzed.
System calls establish an interface between user mode programs and the operating system’s kernel. They allow user mode programs to securely access hardware, process management, and any other protected processes and services. Malware can exploit system calls to execute its functionalities.
A few examples of system calls exploited by malware include the following:
- Filesystem: Filesystem calls allow malware to interact with the filesystem.
- Network: Network system calls facilitate networking, albeit at a lower level than application layer protocols.
- Process management: Process management system calls are used to create new processes or interact with existing ones.
Shellcode refers to pieces of code written in assembly language that are executed on a system. While the delivery method for the shellcode may vary, it is generally written in a low-level language, which ensures easy delivery via injection into a target process’s memory.
Essentially, shellcode is code executed by the attacker and often functions as the payload for a larger exploit. It is of great interest to the malware analyst and reverse engineer.
Shellcode is frequently written to exploit existing vulnerabilities by injecting and executing code within compromised applications or systems. The attacker may use shellcode to escalate privileges, gain unauthorized access, and execute other malicious actions within the targeted system.
Malware types share the same basic behavior patterns, serving as identifiable markers that can both be searched for and monitored along with other activities of APT groups.
Check out the Mitre Attack framework for insight into tracking APT threat actors and their methods across enterprise, mobile, and industrial control environments. You can find a link to this framework in the Additional Resources and Links section at the end of this article.
An attack involves the initial delivery of a piece of code or complete malware, commonly through phishing and social engineering techniques. The malware then needs to communicate with its operators or a command and control server. Once communication is established, the malware can receive commands and either exfiltrate data or encrypt data in a ransomware attack.
Before this can happen, however, the malware must help attackers move laterally, elevate privileges, and maintain persistence through system reboots. Malware types and APT groups can achieve these goals in various ways.
Types of Linux Malware
Linux malware comes in various forms, each targeting a different aspect of the operating system (most of the time).
Rootkits attempt to gain root-level access to systems, enabling stealthy control by the attacker. Commonly, the attacker will hide malicious processes and files to evade detection, thereby securing the attacker’s foothold.
Backdoors create hidden access points, allowing attackers to access systems while bypassing conventional authentication mechanisms.
Trojans disguise themselves as legitimate software. Once run or executed by a user, trojans can carry out various actions, including communicating with command and control servers and assisting attackers with data exfiltration.
Botnets are multiple compromised systems under the control of malware operators. These networks can be exploited for a range of attacks, including distributed denial of service (DDoS) attacks. Mirai, a famous example, infected IoT devices to orchestrate large-scale network attacks.
Ransomware encrypts the data of an infected machine and then demands payment for the decryption key. Victims are often directed to TOR-based sites to make cryptocurrency payments. Ransomware victims must grapple with the dilemma of whether to pay the ransom or not.
In recent years, several Linux malware incidents have made headlines, with botnets and ransomware attacks among them.
- Shikitega: Malware developed for Linux that targets IoT devices and endpoints and uses a multistage infection chain.
- Symbiote: A malware variant with a rootkit capability.
- Clop: A ransomware variant with a Linux version.
In a recent ransomware trend, attackers may perform “double extortion” or “triple extortion,” threatening to post sensitive data unless ransomware demands are met.
To prevent incidents and infections, it’s important to understand how Linux malware gets distributed.
A vulnerability is a security weakness that attackers can take advantage of via an exploit. If a vulnerability is not known generally but is known to the attackers, we call it a “Zero Day” vulnerability. Zero-day vulnerabilities pose several risks because attackers can exploit them without the knowledge of legitimate users and security infrastructure and services such as antivirus companies.
Once vulnerabilities are disclosed, vendors and developers work on patches that are distributed through software updates.
Vulnerabilities underscore the importance of proactive patch management and maintaining up-to-date software and systems.
Phishing attacks aim to manipulate users to click on links to malicious sites or run malicious software. Engaging with the sites or software may trigger the download and installation of malware, followed by an attack. Phishing attacks commonly use multiple different tools and adhere to the cyber kill chain and APT groups’ strategies.
Compromised software repositories
Attackers may infiltrate software repositories, leading to the distribution of malware to unsuspecting users who download software from the repositories.
Supply chain attacks
This is a sophisticated type of attack where the perpetrators have gained access to a software or hardware supply chain. There have been many instances of supply chain attacks in the past few years, with the SolarWinds breach among the most notable. The SolarWinds breach affected various U.S. government entities and private organizations.
Mitigation and Preparation Strategies
Protecting Linux systems against any type of malware should involve a defense-in-depth approach. Defense in depth is a multi-layered strategy, where every layer in the defense is properly secured. The goal is to thwart attackers by creating a hurdle at every step of their attempt to penetrate the organization. The strategy requires coordination of the entire security process to work effectively.
Ensure regular updating and patching of both the operating system and all software installed on the system. Certain user-friendly Linux distributions, such as Ubuntu, will prompt you in the GUI to update the operating system. In Debian-based systems, you can run sudo apt-get update to update the operating system. In Red Hat-based distributions, you can run sudo yum update from the command line to update the system.
Use only secure software sources
Avoid all forms of “cracked,” pirated, or counterfeit applications and software. Use only the official repositories and pages for software downloads. Verified third-party sources of software also exist and can be considered safe. Official packages from reputable sources should be secure. Some software and applications have a hash or signature on the download site, allowing you to verify that you have installed the actual application and not a compromised package.
Computer users must receive training on how to avoid social engineering and phishing attacks. Most attacks, including high-profile incidents, use social engineering or phishing techniques to gain initial access to the organization or system. It is far easier for attackers to target an organization’s employees rather than attempt to breach heavily fortified web-facing infrastructure. The infrastructure is generally hardened to the point where it would take millions of dollars and teams of people to break through it.
Even in cases where attackers have massive resources, they frequently rely on social engineering to bypass technical obstacles standing in their way. An example is Stuxnet several years ago, where a phishing email was used to gain initial access to a nuclear reactor’s system. The phishing email paved the way for a sophisticated malware attack that targeted an industrial control component called a programmable logic controller. The malware caused severe damage, and it was all made possible because of social engineering in the form of a phishing email.
IT administrators typically shoulder the responsibility of enforcing compliance with IT security policies. Their role includes ensuring that all computer users and systems in the organization comply with security protocols.
You can further protect systems by hardening them. This can include reducing the attack surface by closing unnecessary or unused ports and services. It can also involve using password best practices, password management, and encryption and VPN services where applicable.
Unusual activity can be actively or passively detected. In enterprise settings, it’s important to set up and configure alerts. When Linux functions as critical infrastructure, organizations should establish logging and monitoring mechanisms. Moreover, integrate with security information and event management systems and other platforms when possible.
Implement backup and recovery systems
Make sure critical data is regularly backed up. Additionally, systems and infrastructure should be backed up as part of business continuity planning. The saying, “One is none and two is one,” can be applied here. To be safe, at least two backups should be made.
Additional Resources and Links
Here are several links and additional resources to help you on your way.
- Mitre Attack Framework: https://attack.mitre.org/
- The official Linux Kernel Documentation: https://docs.kernel.org/
- The Linux Foundation Filesystem Hierarchy Standard: https://refspecs.linuxfoundation.org/FHS_3.0/fhs/index.html