Dealing with Linux Malware, Insights by the Author of rkhunter
Malicious software plague computers for more than 40 years. It is hard to think this threat will ever stop. The Linux platform definitely has their share of malware, although many people never experienced it firsthand. Let’s dive into this subject and discover why your system might actually being compromised at this very moment.
The types of malware
To understand the risks, you have to understand the threats and weaknesses. When we talk about malware, there are different family types, each with their own threat and method of attack. The most common five families are:
- Virus – attaches itself to binaries (e.g. ELF binary)
- Worm – spreads via the network, e-mail, file transfers
- Rootkit – alters the system with a specific purpose
- Backdoor or Trojan horse – allows for secret access
- Dropper – disguises itself as legitimate, while performing secret actions
Each of these malware families has a specific usage. Some are meant to spread itself to as many systems as possible. Others are focusing on the opposite and cover their tracks and remain silent. That is, until the master shows up with a secret token.
Viruses on Linux?
A computer virus has the intention to attach itself to another file in the first place. Next step is getting distribution. This is very similar to seeds that are hidden inside fruits, to be eaten by animals. The seeds are tough and only leave the animal at a different spot, including fresh fertilizer. When we talk about computer viruses the same thing happens. The file gets infected, moved or copied by a computer user, then deployed on a different system.
MS-DOS and Windows were known to be very vulnerable for computer viruses. Software was pirated and infected EXE files found their way to new computer systems. As Linux consists of mostly free and open source software components, the chance for a traditional virus are much lower. Why copy a file from someone, while you can download it yourself for free? There are some viruses available to infect ELF files, the typical binary format for Linux binaries. The effect of ELF infecting viruses is minimal, as the chance of spreading is low.
What about Linux worms?
Like a virus, a worm wants to get replicated. Instead of being passive and attaching to a binary, it has more aggressive techniques. It becomes active and finds way to spread quickly and perform a related action. To spread it often uses network connectivity, e-mail, or access to file shares. Just being deployed on many systems is not enough. The worm has a second purpose, to do something directly, or after a predefined set of time. This could be harmful, like destroying the hard disk of the infected system.
While most worms were written in the past for Windows, this threat is applicable to Linux systems as well. The Adore and Slapper worms are examples which infected unpatched Linux systems very quickly. This was done by exploiting weaknesses in network-based services and then deploy the worm on the new system. This newly infected system would start scanning other possible targets as well.
Rootkits are a Linux thing
As the name describes, rootkits sound like they are applicable to Linux. We can safely say that this is the case. Rootkits are a set of utilities (=kit), to maintain high privilege access (=root). The goal is not to become root, but stay on the system for as long as possible. This way attackers can use the resources of the system at a later stage, without being detected in the meantime.
To achieve invisibility, rootkits take a lot of measures to hide itself. This starts with masking any related files or directories on the disk. To achieve this, a binary like /bin/ls or /usr/bin/find needs to be altered. Any legitimate system administrator will no longer see the files when scanning through the system. Then there is the alteration of tools like ps and lsmod, to prevent showing the related processes and kernel modules. Quickly this becomes a set of altered binaries, which is exactly why we call it a kit. Most of the rootkits also have a backdoor in them. This way the attacker can get a free pass to access the system at any time. Without any suspicious logging entries in the log files of course.
Where is the backdoor on Linux?
Backdoors are common on all platforms, including Linux. They are part of rootkits, but can also be implemented as small standalone pieces. For example, the PHP/C99Shell is one of the most used backdoors on PHP. It simply disguises itself somewhere on the system, often as a file with the JPG or GIF extension.
The problem with backdoors is that they can reside on many places within the system. A kernel module could be providing one, only to open up if the right sequence of network packets was noticed. Your SSH daemon could also be backdoored, giving access to those with the master password. So this threat of backdoored services on Linux is something we should take seriously.
The dropper is an interesting malware family. It disguises itself as a normal file. Upon execution it does the behavior of something expected, like showing a program. In the background it does a little bit more, often completely unnoticeable for the system user. Droppers exist also for Linux, but are less common. One of the most common one is Linux.RST.B. It infects an ELF file (like a virus), with the goal to provide a backdoor in the background.
How do attackers get in?
With all these types of malware, you might wonder how you a system gets infected in the first place. There are two main reasons:
- Vulnerabilities in software
- Weak configuration
Software products need continuous attention. It is often created under pressure and chances are high it contains 1 or more issues, or software bugs. Some of these bugs may result in a security vulnerability. Such a vulnerability could be skipping a required authentication step, or filling the memory with unexpected data. An attacker can use vulnerabilities to exploit the software, and do things which were not intended.
Weak configurations are also responsible for many break-ins. This could be the usage of a weak or default password. With so-called brute-forcing these passwords can be quickly detected and abused. In the same category, there are the weak software configurations itself. Your Linux system may be running Apache with all default settings enabled. This instance of Apache may be giving away too much details about the software, but also the operating system itself.
Attackers use all the tricks in their book to find weaknesses. They start with the enumeration phase, the act of collecting information. Every bit of information is then stored and later analyzed to determine if systems have any possible weaknesses. The more information your systems share, the easier it becomes to find a vulnerability sooner or later.
Why is there malware on Linux systems?
Most malware on Linux has the goal to do something right now, or at a later stage. From being a bot in a huge botnet, to providing anonymous internet access for the attacker. A lot of the malware is used for sending e-mail spam, or become part in a distributed denial of service (DDoS). Every system with a connection to the internet is therefore a valuable resource to attackers.
Maximizing malware value
Attackers want to get the most value out of their malware. If you would like to misuse a system for sending spam, you don’t want it to be detected too easily. Attackers know this and try to keep their victims systems under the radar as well. Another way to stay undetected is the tricks used by most rootkits and many of the backdoors. Simply disguise as another process, hide somewhere between the thousands of files, or become an invisible kernel module.
Malware creators have become very creative in hiding their traces. Here are some common places:
- As a binary in common PATH
- Somewhere in the directories of the man pages
- Hidden in a cron job
All these mentioned tricks make it close to impossible to detection, so is there hope?
Step 1: Detect Linux malware locally
The first action to take is run specific malware scanners on your Linux system. Don’t do it just after you feel a system may be compromised. Make it part of ongoing scanning and be prepared.
- Linux Malware Detect (LMD)
- Rootkit Hunter
Chkrootkit and Rootkit Hunter are tools which focus on Linux rootkits and backdoors. ClamAV and Linux Malware Detect focus more on backdoors (e.g. PHP) and generic malware, including samples used on Windows. Combining them will give you the most chance to detect any trace of malware.
Step 2: Detect Linux malware by change
Another good way to detect malware is using integrity tools. For example monitoring your most critical files for change. If your /bin/ls binary was changed, but you didn’t make any updates to it, that is a bad sign.
Step 3: Detect Linux malware on the network
Sometimes the best way to detect something is wrong, is outside the system itself. The network is a great place to monitor. See an increased in SMTP traffic from a system, but can’t find anything in the mail.log on the system itself? It might be the result of a hidden process being a member of a botnet and recently woken up. Early detection might save a lot of time and abuse of resources.
What to do after you found something?
Dealing with malware can be a challenging task. After all, you have to know first how serious the intrusion is. Your ClamAV discovering an infected email is something completely different than a rootkit on the system.
Don’t unplug the system if you want to do analysis. Better is to keep the system running in a controlled way, so it can’t do harm. Some malware is smart enough to detect when it is being analyzed, or when it feels it is being busted soon. Such trigger could be a network link going down. Instead, keep the link up, and place the system in a different network segment where it can’t do harm. If you manage your network infrastructure, it would be wise to have a quarantine VLAN available for infected systems. Here systems still have connectivity, but limited. Some traffic might be silently dropped, to ensure the system doesn’t do damage.
Easiest and still the best advice: if you had a serious malware piece on your system which needed root permissions to install, reinstall your system. If someone else became root, there is always the chance that something is running in the background.
But I want to clean up my system!
If you feel confident that your system will be really clean after your actions, go for it. That is if you really know how the malware arrived on the system. Next requirement is that if no root permissions were needed to place the malware. Otherwise you may risk maintaining a system with still hidden services running on it. In that case, it may be better to learn a lesson from it: install a fresh system, restore data, implement the right countermeasures.
Tip: Be aware that malicious traces could be in your backup. So only restore data directories and reconfigure the rest manually.
Is prevention possible?
The best way to prevent malware is by applying the right security defenses. We call this process system hardening. Limiting incoming connections on systems can be of great help and avoids exposing vulnerable services. Those services which need to be available can be hardened by using safe configurations. Remove default accounts and change default passwords.
Linux system hardening takes some time, but is worth the effort. Since this is a broad subject and covers a lot of areas, we have written many individual posts. If you are completely new to the subject or want to understand how to prioritize system hardening, use Lynis. It gives a first good insight what you can do. Start with the warnings, then move on to the quick wins on the list. Linux system hardening is not a one-time effort. It needs to be applied in small steps. So track your progress and prioritize.
Another way to prevent malware on Linux is by keeping software up-to-date. This process is named software patch management and consists of receiving security bulletins, testing available patches, and finally applying them.
Did you like this article? Here are more resources to follow-up on the subject.
- Presentation – Handling compromised Linux systems
- Intrusion detection: Linux rootkits
- Monitoring Linux Systems for Rootkits
Got questions to keep your systems protected? Ask them in the comments.
The rootkit I wrote can’t be detected by rkhunter or chkrootkit. Most of that code is 15+ years old. Those detectors use signatures and the manual method are easily defeated with syscall hijacking.
The ONLY way I can detect my rootkit is by memory forensics.
The ONLY way I have found to prevent my rootkit from being deployed successfully is to use host based intrusion detection (OSSEC/AIDE/TRIPWIRE).
It is true that rootkit scanners can be tricked. The cat-and-mouse game does definitely apply here. One should therefore always use “defense in depth”, applying several complementary levels of security. Another good suggestion is to prevent kernel modules from loading, by disabling that functionality.
Thanks for the reply and great answer on preventing loading a LKM in the first place.