Interview: MalwareMustDie and their Linux malware research

Linux malware, research, and more

With great pleasure, we interviewed unixfreaxjp. He is the leader and founder of the malware research group MalwareMustDie. We want to learn about their activities, Linux malware, and useful skills for security professionals. Keep reading!

Interview MalwareMustDie

About the MalwareMustDie organization

So for those never heard about MalwareMustDie, can you tell us who you are?

As stated on our web site. MalwareMustDie, is a white-hat anti cybercrime security research workgroup. launched in August 2012, is an Non Profit Organization media for security professionals and researchers gathered to form the work-flow to reduce malware infection in internet. We work to raise malware awareness by sharing general information of malware infection scheme and trend to the common users, helping security vendors and public automation malware-related scanning/decoding tools by providing in depth decode analysis to the recent malware infection frameworks, and work with legal authorities to take down malware domains, and its further threat intelligence.

We aim to establish good relationship vertically with authorities, and horizontally with the fellow researchers and security entities, so that cooperation can be enlisted in dismatling domains that host malware and its infectors in internet.

Why do work for free? What is there to gain?

We work as non profit “organization”, hardly can be called as a company. All of us are mostly employees or engineers with the day-work duties related with the network and internet administration or security profession. The organization is not receiving any income and costs were paid by the involved member’s own money on operations.

Can you tell us a little bit about the MMD team? How big is it?

We maintained a steady value of members around 30 members, with the supporters included, it is around 60 people right now.

Linux malware

We typically hear that there aren’t viruses for Linux. Seeing the samples collected on websites like Packet Storm Security we know there is quite some malicious software around. What type of malware do you encounter?

Malware or virus in Linux exists for a long time. In 10 years ago, it is not as popular as Windows malware. But things had changed since 2012 when the abuse of Linux infection through unattended Linux devices has started. And we have a complete series of types since then, from backdoors, rootkit, hacking tools (scanner/bruter etc), spam tools, exploit distribution tool, ransomware, botnet kits (via irc or etc protocols) and to the traffic DoS attack malware tool.

Do you see any trend that suggests malicious software on Linux is increasing during the last years? What about ransomware for Linux, does that show up now?

In each time security community announces a new linux’s (or unix) services related vulnerability, the linux malware trend and infection is raising. In example: During the shellshock, The PMA (phpMyAdmin) vulnerabilities, Apache Struts vulnerabilities, various OpenSSL vulnerabilities that leads to illegal authentication, and now the IoT’s factory credential setting flaw, all of these is (was) raising the Linux malware infection and distribution to the affected systems.

Ransomware is in “a boom” in cyber crime business. There are various type of Linux ransomware that encrypt websites data or the server’s data now, since to code an encoder or encrypter program is not difficult at all. For the cyber crime, ransomware is always high in profit and low in risk compares to the in real life extortion or ransom crime, most of the professional cyber mafia are on this “business” now.

The thing is that Linux is based on open source, dissecting ransomware in Linux is only a matter of time. You just can not mess with Linux/UNIX system administrators, for years they are the one who ready with backups, images and more savvy solution to prevent any of their services go down.

When someone finds a piece of malware on their machine, they can upload it on your website. What happens with the samples?

We just analyzed each samples, each one of it. Then we checked whether the protection layer i.e. antiviruses or etc signature (IDS, Yara, etc) already cover it, then we go deeper to the uncovered ones. When it comes to an unknown malware and it is aiming public level of threat then we post the awareness in our blog. Sensitive cases like APT for example, we don’t expose at all.

Recent developments

You are known on Twitter as @malwaremustdie. You are using a lot of crusader pictures. Has it to do with religion, or is it something else?

It is just a symbol, just as Linux uses Penguin and FreeBSD uses a Daemon, we use knight images during the medieval era. No it is not related to any religion at all but all of the members are religious and decent citizens. The “Crusade” term is also symbolizing the hard effort we face to fight malware and crime scene behind it, it is a big deal, knowing that the malware still exist for, more than 20 years now.

Last year the Twitter handle became a private account. You also announced a lot of people to be removed from the followers. What was that about?

We are not active anymore on twitter. It’s all about security. There were malware people are lurking us. @malwaremustdie had 15,000+ followers and now we have around 1,300 after I reduce them. Most of the followers are the blackhat lurkers. They learned from what we tweet and use the information to improve their malware, some blackhats are using the vulnerability that we found to improve their malware too.

These lurkers are using the predicate as “security enthusiast”, “malware researcher”, “reverse engineer students”, “system administrator” and some of them are even faking real researcher’s pictures, names or avatars that they stole from respectful researchers from other SNS. In order to avoid this, to the people that we don’t know, we vetted and asked followers to inform about them self. We disconnect the follower who doesn’t explain. But our direct message is always open for them who want to re-follow after they give more details about them self.

I also run several scripts connected via twitter API to check the validity of accounts who tried to follow us, if the indicator is RED we won’t even answer to the request. Right now we have almost 500 requests already, that was still flagged as RED. We need to conduct our research peacefully and to OPSEC our comm better, right now we are in the most happiest state.

But people can still read the blog and learn about the details, right?

Yes, blog is the recommended ways for the public, including the malware bad guys, to read. The information in the blog was filtered, we passed all of the necessary details to the law enforcement before or during the time we blog it now.

If someone interested in malware and security, do they make a chance of being accepted as a new follower?

We are done with Twitter, if you refer to it. Right now I am not willing to add twitter followers anymore. People can follow us via blog or IOC feed we released, journalism and legit researchers know exactly where to reach us.

Our twitter DM in twitter is open to anyone. To ask questions or for an introduction. The funny thing is, blackhats are using this channel a lot to send “their messages” etc, instead of whitehats.

Professional skills

Is there a benefit for security professionals to learn analyzing malware samples? How could you use it in your daily work?

It is important for security professionals to know how to check a malware sample. They don’t have to reverse engineer the sample, but to identify it as malware up to some level. Using a tool to detect a malware is okay for the novice computer users, and they will go to the security professional to ask more issue or problem. Knowing by yourself about a malware sample will always bring more good than bad. Please, always conduct your analysis in the very safe environment.

If one would start with malware analysis, what would be a good way to start? Any resources we need to know about?

The internet is the best resource for learning in this era. This is why the internet has to be kept clean for all of us to learn and communicate on the safe services. There are a lot of reference for malware analysis on the internet. For Windows malware, I suggest you to take a look on, and for Linux malware, our blog is very rich for learning in real cases.

What makes that someone who analyzes malware go from being good to a great researcher?

I don’t know how to answer this. Personally, I never consider myself as malware researcher at all. I myself is as UNIX system engineer and protocol filtration developer. I like C programming in profession and reverse engineering as troubleshooting method and a hobby, and the best object to reverse is malware.

Many researcher “experts” laugh at the way I analyze a binary, as they think I go into too much detail of the binary I check. One thing that I do when I analyze a malware is, be relaxed and don’t get excited too much, I have to stick with the binary in hand and I have to extend my skill set if we face something I don’t understand. I like to understand what every opcode means, how is this binary was compiled in such way, how it is packed, how it is executed, etc. These are raising some “Why?” questions that I like to solve myself. The more you solve the better understanding you get from that malware.

Dealing with malware is not as same as we deal with legit software. Malware is coded with “lies” intact. But binary file never lies, they always try to tell you more of the badness inside of its bytes, and you just have to improve yourself to listen to it.

Thanks for your time and answering these questions. One more question: which security person do you think we should interview and why?

I suggest to interview Linus Torvalds, seriously, for his perception is very important for the roadmap of Linux kernel that is recently abused much by many malicious efforts. Ask questions about what he can develop in the future to make Linux kernel more secure than now.

Did you like this interview? Share it on your social network.


Small picture of Michael Boelen

This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.

Discovered outdated information or have a question? Share your thoughts. Thanks for your contribution.

Mastodon icon