Guest blog: Why we should be paying more attention to Linux threats

Posted on Sep 25, 2019

In a guest blog post VB2019 Silver partner Intezer outlines the importance of paying more attention to Linux threats.


In a previous blog post written for the Retail and Hospitality Information Sharing and Analysis Center (RH-ISAC), we discussed the emergence of Linux-based threats.

This threat ecosystem is heavily concentrated with financially driven cryptominers and DDoS botnet tools which primarily target vulnerable Linux servers. In addition, more sophisticated threats utilizing rare evasion techniques exist within the Linux platform, evidenced by the recent discoveries of HiddenWasp, and the QNAPCrypt ransomware campaigns targeting Linux-based file storage systems (NAS servers).


Why Linux?

In the anti-virus industry, a large emphasis is placed on protecting Windows endpoints, and rightfully so — Windows desktop users comprise approximately 87% of the total desktop market share, in comparison to the 2% market share held by Linux desktop users. Because of this disparity, and the fact that we rarely see malware targeting Linux end-users, some security professionals argue that Linux is the safest and most secure operating system.

However, when discussing threats to the Linux platform, we must understand that Linux desktop usage is a very small piece of the puzzle. Linux makes up about 70% of the web server market share, and according to CBT Nuggets, 90% of all cloud servers. In a 2018 article, ZDNet reported that Linux is the most popular operating system on Microsoft's Azure Cloud.


The predominance of Linux servers on the cloud

In recent years, there has been a rapid growth in modern, cloud-based infrastructure. Linux has emerged as the predominant choice for cloud computing for two reasons:

  1. Servers in the cloud are cheaper to develop through Linux. Linux is an open-source ecosystem, which means it can be downloaded for free. A developer that wants to create a Windows-based cloud server has to purchase a licence from Microsoft.
  2. Linux is more convenient for developers. Many best practices in software development today, such as creating containers and new technology, are designed to work on the Linux operating system.


Reasons for low detection rates

The quick migration to the cloud, coupled with a lack of awareness of Linux instances and the threats that target these systems, has contributed to the low detection rates seen across the vast majority of security vendors.

Other contributing factors include:

  • Focus on Windows endpoints. In general, there are not many Linux protection systems, and as a result the evasion techniques are rudimentary in nature. The majority of security solutions are focused on protecting Windows environments: 1) because Windows holds the majority of the desktop market share, and 2) because the cloud is a relatively new development. In addition, security vendors try to adapt their Windows tools to fit the Linux platform, but Linux is very different. As a result, these solutions are not as effective at detecting threats as they are in the Windows domain. Organizations require a tailored solution for Linux, not an adapted Windows technology.
  • Lack of visibility. There is a lack of visibility into Linux instances, which makes gathering information about Linux malware more difficult.
  • Lack of research. A lack of visibility leads to a lack of research being published about Linux malware, meaning we don't know enough about the threats that reside in the Linux ecosystem. More importantly, we don't know how to mitigate them properly.
  • Lack of techniques. The lack of visibility and research into Linux threats contributes to a lack of mitigation techniques being developed. Since there is not enough research being published about Linux malware, we lack critical data such as IOCs which can enable us as defenders to better understand, investigate, and tailor our response to Linux threats.

Big picture. For enterprises that host their data on the cloud, there is a strong possibility that they are using a Linux server. Without proper detection and response mechanisms in place, organizations' cloud infrastructures can be exposed, making them more vulnerable to data breaches.


The importance of code reuse detection

In an open-source ecosystem like Linux, there are large amounts of publicly available code that can quickly be copied and reused by adversaries in order to produce their own malware. In the case of HiddenWasp, the authors behind the malware reused large portions of code from open-source Mirai and the Azazel rootkit. While Mirai is not a highly complex malware, its code was previously leaked in 2016, and we often see the code being reused by attackers to deploy their own instances of Mirai, especially within the Linux platform.

In the world of software development, developers are incentivized to reuse code. Reusing code brings tools to market faster. The same principle applies to malware authors. Especially on the Linux platform, where detection rates have been consistently low, attackers have become less concerned about implementing excessive evasion techniques. Even when the attackers reuse extensive amounts of code, threats have managed to stay relatively undetected.

The majority of cyber attacks, whether they are targeting Linux or Windows systems, contain code from previous threats. As defenders of these environments, it's critical to analyse the binary code that is being used in these attacks. By identifying and then indexing an attacker's code, defenders can detect any future variant of the threat that uses even the smallest amounts of the same code.

This code reuse detection approach, which we call 'genetic malware analysis', is particularly relevant for detecting and classifying Linux threats, because, as we have seen in the cases of HiddenWasp and Mirai, Linux malware authors will reuse code.

In another example, an Intezer Analyze community user recently detected a GonnaCry ransomware sample. GonnaCry is an open-source ransomware designed for the Linux platform. GonnaCry's source code is downloaded from GitHub and utilized by attackers to infect vulnerable Linux endpoints by encrypting their file systems. At the time of detection, this sample had 0/55 detections in VirusTotal. However, the sample was immediately flagged in our system because it shared 453 genes, or over 47% of its code, with previous instances of the GonnaCry ransomware.
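A toy version of the code-reuse indexing described above, added here as an illustration and not Intezer's implementation: it indexes "genes" (hashes of overlapping 16-byte windows) from known samples and reports how many a new sample shares with each family, the way the GonnaCry sample was flagged despite zero signature detections. The Mirai, Azazel and HiddenWasp stand-ins are constructed random byte blobs, and the 16-byte window and 10% verdict threshold are assumptions.

```python
import hashlib
import random

# Constructed illustration of code-reuse ("gene") indexing; not Intezer's
# implementation. A gene here is the hash of a 16-byte window of code, and
# every window is taken (stride 1), so a pasted region matches at any offset.
# Real engines work on disassembled functions or basic blocks.
GENE_LEN = 16

def extract_genes(code: bytes) -> set:
    """Return the set of genes (truncated window hashes) in a code blob."""
    return {
        hashlib.sha256(code[i:i + GENE_LEN]).hexdigest()[:16]
        for i in range(len(code) - GENE_LEN + 1)
    }

def build_index(known: dict) -> dict:
    """Index previously seen samples: family name -> gene set."""
    return {family: extract_genes(code) for family, code in known.items()}

def classify(sample: bytes, index: dict, min_fraction: float = 0.1) -> dict:
    """Per-family shared-gene counts and fractions of the sample's genes, plus
    a verdict listing the families at or above min_fraction."""
    genes = extract_genes(sample)
    families = {}
    for family, fam_genes in index.items():
        shared = len(genes & fam_genes)
        families[family] = {"shared": shared,
                            "fraction": shared / len(genes) if genes else 0.0}
    verdict = sorted(f for f, r in families.items() if r["fraction"] >= min_fraction)
    return {"genes": len(genes), "families": families, "verdict": verdict}

def _blob(seed: int, n: int) -> bytes:
    """Deterministic pseudo-random bytes standing in for compiled code (constructed)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))

# Constructed corpus: stand-ins for the leaked Mirai code and the Azazel rootkit.
KNOWN = {"Mirai": _blob(1, 400), "Azazel": _blob(2, 300)}
INDEX = build_index(KNOWN)
# A HiddenWasp-like sample: fresh code with slices of both known codebases pasted in.
NEW = _blob(3, 500)
VARIANT = NEW[:200] + KNOWN["Mirai"][100:300] + NEW[200:] + KNOWN["Azazel"][50:150]
UNRELATED = _blob(4, 600)  # shares no code with the index

if __name__ == "__main__":
    for name, code in (("variant", VARIANT), ("unrelated", UNRELATED)):
        print(name, classify(code, INDEX)["verdict"])
```

The variant shares 185 genes with the Mirai stand-in and 85 with the Azazel one (about 34% of its 785 genes in total), so both families are named even though most of the binary is new code.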



Additional mitigation recommendations

In addition to adopting a genetic malware analysis approach, organizations can implement the following security best practices in order to mitigate the cyber threats targeting Linux-based systems:

  1. Keep your systems patched and updated across all Linux servers and devices.
  2. Ensure signature-based detection solutions are updated, in order to keep up with the different, evolving threats.
  3. Secure SSH login with a key. The victims of the QNAPCrypt ransomware campaigns were compromised by brute force techniques. For remote access over SSH, remove the option to log in with credentials; otherwise you could be the victim of a brute force attack. It's much safer to log in via an SSH key.
  4. Perform a routine review of important system files. It's important to remember that, once installed on a server or device, malware will likely attempt to achieve persistence. In Linux servers especially, it's crucial to look for suspicious cron jobs, SysV or systemd initialization scripts, and services.
  5. Disable root accounts. The root account has access to all files and commands on a Linux system, with full read, write and execute permissions. Errors by the root user can have critical implications on the normal operation of a system. This article from TecMint explains four ways to disable the root account in Linux.
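For recommendations 3 and 5, an added audit helper (not from the original post) that reads an sshd_config and reports whether password logins and direct root logins are switched off. It assumes only the global section matters (a Match block is flagged rather than evaluated), applies sshd's rule that the first value given for a keyword wins, and uses constructed sample configs.

```python
import re

# Added audit helper, not from the original post. It checks an sshd_config for
# the settings behind recommendations 3 and 5. Assumptions: only the global
# section is evaluated (a Match block is flagged, not applied) and sshd's rule
# that the first value given for a keyword wins.
DEFAULTS = {  # values sshd uses when the keyword is absent
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",  # older name: ChallengeResponseAuthentication
    "permitrootlogin": "prohibit-password",
}

def parse_sshd_config(text: str) -> dict:
    """Effective global values (lowercased); first value given for a keyword wins."""
    values, seen = dict(DEFAULTS, has_match=False), set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.split()[0].lower() == "match":
            values["has_match"] = True
            break  # keywords after this point apply only inside the Match block
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, val = parts[0].lower(), parts[1].strip().lower()
        if key == "challengeresponseauthentication":
            key = "kbdinteractiveauthentication"
        if key not in seen:
            seen.add(key)
            values[key] = val
    return values

def audit_sshd_config(text: str) -> list:
    """Return findings; an empty list means password and root SSH logins are off."""
    v, findings = parse_sshd_config(text), []
    if v["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication not 'no': password brute force possible")
    if v["kbdinteractiveauthentication"] != "no":
        findings.append("KbdInteractiveAuthentication not 'no': PAM can still prompt for a password")
    if v["permitrootlogin"] != "no":
        findings.append("PermitRootLogin not 'no': direct root SSH login allowed")
    if v["has_match"]:
        findings.append("Match block present: review its conditional overrides by hand")
    return findings

# Constructed sample configs: a default-like one and a hardened one.
WEAK = "Port 22\nPermitRootLogin yes\n#PasswordAuthentication no\nPasswordAuthentication yes\n"
HARDENED = "PermitRootLogin no\nPasswordAuthentication no\nKbdInteractiveAuthentication no\n"
```

Note the commented-out `#PasswordAuthentication no` in the weak sample: it is ignored, so the default still applies, which is a common way for password logins to stay enabled unnoticed.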



The world of IT is changing quickly as more organizations host their data and files on the cloud. Linux, in particular, has emerged as the popular choice for cloud servers, even among Microsoft cloud computing services. Since Linux comprises nearly 90% of the cloud server market share, the majority of enterprises that host their data on the cloud are likely operating from a Linux server.

While the majority of security solutions are focused on detecting threats residing in Windows, particularly on Windows desktops, a greater emphasis needs to be placed on spreading awareness of Linux machines and threats. As defenders, we lack research and critical IOCs that can help us to better comprehend, detect and respond to Linux threats, more consistently, and on a greater scale.

As evidenced by the recent discoveries of HiddenWasp and QNAPCrypt, with improved visibility and detection rates we can expect to see new and advanced malware being created to target the Linux platform. However, we must also remember that Linux is an open-source ecosystem, where attackers will continue to reuse publicly available code to deploy new instances of malware. This is what makes indexing code seen in previous attacks so important for detecting future Linux threats.

By applying a genetic malware analysis approach, and adhering to the mitigation recommendations outlined in this blog, users of Linux-based systems — particularly organizations hosting their data on Linux cloud servers — can better protect themselves from the threats posed by this emerging landscape.


Additional Resources:

  • Webinar replay: For more info on the types of threats you might find in the Linux threat landscape, watch the recording of our webinar:
  • EvilGnome: Rare Malware Spying on Linux Desktop Users: Intezer researcher Paul Litvak recently identified a backdoor implant spying on Linux desktop users. This discovery is interesting in that Linux desktop makes up only about 2% of the total desktop market share. More notably, the toolset belongs to an alleged Russian APT, known as Gamaredon Group. EvilGnome uses functionalities rarely seen in Linux malware, such as taking desktop screenshots, stealing files, and capturing audio recordings from the user's microphone.
  • Detect Linux and Windows threats: Take advantage of the free Intezer Analyze community edition. Thousands of users leverage our community version to detect and classify advanced cyber threats. Sign up at:

