Botnet research helped describe new Linux backdoors


ESET researchers have identified 21 new families of malware operating in the Linux ecosystem. Every program on the list provides covert access to the affected machine and is able to steal sensitive data.
The discovery was incidental: the analysts were studying the Ebury (Windigo) botnet. This malware combines the functions of a backdoor, a keylogger and an SSH credential stealer. In its code the researchers found references to 40 different Trojans with a similar feature set. As it turned out, Ebury looked for traces of them on an infected machine so that, on finding one, it could appropriate the data collected by its competitors.
The researchers had to admit that the botnet's creators know the Linux malware landscape better than they do: more than half of the families on the list were unknown to the report's authors. At the same time, judging by the domains hosting the command-and-control servers, some of the Trojans have been active for several years.
The malware ranged from simple programs to more advanced ones. The researchers identified a number of traits common to all of them: no code obfuscation, storage of collected data in a local file, similar encryption methods, and removal of traces of malicious activity. Some of the spies can also send stolen information by email or over a direct connection to a remote server.
The analysts note that security professionals often focus too much on protecting Windows infrastructure and forget about threats to Linux. Meanwhile, with the growth of the Internet of Things, use of this OS has expanded considerably, and criminals make increasing use of it in their attacks. For example, the Mirai IoT botnet was built on Linux devices in 2016, and today its heirs already threaten high-performance server clusters.
The authors of the report did not specify how the described backdoors get onto a system. Experience from earlier, similar campaigns shows that their operators either brute-force passwords or exploit various vulnerabilities in Linux servers. Accordingly, the researchers recommend that administrators install software updates promptly, use multi-factor authentication, and log root access so that the attack vector can be determined quickly if an attack does occur.
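The two attack vectors named above (password brute-forcing and, after a successful guess, root access over SSH) are exactly what logged root access is meant to expose. The following is an added example, not code from the ESET report or from the article, showing how a practitioner might scan sshd authentication logs for a burst of failed logins from one address, a password acceptance that follows such a burst, and any accepted root login. The log lines, host name, addresses and the failure threshold are constructed for the example; the regular expression targets the standard OpenSSH "Accepted"/"Failed" message format.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (not taken from the article or any real host).
SAMPLE_LOG = """\
Jan 12 03:14:01 web1 sshd[2211]: Failed password for root from 198.51.100.23 port 51122 ssh2
Jan 12 03:14:03 web1 sshd[2211]: Failed password for root from 198.51.100.23 port 51122 ssh2
Jan 12 03:14:05 web1 sshd[2212]: Failed password for invalid user admin from 198.51.100.23 port 51130 ssh2
Jan 12 03:14:08 web1 sshd[2213]: Failed password for root from 198.51.100.23 port 51140 ssh2
Jan 12 03:14:10 web1 sshd[2214]: Failed password for root from 198.51.100.23 port 51142 ssh2
Jan 12 03:14:12 web1 sshd[2215]: Accepted password for root from 198.51.100.23 port 51150 ssh2
Jan 12 03:20:44 web1 sshd[2290]: Accepted publickey for deploy from 203.0.113.7 port 40012 ssh2: ED25519 SHA256:abc
Jan 12 03:25:00 web1 sshd[2301]: Failed password for invalid user test from 192.0.2.9 port 33000 ssh2
"""

# Matches the standard OpenSSH authentication result lines.
# "invalid user" is optional: sshd adds it when the account does not exist.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+(?P<host>\S+)\s+sshd\[\d+\]:\s+"
    r"(?P<result>Accepted|Failed)\s+(?P<method>\w+)\s+for\s+(?:invalid user\s+)?"
    r"(?P<user>\S+)\s+from\s+(?P<ip>[\d.]+)\s+port\s+\d+"
)


def parse(log_text):
    """Return a list of dicts (ts, host, result, method, user, ip) for every
    line that is an sshd authentication result; other lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def analyze(log_text, fail_threshold=3):
    """Scan the log in order and return (finding, ip, detail) tuples:
      brute_force          - fail_threshold failed logins from one address
      root_login           - any accepted login for root (the access that
                             should always be logged and reviewed)
      brute_force_success  - a password accepted from an address that had
                             already crossed the failure threshold
    """
    failures = defaultdict(int)  # source IP -> failed login count so far
    findings = []
    for e in parse(log_text):
        ip = e["ip"]
        if e["result"] == "Failed":
            failures[ip] += 1
            # Report once, at the moment the threshold is reached.
            if failures[ip] == fail_threshold:
                findings.append(("brute_force", ip, f"{fail_threshold} failed logins"))
        else:  # Accepted
            if e["user"] == "root":
                findings.append(("root_login", ip, f"root login via {e['method']}"))
            if e["method"] == "password" and failures[ip] >= fail_threshold:
                findings.append((
                    "brute_force_success", ip,
                    f"password accepted for {e['user']} after {failures[ip]} failures",
                ))
    return findings


if __name__ == "__main__":
    for kind, ip, detail in analyze(SAMPLE_LOG):
        print(f"{kind:20} {ip:16} {detail}")
```

On a real host the input would be /var/log/auth.log, /var/log/secure or the output of journalctl -u ssh, and the threshold would be tuned to the environment; the point of the example is that an accepted password login from an address that has just failed repeatedly, and any accepted root login at all, are the events to alert on first when reconstructing how a machine was entered.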
