Linux Worm Alert: Unprecedented Threat! 🚨🐧

Linux Devices Under Attack by Never-Before-Seen Worm: What You Need to Know

A new worm has been discovered that has been targeting Linux devices for a year. The previously unknown self-replicating malware installs cryptomining malware using unusual concealment methods. Researchers have identified the worm as a customized version of Mirai, the botnet malware that infects Linux-based servers, routers, web cameras, and other devices.

The worm has been infecting Linux devices worldwide, compromising them and attempting to crack the telnet password by guessing default and commonly used credential pairs. The worm is a dime-a-dozen malware with a twist, as it installs cryptomining malware using unusual concealment methods. This article will provide a brief overview of the new worm and answer frequently asked questions about the attack on Linux devices.

Key Takeaways

  • A new worm has been discovered that has been targeting Linux devices for a year.
  • The self-replicating malware installs cryptomining malware using unusual concealment methods.
  • The worm is a customized version of Mirai and has been infecting Linux devices worldwide.

Based on Mirai malware, self-replicating NoaBot installs cryptomining app on infected devices.

For over a year, a self-replicating malware has been attacking Linux devices worldwide and installing cryptomining malware that is designed to conceal its activities. Researchers have identified the worm as a customized version of Mirai, a botnet malware that infects Linux-based servers, routers, web cameras, and other Internet of Things devices. Mirai was first discovered in 2016 when it was used to launch distributed denial-of-service attacks that paralyzed key parts of the Internet. The creators of Mirai released the underlying source code, allowing cybercriminals worldwide to use it for their own attack campaigns. NoaBot, the customized version of Mirai, uses infected Linux devices as platforms to infect other vulnerable devices, making it a worm. Once infected, the malware installs cryptomining malware such as Xmrig, which mines Monero cryptocurrency.

Dime-a-dozen malware with a twist

In the past, botnets like Mirai have spread by scanning the internet for devices that accept Telnet connections and then attempting to crack the Telnet passwords by guessing default and commonly used credential pairs. Once successful, newly infected devices would target additional devices using the same technique. Mirai has primarily been used to wage DDoS attacks, which can be massive due to the large amounts of bandwidth available to many such devices.

However, a previously unknown Mirai-based botnet called NoaBot has been targeting Linux devices since at least last January, as revealed by researchers from network security and reliability firm Akamai. Instead of targeting weak Telnet passwords, NoaBot targets weak passwords protecting SSH connections. Moreover, the botnet installs cryptocurrency mining software, which allows the attackers to generate digital coins using victims' computing resources, electricity, and bandwidth. The cryptominer is a modified version of XMRig, a piece of legitimate open-source software being abused by the threat actor.

NoaBot has been monitored by Akamai for the past 12 months in a honeypot that mimics real Linux devices to track various attacks circulating in the wild. To date, attacks have originated from 849 distinct IP addresses, almost all of which are likely hosting a device that's already infected.

Although NoaBot isn't a very sophisticated campaign, it has a few twists and obfuscations that paint a vastly different picture of the threat actors' capabilities. One of its most advanced capabilities is how it installs the XMRig variant. Typically, when crypto miners are installed, the wallets that the mined funds are sent to are specified in configuration settings delivered on a command line issued to the infected device. This approach has long posed a risk to threat actors because it allows researchers to track where the wallets are hosted and how much money has flowed into them.

NoaBot uses a novel technique to prevent such detection. Instead of delivering the configuration settings through a command line, the botnet stores the settings in encrypted or obfuscated form and decrypts them only after XMRig is loaded into memory. The botnet then replaces the internal variable that normally would hold the command line configuration settings and passes control to the XMRig source code.

The XMRig open-source code can accept its configuration in one of two ways: via the command line or via environment variables. In NoaBot's case, the threat actors chose not to modify the original XMRig code and instead added code that runs before the main function. To avoid command-line arguments, which can serve as an indicator of compromise and alert defenders, they had the miner replace its own command line with more "meaningful" arguments before passing control to the XMRig code. The botnet runs the miner with (at most) one argument, which tells it to print its logs. Before replacing its command line, however, the miner has to build its configuration. First, it copies basic arguments that are stored in plaintext, such as the rig-id flag, which identifies the miner with three random letters, the threads flag, and a placeholder for the pool's IP address.

Next, the miner decrypts the pool's domain name. The domain name is stored, encrypted, in a few data blocks that are decrypted via XOR operations. Although XMRig can work with a domain name, the attackers decided to go the extra step and implemented their own DNS resolution function. They communicate directly with Google's DNS server (8.8.8.8) and parse its response to resolve the domain name to an IP address.

The last part of the configuration is also encrypted in a similar way, and it is the passkey for the miner to connect to the pool. All in all, the total configuration of the miner looks something like this:

    -o --rig-id --threads --pass espana*tea

Notice anything missing? Yep, no wallet address. The threat actors chose to run their own private pool instead of a public one, eliminating the need to specify a wallet. However, in the samples Akamai observed, the miner's domains were not resolving via Google's DNS, so the theory cannot be proven either way. No recent incident has dropped the miner, so it could also be that the threat actors decided to depart for greener pastures.
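Because NoaBot strips pool, wallet and password from the miner's visible command line, the usual "grep the argv for --pass or a wallet" check finds nothing. The following triage heuristic, an added example that is not Akamai's or the article's code, instead flags the two behaviours the page does describe: a CPU-heavy process with a near-empty argv that still holds an outbound TCP connection, and a non-resolver process talking to 8.8.8.8:53 directly. The process records are constructed sample data, and the `--log` argument and `.x` process name are placeholders, not observed indicators.

```python
from dataclasses import dataclass, field

GOOGLE_DNS = "8.8.8.8"      # resolver the miner queries directly (from the page)
CPU_THRESHOLD = 80.0        # sustained %CPU; tuning value chosen for this example
# Processes that legitimately send DNS queries upstream (assumption, extend per host).
RESOLVER_NAMES = {"systemd-resolve", "systemd-resolved", "dnsmasq", "unbound", "named"}

@dataclass
class Proc:
    pid: int
    comm: str                  # /proc/<pid>/comm
    argv: list                 # /proc/<pid>/cmdline split on NUL
    cpu: float                 # sustained %CPU (e.g. from ps -o pcpu, sampled over time)
    tcp_out: list = field(default_factory=list)   # (remote_ip, port) established peers
    udp_out: list = field(default_factory=list)   # (remote_ip, port) datagram peers

def suspicious(p: Proc) -> list:
    """Return the reasons (if any) this process matches the NoaBot miner pattern."""
    reasons = []
    # A miner normally announces pool, wallet and password in argv. NoaBot's
    # build wipes them, so a hot process with almost no arguments that is
    # nevertheless talking outbound is the inverse of the usual signature.
    if p.cpu >= CPU_THRESHOLD and len(p.argv) <= 2 and p.tcp_out:
        reasons.append("high CPU, argv nearly empty, yet outbound TCP")
    # Only the system resolver should be speaking to 8.8.8.8:53 itself; the
    # page says the miner bypasses the resolver and queries Google directly.
    if (GOOGLE_DNS, 53) in p.udp_out and p.comm not in RESOLVER_NAMES:
        reasons.append("direct DNS to 8.8.8.8 bypassing the resolver")
    return reasons

def triage(procs) -> dict:
    """Map pid -> reasons for every process that trips at least one heuristic."""
    return {p.pid: r for p in procs if (r := suspicious(p))}

# Constructed sample listing (not real telemetry). Only pid 4471 should be flagged.
SAMPLE = [
    Proc(1, "systemd", ["/sbin/init"], 0.1),
    Proc(412, "systemd-resolve", ["/lib/systemd/systemd-resolved"], 0.0,
         udp_out=[("8.8.8.8", 53)]),                       # legitimate upstream DNS
    Proc(903, "sshd", ["/usr/sbin/sshd", "-D"], 0.2,
         tcp_out=[("203.0.113.5", 50122)]),                 # low CPU, not a miner
    Proc(2310, "ffmpeg", ["ffmpeg", "-i", "in.mp4", "-c:v", "libx264", "out.mp4"], 97.0),
    Proc(4471, ".x", ["./.x", "--log"], 99.5,               # placeholder miner record
         tcp_out=[("198.51.100.23", 3333)], udp_out=[("8.8.8.8", 53)]),
]

if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE).items():
        print(pid, "; ".join(reasons))
```

On a live host the same fields come from /proc/<pid>/cmdline, a few samples of ps -o pcpu, and ss -tunp; treat hits as leads for a closer look, not as proof of infection.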

In conclusion, NoaBot is a Mirai variant with a twist. It targets weak passwords protecting SSH connections and installs cryptocurrency mining software instead of performing DDoS attacks. The botnet is not very sophisticated, but it has obfuscations and twists that paint a vastly different picture of the threat actors' capabilities. The most advanced capability of NoaBot is how it installs the XMRig variant, using a novel technique to prevent detection by storing the configuration settings in encrypted or obfuscated form.


Frequently Asked Questions

How to check for worm infection on a Linux device?

Users can check their Linux devices for the new worm infection by using a malware scanner such as ClamAV, which can detect and remove the worm from infected devices. Users can also use the ps command to check for any suspicious processes running on their device.

What are the signs of a worm attack on a Linux system?

The signs of a worm attack on a Linux system include slow system performance, high CPU usage, and unusual network activity. Users may also notice changes in system files, unauthorized access to files, and the creation of new user accounts.

What steps should be taken to protect Linux devices from worm attacks?

Users can protect their Linux devices from worm attacks by keeping their software up to date, using strong passwords, and disabling unnecessary services. Users should also avoid clicking on suspicious links or downloading files from unknown sources.

Are there specific Linux distributions that are more vulnerable to this worm?

While all Linux distributions are vulnerable to this new worm, older versions of the Linux kernel may be more susceptible to attack. Users should ensure that their Linux kernel is up to date to avoid vulnerabilities.

How does this new worm spread between Linux devices?

This new worm spreads between Linux devices by exploiting vulnerabilities in the SSH protocol and using brute force attacks to guess weak passwords. Once the worm infects a device, it can then spread to other devices on the same network.

What tools are available for removing the worm from infected Linux devices?

Users can use malware scanners such as ClamAV or Sophos to detect and remove the worm from infected Linux devices. Additionally, users can manually remove the worm by deleting any suspicious files and processes and changing their SSH passwords.
