A new threat to the Linux operating system could have 'incalculable' consequences.
A new virus targeting Linux systems, called "Linux/Shishiga", could become a major security threat.
On Tuesday, security company Eset disclosed the threat. It is a new Lua-based family, but it has nothing to do with the previously known LuaBot family.
In an online post, engineer Michal Malik and security company Eset said that Linux/Shishiga uses four different protocols (SSH, Telnet, HTTP and BitTorrent) and Lua scripts for its modules.
Cyphort senior director Nick Bilogorskiy said: "Lua is the programming language selected by the APT manufacturer."
According to what Cyphort discovered and told LinuxInsider, Lua was also used in Flame and EvilBunny.
Lua is a programming language characterized by its compactness and embeddability, which makes it an effective language for system programming. It supports procedural, object-oriented, functional and data-driven programming as well as data description.
Jacob Ansari, PCI Director at Schellman & Company, said: "Although this type of malware does not exploit any security holes, it refines some existing techniques that it 'borrowed' from other malicious software."
Ansari said: "Linux/Shishiga uses a series of modules in a scripting language called 'Lua', which gives it a more flexible design." It is very likely that variants of this code, with many other interesting capabilities, will spread because of this modular design.
So what does Linux/Shishiga do?
Linux/Shishiga targets GNU/Linux systems using a common infection method: brute-forcing logins with a built-in list of passwords. Brute-forcing means repeatedly attempting to log in to a particular login interface, typically with readily available password lists, until an attempt succeeds. Because it relies on brute force, the malware works through its password list, trying one password after another, in an effort to gain access to the system. This is the same approach used by the Linux/Moose malware, with the added ability to brute-force credentials.
For comparison, Linux/Moose is a malware family that primarily targets Linux-based routers, cable and DSL modems and other embedded computers. Once infected, compromised devices were used to steal unencrypted network traffic and to provide proxies for botnet operators.
Eset has found a number of Linux/Shishiga binaries for different architectures, including MIPS (both big-endian and little-endian), ARM (armv4l), i686 and PowerPC, all commonly used in IoT devices. Other architectures such as SPARC, SH-4 or m68k may also be supported.
Details about Shishiga
The Linux/Shishiga binaries are packed with UPX (Ultimate Packer for eXecutables) 3.91. The UPX tool may have trouble unpacking them because Shishiga appends extra data to the end of the compressed files. Once unpacked, the binary is statically linked against the Lua runtime library and stripped of symbols.
Malik and his colleagues noticed some minor changes between samples, such as parts of some modules being rewritten, test modules being added and backup files being removed. They also acknowledged that none of these changes are particularly remarkable.
Malik and his team also noted that the main function of the server.lua module is to create an HTTP server on the port defined in config.lua, which is port 8888. The server only responds to requests for /info and /upload.
"The combination of using a scripting language and linking it to the Lua interpreter library is very interesting," said Mounir Hahad, senior director at Cyphort's laboratory.
He told LinuxInsider: "This means the authors either chose Lua as a scripting language for ease of use, or took code from another malware family and adapted it for each architecture, specifically by statically linking to the Lua library."
How Linux/Shishiga differs
According to Malik and Eset's researchers, despite its striking resemblance to the LuaBot variants that spread over Telnet and SSH, Linux/Shishiga is different: it uses the BitTorrent protocol and Lua modules.
Hahad said: "Unlike the IoT malware Mirai, which is aimed at default credentials on IoT devices, this brute-force attack technique targets Linux computers protected by weak passwords."
He also pointed out: "Normally, Linux users are quite knowledgeable and will not use such passwords for their logins. Therefore, it is not certain whether this malware can spread widely."
Eset researchers have warned that the number of victims is currently low, but may increase in the future.
According to Ansari of Schellman & Company, this is likely to happen: the new malware exploits default or easy-to-guess passwords on Linux systems, usually via Telnet or SSH.
Staying safe
Vikram Kapoor, chief technology officer at Lacework, noted that most Linux machines run in data centers or are embedded in IoT devices, and Shishiga appears to have been created to target both.
Kapoor said IoT devices are easy to attack by brute force over SSH and Telnet because so many of them still have default passwords. Data centers are also lucrative targets, and if attackers successfully use Shishiga against a data center, businesses will have difficulty finding its traces unless they have solutions in place such as analysis of VM activity and of east-west traffic (traffic from server to server).
Malik and the Eset team advised that, to prevent your device from being infected by Shishiga and similar viruses, you should not use default Telnet and SSH credentials.
According to Ansari, fighting this malware requires changing administrator passwords, especially for forgotten accounts hidden in the corners of the system. Combating this kind of threat also calls for the broad defensive measures security practitioners have recommended many times: proactive remediation, careful review of logs, searching for suspicious files and processes, and rigorous response.
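The password brute-forcing described above and the log review Ansari recommends can be tied together in a simple detection. The following added example (not Eset's code or anything from the article) parses sshd-style auth log lines and flags a source with many failed password attempts followed by a successful login, which is the trace a successful dictionary attack leaves behind; the sample lines, IP addresses and the year assumed for the year-less syslog timestamps are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd syslog lines (not real logs): one source tries several passwords and gets in.
SAMPLE_LOG = """\
Apr 25 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.5 port 40111 ssh2
Apr 25 10:00:02 host sshd[1202]: Failed password for root from 203.0.113.5 port 40112 ssh2
Apr 25 10:00:03 host sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 40113 ssh2
Apr 25 10:00:04 host sshd[1204]: Failed password for invalid user pi from 203.0.113.5 port 40114 ssh2
Apr 25 10:00:05 host sshd[1205]: Failed password for root from 203.0.113.5 port 40115 ssh2
Apr 25 10:00:06 host sshd[1206]: Accepted password for root from 203.0.113.5 port 40116 ssh2
Apr 25 10:05:00 host sshd[1301]: Accepted publickey for alice from 198.51.100.7 port 51000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=10), year=2017):
    """Return {ip: report} for sources with >= threshold failed password logins inside
    `window`, noting any later successful login from the same source. `year` is assumed
    because syslog timestamps carry none."""
    failures, successes = defaultdict(list), defaultdict(list)  # ip -> [(time, user)]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated sshd line
        t = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        if m["result"] == "Failed" and m["method"] == "password":
            failures[m["ip"]].append((t, m["user"]))
        elif m["result"] == "Accepted":
            successes[m["ip"]].append((t, m["user"]))
    alerts = {}
    for ip, events in failures.items():
        events.sort()
        # Count failures that fall within `window` of the first one from this source.
        burst = [e for e in events if e[0] - events[0][0] <= window]
        if len(burst) >= threshold:
            last_fail = burst[-1][0]
            later = [u for t, u in successes[ip] if t >= last_fail]
            alerts[ip] = {
                "failures": len(burst),
                "users_tried": sorted({u for _, u in burst}),
                "login_after_failures": later[0] if later else None,
            }
    return alerts
```

Run against a real auth log, a non-empty `login_after_failures` is the entry worth investigating first, since it marks a weak password that was actually guessed.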