securitybreach Posted May 31, 2019

Interesting article

Overview

• Intezer has discovered a new, sophisticated malware that we have named “HiddenWasp”, targeting Linux systems.
• The malware is still active and has a zero-detection rate in all major anti-virus systems.
• Unlike common Linux malware, HiddenWasp is not focused on crypto-mining or DDoS activity. It is a trojan purely used for targeted remote control.
• Evidence shows in high probability that the malware is used in targeted attacks for victims who are already under the attacker’s control, or have gone through a heavy reconnaissance.
• HiddenWasp authors have adopted a large amount of code from various publicly available open-source malware, such as Mirai and the Azazel rootkit. In addition, there are some similarities between this malware and other Chinese malware families, however the attribution is made with low confidence.
• We have detailed our recommendations for preventing and responding to this threat.

1. Introduction

Although the Linux threat ecosystem is crowded with IoT DDoS botnets and crypto-mining malware, it is not very common to spot trojans or backdoors in the wild. Unlike Windows malware, Linux malware authors do not seem to invest too much effort writing their implants. In an open-source ecosystem there is a high ratio of publicly available code that can be copied and adapted by attackers. In addition, anti-virus solutions for Linux tend to not be as resilient as in other platforms. Therefore, threat actors targeting Linux systems are less concerned about implementing excessive evasion techniques since even when reusing extensive amounts of code, threats can relatively manage to stay under the radar. Nevertheless, malware with strong evasion techniques does exist for the Linux platform. There is also a high ratio of publicly available open-source malware that utilizes strong evasion techniques and can be easily adapted by attackers.

We believe this fact is alarming for the security community since many implants today have very low detection rates, making these threats difficult to detect and respond to. We have discovered further undetected Linux malware that appears to be enforcing advanced evasion techniques with the use of rootkits to leverage trojan-based implants. In this blog we will present a technical analysis of each of the different components that this new malware, HiddenWasp, is composed of. We will also highlight interesting code-reuse connections that we have observed to several open-source malware.

https://www.intezer.com/blog-hiddenwasp-malware-targeting-linux-systems/
V.T. Eric Layton Posted May 31, 2019

Interesting. I did a search for ld.so files in my /etc. I have two: ld.so and ld.so.cache. I could not find an ld.so.preload. Oh, my! I'm not at all sure what this means.

From the article:

2.3. Prevention and Response

In addition, in order to check if your system is infected, you can search for “ld.so” files — if any of the files do not contain the string ‘/etc/ld.so.preload’, your system may be compromised. This is because the trojan implant will attempt to patch instances of ld.so in order to enforce the LD_PRELOAD mechanism from arbitrary locations.
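The article's check is against the dynamic loader binary itself: glibc's ld.so (installed as ld-linux*.so* or ld-*.so under the library directories) carries the literal path /etc/ld.so.preload, so a loader from which that string is missing may have been patched to read its preload list from somewhere else. The following shell script is an added example, not code from the article or from any poster in this thread, that runs that check; the library directories and loader file-name patterns it searches are assumptions.

```shell
#!/bin/sh
# Added example: look for the hard-coded "/etc/ld.so.preload" path inside the
# glibc dynamic loader binaries. The loader is the file under test; the
# /etc/ld.so.preload file itself is normally absent on a clean system.

PRELOAD_PATH='/etc/ld.so.preload'

# Return 0 if FILE contains the expected preload path, 1 otherwise.
# grep -a treats the ELF binary as text; -F matches the path literally.
loader_has_preload_path() {
    grep -a -q -F "$PRELOAD_PATH" "$1"
}

# Print candidate loader files under the usual library directories
# (assumed locations; adjust for your distribution).
find_loaders() {
    for d in /lib /lib64 /lib32 /usr/lib /usr/lib64 /usr/lib32; do
        [ -d "$d" ] || continue
        find "$d" -maxdepth 2 -type f \
            \( -name 'ld-linux*' -o -name 'ld-*.so*' -o -name 'ld.so' \) \
            2>/dev/null
    done | sort -u
}

# Check the loaders given as arguments, or every discovered loader when
# none are given. Exit status is 0 only if all of them pass.
check_loaders() {
    rc=0
    if [ $# -eq 0 ]; then set -- $(find_loaders); fi
    for f in "$@"; do
        if loader_has_preload_path "$f"; then
            printf 'OK       %s\n' "$f"
        else
            printf 'SUSPECT  %s (missing %s)\n' "$f" "$PRELOAD_PATH"
            rc=1
        fi
    done
    return $rc
}

# Usage: run with no arguments to scan the system, or pass loader paths.
# check_loaders
```

A SUSPECT result is a reason to compare the file against the package manager's copy (for example with the distribution's package verification tool), not proof of infection on its own.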
securitybreach (Author) Posted May 31, 2019

That has to be a mistake as I searched seven installations including 4 different distros and none of them had ld.so.preload. Plenty of these but nothing else:

/etc/ld.so.cache
/etc/ld.so.conf
/etc/ld.so.conf.d
/etc/ld.so.conf.d/50-lib32-libva1.conf
/etc/ld.so.conf.d/50-libva1.conf
/etc/ld.so.conf.d/fakeroot.conf
/etc/ld.so.conf.d/lib32-glibc.conf
V.T. Eric Layton Posted June 1, 2019

I read somewhere today (can't remember where) that some of the more UNIX-like distros may not have the ld.so.preload because they don't function like the mainstream Linuxes. Wish I could find where I read that. It's a glibc related thing, I think.
Cluttermagnet Posted June 1, 2019 (edited)

OMG. Any remaining hunches as to 'security by obscurity' now endangered. As if I need any more stress in my life right now...

Nice link. Very impressive work. Trouble is, it reads basically as Greek to me. I doubt there is anything actionable for me here. This is way above my pay grade...

One question that comes up for me is wondering how one would acquire this nasty in the wild? Would you have to get suckered into clicking on a spear-phishing link? Or do they just sneak this past all your defenses? Including routers? I hear there is generalized advice to power down reset all your routers in the mainstream media lately...

I am reminded of the classic Charlie Chaplin skit where the waiter holding a tray laden with food keeps getting knocked over by some guy carrying a ladder. In the final hilarious scene, in Pavlovian conditioned response to merely *seeing* the guy with the ladder, the waiter tosses his tray of food in the air and throws himself to the floor, before even being struck by the ladder. So does it feel to me, a mere user. Vulnerable. Naked...

And frickin' Mozilla just disabled NoScript and Adblock Plus in my older copies of FF... Oh joy... I can't get 'em back because I refuse to upgrade these particular copies of FF because I will lose some extension functionality I am just not willing to give up... (Session Manager)

Clutter

Edited June 1, 2019 by Cluttermagnet
sunrat Posted June 1, 2019

@Clutter - you probably will never get touched by Linux malware as a normal user. The most likely way it could get in is by using an insecure old version of a browser! Firefox has come a long way since they deprecated the old extensions system. A lot of old extensions have been updated or new extensions have appeared to take over their functions.
securitybreach (Author) Posted June 1, 2019

Also, since this is Linux, it will be patched pretty soon anyway.
raymac46 Posted June 2, 2019

I've never been a fan of the "security by obscurity" hypothesis. There are a lot of Linux servers out there. What security Linux offers has to be through the difficulty any attacker would have to get root access on your system. This HiddenWasp stuff appears to infect systems that have already been compromised. It is scary that AV apps aren't finding it but that'll get fixed. I still believe that Linux is pretty safe - if you are sensible, don't allow root access to anything you don't understand, get your software from the repository.
securitybreach (Author) Posted June 2, 2019

Agreed
raymac46 Posted June 2, 2019

ESET has already added detection for HiddenWasp to their NOD32 AV.
securitybreach (Author) Posted June 2, 2019

Nice.
raymac46 Posted June 6, 2019

Pah! I installed ClamAV and ran a scan on my Linux system. Most of the "threats" were LibreOffice macros - a couple of Windows tracking cookies. ClamAV is OK to disinfect emails sent to Windows users I guess. If I really wanted to have effective Linux AV I'd buy ESET. But smart Linux use is still the best security.