Malware is becoming more and more sophisticated, and GNU/Linux is not entirely immune to these threats. In fact, more and more malicious code that affects this operating system is being detected. So do not make the mistake of thinking that it is an invulnerable system and that you are completely safe; that would be reckless ...
Cybersecurity threats are getting stranger and stranger, and now I'll show you one that has been a concern for a while and that you may not have known about. It is fileless malware, a type of malicious code that does not need files to infect a system. AT&T's Alien Labs security research center has raised the alert about it, and warns that cybercriminals are increasingly using it against Linux machines, although initially it was used on Windows.
What is fileless malware?
Unlike conventional malware, which relies on executable files to infect systems, fileless malware does not depend on such files for infection. It can therefore be a somewhat stealthier type of attack, one that targets trusted processes already loaded into RAM and abuses them to run malicious code.
This type of malware is commonly used to encrypt or exfiltrate confidential data and send it directly to the attacker remotely. Worse still, it leaves no traces on infected systems: everything runs in main memory, with no files on the hard drive for antimalware tools to detect. When the system is restarted or shut down, all the malicious code disappears, but the damage has already been done ...
Because of these characteristics it may be less persistent, but it can be quite dangerous on servers and other devices that are rarely shut down or rebooted, where it can run for long periods of time.
How does this malware work?
To infect a system, fileless malware performs several steps:
- The system is infected by exploiting some vulnerability or user error, whether through vulnerabilities in the software in use, phishing, etc.
- Once infected, the next step is to modify one of the processes currently running in memory. For that it uses a system call (syscall) such as ptrace() on Linux.
- Now the malicious code is inserted into RAM, without any need to write to the hard drive. This is achieved by exploiting a buffer overflow, overwriting memory locations adjacent to the manipulated process.
- The malicious code runs and compromises the system, whatever it is. In general, this kind of malware takes advantage of interpreters for languages such as Python, Perl, etc., to run, since it is written in those languages.
How to protect myself from malware?
The best advice is common sense. Of course, having proactive security systems, isolation, backups of critical data, etc., will help you keep threats from causing major damage. As for prevention, the same applies as for other threats:
- Update the operating system and installed software with the latest security patches.
- Uninstall applications/services that are not needed.
- Restrict privileges.
- Check system logs frequently and monitor network traffic.
- Use strong passwords.
- Don't download from unreliable sources.
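As an added example (not code from the original article or from AT&T Alien Labs), the following Python script turns the "check the system" advice above into a concrete triage check for the memory-only behaviour described in "How does this malware work?": it parses Linux /proc/<pid>/maps and reports executable regions that have no file on disk (anonymous mappings, memfd: or deleted backing files). The sample maps content is constructed, and the script assumes the standard Linux maps line format.

```python
import os
import re
# Constructed sample of /proc/<pid>/maps content (not a real capture): a normal
# on-disk binary, an anonymous executable region, a memfd-backed deleted file,
# and the kernel's own [stack]/[vdso] pseudo-mappings.
SAMPLE_MAPS = """\
55d5c2a00000-55d5c2a01000 r-xp 00000000 fd:01 1234 /usr/bin/sleep
7f1a00000000-7f1a00021000 r-xp 00000000 00:00 0
7f1a00100000-7f1a00200000 rw-p 00000000 00:00 0
7f1a00300000-7f1a00310000 r-xp 00000000 00:05 99 /memfd:payload (deleted)
7ffd12345000-7ffd12366000 rw-p 00000000 00:00 0 [stack]
7ffd123ff000-7ffd12401000 r-xp 00000000 00:00 0 [vdso]
"""
# Fields of a maps line: start-end perms offset dev inode [path]
MAPS_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+\S+\s+\S+\s+\d+\s*(.*)$")
# Kernel-provided pseudo-mappings are file-less by design, so not a signal.
KNOWN_PSEUDO = {"[stack]", "[vdso]", "[vvar]", "[heap]", "[vsyscall]"}

def suspicious_exec_regions(maps_text):
    """Return (start, end, path) for executable regions with no file on disk.
    JIT runtimes also create anonymous r-xp regions, so treat hits as leads."""
    hits = []
    for line in maps_text.splitlines():
        m = MAPS_RE.match(line)
        if not m or "x" not in m.group(3):
            continue
        path = m.group(4).strip()
        if path in KNOWN_PSEUDO:
            continue
        if path == "" or path.endswith("(deleted)") or path.startswith("/memfd:"):
            hits.append((int(m.group(1), 16), int(m.group(2), 16), path or "<anonymous>"))
    return hits

def scan_proc(proc_root="/proc"):
    """Scan every readable process; returns {pid: [hits]} (empty if no /proc)."""
    findings = {}
    for pid in os.listdir(proc_root) if os.path.isdir(proc_root) else []:
        if not pid.isdigit():
            continue
        try:
            with open(f"{proc_root}/{pid}/maps") as f:
                hits = suspicious_exec_regions(f.read())
        except OSError:
            continue  # process exited, or another user's maps (needs root)
        if hits:
            findings[int(pid)] = hits
    return findings

if __name__ == "__main__":
    for pid, hits in scan_proc().items():
        print(pid, [(f"{s:#x}-{e:#x}", p) for s, e, p in hits])
```

Run it as root to read every process's maps; a hit is a starting point for inspecting that process (its /proc/<pid>/exe link, open sockets and parent), not proof of infection on its own.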