Malware targeting Linux devices increased 35% in 2021

One of the big lies and myths that we hear and read very often is that "in Linux there are no viruses", "Linux is not a target for hackers" and other claims along the lines of "Linux is immune", which is totally false...

What could be called a half-truth is that Linux does not suffer the same volume of malware and attacks as other platforms. The reason is simple: Linux does not represent even 10% of all desktop computers, so it is basically not profitable (so to speak) for attackers to spend a large amount of time and effort on it.

However, that has not stopped the number of malware infections targeting Linux devices from continuing to rise: in 2021 the number increased by 35%, largely because IoT devices are increasingly being recruited for DDoS (distributed denial of service) attacks.

IoT devices are often low-power "smart" devices that run various Linux distributions and are limited to specific functionality. Nevertheless, when their resources are combined into large groups, they can launch massive DDoS attacks even against well-protected infrastructure.

In addition to DDoS, Linux IoT devices are recruited to mine cryptocurrency, facilitate spam campaigns, act as relays, act as command and control servers, or even act as entry points to data networks.

A report from Crowdstrike analyzing attack data from 2021 summarizes the following:

  • In 2021, there was a 35% increase in malware targeting Linux systems compared to 2020.
  • XorDDoS, Mirai, and Mozi were the most prevalent families, accounting for 22% of all malware attacks targeting Linux seen in 2021.
  • Mozi, in particular, saw explosive growth in the wild, with ten times as many samples circulating in the last year compared to the year before.
  • XorDDoS also saw a remarkable 123% year-over-year increase.

In addition, it provides a brief general description of the malware:

  • XorDDoS: a versatile Linux Trojan that works on multiple Linux architectures, from ARM (IoT) to x64 (servers). It uses XOR encryption for its C2 communications, hence its name. When attacking IoT devices, XorDDoS brute-forces vulnerable devices over SSH. On Linux servers it uses port 2375 (the unauthenticated Docker daemon API port) to gain passwordless root access to the host. A notable distribution campaign was observed in 2021, when a Chinese threat actor known as "Winnti" deployed it along with other spin-off botnets.
  • Mozi: a P2P (peer-to-peer) botnet that relies on the Distributed Hash Table (DHT) lookup system to hide its C2 communications from network traffic monitoring solutions. This botnet has been around for quite some time, continually adding new vulnerabilities to its arsenal and expanding its reach.
  • Mirai: a notorious botnet that has spawned many forks thanks to its publicly available source code, and that continues to plague the IoT world. The various derivatives implement different C2 communication protocols, but they all typically abuse weak credentials to break into devices.
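As an added example (not part of the article or the CrowdStrike report), the following Python script detects the SSH credential brute-forcing that XorDDoS and the Mirai forks described above rely on, by counting sshd "Failed password" lines per source IP inside a time window; the log lines are constructed, and the threshold and window are assumed values.

```python
"""Flag SSH brute-force sources in sshd log lines (added example, not from the article)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the "Failed password" lines sshd writes to auth.log / journald.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)

def parse_ts(text, year=2021):
    # auth.log timestamps carry no year; assume one so the window arithmetic works.
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def brute_force_sources(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: sorted usernames tried} for sources with >= threshold failures inside window."""
    events = defaultdict(list)  # ip -> [(timestamp, user), ...]
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            events[m["ip"]].append((parse_ts(m["ts"]), m["user"]))
    hits = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):          # sliding window over sorted failures
            while evs[end][0] - evs[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = sorted({u for _, u in evs})
                break
    return hits

# Constructed sample: one source hammering default IoT-style accounts, one legitimate typo.
SAMPLE_LOG = """\
Nov  3 10:01:02 gw sshd[812]: Failed password for root from 198.51.100.7 port 50122 ssh2
Nov  3 10:01:05 gw sshd[813]: Failed password for invalid user admin from 198.51.100.7 port 50130 ssh2
Nov  3 10:01:09 gw sshd[814]: Failed password for invalid user pi from 198.51.100.7 port 50141 ssh2
Nov  3 10:01:12 gw sshd[815]: Failed password for root from 198.51.100.7 port 50150 ssh2
Nov  3 10:01:15 gw sshd[816]: Failed password for invalid user support from 198.51.100.7 port 50162 ssh2
Nov  3 10:05:30 gw sshd[820]: Failed password for alice from 192.0.2.25 port 40001 ssh2
Nov  3 10:05:41 gw sshd[821]: Accepted password for alice from 192.0.2.25 port 40001 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, users in brute_force_sources(SAMPLE_LOG).items():
        print(f"{ip}: {len(users)} usernames tried -> {users}")
```

On a real host, feed it `journalctl -u ssh` or `/var/log/auth.log` output; a source that trips the threshold is a candidate for a firewall block and for checking whether any of the tried accounts still has a default password.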

Several notable Mirai variants were reported in 2021, such as "Dark Mirai," which focuses on home routers, and "Moobot," which targets cameras.

"Some of the most prevalent variants followed by CrowdStrike researchers involve Sora, IZIH9, and Rekai," CrowdStrike researcher Mihai Maganu explains in the report. "Compared to 2020, the number of samples identified for these three variants increased by 33%, 39%, and 83%, respectively, in 2021."

CrowdStrike's findings are not surprising, as they confirm a trend that had already emerged in previous years. For example, an Intezer report looking at 2020 statistics found that the number of Linux malware families grew 40% in 2020 compared to the previous year.

In the first six months of 2020, there was a hefty 500% increase in Golang malware, showing that malware writers are looking for ways to make their code work across multiple platforms.

This trend, and by extension the targeting of Linux, has already been confirmed by cases in early 2022 and is expected to continue unabated.

Source: https://www.crowdstrike.com/



  1.   Zentoles said

    the difference is that a zero day on linux is usually patched in less than a week (at most) and on Windows some are never resolved.
    The difference is that Linux's architecture and permissions system make it much more difficult to get elevated permissions from a user account...
    And the difference is that most of this work is done by open source volunteers and not by large corporations that create proprietary code to hide from us what is happening underneath. Open source is easily auditable.
    But hey, you're right about one thing, if your users increase, the resources to attack them and explore vulnerabilities will increase if you can get economic returns with it.
    So it's good news that Linux malware is on the rise. :)

    1.    Nasher_87 (ARG) said

      And in IoT it will be 100% the fault of the manufacturer: the patch for many Xiaomi routers that use OpenWRT was released 2 days after they were infected by Mirai, and Xiaomi updated every week. Many others like TP-Link that also use OpenWRT were never updated.
      To this day there are washing machines infected by Mirai that are not updated, even though all it would take is a patch that they have to release.
      The same happened with HP servers: they never patched Java, and it was a vulnerability that had been covered 2 years earlier.