Symbiote, a new, dangerous and stealthy virus that affects Linux


Just yesterday we published an article reporting that 7 vulnerabilities had been fixed in GRUB on Linux. Either we are not used to it or we are simply wrong: of course there are security flaws and viruses on Linux, just as there are on Windows, macOS and even iOS/iPadOS, the most closed systems in existence. The perfect system does not exist, and although some are more secure than others, part of our security comes from using an operating system with a small market share. But small is not zero, and malicious developers like the ones who created Symbiote know it.

It was BlackBerry who sounded the alarm last Thursday, although its explanation of the threat's name does not start very well. It says that a symbiont is an organism that lives in symbiosis with another organism. So far so good. What is less convincing is the claim that a symbiont can sometimes be parasitic, benefiting from and harming the other. No: it is one or the other. If both benefit, like the shark and the remora, it is a symbiosis; if the remora harmed the shark, it would automatically become a parasite. But this is not a biology class or a marine documentary.

Symbiote infects other processes to cause damage

Given the above, Symbiote can only be a parasite. Its name must come, perhaps, from the fact that we do not notice its presence. We could be using an infected computer without realising it, but if we do not notice it and it is stealing data from us, it is harming us, so there is no possible "symbiosis". BlackBerry explains:

What makes Symbiote different from other Linux malware that we usually encounter is that it needs to infect other running processes in order to inflict damage on infected machines. Rather than being a stand-alone executable file that is run to infect a machine, it is a shared object (SO) library that loads itself into all running processes using LD_PRELOAD (T1574.006), and parasitically infects the machine. Once it has infected all running processes, it provides the threat actor with rootkit functionality, the ability to collect credentials, and remote access capability.

It was detected in November 2021

BlackBerry first spotted Symbiote in November 2021, and its target appears to be the financial sector in Latin America. Once it has infected a computer, it hides itself and any other malware used by the threat actor, making infections very difficult to detect. All of its activity is hidden, including network activity, so it is almost impossible to know it is there. But the worst part is not that it is present: it is that it provides a backdoor that lets the attacker log in as any user registered on the computer using a strongly encrypted password, and execute commands with the highest privileges.

It is known to exist, but it has infected very few computers, and no evidence has been found of either highly targeted or broad attacks. Symbiote uses the Berkeley Packet Filter (BPF) to hide the infected computer's malicious traffic:

When an administrator starts any packet capture tool on the infected machine, BPF bytecode is injected into the kernel that defines which packets should be captured. In this process, Symbiote first adds its bytecode so that it can filter network traffic that it doesn't want packet capture software to see.

Symbiote hides like the best Gorgonite (Small Soldiers)

Symbiote is designed to be loaded by the linker via LD_PRELOAD. This lets it load before any other shared object, and being loaded earlier, it can hijack imports from the other libraries the application loads. Symbiote uses this to hide its presence by hooking into libc and libpcap. If the calling application tries to access a file or folder within /proc, the malware removes the process names on its list from the output. If the access is not inside /proc, it removes the entries on its list from the file listing instead.
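A hook of this kind filters what libc returns, not what the kernel returns, and that asymmetry is a practical detection check. The following program is an added example (not code from the article or from BlackBerry) that assumes a Linux host with glibc and a mounted /proc: it lists the PID directories in /proc once through libc's readdir() and once through the raw getdents64 syscall, and reports PIDs that only the syscall sees.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#define MAX_PIDS 65536
/* Record layout returned by the Linux getdents64 syscall. */
struct linux_dirent64 { unsigned long long d_ino; long long d_off;
                        unsigned short d_reclen; unsigned char d_type; char d_name[]; };
/* Sets seen[pid] when name is purely numeric ("self", "sys", ... are skipped). */
static void mark_pid(const char *name, unsigned char *seen) {
    char *end; long pid = strtol(name, &end, 10);
    if (*end == '\0' && pid > 0 && pid < MAX_PIDS) seen[pid] = 1;
}
/* Listing through libc readdir(): the path an LD_PRELOAD hook can filter. */
static int scan_with_readdir(unsigned char *seen) {
    DIR *d = opendir("/proc");
    if (!d) return -1;
    for (struct dirent *e; (e = readdir(d)) != NULL;) mark_pid(e->d_name, seen);
    closedir(d);
    return 0;
}
/* Same listing through the raw syscall, which a hooked readdir() never sees. */
static int scan_with_getdents(unsigned char *seen) {
    int fd = open("/proc", O_RDONLY | O_DIRECTORY);
    if (fd < 0) return -1;
    char buf[32768];
    long n;
    while ((n = syscall(SYS_getdents64, fd, buf, sizeof buf)) > 0)
        for (long off = 0; off < n;) {
            struct linux_dirent64 *e = (struct linux_dirent64 *)(buf + off);
            mark_pid(e->d_name, seen);
            off += e->d_reclen;
        }
    close(fd);
    return n < 0 ? -1 : 0;
}
/* Number of PIDs the syscall reports but both readdir() passes miss: 0 on a
 * clean host, -1 if /proc is unreadable. The second readdir() pass discards
 * processes that merely started while the comparison was running. */
int count_hidden_pids(void) {
    static unsigned char before[MAX_PIDS], after[MAX_PIDS], raw[MAX_PIDS];
    memset(before, 0, MAX_PIDS); memset(after, 0, MAX_PIDS); memset(raw, 0, MAX_PIDS);
    if (scan_with_readdir(before) || scan_with_getdents(raw) || scan_with_readdir(after)) return -1;
    int hidden = 0;
    for (int p = 1; p < MAX_PIDS; p++) if (raw[p] && !before[p] && !after[p]) hidden++;
    return hidden;
}
```

A non-zero count means something between the kernel and the application is filtering /proc, which is exactly the behaviour described above; the same comparison applies to any other directory the hook is expected to filter.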

BlackBerry ends its article saying that we are dealing with a very elusive piece of malware. Its goal is to steal credentials and provide a backdoor into infected computers. It is very hard to detect, so all we can hope for is that patches are released as soon as possible. It is not known to have been used much, but it is dangerous. From here, as always, remember how important it is to apply security patches as soon as they are available.

ja said:

And you need to grant it root permissions beforehand to be able to install it, right?