IoT Fuels Growth of Linux Malware

Malware targeting Linux systems is growing, largely due to a proliferation of devices created to connect to the Internet of Things.

That is one of the findings in a report WatchGuard Technologies, a maker of network security appliances, released last week.

The report, which analyzes data gathered from more than 26,000 appliances worldwide, found three Linux malware programs in the top 10 for the first quarter of the year, compared with only one during the previous period.

Linux attacks and malware are on the rise,” wrote WatchGuard CTO Corey Nachreiner and Security Threat Analyst Marc Laliberte, coauthors of the report. “We believe this is because systemic weaknesses in IoT devices, paired with their rapid growth, are steering botnet authors towards the Linux platform.”

However, “blocking inbound Telnet and SSH, along with using complex administrative passwords, can prevent the vast majority of potential attacks,” they suggested.

New Avenue for Hackers

Linux malware began growing at the end of last year with the Mirai botnet, observed Laliberte. Mirai made a splash in September when it was used to attack part of the Internet’s infrastructure and knock millions of users offline.

“Now, with IoT devices skyrocketing, a whole new avenue is opening up to attackers,” he told LinuxInsider. “It’s our belief that the rise we’re seeing in Linux malware is going hand in hand with that new target on the Internet.”

Makers of IoT devices haven’t been showing a great deal of concern about security, Laliberte continued. Their goals are to make their devices work, make them cheap, and make them quickly.

“They really don’t care about security during the development process,” he said.

Trivial Pursuits

Most IoT manufacturers use stripped-down versions of Linux because the operating system requires minimal system resources to operate, said Paul Fletcher, cybersecurity evangelist at Alert Logic.

“When you combine that with the large quantity of IoT devices being connected to the Internet, that equals a large volume of Linux systems online and available for attack,” he told LinuxInsider.

In their desire to make their devices easy to use, manufacturers use protocols that are also user-friendly for hackers.

“Attackers can gain access to these vulnerable interfaces, then upload and execute the malicious code of their choice,” Fletcher said.

Manufacturers frequently have poor default settings for their devices, he pointed out.

“Often, admin accounts have blank passwords or easy-to-guess default passwords, such as ‘password123,'” Fletcher said.

The security problems often are “nothing Linux-specific per se,” said Johannes B. Ullrich, chief research officer at the SANS Institute.

“The manufacturer is careless on how they configured the device, so they make it trivial to exploit these devices,” he told LinuxInsider.

Malware in Top 10

These Linux malware programs cracked the top 10 in WatchGuard’s tally for the first quarter:

  • Linux/Exploit, which catches several malicious trojans used to scan systems for devices that can be enlisted into a botnet.
  • Linux/Downloader, which catches malevolent Linux shell scripts. Linux runs on many different architectures, such as ARM, MIPS, and traditional x86 chipsets. An executable compiled for one architecture will not run on a device running a different one, the report explains. Thus, some Linux attacks exploit dropper shell scripts to download and install the proper malicious components for the architecture they are infecting.
  • Linux/Flooder, which catches Linux distributed-denial-of-service tools, such as Tsunami, used to perform DDoS amplification attacks, as well as DDoS tools used by Linux botnets like Mirai.”As the Mirai botnet showed us, Linux-based IoT devices are a prime target for botnet armies,” the report notes.

Web Server Battleground

A shift in how adversaries are attacking the Web has occurred, the WatchGuard report notes.

At the end of 2016, 73 percent of Web attacks targeted clients — browsers and supporting software, the company found. That radically changed during the first three months of this year, with 82 percent of Web attacks focused on Web servers or Web-based services.

“We don’t think drive-by download style attacks will go away, but it appears attackers have focused their efforts and tools on trying to exploit Web server attacks,” report coauthors Nachreiner and Laliberte wrote.

There’s been a decline in the effectiveness of antivirus software since the end of 2016, they also found.

“For the second quarter in a row, we have seen our legacy AV solution miss a lot of malware that our more advanced solution can catch. In fact, it has gone up from 30 percent to 38 percent,” Nachreiner and Laliberte reported.

“Nowadays, cybercriminals use many subtle tricks to repack their malware so that it evades signature-based detection,” they noted. “This is why so many networks that use basic AV become victims of threats like ransomware.”

John P. Mello Jr.

John P. Mello Jr. has been an ECT News Network reporter since 2003. His areas of focus include cybersecurity, IT issues, privacy, e-commerce, social media, artificial intelligence, big data and consumer electronics. He has written and edited for numerous publications, including the Boston Business Journal, the Boston Phoenix, Megapixel.Net and Government Security News. Email John.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by John P. Mello Jr.
More in Software

LinuxInsider Channels