A new strain of malware targeting Linux systems, dubbed “Linux/Shishiga,” could morph into a dangerous security threat.
Eset on Tuesday disclosed the threat, which represents a new Lua family unrelated to previously seen LuaBot malware.
Linux/Shishiga uses four different protocols — SSH, Telnet, HTTP and BitTorrent — and Lua scripts for modularity, wrote Detection Engineer Michal Malik and the Eset research team in an online post.
“Lua is a language of choice of APT makers,” noted Nick Bilogorskiy, senior director of threat operations at Cyphort.
It has been used for Flame and, as Cyphort discovered, EvilBunny, he told LinuxInsider.
Lua is a programming language characterized by its lightweight, embeddable nature, which makes it an efficient scripting language. It supports procedural programming, object-oriented programming, functional programming, data-driven programming and data description.
“While this new strain of malware doesn’t break any new ground in terms of exploits, it refines some existing techniques it borrowed from other strains of malware,” observed Jacob Ansari, PCI/payments director at Schellman & Company.
Linux/Shishiga “uses a series of modules in a scripting language called ‘Lua,’ which gives it a more flexible design,” he told LinuxInsider.
Because of its modular design, it’s likely that variants of this code with a lot of interesting capabilities will circulate, Ansari warned.
What It Does
Linux/Shishiga targets GNU/Linux systems using a common infection vector based on brute-forcing weak credentials on a built-in password list. The malware uses the list to try a variety of different passwords in an effort to gain access. This is a similar approach used by Linux/Moose, with the added capability of brute-forcing SSH credentials.
By comparison, Linux/Moose is a malware family that primarily targets Linux-based consumer routers, cable and DSL modems, and other embedded computers. Once infected, the compromised devices are used to steal unencrypted network traffic and offer proxying services for the botnet operator.
Eset found several binaries of Linux/Shishiga for various architectures, including MIPS (both big- and little-endian), ARM (armv4l), i686, and PowerPC, which are commonly used in IoT devices, Malik and the Eset research team noted. Other architectures, like SPARC, SH-4 or m68k, also could be supported.
Linux/Shishiga is a binary packed with UPX (ultimate packer for executables) 3.91. The UPX tool potentially has trouble unpacking it because Shishiga adds data at the end of the packed file. After unpacking, it is linked statically with the Lua runtime library and stripped of all symbols.
There have been some minor changes over the past few weeks, Malik et al observed. For example, parts of some modules were rewritten, other testing modules were added, and redundant files were removed.
None of those modifications were especially noteworthy, though, they acknowledged.
The server.lua module’s main functionality is to create an HTTP server with the port defined in config.lua as port 8888, Malik and the team noted. The server responds only to /info and /upload requests.
The combination of using Lua scripting language and linking it statically with the Lua interpreter library, is interesting, suggested Mounir Hahad, senior director at Cyphort Labs.
“This means the authors either chose Lua as a scripting language for its ease of use,” he told LinuxInsider, “or inherited the code from another malware family, then decided to tailor it for each targeted architecture by linking statically the Lua library.”
Despite a striking similarity to LuaBot instances that spread through weak Telnet and SSH credentials, Linux/Shishiga is different, according to Malik and the Eset researchers. It uses the BitTorrent protocol and Lua modules.
Shishiga still might evolve and become more widespread, they said. The low number of victims so far — as well as the constant adding, removing and modifying of components, code comments and even debug information — clearly indicate that it is a work in progress.
“Unlike the IoT malware Mirai, which targeted default credentials on IoT devices, this brute force attempt to compromise Linux computers is targeting weak passwords people would have chosen,” said Hahad.
Typically, Linux users are fairly savvy and would not use such passwords in the first place, he pointed out. “Therefore, it is unlikely that we’ll see a large spread of this malware in its current state.”
Still, Eset researchers have cautioned that the number of victims, which is now low, could increase.
That could happen, said Schellman & Company’s Ansari. This new malware exploits default or easily guessed passwords for Linux systems, typically over telnet or SSH.
“Future variants could contain modules that attempt other means of entry or just expand on this with more password attempts — or both,” he said.
Most Linux machines either are running in data centers or embedded in IoT devices, noted Vikram Kapoor, chief technology officer at Lacework.
Shishiga looks like it is targeted toward data centers or IoT devices, he told LinuxInsider.
“IoT devices are especially vulnerable to brute force password attacks over SSH/Telnet since many have default passwords,” Kapoor said. “Also, data centers hold crown jewel targets, and if attackers use Shishiga successfully against a data center, enterprises will have a difficult time finding their traces unless they have some solution that analyzes inside the VM activity, and east-west traffic.”
To prevent your devices from being infected by Shishiga and similar worms, you should not use default Telnet and SSH credentials, suggested Malik and the Eset research team.
Countering this exact piece of malware requires changing the administrator passwords, particularly for forgotten users hiding in the corners on forgotten systems, according to Ansari.”Defending against this category of threat requires the kind of defense in depth that security people have been talking about for a long time: aggressive patching, carefully reviewing log data, looking for suspicious files or processes, and rigorously tested incident response.”