Mar 21, 2019

When a Malware attacks a Linux System....


It is now a fact  that Linux is quietly taking over the world as a trusted and easy to use Operating Systems.  Its being used widely both in  a Server and a desktop environment.  As gaining popularity has its advantages and disadvantages.  When we talk of disadvantages  in any OS, it is about any vulnerability that can be exploited or loop holes that can be hacked. And then we see different methods to hack these vulnerabilities.  The Malwares! Nowadays, the most common  malwares attacking the LINUX OS are  the Trojans, Bitcoin Miners. They have become an headache for a Linux system administrator.

When a Trojan / Bitcoin miner  attacks a linux system, it starts increasing the CPU utilization and generates heavy network traffic.  The strength of these processes are its  capability  to regenerate with different names. These malware initiates entry via network services mostly via any web services running on the system.

Some common methods used by Malware:
1) creates a cron job in /etc/cron.d/ or /etc/cron.hourly. Adds an entry in /etc/crontab
2) Starts creating services in /etc/init.d/ and then creates starting of the services at various system run levels i.e in /etc/rc.*.d
3) Some adds a file in /lib/libudev.so . This is a 32 bit file also found in a 64 bit machine.

4) Some malware executes behind another binary
5) Some randomly generated binaries found in /bin and /usr/bin

Mitigation Strategies: In Linux,  with great easiness such malwares can be handled. Commands that can be used to analyse and take necessary actions:  
1) When a server utilization is very high without reason, the first command to use is TOP. 
           #top -H -c
            -H  shall display all individual threads
            -c   shall display the command line process
Check for the process that uses the highest cpu utilization.

2) Check for any unusual suspected cronjobs in /etc/cron.d/  and or /etc/cron.hourly. Check any entry  in /etc/crontab.
3) Any binaries in /bin and /usr/bin.
4)  Check for any internet network traffic, connecting to any C&C servers or any  other blacklisted ip's.  Check with the below command:
          
            #netstat -tunpl

           #lsof -i
   This will show files connecting the internet.

Lastly but not the least, there could be many other ways to detect and be in action against malwares.