New Malware Found Lurking In 64-Bit Linux Installs

syn3rg shares a report from ZDNet: A Linux backdoor recently discovered by researchers has avoided VirusTotal detection since 2018. Dubbed RotaJakiro, the Linux malware has been described by the Qihoo 360 Netlab team as a backdoor targeting Linux 64-bit systems. RotaJakiro was first detected on March 25 when a Netlab distributed denial-of-service (DDoS) botnet C2 command tracking system, BotMon, flagged a suspicious file.

At the time of discovery, there were no malware detections on VirusTotal for the file, despite four samples having been uploaded -- two in 2018, one in 2020, and another in 2021. Netlab researchers say the Linux malware changes its use of encryption to fly under the radar, including ZLIB compression and combinations of AES, XOR, and key rotation during its activities, such as the obfuscation of command-and-control (C2) server communication. At present, the team says that they do not know the malware's "true purpose" beyond a focus on compromising Linux systems.

There are 12 functions in total including exfiltrating and stealing data, file and plugin management -- including query/download/delete -- and reporting device information. However, the team cites a "lack of visibility" into the plugins that is preventing a more thorough examination of the malware's overall capabilities. In addition, RotaJakiro will treat root and non-root users on compromised systems differently and will change its persistence methods depending on which accounts exist.

Detection?

[Anonymous Coward]

It'd be nice if they provided some hints as toward detection:

ps aux | grep gvfsd-helper

Seems they named it similarly to a common set of programs.

Re:

[kwalker]

Why would they want to do that? You won't be as likely to panic and buy their "virus scanner" if you can more easily kill and remove the malware.

BTW, disguising malware as common program names is an OLD trick. I worked at a large hosting provider about a decade ago and I found two to six trojans per day masquerading as things we never installed on our servers, or system utilities running from non-system directories.

Re:

[lsllll]

encryption to fly under the radar, including ZLIB compression and combinations of AES, XOR, and key rotation during its activities

If it's doing all that, having a few copies of it around on the system can't be that hard. Cut a limb and it grows back.

Re: Detection?

[BAReFO0t]

Polymorphic viruses also are *ancient*.

Using full AES and such for that almost feels silly, because back then, that would get the virus caught quickly due to its high resource usage.

I wonder when the first gigabyte-sized malware will emerge...

Re: Detection?

[The123king]

Insert sarcastic reply referring to Windows

Re:

[aitikin]

I laughed entirely too hard at that...

Re:

[theshowmecanuck]

You don't need them. Linux never gets viruses or malware.

Re: Detection?

[BAReFO0t]

You don't need them, period.

You think the virus author will just ignore this news?
No. You can probably count the time until he released an updated version that isn't detected by anything mentioned here in hours.
A skilled virus writer usually already has an improved version lying around.

Malware detections software by definition only detects abandonware, and never the malware that the author still actively cares about. It is security theater, and its only job is to keep the malware author on his toes and take out his thrash.

Proper malware prevention is done by fixing bugs and learning from the lessons of those who came before us. Plus behavior-based rule-based acess control as a kind of security unit testing / API firewall.
And there never is a 100% guarantee. Not for Linux either.
That doesn't mean you need any malware "detection" software.

Re:

[Hognoxious]

Never heard of systemd?

Re:

[theshowmecanuck]

Yeah that is a bit of a dog's arsehole isn't it. That ship has sailed unfortunately.

Re:Detection?

[fph il quozientatore]

PSA for linux noobs: that command line will always provide *one* match, the grep instance that you just launched. If you find *more than one*, then you're (likely) infected.

Re:

[Anonymous Coward]

No need for all that boilerplate. Simply:

pgrep somecrap

Or pgrep or "[something]"

[raymorris]

The pgrep command is specifically for this purpose.
It replaces ps, grep, grep -v and is more reliable.

Alternatively:

ps | grep "[s]omething"

The brackets make it not match itself.

Re:

[Anonymous Coward]

You must not work in tech. Durrr

Re:

[quonset]

noun - person, place or thing

You are done installing (verb) the software so now it is an install (noun).

Re:

[NateFromMich]

noun - person, place or thing

You are done installing (verb) the software so now it is an install (noun).

Installation. It's an installation.

Re:

[iggymanz]

Yes it is, when used that way. Language is defined by use and users, pedant.

Re:

[ISayWeOnlyToBePolite]

Not when it's gender! Language is defined by he HR people who majored in the trendy post-modern politics of victimization known as "Critical Theory", who demand that the "I am a victim, see how powerless I am!" speak from their safe space to demand genderqueer, pan-gender, furry, and elkin.

"The question is,' said Humpty Dumpty, 'which is to be master — that's all."
A child could teach you this.

Re:

[iggymanz]

oh but that's not English, that's the language family that includes woke-speak and SJW virtue signalling twatish. The name of the branch I think has to do with what they identify as this week.

Re: Install is not an noun.

[Anonymouse Cowtard]

It is when you're counting the number of installs

Re:

[bill_mcgonigle]

It's a contraction of "installations" which has been used in tech for half a century at least. Old telco guys would use the term frequently.

Re:

[beanpott]

Looking forward to the next instalment.

Re:

[hcs_$reboot]

Install is not a noun.

It was not in 1975. Are you still using Multics?

Re:

[beanpott]

The joys of a living language.

Re: Install is not an noun.

[BAReFO0t]

The one and ONLY rule for determining if something is a word:

Is it understood by the reader/listener and writer/speaker to mean the same thing?

If yes, ... then it is a word! Period.

So you can quit your snobist meme parroting now. Your attempt to make yourself look and feel superior... failed.

I'm safe; not worried

[Anonymous Coward]

Win10 user here, unaffected and business as usual.

Re:

[ebvwfbw]

The BSD fan club again. Do we need to port some old Linux hacks to BSD to prove the point again? You're not more secure. Far from it. BSD doesn't even have mandatory access control. Hardly any advancement from the 1990s.

Re:I'm safe; not worried

[hcs_$reboot]

Out of curiosity, how much did you pay during your last ransomware attack?

Re:

[Coren22]

$0, I have never been hit by one.

Re:

[4wdloop]

WSL..WSL...WSL...

Told you...

[dknj]

...systemd was a virus

Re:

[hcs_$reboot]

"was"? How did you escape it??

Re:

[Mononymous]

FreeBSD, of course!

Re:

[laktech]

me too!

Re:

[ebvwfbw]

Sounds like we need to port some old Linux hacks to BSD again to prove the point BSD is not more secure. I guess it's been about 15 years since we did that last time and proved just how insecure BSD is. Remember that? LOL

Re:

[retiredJan]

Slackware.

Re:

[_0x0nyadesu]

Gentoo

Re:

[DaveV1.0]

Devuan [devuan.org]

Re: Told you...

[ganjubas]

Absolutely, Devuan! Run most of my non-job related stuff on devuan and itâ(TM)s smooth

Re:

[lsllll]

It's not the kernel. It's the installation. I do wonder how many eyes are on the installation code for each distribution.

Re:

[lsllll]

Actually, I don't know why I thought it was installed during the installation process. Either way, the "how many eyes" may not apply. We don't know how the systems were infected and the prevalence here.

Re:

[clickclickdrone]

Does the source matter?

Is that you, Luke?

Which ones?

[quonset]

There are 100 different versions of Linux. Are they all compromised? If only some, which ones?

Re:

[hcs_$reboot]

Are our systems compromised? How to detect it? All the obvious questions that won't have answers in TFA

Re:Which ones?

[bill_mcgonigle]

> Are our systems compromised? How to detect it? All the obvious questions that won't have answers in TFA

What are you on about?

1. Read the blog post. It's quite the fancy malware.
2. Scan your backup server for the known filenames.
3. Compare the hashes if you have any filename matches.

Re:Which ones?

[hcs_$reboot]

As said in a blog comment

Anyone can write an executable to do nefarious things, but what is the entry path onto the system? What compromise is used to install it? Who uses that packages and has it misconfigured to allow this executable to be installed? Without this key information, this admittedly excellent analysis of the payload is useless.

Re: Which ones?

[BAReFO0t]

I'm gonna tell my grandma she can write software, now.
Boy is she gonna be surprised! :D

Re:

[hcs_$reboot]

I'm gonna tell my grandma she can write software, now.

I'm pretty sure she make nefarious things (against her will ;)

Re:

[CODiNE]

That's what the forensics and IR guys figure out next.

Slashdot effect, cam't load blog post.

[Larsen E Whipsnade]

Here is where TFA could really do a better job.

Could someone please curt-and-paste here at earliest opportunity?

Re:

[dowhileor]

Time to define browser support as NOT meaning ad support, 3rd party app support, stateless support,.... AT least until the distribution adds those features thermselves? And treat a browser more like a terminal?

Good thing they say "64-bit linux"

[RightSaidFred99]

That really narrows it down and lets you know you only need to check if you run 64-bit linux. The 5 people running 32-bit linux are laughing at all those whippersnappers and their fancy extra 32-bits.

64-bit ARM or 64-bit x86

[johnjones]

64bit ARM is pretty popular being Android Phones and more of an issue

32-bit has other advantages

[couchslug]

When I migrated my Ubuntu install from A31 to T61 the 32-bit RAM limit ensured Firefox would not hang my machine.

Re:

[hcs_$reboot]

The 5 people running 32-bit linux

You mean the 5 millions? Running Linux embedded in routers etc...

*Shakes fist*

[The Evil Atheist]

University of Minnesota!!!!

Re:

[ebvwfbw]

University of Minnesota!!!!

No kidding man. They could end up being blamed for a lot of things.

Linux FUD from the Microsoft ZDNET

[takionya]

Linux FUD from the Microsoft ZDNET and repeated on the Microsoft slashdot.

Any clue how this malware installs onto the Linux systems. Apart from someone downloading it from VirusTotal?

Re:

[Merk42]

Lol. yeah of course it Must be evil M$ fault. Couldn't actually be a flaw in your beloved OS, no, everything you like is perfect.

Re:Linux FUD from the Microsoft ZDNET

[fuzznutz]

Unless someone identifies an injection vector, it can be assumed to be a trojanized install by a privileged user. Ask a grownup to explain that to you.

Re:

[Merk42]

Yes, the privileged user being M$! Anything bad for Linux is solely their fault!

The lack of detection here is the real scandal.

[Myself]

So what happens to files submitted to VirusTotal, then? I thought they were made available to AV researchers.

These files were submitted several times over the years. Are you telling me everyone who ever checked it out, failed to find its behavior suspicious?

Or were they told/paid to keep it off the detection list?

Hides in systemd

[gweihir]

Not a surprise. Systemd is a complex mess that nobody really understands (I strongly suspect that includes its developers) and hence cannot really analyze. "init" is just 53k (Debian), you basically cannot hide anything in there without blowing it up massively.

But systemd? That is an 1.5MB abomination that changes all the time.

Re:Hides in systemd

[Antique Geekmeister]

It's also not merely prone to feature creep. It was _designed_ to feature creep, to be the basis of a "stateless Linux" designed not to have the "/etc" or "/var" directories.

Re:

[gweihir]

Indeed. An abomination I most decidedly do not want on my servers and desktops. Now, I would have absolutely no issue with it if it stayed in its niche. But the people behind it try to push it everywhere and that is both a very bad idea and completely unacceptable.

Re:

[Antique Geekmeister]

There are thing it does well. Getting system logging able to monitor the boot process was valuable, as was a more robust "keep this daemon and its dependencies alive" system. There have been other candidates for each of those, none of which got the robust corporate support from Red Hat which systemd received.

Re:

[rahvin112]

It doesn't "hide in sytemd'. It pretends to be a systemd process along with several other processes including a gnome app. And given its sophistication if systemd isnt present it probably pretends to be sysv or something else.

The researchers were simply running a stretch release so thats what it did on stretch, with a single sample size we have no idea what it does on other systems.

Re:

[gweihir]

Look at what was uploaded to VT...

i dont know if this will help

[FudRucker]

0.0.0.0 news.thaprior.net 0.0.0.0 blog.eduelects.com 0.0.0.0 cdn.mirror-codes.net 0.0.0.0 status.sublineover.net

ad the above four lines to your hosts file

Re:

[Teun]

You mean you are interested in security yet run (Google) Chrome?

Misleading headline

[CrankyOldEngineer]

...suggests that the backdoor is in a fresh installation, which is highly unlikely. Like most (all?) Linux viruses, the victim must download a script from an unofficial source, enable it to run, and then run it as root. I'm not ready to panic yet.

Re:

[WallyL]

Oh, you mean:
curl http://somewhere.com/ [somewhere.com] | sudo bash -
That's way too popular these days...