Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security Linux

Symbiote: A New, Nearly-Impossible-to-Detect Linux Threat (blackberry.com) 43

Ars Technica reports: Researchers have unearthed a discovery that doesn't occur all that often in the realm of malware: a mature, never-before-seen Linux backdoor that uses novel evasion techniques to conceal its presence on infected servers, in some cases even with a forensic investigation.

On Thursday, researchers and the BlackBerry Threat Research & Intelligence Team said that the previously undetected backdoor combines high levels of access with the ability to scrub any sign of infection from the file system, system processes, and network traffic. Dubbed Symbiote, it targets financial institutions in Brazil and was first detected in November.

Researchers for Intezer and BlackBerry wrote:

"What makes Symbiote different from other Linux malware that we usually come across, is that it needs to infect other running processes to inflict damage on infected machines. Instead of being a standalone executable file that is run to infect a machine, it is a shared object (SO) library that is loaded into all running processes using LD_PRELOAD (T1574.006), and parasitically infects the machine. Once it has infected all the running processes, it provides the threat actor with rootkit functionality, the ability to harvest credentials, and remote access capability...."

So far, there's no evidence of infections in the wild, only malware samples found online. It's unlikely this malware is widely active at the moment, but with stealth this robust, how can we be sure?

"When hooked functions are called, the malware first dynamically loads libc and calls the original function..." according to Blackberry's blog post. "If the calling application is trying to access a file or folder under /proc, the malware scrubs the output from process names that are on its list.... If the calling application is not trying to access something under /proc, the malware instead scrubs the result from a file list....

"Symbiote also has functionality to hide network activity on the infected machine."
This discussion has been archived. No new comments can be posted.

Symbiote: A New, Nearly-Impossible-to-Detect Linux Threat

Comments Filter:
  • by Anonymous Coward on Saturday June 11, 2022 @01:37PM (#62611922)

    We all TOLD YOU this would happen. This is what happens when you use a UNIX wannabe cobbled together by weekend hobbyists, instead of using an industrial strength OS like Windows or OSX that is rigorously crafted by professional coders.

  • by ffkom ( 3519199 ) on Saturday June 11, 2022 @01:43PM (#62611938)
    Any statically linked executable you start should have no problem seeing "LD_PRELOAD" variables set in environments or the shared object files they are pointing to.

    Sounds way less "stealthy" than those "trust zone" or UEFI based viruses that exploit CPU's/BIOS's malware-helping features.
  • by fahrbot-bot ( 874524 ) on Saturday June 11, 2022 @01:53PM (#62611962)

    In the author picture at the bottom of the Arstechnica article (TFAA), the guy is, literally, wearing a white hat. #SledgehammerSymbolism :-)

  • by ctilsie242 ( 4841247 ) on Saturday June 11, 2022 @02:06PM (#62611992)

    Yes, this thing is new and improved... but it still has to get root access in order to hook at the kernel level. It also has to get past AppArmor or SELinux which would stop such an item cold, even if it did manage to get UID 0. With the logs generated, admins would know something is up, when something like Apache starts spewing into syslog about a bunch of attempts to hook in at the kernel level.

    If it gets root, that is bad... but we have had decades of rootkits, and Linux is pretty good at handling privilege escalation attacks.

    However, this attack, in combination with a rowhammer attack, or something on the CPU level (Spectre/Meltdown) can be devastating, because it could easily be injected by a number of means, even a webpage. So, it is a great attack for keeping gained territory, and having a bastion for future attacks... or just quietly inserting a shim which auto-decrypts files, so ransomware can quietly encrypt files without the user knowing for a few months (which will ensure backups are unusable), then at a certain date, drop the keys and present the demand for cash.

  • This isn’t new (Score:4, Interesting)

    by nbvb ( 32836 ) on Saturday June 11, 2022 @02:07PM (#62611996) Journal

    Stuff like this has been around for decades. I remember dealing with a kit like this on Solaris decades ago. Not only did that bugger scrub itself from process listings etc. but it also replaced some of the static binaries in /sbin.

    So why is a kit like this news? Seems kinda run of the mill to me.

    • by hAckz0r ( 989977 )

      Where are the mod points when you need them?

      What, LD_PRELOAD again? This technique goes back many decades. Its one of the oldest black-hat tricks in the book, and its so easy to do. But its what happens afterward hooking a service that is so important. There is no lack of rootkits out there that play these games so this article is very anti-climatic to the older geeks out there that have been around the block a time or two.

      Wake me when it starts injecting trampolines in the dynamic portions of the kernel

    • by gweihir ( 88907 )

      Stuff like this has been around for decades. I remember dealing with a kit like this on Solaris decades ago. Not only did that bugger scrub itself from process listings etc. but it also replaced some of the static binaries in /sbin.

      So why is a kit like this news? Seems kinda run of the mill to me.

      Indeed. The real story here is that "forensic investigators" seem to be incompetent today.

  • why this is systemd's fault.
  • Comment removed (Score:4, Interesting)

    by account_deleted ( 4530225 ) on Saturday June 11, 2022 @02:25PM (#62612028)
    Comment removed based on user account deletion
    • ...I don't think I need to worry about apt-upgrade or yum update just yet.

      I'd be much more impressed by your post if it didn't refer to a package manager (yum) that was replaced by dnf seven years ago. If you're going to pontificate about Linux, you'd better keep yourself up-to-date.
  • by Great_Geek ( 237841 ) on Saturday June 11, 2022 @04:01PM (#62612214)
    Where is the history of code submission? At what version did the code change?
  • by gweihir ( 88907 ) on Saturday June 11, 2022 @06:14PM (#62612386)

    A _competent_ forensic analysis does of course look at all shared libraries on the system and looks at which ones get loaded. Yes, if you load it into _everything_ you can prevent tools already on the system form seeing it. But what abysmally incompetent "forensic" investigator does it like that? What you do is look at an image from outside. There you will find the LD_PRELOAD setting and see the dynamic library. And if you really need to run something in the system itself (obviously on a copy, never the life system) you will use something that comes with its own libraries or, better, is statically compiled. Also, do this with your own kernel and make sure the kernel is not compromised.

    As to network activity, of course you look for that _outside_ of the machine using a network tap. Do I have to tell these people the very basics???

    This really is a story about what incompetents call themselves "forensic investigators" these days, not about a particular insidious malware.

    • by DamnOregonian ( 963763 ) on Saturday June 11, 2022 @10:32PM (#62612616)
      Unless I've lost my mind, they seem to wave their hands and say, "The attackers set LD_PRELOAD..." as if someone amok javascript process in your browser can accomplish this task.

      For this to be worth a shit, it needs to be set as root (Linux dynamic linker will not LD_PRELOAD for an escalated process) and it needs to be done for each and every process spawned by your init. Contained as any user-account is pointless.
      Otherwise, it's rather trivial to detect.

      I'm less interested in abuse of LD_PRELOAD, as I am having a discussion about how the fuck the environment variable was set to begin with, and by pid 1.
      I mean, if you can arbitrarily execute code that early in the boot process, who the fuck cares what trickery you do to hide yourself? Your shit is fucking pwned, period.

      Anyway, the forensics guys aren't incompetent. They're just focusing on an already-infected machine, and how to find out that it is.
      I spent some time and earned some e-fame in my reverse engineering exploits, and these guys seem competent in that domain, which is a domain that a fraction of a hundredth of a percent of the human population is skilled in.
    • What you do is look at an image from outside. There you will find the LD_PRELOAD setting and see the dynamic library. And if you really need to run something in the system itself (obviously on a copy, never the life system) you will use something that comes with its own libraries or, better, is statically compiled. Also, do this with your own kernel and make sure the kernel is not compromised.

      Your analysis method assumes three things:
      1. You have the ability to access the cleartext of the code in question directly.

      2. The code in memory on the target device is not under suspicion.

      3. Any potential threat / "unauthorized" code will show up on disk.

      Number one can fail with most modern devices. A.K.A. Anything with hardware based DRM. (Video game consoles, media players, phones, PCs with a TPM chip and SecureBoot.) These tend to have exploitable entry points that affect the "secure" sections

  • 1. Were financial institutions using host intrusion detection systems?
    2. Were these machines leaving critical directories open to writes by other users?
    3. Were mandatory access controls enabled?
    4. How did the payload get onto the infected machine?
    5. Were these companies using hardened kernels?
    6. Were the systems up to the standards you'd expect of such institutions?

    If these questions indicate that poor choices were made, then the real vulnerability would have been those choices.

Ocean: A body of water occupying about two-thirds of a world made for man -- who has no gills. -- Ambrose Bierce

Working...