Linux Devices Are Under Attack By a Never-Before-Seen Worm

Previously unknown self-replicating malware has been infecting Linux devices worldwide, installing cryptomining malware using unusual concealment methods. The worm is a customized version of Mirai botnet malware, which takes control of Linux-based internet-connected devices to infect others. Mirai first emerged in 2016, delivering record-setting distributed denial-of-service attacks by compromising vulnerable devices. Once compromised, the worm self-replicates by scanning for and guessing credentials of additional vulnerable devices. While traditionally used for DDoS attacks, this latest variant focuses on covert cryptomining. ArsTechnica adds: On Wednesday, researchers from network security and reliability firm Akamai revealed that a previously unknown Mirai-based network they dubbed NoaBot has been targeting Linux devices since at least last January. Instead of targeting weak telnet passwords, the NoaBot targets weak passwords connecting SSH connections. Another twist: Rather than performing DDoSes, the new botnet installs cryptocurrency mining software, which allows the attackers to generate digital coins using victims' computing resources, electricity, and bandwidth. The cryptominer is a modified version of XMRig, another piece of open source malware. More recently, NoaBot has been used to also deliver P2PInfect, a separate worm researchers from Palo Alto Networks revealed last July.

Akamai has been monitoring NoaBot for the past 12 months in a honeypot that mimics real Linux devices to track various attacks circulating in the wild. To date, attacks have originated from 849 distinct IP addresses, almost all of which are likely hosting a device that's already infected. The following figure tracks the number of attacks delivered to the honeypot over the past year.

Telnet...

[Anonymous Coward]

It's your own fault if you have telnet access enabled...

Re:

[Narcocide]

Don't use passwords at all. Disable them in the sshd config and use keys instead.

Re:Telnet...

[innocent_white_lamb]

You can also disable passwords for all external connections and still allow them for internal connections if you wish.

I would post the exact method but the Slashdot security blocker that I didn't know existed until right now says that I am not allowed to do that so you'll have to look it up on Google. Sorry about that, folks!

Hint: Look up the PasswordAuthentication and Match Address directives.

Now everyone logging in remotely (and the bad guys) need a key but local users can still use a password if they wish.

Re:Telnet...

[logjon]

They can't keep the fucking ASCII swastikas out, but by God, they're on top of filtering the actual useful information.

Re: Telnet...

[drinkypoo]

Yep, I sure do miss the good old days when you could post code on this alleged site for nerds.

Re:

[ArsenneLupin]

They can't keep the fucking ASCII swastikas out,

And they can't keep out iPhone spittle either.

Re:

[gweihir]

Nonsense. Just stop using weak-ass passwords.

Re:Telnet...

[nuckfuts]

what about SSH, since that is what this thing is using fucknuts

Why are you dragging me into this?

Re:

[Netcraft Confirms It]

Why are you dragging me into this?

I know how you feel. It happens to me all the time.

Re:

[angularbanjo]

Without telnet, how am I supposed to check http get responses?? And smtp helo tests????? And if that Chinese webcam spits out passwords in plain text???????

Re:

[nuckfuts]

There's a bit of a difference between a telnet service and a telnet client.

BTW, here's a quick way to install the latter on a Windows machine...
dism /online /Enable-Feature /FeatureName:TelnetClient

Or, if you prefer to use PowerShell...
Install-WindowsFeature -name "Telnet-Client"

Re: Telnet...

[z0]

Install-WindowsFeature: The target of the specified cndlet cannot be a Windows client-based operating system.

Re:

[StormReaver]

It's your own fault if you have telnet access enabled...

This has nothing to do with Telnet, as ssh is the entry point. It's all about weak passwords.

Re:

[Tablizer]

> I am sure the Linux "community" will come up with no less than 12 variations on how to deal with this, and none of them will fully work right.

That's the Genetic Algorithm way to solve problems: create bunches of candidates, select the most successful ones (or least failures), randomly merge features together, rinse, repeat...

Eventually it'll probably be good enough.

Re:dont worry

[Tarlus]

There is one way to deal with and it has already very well-documented for decades:

Don't use weak passwords.

You can take it a step farther and eliminate the use of passwords altogether or I don't know, keep port 22 behind a firewall unless you absolutely need it. But this isn't a Linux flaw at all.

Re:

[ls671]

Add random ports to the mix if you must accept external connections to mathematically reduce exposure.

Re:

[logjon]

"Adding random ports" is security theater.

Re:

[ls671]

Still part of a security strategy just like any obfuscation in general, you can't rely solely on it although obviously. Also with random ports, you get a lot less resource waste. I look at my logs.

Re:

[Tarlus]

Slows the skids down. Most of them don't know (or don't want to spend the time) fiddling with NMAP on every public IP address.

Re:

[markdavis]

>"Add random ports to the mix if you must accept external connections to mathematically reduce exposure."

Might help a bit. But if you expose sshd to the internet, you *MUST* have some type of rate limiting to prevent brute-force attacks. You can do this even with just iptables. It can be done with just two lines (three lines if you want to log it too):

/sbin/iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name SSH
/sbin/iptables -A INPUT -p tcp --dport 22 -m conntrack

Re:

[ls671]

Great! Here is what I use, the problem I seem to see with what you use is that somebody could prevent you from logging into your own machine, there is no "by IP" in what you posted I suspect, not sure you prevent being flooded with logs either..

see srcip below. I also only accept connections from restricted ip:
SCAN_LOG_LIMIT=120/minute
CA_AND_OUR_NETWORKS="-m set --match-set CAnetworks src"

REDIR_PORT=66631
TARGET_PORT="22"
LIMIT="10/minute"
EXPIRES="600000" # this is in miliseconds

Re:

[markdavis]

Kewl. Mine is just to show that it can be really simply. It does track the IP (that is "recent" flag, I believe). And yes, mine certainly does fill the logs (at least with no source IP filtering) if one chooses the 3 line version instead of omitting the middle-line rule. I can't take credit for the rules, since I stole them from somewhere :)

Re:

[ls671]

I remember writing this myself after looking at many others. I seem to remember that at the firewall level like I do, this was the optimal way to do it.

Cheers!

Re:

[NFN_NLN]

I thought you aren't supposed to use passwords at all and that passphrases are the new cool.

Re:

[Mononymous]

You're certainly not supposed to use passwords on SSH.
It's weird to have all that cryptographic capability and secure it with 12345.

Re:

[Major_Disorder]

You're certainly not supposed to use passwords on SSH. It's weird to have all that cryptographic capability and secure it with 12345.

That's the combination to my luggage.

Re:

[NFN_NLN]

Must be nice to have the extra security of a 5th digit. My combination is much less secure at 1234.

Re:

[HiThere]

Correct horse staple battery.

Re:

[TheRealMindChild]

The strength of a password is practically irrelevant if the attacker is just guessing and they only get a few tries to login. If the password was compromised elsewhere, then it doesn't matter if it is "poop" or "xXx_SOOPERP00P_XxX"

Re:

[Mononymous]

And if you don't use passwords, no person or program gets a chance to try to guess them.

Re:

[markdavis]

>"There is one way to deal with and it has already very well-documented for decades: Don't use weak passwords."

Stronger passwords will *not* stop a brute-force attack on a machine allowing ssh in from the Internet. With fast speeds, lots of connections, and some time, something can be cracked. To prevent that, you need rate-limiting. This will deny the time needed and will likely protect even weak (but reasonable) passwords. I posted a simple example iptables script elsewhere on this article's comme

Found your problem...

[JoeDuncan]

...takes control of Linux-based internet-connected devices to...

Yup - found the stupid! - that's it right there^!

Re:

[JoeDuncan]

I mean, connect your toaster to the internet and you pretty much get what you ask for...

Re:

[Osgeld]

the tubes run faster if you warm them up a little bit

Re:

[NFN_NLN]

The acceptable shade of toast is actually controlled by DEI and ESG rules that are constantly changing. Hence the requirement to parse that information from the internet.
You don't want to get called a racist for eating the wrong shade of toast do you?

Finally

[JustAnotherOldGuy]

Finally we Linux users are starting to achieve parity with Windows users in the hotly-contested "malware target" market!

Re:

[laughingskeptic]

Linux has been the primary OS infected by botnets since before 2012. In 2012 it was cheap routers, cameras and cable modems, now it is home appliances and other IoT devices in addition to the old standbys. 819 devices is a small fraction of the millions of Linux devices that are participating in a Botnet on any given day.

Re:

[codebase7]

And all of that is unmaintained / unmonitored (for security of the purchaser) garbage. *Any* device that doesn't change in response to threats will fall to time. Regardless of what it runs. If you say anything with that statistic it's: Linux is the go-to OS for one-off production runs or building appliances, and is completely impractical to update afterwards.

I thought most datacenter attacks use

[Tablizer]

...unseen malware. Otherwise, detectors would have caught them earlier. And it's not entirely "new", as the TFA points out it's based on the Mirai line.

Antivirus?

[Flavianoep]

That's because of things like that that I think I would feel more safe if I had more options if anti-malware programs in my Linux machines.

Re: Antivirus?

[Flavianoep]

Please, ignore "That's".

How to check if you're infected

[fph il quozientatore]

Download and run https://raw.githubusercontent.com/akamai/akamai-security-research/main/malware/noabot/noabot_detect.sh .

Re: How to check if you're infected

[Flavianoep]

Is this code for real? There are the words "pussy" and "mommy" in it

Re: How to check if you're infected

[OrangeTide]

it seems like it is looking for magicPussy in crontab, /lib, and ps. And an ssh key for a server @mommy in your authorized_keys.
I think this script is legit.

Re:

[fph il quozientatore]

Uh, the script is legit, the worm does contain those markers. Or at least so says Akamai, the owner of that Github organization. You know, the CDN and cybersecurity company with $3B yearly revenue.

Re:

[93 Escort Wagon]

Is this code for real? There are the words "pussy" and "mommy" in it

Well, it was written by a Linux user so...

(I kid, I kid)

If you're still using passwords with SSH

[Arnonyrnous Covvard]

YOU'RE DOING IT WRONG! And I hate you for it, because you are part of the reason the logs are full of botnets making futile SSH password login attempts.

Re:

[Anonymous Coward]

If your ssh logs are full of bots making password login attempts you're doing it wrong too.

Re: If you're still using passwords with SSH

[svx]

run your sshd on a random high port then.. or better yet, put it behind wireguard - nobody will ever know that you are even running wireguard

Re:

[whoever57]

run your sshd on a random high port then

Still gets attacked by brute force attempts.

Rate-limiting either connections or login attempts is required for any directly Internet accessible ssh server.

Re: If you're still using passwords with SSH

[svx]

nah, had been running sshd on something like 53491 for ages and never received a single unwanted connection attemp... it's simply not efficient for malware to scan ALL service ports - scanning just the known ports is a lot faster and obviously will get better results, because more hosts will get scanned in the given time

Re:

[whoever57]

My logs say otherwise. I use a high port and it receives ssh brute force attempts.

Re: If you're still using passwords with SSH

[svx]

..maybe it's a known port for some other service then

Re:

[whoever57]

..maybe it's a known port for some other service then

That would explain connection attempts, but not login attempts. But no, it's not a known port.

It's only in the past few years that this has been happening. Before that, using a high non-standard port stopped all or almost all ssh login attempts.

Re:

[gweihir]

Nope. Using low-security passwords with SSH is a problem. With proper passwords, ssh-login with password is entirely fine. Stop spreading FUD.

Re:

[gweihir]

Allowing ssh root login is not a bad practice at all. Not properly securing that login is.

Re:

[gweihir]

I understand perfectly well what the situation is: A meaningless, faulty "security ritual", nothing else. If you secure it properly, there is absolutely nothing wrong with direct ssh to root. In fact, it is _more_ secure than going via user account. If you do not secure your logins properly, this intermediate step will not save you at all.

I am just wondering where this nonsense comes from. Probably a stupid attempt to emulate Windows "security".

 

Re:

[gweihir]

Simple: User accounts are, in any sane set-up, less secured than root, simply because they are more exposed. For example because they are typically used frequently for work. The meaningless ritual of going via them lowers root security. This is so obvious I should not even have to explain it at all.

XMRig is malware?

[manithree]

So, is all open source software malware, or just all crypto mining software?

Isn't that kind of like a "zero day" exploit?

[Tony Isaac]

Everybody wants to use "zero day" to describe every malware infection, even when it doesn't apply, because apparently calling it a "zero day" makes it seem more incredible or something.

But here, when it actually is a zero day, apparently they don't want to call it that!

Re:

[Mononymous]

This isn't a "zero day", or any other kind of an exploit.
It's just getting in with weak passwords.
Why is anyone using passwords on SSH? We stopped doing that a long time ago.

Re:

[Tony Isaac]

Previously unknown **self-replicating malware** has been infecting Linux devices worldwide

That's from the first line of the summary. I'd call that an exploit. And it was "previously unknown" making it a zero-day. It doesn't matter how stupid or simple the vulnerability is, just that there's an exploit and that it wasn't previously known.

Re:

[Mononymous]

There's no "previously unknown exploit" here. It's been known for many years that if you use a guessable password someone might guess it.

Re:

[Tony Isaac]

Was it known that these specific devices had weak passwords? Knowing about a class of weaknesses doesn't equate to being a "known vulnerability" for a specific device.

Re:

[Mononymous]

So you're referring to a password not chosen by a user? If that's what this is about, TFS didn't make it clear.
I didn't even consider IoT-type embedded devices. When I think SSH, I think of actual servers.

Well, if that's what's going on, it's still silly to call weak default passwords a "zero day".

Re:

[gweihir]

Weak passwords logins into regular accounts are not even a software or system vulnerability, much less "zero day". These are a pure "user/sysadmin is an idiot" vulnerability.

Re:

[Tony Isaac]

For a zero-day to qualify as such, it doesn't have to attack a strong defense. It just has to be "previously unknown" and an exploit (malware).

Re:

[gweihir]

A zero day has to be a software or system vulnerability. This is not. As to "previously unknown", this is not. Seriously.

This is in no way, form or shape a "zero day". Deal with it.

Re:

[Tony Isaac]

I'd say that a system that *allows* weak or default passwords, is a system vulnerability.

And I don't really care if it qualifies as "zero day"--the phrase doesn't actually mean anything anyway. And that's kind of the point.

marketing

[awwshit]

These attacks need better marketing. I mean security researchers have been using catchy names and making logos for their big discoveries for a while, heartbleed comes to mind for me.

I'm dubbing this one Big Worm. It has a face and a crypto mining relevant slogan (Playing with my money is like playing with my emotions):
https://i.etsystatic.com/25705... [etsystatic.com]

And slashdot reacts like this (What up big perm!):
https://i.pinimg.com/originals... [pinimg.com]

You worm writers need to get with it.
https://i.pinimg.com/originals... [pinimg.com]

NOVICE.

[RossCWilliams]

I am a complete novice with Linux, but I have a couple old computers that have the free version of ZORIN installed. With a default installation, are they vulnerable to this malware when connected to the internet through my local wireless router?

Re:

[StormReaver]

If your password is something stupid like, "password", "god", or "sex", then definitely yes. This is not a software vulnerability. This is a weak password vulnerability.

Re:

[OrangeTide]

If I had a list of 10,000 most used passwords, even if not all of them are obviously weak, it's a short enough list to manage a useful attack. For example, I could send out bots to try it on 10 million systems in a day and probably get a hit or two. I think the scale is sufficient to warrant some caution with leaving services like SSH open to password guessing.

My advice is when provisioning systems that part of that provisioning process include installation of SSH keys in the administrator accounts and do n

Re:

[dryeo]

Don't you have to enable sshd? I haven't had a need to remotely log onto my computer, so assume things like sshd are not running.

Re:

[gweihir]

Depends on the installer. A sane installer will ask you for passwords during the installation process and tell you that these accounts will be remotely reachable so you should select a good one. "SSH off" is not very common anymore as default, since many Linux systems run in VMs, where ssh is the only way to get in after installation.

AI?

[LindleyF]

I wonder if one could train something LLM-like to recognize intrusions similar to know vectors

Re:

[HiThere]

Yes, but you'd probably get a lot of false positives and false negatives.

Re:

[gweihir]

Not usefully. You need to have very high accuracy for anything like that to be useful. LLMs cannot do "very high accuracy".

SSH can require both a key and a password

[thogard]

Many large networks have been compromised after something has obtained user level access and used that users keys to hit other systems. SSH can be configured to require both a key and a password and so far the malware hasn't been able to break that combo yet. Note that is not the same as putting a password on the key.

Re:

[gweihir]

This malware does not even crack reasonable passwords...

"weak passwords connecting SSH"

[gweihir]

Nobody in their right mind has those, much less on an internet-connected system. Gross negligence at work. Anybody claiming to be a "victim" here did it to themselves and should be liable for all damage caused. They can then try to sue the criminals to get that money back...