Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security Linux IT

Linux Devices Are Under Attack By a Never-Before-Seen Worm 101

Previously unknown self-replicating malware has been infecting Linux devices worldwide, installing cryptomining malware using unusual concealment methods. The worm is a customized version of Mirai botnet malware, which takes control of Linux-based internet-connected devices to infect others. Mirai first emerged in 2016, delivering record-setting distributed denial-of-service attacks by compromising vulnerable devices. Once compromised, the worm self-replicates by scanning for and guessing credentials of additional vulnerable devices. While traditionally used for DDoS attacks, this latest variant focuses on covert cryptomining. ArsTechnica adds: On Wednesday, researchers from network security and reliability firm Akamai revealed that a previously unknown Mirai-based network they dubbed NoaBot has been targeting Linux devices since at least last January. Instead of targeting weak telnet passwords, the NoaBot targets weak passwords connecting SSH connections. Another twist: Rather than performing DDoSes, the new botnet installs cryptocurrency mining software, which allows the attackers to generate digital coins using victims' computing resources, electricity, and bandwidth. The cryptominer is a modified version of XMRig, another piece of open source malware. More recently, NoaBot has been used to also deliver P2PInfect, a separate worm researchers from Palo Alto Networks revealed last July.

Akamai has been monitoring NoaBot for the past 12 months in a honeypot that mimics real Linux devices to track various attacks circulating in the wild. To date, attacks have originated from 849 distinct IP addresses, almost all of which are likely hosting a device that's already infected. The following figure tracks the number of attacks delivered to the honeypot over the past year.
This discussion has been archived. No new comments can be posted.

Linux Devices Are Under Attack By a Never-Before-Seen Worm

Comments Filter:
  • by Anonymous Coward
    It's your own fault if you have telnet access enabled...
    • Without telnet, how am I supposed to check http get responses?? And smtp helo tests????? And if that Chinese webcam spits out passwords in plain text???????
      • There's a bit of a difference between a telnet service and a telnet client.

        BTW, here's a quick way to install the latter on a Windows machine...
        dism /online /Enable-Feature /FeatureName:TelnetClient

        Or, if you prefer to use PowerShell...
        Install-WindowsFeature -name "Telnet-Client"

        • Install-WindowsFeature: The target of the specified cndlet cannot be a Windows client-based operating system.

    • It's your own fault if you have telnet access enabled...

      This has nothing to do with Telnet, as ssh is the entry point. It's all about weak passwords.

  • by JoeDuncan ( 874519 ) on Wednesday January 10, 2024 @01:06PM (#64147407)

    ...takes control of Linux-based internet-connected devices to...

    Yup - found the stupid! - that's it right there^!

    • I mean, connect your toaster to the internet and you pretty much get what you ask for...
      • by Osgeld ( 1900440 )

        the tubes run faster if you warm them up a little bit

      • by NFN_NLN ( 633283 )

        The acceptable shade of toast is actually controlled by DEI and ESG rules that are constantly changing. Hence the requirement to parse that information from the internet.
        You don't want to get called a racist for eating the wrong shade of toast do you?

  • Finally (Score:4, Funny)

    by JustAnotherOldGuy ( 4145623 ) on Wednesday January 10, 2024 @01:07PM (#64147409) Journal

    Finally we Linux users are starting to achieve parity with Windows users in the hotly-contested "malware target" market!

    • Linux has been the primary OS infected by botnets since before 2012. In 2012 it was cheap routers, cameras and cable modems, now it is home appliances and other IoT devices in addition to the old standbys. 819 devices is a small fraction of the millions of Linux devices that are participating in a Botnet on any given day.
      • And all of that is unmaintained / unmonitored (for security of the purchaser) garbage. *Any* device that doesn't change in response to threats will fall to time. Regardless of what it runs. If you say anything with that statistic it's: Linux is the go-to OS for one-off production runs or building appliances, and is completely impractical to update afterwards.
  • ...unseen malware. Otherwise, detectors would have caught them earlier. And it's not entirely "new", as the TFA points out it's based on the Mirai line.

  • That's because of things like that that I think I would feel more safe if I had more options if anti-malware programs in my Linux machines.

  • by fph il quozientatore ( 971015 ) on Wednesday January 10, 2024 @01:20PM (#64147449)
    Download and run https://raw.githubusercontent.com/akamai/akamai-security-research/main/malware/noabot/noabot_detect.sh .
  • by Arnonyrnous Covvard ( 7286638 ) on Wednesday January 10, 2024 @01:28PM (#64147459)

    YOU'RE DOING IT WRONG! And I hate you for it, because you are part of the reason the logs are full of botnets making futile SSH password login attempts.

    • Re: (Score:1, Insightful)

      by Anonymous Coward
      If your ssh logs are full of bots making password login attempts you're doing it wrong too.
    • run your sshd on a random high port then.. or better yet, put it behind wireguard - nobody will ever know that you are even running wireguard
      • run your sshd on a random high port then

        Still gets attacked by brute force attempts.

        Rate-limiting either connections or login attempts is required for any directly Internet accessible ssh server.

        • nah, had been running sshd on something like 53491 for ages and never received a single unwanted connection attemp... it's simply not efficient for malware to scan ALL service ports - scanning just the known ports is a lot faster and obviously will get better results, because more hosts will get scanned in the given time
          • My logs say otherwise. I use a high port and it receives ssh brute force attempts.

            • ..maybe it's a known port for some other service then
              • ..maybe it's a known port for some other service then

                That would explain connection attempts, but not login attempts. But no, it's not a known port.

                It's only in the past few years that this has been happening. Before that, using a high non-standard port stopped all or almost all ssh login attempts.

    • by gweihir ( 88907 )

      Nope. Using low-security passwords with SSH is a problem. With proper passwords, ssh-login with password is entirely fine. Stop spreading FUD.

  • So, is all open source software malware, or just all crypto mining software?
  • Everybody wants to use "zero day" to describe every malware infection, even when it doesn't apply, because apparently calling it a "zero day" makes it seem more incredible or something.

    But here, when it actually is a zero day, apparently they don't want to call it that!

    • This isn't a "zero day", or any other kind of an exploit.
      It's just getting in with weak passwords.
      Why is anyone using passwords on SSH? We stopped doing that a long time ago.

      • Previously unknown **self-replicating malware** has been infecting Linux devices worldwide

        That's from the first line of the summary. I'd call that an exploit. And it was "previously unknown" making it a zero-day. It doesn't matter how stupid or simple the vulnerability is, just that there's an exploit and that it wasn't previously known.

        • There's no "previously unknown exploit" here. It's been known for many years that if you use a guessable password someone might guess it.

          • Was it known that these specific devices had weak passwords? Knowing about a class of weaknesses doesn't equate to being a "known vulnerability" for a specific device.

            • So you're referring to a password not chosen by a user? If that's what this is about, TFS didn't make it clear.
              I didn't even consider IoT-type embedded devices. When I think SSH, I think of actual servers.

              Well, if that's what's going on, it's still silly to call weak default passwords a "zero day".

    • by gweihir ( 88907 )

      Weak passwords logins into regular accounts are not even a software or system vulnerability, much less "zero day". These are a pure "user/sysadmin is an idiot" vulnerability.

      • For a zero-day to qualify as such, it doesn't have to attack a strong defense. It just has to be "previously unknown" and an exploit (malware).

        • by gweihir ( 88907 )

          A zero day has to be a software or system vulnerability. This is not. As to "previously unknown", this is not. Seriously.

          This is in no way, form or shape a "zero day". Deal with it.

          • I'd say that a system that *allows* weak or default passwords, is a system vulnerability.

            And I don't really care if it qualifies as "zero day"--the phrase doesn't actually mean anything anyway. And that's kind of the point.

  • These attacks need better marketing. I mean security researchers have been using catchy names and making logos for their big discoveries for a while, heartbleed comes to mind for me.

    I'm dubbing this one Big Worm. It has a face and a crypto mining relevant slogan (Playing with my money is like playing with my emotions):
    https://i.etsystatic.com/25705... [etsystatic.com]

    And slashdot reacts like this (What up big perm!):
    https://i.pinimg.com/originals... [pinimg.com]

    You worm writers need to get with it.
    https://i.pinimg.com/originals... [pinimg.com]

  • I am a complete novice with Linux, but I have a couple old computers that have the free version of ZORIN installed. With a default installation, are they vulnerable to this malware when connected to the internet through my local wireless router?
    • If your password is something stupid like, "password", "god", or "sex", then definitely yes. This is not a software vulnerability. This is a weak password vulnerability.

      • If I had a list of 10,000 most used passwords, even if not all of them are obviously weak, it's a short enough list to manage a useful attack. For example, I could send out bots to try it on 10 million systems in a day and probably get a hit or two. I think the scale is sufficient to warrant some caution with leaving services like SSH open to password guessing.

        My advice is when provisioning systems that part of that provisioning process include installation of SSH keys in the administrator accounts and do n

      • by dryeo ( 100693 )

        Don't you have to enable sshd? I haven't had a need to remotely log onto my computer, so assume things like sshd are not running.

        • by gweihir ( 88907 )

          Depends on the installer. A sane installer will ask you for passwords during the installation process and tell you that these accounts will be remotely reachable so you should select a good one. "SSH off" is not very common anymore as default, since many Linux systems run in VMs, where ssh is the only way to get in after installation.

  • I wonder if one could train something LLM-like to recognize intrusions similar to know vectors
    • by HiThere ( 15173 )

      Yes, but you'd probably get a lot of false positives and false negatives.

    • by gweihir ( 88907 )

      Not usefully. You need to have very high accuracy for anything like that to be useful. LLMs cannot do "very high accuracy".

  • Many large networks have been compromised after something has obtained user level access and used that users keys to hit other systems. SSH can be configured to require both a key and a password and so far the malware hasn't been able to break that combo yet. Note that is not the same as putting a password on the key.

  • Nobody in their right mind has those, much less on an internet-connected system. Gross negligence at work. Anybody claiming to be a "victim" here did it to themselves and should be liable for all damage caused. They can then try to sue the criminals to get that money back...

If you have a procedure with 10 parameters, you probably missed some.

Working...