A type of Linux malware called Rekoobe that originally targeted SPARC-based Linux servers has reportedly been revamped...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
to attack Linux PCs running Intel chips. The Linux malware is hard to detect and can download files to infected users' computers from command-and-control servers. What makes Rekoobe so difficult to detect, and how is this Linux malware able to download files to users' systems so easily?
Malware on Windows, Macs and mobile devices needs to be advanced or very successful to gather much attention. The number of potential targets for successful malware is in the billions of affected devices. While automation usually just adds malware to a malware definition database, it will gain more attention if it has some sort of unique aspect to it. The Rekoobe malware, as analyzed by Dr.Web, was found to have started out targeting Linux systems using the SPARC architecture. There are few pieces of Linux malware and even fewer that target the SPARC architecture, since the potential population of systems to infect is small. The malware authors behind Rekoobe have taken the standard step of expanding functionality of the malware to infect additional Linux platforms, including X86 and X86-64.
The Rekoobe malware doesn't appear to be very advanced, but has the key functionality for executing remote code, downloading files and uploading files. This functionality could be very useful in a targeted attack where an attacker wants to maintain persistence. The Linux malware also stores configuration data in a file encrypted with XOR algorithm to evade detection. Dr.Web's report doesn't mention how the malware gets on the infected systems or if it exploits any vulnerabilities to gain access to the system. Dr.Web now has detections and other network-based antimalware tools that could detect the malware's C&C communications. While Rekoobe is of low risk to enterprises, it is necessary to ensure that all systems have some antimalware protection, or a local security monitor. The signatures of all reported Rekoobe samples have been added to antivirus databases such as Dr.Web's, so enterprises should take the appropriate steps to make sure they are scanning for this malware.
Ask the Expert: Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)
Read about Google's fix for a Linux kernel vulnerability
Learn about Linux server software that every enterprise should consider
Find out how to use Linux commands to improve efficiency
Dig Deeper on Alternative operating system security
Related Q&A from Nick Lewis
Cross-platform malware enables attackers to leverage their attacks using infected Microsoft Word docs. Expert Nick Lewis explains how the attacks ...continue reading
How was the ATMitch malware able to loot cash machines, then delete itself? Expert Nick Lewis explains how the fileless malware works and how it ...continue reading
DoubleAgent malware is a proof of concept for a zero-day vulnerability that can turn antivirus tools into attack vectors. Expert Nick Lewis explains ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.