A type of Linux malware called Rekoobe that originally targeted SPARC-based Linux servers has reportedly been revamped to attack Linux PCs running Intel chips. The Linux malware is hard to detect and can download files to infected users' computers from command-and-control servers. What makes Rekoobe so difficult to detect, and how is this Linux malware able to download files to users' systems so easily?
Malware on Windows, Macs and mobile devices needs to be advanced or very successful to gather much attention. The number of potential targets for successful malware on these platforms is in the billions of devices. While automation usually just adds new malware to a malware definition database, a sample will gain more attention if it has some sort of unique aspect to it. The Rekoobe malware, as analyzed by Dr.Web, was found to have started out targeting Linux systems using the SPARC architecture. There are few pieces of Linux malware and even fewer that target the SPARC architecture, since the potential population of systems to infect is small. The malware authors behind Rekoobe have taken the standard step of expanding the functionality of the malware to infect additional Linux platforms, including x86 and x86-64.
The Rekoobe malware doesn't appear to be very advanced, but it has the key functionality for executing remote code, downloading files and uploading files. This functionality could be very useful in a targeted attack where an attacker wants to maintain persistence. The Linux malware also stores its configuration data in a file encrypted with the XOR algorithm to evade detection. Dr.Web's report doesn't mention how the malware gets onto infected systems or whether it exploits any vulnerabilities to gain access. Dr.Web now has detections for the malware, and other network-based antimalware tools could detect the malware's C&C communications. While Rekoobe is of low risk to enterprises, it is necessary to ensure that all systems have some antimalware protection or a local security monitor. The signatures of all reported Rekoobe samples have been added to antivirus databases such as Dr.Web's, so enterprises should take the appropriate steps to make sure they are scanning for this malware.
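The XOR-encoded configuration file mentioned above defeats plain string matching, but not a scanner that accounts for the encoding. The following is an added example, not code from Dr.Web's report or from this article; it assumes a single-byte XOR key and a constructed `server=`/`port=` config layout, since the page gives neither the key length nor the file format.

```python
# Added example: locate known strings hidden behind a single-byte XOR key.
# Assumptions (not from the page): 1-byte key, "server="/"port=" config fields.

def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with the same one-byte key."""
    return bytes(b ^ key for b in data)

def delta(data: bytes) -> bytes:
    """XOR of each adjacent byte pair; a constant one-byte key cancels out."""
    return bytes(a ^ b for a, b in zip(data, data[1:]))

def find_xor_markers(blob: bytes, markers, min_len: int = 4):
    """Return (marker, offset, key) for each marker present under any 1-byte key.

    A key of 0 means the marker was stored in plaintext.
    """
    hits = []
    blob_delta = delta(blob)
    for marker in markers:
        if len(marker) < min_len:  # very short markers match by coincidence
            continue
        pattern = delta(marker)
        pos = blob_delta.find(pattern)
        while pos != -1:
            # Matching deltas mean blob[pos:] equals marker XOR one constant byte.
            hits.append((marker, pos, blob[pos] ^ marker[0]))
            pos = blob_delta.find(pattern, pos + 1)
    return hits

# Constructed sample data: padding bytes around an XOR-encoded config.
SAMPLE_KEY = 0x5A
SAMPLE_CONFIG = b"server=c2.example.invalid\nport=443\n"
SAMPLE_BLOB = b"\x00\x01\x02\x03" + xor_bytes(SAMPLE_CONFIG, SAMPLE_KEY) + b"\xff\xfe"
MARKERS = [b"server=", b"port="]

def scan_sample():
    """Scan the constructed blob for the hypothetical config markers."""
    return find_xor_markers(SAMPLE_BLOB, MARKERS)

if __name__ == "__main__":
    print("plain string match:", any(m in SAMPLE_BLOB for m in MARKERS))
    for marker, offset, key in scan_sample():
        print(f"{marker!r} at offset {offset}, key 0x{key:02x}")
        print("decoded:", xor_bytes(SAMPLE_BLOB[offset:], key)[:20])
```

Because the adjacent-byte XOR removes the key, one pass finds the marker under all 256 possible keys, which is the kind of check a file scanner or a YARA-style rule can apply where a plain string signature finds nothing.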