
How does Rekoobe Linux malware spread and avoid detection?

A hard-to-detect type of Linux malware, Rekoobe, can download files to user systems. Expert Nick Lewis explains the malware's key functionality and how to mitigate attacks.

A type of Linux malware called Rekoobe that originally targeted SPARC-based Linux servers has reportedly been revamped to attack Linux PCs running Intel chips. The Linux malware is hard to detect and can download files to infected users' computers from command-and-control servers. What makes Rekoobe so difficult to detect, and how is this Linux malware able to download files to users' systems so easily?

Malware on Windows, Macs and mobile devices needs to be advanced or very successful to gather much attention, because the population of potential targets runs into the billions of devices. Automation usually just adds a new sample to a malware definition database; a sample gains more attention only when it has some unique aspect. The Rekoobe malware, as analyzed by Dr.Web, was found to have started out targeting Linux systems using the SPARC architecture. There are few pieces of Linux malware, and even fewer that target SPARC, since the potential population of systems to infect is small. The authors behind Rekoobe have taken the standard step of expanding the malware to infect additional Linux platforms, including x86 and x86-64.

The Rekoobe malware doesn't appear to be very advanced, but it has the key functionality for executing remote code, downloading files and uploading files. This functionality could be very useful in a targeted attack where an attacker wants to maintain persistence. The Linux malware also stores its configuration data in a file obfuscated with an XOR algorithm to evade detection. Dr.Web's report doesn't mention how the malware gets onto infected systems or whether it exploits any vulnerabilities to gain access. Dr.Web now has detections for it, and other network-based antimalware tools could detect the malware's C&C communications. While Rekoobe is of low risk to enterprises, it is necessary to ensure that all systems have some antimalware protection or a local security monitor. The signatures of all reported Rekoobe samples have been added to antivirus databases such as Dr.Web's, so enterprises should take the appropriate steps to make sure they are scanning for this malware.
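XOR with a short key hides a config file from naive string scans but does not resist analysis: because the plaintext is mostly ASCII, a responder can recover a single-byte key by brute force and read the configuration. The following is an added example, not code from Dr.Web's analysis or from the malware; the key=value layout, the field names and the key 0x5A are constructed assumptions.

```python
"""Recover a single-byte XOR key from an obfuscated config blob.

Constructed example: the plaintext config, its field names and the
key 0x5A are assumptions, not values taken from any Rekoobe sample.
"""
import string

# Bytes expected to dominate a plaintext name=value config file.
EXPECTED = set((string.ascii_lowercase + string.digits + "=.\n").encode())


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (XOR is its own inverse)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def score(candidate: bytes) -> int:
    """Count bytes that look like config text; higher is more plausible."""
    return sum(1 for b in candidate if b in EXPECTED)


def recover_key(blob: bytes, key_len: int = 1) -> bytes:
    """Pick, per key position, the byte that makes its column most text-like.

    For key_len=1 this is a plain 256-candidate brute force over the blob.
    """
    key = bytearray()
    for pos in range(key_len):
        column = blob[pos::key_len]
        best = max(range(256), key=lambda k: score(bytes(b ^ k for b in column)))
        key.append(best)
    return bytes(key)


def parse_config(text: bytes) -> dict:
    """Split 'name=value' lines into a dict, ignoring malformed lines."""
    out = {}
    for line in text.decode("ascii", errors="replace").splitlines():
        name, sep, value = line.partition("=")
        if sep:
            out[name] = value
    return out


# Constructed sample: a config as it might sit on disk after being
# XOR-obfuscated with the assumed single-byte key 0x5A.
SAMPLE_CONFIG = b"host=203.0.113.10\nport=443\nsleep=30\n"
ASSUMED_KEY = b"\x5a"
BLOB = xor_bytes(SAMPLE_CONFIG, ASSUMED_KEY)

if __name__ == "__main__":
    key = recover_key(BLOB)
    print("recovered key:", key.hex(), parse_config(xor_bytes(BLOB, key)))
```

The scoring set deliberately excludes uppercase letters: with newline, '.' and '=' present in the plaintext, only the true key maps every byte into the expected set, so the choice is unambiguous for this input.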


This was last published in May 2016
