Alexandr Mitiuc - Fotolia
A type of Linux malware called Rekoobe that originally targeted SPARC-based Linux servers has reportedly been revamped to attack Linux PCs running Intel chips. The Linux malware is hard to detect and can download files to infected users' computers from command-and-control servers. What makes Rekoobe so difficult to detect, and how is this Linux malware able to download files to users' systems so easily?
Malware on Windows, Macs and mobile devices needs to be advanced or very successful to gather much attention. The number of potential targets for successful malware is in the billions of affected devices. While automation usually just adds malware to a malware definition database, it will gain more attention if it has some sort of unique aspect to it. The Rekoobe malware, as analyzed by Dr.Web, was found to have started out targeting Linux systems using the SPARC architecture. There are few pieces of Linux malware and even fewer that target the SPARC architecture, since the potential population of systems to infect is small. The malware authors behind Rekoobe have taken the standard step of expanding functionality of the malware to infect additional Linux platforms, including X86 and X86-64.
The Rekoobe malware doesn't appear to be very advanced, but has the key functionality for executing remote code, downloading files and uploading files. This functionality could be very useful in a targeted attack where an attacker wants to maintain persistence. The Linux malware also stores configuration data in a file encrypted with XOR algorithm to evade detection. Dr.Web's report doesn't mention how the malware gets on the infected systems or if it exploits any vulnerabilities to gain access to the system. Dr.Web now has detections and other network-based antimalware tools that could detect the malware's C&C communications. While Rekoobe is of low risk to enterprises, it is necessary to ensure that all systems have some antimalware protection, or a local security monitor. The signatures of all reported Rekoobe samples have been added to antivirus databases such as Dr.Web's, so enterprises should take the appropriate steps to make sure they are scanning for this malware.
Ask the Expert: Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)
Read about Google's fix for a Linux kernel vulnerability
Learn about Linux server software that every enterprise should consider
Find out how to use Linux commands to improve efficiency
Dig Deeper on Alternative operating system security
Related Q&A from Nick Lewis
Cisco Talos' Thanatos ransomware decryptor can recover files affected by new ransomware that won't decrypt ransomed files even when a ransom has been... Continue Reading
A phishing campaign targeting Trezor wallets may have poisoned DNS or hijacked BGP to gain access. Learn how the attack worked and how to mitigate it... Continue Reading
Okta researchers found a bypass that allows macOS malware to pose as signed Apple files. Discover how this is possible and how to mitigate this ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.