A type of Linux malware called Rekoobe that originally targeted SPARC-based Linux servers has reportedly been revamped to attack Linux PCs running Intel chips. The Linux malware is hard to detect and can download files to infected users' computers from command-and-control servers. What makes Rekoobe so difficult to detect, and how is this Linux malware able to download files to users' systems so easily?
Malware for Windows, Macs and mobile devices has to be unusually advanced or unusually successful to attract much attention, because the pool of potential targets runs into billions of devices. Automation typically just adds a new sample to a malware definition database; a sample only gets a closer look if it has some unique aspect to it. The Rekoobe malware, as analyzed by Dr.Web, stood out because it started out targeting Linux systems on the SPARC architecture. There is comparatively little Linux malware, and even less that targets SPARC, since the population of systems available to infect is small. The authors behind Rekoobe have since taken the standard step of extending the malware to additional Linux platforms, namely x86 and x86-64.
Rekoobe does not appear to be especially advanced, but it has the core backdoor functionality: executing commands received from its command-and-control (C&C) server, downloading files to the infected host and uploading files from it. Downloading a file is simply one of the standard commands it accepts from the C&C server; there is nothing exotic about it. That functionality is exactly what an attacker wants in a targeted attack where the goal is to maintain persistence. The malware also keeps its configuration data in a file obfuscated with a simple XOR cipher. A plain string scan of the binary or the file therefore does not turn up indicators such as the C&C address, and combined with the limited attention Linux malware normally receives, that is what makes it hard to detect. Dr.Web's report does not say how the malware gets onto infected systems or whether it exploits any vulnerability to gain access, so the initial infection vector is unknown. Dr.Web now has signatures for it, and network-based antimalware tools could detect its C&C communications. While Rekoobe is of low risk to most enterprises, every system should still have some antimalware protection or a local security monitor. Signatures for all reported Rekoobe samples have been added to antivirus databases such as Dr.Web's, so enterprises should make sure their scanners cover their Linux hosts and are updated to detect this malware.
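The XOR-obfuscated configuration file is the part of this a scanner can still do something with. The following is an added example, not Dr.Web's analysis and not Rekoobe's own code: the configuration layout, the two-byte key and the C&C hostname are all constructed for the demo. It shows that a verbatim indicator match fails against the obfuscated blob, and that a crib-drag on a field name such a config is likely to contain (assumed here to be `host=`) recovers a short repeating key and lets the same indicator match succeed on the decoded data.

```python
"""Added illustration (not Rekoobe's code, format or key): how a XOR-
obfuscated configuration file hides C&C indicators from a plain string
scan, and how a scanner can recover the key with a crib-drag."""
import string

PRINTABLE = set(string.printable.encode())


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. The same call encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# Constructed sample config and key, assumed for this demo only.
SAMPLE_CONFIG = b"host=c2.example.invalid\nport=443\ninterval=60\n"
SAMPLE_KEY = b"\x5a\xa7"
OBFUSCATED = xor_bytes(SAMPLE_CONFIG, SAMPLE_KEY)


def plain_scan(blob: bytes, indicators: list[str]) -> list[str]:
    """Naive signature check: which indicators appear verbatim?"""
    return [ioc for ioc in indicators if ioc.encode() in blob]


def printable_ratio(buf: bytes) -> float:
    """Fraction of bytes that are printable ASCII; a text heuristic."""
    return sum(b in PRINTABLE for b in buf) / max(len(buf), 1)


def recover_key(blob: bytes, crib: bytes, max_key_len: int = 8):
    """Crib-drag for a short repeating XOR key.

    If `crib` (e.g. the field name b'host=') sits at plaintext offset o,
    then key[(o + i) % k] = blob[o + i] ^ crib[i]. A crib at least k bytes
    long fixes every key byte; conflicting derivations reject the (k, o)
    pair. Among consistent pairs, the first one whose full decode looks
    most like text is kept. Returns (key, plaintext) or None.
    """
    best, best_ratio = None, 0.0
    for k in range(1, max_key_len + 1):
        if len(crib) < k:
            break  # crib too short to pin down every key byte
        for o in range(len(blob) - len(crib) + 1):
            key = [None] * k
            consistent = True
            for i, c in enumerate(crib):
                slot = (o + i) % k
                derived = blob[o + i] ^ c
                if key[slot] is None:
                    key[slot] = derived
                elif key[slot] != derived:
                    consistent = False
                    break
            if not consistent:
                continue
            candidate = bytes(key)
            plain = xor_bytes(blob, candidate)
            ratio = printable_ratio(plain)
            if ratio > best_ratio:
                best, best_ratio = (candidate, plain), ratio
    return best


def hunt(blob: bytes, indicators: list[str], crib: bytes = b"host=") -> list[str]:
    """What a smarter scanner does: recover the key, decode, then match."""
    recovered = recover_key(blob, crib)
    if recovered is None:
        return []
    return plain_scan(recovered[1], indicators)


if __name__ == "__main__":
    iocs = ["c2.example.invalid"]
    print("plain scan of obfuscated config:", plain_scan(OBFUSCATED, iocs))
    print("after key recovery:", hunt(OBFUSCATED, iocs))
```

The crib-drag works because a repeating key of length k is fully determined by k consecutive bytes of known plaintext, so the search is linear in the file size rather than exponential in the key. Real samples may use a longer key or a layered encoding, in which case the key length bound and the text heuristic need adjusting; the point is that XOR obfuscation raises the bar for naive string signatures, not for analysis.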
Related Q&A from Nick Lewis