It seems like nearly every week, sometimes every few days, security researchers discover a new crypto miner. The latest discovery is not only a crypto miner also installs a rootkit and another strain of malware that can execute DDoS attacks. Malware targeting Linux users is not as common an occurrence as Windows-based malware strains but as time goes by they appear to become far more complex and multi-functional. Security researchers at Dr.Web, a Russian based security firm, discovered the malware which as of yet has not been named. As it stands the malware is referred to by its generic detection name of Linux.BtcMine.174.
Calling the miner a crypto miner is incorrect. The malware is probably best described as a trojan given its multi-faceted nature. The trojan can be seen as a good example of the evolution currently seen in Linux malware as despite its generic name it more complex than the majority of Linux malware strains detected. The trojan itself is a giant shell script of over 1,000 lines of code. This script is the first file executed on an infected Linux system. The first thing this script does is to find a folder on disk to which it writes permissions so it can copy itself and later use to download other modules.
Once the trojan has gained access to the system it exploits two vulnerabilities to get root permissions and have full access to the operating system. Those vulnerabilities being CVE-2016-5195, also known as Dirt Cow, and CVE-2013-2094. The trojan then sets itself up as a local daemon. A daemon is best described as a computer program that runs as a background process, rather than being under the direct control of an interactive user. It is for that reason, namely running as a background process, that they have been favored by malware developers.
After the trojan has a firm grasp on the infected host, it then moves on to executing its primary function for which it was designed for, which is cryptocurrency mining. The trojan first scans and terminates the processes of several rival cryptocurrency-mining malware families in an attempt to eliminate the competition. It will then download and start its own Monero-mining operation. It will also run the Bill.Gates trojan a malware strain known for enabling DDoS attacks but which also comes with many backdoor-like functions.
The trojan has another party trick to help get the job done. The malware will look for process names associated with Linux-based antivirus solutions, and kill their execution. Researchers noted that the trojan will stop antivirus processes that have names such as safedog, aegis, yunsuo, clamd, avast, avgd, cmdavd, cmdmgd, drweb-configd, drweb-spider-kmod, esets, and xmirrord. Given the malware's ability to gain privileged access to an infected system one would assume the developers would be content with their creation. Sadly, that is not the case.
The developers further enabled the trojan to add itself as an autorun entry to files like /etc/rc.local, /etc/rc.d/..., and /etc/cron.hourly; and then downloads and runs a rootkit. Researchers stated that the rootkit component has even more intrusive features which include, “the ability to steal user-entered passwords for the su command and to hide files in the file system, network connections, and running processes.” Expert readers will notice that an ability to spread laterally across networks has not been mentioned. Here the generic trojan does not disappoint and includes a function to that collects information about all the remote servers the infected host has connected via SSH and will try to connect to those machines as well. Researchers believe that the use of this SSH self-spreading component is the main delivery method for the malware.
It is important to note that because the trojan relies on stealing valid SSH credentials even careful Linux system administrators are at risk. To that effect, Dr.Web has uploaded SHA1 file hashes for the trojan's various components on GitHub, in case some system administrators want to scan their systems for the presence of this relatively new threat.
Dangers Beyond Mining
When cryptominers burst onto the malware scene they were assumed to be relatively harmless especially when compared to ransomware. Your files are not encrypted or access to your system barred. Merely your CPU resources were used to mine cryptocurrencies for another morally ambivalent individual or group. As time passed this assumption is proving not to be merely false but dangerous.
In the above example the malware may be primarily a crypto miners but by disabling antivirus processes the infected system is now far more vulnerable to further infections. That is merely one scenario which does not include any other of the function mentioned above. In October 2018, Fortinet published a blog article hoping to dispel this assumption once and for all. In it, Fortinet warned that organizations should not underestimate the threat posed by cryptominers. Their argument centers on the fact that cryptominers give attackers a foothold into PCs which can be exploited to deliver more damaging malware in future.
Anthony Giandomenico, a senior security researcher at Fortinet's FortiGuard Labs told ZDNet that,
“What we're finding out is that this particular malware also has other nefarious activities that it does while it's mining for cryptocurrency… It will disable your antivirus, open up different ports to reach out to command and control infrastructure, it can download other malware. Basically, it's reducing or limiting your security shields, opening you up to lots more different types of attacks.”
Dr.Web’s research only further proves this point. Further, it is been seen more frequently than those distributing the crypto miners could easily use their malware to perform far more damaging attacks. Fortinet figures suggest that 2018 has seen a 38 percent jump in the number of platforms affected by cryptojacking, with 20 percent of the security firm's users coming under attack from a form of mining malware. These stats appear not to be slowing indicating that the threat is only likely to increase as more device are being connected to the internet.