Linux Malware

I downloaded a malware binary for Linux lately and unpacked it. Tried to run it as root, but it didn't work. Googled for 2 hours and found out that instead of /usr/local/bin, the malware unpacked to /usr/bin, for which it doesn't have any write permissions. I found a patched .configure and .make file on some Chinese forum, recompiled and re-ran it, but the malware said it needed the cmalw-lib2.0 library, which ships with CentOS but not Ubuntu. Googled for hours again and found an instruction to build a .deb package from source and installed it. The malware finally started, wrote some logs, wrote a core dump, and crashed. After 1 hour of going through the logs I discovered the malware assumed an underlying ext4 filesystem and tried to call its disk encryption API (which is deprecated under the btrfs filesystem I use) - the kernel noticed and made the partition read-only to the process. So I got fed up, opened the sources, grep'ed the Bitcoin wallet and sent $5 out of pity.

And this is the typical Linux malware experience.
Pretty scary if you ask me...
 

Jeff Strain

May 23, 2022
Sounds to me like it was not well-engineered. Granted, Linux has so many flavors, so it may work better on a certain family. CentOS is from the Red Hat family and Ubuntu is not. As for the filesystem... once again, poorly engineered. Looks like it was a get-it-working-and-ship-it-out type of job with no real quality control. I have seen some pretty wicked stuff. You know you have some good stuff when it not only runs on multiple systems, but looks for other malware that may be installed and kicks it off since it wants to be king of the system. I have some old examples I documented from a client, but I do not think I should share them. That time was a bit of a wild ride.