Jump to content
  • Linux hit by a rather nasty persistent virus

    aum

    • 284 views
    • 2 minutes

    Time for a lockdown


    Security researchers at Intezer Labs have identified a sophisticated new malware family, named OrBit, that targets Linux systems.


    OrBit is rather nasty: it hides its presence, including its own network activity, by manipulating what the functions it hooks report. The implant is a shared library that hooks functions in other shared libraries (libc above all), a common pattern in Linux malware, but it combines that with what Intezer describes as “advanced evasion techniques” and “remote capabilities over SSH.”


    OrBit stores the output of executed commands in specific files on the targeted machine. It accepts arguments that customise the installation path and other settings such as the payload content. There are two installation modes: under /lib/ for persistence across reboots, and under /dev/shm/ (shared memory, a RAM-backed tmpfs whose contents vanish on reboot) for a volatile install.


    The dropper prepares the environment and writes Python scripts that interact with the filesystem to deliver the payload and execute it with high privileges. It hijacks shared libraries through the dynamic linker's preload mechanism (the LD_PRELOAD environment variable and its system-wide counterpart, /etc/ld.so.preload), which makes the loader map the malicious library into every dynamically linked process ahead of libc, so its exported functions override the real ones. The same approach is used by other Linux malware, such as Symbiote. Stolen data is likewise written to specific files on the targeted machine.


    The module “hooks multiple functions to prevent them from outputting information that might reveal the existence of the malicious shared library in the running processes or the files that are being used,” the researchers wrote.
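A check a practitioner would want after reading the two paragraphs above, added here as an example and not code from the Intezer report or from OrBit: a small Python script that looks for the traces a preloaded hooking library has to leave in places the kernel, rather than the hooked C library, reports. It parses /etc/ld.so.preload (the system-wide counterpart of LD_PRELOAD), looks for LD_PRELOAD in each process's environment block, and flags executable mappings in /proc/<pid>/maps that are on a preload list, live under /dev/shm or another volatile or world-writable directory, sit outside the usual library directories, or have been unlinked. The directory lists, the sample library names (libexample_hook.so and friends) and the sample /proc data are constructed for illustration.

```python
"""Hunt for preload-based shared-library hijacking on a Linux host.
Added example for this post, not code from the Intezer report or from OrBit.
Directory lists, file names and sample data are assumptions for illustration."""
import json
import os
import re
from pathlib import Path

# Where a legitimate shared object normally lives (assumption; adjust per distro).
TRUSTED_LIB_PREFIXES = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/",
                        "/usr/local/lib/", "/opt/", "/snap/")
# RAM-backed or world-writable locations; OrBit's volatile install uses /dev/shm.
VOLATILE_PREFIXES = ("/dev/shm/", "/tmp/", "/var/tmp/", "/run/")
# /proc/<pid>/maps columns: address perms offset dev inode [pathname]
MAPS_LINE = re.compile(r"^\S+ (\S{4}) \S+ \S+ (\d+)\s*(.*)$")

def parse_preload(text: str) -> list[str]:
    """Paths from an /etc/ld.so.preload-style list (whitespace or colon
    separated; '#' to end of line is a comment)."""
    paths = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        paths.extend(p for p in re.split(r"[:\s]+", line) if p)
    return paths

def ld_preload_from_environ(environ_blob: bytes) -> list[str]:
    """Libraries named by LD_PRELOAD in a NUL-separated /proc/<pid>/environ blob."""
    for entry in environ_blob.split(b"\0"):
        if entry.startswith(b"LD_PRELOAD="):
            value = entry[len(b"LD_PRELOAD="):].decode(errors="replace")
            return [p for p in re.split(r"[:\s]+", value) if p]
    return []

def suspicious_mapped_libs(maps_text: str, preload_paths=(), exe: str = "") -> set[str]:
    """Executable file mappings that are on the preload list, unlinked
    '(deleted)', under a volatile directory or outside trusted library paths.
    The process's own binary (exe) is exempt."""
    preload = set(preload_paths)
    flagged = set()
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if not m:
            continue
        perms, inode, path = m.groups()
        if "x" not in perms or inode == "0" or not path.startswith("/"):
            continue  # anonymous memory, [vdso], [stack] and friends
        clean = path.replace(" (deleted)", "")
        if clean == exe:
            continue
        if (path.endswith("(deleted)") or clean in preload
                or clean.startswith(VOLATILE_PREFIXES)
                or not clean.startswith(TRUSTED_LIB_PREFIXES)):
            flagged.add(path)
    return flagged

def audit_process(exe: str, environ_blob: bytes, maps_text: str, system_preload=()) -> dict:
    """All three checks for one process; an empty dict means nothing found."""
    env_preload = ld_preload_from_environ(environ_blob)
    libs = suspicious_mapped_libs(maps_text, [*system_preload, *env_preload], exe)
    if not env_preload and not libs:
        return {}
    return {"exe": exe, "LD_PRELOAD": env_preload, "libs": sorted(libs)}

def audit_live_host() -> dict:
    """Walk the real /proc. Root is needed to read other users' environ;
    unreadable or vanished processes are skipped."""
    preload_file = Path("/etc/ld.so.preload")
    system_preload = parse_preload(preload_file.read_text()) if preload_file.is_file() else []
    findings = {"ld_so_preload": system_preload, "processes": {}}
    pids = os.listdir("/proc") if os.path.isdir("/proc") else []
    for pid in filter(str.isdigit, pids):
        base = f"/proc/{pid}"
        try:
            exe = os.readlink(f"{base}/exe")
            environ = Path(f"{base}/environ").read_bytes()
            maps = Path(f"{base}/maps").read_text(errors="replace")
        except OSError:
            continue
        hit = audit_process(exe, environ, maps, system_preload)
        if hit:
            findings["processes"][int(pid)] = hit
    return findings

# Constructed sample standing in for one process on a compromised host.
SAMPLE_PRELOAD_FILE = "/lib/libexample_hook.so  # constructed entry\n"
SAMPLE_ENVIRON = b"PATH=/usr/bin\0LD_PRELOAD=/dev/shm/.cache/libexample.so\0HOME=/root\0"
SAMPLE_MAPS = """\
55d1c0000000-55d1c0020000 r-xp 00000000 fd:01 1234      /usr/bin/sshd
7f0000000000-7f0000100000 r-xp 00000000 fd:01 5678      /usr/lib/x86_64-linux-gnu/libc.so.6
7f0000200000-7f0000210000 r-xp 00000000 00:1a 91        /dev/shm/.cache/libexample.so
7f0000300000-7f0000310000 r-xp 00000000 fd:01 77        /lib/libexample_hook.so
7f0000400000-7f0000410000 r-xp 00000000 fd:01 78        /usr/lib/libgone.so (deleted)
7f0000500000-7f0000510000 r--p 00000000 fd:01 79        /usr/lib/libdata_only.so
7ffc00000000-7ffc00020000 rw-p 00000000 00:00 0         [stack]
"""

def audit_sample() -> dict:
    """The checks run on the constructed sample; works on any OS."""
    return audit_process("/usr/bin/sshd", SAMPLE_ENVIRON, SAMPLE_MAPS,
                         parse_preload(SAMPLE_PRELOAD_FILE))

if __name__ == "__main__":
    print(json.dumps({"sample": audit_sample(), "live": audit_live_host()}, indent=2))
```

Run it as root for a complete view. The caveat: the script is itself a dynamically linked process, so Python's open() and os.listdir() go through libc, and a library that hooks those functions to hide its own files can lie to this script as well. /proc is harder to tamper with from userland than the malware's own directory, but for a confident answer run the same checks from a statically linked binary, or from a rescue boot against the mounted disk, and compare the two views.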


    Hiding is only half of it. By hooking functions in Linux PAM (Pluggable Authentication Modules) to steal login information from SSH connections, the attackers gain remote access over SSH while the same hooks keep that network activity out of sight. The malware is also hard to remove while the machine is running, because it uses two persistence methods “in case one of them goes away.”


    If administrators delete the file or restore the original version, the malware recreates or repatches it. It can also monitor and filter its own network activity: it hooks functions such as bind and connect to record the IP addresses and ports it uses in a .ports file inside the malware folder, and hooks packet-capture callbacks such as pcap_packet_callback so that packets matching those endpoints are filtered out of what capture tools on the host see.


    Signature-based antivirus is unlikely to catch a threat like OrBit, which is built specifically to evade it. The threat actors behind the malware clearly understand Linux internals, and their approach may well inspire other groups. Some security vendors have updated their detections since Intezer's publication, but others still do not detect the threat.

     

