Linux Malware Targets IoT Devices


In our previous article we referred to the possibility of existing OS malware damaging IoT devices. In the few months since that article was published, we were able to collect samples that show attackers targeting IoT devices that use Linux.

Linux malware flourishing

Until now, Linux had been considered as a safe OS for PCs and servers. However, it seems that this is only because there appeared to be no threats to non-Windows OSs, as malware threats had been mainly targeted at Windows, the predominant OS on most Internet users’ PCs.

Linux malware had already been observed 10 years ago, back in 2005. The figure below shows the number of Linux malware detection patterns and their incremental changes in Trend Micro virus detection pattern files. As of January 1 of this year, there are 1,339 Linux malware patterns. You can also see that incremental changes every quarter. In other words, the number of new types of malware appearing increase every year.

At the beginning of 2016, the quarterly incremental changes continued to reach record levels—244 patterns in the 4th quarter. These figures show that attackers targeting Linux are particularly active going into 2016.

Figure: Cumulative number of patterns, and incremental changes, of Linux malware (prefix ELF_) in Trend Micro pattern files

Figure 1. Cumulative number of patterns, and incremental changes, of Linux malware (prefix ELF_) in Trend Micro pattern files

In terms of market share, the majority of client PCs used by Internet users are Windows. However, in terms of OSs used on public servers such as web servers, etc., Linux has captured a big share.For this reason, many Linux malware targets public servers rather than an unspecified number of Internet users in shotgun attacks. Most of them are backdoor or bot-type malicious programs that enable the external remote control of breached servers.

The attackers enable remote control using a backdoor or a bot. They then use the server as a stepping stone for further illicit activity, such as modifying websites, stealing information from the server, organizing distributed denial of service (DDoS) attacks, and sending spam email. In particular, DDoS attacks have become the main objective of attackers trying to breach Linux.

For example, we know that more than 60% of the 129 new types of Linux malware that appeared between July and September 2016 had DDoS functionality. DDoS would appear to be one of the main objectives of recent attackers.

IoT devices targeted by Linux malware as a “stepping stone”

Recent attacks have demonstrated that targeting IoT devices, as well as existing Linux servers, is an extremely effective method of setting up DDoS attacks, which is a major objective of attackers.

Mirai, a malware that appeared in August, enabled the largest DDoS attack ever by targeting not just Linux servers, but also IoT devices on the Internet. Since the Mirai attack, there has been a clear move to target Linux running on ARM processors that are used by IoT devices. ARM processors consume less power than the x86/x64 processors that are used in most PCs and servers, which are now used in most smartphones and IoT devices.

There is Linux malware that can work on ARM processors and its attacks have been observed since 2015. However, in addition to its capability to work on ARM processors, Mirai has also clearly been targeting IoT devices, as it has attempted attacks using lists of accounts and default passwords used by IoT devices.

After that, the rootkit that was observed in September, “Unbreon” and the “LuaBot” bot also targeted ARM processors. The fact that many types of Linux malware have appeared in such a short span of time and that they all work on ARM processors shows that attackers are already actively treating IoT devices as targets. As the number of IoT devices in use is expected to increase massively in the future, there is a need for security that stops them being used as stepping stones for illicit activity.

Security measures for IoT users and developers

The Linux malware discussed in this article exploit vulnerabilities to attack IoT devices. If you want to use an IoT device, you must first consider whether or not it needs to be directly connected to the Internet.

Furthermore, as well as always enabling password-based authentication for connections to the devices, you should avoid using the default password or passwords that are easy to guess. If you have the option of automating device updates, you should enable that as much as possible and strive to always use the latest version.

Business operators, on the other hand, should try to supply safer IoT devices. Please refer to our guidelines when developing more secure IoT devices. For people who are unfamiliar with IoT security design, we have published: IoT Security Guidelines

Katsuyuki Okamoto
Katsuyuki Okamoto

Trend Micro Inc. Security Evangelist

Katsuyuki joined the Trend Lab Japan Virus Team in 1999 and did extensive product technical support work for many years. He now mainly deals with general network threats as a senior anti-threat analyst in Regional TrendLabs, a domestic specialized research institute established in 2007. As a security evangelist, he constantly strives to raise awareness of security issues and technology.

Recommended Video

Cybersecurity Risks in Complex IoT Environments

Company Information

Security Blog