Linux Security: A Closer Look at the Latest Linux Threats


In many ways, Linux is similar to other operating systems such as Windows, and OS X. Like other operating systems, Linux has a graphical user interface, as well as comparable versions of software commonly used on other operating systems. Its uses are as diverse as any other OS, making Linux a favored platform for use in certain areas such as web serving, networking, and databases.

However, Linux is also different from other operating systems in a number of significant ways. It is open source software, which means that the code used to create Linux is free and available for the public to view, edit, and—for users with technical skills—contribute to. The Linux kernel creator, Linus Torvalds, encouraged contributors to keep their contributions free, and because it’s free and runs on PC platforms, it gained a considerable audience among hardcore developers quickly.  This has made Linux incredibly customizable as users can choose core components to fit their needs.

Companies and organizations have adopted Linux as an important—if not the primary—component of their enterprise platform. However, the platform's ever-growing popularity has also revealed an increased number of security risks, as evidenced by a recent string of attacks. Here are some of the most recent Linux-based threats:

Rex (August 2016) – the Rex Linux ransomware (detected by Trend Micro as RANSOM_ELFREXDDOS) initially emerged in May 2016 and was found targeting Drupal websites with site admins claiming that their websites were “being locked.” This ransomware has reportedly been updated over the past three months, however, and now appears to be known as Rex.

According to Trend Micro analysis, the new version of Rex is capable of turning infected systems into bots that it uses to perform DDoS attacks. Rex launches Remote Procedure Control (RPC) plug-ins and scans for vulnerabilities in common Linux server software, such as, DrupalRESTWS scanner, WordPress scanner, ContactScanner scanner, Magento scanner, Kerner scanner, Airos scanner, Exagrid scanner, Jetspeed scanner, and RansomScanner scanner. Rex is also known to request bitcoins as payment. Upon failure to pay the ransom, the server is made more susceptible to DDoS attacks, and payment price is increased.

Mirai (August 2016) – Mirai (identified by Trend Micro as ELF_GAFGYT), discovered in early August, targets both Linux servers and IoT devices, mainly DVRs running Linux-based firmware to use infected systems as botnets to launch DDoS attacks. According to findings, Mirai is a spinoff of an older Trojan also used for DDoS attacks known under names such as Gafgyt, Bashdoor, Torlus, BASHLITE, and others.

Umbreon (September 2016)– the Trend Micro Forward-looking Threat Research team recently obtained samples of a new rootkit family apparently named after a Pokemon. Called Umbreon (detected by Trend Micro as ELF_UMBREON), this rootkit family targets Linux systems, including systems running both Intel and ARM (Raspberry Pi) processors, thus expanding the scope of this threat to include embedded devices. Umbreon is capable of persisting between reboots, intercepting network traffic, intercepting and altering terminal commands, and opening a connection that gives an attacker access to the victim’s device.

Umbreon’s development began in early 2015, but its developer has been known to be active in the cybercriminal underground since at least 2013. The researchers also stressed that Umbreon is very difficult to detect, as rootkits are designed to be stealthy, keeping itself and other malware hidden from administrators, analysts, users, scanning, forensic, and system tools.

LuaBot (September 2016) – LuaBot (detected by Trend Micro as ELF_LUABOT) is the latest addition to the recent string of malware designed to affect Linux systems. Based on initial findings, like Mirai, LuaBot compromises both Linux servers and IoT devices, and is most likely used to create bots for DDoS attacks. The LuaBot trojan is packed as an ELF binary that targets ARM platforms, which are usually found on IoT devices. Details on LuaBot’s distribution and infection mechanism are still limited.

Defense against threats that target Linux systems

The latest Linux threats highlight the importance of securing the system just like any other system in the enterprise network. Server administrators and system admins should use a multi-layered approach as it is not enough to exclusively rely on network security; endpoint attack vectors such as smartphones must also be secured where possible. Trend Micro ServerProtect effectively protects against malware, rootkits, and other data-stealing malware while simplifying and automating security operations on Linux servers, and storage systems.

Trend Micro Deep Security can also protect Linux servers from attacks like Fairware. It protects enterprise file servers—which house large volumes of valuable corporate data from attacks via a compromised end user, alerting administrators, and stopping suspicious activity in its tracks. It also provides early detection of an attack, including brute force and lateral movement from server to server, enabling immediate action to be taken to mitigate the potential impact.


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.