{"id":155986,"date":"2024-05-08T00:12:35","date_gmt":"2024-05-07T21:12:35","guid":{"rendered":"https:\/\/computingforgeeks.com\/?p=155986"},"modified":"2024-05-08T00:12:38","modified_gmt":"2024-05-07T21:12:38","slug":"detect-and-analyze-linux-malware-and-attacks","status":"publish","type":"post","link":"https:\/\/computingforgeeks.com\/detect-and-analyze-linux-malware-and-attacks\/","title":{"rendered":"How to Detect and Analyze Linux Malware and Attacks: Botnets, Miners, and More"},"content":{"rendered":"\n<p>Linux is built on open-source code, and most of that code reaches a system through public package repositories. That openness is itself an attack surface: an emerging trend among attackers is to create fake repositories and packages containing malware disguised as real software. Traditional threat vectors, such as phishing emails and unpatched internet-facing services, also leave Linux systems exposed to malware. Here are three common types of attacks targeting Linux systems.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">1. Botnets<\/h2>\n\n\n\n<p>A botnet is a network of compromised devices running malware that hands the attacker full control of them. The attacker manipulates these endpoints through command-and-control (C2) infrastructure, forcing them to engage in malicious activities. Some of the most widespread uses of botnets include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Distributed denial of service (DDoS) attacks<\/li>\n\n\n\n<li>Spam campaigns<\/li>\n\n\n\n<li>Traffic forwarding (proxying)<\/li>\n<\/ul>\n\n\n\n<p>In many cases an infected device scans for and infects other reachable systems, on the same network or across the internet. 
This self-propagation lets a botnet grow to thousands of infected devices, giving attackers the capacity for large-scale operations.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Analyzing a Mirai Botnet Attack<\/h3>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/lh7-us.googleusercontent.com\/3zjklklSt5Q721qWFk0zWsVKaCae7JyN4UhdL7v1rqsMyMpBjHTZb22jz0US_x0bGQdkcEw0sVvvSOxocH98pk_VHUfx2g8hgBSycqt-ssGKTDRfDUJUNQTRAH36YipJX_rPaKIQv7mPZizswc7qQg\" width=\"602\" height=\"332\" alt=\"\" title=\"\"><\/figure>\n\n\n\n<p><em>Users can learn more about the threats identified during the analysis process<\/em><\/p>\n\n\n\n<p>Among botnets affecting Linux-based devices, Mirai is one of the most widespread. It targets internet-of-things (IoT) devices such as routers and IP cameras that still use default credentials: its scanner tries a short list of factory usernames and passwords over Telnet and hijacks any device that accepts one. There are now dozens of Mirai variants because the original authors leaked its source code in 2016, and copies have been mirrored on GitHub ever since, available to any threat actor for free.<\/p>\n\n\n\n<p>Thanks to tools like <a href=\"https:\/\/any.run\/?utm_source=computingforgeeks&amp;utm_medium=article&amp;utm_campaign=botnets-miners&amp;utm_content=landing&amp;utm_term=080524\" target=\"_blank\" rel=\"noreferrer noopener\">the ANY.RUN sandbox<\/a>, we can study the behavior of botnets like Mirai in real time and get insights into their operation in seconds.<\/p>\n\n\n\n<p>All we need to do is upload <a href=\"https:\/\/app.any.run\/tasks\/1d643d97-e689-4f73-a9de-de125d86228a\/?utm_source=computingforgeeks&amp;utm_medium=article&amp;utm_campaign=botnets-miners&amp;utm_content=tasks1&amp;utm_term=080524\" target=\"_blank\" rel=\"noreferrer noopener\">a sample of the malware<\/a> (click to view the sandbox analysis session) to the service and observe the activity produced by its execution.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" 
src=\"https:\/\/lh7-us.googleusercontent.com\/HSRnF_65zovoQirSux52uo-2mkAESAZyCLh6m1on1KLkWo6Dxz_Y0BZ06n6fwwgCyMAqbmV68-L4LB36XOJb74kExLYxDP3M8mj3nNG40PdOVT_pNdNxkFmSysQRTDMhzO-qmXTPiWOg0cnMc-ahfg\" alt=\"\" title=\"\"><\/figure>\n\n\n\n<p><em>The <a href=\"https:\/\/computingforgeeks.com\/how-to-install-suricata-ids-ips-on-debian\/\">Suricata<\/a> rule employed by the service to detect Mirai\u2019s presence<\/em><\/p>\n\n\n\n<p>ANY.RUN lays out the network traffic generated by the sample and labels it as malicious using the built-in <a href=\"https:\/\/computingforgeeks.com\/install-suricata-on-rocky-linux-8almalinux-8\/\">Suricata<\/a> engine, a signature-based network IDS that matches traffic against rules encoding known threat indicators such as C2 addresses, protocol quirks, and payload strings. Keep the limitation of that approach in mind: a variant that changes its C2 protocol or infrastructure will not match an existing rule, so the sandbox\u2019s behavioral view (processes spawned, files written, ports opened) is the second thing to check.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td>Try malware analysis in ANY.RUN yourself. It\u2019s completely free for all users with a business email. <a href=\"https:\/\/app.any.run\/?utm_source=computingforgeeks&amp;utm_medium=article&amp;utm_campaign=botnets-miners&amp;utm_content=register&amp;utm_term=080524#register\" target=\"_blank\" rel=\"noreferrer noopener\">Sign up now<\/a><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">2. Crypto Malware (Cryptojacking)<\/h2>\n\n\n\n<p>Crypto malware uses the processing power of infected endpoints to mine cryptocurrency for the attacker, typically Monero, whose proof-of-work algorithm is designed to run well on ordinary CPUs. Because mining is a brute-force search for a valid hash, such threats saturate the host\u2019s CPU, degrading its performance and draining its computational resources.<\/p>\n\n\n\n<p>Miners reach Linux machines through various means, including phishing emails, trojanized software downloads, brute-forced SSH credentials, and vulnerabilities in unpatched internet-facing software. 
Once installed, crypto malware often runs quietly, for example by renaming its process and adding a cron job or systemd unit so that it survives reboots.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Analyzing Crypto Malware<\/h3>\n\n\n\n<p>Check out <a href=\"https:\/\/app.any.run\/tasks\/ef737605-7b0e-44b1-ba0e-58763694caba\/?utm_source=computingforgeeks&amp;utm_medium=article&amp;utm_campaign=botnets-miners&amp;utm_content=tasks2&amp;utm_term=080524\" target=\"_blank\" rel=\"noreferrer noopener\">this analysis in a sandbox<\/a>, where you can monitor the execution of a miner in an Ubuntu cloud VM.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh7-us.googleusercontent.com\/EJc14BQyk2nYWfhVk_6pRPa2i4YJ1V9qnqc9LZAiSe3BtCqCD5-ULh_p-dISYL7Nu3kyDKTQeot2oKfJHcGnh_pzBFohKz27-vzxKFDSsrvW0bdZSXxh0Y-JcJn4KxJled1TF5R2fezo6Jt1hFVSWg\" alt=\"\" title=\"\"><\/figure>\n\n\n\n<p><em>CPU and RAM graphs showing maximum usage<\/em><\/p>\n\n\n\n<p>The CPU and RAM usage graphs show an immediate spike in activity after the launch of the malware. A load that jumps to the ceiling and stays there is characteristic of a miner, which consumes every core it can get; on a production host the same symptom appears as a load average pinned near the core count with an unfamiliar process at the top of the process list. A spike alone is not proof (a backup or build job looks similar), so pair it with the network evidence below.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh7-us.googleusercontent.com\/3ib203j7r3vXF-sagR6nbVlBr0PdSQtZwt2So_zda3PN-kO8EJ5Zza90yBIVHbh3qfZr7Y7ic4DTFlYU8XrEh4Skif_17PkKiljBP4qP-d2chucZ4dLpTuJy1FByQ9aYZHKij9SDEmc56e91dKbUdg\" alt=\"\" title=\"\"><\/figure>\n\n\n\n<p><em>The DNS requests tab displays numerous entries<\/em><\/p>\n\n\n\n<p>We can also view the crypto malware\u2019s network traffic. 
Within 4 minutes it attempts over 270,000 requests, a volume no legitimate workload on a single VM produces and an easy thing to alert on from resolver or flow logs.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh7-us.googleusercontent.com\/5nFYKpJdCaih2c3BBpkTdUFgLAxOutKIa6zZEUKdZJC2Ynr4MkhkVkbxVxpX6wmUqx1oY7Hq7OBaT3xffGQDu-gcgVe66aBN4fywhy2Gl9QPK3WPRXDOtH3WlVjuOwS5nl5XBUKto8kvIfoLLZC4RA\" alt=\"\" title=\"\"><\/figure>\n\n\n\n<p><em>The service offers a transparent view of the malicious activity<\/em><\/p>\n\n\n\n<p>The sandbox summarizes what the miner\u2019s process does as behavioral signatures, including:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u201cChecks DMI information\u201d, a common virtual-machine check: SMBIOS\/DMI strings such as the system manufacturer and product name reveal hypervisors like VMware, QEMU, or VirtualBox.<\/li>\n\n\n\n<li>\u201cChecks active cgroups controllers (like CPU time, system memory, network bandwidth)\u201d, consistent with sizing the mining threads to the CPU and memory limits imposed on the container or VM.<\/li>\n\n\n\n<li>\u201cExecutes commands using command-line interpreter\u201d, typically used for persistence (cron jobs, service files) and for killing competing miners.<\/li>\n<\/ul>\n\n\n\n<p>Together these tactics serve two goals: entrenching the crypto malware on the device and tuning its resource consumption so that it is not noticed.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">3. DDoS Attacks<\/h2>\n\n\n\n<p>As mentioned, botnets frequently engage in DDoS attacks that aim to overwhelm a network or server with a high volume of traffic, rendering it unavailable to users. Organizations face this risk from both sides: their infrastructure can be the target of such attacks and, if it gets infected by a botnet, an unwitting participant in them. Protecting against DDoS therefore means both absorbing inbound floods (upstream scrubbing, rate limiting, spare capacity) and monitoring outbound traffic so that a compromised host that suddenly opens thousands of connections is caught quickly.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Understanding and Analyzing DDoS Attacks on Linux Systems<\/h3>\n\n\n\n<p>A sandbox can help you see all the steps of a DDoS attack. 
<a href=\"https:\/\/app.any.run\/tasks\/27d96717-028e-4cbb-a9f1-ad94e762b5eb\/?utm_source=computingforgeeks&amp;utm_medium=article&amp;utm_campaign=botnets-miners&amp;utm_content=tasks3&amp;utm_term=080524\" target=\"_blank\" rel=\"noreferrer noopener\">The session<\/a> features a Linux system that has been compromised and has joined a botnet in a DDoS attack.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh7-us.googleusercontent.com\/7yEQG-hGOwZMCJ42DJA9EPT3fHIfBRt9Tfe3n-ZHSw55qQOh8pOQOTjniqt8HsMKak2jQHZ-YAF7Vr57Ssz2S--rwz0_LkvH4eDCeXahMEZfsf4TVkwsiCAUOEAToIuBdAqtHVmsWC1_PwSLAfRIcA\" alt=\"\" title=\"\"><\/figure>\n\n\n\n<p><em>The Connections tab exposes the DDoS attack details<\/em><\/p>\n\n\n\n<p>The service lists thousands of connections made by the device within seconds. That burst of outbound connections from a single host is the signal to look for in your own flow logs: a web server or workstation has no reason to open thousands of connections per second on its own.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Analyze Linux and Windows Malware with Ease<\/h2>\n\n\n\n<p>With ANY.RUN, a sandbox for analyzing malware, you can get a verdict on a suspicious file or link in under 40 seconds and without any hassle. 
For an in-depth analysis, the service offers customizable Windows and Linux virtual machines for comprehensive investigations:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Interact with the VM like you would on an actual computer<\/li>\n\n\n\n<li>View network and registry activities, processes, and other attack details<\/li>\n\n\n\n<li>Download reports with IOCs<\/li>\n<\/ul>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/?utm_source=computingforgeeks&amp;utm_medium=article&amp;utm_campaign=botnets-miners&amp;utm_content=register&amp;utm_term=080524#register\" target=\"_blank\" rel=\"noreferrer noopener\">Sign up for a free account now<\/a> and analyze unlimited malware samples!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Linux is built on open-source code. This, however, introduces many security risks. Just take an emerging trend among attackers of creating fake repositories containing malware disguised as real software. There are also traditional threat vectors, such as phishing emails that make Linux systems vulnerable in the face of malware. 
Here are three common types of &#8230; <a title=\"How to Detect and Analyze Linux Malware and Attacks: Botnets, Miners, and More\" class=\"read-more\" href=\"https:\/\/computingforgeeks.com\/detect-and-analyze-linux-malware-and-attacks\/\" aria-label=\"Read more about How to Detect and Analyze Linux Malware and Attacks: Botnets, Miners, and More\">Read more<\/a><\/p>\n","protected":false},"author":3,"featured_media":155990,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[299,119,75,832],"tags":[39129],"class_list":["post-155986","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-how-to","category-news","category-security","category-tech","tag-analyze-linux-malware-and-attacks"],"_links":{"self":[{"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/posts\/155986","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/comments?post=155986"}],"version-history":[{"count":0,"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/posts\/155986\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/media\/155990"}],"wp:attachment":[{"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/media?parent=155986"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/categories?post=155986"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/tags?post=155986"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
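The article above reads its indicators off the sandbox UI: a Suricata signature match on Mirai traffic, a miner's DNS request volume, and a DDoS participant's burst of connections. The following Python script is an added example, not part of the original article and not ANY.RUN's code, that turns those indicators into detection logic run over a constructed set of flow and DNS records, and adds one Mirai-specific network check (its Telnet scanner fills the TCP initial sequence number with the destination IPv4 address) and one miner-specific one (a Stratum JSON-RPC login, the protocol XMRig and similar miners use to talk to a pool). The record layout loosely follows Suricata eve.json field names, but the `tcp_seq` and `payload` fields, the thresholds, and every address, timestamp, and wallet string are assumptions made for the demo.

```python
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

DNS_QUERIES_PER_MIN = 1000   # assumption: tune to your resolver's baseline
CONNECTIONS_PER_SEC = 200    # assumption: tune to the host's normal fan-out
STRATUM_METHODS = {"login", "mining.subscribe", "mining.authorize"}
TS_FMT = "%Y-%m-%dT%H:%M:%S.%f"


def stratum_agent(payload):
    """Return the client agent if `payload` is a Stratum (JSON-RPC) mining login,
    else None. XMRig sends {"method":"login","params":{"agent":"XMRig/6.x ...",...}}."""
    try:
        msg = json.loads(payload)
    except (TypeError, ValueError):      # None or non-JSON payloads are not Stratum
        return None
    if not isinstance(msg, dict) or msg.get("method") not in STRATUM_METHODS:
        return None
    params = msg.get("params")
    agent = params.get("agent") if isinstance(params, dict) else None
    return agent or "unknown-stratum-client"


def mirai_scan_signature(rec):
    """Mirai's Telnet scanner sets the TCP initial sequence number to the destination
    IPv4 address, so seq == int(dest_ip) on a SYN to 23/2323 is a strong indicator."""
    if rec.get("proto") != "TCP" or rec.get("dest_port") not in (23, 2323):
        return False
    if "tcp_seq" not in rec:             # flow-only telemetry cannot make this call
        return False
    return rec["tcp_seq"] == int(ipaddress.IPv4Address(rec["dest_ip"]))


def peak_rate(stamps, window):
    """Largest number of events falling inside any sliding time window."""
    stamps = sorted(stamps)
    best = lo = 0
    for hi, t in enumerate(stamps):
        while t - stamps[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def triage(records):
    """Run every check; returns {src_ip: [finding, ...]} for flagged hosts only."""
    findings = defaultdict(list)
    dns_ts, flow_ts = defaultdict(list), defaultdict(list)
    for rec in records:
        src, ts = rec["src_ip"], datetime.strptime(rec["timestamp"], TS_FMT)
        if rec["event_type"] == "dns":
            dns_ts[src].append(ts)
        elif rec["event_type"] == "flow":
            flow_ts[src].append(ts)
            agent = stratum_agent(rec.get("payload"))
            if agent:
                findings[src].append(
                    f"stratum login to {rec['dest_ip']}:{rec['dest_port']} agent={agent}")
            if mirai_scan_signature(rec):
                findings[src].append(f"mirai-style telnet scan of {rec['dest_ip']}")
    for src, stamps in dns_ts.items():          # miner-style DNS storm
        n = peak_rate(stamps, timedelta(minutes=1))
        if n > DNS_QUERIES_PER_MIN:
            findings[src].append(f"dns storm: {n} queries in one minute")
    for src, stamps in flow_ts.items():         # DDoS-participant connection burst
        n = peak_rate(stamps, timedelta(seconds=1))
        if n > CONNECTIONS_PER_SEC:
            findings[src].append(f"connection burst: {n} flows in one second")
    return dict(findings)


def sample_records():
    """Constructed telemetry (not real captures). Field names loosely follow
    Suricata eve.json; `tcp_seq` and `payload` are additions for the demo."""
    base, recs = datetime(2024, 5, 8, 12, 0, 0), []

    def add(event_type, src, dst, port, offset_ms, **extra):
        recs.append({"timestamp": (base + timedelta(milliseconds=offset_ms)).strftime(TS_FMT),
                     "event_type": event_type, "src_ip": src, "dest_ip": dst,
                     "dest_port": port, "proto": "TCP", **extra})

    login = json.dumps({"id": 1, "jsonrpc": "2.0", "method": "login", "params": {
        "login": "wallet", "pass": "x", "agent": "XMRig/6.21.0"}})
    add("flow", "10.0.0.5", "203.0.113.10", 3333, 0, payload=login)   # miner -> pool
    for i in range(1500):                                              # 1500 queries in 30 s
        add("dns", "10.0.0.5", "10.0.0.2", 53, i * 20, proto="UDP")
    for i in range(300):                                               # 300 flows in under 1 s
        add("flow", "10.0.0.7", "198.51.100.20", 80, 60_000 + i * 3)
    add("flow", "10.0.0.9", "192.168.1.1", 23, 70_000,                # Mirai seq quirk
        tcp_seq=int(ipaddress.IPv4Address("192.168.1.1")))
    for i in range(5):                                                 # quiet host
        add("dns", "10.0.0.3", "10.0.0.2", 53, 80_000 + i * 1000, proto="UDP")
    add("flow", "10.0.0.3", "198.51.100.50", 443, 90_000)
    return recs


if __name__ == "__main__":
    for host, hits in triage(sample_records()).items():
        print(host, *hits, sep="\n  ")
```

The rate checks are the ones that transfer directly to real Suricata or Zeek output, since flow and DNS events carry the source, timestamp, and destination used here; the Stratum and Mirai checks need packet payload or TCP header fields, which a flow log does not include, so on real data they belong in an IDS rule or a packet-level parser rather than in this script.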