Linux Malware - An ever growing list 2022.

Most Linux users are happily unaware of the everyday problems that Windows users face with different kinds of Malware.

Malware is a catch-all term for various malicious software, including viruses, adware, spyware, browser hijacking software, fake security software and ransomware.

If I were to write about all the Windows malware that exists, I would never be able to finish this article.

Note: This list might be incomplete, but I will continue to update this as and if I find more.

Some statistics from attacks on Linux systems in 2021:

Trend Micro reported more than 13 million malware attacks on Linux systems between January and June of 2021.
By distribution, CentOS Linux was the most targeted, followed by CloudLinux, with Ubuntu and Red Hat Enterprise rounding out the top four.

Let's meet the Linux malware:

According to a study published by Crowdstrike, Linux malware grew 35% in 2021 compared to 2020.

Botnets:

A botnet is a network of private computers that hackers have infected with malicious software. The hackers then control these computers remotely without the knowledge of their owners. Cybercriminals might then use the computers they've infected to flood other servers with traffic to shut down targeted websites.

Known Linux Botnets:

  • Anchor_Linux - TrickBot's Anchor - Originally for Windows but ported to Linux in 2020. When installed it automatically runs the following crontab entry: */1 * * * * root [filename]. There are over 28 different plugins developed for it. To infect Windows devices, Anchor_Linux copies the embedded TrickBot malware to Windows hosts on the same network using SMB and the IPC$ share. Read more here from ESET.
     
  • EnergyMech 2.8 overkill mod - designed to infect servers with its bot and operated over the IRC protocol for DDoS and for spreading itself.
  • GafGyt/BASHLITE/Qbot - a DDoS botnet that spreads via weak SSH and Telnet passwords; first discovered during the Bash Shellshock vulnerability.
  • Hydra, Aidra, LightAidra and NewAidra – another form of powerful IRC botnet that infects Linux boxes.
  • Linux.Remaiten – a threat targeting the Internet of Things.
  • LuaBot – a botnet whose modules are written in the Lua programming language and cross-compiled inside a C wrapper with libc. It targets Internet of Things devices on ARM, MIPS and PPC architectures and is used for DDoS, for spreading Mirai, or for selling proxy access to cybercriminals.
  • Mayhem – 32/64-bit Linux/FreeBSD multifunctional botnet.
  • Mirai – a DDoS botnet that spreads through the Telnet service and is designed to infect Internet of Things (IoT) devices.
     
  • Mozi - Discovered in 2019 by 360 Netlab. Mozi is a peer-to-peer (P2P) botnet that uses the Distributed Hash Table (DHT) system to implement its own extended DHT. The distributed, decentralised lookup mechanism provided by the DHT allows Mozi to hide C2 traffic behind a large amount of legitimate DHT traffic, and the DHT lets Mozi rapidly grow its P2P network. Furthermore, because it uses an extension of the DHT, its traffic is not associated with normal traffic, which makes the C2 traffic more difficult to detect.
     
  • Panchan Botnet - Discovered in 2022. From Japan comes a new peer-to-peer (P2P) botnet written in GoLang that spreads between networks using stolen SSH keys and runs its crypto-mining malware in a device's memory. It also contains a worm. To avoid detection and reduce traceability, the malware drops its cryptominers as memory-mapped files, without any disk presence. It also kills the cryptominer processes if it detects any process monitoring. Read more at the Akamai blog.
     
  • RapperBot - Discovered in 2022. Focuses on brute-forcing its way into Linux SSH servers. It is based on the Mirai trojan but deviates from the original. RapperBot exclusively scans for and attempts to brute-force SSH servers configured to accept password authentication. Read more at Fortinet.
     
  • Roboto - This botnet infects Linux servers via the Webmin RCE vulnerability (CVE-2019-15107), which allows attackers to run malicious code with root privileges and take over older Webmin versions.
     
  • Sysrv-K - A Monero-mining botnet that targets Windows and Linux web servers. "A new behavior observed in Sysrv-K is that it scans for WordPress configuration files and their backups to retrieve database credentials, which it uses to gain control of the web server."
     
  • Tsunami IRC botnet - Tsunami botnet can build a parasitic relationship with a widely deployed P2P system.
     
  • Windigo - ESET report.
    Windigo’s components:
    - Linux/Ebury runs mostly on Linux servers. It provides a root backdoor shell and has the ability to steal SSH credentials.
    - Linux/Cdorked runs mostly on Linux web servers. It provides a backdoor shell and distributes Windows malware to end users via drive-by downloads.
    - Linux/Onimiki runs on Linux DNS servers. It resolves domain names with a particular pattern to any IP address, without the need to change any server-side config.
    - Perl/Calfbot runs on most Perl supported platforms. It is a lightweight spam bot written in Perl.
    - Win32/Boaxxe.G, a click fraud malware, and Win32/Glubteta.M, a generic proxy, run on Windows computers.
    - "These are the two threats distributed via drive-by download."

Malware:

  • BPFDoor - 2018 - An active Chinese global surveillance tool for Linux. So far 21 different versions of it exist. It allows a threat actor to backdoor a system for remote code execution without opening any new network ports or firewall rules. For example, if a web app is listening on port 443, the implant can listen and react on that same port and be reached over it, even with the web app still running. This is possible because it uses a BPF packet filter.
     
  • Capoae - Discovered in 2021. Written in Go, this strain targets Linux systems and WordPress installations.
     
  • Lightning Framework Malware - Discovered 2022. Has modular plugins and the ability to install multiple types of rootkits. The framework has both passive and active capabilities for communication with the threat actor, including opening up SSH on an infected machine. The downloader module starts by checking if it is located in the working directory /usr/lib64/seahorses/ under the name kbioset. Read more at Intezer.
     
  • OrBit - July 2022 - New Undetected Linux Threat Uses Unique Hijack of Execution Flow.
     
  • Skidmap - Linux malware, notable for the way it loads malicious kernel modules to keep its cryptocurrency mining operations under the radar. The malware installs itself via crontab. Read more at TrendMicro.

Ransomware:

Ransomware is a type of malware from cryptovirology that threatens to publish the victim's personal data or perpetually block access to it unless a ransom is paid. While some simple ransomware may lock the system without damaging any files, more advanced malware uses a technique called cryptoviral extortion. It encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them.

In 2020, approximately 1,300 ransomware victims had their data exposed on leak sites. This almost doubled in 2021, with 2,435 victims exposed. Source here.

Known Linux Ransomware:

  • AvosLocker Ransomware - AvosLocker seems to be targeting the VMware ESXi virtual machines and Virtual Machine File System (VMFS) files.
     
  • Babuk Locker, also known internally as Babyk ( Babuk V2 ) - The Babuk group hires hackers with knowledge of pentesting tools — including winPEAS, Bloodhound, and SharpHound — or hacking frameworks such as CobaltStrike, Metasploit, Empire, or Covenant to run targeted attacks on big enterprises. Read more at McAfee.
     
  • BlackBasta - Discovered 2021. Like other ransomware variants targeting Linux systems, BlackBasta encrypts the /vmfs/volumes folder. This is where virtual machines on ESXi servers are stored. Encrypting the files here will render VMs unusable. Kaspersky reports attacks in the US, Brazil, a few in Europe and Asia.

    Note: If it cannot find this folder, however, the ransomware exits.
     

  • BlackCat - First discovered November 2021. Ransomware-as-a-Service (RaaS) by ALPHV. BlackCat provides many behaviors and processes that have become accepted as standard ransomware fare, such as AES or ChaCha20 encryption and automatic deletion of shadow copies. It is CLI-based and the first ransomware to be written in the Rust programming language. Threat actors using BlackCat demand ransoms totaling several million U.S. dollars, to be paid in Bitcoin or Monero cryptocurrency.
     
  • Blackmatter - First discovered July 2021. Ransomware-as-a-Service (RaaS). Read more here.
     
  • Cheerscrypt Ransomware - Based on leaked Babuk source code. Specifically targets VMware ESXi servers. Read more at TrendMicro.
     
  • Conti - Exploits VMware vCenter Server instances through the Log4j vulnerabilities. The U.S. State Department has put up a reward of $10 million for information related to the identity or location of Conti's leaders as well as $5 million for information leading to the arrest of any Conti co-conspirator from any country. A report on this Ransomware group here.
     
  • DarkRadiation - Targets Red Hat and Debian-based Linux Distributions. Read more at TrendMicro.
     
  • Darkside - First discovered in October 2020. DarkSide is a newer ransomware-as-a-service (RaaS). Targets virtual machine-related files on VMware ESXi servers. Read more at TrendMicro.
     
  • GwisinLocker Ransomware - Discovered on 4 August 2022. Encrypts Linux VMware ESXi servers. Besides this it supports encrypting virtual machines and Windows. So far it only targets South Korean healthcare, industrial, and pharmaceutical companies. The threat actor seems to be of Korean origin. Read more at ReversingLabs.
     
  • HelloKitty Ransomware - Targets VMware ESXi Servers and is used by Vice Society. Read more at Heimdal Security.
     
  • Hive Ransomware - Written in GoLang. According to ESET Research Labs, its Linux version is buggy, with encryption failing completely when the malware is executed with an explicit path.
     
  • Linux.Encoder (also known as ELF/Filecoder.A and Trojan.Linux.Ransom.A) - Considered to be the first ransomware Trojan targeting computers running Linux.
  • Lilocked Ransomware - Also known as Lilu. Lilocked stealthily infiltrates the system and encrypts stored data. It adds the ".lilocked" extension to files.
     
  • Lockbit Linux-ESXi Locker - First discovered in 2019. The newest version of Lockbit specifically targets ESXi servers and encrypts vCenter infrastructure as well as the VMs themselves. The group behind it operates it on a ransomware-as-a-service (RaaS) model. The software exfiltrates vast amounts of data prior to encrypting the target's assets.
    Version 2.0 exploits publicly exposed RDP ports, relies on phishing emails to download malicious payloads, or uses unpatched server flaws to let its affiliates gain remote access to the targeted network. Read more here.
     
  • Luna Ransomware - Russian-made, for Russian-speaking affiliates. It is a simple ransomware written in Rust with limited capabilities, and it uses a not-so-common encryption scheme, combining a fast and secure X25519 elliptic curve Diffie-Hellman key exchange over Curve25519 with the Advanced Encryption Standard (AES) symmetric encryption algorithm. Infects Linux, Windows and VMware ESXi systems. Read more at Kaspersky.
     
  • PYSA - Discovered in December 2019. Added Linux support via ChaChi, a Golang-based DNS tunneling backdoor, giving the operators access to millions of websites hosted on the platform.
     
  • RansomEXX - Also known as Defrat777. RansomEXX is human operated. Read more at TrendMicro.
     
  • Ransom.Linux.SODINOKIBI.AA - Read more at TrendMicro.
     
  • RedAlert (N13V) - Encrypts both Windows and Linux VMware ESXi servers. The Linux encryptor is built to target VMware ESXi servers, with command-line options that let the threat actors shut down any running virtual machines before encrypting files. The group only accepts Monero.
     
  • Tycoon Ransomware - Discovered December 2019. The Tycoon payload arrives with a booby-trapped ZIP archive that contains a malicious Java Runtime Environment (JRE) component and infects both Linux and Windows machines.

Rootkits:

A rootkit is a set of applications designed to infect a target PC and let an attacker install tools that grant them full, persistent admin-level remote access to the computer. This type of malware typically hides in plain sight, so most antivirus software will not detect it. This is why it is important that you download chkrootkit and rkhunter and run them on your system.

Known Linux Rootkits:

  • 55808 Trojan - Variant A
  • 64-bit Linux Rootkit
  • ADM Worm
  • Adore Rootkit
  • AjaKit rootkit
  • Ambient (ark) Rootkit
  • Anonoying rootkit
  • aPa Kit
  • Balaur Rootkit
  • BeastKit Rootkit
  • beX2 Rootkit
  • BOBKit Rootkit
  • cb Rootkit
  • Danny-Boy's Abuse Kit
  • Devil RootKit
  • Diamorphine LKM
  • Dica-Kit Rootkit
  • Dreams Rootkit
  • Duarawkz Rootkit
  • Ducoci rootkit
  • Ebury backdoor ( Ebury SSH )
  • ENYELKM rootkit
  • ESRK rootkit
  • Flea Linux Rootkit
  • Fuck`it Rootkit
  • Fu Rootkit
  • GasKit Rootkit
  • Gold2 rootkit
  • Heroin LKM
  • HjC Kit
  • ignoKit Rootkit
  • IntoXonia-NG Rootkit
  • Irix Rootkit
  • Jynx2 Rootkit
  • Jynx Rootkit
  • KBeast Rootkit
  • Kitko Rootkit
  • Knark Rootkit
  • ld-linuxv.so Rootkit
  • LKM Rootkit
  • Lockit / LJK2 Rootkit
  • LOC rootkit
  • Madalin rootkit
  • Mokes backdoor
  • Mood-NT Rootkit
  • MRK Rootkit
  • Ni0 Rootkit
  • Ohhara Rootkit
  • Oz Rootkit
  • Phalanx2 Rootkit
  • Phalanx Rootkit
  • Portacelo Rootkit
  • ProcessHider Rootkit - ProcessHider is a rootkit that is widely used in various malicious software programs.
  • R3dstorm Toolkit
  • RH-Sharpe's Rootkit
  • Romanian Rootkit
  • RSHA's Rootkit
  • Sebek LKM
  • ShKit Rootkit
  • Shutdown Rootkit
  • SHV4 Rootkit
  • SHV5 Rootkit
  • Sin Rootkit
  • Snakso – a 64-bit Linux webserver rootkit
  • Sneakin Rootkit
  • Spanish Rootkit
  • Suckit Rootkit
  • Superkit Rootkit
     
  • Symbiote Rootkit - Discovered November 2021. Symbiote differs from other Linux malware in that it needs to infect other running processes to inflict damage on infected machines. Instead of being a standalone executable file, it is a shared object library that is loaded into all running processes. Once installed, it gives full rootkit functionality. Harvested credentials are stored locally, then hex encoded, chunked up and transmitted disguised as DNS requests.

    “In addition to the rootkit capability, the malware provides a backdoor for the threat actor to log in as any user on the machine with a hardcoded password, and to execute commands with the highest privileges.”

    The researchers have two recommendations: First, keep an eye on network telemetry and watch anomalous DNS requests. Second, statically link all AV and EDR software so Symbiote can't render itself invisible from them as well. Read more here.
     

  • Syslogk Linux Rootkit - Discovered June 2022. The malware is under heavy development, and its authors appear to base their project on Adore-Ng, an old open-source rootkit. Syslogk can force-load its modules into Linux kernel 3.x versions, hide directories and network traffic, and eventually load a backdoor called "Rekoobe", as reported by Avast.
     
  • T0rn Rootkit
  • TBD (Telnet BackDoor)
  • TeLeKiT Rootkit
  • trNkit Rootkit
  • Trojanit Kit
  • Tuxtendo Rootkit
     
  • Umbreon Linux Rootkit (named after a Pokémon creature) - Can't be installed automatically: the attacker needs either physical or remote access to the machine for an infection to happen. Umbreon is a Level 3 rootkit. It works at the user level and doesn't place objects deeper within the system, which, in theory at least, means it should be easier to deal with than some other threats. Umbreon injects itself into the libc and libcap libraries.
     
  • URK Rootkit
  • Vampire Rootkit
  • VcKit Rootkit
  • Volc Rootkit
  • Xzibit Rootkit
  • zaRwT.KiT Rootkit
  • ZK Rootkit
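The Symbiote entry above says stolen credentials leave the host hex encoded and chunked into DNS queries, and the researchers' first recommendation is to watch for anomalous DNS requests. The following is an added example, not code from the page or from any of the research it cites: it scans constructed resolver-style log lines, flags query names whose subdomain labels are all hexadecimal and long enough to be data, and decodes the chunks so an analyst can see what left the host. It assumes the registrable domain is the last two labels, which a real deployment would replace with a public suffix list lookup.

```python
import re
from typing import Dict, List, Optional

# Constructed resolver-style log lines ("client query-name"); not real traffic.
# The third line imitates the pattern described for Symbiote: credentials hex
# encoded, split into chunks and sent as the labels of a DNS query name.
SAMPLE_DNS_LOG = """\
10.0.0.5 www.debian.org
10.0.0.5 security.debian.org
10.0.0.5 61646d696e3a5365.6372657431.exfil-example.test
10.0.0.7 mirrors.kernel.org
10.0.0.7 0a1b2c3d.updates.example.test
"""

HEX_RE = re.compile(r"[0-9a-f]+")


def hex_subdomain_payload(qname: str, min_hex_chars: int = 16) -> Optional[str]:
    """Return the joined hex chunks if every subdomain label of qname is hex
    and the total is long enough to be data rather than a short hostname.
    Assumption: the registrable domain is the last two labels."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 3:
        return None
    joined = "".join(labels[:-2])
    if len(joined) < min_hex_chars or len(joined) % 2 or not HEX_RE.fullmatch(joined):
        return None
    return joined


def decode_payload(hexdata: str) -> str:
    """Decode the hex chunks so the analyst can see what was exfiltrated."""
    return bytes.fromhex(hexdata).decode("utf-8", errors="replace")


def scan_dns_log(text: str) -> List[Dict[str, str]]:
    """Return one finding per query name that looks like hex-chunked data."""
    findings = []
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) < 2:
            continue
        client, qname = parts[0], parts[1]
        payload = hex_subdomain_payload(qname)
        if payload is not None:
            findings.append({"client": client, "qname": qname,
                             "decoded": decode_payload(payload)})
    return findings


if __name__ == "__main__":
    for f in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{f['client']} -> {f['qname']}: decoded {f['decoded']!r}")
```

The second host's query (0a1b2c3d.updates.example.test) is not flagged because one of its subdomain labels is an ordinary word; only names built entirely from hex labels trip the check.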

Trojans:

A Trojan horse is a type of malicious code or software that looks legitimate but can take control of your computer. A Trojan is designed to damage, disrupt, steal, or in general inflict some other harmful action on your data or network. However, it can't replicate itself like a virus; for a Trojan to work it needs user interaction.

There are several different trojans:

Backdoor Trojans - Creates a “backdoor” on your computer and lets the attacker access your computer and control it. Your data can be downloaded by a third party and stolen. Or more malware can be uploaded to your device.

Distributed Denial of Service (DDoS) attack Trojan - Performs DDoS attacks to take down a network by flooding it with traffic.

Downloader Trojan - Uses an already infected computer to download and install new versions of malicious programs.

Fake Antivirus Trojan - Behaves like antivirus software, but demands money from you to detect and remove fake threats on your computer. (Windows systems.)

Game-thief Trojan - Seeks to steal online gamers' account information. (Windows systems.)

Infostealer Trojan - It is after data on your infected computer.

Mailfinder Trojan - Seeks to steal the email addresses on your device.

Ransom Trojan - Seeks a ransom to undo damage it has done, including blocking your data or impairing your computer’s performance.

Remote Access Trojan (RAT) - Can give an attacker full control over your computer via a remote network connection. Its uses include stealing your information or spying on you.

Trojan banker - Designed to steal your account information for everything you do online, including banking, credit card, and bill pay data.

There are other examples, but most malware is made for Windows or Android smartphones.

Known Linux trojans:

  • Backdoor.Linux.KINSING.A - First discovered in 2020 - aka Linux/Shmusho!MSR. Read more at TrendMicro.
     
  • Effusion – 32/64-bit injector for Apache/Nginx web servers (7 Jan 2014).
  • Hand of Thief – Banking trojan, 2013.
  • Hummingbad – has infected over 10 million Android devices. User details are sold and adverts are tapped without the user's knowledge, thereby generating fraudulent advertising revenue.
  • Kaiten – Linux.Backdoor.Kaiten trojan horse
     
  • Linux.BtcMine.174 - Discovered 2018. Once the trojan has a foothold on the system, it uses one of two privilege escalation exploits, CVE-2016-5195 (also known as Dirty COW) or CVE-2013-2094, to get root permissions and full access to the OS. The trojan first scans for and terminates the processes of several rival cryptocurrency-mining malware families, then downloads and starts its own Monero-mining operation.
     
  • Linux.ProxyM - Discovered 2017. Cybercriminals use it to send spam and to hack websites. Read more at Dr.Web.
     
  • Manjusaka - Remote Access Trojan - Discovered 2022. Chinese made. Can give an attacker full control over your computer via a remote network connection; its uses include stealing your information or spying on you. Written in Rust, its features include executing arbitrary commands and harvesting browser credentials from Google Chrome, Microsoft Edge, Qihoo 360, Tencent QQ Browser, Opera, Brave, and Vivaldi.

    It also gathers Wi-Fi passwords, captures screenshots and obtains system information. Read more at Cisco Talos Intelligence.
     

  • NyaDrop – a small Linux backdoor compiled from Linux shellcode, used to infect Linux boxes with larger Linux malware.
  • PNScan – a Linux trojan that targets routers and spreads itself, worm-like, within a specific targeted network segment.
  • Rexob – Linux.Backdoor.Rexob trojan.
  • SpeakUp – a backdoor trojan that infects six different Linux distributions and macOS devices.
     
  • SysJoker Trojan - Discovered January 2022. SysJoker installs a backdoor.
    The malware is written in C++, and while each variant is tailored to the targeted operating system, they were all undetected on VirusTotal, an online malware scanning site that uses 57 different antivirus detection engines. SysJoker disguises itself as a system update and generates its command and control (C2) infrastructure by decoding a string retrieved from a text file hosted on Google Drive.

    On Linux, the files and directories are created under "/.Library/" while persistence is established by creating the following cron job: @reboot (/.Library/SystemServices/updateSystem). It needs to be removed manually!
     

  • Tsunami.gen – Backdoor.Linux.Tsunami.gen
  • Turla – HEUR:Backdoor.Linux.Turla.gen
  • Waterfall screensaver backdoor – on gnome-look.org
  • XorDDoS – a trojan malware that hijacks Linux systems and uses them to launch DDoS attacks which have reached loads of 150+ Gbps.
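Two entries on this page persist through cron: Anchor_Linux installs an every-minute root job (*/1 * * * * root [filename]) and SysJoker installs an @reboot job that runs from the hidden directory /.Library/. The following is an added example, not code from the page or from any vendor it cites: a small crontab checker that parses /etc/crontab-style text (schedule, user, command) as well as per-user crontab output and flags entries that match those two persistence patterns. The sample crontab is constructed, and the /tmp/.cache path stands in for the page's "[filename]" placeholder.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in /etc/crontab style (user field before the command); not
# captured from a real system. The first two jobs mirror the persistence entries
# described on this page (Anchor_Linux's every-minute root job, SysJoker's
# @reboot job under /.Library/); the other two are ordinary packaged jobs.
SAMPLE_CRONTAB = """\
# /etc/crontab
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
*/1 * * * * root /tmp/.cache/anchor_linux_placeholder
@reboot root (/.Library/SystemServices/updateSystem)
17 * * * * root cd / && run-parts --report /etc/cron.hourly
0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf
"""

SPECIAL_SCHEDULES = {"@reboot", "@yearly", "@annually", "@monthly",
                     "@weekly", "@daily", "@hourly"}
# Locations where a legitimately packaged cron job normally lives.
TRUSTED_PREFIXES = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/",
                    "/usr/local/bin/", "/usr/local/sbin/", "/etc/cron")
PATH_RE = re.compile(r"/[^\s;&|()'\"]*")   # absolute paths inside a command


@dataclass
class CronEntry:
    schedule: str
    user: Optional[str]   # None for per-user crontabs, which carry no user field
    command: str
    raw: str


def parse_crontab(text: str, system_style: bool = True) -> List[CronEntry]:
    """Parse crontab text. system_style=True means /etc/crontab or /etc/cron.d
    format (schedule, user, command); False means 'crontab -l' output."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank line, comment or variable assignment
        fields = line.split()
        if fields[0] in SPECIAL_SCHEDULES:
            schedule, rest = fields[0], fields[1:]
        elif len(fields) >= 6:
            schedule, rest = " ".join(fields[:5]), fields[5:]
        else:
            continue
        user = None
        if system_style and rest:
            user, rest = rest[0], rest[1:]
        if rest:
            entries.append(CronEntry(schedule, user, " ".join(rest), raw))
    return entries


def is_every_minute(schedule: str) -> bool:
    return schedule.split()[0] in ("*", "*/1")


def in_hidden_dir(path: str) -> bool:
    return any(part.startswith(".") for part in path.split("/") if part)


def suspicious_reasons(entry: CronEntry) -> List[str]:
    """Heuristics for the persistence patterns described on this page."""
    paths = PATH_RE.findall(entry.command)
    trusted = any(p.startswith(TRUSTED_PREFIXES) for p in paths)
    reasons = []
    if any(in_hidden_dir(p) for p in paths):
        reasons.append("command runs from a hidden (dot) directory")
    if entry.schedule == "@reboot" and not trusted:
        reasons.append("@reboot persistence outside standard binary locations")
    if is_every_minute(entry.schedule) and not trusted:
        who = entry.user or "crontab owner"
        reasons.append(f"every-minute job as {who} outside standard binary locations")
    return reasons


def scan_crontab(text: str, system_style: bool = True) -> List[Tuple[str, List[str]]]:
    findings = []
    for entry in parse_crontab(text, system_style):
        reasons = suspicious_reasons(entry)
        if reasons:
            findings.append((entry.raw, reasons))
    return findings


if __name__ == "__main__":
    for raw, reasons in scan_crontab(SAMPLE_CRONTAB):
        print(raw)
        for reason in reasons:
            print("   ->", reason)
```

On a live system the same functions can be fed the contents of /etc/crontab and /etc/cron.d/* (system style) and each user's crontab -l output (user style); the two packaged jobs in the sample produce no findings.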

Viruses:

Viruses are the most commonly known form of malware and potentially the most destructive. They can do anything from erasing the data on your computer to hijacking it to attack other systems, send spam, or host and share illegal content.

Known Linux viruses:

  • Alaeda – Virus.Linux.Alaeda
  • Arches
  • Binom – Linux/Binom
  • Bliss – "Requires root privileges"
  • Brundle
  • Bukowski
  • Caveat
  • Cephei – Linux.Cephei.A (and variants)
  • Coin
  • Hasher
  • Lacrimae (aka Crimea)
  • MetaPHOR (also known as Simile)
  • Nuxbee – Virus.Linux.Nuxbee.1403
  • OSF.8759
  • PiLoT
  • Podloso – Linux.Podloso (The iPod virus)
  • RELx
  • Rike – Virus.Linux.Rike.1627
     
  • RotaJakito Backdoor - First discovered in 2018. It went unnoticed for three years. It behaves differently depending on whether it is installed under a normal user account or the root account. The malware varies its use of encryption to fly under the radar, including ZLIB compression and combinations of AES, XOR and key rotation during its activities, such as obfuscating its command-and-control (C2) server communication. Read more at Netlab360.
     
  • RST – Virus.Linux.RST.a (known for infecting Korean release of Mozilla Suite 1.7.6 and Thunderbird 1.0.2 in September 2005.)
  • Staog
  • Vit – Virus.Linux.Vit.4096
  • Winter – Virus.Linux.Winter.341
  • Winux (also known as Lindose and PEElf)
  • Wit virus
  • Zariche – Linux.Zariche.A (and variants)
  • ZipWorm – Virus.Linux.ZipWorm

Worms:

A worm is a form of malware that replicates itself and can spread to other computers over the network. The main objective of worms is to eat up system resources. However, they can be detected and removed by antivirus solutions.

Known worms for Linux:

  • Adm – Net-Worm.Linux.Adm
  • Adore
  • Bad Bunny – Perl.Badbunny
  • Cheese – Net-Worm.Linux.Cheese
  • Devnull
  • Kork
  • Linux.Darlloz – targets home routers, set-top boxes, security cameras and industrial control systems.
  • Linux/Lion
  • Linux/Lupper.worm
  • Mighty – Net-Worm.Linux.Mighty
  • Millen – Linux.Millen.Worm
  • Ramen worm - "Targets only Red Hat Linux distributions versions 6.2 and 7.0"
  • Slapper
  • SSH Bruteforce

Now compare the above with this information for Malware on Windows:

According to AV-Test, 83.45 percent of all newly developed malware programs concentrated on the Windows operating system in 2020.

That was back in 2020, but during 2021 over 100 million pieces of malware were made for Windows users.

The data used in Atlas VPN’s analysis was compiled by independent research institute AV-TEST GmBH.

Windows was never really designed with security in mind, even though plenty of Windows fans out there would claim otherwise.

In Linux, if you want to execute a file, you have to make it executable yourself by setting the appropriate permissions, so malware can't just auto-execute once downloaded.

Something to think about....

Note: This page will be updated with more Malware for Linux, should I discover some.
