Linux-based computers are numerous and are an integral component of the internet backbone, but Linux malware has increasingly targeted low-power Internet of Things (IoT) devices. With billions of internet-connected devices such as vehicles, refrigerators, and network equipment online, IoT devices have become a prominent target for malware and distributed denial of service (DDoS) attacks, in which junk data is aimed at flooding a target and knocking it offline.
Although ransomware is currently wreaking havoc on the malware scene in a deluge of high-profile attacks, a recent study on Linux security finds it only ranks third among the top threat kinds. Such shift in attitude stems in part from an increasing recognition among Linux hobbyists and system administrators that a compromised Linux system, such as a web server, presents attackers with a high return on investment.' In addition, malware research has improved visibility into the dangers that Linux systems face in recent years.
In 2021, the XorDDoS, Mirai, and Mozi malware families and variants emerged to be the most prevalent, accounting for over 22% of all IoT Linux-targeting malware, according to an analysis of the current Linux threat landscape.
XorDDoS is a Linux trojan that has been developed for a variety of Linux architectures, including ARM, x86, and x64. It gets its name from the fact that it uses XOR encryption in malware and network connection with the C2 infrastructure. XorDDoS variations on Linux PCs demonstrate that operators monitor and hunt for Docker servers with the 2375 port open. The port provides an unencrypted Docker socket and remote root passwordless access to the host, both of which can be exploited by attackers to get root access to the machine.
Mozi is a P2P botnet network that uses the distributed hash table (DHT) architecture and implements its own expanded DHT. Mozi can mask C2 communication behind a significant volume of valid DHT traffic thanks to DHT's distributed and decentralized lookup method.
By brute-forcing SSH and Telnet ports, Mozi attacks computers. It then blocks those ports to prevent additional malicious actors or viruses from overwriting them.
Mirai virus has earned a name for itself in recent years, especially when its creator made the source code public. Mirai, like Mozi, employs brute-force assaults to infiltrate devices using weak protocols and passwords, such as Telnet.
Many business-critical applications use Linux as one of their core operating systems. Protecting Linux servers, which can be found on-premises as well as in private and public clouds, necessitates a solution that delivers runtime protection and visibility for all Linux hosts, independent of location.
