A new family of Linux malware has been detected. Dubbed Linux/Shishiga, it is still in its early stages but already has the building blocks to become a dangerous threat. Linux/Shishiga was discovered and analyzed by researchers at ESET.
“Among all the Linux samples that we receive every day, we noticed one sample detected only by Dr.Web – their detection name was Linux.LuaBot,” the researchers wrote. After analyzing it, they found that it was indeed a bot written in Lua, a lightweight scripting language, but that it belongs to a brand new family unrelated to the known LuaBot malware. The malware was therefore given a new name, Linux/Shishiga. It uses four protocols (SSH, Telnet, HTTP and BitTorrent) and relies on Lua scripts for modularity.
Systems Targeted by Linux/Shishiga
Linux/Shishiga targets GNU/Linux systems. Infection begins with a widely abused technique: brute-forcing weak credentials from a password list. Linux/Moose spreads in much the same way, but Shishiga adds the ability to brute-force SSH logins as well as Telnet. The researchers found binaries for several architectures common on IoT devices (MIPS, ARM, i686 and PowerPC); others, such as SPARC, SH-4 or m68k, may be supported as well.
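As an added illustration (not ESET's code and not part of the original article), the following script shows the defensive side of the credential guessing described above: it parses sshd authentication lines from a constructed auth.log excerpt, counts failed logins per source address inside a sliding time window, and raises the alert that matters most, a login accepted from the same source after the failure burst. The sample log lines, the 60-second window and the threshold of five failures are choices made for this example; Telnet logins go through login/telnetd rather than sshd and would need their own line pattern.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log excerpt for this example: a password-list burst from one
# source that ends in a successful "root" login, plus a benign user. Not real host data.
SAMPLE_AUTH_LOG = """\
Apr 24 10:01:02 gw sshd[1201]: Failed password for root from 198.51.100.23 port 41022 ssh2
Apr 24 10:01:03 gw sshd[1203]: Failed password for invalid user admin from 198.51.100.23 port 41030 ssh2
Apr 24 10:01:04 gw sshd[1205]: Failed password for invalid user pi from 198.51.100.23 port 41041 ssh2
Apr 24 10:01:05 gw sshd[1207]: Failed password for root from 198.51.100.23 port 41055 ssh2
Apr 24 10:01:06 gw sshd[1209]: Failed password for invalid user ubnt from 198.51.100.23 port 41062 ssh2
Apr 24 10:01:07 gw sshd[1211]: Failed password for invalid user support from 198.51.100.23 port 41070 ssh2
Apr 24 10:01:09 gw sshd[1213]: Accepted password for root from 198.51.100.23 port 41081 ssh2
Apr 24 10:15:30 gw sshd[1400]: Failed password for alice from 203.0.113.7 port 50011 ssh2
Apr 24 10:15:41 gw sshd[1402]: Accepted publickey for alice from 203.0.113.7 port 50012 ssh2
"""

# OpenSSH "Failed password" / "Accepted password|publickey" lines. "invalid user" appears
# when the account does not exist at all, which is typical of password-list attacks.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line, year=2017):
    """Parse one sshd syslog line; syslog omits the year, so the caller supplies it."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(log_text, window_seconds=60, threshold=5):
    """Flag source IPs with >= threshold failed logins inside any window_seconds span.

    Returns {ip: {"failures": n, "users": [...], "success_after_burst": bool}}.
    success_after_burst is the alert that matters: a login accepted from the same
    source after the threshold was crossed means the password list probably worked.
    """
    events = [e for e in (parse_line(line) for line in log_text.splitlines()) if e]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "Failed"]
        burst_at = None
        start = 0
        for end, f in enumerate(fails):  # sliding window over the failure timestamps
            while (f["ts"] - fails[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                burst_at = f["ts"]  # moment the threshold was first crossed
                break
        if burst_at is None:
            continue
        alerts[ip] = {
            "failures": len(fails),
            "users": sorted({f["user"] for f in fails}),
            "success_after_burst": any(
                e["result"] == "Accepted" and e["ts"] >= burst_at for e in evs
            ),
        }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        flag = "COMPROMISE LIKELY" if info["success_after_burst"] else "brute force"
        print(f"{ip}: {info['failures']} failures, users={info['users']} -> {flag}")
```

On the sample above, 198.51.100.23 is reported with six failures across five account names and a successful root login after the burst, while 203.0.113.7 (one failed attempt, then a key-based login) is not flagged. The list of attempted usernames is worth keeping in the alert: a run of admin, pi, ubnt and support against one host is a clear sign of an IoT-oriented password list rather than a user mistyping.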
Linux/Shishiga Technical Description
Shishiga is a binary packed with UPX (Ultimate Packer for eXecutables). The UPX tool itself may have trouble unpacking the sample, because the malware appends extra data to the end of the packed file. Once unpacked, the binary turns out to be statically linked with the Lua runtime library and stripped of all symbols.
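To show what "data appended to the end of the packed file" does to UPX, here is an added example (not the ESET researchers' tooling and not part of the original article). It walks the tail of a file looking for the 32-byte UPX PackHeader, checks the header's one-byte checksum the way UPX does (sum of the bytes between the magic and the checksum byte, modulo 251), reads the 4-byte overlay offset that UPX writes after the header on ELF targets, and reports how many bytes trail the real end of the packed image. The stock unpacker only looks for this header in a short fixed window at the end of the file, so a few hundred appended bytes are enough to make `upx -d` give up; trimming the file back to the trailer is the usual first attempt. The sample bytes are constructed (a fake ELF body with a hand-built header, not a real packed binary), and the field layout, checksum rule and search-window behaviour follow the UPX source as assumed here; confirm them against the UPX version actually in use.

```python
import struct
import sys

UPX_MAGIC = b"UPX!"
PACKHEADER_SIZE = 32            # PackHeader size for ELF targets (UPX header version > 9)
TRAILER_SIZE = PACKHEADER_SIZE + 4  # PackHeader followed by a 4-byte overlay_offset


def packheader_checksum(hdr):
    """UPX's 1-byte header checksum: bytes between the magic and the checksum byte, mod 251."""
    return sum(hdr[4:PACKHEADER_SIZE - 1]) % 251


def parse_packheader(hdr):
    """Decode the 32-byte PackHeader. Raises ValueError on bad magic or checksum."""
    if len(hdr) != PACKHEADER_SIZE or hdr[:4] != UPX_MAGIC:
        raise ValueError("no UPX! magic")
    if hdr[PACKHEADER_SIZE - 1] != packheader_checksum(hdr):
        raise ValueError("PackHeader checksum mismatch")
    version, fmt, method, level = hdr[4:8]
    u_adler, c_adler, u_len, c_len, u_file_size = struct.unpack_from("<5I", hdr, 8)
    return {"version": version, "format": fmt, "method": method, "level": level,
            "u_adler": u_adler, "c_adler": c_adler, "u_len": u_len, "c_len": c_len,
            "u_file_size": u_file_size, "filter": hdr[28], "filter_cto": hdr[29]}


def analyze_tail(data):
    """Find the last checksum-valid PackHeader anywhere in the file (not just in the
    short window upx -d searches) and report how many bytes were appended after it."""
    off = data.rfind(UPX_MAGIC)
    header = None
    while off != -1:
        try:
            header = parse_packheader(data[off:off + PACKHEADER_SIZE])
            break
        except ValueError:
            off = data.rfind(UPX_MAGIC, 0, off)  # keep looking further back
    if header is None:
        return None
    trailer_end = off + TRAILER_SIZE
    overlay_offset = None
    if len(data) >= trailer_end:
        overlay_offset = struct.unpack_from("<I", data, off + PACKHEADER_SIZE)[0]
    return {"header_offset": off, "header": header, "overlay_offset": overlay_offset,
            "appended_bytes": max(0, len(data) - trailer_end)}


def strip_appended(data):
    """Return the file truncated right after the UPX trailer, so upx -d can find it again."""
    info = analyze_tail(data)
    if info is None:
        raise ValueError("no valid UPX PackHeader found")
    return data[:info["header_offset"] + TRAILER_SIZE]


def build_sample():
    """Constructed stand-in for a tampered packed file: fake ELF body (with a decoy
    'UPX!' whose checksum is wrong), a hand-built PackHeader, the overlay_offset word,
    and 300 junk bytes appended. Field values are arbitrary; this is not runnable code."""
    body = b"\x7fELF" + b"\x00" * 60 + b"UPX!\x01\x02\x03\x04" + b"\x00" * 496
    hdr = bytearray(UPX_MAGIC)
    hdr += bytes([13, 12, 2, 8])  # version, format, method, level (sample values)
    hdr += struct.pack("<5I", 0x11223344, 0x55667788, 40000, 16000, 40960)
    hdr += bytes([0x49, 0, 0])    # filter, filter_cto, n_mru (sample values)
    hdr.append(sum(hdr[4:]) % 251)  # checksum over bytes 4..30
    return bytes(body + hdr + struct.pack("<I", 0x80) + b"J" * 300)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    info = analyze_tail(data)
    if info is None:
        print("no valid UPX PackHeader found")
    else:
        print(f"PackHeader at {info['header_offset']:#x}, UPX header version "
              f"{info['header']['version']}, overlay_offset={info['overlay_offset']:#x}, "
              f"{info['appended_bytes']} bytes appended after the trailer")
```

If the trimmed copy still makes `upx -d` complain, the sample was likely packed with a modified UPX build (altered magic, scrambled header fields or a patched stub), and the practical fallback is to run it under a debugger or emulator and dump the decompressed image from memory rather than repairing the file on disk.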
The researchers observed parts of the malware being rewritten over a couple of weeks, with new testing modules added and redundant files removed.
The researchers also find the combination of the Lua scripting language with a statically linked Lua interpreter interesting. It could mean one of two things: either the attackers inherited the code and tailored it to the various targeted architectures, or they chose Lua simply because it is easy to work with.
There are quite a few similarities to LuaBot samples, but the researchers consider Linux/Shishiga a distinct family. The number of victims is low so far, yet the malware is expected to evolve and spread further; the constant code changes are a clear sign that it is being actively improved.
In conclusion, Linux/Shishiga looks like most Linux malware in that it spreads through weak Telnet and SSH credentials, but its use of the BitTorrent protocol and Lua modules makes it somewhat unusual. BitTorrent was also used by Hajime, the Mirai-inspired worm, so the protocol may become more popular with Linux malware in the months to come.