The surge of Linux-infecting malware has caught the eye of VirusTotal, the Google-owned file-scanning service built for malware hunters. The VirusTotal database is a must-have for any security researcher who wants to stay aware of the top malware threats in circulation.
VirusTotal can be used by anyone who wants to see whether the major antivirus products detect a suspicious file uploaded to the service. Naturally, the service is intended for security researchers and analysts, but, unfortunately, black hat hackers have lately been enjoying its perks as well. It was soon discovered that cybercriminals have been testing their malware against antivirus programs before releasing it in the wild.
While VirusTotal can provide details about numerous malicious files that compromise Windows, the service does not maintain comparable information about Linux malware, probably because it is not as common. All it offers in such cases is basic information about the individual Linux sample files; the additional data usually provided for Windows samples is missing.
This might have been acceptable in the past, but in recent years a new type of Linux malware aimed at vulnerable servers has emerged.
Previous Attacks – Operation Mayhem
Operation Mayhem was one of the most widely reported attacks targeting *nix servers (Unix and Linux). An earlier attack used the Linux Cdorked malware to distribute Windows malware through web servers.
Probably because of this lack of information, antivirus companies responded too slowly to Linux malware samples. In most cases, the samples were submitted as ELF files.
The number of submitted ELF files has recently been growing. In a single week, over 35,000 suspicious ELF files were submitted to VirusTotal. For comparison, 44,000 Microsoft Word files were submitted in the same period.
The service's shortcomings for Linux malware are to be addressed as soon as possible. “Even though the popularity of the Windows OS among average end-user systems has meant that attackers have mostly focused on developing malware for Windows systems, ELF badness is a growing concern,” a representative of the company wrote on Tuesday.
Researchers with the Malware Must Die group have discovered most of the malicious ELF files found in the last two years. They have also provided detailed information about the Linux malware exploiting the Shellshock vulnerability in Bash, and they were the first to spot Mayhem.
Additional information about malicious ELF files would raise detection rates among antivirus vendors. “The Ukraine/Russia-based Mayhem and the cDorked ELF malware were all having very low detection rates among antivirus engines,” said the company’s spokesman.
At that point, the malware was detected by only four AV programs. After ELF awareness had been raised, 15 to 20 antivirus products started recognizing it.
Lately, a group of Chinese hackers is suspected of using ELF malware in campaigns that target web servers in order to launch DDoS attacks.