Linux runs a large share of the world's servers, cloud workloads and embedded devices, which makes it a worthwhile target. Its open-source ecosystem is also abused directly: one emerging trend is attackers publishing fake repositories that contain malware disguised as legitimate software. Traditional vectors such as phishing emails that deliver malware to Linux hosts remain in use as well. Here are three common types of attacks targeting Linux systems.
1. Botnets
A botnet is a network of compromised devices, each running malware that hands control of the host to the operator. Attackers issue instructions to these endpoints through command-and-control (C2) infrastructure, forcing them to take part in malicious activities. Some of the most widespread uses of botnets include:
- Distributed denial of service (DDoS) attacks
- Spam campaigns
- Traffic forwarding
In many cases, an infected device scans for and infects other systems reachable on the same network, so the malware keeps spreading without further action from the operator. This allows botnets to grow to thousands of infected devices and lets attackers carry out large-scale operations.
Analyzing a Mirai Botnet Attack 
Among botnets affecting Linux-based devices, Mirai is one of the most widespread. It targets internet-of-things (IoT) devices, such as routers and IP cameras, that are exposed to the internet and still use factory-default passwords; it simply logs in with a built-in list of such credentials and enrolls the device. Dozens of Mirai variants now exist because the original authors publicly released its source code in 2016, and copies hosted on GitHub are available to any threat actor for free.
With tools like the ANY.RUN sandbox, we can study the behavior of botnets like Mirai in real time and get insight into their operation within seconds.
All we need to do is upload a sample of the malware to the service and observe the activity related to its execution.
The Suricata rule employed by the service to detect Mirai’s presence
ANY.RUN lays out the network traffic generated by the sample and labels it as malicious using the built-in Suricata engine, a network intrusion detection system that matches traffic against signature rules describing known threats.
2. Crypto Malware (Cryptojacking)
Crypto malware uses the processing power of infected endpoints to mine cryptocurrency. Because mining means computing hashes continuously, such threats are known for degrading the performance of the host, draining its CPU, memory and power.
Miners reach Linux machines through various means, including phishing emails, trojanized software downloads, and vulnerabilities in unpatched software. Once installed, crypto malware typically runs silently so it can keep mining for as long as possible.
Analyzing Crypto Malware
Check out this analysis in a sandbox, where you can monitor the execution process of a miner in an Ubuntu cloud VM.
CPU and RAM graphs showing maximum usage
The CPU and RAM usage graphs show an immediate spike in activity after the launch of the malware. This is a clear sign that the miner is operating on the system, using all resources available.
The DNS requests tab displays numerous entries
We can also view the miner's network traffic: within 4 minutes it attempts over 270,000 DNS requests.
The miner's process reveals the actions it takes in the form of behavioral signatures, including:
- “Checks DMI information”: reading the system's DMI (hardware inventory) data, which is commonly done to detect a virtual machine or sandbox environment.
- “Checks active cgroups controllers (like CPU time, system memory, network bandwidth)”: learning which resource limits apply to the process, so the miner can size its workload to what the host allows.
- “Executes commands using command-line interpreter”: spawning a shell to run further commands.
Together, these steps let the miner fingerprint its environment and tune its resource consumption so it can stay resident without blowing its cover.
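To make the three signatures above concrete, here is an added example that applies the same behavioral checks to a constructed, strace-style event log. It is not ANY.RUN's detection logic: the log format, process IDs and the two-signature threshold are assumptions for illustration. The paths used are the standard Linux locations for DMI data (/sys/class/dmi/id) and cgroup controllers (/sys/fs/cgroup).

```python
"""Behavioural signature matching over a constructed syscall log.

Added example: mirrors the three sandbox signatures listed above, but the
input format, process IDs and threshold are assumptions, not ANY.RUN logic.
"""
import re

# Constructed strace-style log: "<pid> <syscall>(<args>)", one event per line.
# pid 1337 behaves like the miner, 2001 is benign, 2002 reads cgroups only.
SAMPLE_LOG = """\
1337 openat("/sys/class/dmi/id/sys_vendor", O_RDONLY)
1337 openat("/sys/class/dmi/id/product_name", O_RDONLY)
1337 openat("/sys/fs/cgroup/cgroup.controllers", O_RDONLY)
1337 openat("/sys/fs/cgroup/cpu.max", O_RDONLY)
1337 execve("/bin/sh", ["sh", "-c", "nproc; cat /proc/cpuinfo"])
2001 openat("/etc/hostname", O_RDONLY)
2001 execve("/usr/bin/ls", ["ls", "-la"])
2002 openat("/sys/fs/cgroup/cgroup.controllers", O_RDONLY)
"""

EVENT_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<call>\w+)\((?P<args>.*)\)$")
SHELL_RE = re.compile(r'"/bin/(?:ba|da)?sh"')  # sh, bash or dash as the exec target

# Signature name -> predicate over (syscall, raw argument string).
SIGNATURES = {
    "Checks DMI information":
        lambda call, args: call == "openat" and "/sys/class/dmi/id/" in args,
    "Checks active cgroups controllers":
        lambda call, args: call == "openat" and "/sys/fs/cgroup/" in args,
    "Executes commands using command-line interpreter":
        lambda call, args: call == "execve"
        and SHELL_RE.search(args) is not None and '"-c"' in args,
}


def parse_events(log):
    """Yield (pid, syscall, args) tuples; lines that do not match are skipped."""
    for line in log.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            yield int(m["pid"]), m["call"], m["args"]


def match_signatures(log):
    """Map each pid to the sorted list of distinct signatures it triggered."""
    hits = {}
    for pid, call, args in parse_events(log):
        for name, matches in SIGNATURES.items():
            if matches(call, args):
                hits.setdefault(pid, set()).add(name)
    return {pid: sorted(names) for pid, names in hits.items()}


def suspicious_pids(log, min_signatures=2):
    """Pids that trigger at least `min_signatures` distinct signatures.

    A single hit is weak evidence: container runtimes read cgroup files and
    hardware inventory tools read DMI, so this example requires co-occurrence.
    """
    return sorted(pid for pid, names in match_signatures(log).items()
                  if len(names) >= min_signatures)


if __name__ == "__main__":
    for pid, names in sorted(match_signatures(SAMPLE_LOG).items()):
        print(pid, names)
    print("suspicious:", suspicious_pids(SAMPLE_LOG))
```

The threshold is the practitioner's caveat: any one of these behaviors is common in legitimate software, so a useful detection keys on the combination (environment fingerprinting plus shell execution from the same process) rather than on a single file read.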
3. DDoS Attacks
As mentioned, botnets frequently carry out DDoS attacks, which aim to overwhelm a network or server with a high volume of traffic and render it unavailable to users. This is a particularly serious risk for organizations: their infrastructure can be the target of such an attack, and, if it is infected by a botnet, also one of the sources conducting it. Protecting against DDoS attacks requires a robust network security strategy, including monitoring for sudden bursts of outbound connections from your own hosts.
Understanding and Analyzing DDoS Attacks on Linux Systems
A sandbox lets you watch each step of a DDoS attack from the bot's side. The session features a Linux system that has been compromised, joined a botnet, and is taking part in a DDoS attack.
The Connections tab exposes the DDoS attack details
The service lists thousands of connections made by the device within seconds. Seeing the attack from the infected host's perspective shows what a compromised machine in your own network would look like and helps you tune detection for it.
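Both the miner's DNS storm (over 270,000 requests in 4 minutes, roughly 1,100 per second) and the bot's burst of thousands of connections in seconds are rate anomalies, and the same sliding-window check catches either. The following is an added example, not ANY.RUN code or output: the event records are constructed here as (timestamp in milliseconds, kind, destination), and the per-second thresholds are illustrative assumptions that a real deployment would baseline per host.

```python
"""Rate-based burst detection over timestamped network events.

Added example for the DNS-request and connection floods described above;
it is not ANY.RUN code or output. Event records are constructed here as
(timestamp_ms, kind, destination); thresholds are illustrative.
"""
from collections import Counter, deque


def spread(kind, start_ms, count, duration_ms, dst):
    """Constructed traffic: `count` events of `kind` to `dst`, spread evenly
    over `duration_ms` (integer milliseconds, so there is no float drift)."""
    return [(start_ms + (i * duration_ms) // count, kind, dst) for i in range(count)]


# Constructed sample: low-rate background plus two bursts. The DNS burst is
# a miner-style lookup storm (1000 queries/s); the TCP burst is the bot
# hammering one target (2000 connections/s).
BACKGROUND = (
    spread("dns", 0, 100, 240_000, "updates.example.internal")  # ~0.4 queries/s
    + spread("tcp", 120_000, 50, 60_000, "203.0.113.10:443")    # ~0.8 connections/s
)
BURSTS = (
    spread("dns", 60_000, 3000, 3_000, "pool.example.invalid")
    + spread("tcp", 130_000, 4000, 2_000, "198.51.100.7:80")
)
SAMPLE_EVENTS = sorted(BACKGROUND + BURSTS, key=lambda e: e[0])


def peak_rate(events, kind, window_ms=1000):
    """Return (max_count, window_start_ms): the largest number of `kind`
    events in any half-open sliding window (t - window_ms, t]. Events must
    be sorted by timestamp."""
    recent = deque()
    best = (0, None)
    for ts, k, _ in events:
        if k != kind:
            continue
        recent.append(ts)
        while ts - recent[0] >= window_ms:  # drop events that aged out of the window
            recent.popleft()
        if len(recent) > best[0]:
            best = (len(recent), recent[0])
    return best


def flagged_kinds(events, thresholds, window_ms=1000):
    """Event kinds whose peak per-window count meets the configured threshold."""
    return sorted(
        kind for kind, limit in thresholds.items()
        if peak_rate(events, kind, window_ms)[0] >= limit
    )


def top_destinations(events, kind, n=3):
    """Most-contacted destinations for `kind`: the pivot from 'rate is high' to 'towards what'."""
    return Counter(dst for _, k, dst in events if k == kind).most_common(n)


if __name__ == "__main__":
    limits = {"dns": 200, "tcp": 500}  # illustrative per-second limits for one host
    for kind in limits:
        count, start = peak_rate(SAMPLE_EVENTS, kind)
        print(f"{kind}: peak {count} events/s from t={start} ms; "
              f"top destination {top_destinations(SAMPLE_EVENTS, kind, 1)}")
    print("flagged:", flagged_kinds(SAMPLE_EVENTS, limits))
```

The deque keeps only the events inside the current window, so the check runs in linear time over a connection log or DNS log and reports the first window in which the burst reached its peak, which is the moment to pivot to the process that opened those sockets.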
Analyze Linux and Windows Malware with Ease
ANY.RUN, a sandbox for analyzing malware, gives you a verdict on a malicious file or link in under 40 seconds. For in-depth analysis, the service offers customizable Windows and Linux virtual machines for comprehensive investigations:
- Interact with the VM like you would on an actual computer
- View network and registry activities, processes, and other attack details
- Download reports with IOCs
Sign up for a free account now and analyze unlimited malware samples!