Computer security experts have uncovered a dangerous new malware family for GNU/Linux distributions that has been labeled Linux/Rakos. To learn how it works, continue reading our guide.
Linux/Rakos Infects Via SSH Attacks
Security experts have identified a new and dangerous Linux malware named Linux/Rakos. It is written in the Go language and targets both consumer devices and servers.
The initial compromise is an SSH brute-force attack: the operators target exposed SSH ports on Linux devices and guess credentials until a pair works. Immediately afterwards, Linux/Rakos recruits the host into a botnet that can be used for a variety of malicious activities, including large-scale DDoS campaigns.
According to the published analysis, the malware starts by scanning the Internet from a limited number of IP addresses and grows incrementally: each newly infected host joins the scanning, so the scan rate rises with every new victim, making it an ever-growing threat.
In some of the identified Linux/Rakos campaigns the attackers compromised devices with stronger passwords, and upon infection the malware changed the account credentials. An attack run begins by loading a YAML configuration file from standard input. This input carries the variable settings: the list of C&C servers, the credentials to brute force, and any other relevant parameters.
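Because the initial access is plain SSH password guessing, the first place a defender sees Linux/Rakos is sshd's authentication log. The script below is an added example, not code from the original article or from the researchers: it reads constructed auth.log lines, counts failed password attempts per source address, and reports any source that crossed a threshold together with how many logins it was eventually granted. A source with many failures followed by an accepted login is the pattern to chase. The log lines, the threshold and the function names are all assumptions made for this example.

```shell
#!/bin/sh
# Added detection example for the SSH password guessing described above.
# Not from the original write-up; log lines are constructed and the
# threshold is an assumption.

# Constructed sshd lines in syslog auth.log format: one source fails three
# times and is then accepted, a second source fails once, and a third logs
# in with a key without any failures.
SAMPLE_LOG='Dec 20 10:01:02 host sshd[1201]: Failed password for root from 203.0.113.7 port 50123 ssh2
Dec 20 10:01:03 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 50124 ssh2
Dec 20 10:01:05 host sshd[1203]: Failed password for root from 203.0.113.7 port 50125 ssh2
Dec 20 10:01:09 host sshd[1205]: Accepted password for pi from 203.0.113.7 port 50130 ssh2
Dec 20 10:02:00 host sshd[1210]: Failed password for root from 198.51.100.4 port 40001 ssh2
Dec 20 10:03:11 host sshd[1212]: Accepted publickey for alice from 192.0.2.10 port 51000 ssh2'

# ssh_guess_report THRESHOLD
# Reads sshd lines on stdin. For every source address with at least
# THRESHOLD failed password attempts, prints one sorted line:
#   <ip> failures=<n> accepted=<m> users=<usernames tried, in order seen>
# accepted>0 after a run of failures means the guessing ended in a working
# password, which is exactly the foothold Rakos needs.
ssh_guess_report() {
    thr="${1:-5}"
    awk -v thr="$thr" '
        # source address: the field after "from"
        function src(    i) { for (i = 1; i <= NF; i++) if ($i == "from") return $(i + 1); return "" }
        # username: the field after "for", skipping the "invalid user" prefix
        function usr(    i) {
            for (i = 1; i <= NF; i++)
                if ($i == "for") return ($(i + 1) == "invalid") ? $(i + 3) : $(i + 1)
            return ""
        }
        / sshd\[[0-9]+\]: Failed password for / {
            ip = src(); u = usr()
            fail[ip]++
            if (!((ip, u) in seen)) {           # record each username once per source
                seen[ip, u] = 1
                users[ip] = users[ip] (users[ip] == "" ? "" : ",") u
            }
        }
        / sshd\[[0-9]+\]: Accepted (password|publickey) for / { ok[src()]++ }
        END {
            for (ip in fail)
                if (fail[ip] >= thr)
                    printf "%s failures=%d accepted=%d users=%s\n", ip, fail[ip], ok[ip] + 0, users[ip]
        }' | sort
}

# Dry run against the constructed sample: only 203.0.113.7 crosses 3 failures.
printf '%s\n' "$SAMPLE_LOG" | ssh_guess_report 3
```

On a live host the same function is fed with `grep sshd /var/log/auth.log | ssh_guess_report 10` (or `journalctl -u ssh` on systemd hosts); the threshold is a tuning choice, since one or two typos from a legitimate user are normal while dozens of failures against root from one address are not.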
The Attack Vector of Linux/Rakos
The bot begins by launching an SSH dictionary/brute-force attack against its predefined list of target machines. Earlier versions of Linux/Rakos also scanned for running SMTP services; newer builds have this feature disabled, which is believed to mean that the developers are working on more advanced network scanning and exploitation options.
If a username/password pair from the list yields a login session, two commands are run on the host immediately:
- id – prints real and effective user and group IDs
- uname -m – prints the machine hardware name
Several test runs were made against local machines; depending on the outcome of the intrusion, the bot marks each machine with a FORGET or INSTALL flag. The backdoor can also update its configuration file from a remote file and upgrade itself.
Linux/Rakos Mitigation Steps
The malware does not establish persistence on the infected host. However, the operators can attack the same host again, so the guessed credentials must be changed as part of the cleanup.
The following steps clean the malware off an infected system:
- Connect to the machine using SSH or Telnet
- Look for a process named .javaxxx
- Run netstat (or ss) to confirm any suspicious network connections
- Collect evidence by dumping the memory space of the corresponding process
- End the process using kill
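The steps above, as an added shell triage helper that is not part of the original article: it finds processes whose command name matches the indicator given above, records their network connections, preserves the binary, mappings and a memory dump, and only then kills them. Only the process name `.javaxxx` comes from the article; the output directory, the `ss`/`netstat` fallback, the use of `gcore` for the memory dump and the function names are assumptions, and the `ps` listing in the script is constructed so the matching can be checked offline.

```shell
#!/bin/sh
# Added triage helper for the Linux/Rakos cleanup steps. Not part of the
# original write-up. Only the process name ".javaxxx" is from the article;
# everything else here is an assumption made for this example.

# Process name indicator quoted by the article, compared exactly against
# the `comm` column. Adjust if the sample on a real host differs.
RAKOS_PROC='.javaxxx'

# Constructed `ps -eo pid,comm` listing for an offline dry run.
SAMPLE_PS='    PID COMMAND
      1 systemd
    734 sshd
   4312 .javaxxx
   4320 bash
   4401 java'

# rakos_pids: read "PID COMMAND" lines on stdin (header included) and print
# the PIDs whose command name equals RAKOS_PROC.
rakos_pids() {
    awk -v name="$RAKOS_PROC" 'NR > 1 && $2 == name { print $1 }'
}

# live_rakos_pids: the same check against the running system.
live_rakos_pids() {
    ps -eo pid,comm | rakos_pids
}

# triage_pid PID [DIR]: evidence collection before the kill, in the order the
# article gives: confirm network activity, then dump the process memory.
triage_pid() {
    pid="$1"
    out="${2:-/tmp/rakos-triage-$pid}"   # assumed output directory
    mkdir -p "$out"

    # Confirm suspicious connections; ss is preferred, netstat is the fallback.
    if command -v ss >/dev/null 2>&1; then
        ss -tanp 2>/dev/null | grep -w "pid=$pid" > "$out/connections.txt"
    else
        netstat -tanp 2>/dev/null | grep -w "$pid/" > "$out/connections.txt"
    fi

    # Preserve the binary and mappings; the /proc exe link still works even
    # if the file on disk has been unlinked.
    cp /proc/"$pid"/exe "$out/binary" 2>/dev/null || true
    cp /proc/"$pid"/maps "$out/maps.txt" 2>/dev/null || true

    # Dump the memory space. gcore ships with gdb; without it the maps file
    # and binary copy above are the evidence that remains.
    if command -v gcore >/dev/null 2>&1; then
        gcore -o "$out/core" "$pid" >/dev/null 2>&1 || true
    fi
    echo "$out"
}

# kill_rakos PID: end the process, escalating to SIGKILL if SIGTERM fails.
kill_rakos() {
    pid="$1"
    kill "$pid" 2>/dev/null || kill -9 "$pid" 2>/dev/null
}

# The live sequence runs only with --run, so the file can be sourced or
# dry-run against SAMPLE_PS without touching real processes.
if [ "${1:-}" = "--run" ]; then
    for pid in $(live_rakos_pids); do
        dir=$(triage_pid "$pid")
        echo "evidence for PID $pid saved under $dir"
        kill_rakos "$pid"
    done
else
    echo "dry run, matching PIDs in sample listing:"
    printf '%s\n' "$SAMPLE_PS" | rakos_pids
fi
```

Collecting the connections, binary and core before calling `kill` matters because the malware is not persistent: once the process is gone, nothing on disk is left to analyse, and the evidence is what tells you which C&C addresses to block and which credentials were used.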
For more details, read the full blog post on the matter on We Live Security.