Linux malware turns victim's machines into crypto-currency miners

News by Rene Millman

Linux.Lady malware exploits flaw in Redis NoSQL to infect servers and turn them into crypto-currency miners working for the attackers.

Security researchers have discovered a new malware looking to turn Linux-based machines into crypto-currency miners.

Dubbed Linux.Lady, the malware exploits Redis servers that have been put online by systems administrators without setting a password.

The malware was discovered by Russian antivirus software vendor Dr Web and was written by hackers using Google's Go programming language.

The malware does three things: it collects information about an infected computer and transfers it to the command and control (C&C) server; downloads and launches a crypto-currency mining utility; and attacks other computers on the network in order to install its own copy on them.

The Trojan receives a configuration file containing the information it needs to operate. It then downloads and launches a crypto-currency mining program. The Trojan determines the external IP address of the infected computer using websites listed in the configuration file.

It then retrieves Linux.Downloader.196, which downloads the main payload after infection. Linux.Lady then sends data about the system to the C&C server.

"This malware possesses the ability to collect information about an infected computer and transfer it to the C&C server, download and launch a crypto-currency mining utility, and attack other computers on the network to install its own copy on them," said the Dr Web advisory.

The malware affects misconfigured Redis database servers for which administrators have not set a password. There are around 30,000 Redis servers online at present. The Trojan mines for a crypto-currency named Monero.
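An added example for auditing your own Redis inventory (this is not code from the article or from Dr Web): it sends a single unauthenticated PING over the RESP wire protocol and classifies the reply, so a server that answers `+PONG` without a password is flagged as open in the way the article describes. The host list, timeout and the sample replies are assumptions; the `-DENIED` branch covers the protected mode that Redis 3.2 and later enable by default.

```python
import socket
import sys


def classify_redis_reply(raw: bytes) -> str:
    """Classify the first RESP reply to a PING sent without AUTH.

    '+PONG'   -> "open": commands accepted with no password (the exposure Linux.Lady relies on)
    '-NOAUTH' -> "auth-required": requirepass is set and the server wants AUTH first
    '-DENIED' -> "protected-mode": Redis refuses non-loopback clients when unauthenticated
    empty     -> "no-reply"; anything else -> "unknown"
    """
    if not raw:
        return "no-reply"
    first_line = raw.split(b"\r\n", 1)[0]
    if first_line == b"+PONG":
        return "open"
    if first_line.startswith(b"-NOAUTH"):
        return "auth-required"
    if first_line.startswith(b"-DENIED"):
        return "protected-mode"
    return "unknown"


def resp_command(*args: str) -> bytes:
    """Encode a command as a RESP array, the format every Redis client sends."""
    parts = [f"*{len(args)}\r\n".encode()]
    for arg in args:
        data = arg.encode()
        parts.append(b"$%d\r\n%s\r\n" % (len(data), data))
    return b"".join(parts)


def probe_redis(host: str, port: int = 6379, timeout: float = 3.0) -> str:
    """Connect to one of your own Redis hosts, send PING without AUTH, classify the reply."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(resp_command("PING"))
            return classify_redis_reply(sock.recv(256))
    except OSError as exc:  # refused, timed out, unresolved: not reachable from here
        return f"unreachable ({exc.__class__.__name__})"


if __name__ == "__main__":
    # Hosts are an assumption; pass your own inventory on the command line.
    for target in sys.argv[1:] or ["127.0.0.1"]:
        print(f"{target}: {probe_redis(target)}")
```

Any host reported as "open" should get `requirepass` set and its `bind` restricted to the interfaces that actually need it.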

Giovanni Vigna, CTO and co-founder at Lastline, said that Linux machines are less ubiquitous but might give access to more resources, especially if the machines are servers.

“It is not therefore surprising that the Trojan program is used to mine crypto-currency,” he said.

“Organisations should follow best practices in configuring and maintaining their Linux hosts. Best practices include being up-to-date with software distributions, using internal firewalls to limit access to only the services needed, and preventing users from being authenticated with passwords and, instead, force them to use keys for authentication.”

Craig Young, security researcher at Tripwire, told SC that a side channel attack capable of predicting TCP sequence numbers is a pretty serious problem.

“This can allow attackers to launch the TCP hijacking attacks which were so prominent in the 1990s hacking scene. Back then the problem was that many computers would generate initial sequence values from the clock thereby greatly reducing the number of guesses needed to take control of a remote session. Kevin Mitnick is known for use of this type of attack.”
