Humans love to place themselves in certain tech tribes. Whether it is programming languages, console versus PC gaming, or operating systems themselves, we place ourselves in one camp or the other and are willing to rigorously defend our opinion online to whoever will listen. This seemingly natural stance has led to several cyber security myths developing over the years that, despite being conclusively disproved on several occasions, still persist. It is hoped that this article series goes some way toward dispelling the security myths that persist stubbornly despite a great deal of evidence to the contrary.
A quick perusal of these myths will show that similar myths are sprinkled into the mythos of both Linux and macOS malware; regardless, they will be covered independently, as the myth-busting events seen in the wild are different. With that disclaimer out of the way, the first Linux myth deals with its supposed invulnerability.
Linux is invulnerable to malware.
Before we go any further, I want to make it clear that using Linux is not a god-mode cheat code that will protect you from all threats. There are indeed malware strains that target the Linux operating system. A case in point is the Linux-specific rootkit Troj/SrvInjRk-A, with Sophos researchers summarizing the malware’s capabilities by stating,
“The functions vfs_read and vfs_readdir deal with access to files and directories (vfs stands for virtual file system). Casually modifying those kernel functions like this is horrendously risky, of course, but for a malware author, it’s good enough…And by hooking tcp_sendmsg, the malware is able to inspect network packets after they’ve been transmitted by your web server, and modify them “in flight” to include malicious content. This means the malicious content never even exists in userland—neither on disk nor in memory.”
Secondly, it is important to remember that Linux systems are built on the same, or very similar, hardware as Windows machines and older Macs. This means that Linux systems are still susceptible to major hardware vulnerabilities. Shellshock and Heartbleed make for interesting examples of this concept, and if a threat actor can gain privileged access to a machine, a malware payload being dropped is not out of the question.
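The Sophos description above makes a practical point for defenders: if content is modified after the web server has handed it to the kernel, a file-integrity check on the server will never see the change, so the check has to compare what is on disk with what a client actually received. The following is an added example (not from the article or from Sophos) that does exactly that comparison; the on-disk page and the captured response are constructed samples, and the script tag and host name in them are invented placeholders.

```python
"""Compare a page as stored on the server's disk with the same page as captured
by a client on the wire, to spot content altered in flight below userland.
Added example; the two pages below are constructed, not real captures."""
import difflib
import hashlib

# Constructed sample: the page as stored on the server's disk.
ON_DISK = (
    b"<html><head><title>Shop</title></head>\n"
    b"<body><h1>Welcome</h1><p>Catalogue</p></body></html>\n"
)

# Constructed sample: the same page as captured from the wire by a client on
# another host, carrying a script tag that does not exist on disk.
ON_WIRE = (
    b"<html><head><title>Shop</title></head>\n"
    b'<body><h1>Welcome</h1><script src="//example.invalid/x.js"></script>'
    b"<p>Catalogue</p></body></html>\n"
)


def content_hashes(disk: bytes, wire: bytes) -> tuple[str, str]:
    """Cheap first check: equal hashes mean nothing changed in transit."""
    return hashlib.sha256(disk).hexdigest(), hashlib.sha256(wire).hexdigest()


def injected_segments(disk: bytes, wire: bytes) -> list[bytes]:
    """Return the byte runs present in the wire copy but absent from disk.

    difflib compares the two bytes objects byte by byte; the 'insert' and
    'replace' opcodes are precisely the material a host-side file-integrity
    monitor cannot observe, because it never touched the file."""
    matcher = difflib.SequenceMatcher(a=disk, b=wire, autojunk=False)
    found = []
    for tag, _i1, _i2, j1, j2 in matcher.get_opcodes():
        if tag in ("insert", "replace"):
            found.append(wire[j1:j2])
    return found


def report(disk: bytes, wire: bytes) -> dict:
    """Summarise whether the served copy differs and what was added."""
    disk_hash, wire_hash = content_hashes(disk, wire)
    return {
        "modified_in_transit": disk_hash != wire_hash,
        "injected": injected_segments(disk, wire),
    }


if __name__ == "__main__":
    for key, value in report(ON_DISK, ON_WIRE).items():
        print(f"{key}: {value!r}")
```

In practice the "wire" copy would come from a fetch made from a separate, trusted host rather than from the suspect server itself, since any tooling run on a machine with a kernel-level hook is reading through that hook.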
The Great Low Market Share Myth
This myth will crop up again in the section dealing with macOS myths, but it is worth covering twice for separate reasons. The basis of the myth goes something like this: because Linux has a smaller share of the market compared to Microsoft’s Windows, there is little point in developing malware that targets Linux users.
If this was ever true, it certainly has not been since the internet became a fixture in every house and business. Linux is the primary operating system for many web servers, Internet of Things devices, supercomputers, and now cloud computing instances. This means that it is certainly worthwhile for malware developers to develop Linux-specific malware. In this regard, it is also important to remember that much of Google Android’s foundation is based on Linux architecture. That’s at least 2.5 billion users globally, and that’s a conservative estimate.
This reality can be seen in a shift by advanced persistent threat actors and state-sponsored groups toward developing Linux-focused malware to carry out operations similar to those of their Windows malware toolsets. APT27, also known as Iron Tiger, has been hard at work creating Linux-oriented versions of its toolset. Trend Micro researchers noted that
“While investigating SysUpdate’s infrastructure, we found some ELF files linked to some C&C servers. We analyzed them and concluded that the files were a SysUpdate version made for the Linux platform. The ELF samples were also written in C++, made use of the Asio library, shared common network encryption keys, and had many similar features. For example, the file handling functions are almost the same. It is possible that the developer made use of the ASIO library because of its portability across multiple platforms.”
And, “In 2022, we already noticed that this threat actor was interested in platforms other than Windows, with the rshell malware family running on Linux and Mac OS. For these reasons, we would not be surprised to see SysUpdate samples for the Mac OS platform in the future. Interestingly, most of the Linux samples we found used the new DNS tunneling feature we detailed in Figure 2, while only one of the Windows’ samples used it.”
Linux’s market share is large enough that the people who make malware do not consider targeting it a waste of their time and money.
Windows-based malware won’t run on Linux.
This one can be considered partly true, as malware compiled specifically for Windows will not run on Linux and vice versa. However, in recent years, malware developers have produced cross-platform malware strains capable of running on Windows, Linux, and macOS. Multi-platform frameworks written in the world’s most popular programming languages exist to let legitimate applications run across several operating systems, and malware developers noticed that the same frameworks offered a way to build cross-platform malware.
Ransomware developers are one group of threat actors who have been able to make ransomware that works on more than one platform. The developers behind RedAlert and Monster have adopted cross-platform capabilities to make attacks easier to execute against multiple operating systems and environments. This trend has seen many malware developers adopt the Rust and Go programming languages due to their inherent cross-platform abilities.
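Because one campaign may now ship ELF, PE and Mach-O builds of the same tool, a first triage step is to establish which platform a sample targets and whether it came out of the Go or Rust toolchain, so that it is routed to the right sandbox and analyst. The following added example (not from the article or from any vendor) does that from file headers: the ELF, PE and Mach-O magic numbers and Go's `"\xff Go buildinf:"` build-info header are real format constants, the `rustc` string is a common but heuristic indicator, and the sample blobs are constructed header fragments rather than real executables.

```python
"""Triage a suspicious binary: which platform it was built for, and whether it
carries Go or Rust toolchain markers. Added example; the SAMPLES below are
constructed header fragments, not real malware."""
import struct

ELF_MAGIC = b"\x7fELF"
DOS_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\x00\x00"
# Mach-O magics as they appear on disk: 32/64-bit, either byte order, and the
# 'fat' universal header. Note 0xCAFEBABE is also the Java class-file magic.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit (big-endian)",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit (little-endian)",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit (big-endian)",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit (little-endian)",
    b"\xca\xfe\xba\xbe": "Mach-O universal (fat) or Java class",
}

# Toolchain fingerprints. Go embeds a build-info blob that starts with this
# header, and its ELF builds carry a .gopclntab section; Rust builds usually
# retain "rustc" in embedded source paths (heuristic, strippable).
GO_BUILDINFO_MAGIC = b"\xff Go buildinf:"
GO_PCLNTAB_SECTION = b".gopclntab"
RUST_MARKER = b"rustc"


def classify_format(data: bytes) -> str:
    """Identify the executable container from its leading bytes."""
    if data.startswith(ELF_MAGIC):
        return "ELF (Linux)"
    if data.startswith(DOS_MAGIC):
        # A DOS stub alone is not a PE; follow e_lfanew (offset 0x3c) to the
        # PE signature before calling it a Windows executable.
        if len(data) >= 0x40:
            (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
            if data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE:
                return "PE (Windows)"
        return "MZ (DOS stub only)"
    for magic, name in MACHO_MAGICS.items():
        if data.startswith(magic):
            return name
    return "unknown"


def toolchain_hints(data: bytes) -> list[str]:
    """Heuristic toolchain attribution from embedded markers."""
    hints = []
    if GO_BUILDINFO_MAGIC in data or GO_PCLNTAB_SECTION in data:
        hints.append("go")
    if RUST_MARKER in data:
        hints.append("rust")
    return hints


def triage(data: bytes) -> dict:
    return {"format": classify_format(data), "toolchain": toolchain_hints(data)}


# Constructed samples: just enough header and strings to exercise the checks.
SAMPLES = {
    "linux_go": ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9
    + GO_PCLNTAB_SECTION + b"\x00" + GO_BUILDINFO_MAGIC,
    "windows_rust": DOS_MAGIC + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40)
    + PE_SIGNATURE + b"/rustc/0123abcd/library/core/src/panicking.rs",
    "macos_plain": b"\xcf\xfa\xed\xfe" + b"\x07\x00\x00\x01",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, triage(blob))
```

Marker-based attribution is only a hint: a stripped or packed binary can lose the `rustc` strings, and the Go build-info header can be removed deliberately, so treat an empty `toolchain` list as "unknown" rather than "not Go or Rust".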
Linux repositories are inherently safe.
Linux users typically install software and application packages from repositories. Many of these are safe and monitored for malicious activity, but this is not universally the case. Security researchers regularly discover malicious packages on trusted platforms. In one example, Cobalt Strike, a toolset heavily used by ransomware gangs to facilitate the deployment of malware, was seen distributed via a popular Python package repository.
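One control that blunts a swapped or tampered package is to pin the hash of each artifact after review and refuse to install anything that does not match, which is the idea behind `pip install --require-hashes`. The following is an added example (not from the article or from any package tool) of that check in plain Python; the package names, artifact bytes and hashes are constructed in memory for the demonstration.

```python
"""Verify downloaded package artifacts against a pinned sha256 allow-list
before installation. Added example; the artifacts below are constructed
in-memory stand-ins, not real packages."""
import hashlib
import hmac


def build_pinned_manifest(reviewed: dict[str, bytes]) -> dict[str, str]:
    """Generate the allow-list once from artifacts someone has actually
    reviewed; in practice this file is committed alongside the project."""
    return {name: hashlib.sha256(blob).hexdigest() for name, blob in reviewed.items()}


def verify_artifact(name: str, data: bytes, manifest: dict[str, str]) -> tuple[bool, str]:
    """Return (ok, reason) for one downloaded artifact."""
    expected = manifest.get(name)
    if expected is None:
        return False, f"{name}: not in pinned manifest, refusing to install"
    actual = hashlib.sha256(data).hexdigest()
    # compare_digest avoids leaking which prefix matched via timing.
    if not hmac.compare_digest(actual, expected):
        return False, f"{name}: sha256 mismatch (expected {expected[:12]}..., got {actual[:12]}...)"
    return True, f"{name}: ok"


def verify_all(downloads: dict[str, bytes], manifest: dict[str, str]) -> dict[str, tuple[bool, str]]:
    """Check every download; a single failure should abort the whole install."""
    return {name: verify_artifact(name, data, manifest) for name, data in downloads.items()}


# Constructed: artifacts as they were when reviewed and pinned.
REVIEWED = {
    "widget-1.0.0.tar.gz": b"widget source as reviewed",
    "helper-2.3.1.tar.gz": b"helper source as reviewed",
}
MANIFEST = build_pinned_manifest(REVIEWED)

# Constructed: what a later download returned. widget is unchanged, helper has
# been altered on the mirror, and the third name was never pinned at all.
DOWNLOADS = {
    "widget-1.0.0.tar.gz": b"widget source as reviewed",
    "helper-2.3.1.tar.gz": b"helper source with something extra",
    "wigdet-1.0.0.tar.gz": b"lookalike package",
}

if __name__ == "__main__":
    results = verify_all(DOWNLOADS, MANIFEST)
    for _name, (ok, reason) in results.items():
        print(("PASS " if ok else "FAIL ") + reason)
    if not all(ok for ok, _ in results.values()):
        raise SystemExit("install aborted: one or more artifacts failed verification")
```

Hash pinning catches an artifact that changed after it was reviewed; it does not catch a package that was malicious when it was pinned, so the review that produces the manifest still matters, as does checking the repository's own signatures where they exist.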
In the next article in this series, we will look at macOS myths and disprove them as we have done here with Linux malware.