During research into large scale attacks aimed at the free and open-source operating system, the researchers stumbled upon a new Linux virus that is connected to the SambaCry Trojan that took advantage of security vulnerabilities in the underlying systems of the program. Samba is a piece of free software that allows Linux and Unix to operate and communicate effectively with Windows.
Researchers have noted that the malware was built on the widely used QT toolset, and can quickly be ported to operating systems like macOS and Windows. The virus has a file size of around 3MB, which makes it difficult to distribute through traditional methods according to the group. However, once it finds itself on a vulnerable system, and is executed; it attempts to elevate the priority of the running thread or app. Once this is achieved, it connects to the command and control servers through an API call.
Once communication is established, the virus then becomes ‘dangerous’. However, the researchers noted that if the virus fails to connect to the C&C servers, it can execute predetermined parameters; or in some cases be configured by another piece of malware. The virus communicates through the use of IRC networks, which are still some of the most popular messaging protocols in use today.
The virus has some advanced features, as outlined by the research group; including automatic updates, allowing the hacking group behind it to issue new updates or commands. It also allows the hacking group to ‘remotely’ execute specific commands and even more alarming, allow it to be deployed as a system service, which makes it harder to manage or remove.
Submitted by: Arnfried Walbrecht