Linux Malware Deemed 'Nearly Impossible' to Detect:
Symbiote, discovered in November, parasitically infects running processes so it can steal credentials, gain rootlkit[sic] functionality and install a backdoor for remote access.
A new Linux malware that's "nearly impossible to detect" can harvest credentials and gives attackers remote access and rootkit functionality by acting in a parasitic way to infect targets, researchers said.
Researchers from The BlackBerry Research and Intelligence Team have been tracking the malware, the earliest detection of which is from November 2021, security researcher Joakim Kennedy wrote in a blog post on the BlackBerry Threat Vector Blog published last week.
Researchers have appropriately dubbed the malware—which apparently was written to target the financial sector in Latin America—"Symbiote." In biology, the word means an organism that lives in symbiosis with another organism.
"What makes Symbiote different ... is that it needs to infect other running processes to inflict damage on infected machines," he wrote. "Instead of being a standalone executable file that is run to infect a machine, it is a shared object (SO) library that is loaded into all running processes using LD_PRELOAD (T1574.006), and parasitically infects the machine."
Once Symbiote has infected all the running processes, a threat actor can engage in various nefarious activity, including rootkit functionality, the ability to harvest credentials, and remote access capability, Kennedy said.
In addition to the rootkit capability, the malware also provides a backdoor for the threat actor to log in as any user on the machine with a hardcoded password, and to execute commands with the highest privileges, he added.
[...] Some evasive tactics it uses is that by design, it is loaded by the linker via the LD_PRELOAD directive, which allows it to be loaded before any other shared objects, researchers found. This privilege of being loaded first allows it to hijack the imports from the other library files loaded for the application, they said. In this way, it hide its presence on the machine by hooking libc and libpcap functions, Kennedy said.
"Once the malware has infected a machine, it hides itself and any other malware used by the threat actor, making infections very hard to detect," he explained. "Performing live forensics on an infected machine may not turn anything up since all the file, processes, and network artifacts are hidden by the malware."
In fact, researchers said they themselves could not uncover enough evidence to determine whether threat actors are currently using Symbiote " in highly targeted or broad attacks," he said.
Unusual DNS requests may be one way to detect if the malware is present on a system, researchers noted. However, typical antivirus or other security tools aimed at endpoint detection and response won't pick up Symbiote, making organizations using Linux that rely on those protections at risk, they said.
(Score: 3, Informative) by janrinok on Thursday June 16 2022, @04:58AM
You are not very bright are you? It is how the internet works. We have to know the return IP address so that we can respond to your browser. But we don't store them. We store hashes of IP addresses. We have to store them because that is how we reconstruct pages showing the comments and moderations for all of our stories going back to 2014. Every story, comment, moderation, every password has a hash. (you wouldn't want us to know your password or to store them in clear in the database would you?). It is how databases work. We could use table index numbers, hashes, the IP addresses themselves (which the very early slashdot code did!) or random strings - but they would still link data items together in relationships.
Now it used to be that one could use a rainbow table to convert IP hashes back to IPs - have you tried doing that with IPv6? It would take billions of years to even create such a table assuming that you had enough computing power and storage space for the results./p>
My internet provider's network is all IPv6 nowadays. How come your host file doesn't use them? How do you block IPv6 addresses? Ah, your solution was not even good a decade or so back but now it is almost a museum piece. Have you made sure that it can cope with stone tablets or cave drawings as well? It must be great living in a technologically advanced nation.
Going back to 2015, where NCommander wrote: