News from the Linux malware honeypot

As you might expect, we run various honeypots here at SophosLabs. As you might also expect, our Windows honeypots are attacked more frequently than our Linux ones, but Linux malware is far more interesting to blog about, isn’t it?

Since Linux malware is pretty unusual, I thought I’d report on the types of malware we actually capture on our honeypot and give you a rough idea of our setup.

We basically have an up-to-date Linux distribution running a modified SSH daemon. This daemon records attempted username/passwords and is also the entry point for the attacker (via a deliberately weak username / password combination). When the attacker logs in their activities and downloaded files are recorded. We then analyse the data and create detection for any new malware.

We typically see attack type tools being downloaded, such as SSH & FTP scanners as well as IRC bots/bouncers, UDP flooders and process renaming tools. Occasionally the attacker downloads various exploits in order to try and gain root access, but most, from our experience anyway, seem happy to stay in the account they logged into and run their tools from there (after setting a stronger password for the account).

Interestingly, several hackers have downloaded tools which are infected with Linux/Rst-B, a virus which we’ve detected since February 2002! Unusually for Linux viruses, this particular virus actually replicates on up-to-date distributions. It is unlikely they are trying to infect files with this particular virus since this would make their presence more obvious, which is not what they want. The chances are they have simply downloaded an infected hacking tool (which isn’t an uncommon hax0r trait, we often see Windows hacking tools infected with W32/Parite-B).

AV companies who talk about Linux malware are commonly accused of scaremongering and overhyping the Linux malware threat. Not true. Our honeypot is deliberately trying to become infected by using a weak username and password combination. We are doing this so we can protect against malware that is being used on real systems.

SSH is one entry point to the system, and probably one of the easier to defend against (via a sensible password policy). Entry via a new vulnerability or an insider attack are harder to prepare for yet still lead to a hacker having access to your box.

So what can administrators do to reduce the risk of system compromise? Simply running an on-access scanner and glancing at the logfiles occasionally would certainly help prevent the majority of attacks we see from happening.