Why Linux Needs Malware Protection

“This is very embarrassing.” So began a post by the developers of the UnrealIRCd server after finding that their software was infected with a Trojan. Another example of why enterprises should consider the safe haven of Linux? Just the opposite: The Trojan infected only the Linux version of the server software, while its Windows counterpart was clean.

Although Linux malware is relatively rare compared to attacks on Windows, it exists, and it’s steadily increasing. In fact, as far back as 2005, the amount of known Linux malware had already doubled over the course of a year to 863 programs. As Linux’s popularity grows among consumers and enterprises, so does its attractiveness to hackers.

In the process, the strategy of security by obscurity becomes less viable. So far, Linux servers appear to be targeted more frequently than Linux PCs, partly because there’s a larger installed base. The risks aren’t limited to servers and desktops, either. One recent example is Backdoor.Linux.Foncy.a, which attacks smartphones running the Linux-based Android operating system. Kaspersky Lab calls Backdoor.Linux.Foncy.a “the most striking example of a malicious program used by cybercriminals to remotely control an infected device by sending a variety of commands.”

In a sense, Linux malware today is like mobile malware circa 2002: Many businesses, consumers and analysts scoffed at warnings simply because attacks were so few and far between. But as the attacks mount, so does the need for a strategy that’s more robust than simply betting that the odds are in your favor.

Developing a Security Strategy

The good news is that many successful strategies from the Windows world are applicable to Linux.

1. Think twice about downloading free software and content, even when the content, its source, or both appear innocuous. Ignoring that advice has facilitated hacks such as screensavers that use Ubuntu PCs for distributed denial-of-service attacks. Backdoor.Linux.Foncy.a passed itself off as the “Madden NFL 12” game.

2. Run a Windows antivirus program. Because Linux PCs are still a minority, there’s a good chance that a file passing through a Linux machine is ultimately headed for a Windows machine. Windows antivirus software minimizes the chances that the Linux PC or server will facilitate malware’s spread.

3. Borrow from Ronald Reagan: Trust, but verify. For example, many Linux users trust Ubuntu’s Personal Package Archives. The potential catch is that although there’s a code of conduct, there’s no guarantee that a secretly malicious signatory won’t leverage that trust. Verification could include installing only from maintainers who have proven themselves trustworthy, or inspecting the files in a package for anything suspicious before installation.
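One way to do the “inspect before installing” step above, as an added example that is not part of the original article or of any Ubuntu tooling: a .deb is a plain `ar` archive whose `control.tar.*` member holds the maintainer scripts (preinst, postinst, prerm, postrm) that run as root at install time, so they can be unpacked and pattern-checked without ever running them. The pattern list is illustrative, and the sample package is constructed in memory for the demonstration.

```python
import io, re, tarfile

# Illustrative (not exhaustive) patterns in maintainer scripts that merit a closer look.
SUSPICIOUS = [
    (r"(curl|wget)[^|\n]*\|\s*(ba)?sh\b", "pipes a download straight into a shell"),
    (r"base64\s+(-d|--decode)", "decodes an embedded base64 blob"),
    (r"/etc/(rc\.local|crontab)", "edits system startup or cron files"),
    (r"\bnc\b[^\n]*\s-e\s", "netcat with command execution"),
]

def _ar_members(blob: bytes):
    """Yield (name, data) for each member of a .deb, which is a plain 'ar' archive."""
    assert blob.startswith(b"!<arch>\n"), "not an ar archive"
    pos = 8
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]                    # 60-byte ASCII member header
        name = hdr[0:16].decode().strip().rstrip("/")
        size = int(hdr[48:58].decode().strip())
        yield name, blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)               # members are 2-byte aligned

def scan_deb(blob: bytes) -> list:
    """Return (script, reason) pairs for suspicious maintainer scripts, without installing."""
    findings = []
    for name, data in _ar_members(blob):
        if not name.startswith("control.tar"):
            continue
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
            for member in tar.getmembers():
                base = member.name.lstrip("./")
                if not member.isfile() or base not in ("preinst", "postinst", "prerm", "postrm"):
                    continue
                text = tar.extractfile(member).read().decode(errors="replace")
                findings += [(base, why) for pat, why in SUSPICIOUS if re.search(pat, text)]
    return findings

def _ar_member(name: str, data: bytes) -> bytes:
    hdr = f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}`\n".encode()
    return hdr + data + (b"\n" if len(data) % 2 else b"")

def build_sample_deb(postinst: str) -> bytes:
    """Build a minimal, constructed .deb in memory (not a real package) to exercise the scanner."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for fname, body in (("control", "Package: demo\nVersion: 1\n"), ("postinst", postinst)):
            info = tarfile.TarInfo("./" + fname)
            info.size = len(body.encode())
            tar.addfile(info, io.BytesIO(body.encode()))
    return (b"!<arch>\n" + _ar_member("debian-binary", b"2.0\n")
            + _ar_member("control.tar.gz", buf.getvalue()) + _ar_member("data.tar.gz", b""))
```

On a real system, `scan_deb(open("pkg.deb", "rb").read())` gives the same result as the constructed sample; a non-empty list is a reason to read the script by hand before letting dpkg run it.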

There’s also a growing selection of books and Web tutorials for developing an enterprise Linux security strategy. For example, CyberCiti.biz advises: “Most Linux distro began enabling IPv6 protocol by default. Crackers can send bad traffic via IPv6 as most admins are not monitoring it. Unless network configuration requires it, disable IPv6 or configure Linux IPv6 firewall.”

4. Explore vendors offering Linux security services and products. There’s a good reason why they’re worth paying attention to: They wouldn’t have those lines of business if there weren’t enough threats already out there.

5. Don’t let managers and other supervisors blindly sign off on the wireless portion of expense reports. This advice is as low-tech as it gets, but it’s also highly effective — not just for Android malware, but also for the types that target other mobile OSs. Although a lot of malware is designed to harvest credit card numbers and other personal information, Backdoor.Linux.Foncy.a is an example of the types that send messages to premium-rate text message and other data services. By simply questioning why an expense report shows an unusually high wireless bill that month, you could catch an infected smartphone before it has several months or more to incur unnecessary charges. In the case of Backdoor.Linux.Foncy.a, only about 2,000 Android phones were infected, but that was enough for the hackers — later arrested — to run up an estimated 100,000 Euros in unauthorized charges.