The myth of *nix security

15 May 2009

minute read

Authors

Sergey Golovanov

It’s often argued that *nix systems are secure, and there aren’t any viruses or malware for such systems. This hasn’t been true for a long time, as two recently detected malicious programs prove.

The first is Trojan-Mailfinder.Perl.Hnc.a, a perl script which connects to a command server to get text and a recipient list for spam mailings.

The second program is Trojan-Dropper.Linux.Prl.a, an executable for Linux and FreeBSD. The file decrypts the perl script, launches the perl interpreter and then gives it the decrypted script.

This malware has been detected on servers infected with Trojan-Downloader.JS.Iframe.auy (shown in the screenshot below).

This redirects site visitors to a site that will download exploits and other malicious programs in the guise of a video codec:

The site which spreads spam also contains a page advertising a rogue antivirus which claims it will clean the user’s computer for $60. (We classify the rogue app as not-a-virus:FraudTool.Win32.MalwareDoctor.e):

At the moment we know of around 1000 cases of sites infected with Trojan-Downloader.JS.Iframe.auy. There are also several hundred servers infected with Trojan-Mailfinder.Perl.Hnc.a and Trojan-Dropper.Linux.Prl.a, which are actively spreading spam.

The days of *nix systems not being targeted by malware writers are long gone. In my view, admins need to wake up; they should be on top of all of today’s threats, rather than letting their systems – and worse, visitors to their sites – get infected. Shame on you, guys.

Authors

Sergey Golovanov

The myth of *nix security

Latest Posts

Latest Webinars

Reports

An unknown actor targeted an electric utility in southern Africa with Cobalt Strike beacons and DroxiDat, a new variant of the SystemBC payload. We speculate that this incident was in the initial stages of a ransomware attack.

This is our latest summary of the significant events and findings, focusing on activities that we observed during Q2 2023.

While monitoring the traffic of our own corporate Wi-Fi network, we noticed suspicious activity that originated from several iOS-based phones. We created offline backups of the devices, inspected them and discovered traces of compromise.

GoldenJackal is an APT group, active since 2019, that usually targets government and diplomatic entities in the Middle East and South Asia. The main feature of this group is a specific toolset of .NET malware, JackalControl, JackalWorm, JackalSteal, JackalPerInfo and JackalScreenWatcher.

The myth of *nix security

GReAT Ideas. Balalaika Edition

GReAT Ideas. Green Tea Edition

GReAT Ideas. Powered by SAS: malware attribution and next-gen IoT honeypots

GReAT Ideas. Powered by SAS: threat actors advance on new fronts

GReAT Ideas. Powered by SAS: threat hunting and new techniques

DarkVishnya: Banks attacked through direct connection to local network

KoffeyMaker: notebook vs. ATM

Happy IR in the New Year!

ATMitch: remote administration of ATMs

Online Banking Faces a New Threat

Evil Telegram doppelganger attacks Chinese users

Dissecting TriangleDB, a Triangulation spyware implant

Satacom delivers browser extension that steals cryptocurrency

Minas – on the way to complexity

Not quite an Easter egg: a new family of Trojan subscribers on Google Play

Latest Posts

From Caribbean shores to your devices: analyzing Cuba ransomware

Evil Telegram doppelganger attacks Chinese users

IT threat evolution in Q2 2023. Non-mobile statistics

IT threat evolution in Q2 2023. Mobile statistics

Latest Webinars

2023 APT Landscape Unveiled: Trends, Challenges, Solutions

Cybersecurity risks in alternative energy sources

Securing ICS Workstations: Vulnerability Identification with OVAL

Unveiling the Darknet’s Malware-as-a-Service model

Reports

Focus on DroxiDat/SystemBC

APT trends report Q2 2023

Operation Triangulation: iOS devices targeted with previously unknown malware

Meet the GoldenJackal APT group. Don’t expect any howls

Subscribe to our weekly e-mails