Linux Malware on the Rise: A Look at Recent Threats


Over the past few years, anecdotal evidence has suggested that security threats to Linux devices are on the rise. Last fall's Mirai botnet attacks, which turned hundreds of thousands of Linux-based devices (mostly routers and IP cameras) into a zombie army used to attack infrastructure via Distributed Denial of Service (DDoS), were particularly effective in waking up the Linux community.

Now, we’re seeing quantitative statistics to support the Linux malware trend. On the heels of a WikiLeaks release detailing the CIA’s OutlawCountry and Gyrfalcon hacking tools aimed at Linux, both AV-Test and WatchGuard have released reports claiming that Linux computers are among the fastest growing targets of malware over the past year and a half.  

According to AV-Test, macOS computers saw the largest increase in malware targeting in 2016 with a 370 percent increase, but Linux was close behind: AV-Test reports a 300 percent rise over 2015. WatchGuard's Internet Security Report, which instead focuses on Q1 2017, claims that Linux malware made up more than 36 percent of the top threats.

A decade ago, Linux was obscure outside the server world, but Tux lovers could at least console themselves with the security of their beloved OS compared to Windows. This helped reinforce the generally true, but somewhat counterintuitive, claim that by inviting anyone to bug check the code, you could build a more secure platform than with a proprietary OS.

A worthy target

The first crack in the Linux armor came in the Android world, where a steady stream of apps turned out to be malicious. It wasn't only the app ecosystem and Android's version fragmentation (which leaves many handsets stuck on old, unpatched releases) that fueled the increase, however, but Android's sheer popularity. In recent years, as more and more Linux-based routers, home automation gizmos, and other devices entered the relatively unprotected home scene, hackers have increasingly found Linux to be a worthy target.

The problem is not that Linux is unsafe compared to other platforms. The Linux kernel and other components are regularly updated to meet the latest threats, which are more easily identified thanks to the greater participation afforded by open source. Developers are continually improving system update and integrity protection mechanisms, and protecting against other emerging security threats.

Although more remains to be done, the main issue is that vendors release routers, consumer electronics, and IoT gear with outdated Linux kernels and few or no security protections on top of the Linux stack. IoT vendors rarely offer kernel updates, and if they do, there's usually no over-the-air (OTA) mechanism. The user must be sufficiently motivated to find out about the update, and then download and install it. In addition, consumers tend to leave their devices unprotected by passwords or else keep the factory defaults, which is exactly how Mirai spread: it logged in over Telnet using a short list of default credentials.

CIA’s OutlawCountry and Gyrfalcon exposed

The CIA's OutlawCountry exploit, which was exposed in a Vault7 release by WikiLeaks on June 30, focuses on Red Hat Enterprise Linux (RHEL) and the RHEL-based CentOS in their 6.x versions, which primarily run on servers. On July 6, WikiLeaks added a report detailing the CIA's Gyrfalcon implant, which targets the OpenSSH client on a wider variety of Linux platforms in order to capture credentials and session traffic.

As described in a ZDNet story on OutlawCountry, the mechanism takes advantage of the Red Hat distributions' aged 64-bit 2.6.32 version of the Linux kernel. Before OutlawCountry can do its work, however, the server must have already been compromised: an attacker needs root privileges in order to load the malicious kernel module. OutlawCountry then redirects outbound traffic to a CIA-controlled server by creating a hidden netfilter (iptables) table in the Linux kernel's networking stack, whose rules take precedence over the rules an administrator can see with the usual iptables tooling. Red Hat is working on a resolution for OutlawCountry, which was internally documented by the CIA two years ago, and has published a command so users can check for infections.
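The following script is an added illustration of the kind of check described above; it is not Red Hat's published command and not code from the Vault7 release. It assumes that an implant of this type registers its table through the ordinary ip_tables API, so the table name appears in /proc/net/ip_tables_names beside the stock tables, and that the kernel module it depends on is listed in /proc/modules. Both sample inputs and the table/module name "zq8vk2" are constructed placeholders for the demo, not real indicators.

```python
"""Flag a netfilter table or kernel module that a stock host should not have.

Added example, not Red Hat's check and not Vault7 code. Assumes the rogue
table is registered through the normal ip_tables API (so it is listed in
/proc/net/ip_tables_names) and that the module shows up in /proc/modules.
The name "zq8vk2" is a constructed placeholder, not the real table name.
"""
import os

# Tables a stock RHEL/CentOS 6 (2.6.32) kernel registers once the matching
# iptable_* modules are loaded.
STOCK_TABLES = {"filter", "nat", "mangle", "raw", "security"}

# Constructed sample of /proc/net/ip_tables_names on a compromised host.
SAMPLE_TABLES = "filter\nnat\nmangle\nzq8vk2\n"

# Constructed sample of /proc/modules (name size refcount deps state address).
SAMPLE_MODULES = """\
ip_tables 17831 3 iptable_filter,iptable_nat,iptable_mangle, Live 0xffffffffa0012000
iptable_filter 2793 1 - Live 0xffffffffa0008000
iptable_nat 6158 1 - Live 0xffffffffa0020000
iptable_mangle 3349 1 - Live 0xffffffffa0030000
nf_conntrack 79453 2 nf_nat,iptable_nat, Live 0xffffffffa0040000
nf_nat 22759 1 iptable_nat, Live 0xffffffffa0050000
zq8vk2 10240 0 - Live 0xffffffffa0100000
"""

# Baseline recorded from a known-good host of the same build. Record it
# before deployment; reconstructing it after an incident is guesswork.
BASELINE_MODULES = {
    "ip_tables", "iptable_filter", "iptable_nat", "iptable_mangle",
    "nf_conntrack", "nf_nat",
}


def unexpected_tables(ip_tables_names, stock=STOCK_TABLES):
    """Return registered table names that are not in the stock set."""
    seen = {line.strip() for line in ip_tables_names.splitlines() if line.strip()}
    return sorted(seen - stock)


def loaded_modules(proc_modules):
    """Parse /proc/modules text into the set of loaded module names."""
    names = set()
    for line in proc_modules.splitlines():
        fields = line.split()
        if fields:
            names.add(fields[0])
    return names


def unexpected_modules(proc_modules, baseline):
    """Return loaded module names that are missing from the baseline."""
    return sorted(loaded_modules(proc_modules) - baseline)


def audit(ip_tables_names, proc_modules, baseline):
    """Run both checks; empty lists mean nothing unexpected was found."""
    return {
        "tables": unexpected_tables(ip_tables_names),
        "modules": unexpected_modules(proc_modules, baseline),
    }


def audit_live_host(baseline):
    """Apply the same checks to the running kernel (Linux only)."""
    with open("/proc/net/ip_tables_names") as f:
        tables = f.read()
    with open("/proc/modules") as f:
        modules = f.read()
    return audit(tables, modules, baseline)


if __name__ == "__main__":
    print("demo:", audit(SAMPLE_TABLES, SAMPLE_MODULES, BASELINE_MODULES))
    if os.path.exists("/proc/net/ip_tables_names"):
        print("live:", audit_live_host(BASELINE_MODULES))
```

Two caveats for anyone adapting this. A module that unlinks itself from the kernel's module list (a common rootkit trick) will not appear in /proc/modules, so the table check is the more robust of the two: netfilter has to know about a table in order to apply its rules. And /proc/net/ip_tables_names only exists while ip_tables is loaded; on newer nftables-based systems the equivalent inventory comes from `nft list tables`.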

Earlier this year, WikiLeaks released info on the CIA’s Weeping Angel exploit, which attacks Samsung’s Tizen-based Smart TVs, as well as a CIA Dark Matter project that affects the Mac. A few others are general networking exploits that could affect Linux devices, but most of the 15 CIA exploits detailed in WikiLeaks’ 8,000-plus Vault7 documents target Windows.

According to AV-Test, Windows represented 70 percent of the online threats detected by AV-Test anti-malware security systems in 2016. There was a 15 percent drop in Windows attacks in 2016 as malicious hackers turned their attention to Linux and the Mac. Yet, any relief in the Windows world may be short lived — Windows made up 77 percent of attacks in Q1 2017.

The WannaCry ransomware attacks of May 2017 were the biggest scourge on Windows so far this year, but these have slowed greatly. While ransomware is often the most devastating malware, it represents a very small number of attacks, says AV-Test.

In the Linux world, the Mirai botnet appears to have faded somewhat, but other malware is targeting the same IoT devices. These include the Bashlite malware (also known as Gafgyt) and the older, but ever resilient, IRC-controlled Tsunami backdoor. The overall percentage of Linux or macOS attacks was not listed, but presumably both make up the bulk of the 24.4 percent of 2016 attacks not represented by Windows or Android.

Android attacks

The Linux numbers do not include Android, which represented 5.65 percent of all malware in 2016. That may not seem like much, but it was double the number of attacks in 2015, says AV-Test.

The most infamous Android threat of the last two years, Stagefright, was a set of flaws in Android's media playback library rather than malware in its own right, and Google says it was exploited on very few devices. However, security firm Check Point reports that a type of Android malware called CopyCat last year infected 14 million devices, despite never making it to Google Play. CopyCat ended up rooting more than half of them, or about eight million devices. Most victims were in Southeast Asia, but 280,000 were in the United States. The CopyCat creators earned about $1.5 million, primarily through ad fraud.

Security threats in general dropped by 14 percent in 2016 compared to the 2015 high water mark. However, that’s still the second highest total since AV-Test started its surveys, and Q1 has shown an uptick. The company estimates that some 640 million malware programs were active in 2016.

The WatchGuard Technologies Internet Security Report, which was based on feedback from 26,500 WatchGuard UTM appliances worldwide, suggests that Linux malware is growing even faster than the AV-Test measurements indicate. Linux was said to be the target of 36 percent of malware detected in the first quarter, with IoT devices and servers receiving the lion’s share of attacks.

Other trends include an increase in attacks on web servers, totaling 82 percent of all network attacks. The report also detected seasonal trends: Most malware hits in Q4, followed by a Q1 slowdown.

It’s probably a good idea for all of us to learn more about security. One angle is covered in this recently updated cryptography overview for newbies from

To learn more about Linux security, check out the SysAdmin’s Essential Guide to Workstation Security from The Linux Foundation.
