Polymorphism Could be the Secret to Spreading Unix Malware

Unix and Unix-like operating systems have long been known for their built-in security features, with security researchers only periodically warning about specific exploits. Much recent Linux malware gets around the mitigations written against earlier attacks by changing its shape, relying on polymorphism to hide from the traditional, signature-based tools used to detect malicious code. In one particularly concerning case, attackers have gone a step further and made their malicious code look like the system's own userspace tools, by shipping modified copies of those tools in place of the originals.

FontOnLake, as the ESET researchers who documented it named it, combines these trojanized utilities with a backdoor and rootkit components that hide its presence and give outside actors remote access. While it has an extremely low prevalence in the wild at the moment, FontOnLake is a dangerous proof of concept. Fortunately, security researchers have found some interesting ways to harden systems beyond conventional Unix user permissions and reduce the risk of these attacks becoming widespread.

Many of these use surprisingly simple solutions, which are easy to distribute as patches. Unfortunately, it does appear that polymorphism will continue to be a major issue for cybersecurity experts to deal with for years to come.

Disguising Malware as a Legitimate Tool

The programmers of the FontOnLake trojan altered at least four utilities found in a large number of GNU/Linux distributions: cat, kill, sftp and sshd. The sftp client, which transfers files over SSH rather than over FTP, is probably the most interesting of these; it ships with OpenSSH and is present in most installations even though it is used far less often than ssh itself. The OpenSSH server process, sshd, has been trojanized as well. Many individual desktop users never run it unless they accept remote logins for server maintenance or for a headless box such as a Raspberry Pi, but where it does run it handles every remote login, so a modified copy is well placed to see credentials.

On the other hand, these tools are almost ubiquitous in embedded systems, which is what this kind of malware may eventually target the most. Consumer routers and modems largely run Linux-based firmware, which makes them an attractive target for attackers who want to build botnets or sniff packets for useful bits of information to steal. That being said, it's the more conventional userspace tools that most concern security researchers.

Corrupting a Standard GNU Tool

While FontOnLake's corruption of two networking tools is concerning enough, it also replaces the cat utility, perhaps the first command line tool most people ever learn. Since cat is used for displaying and concatenating text, a trojanized cat sees the contents of every file a user reads with it. That makes it a convenient place to snoop on documents on a specific desktop machine, or to read configuration files such as the hosts file on a router, which could provide information about the internals of a specific network.

Though this might not be immediately useful, security researchers have warned that such information can make more sophisticated attacks on the same target possible later. Consumer security vendors such as Aura recommend encrypting Wi-Fi networks, but that defends against a different threat: a trojanized binary lives on the host itself, so the compromise is the same whether the machine is connected over Wi-Fi, an RJ-45 Ethernet cable or Fibre Channel. That makes it a potential hazard to those working with storage area networks as well.

The kill command is also compromised, which could of course be used for the virtual equivalent of vandalism: a remote actor could use it to send signals to any process owned by the user whose permissions they hold, stopping them at will. A sophisticated attack is unlikely to involve this script-kiddie behaviour. Note that kill itself does not list processes (that is what ps and top are for); the value of a trojanized kill is that it is run often, with the calling user's privileges, which makes it a low-profile place from which to load further attacker code.

Quite a few Unix system tools have features that people might not often think about, which makes them an interesting target for those wishing to compromise an existing system.
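The practical check against the trojanized utilities described above is an integrity baseline: record a digest and the mode bits of each binary on a known-good system, keep that record somewhere the host cannot alter, and re-verify later. The script below is an added example written for this page, not FontOnLake analysis code or anything from the original article. The watched paths are the four utilities named above; the sample run builds stand-in files in a temporary directory (a constructed scenario) rather than touching the real /bin.

```python
"""Baseline-and-verify check for system binaries that a trojan might replace.

Added example, not from the original article. Records SHA-256, size and
mode bits for a list of binaries, then re-checks them and reports drift:
content changed (a trojanized copy), mode changed (e.g. a new setuid bit),
file missing, or file appeared since the baseline was taken.
"""
import hashlib
import os
import stat
import tempfile

# Utilities the article says FontOnLake ships trojanized copies of.
# Paths are relative to a root so the demo can use a temporary directory.
WATCHED = ["bin/cat", "bin/kill", "usr/bin/sftp", "usr/sbin/sshd"]


def fingerprint(path):
    """Return {'sha256', 'size', 'mode'} for a file, or None if it is missing."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return None
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode)}


def build_baseline(root, files=WATCHED):
    """Fingerprint every watched file under root. Run this on a known-good
    system and store the result off-host (signed, or on read-only media)."""
    return {rel: fingerprint(os.path.join(root, rel)) for rel in files}


def verify(root, baseline):
    """Compare the current files against the baseline.
    Returns {relpath: reason} for every file that drifted; {} when clean."""
    findings = {}
    for rel, expected in baseline.items():
        current = fingerprint(os.path.join(root, rel))
        if expected is None and current is None:
            continue
        if expected is None:
            findings[rel] = "appeared"
        elif current is None:
            findings[rel] = "missing"
        elif current["sha256"] != expected["sha256"]:
            findings[rel] = "content changed"
        elif current["mode"] != expected["mode"]:
            findings[rel] = "mode changed (%o -> %o)" % (expected["mode"], current["mode"])
    return findings


def demo():
    """Constructed scenario: take a baseline, then 'trojanize' cat by
    appending to it and make sshd setuid. Returns the verify() findings."""
    root = tempfile.mkdtemp()
    for rel in WATCHED:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(b"#!/bin/sh\necho stand-in for " + rel.encode() + b"\n")
        os.chmod(path, 0o755)
    baseline = build_baseline(root)
    assert verify(root, baseline) == {}  # clean run right after baselining
    with open(os.path.join(root, "bin/cat"), "ab") as f:
        f.write(b"# simulated payload loader\n")
    os.chmod(os.path.join(root, "usr/sbin/sshd"), 0o4755)
    return verify(root, baseline)


if __name__ == "__main__":
    for rel, reason in demo().items():
        print(rel, reason)
```

On a packaged system the distribution's own manifest does the same job as a first pass (`dpkg --verify` or `debsums` on Debian-family systems, `rpm -V` on RPM-based ones). Two caveats apply to either approach: the baseline is only as trustworthy as the system it was taken on, and a kernel-mode rootkit can hide files and lie to every userspace tool, including this one, so the verification that counts is the one run from a trusted boot medium against the offline disk.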

Utilizing Less Common Command Line Switches

Something as simple as the arecord command has a large number of options, many of which aren't often used. Most of these relate to sample formats, rates and channel layouts, which help podcasters and telephony engineers record sound in a variety of ways. Others are less obviously about audio: arecord can enumerate the sound hardware it finds (its -l and -L switches), and its --process-id-file switch writes its own process ID to a file of the caller's choosing. An individual with some limited remote control over a compromised system could use switches like these to explore the machine they're experimenting with.

Naturally, few Linux or FreeBSD developers would want to reduce the number of command line options offered to power users who need them. The point is that attackers shouldn't be able to gain control of these tools in the first place. The problem is made worse by the fact that many users install third-party software from outside their distribution's repositories.

While software in a distro's official repository isn't necessarily safe, it's usually acceptable to treat it as at least relatively so. Power users have found it possible to install Microsoft Excel on Linux through Wine, which brings in a large number of dependencies that are then potential security risks.

The same goes for those who run Steam games and related software like Minecraft. That isn't to say these things are inherently unsafe in and of themselves. However, they bring in huge amounts of extra software, which increases the total attack surface of a machine, eventually to something approaching a Microsoft Windows installation or another consumer-grade operating system.

Patches and hotfixes have so far focused on the underlying system software, which means that polymorphic attacks could position themselves to take advantage of this larger, less well patched attack surface.

Taking Advantage of Extra Apps

When a GNU/Linux or FreeBSD user installs Wine, they're running Windows programs through a compatibility layer on their own machine. End-users might not realize that while Wine is not Windows and doesn't inherit Windows kernel flaws, a Trojan horse written for Windows can still run under Wine, and often will. If it does, it runs as the invoking user: it cannot escape that user's Unix permissions, but Wine exposes the whole host filesystem to Windows programs (as drive Z: by default), so the user's home directory and anywhere else the user can write are within reach.

That kind of access should be more than enough to do serious damage. Wiping an entire home directory could destroy countless documents if someone hasn't been diligent about backing them up to some other type of storage. Any other mounted filesystem where the user has write permission, such as a separate ext3 or ext4 partition, could be cleared out as well.

Most concerning is that a Trojan horse written for Windows could attack USB storage. FAT16, FAT32 and exFAT don't store Unix ownership or permission bits at all; the kernel synthesises them from mount options, and whoever plugs in the device usually gets the whole volume mounted read-write under their own uid, so writing to it (or wiping it) is trivial.
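Because those filesystems have no permission bits of their own, what a Windows payload running under Wine can do to a USB stick is decided entirely by the mount options: uid= and gid= choose the owner of every file, umask=/fmask=/dmask= choose what everyone else may do, and ro, noexec and nosuid limit the damage. The audit script below is an added example written for this page, not from the original article or any vendor tool. It parses /proc/mounts-style lines and reports, for each FAT-family volume, who owns it and whether it is writable, world-writable, executable or setuid-capable. The mount lines at the bottom are constructed for the demo, not captured from a real machine; the assumption that a missing mask means a fully permissive one is a deliberate worst-case choice and is marked in the code.

```python
"""Audit FAT/exFAT/NTFS mounts for the 'no Unix permissions' problem.

Added example, not from the original article. Reads /proc/mounts-style
text (device mountpoint fstype options dump pass) and reports how each
permission-less volume is exposed to the local user.
"""

# Filesystems whose ownership and mode bits come only from mount options.
NO_UNIX_PERMS = {"vfat", "msdos", "exfat", "ntfs", "ntfs3"}


def parse_options(opt_string):
    """'rw,uid=1000,fmask=0022' -> {'rw': None, 'uid': '1000', 'fmask': '0022'}"""
    opts = {}
    for item in opt_string.split(","):
        key, sep, value = item.partition("=")
        opts[key] = value if sep else None
    return opts


def others_can_write(opts):
    """True if the synthesised file mode keeps the write bit for 'other'.

    For these filesystems mode = 0777 & ~mask, where fmask (files) overrides
    umask. If no mask is given the kernel uses the mounting process's umask,
    which we cannot see here; this audit assumes the worst case (mask 000).
    Directory masks (dmask) are deliberately not consulted.
    """
    for key in ("fmask", "umask"):
        if opts.get(key):
            mask = int(opts[key], 8)
            break
    else:
        mask = 0o000  # assumption: unknown mounter umask, treat as permissive
    return (0o777 & ~mask) & 0o002 != 0


def audit_mounts(mounts_text):
    """Return one finding dict per FAT-family mount found in mounts_text."""
    findings = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        device, mountpoint, fstype, opt_string = fields[:4]
        if fstype not in NO_UNIX_PERMS:
            continue
        opts = parse_options(opt_string)
        findings.append({
            "device": device,
            "mountpoint": mountpoint,
            "fstype": fstype,
            "owner_uid": int(opts.get("uid") or 0),   # without uid= the owner is root
            "writable": "rw" in opts,
            "others_can_write": others_can_write(opts),
            "exec_allowed": "noexec" not in opts,
            "suid_allowed": "nosuid" not in opts,
        })
    return findings


def risky(finding):
    """A volume counts as risky here if a payload could be both written to it
    and executed from it, i.e. it is mounted rw without noexec."""
    return finding["writable"] and finding["exec_allowed"]


# Constructed sample: a desktop auto-mount, a root-owned exFAT card mounted
# with defaults, and a deliberately hardened read-only mount.
SAMPLE_MOUNTS = """\
/dev/sda2 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sdb1 /media/alice/USB vfat rw,nosuid,nodev,relatime,uid=1000,gid=1000,fmask=0022,dmask=0022,utf8,flush 0 0
/dev/sdc1 /mnt/camera exfat rw,relatime,uid=0,gid=0 0 0
/dev/sdd1 /mnt/usb-ro vfat ro,noexec,nosuid,nodev,relatime,uid=1000,gid=1000,umask=0077 0 0
"""

if __name__ == "__main__":
    for f in audit_mounts(SAMPLE_MOUNTS):
        print(f["mountpoint"], f["fstype"], "owner uid", f["owner_uid"],
              "RISKY" if risky(f) else "ok",
              "world-writable" if f["others_can_write"] else "")
```

To run it against the live system, replace SAMPLE_MOUNTS with the contents of /proc/mounts. The third sample line shows the shape of a safer manual mount: ro keeps a wiper from touching the stick at all, umask=0077 keeps every other local user out, and noexec,nosuid,nodev stop anything dropped onto the volume from being run from there. Those options are accepted by the vfat driver and by the in-kernel exfat driver; the first two lines show the typical desktop auto-mount, which is owner-writable and executable by design.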

The good news is that these issues should be less prevalent in the enterprise, where attack surfaces are usually kept smaller. Individual users may find that protecting themselves against a majority of attacks could be as easy as removing software they no longer use.

They’ll certainly get a small performance boost if nothing else.
