Windows Malware Takes Advantage of Weak Linux Setups

by Ostatic Staff - Mar. 23, 2013

A few weeks ago I asked if Linux needed antivirus, in a post where I concluded with the assertion that even though it wasn’t necessary to protect the Linux servers themselves, it was worth having to protect Windows hosts. A recently discovered piece of malware affecting Windows flips the concept and takes an interesting approach to compromising Linux. More importantly, it underscores the importance of properly securing Linux from both external and internal threats.

According to an analysis by Symantec, the malware looks for saved remote sessions with root privileges in mRemote (which has apparently been discontinued and replaced by a fork named mRemoteNG). If the malware finds saved remote access, it attempts to jump to the server and delete core filesystems, rendering the server unusable. A nasty little bug, but one that is preventable using some basic hardening techniques and following good practices.

To begin with, this is a perfect example of why access to servers should be restricted to only those who absolutely need it. When shell access is granted, it should be through a restricted account that has only the permissions the user needs to accomplish their tasks. If root privileges are required, elevating privileges should be done using sudo, configured to require the user's password. There should be no remote root access to the server. It is an easy change to make in /etc/ssh/sshd_config, but it can be understandably harder when there are political or administrative reasons to keep ssh access to root available.

Particularly troublesome are shared, non-expiring accounts with privileges over the application folder. While the existence of such an account undoubtedly makes management easier for teams, the possibility that malware could take advantage of the group's special privileges introduces an unacceptable risk into the environment.
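The two settings the last two paragraphs describe, remote root login in sshd_config and a shared group elevating through sudo, are easy to audit. The script below is an added example, not code from the original post: it reads an sshd_config and a sudoers fragment, reports the effective PermitRootLogin value and counts rules that grant privileges without a password prompt. The file contents it writes are constructed samples (the group name appteam and the paths are invented), and it does not evaluate directives inside sshd Match blocks.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config and a
# sudoers fragment for the two hardening points discussed above.
# All sample file contents below are constructed, not real host configs.

# Print the effective PermitRootLogin value from FILE ("unset" if absent).
# sshd takes the first occurrence of a keyword, so the first active line wins;
# the anchored regex skips commented-out lines such as "#PermitRootLogin yes".
# Caveat: directives inside "Match" blocks are not evaluated here.
permit_root_login() {
    grep -iE '^[[:space:]]*PermitRootLogin[[:space:]]+' "$1" \
        | awk 'NR==1 {print tolower($2); found=1} END {if (!found) print "unset"}'
}

# Classify the value: "hardened" when remote root login is refused (no) or
# limited to keys (prohibit-password / its older spelling without-password),
# "weak" for yes, "unset" when the compiled-in OpenSSH default applies.
ssh_root_status() {
    case "$(permit_root_login "$1")" in
        no|prohibit-password|without-password) echo hardened ;;
        yes) echo weak ;;
        *) echo unset ;;
    esac
}

# Count active (non-comment) sudoers rules tagged NOPASSWD, i.e. rules that
# elevate without asking for the user's password.
sudo_nopasswd_count() {
    awk '!/^[[:space:]]*#/ && /NOPASSWD/ {n++} END {print n+0}' "$1"
}

# --- constructed sample files ---
AUDIT_DIR=$(mktemp -d)
WEAK_SSHD="$AUDIT_DIR/sshd_config.weak"
HARD_SSHD="$AUDIT_DIR/sshd_config.hardened"
WEAK_SUDO="$AUDIT_DIR/sudoers.weak"
HARD_SUDO="$AUDIT_DIR/sudoers.hardened"

cat > "$WEAK_SSHD" <<'EOF'
# constructed sample: root may log in directly over ssh
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF

cat > "$HARD_SSHD" <<'EOF'
# constructed sample: the sshd_config change the post recommends
Port 22
#PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication yes
EOF

cat > "$WEAK_SUDO" <<'EOF'
# constructed sample: a shared group elevates to root with no password
%appteam ALL=(ALL) NOPASSWD: ALL
EOF

cat > "$HARD_SUDO" <<'EOF'
# constructed sample: members must enter their own password to elevate
%appteam ALL=(ALL) ALL
EOF

for f in "$WEAK_SSHD" "$HARD_SSHD"; do
    printf '%s: PermitRootLogin=%s (%s)\n' "$f" \
        "$(permit_root_login "$f")" "$(ssh_root_status "$f")"
done
for f in "$WEAK_SUDO" "$HARD_SUDO"; do
    printf '%s: NOPASSWD rules=%s\n' "$f" "$(sudo_nopasswd_count "$f")"
done
```

Pointing the functions at the real /etc/ssh/sshd_config and /etc/sudoers (or a file under /etc/sudoers.d) gives the same report for a live host; on OpenSSH releases where the directive is absent, "unset" means the version's own default is in force, which is why an explicit "PermitRootLogin no" is the setting to look for.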

It is a sad state of affairs that in 2013 we still need to take precautions against malware writers. Is it really unavoidable that we will have viruses? Are flaws in software such a fact of life that malware will continue to be prevalent in the most popular platforms? It seems to me that if open source desktops were adopted, especially in the enterprise, issues like these would become less relevant. Do you agree? Is a life without malware possible? Let me know in the comments.