
Linux under fire: Malware reports detail growing threats

Jul 7, 2017 — by Eric Brown

As WikiLeaks exposes the CIA's Linux-targeting OutlawCountry and Gyrfalcon tools, two reports claim Linux malware attacks are rising quickly.

Over the past few years, anecdotal evidence has suggested that security threats to Linux devices are on the rise. Last fall's Mirai botnet attacks, which turned hundreds of thousands of Linux-based IoT devices into a zombie army used for Distributed Denial of Service (DDoS) attacks on Internet infrastructure, were particularly effective in waking up the Linux community.

Progress of 2016 Mirai botnet attacks on Linux devices

Now, we’re seeing quantitative statistics to support the Linux malware trend. On the heels of a WikiLeaks release detailing the CIA’s OutlawCountry and Gyrfalcon hacking tools aimed at Linux, both AV-Test and WatchGuard have released reports claiming that Linux computers are among the fastest growing targets of malware over the past year and a half.

According to AV-Test, macOS computers saw the largest increase in malware targeting in 2016, with a 370 percent increase, but Linux was close behind: AV-Test counted roughly three times as many Linux malware samples in 2016 as in 2015. WatchGuard's Internet Security Report, which instead focuses on Q1 2017, claims that Linux malware made up more than 36 percent of the top threats.

Global malware attacks in 2016 and Q1 2017

A decade ago, Linux was obscure outside the server world, but Tux lovers could at least console themselves with the security of their beloved OS relative to Windows. This helped reinforce the generally true, but somewhat counterintuitive, claim that by inviting anyone to inspect and fix the code, you could build a more secure platform than a proprietary OS.


A worthy target

The first crack in the Linux armor came in the Android world where many apps revealed themselves to be pestilent. It wasn’t just the app platform — and Android fragmentation — that fueled the increase, however, but Android’s popularity. In recent years, as more and more Linux-based routers, home automation gizmos, and other devices entered the relatively unprotected home scene, hackers have increasingly found Linux to be a worthy target.

The problem is not that Linux is unsafe compared to other platforms. The Linux kernel and other components are regularly updated to meet the latest threats, which are more easily identified thanks to the greater participation afforded by open source. Developers are continually improving system update and integrity protection mechanisms, and protecting against other emerging security threats.

Although more remains to be done upstream, the main issue is that vendors release routers, consumer electronics, and IoT gear with outdated Linux kernels and little or no security hardening on top of the Linux stack. IoT vendors rarely offer kernel updates, and when they do, there is usually no over-the-air (OTA) mechanism: the user must be sufficiently motivated to find out about the update, then download and install it by hand. In addition, consumers tend to leave factory default passwords in place or choose easily guessed ones, which is exactly the weakness Mirai's credential list exploited.

CIA’s OutlawCountry and Gyrfalcon exposed

The CIA's OutlawCountry tool, exposed in a Vault7 release by WikiLeaks on June 30, targets Red Hat Enterprise Linux (RHEL) and the RHEL-based CentOS in their 64-bit 6.x versions, which primarily run on servers. On July 6, WikiLeaks added a report detailing the CIA's Gyrfalcon implant, which targets the OpenSSH client on a wider variety of Linux platforms.

As described in a ZDNet story on OutlawCountry, the tool relies on the aged 64-bit 2.6.32 kernel shipped with those Red Hat distributions. OutlawCountry does no initial break-in of its own: before it can do its work, the operator must already hold root on the server and be able to load a malicious kernel module. That module registers a netfilter table under an obscure name in the kernel's networking stack; rules added to that table with iptables take precedence over the existing rules and do not appear in a plain `iptables -L`, which only lists the default filter table. Those rules are what redirect outbound traffic to a CIA-controlled server. OutlawCountry was internally documented by the CIA two years ago; Red Hat has released a command so users can check for the implant and is working on a resolution.
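The table is "hidden" only in the sense that its name is unknown and iptables shows the filter table unless told otherwise; the kernel still lists every registered IPv4 table in /proc/net/ip_tables_names. The script below, added here as an illustration and not Red Hat's published check or anything from the Vault7 material, compares that list against the five tables a stock kernel registers and dumps the rules of anything else. The sample input used by the test, including the table name `x9hidden`, is constructed for the example.

```shell
#!/bin/sh
# Added example: report IPv4 netfilter tables that a stock kernel does not register.
# The stock iptables tables come from iptable_filter, iptable_nat, iptable_mangle,
# iptable_raw and iptable_security; any other name was registered by some other module.
KNOWN_TABLES="filter nat mangle raw security"

# find_unknown_tables: read one table name per line on stdin (the format of
# /proc/net/ip_tables_names) and print the names that are not in KNOWN_TABLES.
find_unknown_tables() {
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        case " $KNOWN_TABLES " in
            *" $name "*) ;;                 # expected stock table, ignore
            *) printf '%s\n' "$name" ;;     # not a stock table: report it
        esac
    done
}

# check_live: compare against the running kernel's table list and, for every
# unexpected table, dump its rules so any redirection becomes visible.
# Returns 0 if only stock tables exist, 1 if an unexpected table was found,
# 2 if ip_tables is not loaded (nothing to inspect).
check_live() {
    [ -r /proc/net/ip_tables_names ] || { echo "ip_tables not loaded" >&2; return 2; }
    unknown=$(find_unknown_tables < /proc/net/ip_tables_names)
    [ -n "$unknown" ] || return 0
    for t in $unknown; do
        echo "unexpected netfilter table: $t"
        # -S prints the table's rules in iptables-save syntax; needs root
        iptables -t "$t" -S 2>/dev/null || echo "  (run as root to list its rules)"
    done
    return 1
}

# Stand-alone use on a host: sh check_tables.sh --live
case "${1-}" in
    --live) check_live ;;
esac
```

Two caveats a practitioner should keep in mind. First, the check only covers IPv4 iptables; IPv6 tables live in /proc/net/ip6_tables_names and need the same treatment. Second, an attacker who already has root and a kernel module loaded can tamper with anything userland reads, procfs included, so a clean result from a live system is a useful signal, not proof; for a suspected compromise, inspect the disk and loaded-module list from trusted boot media as well.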

Earlier this year, WikiLeaks released info on the CIA’s Weeping Angel exploit, which attacks Samsung’s Tizen-based Smart TVs, as well as a CIA Dark Matter project that affects the Mac. A few others are general networking exploits that could affect Linux devices, but most of the 15 CIA exploits detailed in WikiLeaks’ 8,000-plus Vault7 documents target Windows.

According to AV-Test, Windows represented 70 percent of the online threats detected by AV-Test anti-malware security systems in 2016. There was a 15 percent drop in Windows attacks in 2016 as malicious hackers turned their attention to Linux and the Mac. Yet, any relief in the Windows world may be short lived — Windows made up 77 percent of attacks in Q1 2017.

The WannaCry ransomware outbreak of May 2017 was the biggest recent scourge on Windows, but the attacks have slowed greatly. While ransomware is often the most devastating malware, it represents a very small number of attacks, says AV-Test.

Progress of 2016 Tsunami attacks on Linux devices

In the Linux world, the Mirai botnet appears to have faded somewhat, but other malware is targeting the same IoT devices. These include the Bashlite malware and the older, but ever resilient, Tsunami backdoor. The overall percentages of Linux and macOS attacks were not listed, but presumably the two together make up the bulk of the 24.4 percent of 2016 attacks not attributed to Windows or Android.

Android attacks

The Linux numbers do not include Android, which represented 5.65 percent of all malware in 2016. That may not seem like much, but it was double the number of attacks in 2015, says AV-Test.

Stagefright, the most infamous Android security hole of the last two years, has in practice compromised very few devices, or so Google claims. However, security firm Check Point reports that a family of Android malware called CopyCat infected 14 million devices last year despite never making it to Google Play. CopyCat went on to root more than half of them, about eight million devices. Most victims were in Southeast Asia, but 280,000 were in the United States. The CopyCat operators earned about $1.5 million, primarily through ad fraud.

Android malware attacks in 2016

Security threats in general dropped by 14 percent in 2016 compared to the 2015 high water mark. However, that’s still the second highest total since AV-Test started its surveys, and Q1 has shown an uptick. The company estimates that some 640 million malware programs were active in 2016.

The WatchGuard Technologies Internet Security Report, which was based on feedback from 26,500 WatchGuard UTM appliances worldwide, suggests that Linux malware is growing even faster than the AV-Test measurements indicate. As noted above, WatchGuard’s report found Linux to be the target of 36 percent of malware detected in Q1 of this year, with IoT devices and servers receiving the lion’s share of attacks.

Other trends include an increase in attacks on web servers, totaling 82 percent of all network attacks. The report also detected seasonal trends: Most malware hits in Q4, followed by a Q1 slowdown.

It’s probably a good idea for all of us to learn more about security. One angle is covered in this recently updated cryptography overview for newbies from

This article is copyright © 2017 and was originally published here. It has been reproduced by this site with the permission of its owner. Please visit for up-to-date news and articles about Linux and open source.



One response to “Linux under fire: Malware reports detail growing threats”

  1. Joe Cohen says:

    In the era of IoT and smart devices, Linux is not the guaranteed safe choice anymore. Sure, when the enemy was viruses, Linux was OK, but now, when your web camera and router, running Linux firmware, can be made part of a botnet thanks to vulnerabilities, watch out. Hopefully the Mirai botnet was a wake-up call.

    Of course, because Linux and Mac OSes were so safe before, attackers were busy going after Windows. Now that these other OSes have gained larger market shares, they become fair game.

    As AV-Test and WatchGuard research shows, this trend is about to become a flood.
