New Symbiote Malware for Linux: Nearly Impossible to Detect
Intezer and BlackBerry research teams recently discovered a new Linux malware with a parasitic nature: it infects every running process on a compromised system, giving threat actors rootkit capabilities, the ability to harvest credentials, and remote access.
They named the malware Symbiote and described it as “a new, almost impossible-to-detect Linux threat.” Symbiote was first detected in November 2021, and the research found it appears to have been written to target the financial sector in Latin America.
According to the report, Symbiote does not take the form of a typical executable file but of a shared object (SO) library that is loaded into running processes through the LD_PRELOAD mechanism, infecting the machine parasitically.
It uses Berkeley Packet Filter (BPF) hooking to hide malicious network traffic on infected machines.
Security researchers point out that when it injects itself into a process, the malware can choose which results it wants to display.
“If an administrator starts a packet capture on an infected machine to investigate some suspicious network traffic, Symbiote injects itself into the process of inspecting the software and uses BPF hooking to filter out results that might reveal its activity.”
Symbiote hooks “libc” and “libpcap” functions and performs various actions to hide its presence, such as hiding the parasitic processes, hiding files deployed alongside the malware, and more.
To hide malicious network activity on infected machines, Symbiote sanitizes connection entries it wants to hide, performs packet filtering via BPF, and removes UDP traffic to domains on its list.
In addition to hiding its presence on the machine, the Symbiote malware also hides other files related to malware that might be deployed with it.
The researchers concluded that Symbiote is a highly evasive malware. Its main goal is to capture credentials and facilitate backdoor access to infected machines. Because the malware runs as a user-level rootkit, detecting an infection can be difficult. Network telemetry can be used to detect abnormal DNS requests, and security tools such as AV and EDR should be statically linked to ensure they are not themselves “infected” by user-level rootkits.
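As an added illustration of the detection angle above (example code written for this page, not part of the Intezer/BlackBerry report), the script below checks the two places an LD_PRELOAD-style library has to be registered (the LD_PRELOAD variable in each process environment and /etc/ld.so.preload) and flags shared objects mapped into a process from outside the usual library directories. The parsers are separated from the /proc reads so they can run on constructed sample data; the trusted directory list and the sample file names are assumptions.

```python
import os
import re

# Library directories treated as trusted; a .so mapped from anywhere else is flagged (assumption).
TRUSTED_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64", "/usr/local/lib")

def preload_from_environ(environ: bytes) -> list[str]:
    """Libraries named by LD_PRELOAD in a /proc/PID/environ blob (NUL-separated entries)."""
    for entry in environ.split(b"\0"):
        if entry.startswith(b"LD_PRELOAD="):
            value = entry.split(b"=", 1)[1].decode(errors="replace")
            return [p for p in re.split(r"[:\s]+", value) if p]   # ':' or blanks separate paths
    return []

def preload_from_config(text: str) -> list[str]:
    """Libraries listed in /etc/ld.so.preload (one per line, '#' starts a comment)."""
    entries = (line.split("#", 1)[0].strip() for line in text.splitlines())
    return [e for e in entries if e]

def untrusted_so_from_maps(maps: str) -> list[str]:
    """Shared objects in a /proc/PID/maps dump that live outside TRUSTED_DIRS."""
    found = set()
    for line in maps.splitlines():
        fields = line.split(None, 5)                  # addr perms offset dev inode path
        if len(fields) == 6 and ".so" in fields[5] and not fields[5].startswith(TRUSTED_DIRS):
            found.add(fields[5])
    return sorted(found)

def scan_proc() -> dict:
    """Apply the checks to the live host (Linux, ideally as root); returns {pid_or_file: findings}."""
    results = {}
    if os.path.isfile("/etc/ld.so.preload"):
        with open("/etc/ld.so.preload") as f:
            cfg = preload_from_config(f.read())
        if cfg:
            results["/etc/ld.so.preload"] = cfg
    pids = filter(str.isdigit, os.listdir("/proc")) if os.path.isdir("/proc") else []
    for pid in pids:
        try:
            with open(f"/proc/{pid}/environ", "rb") as f:
                env = preload_from_environ(f.read())
            with open(f"/proc/{pid}/maps") as f:
                maps = untrusted_so_from_maps(f.read())
        except OSError:
            continue                                  # process exited or not readable
        if env or maps:
            results[pid] = {"LD_PRELOAD": env, "untrusted_so": maps}
    return results

# Constructed sample data (not from a real infection) so the parsers can be exercised offline.
SAMPLE_ENVIRON = b"HOME=/root\0LD_PRELOAD=/dev/shm/constructed_hook.so\0PATH=/usr/bin\0"
SAMPLE_MAPS = ("7f10-7f11 r-xp 00000000 08:01 5678 /lib/x86_64-linux-gnu/libc.so.6\n"
               "7f20-7f21 r-xp 00000000 00:05 9999 /dev/shm/constructed_hook.so\n"
               "7ffc-7ffd rw-p 00000000 00:00 0 [stack]\n")

if __name__ == "__main__":
    print("sample:", preload_from_environ(SAMPLE_ENVIRON), untrusted_so_from_maps(SAMPLE_MAPS))
    print("live:", scan_proc())
```

Because the malware hooks libc, a dynamically linked interpreter on an infected host may be handed already-filtered /proc data; for the reason the report gives, run such checks from a statically linked tool or from a clean boot medium.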
Details can be found in the official announcement.