New Symbiote malware infects all running processes on Linux systems

Discussion in 'malware problems & news' started by hawki, Jun 9, 2022.

  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    Yes, it would have been interesting to know how a Linux server could be owned like this. Or perhaps it was a supply chain attack, as seen in the first link? An insider attack is also possible of course. But it seems like this technique isn't anything new, see the second link. However, I didn't get the part about "no executables being necessary"; I mean, in Windows you would at least need some .exe to perform code injection or some driver to hide file system and network activity.

    https://www.bleepingcomputer.com/ne...alware-hidden-in-fake-browserify-npm-package/
    https://attack.mitre.org/techniques/T1574/006/
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    No, correct, I'm not familiar with Linux, that's why I'm asking these questions. The question was: are there any notable third-party anti-exploit tools on Linux? From what I understood, Firejail is about the only one, which is cool I guess.

    And the bold claims that I'm making are based on what I read about stealthy malware running on Linux systems, servers in this case, but I assume they can also run on desktop systems. These are just as bad as old-school rootkits on Windows, so in my book this is crappy OS architecture, I can't explain it any better. I have the exact same complaint about Windows, but at least there are very good (third-party) mitigation and detection tools available.

    Cool, but this hasn't got anything to do with good OS architecture, because the same can be done with Windows. So when I talk about OS architecture I mainly talk about the techniques that malware/hackers can use to attack a system, once they are up and running. Of course, delivery of malware is the same on all operating systems in general, namely user downloads and exploits. Obviously, users are less at risk on Android, iOS, macOS and Ubuntu since they make use of an app store. But that doesn't mean they are better designed than Windows.

    M$ is now also trying to beef up the Microsoft Store, but I doubt that the older generation will stop downloading software from the web. And trust me, I have downloaded hundreds of apps directly from the web in the last 25 years without any problems. Sure, a couple of them might have been malware, but this was taken care of by AV or HIPS. But again, this hasn't got anything to do with OS architecture, in my view.

    You can't say this for sure, because if this third-party tool monitors for code injection and DLL hijacking, it might have been able to prevent this attack. On Windows there are tools that are good at catching this stuff. But this is Windows; I don't know how it works on Linux. But I do know that if you look at the MITRE ATT&CK Matrix, most of the stuff that applies to Windows also applies to Linux.

    https://attack.mitre.org/matrices/enterprise/linux/
     
  3. nicolaasjan

    nicolaasjan Registered Member

    Joined:
    Sep 23, 2018
    Posts:
    989
    Location:
    The Netherlands
    In Windows it can also be done without an executable.
    See:
    https://security.stackexchange.com/...ithout-the-user-executing-or-opening-the-file
    Or:
    https://www.microsoft.com/security/...ith-behavior-monitoring-amsi-and-next-gen-av/
    https://blogs.blackberry.com/en/2022/06/symbiote-a-new-nearly-impossible-to-detect-linux-threat#hero
    So: Dynamic Linker Hijacking.
    Explanation:
    https://www.cadosecurity.com/linux-attack-techniques-dynamic-linker-hijacking-with-ld-preload/
     
    Last edited: Jun 19, 2022
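The mechanism both posts above refer to (ATT&CK T1574.006, Dynamic Linker Hijacking) works because the loader honours `/etc/ld.so.preload` and the `LD_PRELOAD` variable for every dynamically linked process, so a shared library, not a standalone executable, is all that is needed to get code into other processes. The audit below is an added example written for this page, not code from the thread, from BlackBerry or from Cado Security; it looks at the three places where such a preload leaves a trace: the system-wide preload file, `LD_PRELOAD` in `/proc/<pid>/environ`, and libraries mapped into `/proc/<pid>/maps` from outside the usual library directories. The list of "expected" library directories and the sample `/proc` data are assumptions constructed for the demonstration.

```python
"""Audit for dynamic-linker hijacking (LD_PRELOAD / ld.so.preload) on Linux.

Added example for this thread; not part of any referenced project.
Three indicators are checked:
  1. entries in /etc/ld.so.preload (applied to every dynamically linked process)
  2. LD_PRELOAD in a process's environment (/proc/<pid>/environ, NUL-separated)
  3. a shared object mapped into a process from outside the normal library dirs
"""
from pathlib import Path
from typing import Dict, List

# Assumption: where legitimate shared objects live on the audited host.
# Adjust for the distribution; anything mapped from elsewhere is reported.
ALLOWED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")


def parse_ld_so_preload(text: str) -> List[str]:
    """Return library paths listed in an ld.so.preload file ('#' starts a comment)."""
    libs: List[str] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            libs.extend(line.split())
    return libs


def parse_environ(raw: bytes) -> Dict[str, str]:
    """Decode the NUL-separated KEY=VALUE records of /proc/<pid>/environ."""
    env: Dict[str, str] = {}
    for entry in raw.split(b"\0"):
        if b"=" in entry:
            key, value = entry.split(b"=", 1)
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def suspicious_mapped_libs(maps_text: str) -> List[str]:
    """Return .so paths from /proc/<pid>/maps that sit outside ALLOWED_LIB_DIRS."""
    found = set()
    for line in maps_text.splitlines():
        parts = line.split(maxsplit=5)  # addr perms offset dev inode [path]
        if len(parts) < 6:
            continue
        path = parts[5]
        is_lib = path.endswith(".so") or ".so." in path  # libfoo.so, libc.so.6
        if path.startswith("/") and is_lib and not path.startswith(ALLOWED_LIB_DIRS):
            found.add(path)
    return sorted(found)


def audit_process(environ_raw: bytes, maps_text: str) -> List[str]:
    """Findings for one process, from its raw environ bytes and maps text."""
    findings: List[str] = []
    env = parse_environ(environ_raw)
    if env.get("LD_PRELOAD"):
        findings.append(f"LD_PRELOAD={env['LD_PRELOAD']}")
    for path in suspicious_mapped_libs(maps_text):
        findings.append(f"mapped library outside library dirs: {path}")
    return findings


def audit_host(proc: str = "/proc", preload_file: str = "/etc/ld.so.preload") -> Dict[str, List[str]]:
    """Walk the live host. Processes we cannot read (other users' environ) are skipped."""
    results: Dict[str, List[str]] = {}
    try:
        libs = parse_ld_so_preload(Path(preload_file).read_text())
        if libs:
            results["ld.so.preload"] = libs
    except OSError:
        pass  # file absent (the normal case) or unreadable
    for pid_dir in Path(proc).iterdir():
        if not pid_dir.name.isdigit():
            continue
        try:
            env_raw = (pid_dir / "environ").read_bytes()
            maps = (pid_dir / "maps").read_text()
        except OSError:
            continue  # permission denied, or the process exited mid-walk
        findings = audit_process(env_raw, maps)
        if findings:
            results[pid_dir.name] = findings
    return results


# Constructed sample data (not captured from a real host) showing what a
# preloaded hook library looks like in each of the three locations.
SAMPLE_PRELOAD = "# system-wide preload\n/tmp/.x/libhook.so\n"
SAMPLE_ENVIRON = b"PATH=/usr/bin\0LD_PRELOAD=/tmp/.x/libhook.so\0HOME=/root\0"
SAMPLE_MAPS = (
    "5591f4a00000-5591f4a01000 r--p 00000000 08:01 1234 /usr/bin/bash\n"
    "7f1c00000000-7f1c00020000 r-xp 00000000 08:01 5678 /usr/lib/x86_64-linux-gnu/libc.so.6\n"
    "7f1c00100000-7f1c00101000 r-xp 00000000 08:01 9012 /tmp/.x/libhook.so\n"
    "7f1c00200000-7f1c00201000 rw-p 00000000 00:00 0 [stack]\n"
)


def sample_findings() -> List[str]:
    """Run the per-process audit over the constructed sample data."""
    return audit_process(SAMPLE_ENVIRON, SAMPLE_MAPS)


if __name__ == "__main__":
    print("sample:", sample_findings())
    print("host:", audit_host())
```

One caveat a practitioner should keep in mind: a preloaded library that hooks libc's file and directory functions can hide its own entries from exactly this kind of scan when the scanner is itself dynamically linked and therefore also loads the hook. Run the check from a statically linked binary, from rescue media, or from outside the host (for example over the raw disk), and compare with what a dynamically linked process reports; a discrepancy is itself an indicator.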
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands