New Symbiote malware infects all running processes on Linux systems

Discussion in 'malware problems & news' started by hawki, Jun 9, 2022.

  1. hawki

    hawki Registered Member

    "A newly discovered Linux malware known as Symbiote infects all running processes on compromised systems, steals account credentials, and gives its operators backdoor access.

    After injecting itself into all running processes, the malware acts as a system-wide parasite, leaving no identifiable signs of infection even during meticulous in-depth inspections.

    Symbiote uses the BPF (Berkeley Packet Filter) hooking functionality to sniff network data packets and to hide its own communication channels from security tools..."

    https://www.bleepingcomputer.com/ne...fects-all-running-processes-on-linux-systems/

    "Summary of Symbiote Research (A New, Nearly-Impossible-to-Detect Linux Threat)..."

    https://www.intezer.com/blog/malwar...new-nearly-impossible-to-detect-linux-threat/
     
  2. Rasheed187

    Rasheed187 Registered Member

    What else is new. I hope that people now understand when I say that Linux isn't as safe as thought. It has exactly the same attack vectors as Windows; this looks to me like a standard but very dangerous rootkit, the kind that was often deployed on Windows XP. But PatchGuard sure helped a lot, doesn't Linux have a similar system to tackle this stuff?
     
  3. nicolaasjan

    nicolaasjan Registered Member

    Nothing is safe, when people just click on attachments, that shouldn't be clicked on.

    I'm not concerned about this particular threat aimed at servers.
    From Bleepingcomputer.com:
     
  4. Rasheed187

    Rasheed187 Registered Member

    Yes of course it's geared toward Linux servers, but that's not the point. The point is that when it comes to OS architecture, Linux has the exact same flaws as Windows. And the problem is that this malware is very hard to detect. Also, let's not forget that it's not just about clicking on attachments or downloading malicious files from the web. We don't know how this malware ended up on the systems, so it might as well have been some browser or OS exploit. And when dealing with zero days, I feel safer on Windows because of the many advanced endpoint protection tools, like anti-exploit. On macOS and Linux you don't have this many.
     
  5. nicolaasjan

    nicolaasjan Registered Member

    Well, there is the AppArmor Linux kernel security module. :)
    Default status (haven't added profiles myself):
    Code:
    sudo apparmor_status
    [sudo] wachtwoord voor nico:
    apparmor module is loaded.
    25 profiles are loaded.
    23 profiles are in enforce mode.
       /usr/bin/man
       /usr/lib/NetworkManager/nm-dhcp-client.action
       /usr/lib/NetworkManager/nm-dhcp-helper
       /usr/lib/connman/scripts/dhclient-script
       /usr/lib/cups/backend/cups-pdf
       /usr/lib/lightdm/lightdm-guest-session
       /usr/lib/lightdm/lightdm-guest-session//chromium
       /usr/sbin/cups-browsed
       /usr/sbin/cupsd
       /usr/sbin/cupsd//third_party
       /usr/sbin/ntpd
       /usr/sbin/tcpdump
       /{,usr/}sbin/dhclient
       ippusbxd
       libreoffice-senddoc
       libreoffice-soffice//gpg
       libreoffice-xpdfimport
       lsb_release
       man_filter
       man_groff
       nvidia_modprobe
       nvidia_modprobe//kmod
       system_tor
    2 profiles are in complain mode.
       libreoffice-oopslash
       libreoffice-soffice
    2 processes have profiles defined.
    2 processes are in enforce mode.
       /usr/sbin/cupsd (1011)
       /usr/sbin/ntpd (1188)
    0 processes are in complain mode.
    0 processes are unconfined but have a profile defined.
    
    There is a profile for Firefox, but it is not enabled by default, because it could give issues.
    It can be enabled by:
    Code:
    sudo aa-enforce /etc/apparmor.d/usr.bin.firefox
    Perhaps easier to use Firejail.
    See also:
    https://easylinuxtipsproject.blogspot.com/p/sandbox.html
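
The "processes are in enforce mode" lines at the end of that apparmor_status output come from a per-process label the kernel exposes in /proc/<pid>/attr/current (either "unconfined" or "<profile> (enforce)" / "<profile> (complain)"). The script below is an added example, not from the poster or from the AppArmor project: it reads those labels directly so you can see which running programs actually have a profile applied. The function names are my own, and the proc root is a parameter so the functions can be pointed at a constructed directory tree for testing.

```shell
#!/bin/sh
# Per-process AppArmor confinement report, read from /proc/<pid>/attr/current.
# Added example; assumes AppArmor is the active LSM (the label format below is
# AppArmor's). Function names are constructed for this example.

# Print "pid<TAB>comm<TAB>label" for every process under $1 (default /proc).
confinement_report() {
    procroot="${1:-/proc}"
    for dir in "$procroot"/[0-9]*; do
        [ -r "$dir/attr/current" ] || continue
        # the real file is newline-terminated; strip that so comparisons are exact
        label=$(tr -d '\n' < "$dir/attr/current")
        comm=$(cat "$dir/comm" 2>/dev/null || echo '?')
        printf '%s\t%s\t%s\n' "${dir##*/}" "$comm" "$label"
    done
}

# Number of processes running with no profile at all.
count_unconfined() {
    confinement_report "$1" | awk -F'\t' '$3 == "unconfined" { n++ } END { print n+0 }'
}

# Number of processes whose profile is in enforce mode.
count_enforced() {
    confinement_report "$1" | awk -F'\t' '$3 ~ /\(enforce\)$/ { n++ } END { print n+0 }'
}

# Stand-alone use: list everything, then summarise.
if [ "${0##*/}" != "sh" ] && [ -z "$SKIP_MAIN" ]; then
    confinement_report
    printf 'unconfined: %s  enforced: %s\n' "$(count_unconfined)" "$(count_enforced)"
fi
```

Run it as a normal user and you will only see your own processes (other users' attr files are not readable), which is itself a useful reminder that a complete picture needs root. A long list of "unconfined" entries for network-facing daemons is the thing worth acting on; profiles that exist but sit in complain mode, like the libreoffice ones above, log violations without blocking them.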
     
  6. ParadigmShift

    ParadigmShift Registered Member

  7. Daveski17

    Daveski17 Registered Member

    It is the point. It's not going to affect the vast majority of Linux users. Every so often there is malware aimed at Linux servers. To extrapolate this into the idea that Linux architecture is as vulnerable as Windows is wishful thinking on your part. I'm pretty sure most servers run Linux anyway. I run desktop macOS and Ubuntu. Symbiote isn't exactly making me shake in my boots.
     
  8. nicolaasjan

    nicolaasjan Registered Member

    Unless you happen to be a high profile target. :D
     
  9. Rasheed187

    Rasheed187 Registered Member

    Good point, forgot about this. This should be able to give strong protection against exploits.

    Yes exactly and I assume this malware can also run on Linux desktop systems.
     
  10. Rasheed187

    Rasheed187 Registered Member

    No, it's not the point that I'm trying to make. And you and I clearly have different definitions of what OS architecture exactly is, so any further discussion between you and me about this subject is pointless. And guess what, I haven't had any malware infection on Windows in the last 20 years or so, so just about all reports about malware attacks on Windows aren't making me shake in my boots either. Especially if the system is protected by advanced security tools.

    But the fact that it's possible for malware to operate this stealthily is bad OS architecture in my book, no matter if it's Windows, Linux or macOS. So this hasn't got anything to do with wishful thinking, it's about facts. Security experts already mentioned that because there is so little focus on Linux security, it's likely that many more servers are infected without system administrators even knowing about it. You probably think it's FUD, but it's much more likely that it's the harsh reality. But yeah, Linux and macOS desktop users haven't got that much to worry about, with a 10% user market. But on Windows it's also easy to be safe, and brain.exe is probably the most important tool.
     
  11. nicolaasjan

    nicolaasjan Registered Member

    It does, but for the average desktop user it's not so easy to configure right for browsers.
    For example, when trying to run Firefox with Firejail, the "Open With" extension stopped working (it makes use of Native Messaging).
    Haven't yet figured out how to add additional permissions in Firejail to permit access to the relevant file system paths...

    That being said, it remains unclear to me if such an extension will even survive the Manifest v3 apocalypse. :eek:
    I noticed today that it had been removed from the Chrome Web Store.
     
  12. Daveski17

    Daveski17 Registered Member

    I doubt I'm high profile lol.
     
  13. Daveski17

    Daveski17 Registered Member

    As long as I've been using the Net there has been malware occasionally infecting Linux servers, which is then usually mitigated against eventually. This isn't anything new. Linux isn't invulnerable, it is a lot less vulnerable than Windows however. The only 'experts' worried about the alleged lack of mitigation tools for Linux have their own agenda.
     
  14. summerheat

    summerheat Registered Member

    You know, I value your opinions as a long-time (probably much longer than myself) Linux expert highly. I just want to remind you that you didn't only forget to mention AppArmor but also SELinux, Tomoyo, seccomp-bpf, namespaces, chroot, (control of) capabilities and some others including tools like Firejail, bubblewrap and systemd using those technologies. But I understand that it's easy to forget them when using them quite naturally all day long :cool:
     
  15. reasonablePrivacy

    reasonablePrivacy Registered Member

    ~90% of this malware's functionality is running in user mode, so PatchGuard, or anything similar, wouldn't protect from it.
    And yeah, we have Linux Kernel Runtime Guard and grsecurity to protect Linux kernel mode. The former is open source, the latter is commercial.
     
  16. Rasheed187

    Rasheed187 Registered Member

    Very funny, but I was talking about third party tools. On Windows it's easy to block exploits, but there is no notable exploit protection on Android, iOS and macOS. Are there any third party tools on Linux?

    Yes good point, this malware is indeed running from user-mode, similar to how most rootkits and malware work on Windows nowadays. That's my point when I say that Linux has the same crappy architecture. But how do you think these servers became infected, because they didn't mention this. In the article it's mentioned that it's basically running as a .dll file, but shouldn't this first be launched by some executable?

    Yes exactly, there has always been Linux malware, but perhaps they are now better at catching it. And a lack of mitigation tools is always a bad thing in my book. But anyway, further discussion between you and me about this subject is pointless, because of the reasons that I mentioned earlier.

    OK I see, that would indeed be a bummer if it interferes with, for example, browser extensions; it seems to be way too restrictive. It also has to be user-friendly, otherwise most people are not going to use it. That's why I love Sandboxie so much, it's quite simple to understand.
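
The ".dll file" question above has a concrete answer in the Intezer research linked in the first post: Symbiote is a shared object that the dynamic linker loads into every new process through the LD_PRELOAD mechanism, so no separate executable has to launch it. For a defender that makes the preload configuration the first thing to audit: the global /etc/ld.so.preload file and the LD_PRELOAD variable in the environment of running processes. The script below is an added example, not from the article or from any poster; the function names and the sample files used to exercise it are constructed, and the file path and proc root are parameters so the checks can be run against a copied or mounted filesystem as well as a live one.

```shell
#!/bin/sh
# Audit the two places an LD_PRELOAD-style injection shows up:
#   1. /etc/ld.so.preload (libraries the loader injects into every process)
#   2. LD_PRELOAD in each process's environment (/proc/<pid>/environ)
# Added example; function names are constructed for this example.

# Report non-comment entries in an ld.so.preload file (default /etc/ld.so.preload).
# Returns 0 when the file is absent or contains no library paths, 1 otherwise.
check_ld_so_preload() {
    file="${1:-/etc/ld.so.preload}"
    [ -r "$file" ] || return 0
    # drop comment lines and blank lines; "|| true" keeps grep's "no match" from
    # tripping callers that run under set -e
    hits=$(grep -v '^[[:space:]]*#' "$file" | grep -v '^[[:space:]]*$' || true)
    if [ -n "$hits" ]; then
        printf 'preload entries in %s:\n%s\n' "$file" "$hits"
        return 1
    fi
    return 0
}

# Scan a /proc-style tree for processes whose environment carries LD_PRELOAD.
# environ is NUL-separated, so tr turns it into one line per variable.
# Returns 1 if any process matched, 0 if none did.
scan_environ() {
    procroot="${1:-/proc}"
    found=0
    for env in "$procroot"/[0-9]*/environ; do
        [ -r "$env" ] || continue        # other users' environ is 0400; needs root
        val=$(tr '\000' '\n' < "$env" 2>/dev/null | grep '^LD_PRELOAD=' || true)
        if [ -n "$val" ]; then
            pid=$(basename "$(dirname "$env")")
            printf 'pid %s: %s\n' "$pid" "$val"
            found=1
        fi
    done
    return $found
}

# Stand-alone use: run both checks against the live system.
if [ -z "$SKIP_MAIN" ]; then
    check_ld_so_preload; a=$?
    scan_environ; b=$?
    [ "$a" -eq 0 ] && [ "$b" -eq 0 ] && echo 'no preload entries found'
fi
```

One caveat that follows directly from the article's "no identifiable signs of infection" claim: a library that has already hooked libc in the process running this script can hide its own file and environment entries from it. Treat an empty result on a live host as weak evidence only, and repeat the check from a rescue boot or with statically linked tools against the mounted disk, where the preload file is just a file.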
     
  17. Daveski17

    Daveski17 Registered Member

    So you now realise Linux actually has mitigation tools? "Angels and ministers of grace defend us!" :eek:
     
  18. Rasheed187

    Rasheed187 Registered Member

    I'm not following you, but what I meant is that there is apparently a lack of endpoint mitigation tools against dangerous Linux malware like Symbiote. Because it took advanced EDR to be able to spot this. And those EDR systems are made by companies that according to you are spreading FUD, which I beg to differ. But like I said, any further discussion is pointless.
     
  19. Daveski17

    Daveski17 Registered Member

    There is a lot of FUD around. ;)
     
  20. nicolaasjan

    nicolaasjan Registered Member

    Most extensions work fine. :)

    Only those that use Native Messaging can give issues, like KeePassXC-Browser and "Open With".
    https://github.com/netblue30/firejail/issues?q=keepass

    If you have an issue with such an extension, you can always open an issue at GitHub. :)

    That's a good thing.
    Works as designed.
     
  21. nicolaasjan

    nicolaasjan Registered Member

    I noticed that the way systems are infected is hardly ever mentioned in this kind of article. :mad:
    My guess is that it must be user error, social engineering and/or badly patched/configured servers.
     
  22. Stupendous Man

    Stupendous Man Registered Member

    The attack vector is always the first thing I look for in an article. So I looked. And looked again. Perhaps I overlooked it? No, not mentioned.
    Perhaps it's unclear what way systems are infected? Let's see if there will be a later article that will give more insight.

    I guess. But sure I'd like to know. :)
     
  23. reasonablePrivacy

    reasonablePrivacy Registered Member

    We could argue if Linux architecture is good enough for security, but it is certainly not the same as Windows.

    I don't know. They didn't mention it. These things may be crucial for judging malware operator capabilities.
     
  24. summerheat

    summerheat Registered Member

    Sorry, but this confirms again that you're not familiar with Linux (but still make bold claims about it). Those technologies I mentioned are built into the kernel. And tools like Firejail are available in the official repositories of most distros to make use of some of those technologies more easily for applications which don't by default - contrary to, e.g., most browsers and systemd, which use them anyhow.

    And your insisting on "third party tools" again shows your misunderstanding of how Linux works. In Windows you need third party tools/applications for countless purposes, downloaded from more or less trustworthy websites - often with the risk of getting infected. However, in Linux every distribution has a large repository with thousands of packages covering virtually every intended use. They are open source packages used in every distro for many years and regularly checked and updated by maintainers familiar with those packages. In nearly 30 years of using Linux I've never seen a package in an official repository identified/flagged as malware. So sticking to the official repositories is the first and most important step to stay safe - and there is hardly any need to install non-official packages. That's why an AV is pointless on a Linux desktop system.

    It's a bit different for Linux servers. Such servers naturally have open ports (otherwise they wouldn't be servers ;) ), cheap rental servers are often poorly configured (e.g. using simple passwords, setting wrong write permissions etc.) and often not regularly updated (boasting about "99.999% availability") and following the mantra "never touch a running system" - but even Linux needs to fix vulnerabilities! It's not surprising that infections on those servers occur if they haven't been updated for months. In this particular case we're discussing here, the attack vector is unknown, as @nicolaasjan and @Stupendous Man rightly mentioned. But if you deliberately install a non-official package as root, a "third party tool" will probably not be very helpful. Some of the mentioned technologies might be able to limit the damage, though.
     
  25. wat0114

    wat0114 Registered Member

    What else is new. For years in these forums it's been a complaint of mine.
     