Malware researchers from ESET have discovered a new Linux malware dubbed Linux/Shishiga targeting systems in the wild.
The Linux/Shishiga malware uses four different protocols (SSH, Telnet, HTTP and BitTorrent) implements a modular architecture by using Lua scripts.
“Among all the Linux samples that we receive every day, we noticed one sample detected only by Dr.Web – their detection name was Linux.LuaBot. We deemed this to be suspicious as our detection rates for the Luabot family have generally been high. Upon analysis, it turned out that this was, indeed, a bot written in Lua, but it represents a new family, and is not related to previously seen Luabot malware. Thus, we’ve given it a new name: Linux/Shishiga. It uses 4 different protocols (SSH – Telnet – HTTP – BitTorrent) and Lua scripts for modularity.” reads the analysis published by security firm ESET.
The spreading mechanism behind the Shishiga malware leverage on brute-force attack, the malicious code in fact
Shishiga malware relies on the use of weak, default credentials in its attempts to plant itself on insecure systems through brute-force attacks. The malware uses a built-in password list in the attempt to hack a system.
Despite Shishiga has many similarities with other recent malware in abusing weak Telnet and SSH credentials, researchers consider it more sophisticated due to the usage of the BitTorrent protocol and Lua modules.
“At a first glance, Linux/Shishiga might appear to be like the others, spreading through weak Telnet and SSH credentials, but the usage of the BitTorrent protocol and Lua modules separates it from the herd. BitTorrent used in a Mirai-inspired worm, Hajime, was observed last year and we can only speculate that it might become more popular in the future.” states ESET.
According to the experts, the Shishiga malware is a working progress, at the time of the ESET’s investigation it infected just a small number of Linux machines, the researchers also observed continuous addition, removal, and modification of the components along with code comments and debug information.
It’s possible that Shishiga could still evolve and become more widespread but the low number of victims, constant adding, removing, and modifying of the components, code comments and even debug information, clearly indicate that it’s a work in progress. To prevent your devices from being infected by Shishiga and similar worms, you should not use default Telnet and SSH credentials.
ESET is warning of a possible evolution of the Shishiga malware, in order “to prevent your devices from being infected by Shishiga and similar worms, you should not use default Telnet and SSH credentials.”
(Security Affairs –Shishiga malware, Linux)