Close Menu
Technology Mag

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    What's Hot

    Verizon’s ‘software issue’ has disconnected many wireless customers across the US

    August 30, 2025

    No, a Windows update probably didn’t brick your SSD

    August 30, 2025

    The 20 best Labor Day deals you can grab for $100 or less

    August 30, 2025
    Facebook X (Twitter) Instagram
    Subscribe
    Technology Mag
    Facebook X (Twitter) Instagram YouTube
    • Home
    • News
    • Business
    • Games
    • Gear
    • Reviews
    • Science
    • Security
    • Trending
    • Press Release
    Technology Mag
    Home » Stealthy Malware Has Infected Thousands of Linux Systems for Years
    Security

    Stealthy Malware Has Infected Thousands of Linux Systems for Years

    News RoomBy News RoomOctober 9, 20243 Mins Read
    Facebook Twitter Pinterest LinkedIn Reddit WhatsApp Email

    Other discussions include: Reddit, Stack Overflow (Spanish), forobeta (Spanish), brainycp (Russian), natnetwork (Indonesian), Proxmox (Deutsch), Camel2243 (Chinese), svrforum (Korean), exabytes, virtualmin, serverfault and many others.

    After exploiting a vulnerability or misconfiguration, the exploit code downloads the main payload from a server, which, in most cases, has been hacked by the attacker and converted into a channel for distributing the malware anonymously. An attack that targeted the researchers’ honeypot named the payload httpd. Once executed, the file copies itself from memory to a new location in the /temp directory, runs it, and then terminates the original process and deletes the downloaded binary.

    Once moved to the /tmp directory, the file executes under a different name, which mimics the name of a known Linux process. The file hosted on the honeypot was named sh. From there, the file establishes a local command-and-control process and attempts to gain root system rights by exploiting CVE-2021-4043, a privilege-escalation vulnerability that was patched in 2021 in Gpac, a widely used open source multimedia framework.

    The malware goes on to copy itself from memory to a handful of other disk locations, once again using names that appear as routine system files. The malware then drops a rootkit, a host of popular Linux utilities that have been modified to serve as rootkits, and the miner. In some cases, the malware also installs software for “proxy-jacking,” the term for surreptitiously routing traffic through the infected machine so the true origin of the data isn’t revealed.

    The researchers continued:

    As part of its command-and-control operation, the malware opens a Unix socket, creates two directories under the /tmp directory, and stores data there that influences its operation. This data includes host events, locations of the copies of itself, process names, communication logs, tokens, and additional log information. Additionally, the malware uses environment variables to store data that further affects its execution and behavior.

    All the binaries are packed, stripped, and encrypted, indicating significant efforts to bypass defense mechanisms and hinder reverse engineering attempts. The malware also uses advanced evasion techniques, such as suspending its activity when it detects a new user in the btmp or utmp files and terminating any competing malware to maintain control over the infected system.

    By extrapolating data such as the number of Linux servers connected to the internet across various services and applications, as tracked by services such as Shodan and Censys, the researchers estimate that the number of machines infected by Perfctl is measured in the thousands. They say that the pool of vulnerable machines—meaning those that have yet to install the patch for CVE-2023-33426 or contain a vulnerable misconfiguration—is in the millions. The researchers have yet to measure the amount of cryptocurrency the malicious miners have generated.

    People who want to determine if their device has been targeted or infected by Perfctl should look for indicators of compromise included in Thursday’s post. They should also be on the lookout for unusual spikes in CPU usage or sudden system slowdowns, particularly if they occur during idle times. Thursday’s report also provides steps for preventing infections in the first place.

    This story originally appeared on Ars Technica.

    Share. Facebook Twitter Pinterest LinkedIn WhatsApp Reddit Email
    Previous ArticleNintendo is taking applications to join a mysterious Switch Online playtest
    Next Article Through Hurricanes Helene and Milton, Amateur Radio Triumphs When All Else Fails

    Related Posts

    The Era of AI-Generated Ransomware Has Arrived

    August 30, 2025

    US Government Seeks Medical Records of Trans Youth

    August 29, 2025

    Senate Probe Uncovers Allegations of Widespread Abuse in ICE Custody

    August 27, 2025

    Highly Sensitive Medical Cannabis Patient Data Exposed by Unsecured Database

    August 27, 2025

    A Special Diamond Is the Key to a Fully Open Source Quantum Sensor

    August 25, 2025

    Data Brokers Face New Pressure for Hiding Opt-Out Pages From Google

    August 23, 2025
    Our Picks

    No, a Windows update probably didn’t brick your SSD

    August 30, 2025

    The 20 best Labor Day deals you can grab for $100 or less

    August 30, 2025

    SpaceX Starship Finally Pulls Off a Successful Test Flight

    August 30, 2025

    The Era of AI-Generated Ransomware Has Arrived

    August 30, 2025
    • Facebook
    • Twitter
    • Pinterest
    • Instagram
    • YouTube
    • Vimeo
    Don't Miss
    Science

    Scientists Just Caught Human Embryo Implantation on Camera

    By News RoomAugust 30, 2025

    The simulation made it possible to appreciate how a human embryo does not merely adhere…

    US Government Seeks Medical Records of Trans Youth

    August 29, 2025

    Leak suggests new Philips Hue lights will have direct Matter support

    August 29, 2025

    Microsoft’s next annual update for Windows 11 is in Release Preview testing

    August 29, 2025
    Facebook X (Twitter) Instagram Pinterest
    • Privacy Policy
    • Terms of use
    • Advertise
    • Contact
    © 2025 Technology Mag. All Rights Reserved.

    Type above and press Enter to search. Press Esc to cancel.