NikolaNews
Stantinko’s Linux malware now poses as an Apache web server

November 25, 2020
in Internet Security

Stantinko, one of the oldest malware botnets still operating today, has rolled out updates to its class of Linux malware, upgrading its trojan to pose as the legitimate Apache web server process (httpd) in order to make detection harder on infected hosts.

The upgrades, spotted by security firm Intezer Labs, confirm that despite a period of inactivity in terms of code changes, the Stantinko botnet is still operating today.

A short history of Stantinko

The Stantinko botnet was first detected in 2012. The group behind this malware began operating by distributing the Stantinko trojan as part of app bundles or via pirated apps.

Only Windows users were targeted in the beginning, with the malware using infected hosts to show unwanted ads or for installing a hidden cryptocurrency miner.

As the botnet grew in size and started generating more profits, its code evolved across the years. A considerable update was discovered in 2017 [see PDF report] when Slovak security firm ESET spotted Stantinko also deploying special versions of its malware for Linux systems.

This Linux version acted as a SOCKS5 proxy, with Stantinko turning infected Linux systems into nodes in a larger proxy network.

Each of these Linux systems would be used to launch brute-force attacks against content management systems (CMSs) and various web-based systems, such as databases. Once it compromised these systems, the Stantinko gang would elevate its access to the underlying server OS (Linux or Windows) and then deploy a copy of itself and a crypto-miner to generate even more profits for the malware authors.

New Stantinko Linux version

But crypto-mining botnets like Stantinko are a dime a dozen, and they aren’t usually tracked with the same vigor as ransomware gangs or botnets like Emotet or Trickbot.

The last version of Stantinko’s Linux malware was spotted back in 2017, having a version number of 1.2. But in a report released today and shared with ZDNet, Intezer Labs said that after three years, they have recently discovered a new version of Stantinko’s Linux malware, having a version number of 2.17 — a huge jump from the previous known release.

However, despite the huge version gap between the two releases, the Intezer team notes that the new version is actually leaner and contains fewer features than the older release, which is odd, as malware tends to bulk up as years go by.

One reason behind this odd move is that the Stantinko gang might have removed all the chaff from its code and left only the features they need and use on a daily basis. This includes the proxy feature, still present in the newer release, and crucial for its brute-forcing operations.

Another reason might also be that the Stantinko gang was attempting to reduce the malware’s fingerprint against antivirus solutions. Fewer lines of code mean less malicious behavior to detect.

And Intezer notes that Stantinko almost pulled it off, as the newer version had a very low detection rate on the VirusTotal aggregated virus scanner, almost going undetected.

Posing as Apache’s web server

Furthermore, the Stantinko gang appears to have put a premium on stealth in this newer release, because they also changed the process name its Linux malware uses, choosing httpd, the name usually used by the far more famous Apache web server.

This was obviously done to prevent server owners from spotting the malware during a routine visual inspection of the process list: the Apache web server is included by default in many Linux distros, and an httpd process is usually already running on the kind of Linux systems that Stantinko infects.
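Because a process can pick any name it likes, a defender should verify an httpd process by the binary it was started from, not by the name shown in ps or top. The audit below is an added example (not code from the article or from Intezer): it reads /proc/<pid>/comm and resolves /proc/<pid>/exe, then flags any httpd or apache2 process whose executable is not in an allowlist of distro Apache paths (an assumption; adjust for your distro) or whose on-disk binary has been deleted. The sample process list is constructed for the demonstration.

```python
"""Flag processes named like Apache's httpd that do not run from an expected Apache binary."""
import os
from dataclasses import dataclass

# Where distro-packaged Apache normally lives. Assumed defaults; extend for your hosts.
EXPECTED_APACHE_BINARIES = {
    "/usr/sbin/httpd", "/usr/sbin/apache2", "/usr/local/apache2/bin/httpd",
}
APACHE_NAMES = {"httpd", "apache2"}


@dataclass
class ProcInfo:
    pid: int
    comm: str  # /proc/<pid>/comm: the name ps/top display, trivially spoofable
    exe: str   # resolved /proc/<pid>/exe link, "" if it could not be read


def suspicious(proc: ProcInfo):
    """Return a reason string if the process looks like a masquerading httpd, else None."""
    if proc.comm not in APACHE_NAMES:
        return None
    if proc.exe.endswith(" (deleted)"):       # kernel marks unlinked executables this way
        return "binary on disk was deleted after exec"
    if proc.exe == "":                         # usually EACCES when not running as root
        return "exe link unreadable; rerun as root to verify"
    if proc.exe not in EXPECTED_APACHE_BINARIES:
        return f"runs from unexpected path {proc.exe}"
    return None


def audit(procs):
    """Return [(pid, reason)] for every process that fails the httpd check."""
    return [(p.pid, reason) for p in procs if (reason := suspicious(p))]


def scan_proc(proc_root="/proc"):
    """Collect ProcInfo for every live process (Linux only)."""
    procs = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(f"{proc_root}/{entry}/comm") as f:
                comm = f.read().strip()
        except OSError:
            continue  # process exited or is unreadable
        try:
            exe = os.readlink(f"{proc_root}/{entry}/exe")
        except OSError:
            exe = ""
        procs.append(ProcInfo(int(entry), comm, exe))
    return procs


# Constructed sample: one genuine Apache worker, two impostors, one unverifiable process.
SAMPLE = [
    ProcInfo(812, "httpd", "/usr/sbin/httpd"),
    ProcInfo(4471, "httpd", "/tmp/.x/httpd"),
    ProcInfo(4490, "httpd", "/dev/shm/httpd (deleted)"),
    ProcInfo(4512, "httpd", ""),
    ProcInfo(1, "systemd", "/usr/lib/systemd/systemd"),
]

if __name__ == "__main__":
    for pid, reason in audit(scan_proc()):
        print(f"pid {pid}: {reason}")
```

A live run needs root to read /proc/<pid>/exe for processes owned by other users; otherwise the "unreadable" reason tells you which httpd processes you could not verify.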

Either way, Linux system administrators need to realize that as the Linux OS becomes more widespread in enterprise environments today, more and more malware operations will begin targeting Linux, and many gangs will also bring over all their expertise and trickery from years of developing Windows malware.

What Linux server owners need to know is that despite Linux being a secure OS, malware often burrows deep inside systems because of misconfigurations. In Stantinko’s case, this botnet goes after server administrators who use weak passwords for their databases and CMSs.

In fact, this is how all malware operates, regardless of operating system.

Malware rarely exploits OS-level vulnerabilities to gain a foothold on a system. In most cases, malware gangs focus on:

  • app misconfigurations that have left open ports or admin panels exposed online;
  • outdated apps left without security patches;
  • systems/apps that use weak passwords for internet-facing services;
  • tricking users into taking dangerous actions (social engineering);
  • or exploiting bugs in the apps that run on top of the operating system.

Exploits in the Linux OS itself are rarely used, and usually after the malware has already gained access to a system through one of the methods above.

These exploits, used as second-stage payloads, serve to elevate privileges from low-level to admin accounts so the malware can take full control of the attacked system. This is why, even if Linux (or another OS) isn't targeted directly, it still needs to run up-to-date versions to prevent these user-to-root elevations once attackers gain a foothold on infected hosts.

Keeping systems safe from attacks is easy in principle, as system administrators mostly need to keep apps up to date and use strong passwords. Yet in practice it is always hard work because, in most cases, companies run hundreds or thousands of systems at the same time, and attackers only need to find one weak link to get in.

Credit: Zdnet

© 2019 NikolaNews.com - Global Tech Updates