David Jacoby told iTWire on the sidelines of the Kaspersky Security Analyst Summit in Cancun on Friday that the most common form of malware for Linux systems was either a PHP, Perl, Java or Python script, with shell commands chained in.
He pointed out that while the kernel proper did not see many directed attacks, nobody ran the kernel alone on a server.
Many of the scripts he had encountered also had a dropper which left behind some nasties like a backdoored version of SSH or a toolset that attacked other servers on the same network or on other connected networks.
Thus, he said, while Linux servers could not be infected per se by Windows malware, they needed to be running anti-virus software in order to trap Windows malware – else the Windows hosts on that particular network would be in danger.
Jacoby said another avenue of attack for Linux was through SE Linux, a kernel patch to add security features and patches to applications to allow them to determine the security domain in which to run processes.
One particular case he pointed to involved a vulnerability in SE Linux policies: a PHP script was allowed to open up network functions — dangerous behaviour — while Perl, Python or shell scripts were not allowed to do so.
He also highlighted the case of IoT devices where it was easy to infect devices, mostly through gaining access via the default credentials — which most people did not bother to change — and also through unpatched systems which became vulnerable because the manufacturer would not bother to issue patches beyond a year at the most.
"Practically all IoT devices are running Linux," he pointed out.
One mitigating factor for IoT devices was the fact that they were built atop ARM devices making exploitation was more difficult. "Fewer people know how to write exploits for these processors," he explained.
Jacoby played down the emergence of the cloud, saying it was just another form of hosting. "You have scalability, sure, where you can increase or decrease memory, storage or bandwidth as needed," he said.
"But at the end of the day it is just another form of hosting and it needs security measures just as servers did in the olden days."
Pointing to the example of Hotmail, the webmail service that was built by Sabir Bhatia in the mid-1990s and later purchased by Microsoft, Jacoby asked, "What was Hotmail? That was hosting too and it was a long time back."
He said one should not be carried away by terms like cloud; "it's just someone else's computer and that term didn't emerge from any technical person, but from marketing."
Given this, the security in such environments was needed to the same degree. In the end it depended on contractual obligations and also on the expertise of the person/people administering the cloud instance, he said.
The writer is attending the Kaspersky Security Analyst Summit as a guest of the company.
Photo: courtesy Kaspersky Lab