During research into large scale attacks aimed at the free and open-source operating system, the researchers stumbled upon a new Linux virus that is connected to the SambaCry Trojan that took advantage of security vulnerabilities in the underlying systems of the program. Samba is a piece of free software that allows Linux and Unix to operate and communicate effectively with Windows.
Researchers have noted that the malware was built on the widely used QT toolset, and can quickly be ported to operating systems like macOS and Windows. The virus has a file size of around 3MB, which makes it difficult to distribute through traditional methods according to the group. However, once it finds itself on a vulnerable system, and is executed; it attempts to elevate the priority of the running thread or app. Once this is achieved, it connects to the command and control servers through an API call.
Once communication is established, the virus then becomes 'dangerous'. However, the researchers noted that if the virus fails to connect to the C&C servers, it can execute predetermined parameters; or in some cases be configured by another piece of malware. The virus communicates through the use of IRC networks, which are still some of the most popular messaging protocols in use today.
The virus has some advanced features, as outlined by the research group; including automatic updates, allowing the hacking group behind it to issue new updates or commands. It also allows the hacking group to 'remotely' execute specific commands and even more alarming, allow it to be deployed as a system service, which makes it harder to manage or remove.
The virus has a few use cases as outlined by the researchers; such as using the infected system as a proxy for DDOS attacks, or abusing the system to mine for crypto currencies. Beyond that, they note that it can also be used to spread other pieces of malware if any of the above should fail.
According to the research group, crypto currency malware has become a popular tool amongst hacking groups looking to utilize the hashing power of vulnerable computers. The virus was hard coded for 'Monero' mining, which mimics the Adylkuzz attack that formed part of the large scale WannaCry outbreak recently.