How To Identify and Remove Linux Malware Infections

Explore common Linux malware types, how to detect infections, and best practices for removal, recovery, and prevention.

Grant Knoetze, Contributor

February 7, 2025

6 Min Read

Linux is known as a secure and resilient operating system, which makes it a popular choice for critical infrastructure such as cloud and IoT deployments. However, its growing adoption has also made it an attractive target for malware operators. In 2024, a more sophisticated breed of Linux malware made a proactive approach to detection and removal a necessity.

This article explores practical strategies for spotting and eliminating Linux malware, helping IT professionals secure their systems. 

Understanding Linux Malware

Linux malware appears in various forms, including:

  1. Rootkits: Software that allows unauthorized users to modify system binaries or kernel modules to hide their presence.

  2. Cryptomining Malware: Attacks that hijack the victim’s system resources to clandestinely mine cryptocurrency.

  3. Backdoors/Trojans: Malware designed to evade signature-based detection. Malware operators typically “drop” them into the victim’s system via phishing sites or malicious documents containing embedded scripts (e.g., PowerShell macros). Once executed, they connect to a command-and-control server, allowing attackers to deploy additional malware, issue commands, and exfiltrate data. 

  4. Botnets: Infect systems and turn them into nodes for large-scale DDoS attacks and spam campaigns.

  5. Fileless Malware: Runs directly in memory, making detection and removal more difficult. 


Signs of Malware Infection

Advanced Persistent Threat (APT) groups are highly skilled at infiltrating systems undetected. They often remain on the network for months while conducting reconnaissance, exfiltrating data, and potentially deploying ransomware. They evade detection using custom tools and malware that bypass signature-based security technologies. 

Organizations should conduct regular threat hunting using SIEM/SOAR tools to analyze logs and search for indicators of compromise (IOCs) with query languages like Kusto Query Language or Splunk Query Language. Vulnerability scanning also helps assess system security. 

Tell-tale signs of malware infection include:

  • Unexplained System Behavior: Examples include high CPU, memory, and network usage. You might also experience unexpected crashes or reboots. 

  • Suspicious Processes: Unknown background processes or processes with unusual names or locations.

  • Unauthorized Changes: Unexpected modifications to critical configuration files and new/altered CRON jobs.

  • Network Anomalies: Unusual traffic to suspicious IPs or domains, beaconing behavior over HTTP/HTTPS (ports 80 and 443), or unexpected open ports.

  • Unresponsive Security Tools: Firewalls, intrusion detection and prevention systems, or antivirus tools fail or become disabled without explanation. Attackers often tamper with the security tools already in place to evade detection.

  • Presence of IOCs: Detection of malicious files, hashes, IPs, or domains flagged by threat intelligence feeds.


Linux Security Tools for Detecting Malware

Several security tools can help detect malware quickly and accurately:

1. ClamAV

A popular open-source malware scanner.

  • Install: Use your package manager – e.g., the sudo apt install clamav command on Debian-based systems.

  • Update signatures:

sudo freshclam

  • Run scan (recursive scan of a directory, here the root file system):

sudo clamscan -r /

2. Lynis

Audits Linux systems to detect vulnerabilities and suspicious activity.

  • Install: 

sudo apt install lynis # for Debian-based systems
sudo yum install lynis # for RHEL-based systems
  • Run audit: 

sudo lynis audit system

3. Chkrootkit

Detects rootkits on Linux systems. 

  • Install:

sudo apt install chkrootkit # for Debian-based systems
sudo yum install chkrootkit # for RHEL-based systems
  • Run scan:

sudo chkrootkit 

4. Rkhunter (“Rootkit Hunter”)

Scans for rootkits, backdoors, and vulnerabilities.

  • Install:

sudo apt install rkhunter # for Debian-based systems
sudo yum install rkhunter # for RHEL-based systems
  • Update database:

sudo rkhunter --update
  • Run scan: 

sudo rkhunter --check

5. CrowdSec

An open source intrusion prevention system that detects and mitigates threats. 

  • Install:

sudo apt install crowdsec # for Debian-based systems
sudo yum install crowdsec # for RHEL-based systems

6. YARA Rules

Detects malware by identifying patterns within files, scripts, and memory dumps. Security analysts can create custom YARA rules or use existing ones from the YARA-Rules GitHub repository. YARA integrates with tools like ClamAV to enhance malware detection.


Manual Detection Techniques

Although automated tools are vital, manual analysis and threat hunting help uncover hidden threats and vulnerabilities.

Threat hunting

Threat hunting involves proactively searching for threats based on Cyber Threat Intelligence. Analysts create hypotheses such as, “Attackers are using spearphishing with PowerShell commands hidden in malicious documents to gain access to our systems.”

From there, security teams search centralized logs for PowerShell Download and Execute commands or other attack patterns. SIEM/SOAR tools (e.g., Microsoft Sentinel using the Kusto Query Language) help analyze logs and identify IOCs. 

Manual malware detection steps

1. Monitor processes: Use tools like top, htop, and ps to check for suspicious processes.

2. Analyze network traffic: Use built-in Linux utilities (such as netstat or ss) to look for unexpected connections. 

3. Analyze logs: Centralize and analyze the logs under the /var/log/ directory. As a system administrator, set up a log retention strategy and use SIEM tools to ingest logs via rsyslog. Logs include: 

  • syslog (system-wide events)

  • kern.log (kernel-level activity)

  • audit.log (security audits)

4. Perform file integrity checks: Verify the integrity of critical files by comparing their md5sum or sha256sum output against known-good values.
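The integrity check in step 4, worked through as an added example (this is not code from the article): a POSIX shell script that records a baseline of SHA-256 hashes for a directory and later verifies the files against it. It assumes GNU coreutils (sort -z, sha256sum --quiet); the directory and file contents in the demo are constructed.

```shell
# Added example (not from the article): a baseline-and-verify integrity check
# built on sha256sum, as in manual detection step 4. The sample directory and
# file contents below are constructed for the demonstration.
set -u

# Record the SHA-256 of every regular file under directory $1 into baseline file $2.
# Take the baseline on a known-good system and keep a copy off-host (read-only
# media or a remote store): a baseline kept only on the host can be rewritten by
# whoever compromised it.
integrity_baseline() {
    find "$1" -type f -print0 | sort -z | xargs -0 sha256sum > "$2"
}

# Re-hash the files listed in baseline $1. Prints "<path>: FAILED" for each file
# whose hash changed (or that is now missing); returns 0 if everything matches,
# non-zero otherwise. --quiet suppresses the per-file "OK" lines.
integrity_verify() {
    sha256sum --quiet -c "$1"
}

# End-to-end demonstration on constructed data. Returns 0 when a clean verify
# passes and a verify after one file is tampered with fails, 1 otherwise.
integrity_demo() {
    work=$(mktemp -d)
    mkdir -p "$work/etc"
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$work/etc/passwd"
    printf 'PermitRootLogin no\n' > "$work/etc/sshd_config"
    integrity_baseline "$work/etc" "$work/baseline.sha256"
    if ! integrity_verify "$work/baseline.sha256" >/dev/null 2>&1; then
        rm -rf "$work"; return 1        # a clean system must verify
    fi
    # Simulate an unauthorized configuration change.
    printf 'PermitRootLogin yes\n' >> "$work/etc/sshd_config"
    if integrity_verify "$work/baseline.sha256" >/dev/null 2>&1; then
        rm -rf "$work"; return 1        # tampering went unnoticed
    fi
    rm -rf "$work"
    return 0
}
```

In production, run integrity_baseline over /etc, /usr/bin, /usr/sbin and /lib/modules and schedule integrity_verify so its output reaches your SIEM.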

Removing Linux Malware

Once malware is detected, it must be contained and removed. The NIST incident response guidelines offer a clear framework for identifying, containing, and eradicating malware.

Additionally, organizations should follow these steps:

1. Isolate the infected system: Immediately disconnect the compromised system from the network to prevent the malware from spreading.

2. Terminate malicious processes: You can use the kill command with Process Identifier (PID) as a parameter to stop suspicious processes. Find the PID with ps aux or top.

3. Quarantine infected files: Move suspicious files to a separate directory for further analysis. Coordinate between incident responders, digital forensics analysts, and malware researchers.

4. Uninstall unwanted software: Check for and remove suspicious software. 

  • List installed packages: sudo apt list --installed. List recent installations on Debian-based systems (dpkg logs each install with a timestamp): grep ' install ' /var/log/dpkg.log

  • Use the grep command to search for specific terms in logs and configurations. 

  • Remove unwanted packages: sudo apt remove <package>

5. Restore from backups: You can recover deleted or quarantined files from trusted backups. Follow business continuity best practices and ensure your backups are frequent, verified, and readily restorable. 
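Step 3 (quarantine) as an added example, not code from the article: a POSIX shell helper that records a file's hash, owner, mode and mtime in a manifest before moving it into a locked-down quarantine directory, so the evidence stays documented for the forensics and malware analysts mentioned above. It assumes GNU coreutils (stat -c); the manifest format is an assumption of this example.

```shell
# Added example (not from the article): quarantine a suspicious file for later
# analysis (removal step 3) while keeping the evidence a forensic analyst needs.
# The quarantine directory layout and the manifest format are assumptions.
set -u

# Move file $1 into quarantine directory $2. Before the move, the file's SHA-256,
# owner, mode and mtime are appended to $2/manifest.txt so its original state and
# location stay documented; after it, the copy is made non-executable and
# unreadable to ordinary users. Returns 0 on success, 1 if $1 is not a regular file.
# Paths containing spaces are not supported by the simple manifest format.
quarantine_file() {
    [ -f "$1" ] || return 1
    mkdir -p "$2" && chmod 700 "$2"
    hash=$(sha256sum "$1" | cut -d' ' -f1)
    meta=$(stat -c 'owner=%U:%G mode=%a mtime=%Y' "$1")
    printf '%s %s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$hash" "$1" "$meta" \
        >> "$2/manifest.txt"
    # Name the copy by hash so identical payloads dropped under several names
    # collapse into one entry; the original paths remain in the manifest.
    mv -f "$1" "$2/$hash.quarantined"
    chmod 000 "$2/$hash.quarantined"
}

# Print the SHA-256 recorded in quarantine directory $1 for original path $2
# (empty output if that path was never quarantined).
quarantine_lookup() {
    awk -v p="$2" '$3 == p { print $2 }' "$1/manifest.txt" 2>/dev/null
}
```

Keep the quarantine directory on the isolated host or a dedicated analysis system, never on a share other machines mount.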

Post-Infection Recovery

After removing malware, follow these steps to restore system integrity and prevent reinfection. 

1. Patching and updating 

Fix vulnerabilities by updating the system and software. Here are the Debian- and Red Hat-based commands: 

sudo apt update && sudo apt upgrade -y # Debian-based systems
sudo yum upgrade -y # RHEL-based systems

2. Change credentials

Update all passwords to prevent unauthorized access. Rotate SSH keys to invalidate any potentially compromised keys.

3. Audit CRON jobs and startup scripts

Check for unauthorized or malicious scheduled tasks: 

  • List user CRON jobs:

crontab -l 
  • View system-wide CRON jobs: 

cat /etc/crontab 
  • Startup scripts and CRON jobs are configured in /etc/init.d and /etc/cron.d, respectively.


Prevention of Future Infections

For a detailed guide on Linux server, container, and system hardening, check out my articles:

Here are a few steps to strengthen your Linux system against attack:

  • Enable SELinux or AppArmor: Enforce stricter access controls to limit the impact of exploits.

  • Restrict administrator privileges: Use sudo and implement Privileged Access Workstations to isolate administrator tasks from everyday use.

  • Turn off unnecessary services and ports: Reduce the attack surface by switching off unused services (e.g., sudo systemctl disable <service-name>).

  • Enhance monitoring: Deploy continuous monitoring tools like Wazuh or OSSEC to detect threats in real time. 

  • Implement network segmentation: Prevent malware from moving between systems.

  • Educate users: Conduct phishing simulations and security training to reinforce cybersecurity best practices.

Main Takeaway

Linux is inherently very secure, but no operating system is immune to malware. Specialized APT groups actively target Linux, making it vital for organizations to engage in proactive security. Linux administrators and cybersecurity practitioners must adopt an integrated approach, combining best practices, security tools, and continuous monitoring to protect systems and networks from evolving attacks.

About the Author

Grant Knoetze

Contributor

Grant Knoetze is a cybersecurity analyst with a special interest in DFIR, programming languages, incident response, red-teaming, and malware analysis. His full-time job includes teaching and instructing in various topics from basic Linux all the way through to malware incident response, and other advanced topics. He is also a speaker at various conferences worldwide.

www.grantknoetze.com

https://github.com/Grant-Knoetze

https://www.linkedin.com/in/grant-knoetze-563b0b1b6/
