Turla Malware Variant Targets Linux

Weird trojan executes arbitrary commands without elevated privileges.

Researchers at Kaspersky have uncovered and described in a blog post a Linux variant of the Turla malware family, one of the most technically advanced trojans yet analyzed. Turla has been around for several years, but previously known versions targeted only 32- and 64-bit Windows systems. The fact that the Linux version appears to have existed in the wild for at least four years without being noticed is further evidence of the sophistication of Turla, which is thought to have been created by a spy agency with the backing of a nation-state.
According to the blog post, the Linux implant lies dormant on the victim's computer until it is activated by a "magic packet for authentication" consisting of a numerical value (a "magic number") and the name of an existing network interface. Once activated, it receives instructions over the network and executes arbitrary commands on the system with whatever privileges the implant process already holds; no privilege escalation is needed, so a foothold as an ordinary user is enough for remote command execution. Because the implant never binds a listening port, it does not show up in the output of netstat, the standard tool for listing listening services.
The version examined by Kaspersky is hard-coded to communicate with the domain news-bbc.podzone.org or the IP address 80.248.65.183. One way to detect the trojan is to watch for traffic to these endpoints, but of course modified versions of the code could easily point elsewhere. Ars Technica points out that investigators could also write a rule for the YARA malware detection tool to scan files for evidence of an infection.
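Two checks follow from the two paragraphs above: matching the published C2 indicators against DNS and firewall logs, and looking for the kind of socket that netstat never lists. The code below is an added example, not code from the article or from Kaspersky. It assumes that the implant listens by sniffing raw traffic through an AF_PACKET socket rather than binding a TCP or UDP port; such sockets are invisible to netstat but are enumerated in /proc/net/packet and can be tied to a process through /proc/<pid>/fd. The log lines, the /proc/net/packet snapshot and the fd table are constructed samples, and the process IDs in them are fictitious.

```python
"""Added example: hunt for the Linux Turla indicators in logs, and list
processes holding AF_PACKET (packet-sniffing) sockets that netstat ignores.
Not from the original article; indicators are the two published by Kaspersky."""
import os
import re
from typing import Dict, Iterable, List, Tuple

# Indicators quoted in the article (Kaspersky analysis).
C2_DOMAIN = "news-bbc.podzone.org"
C2_IP = "80.248.65.183"

ETH_P_ALL = 0x0003   # proto value of a "capture everything" packet socket
SOCK_RAW = 3         # socket type 3 = SOCK_RAW


def find_c2_hits(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (line_number, indicator) for every line referencing the C2 domain
    or IP. The IP match is delimited so that 80.248.65.1830 is not a hit."""
    domain_re = re.compile(re.escape(C2_DOMAIN), re.IGNORECASE)
    ip_re = re.compile(r"(?<![\d.])" + re.escape(C2_IP) + r"(?![\d.])")
    hits = []
    for n, line in enumerate(lines, 1):
        if domain_re.search(line):
            hits.append((n, C2_DOMAIN))
        if ip_re.search(line):
            hits.append((n, C2_IP))
    return hits


def packet_socket_inodes(proc_net_packet: str) -> Dict[str, dict]:
    """Parse the text of /proc/net/packet. Columns are:
    sk RefCnt Type Proto Iface R Rmem User Inode. Returns inode -> details
    for every AF_PACKET socket; none of these appear in `netstat -tulpn`."""
    out = {}
    for line in proc_net_packet.strip().splitlines()[1:]:   # skip header
        fields = line.split()
        if len(fields) < 9:
            continue
        _sk, _ref, typ, proto, iface, _r, _rmem, uid, inode = fields[:9]
        out[inode] = {"type": int(typ), "proto": int(proto, 16),
                      "iface": int(iface), "uid": int(uid),
                      "sniffs_all": int(proto, 16) == ETH_P_ALL}
    return out


def owners_of_inodes(fd_table: Dict[int, List[str]],
                     inodes: Iterable[str]) -> Dict[int, List[str]]:
    """fd_table maps pid -> readlink() targets of /proc/<pid>/fd/*.
    Return pid -> the packet-socket inodes that process holds open."""
    wanted = set(inodes)
    found: Dict[int, List[str]] = {}
    for pid, targets in fd_table.items():
        for target in targets:
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if m and m.group(1) in wanted:
                found.setdefault(pid, []).append(m.group(1))
    return found


def live_fd_table() -> Dict[int, List[str]]:
    """Build the fd table from a running Linux host (needs rights to read
    other users' /proc/<pid>/fd; run as root for full coverage)."""
    table: Dict[int, List[str]] = {}
    for pid in os.listdir("/proc"):
        if not pid.isdigit():
            continue
        fddir = f"/proc/{pid}/fd"
        try:
            table[int(pid)] = [os.readlink(os.path.join(fddir, fd))
                               for fd in os.listdir(fddir)]
        except OSError:
            continue                       # process exited or not readable
    return table


# Constructed sample data (fictitious hosts, pids and inodes).
SAMPLE_LOG = [
    "Dec 08 10:12:01 ns1 named[512]: client 10.0.0.7#49213: query: news-bbc.podzone.org IN A",
    "Dec 08 10:12:02 fw kernel: OUT=eth0 SRC=10.0.0.7 DST=80.248.65.183 PROTO=TCP DPT=80",
    "Dec 08 10:12:03 fw kernel: OUT=eth0 SRC=10.0.0.7 DST=80.248.65.1 PROTO=TCP DPT=443",
    "Dec 08 10:12:04 ns1 named[512]: client 10.0.0.9#40011: query: www.bbc.co.uk IN A",
]
SAMPLE_PROC_NET_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff88003b2d6000 3      3    0003   2     1 0      1000   22918
ffff88003b2d6800 3      2    0800   2     1 0      0      22950
"""
SAMPLE_FD_TABLE = {
    1: ["/dev/null", "/dev/null"],
    4242: ["/dev/null", "socket:[22918]", "/tmp/.x"],   # sniffer: SOCK_RAW, ETH_P_ALL
    4300: ["socket:[22950]"],                            # e.g. a DHCP client
}

if __name__ == "__main__":
    for n, ioc in find_c2_hits(SAMPLE_LOG):
        print(f"log line {n}: contact with {ioc}")
    socks = packet_socket_inodes(SAMPLE_PROC_NET_PACKET)
    for pid, inodes in owners_of_inodes(SAMPLE_FD_TABLE, socks).items():
        for ino in inodes:
            print(f"pid {pid} holds packet socket inode {ino}: {socks[ino]}")
```

On a real host, replace the sample snapshot with the contents of /proc/net/packet and SAMPLE_FD_TABLE with live_fd_table(). A packet socket on its own is not proof of compromise (tcpdump, DHCP clients and some monitoring agents hold them), so treat unexpected owners, especially unprivileged or unfamiliar binaries sniffing with proto 0003, as leads to investigate rather than verdicts.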

12/09/2014
