The Anti-virus Times

Monday, June 19, 2017

Compared with threats for Windows, the number of malicious programs for Linux-like systems is relatively small. To a great extent, this is because Linux is far less widely used, and it is more profitable for criminals to attack platforms that enjoy much wider popularity among users. But that's not the only reason—attacks against less common platforms can also yield great results. They can be very successful just because no one is expecting them.

The main problem for criminals lies in the vast diversity of operating systems and configurations. Currently, a huge number of Linux distributions are available, and virtually every bit of the OS, including its kernel, can be recompiled. Also, any number of patches can be applied to overhaul a system and make it completely unrecognisable.

Creating an executable file for Linux (filename extensions aren't used in Linux, but to draw a simple analogy, they are akin to a Windows exe-file) is possible, but there is no guarantee that it will work. If dynamic linking is used, additional libraries are required to run executable files.

Note. One can create a file without dependencies—and that would be a static build. But in this case, according to the existing rules for Linux, the malware source code will have to be made available to the general public. Apparently, no criminals will go for that. :-)

But jokes aside (criminals are hardly likely to pay attention to rules of any kind), a file without dependencies will be much larger and thus harder to distribute.

How do cybercriminals find a way out of this predicament? They use scripts. Scripts are text files containing sets of commands (e.g., to launch system utilities), variables and instructions. They can't just be executed on their own. A script contains a set of instructions which are processed by an interpreter. Whenever a script is to be executed, the corresponding interpreter is launched automatically. It executes script commands in such a way that they work in this particular environment.

Linux is a world of utilities and the scripts that launch them. Criminals have adopted scripts to achieve their goals and make the lives of anti-viruses more difficult.

The same scripts can be run both on a router and on a desktop.

Why does an anti-virus have problems with scripts?

A script launches other utilities that are already present in the system. So if a malicious program establishes a communication channel with a control center and encrypts all the files, all the work is done by legitimate utilities. It is hard to determine the real culprit, especially if it is already running and the behaviour of various programs needs to be analysed. But users will likely be unhappy with this solution because the malicious program will manage to encrypt some files during the analysis. Applying signatures to scripts makes no sense because a text file can easily be changed. And the signature will become useless.

That's why malicious scripts need to be analysed in order to be discovered. In effect, they need to be run using an interpreter that will determine how the script is being executed and note any actions that appear to be malicious. This process is similar to an anti-spam analysis. Individual details add up to help determine whether a script can be categorized as a malicious program, or an email as spam. However, a malicious script that goes undetected will cause much more harm that a spam email message that has managed to bypass an anti-spam filter. And how Dr.Web manages to detect them all is a trade secret.