Security researchers have discovered a highly nasty Linux trojan that has been used by cybercriminals in state sponsored attack in order to steal personal, confidential information from government institutions, military and pharmaceutical companies around the world.
A previously unknown piece of a larger puzzle called "Turla," one of the most complex Advanced Persistent Threats (APTs) uncovered by researchers at Kaspersky Lab in August, remained hidden on some systems for at least four years. The malware was notable for its use of a rootkit that made it extremely hard to detect.
The German security company G Data believed that Turla campaign is linked to Russia and has in the past exploited a variety of Windows vulnerabilities, at least two of which were zero-days, to infect government institutions, embassies, military, education, research, and pharmaceutical companies in more than 45 countries.
Recently, security researchers from Moscow-based Kaspersky Lab have detected the first Turla sample targeting Linux operating system. This Linux component of malware points towards a much bigger threat than it was previously thought and it may also herald the discovery of more infected systems.
"The newly discovered Turla sample is unusual in the fact that it's the first Turla sample targeting the Linux operating system that we have discovered," Kaspersky researcher Kurt Baumgartner said in an advisory. "We suspect that this component was running for years at a victim site, but do not have concrete data to support that statement just yet."
The modules of the Linux-based Turla malware is written in C and C++ languages and contains code from previously written libraries. The malware uses hidden network communication and stripped of symbol information, which makes it hard for researchers to reverse engineer or analyze.
As a result, the Linux-based Turla trojan may have capabilities that have not yet been uncovered completely, as Baumgartner said the Linux component is a mystery even after its discovery, adding it can't be detected using the common Netstat command.
In order to hide itself, the backdoor sits inactive until hackers send it unusually crafted packets that contain "magic numbers" in their sequence numbers. The malware have ability to sit unnoticed on victims computers for years. The trojan contained attack functionalities including arbitrary remote command execution, incoming packet interception and remote management even though it requires no root system privileges.
Earlier this year, Kaspersky Labs researches suggested Turla as Snake, which was built on the capabilities of Agent.Biz, the worm that came to the surface in 2008 when US Department of Defense sources claimed that its classified networks had been breached by an early version of the same virus, described by officials as the "worst breach of US military computers in history." Uroburos rootkit was also one of the components of Snake campaign.
Agent.Biz has since been developed with many advanced features that make it even more flexible and sophisticated than before. It was thought to have inspired other nasty malware creations including Flame and Guass.