Companies rely on Linux because this operating system is considered stable, performant and secure. This assessment is no coincidence: the architecture of Linux, the rights model and the strong open source community have helped to create a very robust operating system over decades. However, this perception has also given rise to the dangerous myth that Linux is practically immune to malware.
The reality is different. In recent years, Linux has increasingly come into the focus of attackers, not least because a large part of modern IT infrastructure runs on it: web servers, container platforms, cloud workloads and network devices.
Linux's attractiveness to attackers stems primarily from its role in the infrastructure. A compromised Linux server often gives attackers direct access to sensitive data, internal networks or other systems. Accordingly, cyber criminals are developing increasingly sophisticated malware specifically for this environment.
Linux malware is no longer a marginal phenomenon. There is a wide range of malware that specifically targets Linux systems, including:
- Cryptominers that misuse server resources to mine cryptocurrencies
- Botnets that use large numbers of compromised systems for DDoS attacks
- Backdoors that give attackers permanent access
A well-known example is the Mirai family, which originally infected IoT devices and created one of the largest botnets in history. Since then, numerous variants have emerged that automatically scan and compromise Linux systems. Publicly accessible servers in particular are often hit by automated attacks that search for weak passwords, unpatched services or misconfigurations.
Rootkits are one of the most dangerous categories of Linux malware. Their aim is to embed themselves deep in the system and at the same time conceal their own existence.
Rootkits can operate on different levels:
- User-space rootkits that manipulate system tools
- Kernel rootkits that directly modify the Linux kernel
Kernel rootkits are particularly problematic as they can manipulate system functions in order to hide processes, files or network connections. Classic security tools or simple log analyses often fail to detect such manipulations. Once a system has been compromised, it can remain under the control of an attacker for a long time without being noticed.
Many Linux systems rely on classic security measures such as:
- Firewall rules
- Package updates and patching
- Minimal software installation
- Access controls and SSH hardening
These measures are important and form the basis of any secure Linux environment. However, they do not prevent all attack scenarios. Attackers often use legitimate tools and system functions ("living off the land") to move around the system inconspicuously. As a result, there are hardly any classic malware signatures left for traditional security solutions to detect.
This is where Endpoint Detection and Response (EDR) comes into play. Modern EDR solutions continuously monitor the behavior of a system and analyze activities such as:
- Process launches
- File operations
- Kernel interactions
- Network connections
- Privilege escalation
Instead of only detecting known malware, EDR systems identify suspicious behavior patterns that may indicate an attack.
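To make the difference between signature matching and behavior-based detection concrete, here is a small rule evaluator run over a constructed event stream. This is an added illustration, not code from the article or from any EDR product; the event schema, the list of allowed package-manager binaries and the sample events are assumptions. The rules flag exactly the behaviors the rest of the article is about: a process other than the package manager writing to the dynamic loader or to /etc/ld.so.preload, a program launched with LD_PRELOAD in its environment, and execution from a world-writable directory.

```python
from dataclasses import dataclass, field


@dataclass
class Event:
    """One telemetry record as an EDR sensor might emit it (constructed schema)."""
    kind: str                 # "exec" or "file_write"
    pid: int
    exe: str                  # binary of the acting process
    path: str = ""            # file written, or program launched for "exec"
    env: dict = field(default_factory=dict)


# Files whose modification at runtime almost never happens legitimately
# outside package management: the glibc loader and its preload list.
LOADER_PATHS = {
    "/lib64/ld-linux-x86-64.so.2",
    "/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2",
    "/etc/ld.so.preload",
}

# Assumption: the processes allowed to touch those files on this host.
PACKAGE_MANAGERS = {"/usr/bin/rpm", "/usr/bin/dnf", "/usr/bin/dpkg", "/usr/bin/apt"}


def evaluate(events):
    """Apply behavior rules to an event stream.

    Returns a list of (severity, rule, pid, detail) tuples in event order.
    """
    alerts = []
    for ev in events:
        if (ev.kind == "file_write" and ev.path in LOADER_PATHS
                and ev.exe not in PACKAGE_MANAGERS):
            alerts.append(("high", "runtime-loader-modified", ev.pid,
                           f"{ev.exe} wrote {ev.path}"))
        elif ev.kind == "exec" and "LD_PRELOAD" in ev.env:
            alerts.append(("medium", "ld-preload-in-environment", ev.pid,
                           ev.env["LD_PRELOAD"]))
        elif ev.kind == "exec" and ev.path.startswith(("/tmp/", "/dev/shm/")):
            alerts.append(("medium", "exec-from-world-writable-dir", ev.pid, ev.path))
    return alerts


# Constructed sample events: a normal command, a legitimate package update,
# and three activities a behavior-based sensor should surface.
CONSTRUCTED_EVENTS = [
    Event("exec", 4101, "/usr/bin/bash", path="/usr/bin/ls"),
    Event("file_write", 4102, "/usr/bin/rpm", path="/lib64/ld-linux-x86-64.so.2"),
    Event("exec", 4103, "/usr/bin/bash", path="/tmp/.x/setup"),
    Event("file_write", 4104, "/usr/bin/dd", path="/lib64/ld-linux-x86-64.so.2"),
    Event("exec", 4105, "/usr/bin/bash", path="/usr/bin/id",
          env={"LD_PRELOAD": "/var/.cache/libx.so"}),
]

if __name__ == "__main__":
    order = {"high": 0, "medium": 1}
    for severity, rule, pid, detail in sorted(evaluate(CONSTRUCTED_EVENTS),
                                              key=lambda a: order[a[0]]):
        print(f"[{severity}] pid={pid} {rule}: {detail}")
```

Note that none of the rules looks at a file hash or a known-bad name: `dd` is a legitimate tool, and the loader write by `rpm` produces no alert, which is the "living off the land" point in practice.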
The Linux rootkit bedevil (bdvl) uses an unusual technique for persistence and camouflage: patching the dynamic linker. While classic LD_PRELOAD rootkits manipulate entries in /etc/ld.so.preload or the LD_PRELOAD environment variable, bedevil directly modifies the dynamic loader itself. This allows the attackers to bypass many detection mechanisms that only search for known LD_PRELOAD artifacts.
The dynamic linker (e.g. /lib64/ld-linux-x86-64.so.2) is responsible for loading all required shared libraries when a program is started. An important mechanism here is the loading of additional libraries from /etc/ld.so.preload. Rootkits often misuse this function to hook system functions and hide processes or files, for example.
During installation, the rootkit searches for existing linker binaries and replaces the character string /etc/ld.so.preload in the respective binary with a new, randomly generated path. Important: The length of the character string remains the same so that the binary structure remains unchanged.
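Because the replacement keeps the original length, the simplest integrity check for this technique is to look at the loader binary itself: the literal string `/etc/ld.so.preload` must be present, and if it is not, a NUL-terminated path of exactly the same length is the likely substitute. The following script is an added example written for this article, not bedevil's code or a tool from the InfoGuard team; the loader paths it checks and the constructed sample images (including the 18-byte replacement path `/var/.cache/aZ9q3k`) are assumptions, and the same-length search is a heuristic that should be confirmed with a package verification.

```python
import os
import re

# The exact path string the glibc loader uses for its preload list. The
# article describes bedevil overwriting it in place with a random path of the
# same length, so the string's absence is the signal to look for.
EXPECTED = b"/etc/ld.so.preload"

# Loader locations on common x86-64 distributions (assumption: extend for
# other architectures or multilib layouts).
LOADER_CANDIDATES = [
    "/lib64/ld-linux-x86-64.so.2",
    "/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2",
]

# A replacement keeps the original length, so look for NUL-terminated
# printable strings that start with "/" and have exactly that length. The
# lookbehind stops us from matching the tail of a longer string.
_CANDIDATE_RE = re.compile(
    rb"(?<![\x21-\x7e])(/[\x21-\x7e]{%d})\x00" % (len(EXPECTED) - 1)
)


def inspect_loader_bytes(data: bytes):
    """Return (expected_string_present, same_length_path_candidates)."""
    present = (EXPECTED + b"\x00") in data
    candidates = [
        m.group(1).decode("ascii")
        for m in _CANDIDATE_RE.finditer(data)
        if m.group(1) != EXPECTED
    ]
    return present, candidates


def classify(data: bytes) -> str:
    """Summarise the check as a verdict string for a report."""
    present, candidates = inspect_loader_bytes(data)
    if present:
        return "clean"
    if candidates:
        return "patched, probable preload path(s): " + ", ".join(candidates)
    return "suspicious: preload string missing and no same-length replacement found"


def scan_system_loaders() -> dict:
    """Apply the check to every candidate loader present on this host."""
    verdicts = {}
    for path in LOADER_CANDIDATES:
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                verdicts[path] = classify(fh.read())
    return verdicts


def constructed_loader(preload_string: bytes) -> bytes:
    """Constructed stand-in for a loader image (not a real ld.so): an ELF
    magic, padding and a .rodata-like run of NUL-separated strings."""
    return (
        b"\x7fELF" + b"\x00" * 64
        + b"/etc/ld.so.cache\x00"
        + preload_string + b"\x00"
        + b"LD_PRELOAD\x00" + b"\x00" * 16
    )


CLEAN_SAMPLE = constructed_loader(EXPECTED)
# Constructed replacement path with the same 18-byte length as EXPECTED.
PATCHED_SAMPLE = constructed_loader(b"/var/.cache/aZ9q3k")

if __name__ == "__main__":
    print("constructed clean sample  :", classify(CLEAN_SAMPLE))
    print("constructed patched sample:", classify(PATCHED_SAMPLE))
    for loader, verdict in scan_system_loaders().items():
        print(loader, ":", verdict)
```

Run it from a statically linked Python or from a clean boot medium when a compromise is suspected; on a live system with a user-space rootkit active, `open()` and `read()` on the loader can themselves be hooked.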
inc/util/install/ldpatch/ldpatch.h (Source)
The dynamic linker processes the shared library specified with the LD_PRELOAD environment variable or the contents of the ld.so.preload file before other libraries or functions are called. For this reason, LD_PRELOAD libraries are always loaded first.
Have a look at the following strace output, in which we look at the system calls of ls:
Did you spot anything unusual?
We have found the malicious LD_PRELOAD file! The first access syscall attempts to load the file specified as the new LD_PRELOAD file, namely the path that the rootkit overwrote in the dynamic loader. Since this path was randomly generated during the initialization of the rootkit, we had no knowledge of it beforehand.
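The same observation can be automated over a trace file: the first `access()` or `openat()` the loader issues, before it opens `/etc/ld.so.cache`, names the preload file it was compiled to look for, and on an unpatched glibc that is always `/etc/ld.so.preload`. The triage function below is an added example, not the article's strace output or a tool of the InfoGuard team. It assumes input captured with `strace -o trace.txt ls`; the trace excerpts embedded in it are constructed to have the shape of glibc's start-up sequence, with `/var/.cache/aZ9q3k` standing in for a randomly generated replacement path.

```python
import re

EXPECTED_PRELOAD = "/etc/ld.so.preload"

# Syscall name and the first quoted path argument of one strace line, with an
# optional "[pid N]" prefix as written by strace -f.
_SYSCALL_RE = re.compile(r'^(?:\[pid\s+\d+\]\s+)?(\w+)\(.*?"([^"]*)"')
_RETVAL_RE = re.compile(r"\)\s*=\s*(-?\d+)")

# Constructed excerpt (not the article's output): what a patched loader's
# start-up looks like, with the preload probe pointing at a random path.
CONSTRUCTED_TRACE = """\
execve("/usr/bin/ls", ["ls"], 0x7ffc2a1b0c40 /* 22 vars */) = 0
brk(NULL)                               = 0x55d0c3e2a000
access("/var/.cache/aZ9q3k", R_OK)      = 0
openat(AT_FDCWD, "/var/.cache/aZ9q3k", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
"""

# Constructed excerpt of an unpatched loader with no preload file present.
CONSTRUCTED_CLEAN_TRACE = """\
execve("/usr/bin/ls", ["ls"], 0x7ffc2a1b0c40 /* 22 vars */) = 0
brk(NULL)                               = 0x55d0c3e2a000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
"""


def first_preload_probe(trace: str):
    """Return (syscall, path) of the first file probe after execve, i.e. the
    preload file the loader was built to look for, or None if there is none."""
    for line in trace.splitlines():
        m = _SYSCALL_RE.match(line)
        if m and m.group(1) in ("access", "openat", "open"):
            return m.group(1), m.group(2)
    return None


def triage(trace: str) -> dict:
    """Decide whether the preload probe is the expected one and whether the
    probed file was actually opened (i.e. a preload library is in play)."""
    probe = first_preload_probe(trace)
    if probe is None:
        return {"verdict": "no preload probe seen", "path": None, "loaded": False}
    _, path = probe
    loaded = False
    for line in trace.splitlines():
        m = _SYSCALL_RE.match(line)
        if m and m.group(1) in ("openat", "open") and m.group(2) == path:
            rv = _RETVAL_RE.search(line)
            loaded = bool(rv and int(rv.group(1)) >= 0)
            break
    if path == EXPECTED_PRELOAD:
        verdict = "expected preload path"
        if loaded:
            verdict += ", but the file exists: inspect its contents"
    else:
        verdict = "unexpected preload path, loader likely patched"
    return {"verdict": verdict, "path": path, "loaded": loaded}


if __name__ == "__main__":
    for name, trace in (("patched", CONSTRUCTED_TRACE), ("clean", CONSTRUCTED_CLEAN_TRACE)):
        print(name, "->", triage(trace))
```

The path returned for a patched loader is the artifact to preserve and examine next: the file it points to is the preload list, and the libraries listed there are the hooks.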
Patching the dynamic loader is a little-known technique that may be overlooked by incident responders. Several members of InfoGuard's Incident Response Team have presented their research on rootkits at international conferences and bring this experience to the analysis of real incident cases. A package integrity check can help to reliably detect tampering - on RPM-based systems, for example:
rpm -V glibc
A change to the dynamic linker would typically appear like this:
S.5....T. /lib64/ld-linux-x86-64.so.2
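In that status field, each position stands for one attribute rpm compared against its database, and a dot means "unchanged": here S (size), 5 (digest) and T (mtime) differ, which is a content change rather than a harmless timestamp update. The script below decodes such lines and raises an alert only for loader files whose content actually changed. It is an added example, not part of the article or of rpm; the `rpm -V glibc` invocation and the package name are taken from the article, and the extra sample lines are constructed.

```python
import shutil
import subprocess

# Meaning of each character of the nine-position `rpm -V` status field.
_RPM_VERIFY_FLAGS = {
    "S": "size", "M": "mode", "5": "digest", "D": "device", "L": "symlink",
    "U": "owner", "G": "group", "T": "mtime", "P": "capabilities",
}


def parse_rpm_verify_line(line: str):
    """Return (path, [changed attributes]) for one `rpm -V` output line.

    The optional file-type column (e.g. 'c' for config files) is skipped, and
    a 'missing /path' line reports a file that is no longer present.
    """
    parts = line.split()
    if not parts:
        return None
    if parts[0] == "missing":
        return parts[-1], ["missing"]
    flags, path = parts[0], parts[-1]
    if len(flags) != 9:
        return None
    return path, [_RPM_VERIFY_FLAGS[ch] for ch in flags if ch in _RPM_VERIFY_FLAGS]


def loader_tampering(lines, loader_name="ld-linux"):
    """Alerts for loader files whose content changed (size or digest) or that
    are missing. An mtime-only difference is reported by rpm but not here."""
    alerts = []
    for line in lines:
        parsed = parse_rpm_verify_line(line)
        if not parsed:
            continue
        path, changed = parsed
        if loader_name in path and {"digest", "size", "missing"} & set(changed):
            alerts.append((path, changed))
    return alerts


# Constructed verification output: the article's example line plus two
# benign-looking lines that should not raise an alert.
CONSTRUCTED_OUTPUT = [
    "S.5....T. /lib64/ld-linux-x86-64.so.2",
    ".......T. /usr/lib64/libc.so.6",
    ".......T. c /etc/ld.so.conf",
]


def verify_glibc_live():
    """Run the article's check on an RPM-based host; returns None elsewhere."""
    if shutil.which("rpm") is None:
        return None
    # rpm -V exits non-zero whenever differences exist, so no check=True.
    proc = subprocess.run(["rpm", "-V", "glibc"], capture_output=True, text=True)
    return loader_tampering(proc.stdout.splitlines())


if __name__ == "__main__":
    for line in CONSTRUCTED_OUTPUT:
        print(parse_rpm_verify_line(line))
    print("alerts:", loader_tampering(CONSTRUCTED_OUTPUT))
    print("live:", verify_glibc_live())
```

The verification is only as trustworthy as the rpm database and the rpm binary on the host; when a rootkit is suspected, compare against the package from a known-good mirror or run the check from a rescue medium.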
The use of statically linked tools is also recommended for forensic analysis. As these do not load external libraries, they bypass LD_PRELOAD-based hooks and can reliably make hidden artifacts visible.
Patching the dynamic linker shows that modern Linux rootkits are increasingly trying to circumvent classic detection methods by directly manipulating central components of the runtime environment.
Linux is and remains a powerful and fundamentally secure operating system - but only if security assumptions are regularly questioned. With the increasing importance of Linux in cloud, server and container infrastructures, the interest of attackers is also growing.
Particularly when it comes to hard-to-detect techniques such as rootkits, malware and botnets, it is clear that traditional security measures alone are no longer enough. The ability to understand behavior, make anomalies visible and react quickly in an emergency is crucial.
In addition to basic security measures, endpoint detection and response (EDR) is playing an increasingly important role - as a data-driven foundation whose full value is realised through the in-depth analysis of experienced incident response experts.
What EDR must actually achieve:
- Behavior-based detection instead of signature thinking
- Comprehensive transparency of process, system and network activities
- Quick classification and prioritization of security incidents, including the derivation of targeted measures
Ultimately, the ability to make deviations from the normal state visible and derive the right measures in a timely manner is crucial.