March (attack!) of the Penguins! Linux Turla Edition

Last week, security researchers discovered a new trojan that has infected Linux systems around the world, targeting governments and pharmaceutical companies. It lies dormant like a rootkit, and not even the netstat command in a terminal could detect this extremely stealthy malware.

Known as the Linux Trojan Turla, this malware has had certain signatures stripped away, making it very difficult to know how it was created. The trojan listens for ‘magic numbers’ in the sequence of packets that the attackers send as a cue to wake up and carry out Turla’s mission. What is worse, making any significant change to a Linux system normally requires the user or process to run as the superuser; this malware, however, can execute even with very limited permissions. Linux gained its reputation for operating in a very secure state, so for malware to run like a rootkit with impunity is, to say the least, very impressive.

The Windows version of Turla has been lurking in the shadows for years

The Windows version of Turla, also known as ‘Snake’ or ‘Uroburos’, was discovered back in February; however, the malware had been operating undetected for years. It targeted many governments and their organizations, military bases, academic research facilities and even embassies around the world. Many believe that this clandestine attack originated in Eastern Europe. An estimated 45 countries have fallen victim to this malware infestation. The US Department of Defense called it “the worst breach of US military computers in history”. The attack used a combination of zero-day exploits, social engineering such as spear-phishing and whaling, and watering-hole techniques.

The original version of Turla uses two zero-day exploits. First, it uses an Escalation of Privilege (EoP) vulnerability in Microsoft Windows XP and Microsoft Windows Server 2003. To make matters worse, the malware also follows up with an Adobe Reader exploit: whenever an unsuspecting user opened an email crafted with an infected PDF file, the computer was infected with trojan.wipbot. The trojan.wipbot then allows trojan.turla to be downloaded onto the Windows system, giving control to the attacker.

Linux is impregnable to malware – said no Turla ever!

Many experts fear that there are still more pieces to the Linux Turla puzzle. Few know about it because of the sophistication with which it hides itself. We can only speculate that this is just the tip of the iceberg. Maybe your system is already infected and you don’t even know it yet.

The new Turla is considered an APT, an ‘advanced persistent threat’. The Linux Turla is a C/C++ executable linked against several libraries that the compiler uses. It has remote management and other network communication capabilities so that it can be controlled by its master. Security experts are learning more about this malware each day, so stay alert for further updates.

So why now? What has caused this trojan to come out of its rooted slumber? As mentioned before, the trojan appears to be sponsored by an Eastern European state. Is it possible that the group that created Turla is state sponsored? Probably. If we look at the victims, they share the same commonalities: many of the targets are Western governments, and Turla has targeted many private government networks and even traversed into their embassies.

The Best Defense is a Good Offense!

So what does this all mean and how do we prevent the trojan from taking hold?

  1. Educate your users about spear-phishing attacks: do not click on any link from an address you are not certain of or familiar with, and notify your security administrator immediately.
  2. Do not visit unfamiliar websites linked from emails; these can be used for watering-hole attacks.
  3. Ensure you have a good patch-management system in place and be on the lookout for new patches. Always patch in a test environment first.
  4. Finally, make the attack surface of your servers and desktop computers as small as possible. Block all ports that are not needed and ensure that there are no rogue programs running that a user has installed without approval or authorization.
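Step 4 is the one an administrator can actually script. The following POSIX shell functions are an added example, not part of the original post: they list the TCP ports a host is listening on and compare them with an allowlist, and they flag running processes whose executable has been deleted from disk or lives outside the usual system directories. Every function takes the file or directory it reads as an argument, so the same code runs against the live `/proc` or against a saved copy from another host; the `/proc/net/tcp` sample and the fake process tree at the bottom are constructed for an offline run and are not captured from any real machine.

```shell
#!/bin/sh
# Added example (not from the original post): audit a Linux host for the two
# things step 4 asks for, listening ports that should not be open and programs
# running from places an administrator never installed anything.

# Print each TCP port in LISTEN state (column 4 == "0A") from a
# /proc/net/tcp or /proc/net/tcp6 file ("-" reads stdin), one decimal
# port per line. The local_address column is "HEXADDR:HEXPORT".
list_listening_ports() {
    awk 'NR > 1 && $4 == "0A" { n = split($2, a, ":"); print a[n] }' "$1" |
        while read -r hexport; do printf '%d\n' "0x$hexport"; done | sort -n | uniq
}

# Print listening ports that are not in the space-separated allowlist,
# e.g. unexpected_ports /proc/net/tcp "22 443".
unexpected_ports() {
    allowed=" $2 "
    list_listening_ports "$1" | while read -r port; do
        case "$allowed" in *" $port "*) ;; *) echo "$port" ;; esac
    done
}

# Print "PID PATH" for every process whose executable has been deleted
# from disk (the link ends in " (deleted)") or lives outside the usual
# system directories. Both are typical of software dropped into /tmp,
# /dev/shm or a home directory without approval; review the list rather
# than treating every hit as malicious.
find_suspicious_exes() {
    proc_root=${1:-/proc}
    for d in "$proc_root"/[0-9]*; do
        # readlink fails for kernel threads and other users' processes: skip them
        exe=$(readlink "$d/exe" 2>/dev/null) || continue
        pid=${d##*/}
        case "$exe" in
            *" (deleted)") echo "$pid $exe" ;;
            /usr/*|/bin/*|/sbin/*|/lib/*|/lib64/*|/opt/*) ;;
            *) echo "$pid $exe" ;;
        esac
    done
}

# Constructed sample of /proc/net/tcp (not captured from a real host):
# listeners on 22 and 8080, plus one established connection.
sample_proc_net_tcp() {
    cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0016 0100007F:C3A8 01 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 100 0 0 10 0
EOF
}

# Build a constructed /proc look-alike under $1 with three fake processes,
# one clean and two suspicious, for trying find_suspicious_exes offline.
make_sample_proc_tree() {
    mkdir -p "$1/100" "$1/200" "$1/300"
    ln -sf /usr/sbin/sshd "$1/100/exe"
    ln -sf "/tmp/.x/update (deleted)" "$1/200/exe"
    ln -sf /home/user/.cache/.kworker "$1/300/exe"
}

# Offline demonstration on the constructed samples:
#   sample_proc_net_tcp | unexpected_ports - "22 443"        -> 8080
#   d=$(mktemp -d); make_sample_proc_tree "$d"; find_suspicious_exes "$d"
# On a live host: unexpected_ports /proc/net/tcp "22 443"; find_suspicious_exes /proc
```

The port check reads the kernel's own socket table rather than calling netstat, and the allowlist is the list of services you meant to expose, so anything it prints is either an undocumented service or a candidate for the firewall rule that blocks it. Run it from cron and diff the output against the previous run to catch new listeners and new unexpected binaries as they appear.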

Following these steps can help prevent you from being infected.

If you are a Linux administrator and want to check for this trojan, inspect your outgoing traffic for the domain news-bbc.podzone[.]org or the IP address 80.248.65.183. These are the known addresses used to command and control the Turla trojan.
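Here is how that check can be scripted, as an added example that is not part of the original post. It searches whatever logs you have (resolver query log, proxy log, firewall log, saved `ss -tn` output) for the two indicators quoted above, with the domain written without its defanging brackets so that it matches real lines. Because the post describes Turla as waiting for magic numbers in packets rather than holding an open port, the example also lists the processes that hold an AF_PACKET socket and the interfaces in promiscuous mode; that a packet-watching listener needs such a socket is my assumption, not something the post states. The sample log lines and the fake `/proc` and sysfs trees are constructed for the offline demonstration and are not real telemetry.

```shell
#!/bin/sh
# Added example (not from the original post): hunt for the two Turla
# indicators given in the text, plus the packet-sniffing behaviour it
# describes. Both checks read files you pass in, so they work on saved
# copies of logs and /proc as well as on the live host.

# Indicators of compromise quoted in the post; the domain is written
# without the defanging brackets so that it matches real log lines.
TURLA_C2_DOMAIN='news-bbc.podzone.org'
TURLA_C2_IP='80.248.65.183'

# Print every line of a log ("-" for stdin) that mentions either
# indicator. -F keeps the dots literal; -i catches mixed-case queries.
# Exit status follows grep: 0 when something matched, 1 when nothing did.
scan_log_for_turla_ioc() {
    grep -i -F -e "$TURLA_C2_DOMAIN" -e "$TURLA_C2_IP" "$1"
}

# List "PID EXE" for processes holding an AF_PACKET socket. /proc/net/packet
# has one line per packet socket with its inode in column 9; the owner is
# whichever /proc/<pid>/fd entry links to "socket:[<inode>]".
# Assumption, not stated in the post: a listener that watches packets for
# a magic value needs such a socket. tcpdump and DHCP clients hold them
# legitimately, so review the list by hand.
processes_with_packet_sockets() {
    packet_table=${1:-/proc/net/packet}
    proc_root=${2:-/proc}
    awk 'NR > 1 { print $9 }' "$packet_table" | while read -r inode; do
        for fd in "$proc_root"/[0-9]*/fd/*; do
            [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$inode]" ] || continue
            rest=${fd#"$proc_root/"}; pid=${rest%%/*}
            echo "$pid $(readlink "$proc_root/$pid/exe" 2>/dev/null || echo '?')"
        done
    done | sort -u
}

# Print network interfaces with IFF_PROMISC (0x100) set in their flags
# word, read from <sysfs-net>/<iface>/flags (a hex number such as 0x1103).
promiscuous_interfaces() {
    sys_net=${1:-/sys/class/net}
    for f in "$sys_net"/*/flags; do
        [ -r "$f" ] || continue
        flags=$(cat "$f")
        if [ $(( flags & 0x100 )) -ne 0 ]; then
            d=${f%/flags}; echo "${d##*/}"
        fi
    done
}

# Constructed sample log (not real telemetry): two lines should match.
sample_log() {
    cat <<'EOF'
Dec 10 09:12:01 gw dnsmasq[812]: query[A] updates.example.net from 10.0.0.15
Dec 10 09:12:07 gw dnsmasq[812]: query[A] NEWS-BBC.podzone.org from 10.0.0.23
Dec 10 09:12:09 gw kernel: OUT: SRC=10.0.0.23 DST=80.248.65.183 PROTO=TCP DPT=80
Dec 10 09:12:11 gw dnsmasq[812]: query[A] cdn.example.org from 10.0.0.15
EOF
}

# Build constructed /proc and sysfs look-alikes under $1 for an offline run:
# process 500 owns packet socket inode 98765, process 600 does not;
# eth0 is promiscuous, lo is not.
make_sample_tree() {
    mkdir -p "$1/proc/500/fd" "$1/proc/600/fd" "$1/sys/eth0" "$1/sys/lo"
    printf 'sk RefCnt Type Proto Iface R Rmem User Inode\n%s\n' \
        'ffff9a0000000000 3 3 0003 2 1 0 0 98765' > "$1/packet"
    ln -sf 'socket:[98765]' "$1/proc/500/fd/3"
    ln -sf '/tmp/.x/listener' "$1/proc/500/exe"
    ln -sf 'socket:[11111]' "$1/proc/600/fd/4"
    echo 0x1103 > "$1/sys/eth0/flags"
    echo 0x9 > "$1/sys/lo/flags"
}

# Offline demonstration:
#   sample_log | scan_log_for_turla_ioc -
#   d=$(mktemp -d); make_sample_tree "$d"
#   processes_with_packet_sockets "$d/packet" "$d/proc"   -> 500 /tmp/.x/listener
#   promiscuous_interfaces "$d/sys"                        -> eth0
# Live host: scan_log_for_turla_ioc /var/log/syslog; processes_with_packet_sockets; promiscuous_interfaces
```

The log scan is only as good as the logs you keep: if outbound DNS and connections are not logged at the gateway, there is nothing for it to find, so the first step is to make sure they are. The socket and interface checks need root to resolve other users' file descriptors, and their output is a review list, not a verdict; an unfamiliar binary holding a packet socket is the thing worth investigating.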