Linux malware authors use Ezuri Golang crypter for zero detection

silversurfer

Level 76
Verified
Trusted
Content Creator
Malware Hunter
Aug 17, 2014
6,632
72,010
Multiple malware authors are using the "Ezuri" crypter and memory loader to make their code undetectable to antivirus products.

According to a report released by AT&T Alien Labs, multiple threat actors are using Ezuri crypter to pack their malware and evade antivirus detection.

Although Windows malware have been known to deploy similar tactics, threat actors are now using Ezuri for infiltrating Linux environments as well.

Written in Go, Ezuri acts both as a crypter and loader for ELF (Linux) binaries. Using AES, it encrypts the malware code and, on decryption, executes the malicious payload directly within memory without generating any files on the disk. [...]
Ezuri's Indicators of Compromise (IOCs), YARA detection rules, and more information can be found in the blog post published by AT&T Alien Labs.
 

MacDefender

Level 14
Verified
Oct 13, 2019
699
6,589
It's interesting to see Linux malware "improve" in ways that Windows malware has already tried to evade detection. FWIW the "near zero" detection is now up to 12, notably with Symantec and Fortinet joining the club (Fortinet being an important one since they're one of the most popular gateway based antivirus solutions for protecting corporate servers)

Ultimately, the Windows solution to a lot of these problems has been to do in-memory scanning or behavior blocking, and that's something that no Linux AV that I know of is able to do yet.

One of the many reasons why I believe right now, Linux antivirus software is largely a waste of time for protecting the Linux machine itself. It's useful for accomplishing whole-network scanning for email servers or even routers / proxy servers as layered protection, but if you wanted to protect a Linux machine from these kinds of attacks, I think right now you're barking up the wrong tree by selecting AV software.
 

mazskolnieces

Level 3
Jul 25, 2020
116
598
It's interesting to see Linux malware "improve" in ways that Windows malware has already tried to evade detection. FWIW the "near zero" detection is now up to 12, notably with Symantec and Fortinet joining the club (Fortinet being an important one since they're one of the most popular gateway based antivirus solutions for protecting corporate servers)

Ultimately, the Windows solution to a lot of these problems has been to do in-memory scanning or behavior blocking, and that's something that no Linux AV that I know of is able to do yet.

One of the many reasons why I believe right now, Linux antivirus software is largely a waste of time for protecting the Linux machine itself. It's useful for accomplishing whole-network scanning for email servers or even routers / proxy servers as layered protection, but if you wanted to protect a Linux machine from these kinds of attacks, I think right now you're barking up the wrong tree by selecting AV software.
Contrary to the hype "Linux is more secure," the fact of the matter is that Linux is quite insecure. If the full force of pentesting and security researchers were unleashed upon Linux, the amount of discovered vulnerabilities would create a Linux insecurity hysteria. Attackers (especially nation states) already know that Linux security is atrocious.

The current state of Linux AV is at the same level as Microsoft Security Essentials in its early days.

As the NSA pointed out when it developed Selinux, Linux security has to be all put onto the user. And that is just as true today as it was all those years ago.
 

MacDefender

Level 14
Verified
Oct 13, 2019
699
6,589
Contrary to the hype "Linux is more secure," the fact of the matter is that Linux is quite insecure. If the full force of pentesting and security researchers were unleashed upon Linux, the amount of discovered vulnerabilities would create a Linux insecurity hysteria. Attackers (especially nation states) already know that Linux security is atrocious.

The current state of Linux AV is at the same level as Microsoft Security Essentials in its early days.

As the NSA pointed out when it developed Selinux, Linux security has to be all put onto the user. And that is just as true today as it was all those years ago.
I totally agree. I think we are already seeing in the IoT world what's happening once Linux becomes a juicy target. Desktop Linux is okay simply because nobody cares to create attacks against it due to the small userbase. My web servers just catch dozens and dozens of Linux based attacks from IoT worms to cPanel/webmin exploits and PHP CGI shell injections. If you run the right Linux services you really need to figure out a security story, and unlike Windows, it is not "install piece of $100/yr/endpoint software" because the only available options for that are pretty much at feature parity with Windows 3.1 antivirus.

It's further disappointing that there was a bit of initial interest in AppArmor and SELinux when those technologies came out 10+ years ago, but not a lot has happened since then. Even distributions that ship with SELinux and AppArmor protection punch big holes through it or halfheartedly write policies. One popular distribution still has a DNS daemon sandbox policy written by me when I was in high school and it's been completely unchanged since then... :(

I think we all understand the state of Windows security software these days, but it's worth looking at macOS as an example too of how to be proactive. For years and years, Macs were not an attack surface for the same reason as desktop Linux (nobody uses it). But as Macs got popular, adware and ransomware sure started popping up. But Apple has been extremely aggressive in deploying new security features, from exploit protection in the toolchain to Gatekeeper (similar to SmartScreen's job) to a built-in startup items scanner in early boot. Two years ago after one single report of a sorta successful ransomware PoC, macOS now has CFA like permissions built into it and I think the implementation is better than a lot of AV software too. It's not perfect, but it at least shows the vendor is trying to do something about the problem BEFORE it becomes a prevalent issue.

What exactly have Linux (and heck FreeBSD) distributions done in the last 10 years on the security front? There's not even a single one that ships with a way of locking down or signing kernel modules, read-only system partitions, or other extremely basic hardening mechanisms that are used by devices with good track record for security.

(I'm purposely excluding Android smartphones and things like Tesla's infotainment, which do some of the things I mentioned. That's not every day desktop Linux, that's a highly customized software stack that just happens to be based off Linux)
 

mazskolnieces

Level 3
Jul 25, 2020
116
598
If you run the right Linux services you really need to figure out a security story, and unlike Windows, it is not "install piece of $100/yr/endpoint software" because the only available options for that are pretty much at feature parity with Windows 3.1 antivirus.
Adequately securing Linux servers (to a standard of security that a security professional would find acceptable) is no trivial matter. It's complex and tricky.

Linux security as a profession is ripe and lucrative for the can do security sudoers.

How many Linux pros do you know that can skillfully secure Linux ? Even those with years of experience struggle.
 
Top