- Mar 16, 2019
Read More hereA newly discovered Linux malware known as Symbiote infects all running processes on compromised systems, steals account credentials, and gives its operators backdoor access.
After injecting itself into all running processes, the malware acts as a system-wide parasite, leaving no identifiable signs of infection even during meticulous in-depth inspections.
Symbiote uses the BPF (Berkeley Packet Filter) hooking functionality to sniff network data packets and to hide its own communication channels from security tools.
This novel threat was discovered and analyzed by BlackBerry and Intezer Labs researchers, who worked together to uncover all aspects of the new malware in a detailed technical report. According to them, Symbiote has been under active development since last year.
System-wide infection via shared objectsInstead of having the typical form of an executable, Symbiote is a shared object (SO) library that gets loaded into running processes using the LD_PRELOAD directive to gain priority against other SOs.
By being the first to load, Symbiote can hook the "libc" and "libpcap" functions and perform various actions to conceal its presence, like hiding parasitic processes, hiding files deployed with the malware, and more.
All hiding tricks used by Symbiote (BlackBerry)
"When it injects itself into processes, the malware can choose which results it displays," the security researchers revealed in a report published today.
"If an administrator starts a packet capture on the infected machine to investigate some suspicious network traffic, Symbiote will inject itself into the inspection software's process and use BPF hooking to filter out results that would reveal its activity."
To hide its malicious network activity on the compromised machine, Symbiote scrubs connection entries it wants to hide, performs packet filtering via BPF, and removes UDP traffic to domain names in its list.
Backdoors and data theftThis stealthy new malware is primarily used for.......