Date: 2020-03-09

2019 was the year of Linux threats. Our research team observed a significant increase in the number of cyber attacks targeting Linux systems, evidenced by the discoveries of HiddenWasp, QNAPCrypt and EvilGnome.

Sadly, the antivirus industry continues to be plagued by low Linux threat detection rates.

It’s important to understand that in an open-source ecosystem like Linux, there is a large amount of publicly available code that attackers can quickly copy to produce their own malware. At the time of its discovery, for example, HiddenWasp contained large portions of code from previously leaked or open-sourced threats: Mirai and the Azazel rootkit. Mirai is not a highly complex malware, but its source code was leaked in 2016, and we now see that code reused often by adversaries developing their own malware for the Linux operating system.

Analyzing code reuse at the binary level is an effective way to detect and classify cyber threats. On the Linux platform especially, where detection rates remain low, attackers have become less concerned with using excessive evasion techniques: even when they reuse extensive amounts of code, their threats have largely managed to stay under the radar. With a code reuse analysis approach, defenders can detect any future variant of a threat that reuses even tiny portions of code from its predecessor, regardless of the evasion techniques used. Identifying the source of an attack decreases the ROI for cybercriminals, making it much more difficult for them to launch a new attack campaign in the future.
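The code reuse approach described above, as an added example that is not part of the original post or any vendor's engine: a toy Python classifier that indexes byte-level shingles ("genes") from known samples and reports what fraction of an unknown sample's shingles already belong to each family, so a new binary that lifts only a small chunk from a predecessor is still linked to it. All sample bytes and family names are constructed stand-ins. Real engines match on disassembled, normalized functions (which survive recompilation and allow shared library code to be excluded from the match); the byte-level version here shows only the principle.

```python
"""Toy binary-level code-reuse classifier (added example, not the post's code).
Index byte shingles ("genes") from known samples, then report which families an
unknown sample shares them with. Raw byte shingles miss reuse across
recompilation and can match padding or libc; real engines normalize functions."""
import hashlib
from collections import defaultdict

SHINGLE_LEN = 8  # bytes per window; toy value sized for the constructed samples


def shingles(data, n=SHINGLE_LEN):
    """Hash every n-byte window of data; the set is the sample's gene list."""
    return {hashlib.blake2b(data[i:i + n], digest_size=8).digest()
            for i in range(len(data) - n + 1)}


class ReuseIndex:
    def __init__(self):
        self.owner = defaultdict(set)  # gene hash -> families containing it

    def add(self, family, data):
        for gene in shingles(data):
            self.owner[gene].add(family)

    def classify(self, data):
        """Fraction of the sample's genes already seen in each known family."""
        genes = shingles(data)
        hits = defaultdict(int)
        for gene in genes:
            for family in self.owner.get(gene, ()):
                hits[family] += 1
        return {f: n / len(genes) for f, n in hits.items()} if genes else {}


# Constructed stand-ins for code sections; not bytes from any real malware.
MIRAI_LIKE = bytes(range(0, 64))       # pretend: a reused scanner routine
AZAZEL_LIKE = bytes(range(128, 192))   # pretend: a reused hooking routine
BENIGN = bytes([0xCC]) * 64            # pretend: an unrelated program
# A "new" variant: fresh code wrapped around a 20-byte chunk lifted from MIRAI_LIKE.
NEW_VARIANT = bytes([0x41]) * 20 + MIRAI_LIKE[10:30] + bytes([0x42]) * 30


def build_index():
    idx = ReuseIndex()
    idx.add("mirai", MIRAI_LIKE)
    idx.add("azazel", AZAZEL_LIKE)
    return idx


def demo():
    """Classify the variant and the benign sample against the known families."""
    idx = build_index()
    return {"new_variant": idx.classify(NEW_VARIANT), "benign": idx.classify(BENIGN)}
```

`demo()["new_variant"]` attributes the variant to "mirai" only (13 of its 29 distinct shingles come from the lifted chunk) and reports nothing for the benign sample; in practice a threshold and an allowlist of genes shared by many legitimate binaries are needed before acting on such a score.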