Researchers have worked out how Symbiote, a new piece of Linux malware, works and what it is capable of. Experts say it is almost impossible to detect, writes Intezer. Here is why.
Where did the virus come from
Symbiote was first discovered in November 2021. It was presumably written to target the financial sector in Latin America, since its domain names sometimes impersonate large Brazilian banks. After infecting a computer, the malware completely hides itself and any other malware the attackers deploy alongside it.
An investigation on an infected machine may reveal nothing, because all of the files, processes, and network artifacts are hidden by the malware. In addition to its rootkit capabilities, the malware provides a backdoor that lets an attacker log into the system and execute commands with the highest privileges.
How infection occurs
Because the malware is extremely evasive, a Symbiote infection is practically undetectable. It is not a standalone executable but a shared object library that is loaded into every running process through LD_PRELOAD (which makes it load before any other shared object), and that is how it infects the computer.
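The preload mechanism described above leaves two places a defender can inspect: the LD_PRELOAD variable in each process's environment (exposed through /proc/<pid>/environ) and the global /etc/ld.so.preload file. The script below is an added example, not code from the article or from Intezer; it parses both sources and flags any preloaded library that is not on a site allowlist. The allowlist entry and the sample environ and preload-file contents are constructed for the example. The caveat is the one the article makes at the end: a rootkit that hooks libc in every dynamically linked process can hide entries from a dynamically linked Python interpreter, so on a suspect host the live audit is only trustworthy when run from a statically linked tool or against the mounted disk from a clean system.

```python
"""Audit the dynamic loader's preload entry points on a Linux host.

Both parsers take the raw file contents as input, so they can be exercised
against constructed samples offline as well as against a live /proc.
"""
import os
from typing import Dict, List

# Constructed allowlist: preload libraries the site knowingly uses.
KNOWN_GOOD = {"/usr/lib/libfakeroot.so"}  # placeholder, not a real finding


def parse_environ(raw: bytes) -> Dict[str, str]:
    """Parse the NUL-separated KEY=VALUE block of /proc/<pid>/environ."""
    env: Dict[str, str] = {}
    for entry in raw.split(b"\0"):
        if not entry or b"=" not in entry:
            continue
        key, _, value = entry.partition(b"=")
        env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def preloaded_from_environ(raw: bytes) -> List[str]:
    """Return the libraries named in a process's LD_PRELOAD, if any."""
    value = parse_environ(raw).get("LD_PRELOAD", "")
    # ld.so accepts both ':' and whitespace as separators in LD_PRELOAD.
    return [lib for lib in value.replace(":", " ").split() if lib]


def preloaded_from_file(text: str) -> List[str]:
    """Return the libraries listed in /etc/ld.so.preload ('#' starts a comment)."""
    libs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            libs.append(line)
    return libs


def suspicious(libs: List[str]) -> List[str]:
    """Flag every preload library that is not on the allowlist."""
    return [lib for lib in libs if lib not in KNOWN_GOOD]


def audit_live_host() -> Dict[str, List[str]]:
    """Walk /etc/ld.so.preload and /proc/<pid>/environ on the running host."""
    findings: Dict[str, List[str]] = {}
    try:
        with open("/etc/ld.so.preload") as fh:
            hits = suspicious(preloaded_from_file(fh.read()))
        if hits:
            findings["/etc/ld.so.preload"] = hits
    except OSError:
        pass  # an absent file is the normal, clean state
    if not os.path.isdir("/proc"):
        return findings  # not a Linux host with procfs
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/environ", "rb") as fh:
                hits = suspicious(preloaded_from_environ(fh.read()))
        except OSError:
            continue  # process exited, or its environ is not readable by us
        if hits:
            findings[f"pid {pid}"] = hits
    return findings


# Constructed samples standing in for real /proc and /etc data.
SAMPLE_ENVIRON = b"PATH=/usr/bin\0LD_PRELOAD=/tmp/.x/libevil.so.1\0HOME=/root\0"
SAMPLE_PRELOAD_FILE = (
    "# managed by config tool\n"
    "/usr/lib/libfakeroot.so\n"
    "/dev/shm/.hidden.so\n"
)

if __name__ == "__main__":
    print("environ:", suspicious(preloaded_from_environ(SAMPLE_ENVIRON)))
    print("ld.so.preload:", suspicious(preloaded_from_file(SAMPLE_PRELOAD_FILE)))
    print("live host:", audit_live_host())
```

Run it as root from a trusted environment; a non-empty result from audit_live_host() means a library is being injected into processes via the loader and the path it names is the first artifact to preserve.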
One unusual feature is its use of Berkeley Packet Filter (BPF) packet capture hooking. The malware uses it to hide malicious network traffic on the infected computer. When an administrator runs any packet capture tool on an infected machine, that tool loads BPF bytecode into the kernel to decide which packets should be captured. Symbiote prepends its own bytecode to that filter, so that the traffic it wants hidden is dropped before the packet capture software ever sees it.
Symbiote hides not only its own presence but also the other files belonging to the malware deployed with it.
What the malware is for
The purpose of the malware is to collect credentials and to provide remote access to the computer. The remote access is obtained by hooking several functions of the Linux Pluggable Authentication Module (PAM): the hooks it places let an attacker authenticate to the computer through any service that uses PAM, Secure Shell included. Once authenticated, Symbiote provides the functionality to gain root privileges. From there an attacker can do anything on the computer – steal files, or use its computing power to mine cryptocurrency (although, given the exchange rate, that is unlikely).
How to identify it
Because the malware works as a user-level rootkit, it is not easy to find. Network telemetry can be used to detect anomalous DNS queries. Security tools – EDR and antivirus – should be statically linked to ensure they themselves are not “infected” by the rootkit. Only then can they be effective.
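Both pieces of detection advice above can be turned into concrete checks. The script below is an added example and is not code from the article or from Intezer. The first function scans DNS query log lines (constructed for the example, in a made-up "timestamp client qtype qname" layout) for machine-generated-looking leftmost labels, using length and Shannon entropy thresholds that are heuristics to be tuned against your own baseline. The second parses an ELF header and reports whether the image carries a PT_INTERP program header, which is what makes a binary run under ld.so in the first place; a tool without one is never subject to LD_PRELOAD or /etc/ld.so.preload, which is the property the article's "statically linked" advice is about. The minimal ELF images are built inline so the check runs offline; on a real host, pass it the bytes of your EDR or antivirus binary.

```python
"""Two defender-side checks: DNS label entropy and ELF static-linkage."""
import math
import struct
from collections import Counter
from typing import List

# --- 1. DNS telemetry ---------------------------------------------------------

# Constructed log lines in the layout "<timestamp> <client> <qtype> <qname>".
SAMPLE_DNS_LOG = [
    "2022-06-01T10:00:01Z 10.0.0.5 A www.example.com",
    "2022-06-01T10:00:02Z 10.0.0.5 A mail.example.com",
    "2022-06-01T10:00:03Z 10.0.0.5 A 9f3c7e2ab41d6e8f0c25b7a1.update-check.example",
    "2022-06-01T10:00:04Z 10.0.0.7 AAAA cdn.example.org",
]


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character of a DNS label."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def dns_anomalies(lines: List[str], min_len: int = 16,
                  min_entropy: float = 3.5) -> List[str]:
    """Return query names whose leftmost label looks machine-generated.

    The thresholds are example heuristics, not values from the article.
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line: skip rather than crash the scan
        qname = parts[3].rstrip(".")
        label = qname.split(".")[0]
        if len(label) >= min_len and shannon_entropy(label) >= min_entropy:
            hits.append(qname)
    return hits


# --- 2. Is the tool itself loaded by ld.so? -----------------------------------

PT_INTERP = 3  # program header naming the dynamic loader (ELF specification)


def uses_dynamic_loader(data: bytes) -> bool:
    """True if the ELF image has a PT_INTERP entry, i.e. is started via ld.so.

    Without PT_INTERP the kernel maps the image directly, so LD_PRELOAD and
    /etc/ld.so.preload never get a chance to inject a library into it.
    """
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    elf_class, byte_order = data[4], data[5]
    end = "<" if byte_order == 1 else ">"   # EI_DATA: 1 = little, 2 = big endian
    if elf_class == 2:        # ELFCLASS64
        fmt = "16sHHIQQQIHHHHHH"
    elif elf_class == 1:      # ELFCLASS32
        fmt = "16sHHIIIIIHHHHHH"
    else:
        raise ValueError("unknown ELF class")
    hdr = struct.unpack_from(end + fmt, data, 0)
    phoff, phentsize, phnum = hdr[5], hdr[9], hdr[10]
    for i in range(phnum):
        (p_type,) = struct.unpack_from(end + "I", data, phoff + i * phentsize)
        if p_type == PT_INTERP:
            return True
    return False


def build_elf64(phdr_types: List[int]) -> bytes:
    """Build a minimal, non-executable ELF64 image carrying the given headers."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)  # class 64, LSB, version 1
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, 2, 62, 1, 0x400000,
                       64, 0, 0, 64, 56, len(phdr_types), 0, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 5, 0, 0, 0, 0, 0, 0)
                     for t in phdr_types)
    return ehdr + phdrs


DYNAMIC_IMAGE = build_elf64([1, PT_INTERP])  # PT_LOAD + PT_INTERP: normal binary
STATIC_IMAGE = build_elf64([1])              # PT_LOAD only: static binary

if __name__ == "__main__":
    print("suspicious DNS names:", dns_anomalies(SAMPLE_DNS_LOG))
    print("dynamic image uses ld.so:", uses_dynamic_loader(DYNAMIC_IMAGE))
    print("static image uses ld.so:", uses_dynamic_loader(STATIC_IMAGE))
```

Run the ELF check against the copy of the security tool you intend to deploy, from a clean host, before trusting any result that tool produces on a machine suspected of carrying Symbiote.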