How this malware attacks Linux, and you can’t protect yourself

It has always been said that Linux is an invulnerable system, that it has no viruses, and that it is much safer than alternatives such as Windows or macOS. However, although it is true that this system offers an extra measure of security compared to its rivals, it is far from the stronghold that many boast of. And not only because of viruses that can affect it directly, but also because of remote malware that directly attacks programs or protocols, against which we can do nothing. This is exactly what the new RapperBot does.

RapperBot is a new botnet that has been in operation since mid-June this year. This malware specializes in brute force attacks against the SSH service of all kinds of Linux servers. Its goal is to establish a connection to the machine, gain access to it, and then both read the data stored on the server and move laterally across the network in search of other computers.

How this malware attacks Linux

This new malware is based on Mirai, a Trojan that for a few years has been infecting tens of thousands of Linux devices to build one of the largest botnets, rented out to the highest bidder for all kinds of computer attacks. However, although based on it, RapperBot is somewhat different: its operators have more control over its spread, and it does not focus on DDoS attacks but on remote connection to computers and lateral movement within a network.

Hackers control this botnet through a C2 panel, from which they can designate targets and send lists of SSH users to try by brute force until one allows a connection. It is capable of connecting to any SSH server that offers Diffie-Hellman key exchange with 768-bit or 2048-bit keys and AES128-CTR encryption.

In just a month and a half, this malware has scanned and attacked more than 3,500 IP addresses. Moreover, it seems to be more active than ever.

How to mitigate these attacks

Brute force attacks don’t rely on a security flaw in a program or protocol, so we can’t expect a magic patch to suddenly protect us. There is therefore no way to protect ourselves completely against this threat; what we can do is mitigate its impact and avoid becoming the next victim.

The first and most obvious step is that, if we do not use SSH, we should disable the service on our Linux system. This prevents us from connecting to the system remotely, but it also guarantees that we will not fall into the clutches of these hackers. Another way to protect ourselves is to configure the server to block connections after a limited number of failed attempts. If, for example, connections are blocked for 10 minutes after 10 failed attempts, brute force attacks become ineffective.

Other tips for mitigating the impact of this malware are the usual ones: do not use default user accounts, use long, random and strong passwords, and change the default SSH port.
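The lockout rule described above (block a source for 10 minutes once it has failed 10 times), replayed over sshd authentication log lines, as an added example that is not part of the original article or of any real tool. The function and constant names are this example's own, and the log lines are constructed with documentation IP ranges.

```python
import re
from datetime import datetime, timedelta

# Thresholds follow the article's example (10 failures -> 10 minute lockout); names are this example's own.
MAX_FAILURES, WINDOW, BLOCK_FOR = 10, timedelta(minutes=10), timedelta(minutes=10)

# Standard OpenSSH failure message as it appears in a syslog-style auth log.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

def parse_failure(line, year=2022):
    """Return (timestamp, user, ip) for an sshd failed-login line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    return datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["user"], m["ip"]

def blocked_sources(log_lines):
    """Replay auth-log lines through a sliding-window lockout; return {ip: block_expiry}."""
    failures, blocked_until = {}, {}
    for line in log_lines:
        parsed = parse_failure(line)
        if not parsed:
            continue
        when, _user, ip = parsed
        if ip in blocked_until and when < blocked_until[ip]:
            continue  # still locked out: this attempt never reaches authentication
        recent = [t for t in failures.get(ip, []) if when - t < WINDOW]
        recent.append(when)
        failures[ip] = recent
        if len(recent) >= MAX_FAILURES:
            blocked_until[ip] = when + BLOCK_FOR
            failures[ip] = []
    return blocked_until

# Constructed sample: 198.51.100.7 fails 10 times in two minutes (a brute-force bot's footprint); 203.0.113.5 mistypes twice.
SAMPLE_LOG = [
    f"Jul 20 10:{i // 5:02d}:{(i % 5) * 12:02d} srv sshd[{4000 + i}]: Failed password for "
    f"{'invalid user admin' if i % 2 else 'root'} from 198.51.100.7 port {5000 + i} ssh2"
    for i in range(10)
] + [
    "Jul 20 10:05:00 srv sshd[4100]: Failed password for alice from 203.0.113.5 port 6001 ssh2",
    "Jul 20 10:05:30 srv sshd[4101]: Failed password for alice from 203.0.113.5 port 6002 ssh2",
]

if __name__ == "__main__":
    for ip, until in blocked_sources(SAMPLE_LOG).items():
        print(f"{ip} locked out until {until:%H:%M:%S}")
```

Tools such as fail2ban implement the same idea against the live log; this replay shows why the legitimate user with two typos is never touched while the scanning source is locked out on its tenth attempt.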