A team of research found a new malware called Linux/Shishiga, which targets Lua programming language and script on Linux-based devices

A new strain of Linux Malware has been around for some times. The malware, which Eset Research and Michal Malik called “Linux/Shishiga”, could prose serious danger to the system. The new threat was reported to represent Lua Family, but it is not related to the existing LuaBot malware. Linux/Shishiga targets Lua script.

Lua contains a series of modules, which give the designers flexibility. Lua is known for as a lightweight and efficient scripting language. Lua language is widely used for procedural programming, functional programming, object-oriented programming, data description, and data-driven programming. Lua is now used for Flame and Evilbunny, and it is a popular choice among APT makers.

The programming language has been around since 1993. It was designed to meet the increasing demand for customizable programming language at that time. It includes mechanism for customizing the language, thus allowing the programmers to implement specific features. However, the language itself does not contain domain-specific features. The language is designed to improve programming speed, extensibility, portability, as well as user friendliness.

The coming of the new threat has been anticipated by many threat managers. Even though it may not create a new ground of damage, the new malware may come with existing techniques, which it derives from other strains of malware.

How Linux/Shishiga Malware Might Influence Lua

Lua programming language may be vulnerable to the malware. It uses a common infection vector, as it has weak bases for its built-in password list. As a result, the malware could use the list to find possible password combination to gain access to the system. Actually, Linux/Shishiga works in a similar way to Linux/Moose. Linux/Moose is also a malware. It primarily targets Linux-based DSL modems, routers, cable, and other embedded computers. It uses the infected devices to steal unencrypted network traffic and to provide the botnet operator with proxying services.

On the other hand, Linux/Shishiga uses four different protocols, namely SSH, BitTorrent, Telnet, and HTTP. Eset Research and Michal Malik also found that the new malware has several binaries for various architectures. They include ARM (armv41), MIPS, PowerPC, and i686. These are widely used in IoT devices.

Linux/Shishiga is a binary, which is packed with Ultimate Packer for Executables (UPX) 3.91. However, the tool is expected to have trouble in unpacking the binaries, since the new malware provides additional data at the end of the packed file. After trying to unpack the binaries, Eset Research Team and Michal Malik found that the malware is statistically related to Lua runtime library and symbols. That is why they associated the new threat with Lua malware family.

Actually, Eset research Team and Michal Malik had observed the malware for several weeks. They found minor changes during the last few weeks. They included rewriting of some parts of the modules, addition of testing modules, and removal of redundant files. These modifications have looked trivial so far, but they must be anticipated since the malware keeps working. The research team concluded that the malware authors might have used Lua as a scripting language, since it is easy to use. Alternatively, they derived the code from a different malware family and then integrated the targeted architecture with Lua library and symbols.

Is Linux/Shishiga Malware Dangerous?

Is Linux/Shishiga dangerous for your computer? The malware is different from any other threats, which target default credentials on IoT devices. Linux/Shishiga compromises Linux computers with weak password. It exploits easily guessed passwords for Linux, particularly over SSH or Telnet. So, How do you know if your devices have been affected?

The malware opens a backdoor on the effected computer and makes it potential to download malicious files. It spreads by brute forcing SSH credentials and Telnet. When your devices are infected, you will find files, which begin with $home/.local codes. Then, the malware will perform the following actions on your computer:

• It scans and infects other devices (computers) on external network addresses
• It downloads additional modules
• It downloads malicious files

So far, the malware has had few victims, but the ongoing process related to Linux/Shishiga indicates that it progresses. For instance, Eset Research Team found that there have been constant addition, removal, and modifications of components, debug information, as well as code comments. In addition, the research team warned that since the malware keeps growing, there might be future variants, which try another means of entry into the device system, beyond the password way.

How to Stay Safe from Linux/Shishiga Malware

The research team found that Linux/Shishiga malware seems to target data center or IoT devices. If the attackers successfully get into the computer’s system of an enterprise, huge troubles will result. It will be very difficult to retrieve the affected files unless the company finds fast solution. So, how to prevent your computer from the malware?

Malik and the Eset research team suggested Linux users to do the following steps to minimize the risk for being affected by the worm:

• Not using SSH credentials and default Telnet.
• Using difficult-to-guess password will minimize the risk. Ask your team to enforce a specific password policy, such as changing administrator passwords at a regular basis and using complex passwords, which are difficult to crack
• Administering a kind of in-depth defense system that can identify incoming threat in an immediate way
• Implementing aggressive patching, thorough looking for suspicious files, reviewing log data, and resting incident response.
• Using a powerful firewall to block incoming threats
• Disabling the AutoPlay feature on your computer to prevent the executable files from being automatically launched
• Turning on file sharing feature and any other file sharing apps, such as Bluetooth, only when necessary. If not used, it is better to turn off the file sharing to limit access and increase password protection
• Turning off or removing unnecessary services, particularly those that need internet connection. Such services can be used by attackers as a point of entry.

Removing the Linux/Shishiga is very likely as long as you use a powerful virus scan application on your computer. Make sure to use an updated anti-virus and run a full-system scan to identify any traces of the affected files.