Wednesday April 26, 2017

Experimental Shishiga Malware Targets Linux

The Shishiga of Russian lore makes its home on the Kama River. The legend states that travelers and drunkards along this river may come across a nude creature combing its hair along the banks. Those unfortunate enough to succumb to its beauty will either wander out into the river and drown, or die by some other means. Perhaps by being eaten by ill-tempered sea bass. Not good.

In the real world, the Shishiga has taken on a digital form. Researchers at ESET have discovered a nasty piece of malware that operates by brute forcing weak Telnet and SSH credentials on Linux systems in an effort to plant itself on a victim device. On first inspection, Linux/Shishiga might appear similar to other LuaBot-inspired malware. The difference is that, while those samples also target weak Telnet and SSH credentials, Shishiga additionally leverages the BitTorrent protocol in the same manner as the Mirai-style worm called Hajime. Hajime was observed last year and is believed to have been created in an effort to harden the Internet of Things (IoT) against Mirai botnet exploitation. It is more sophisticated than Mirai, and seems to be gaining popularity in a modified and malicious form.


"It’s possible that Shishiga could still evolve and become more widespread but the low number of victims, constant adding, removing, and modifying of the components, code comments and even debug information, clearly indicate that it’s a work in progress. To prevent your devices from being infected by Shishiga and similar worms, you should not use default Telnet and SSH credentials."

To protect yourself from this attack, ensure that you are not using default credentials for Telnet or SSH. In fact, default credentials should be the first thing changed when installing a new OS, device, application or service. Mirai would have met little success if users had been forced to change default credentials in IoT devices.
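Changing default credentials is the prevention step; the detection side is noticing the credential brute forcing that worms of this kind rely on. The script below is an added example, not code from the article or from ESET's research. It parses sshd lines in the classic syslog format, counts failed password attempts per source address, and separately flags any password login that succeeds after a run of failures from the same source. The log lines are constructed for the example, and the failure threshold is an assumed tuning knob.

```python
"""Spot SSH password brute forcing in sshd syslog lines (added example)."""
import re
from collections import Counter, defaultdict

# Constructed sample auth.log lines for this example (not real captures).
SAMPLE_AUTH_LOG = """\
Apr 26 10:01:02 gw sshd[2211]: Failed password for root from 203.0.113.7 port 51022 ssh2
Apr 26 10:01:03 gw sshd[2211]: Failed password for root from 203.0.113.7 port 51023 ssh2
Apr 26 10:01:04 gw sshd[2212]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
Apr 26 10:01:05 gw sshd[2213]: Failed password for invalid user pi from 203.0.113.7 port 51025 ssh2
Apr 26 10:01:06 gw sshd[2214]: Failed password for invalid user user from 203.0.113.7 port 51026 ssh2
Apr 26 10:01:07 gw sshd[2215]: Accepted password for root from 203.0.113.7 port 51027 ssh2
Apr 26 10:02:00 gw sshd[2230]: Failed password for alice from 198.51.100.9 port 40001 ssh2
Apr 26 10:02:30 gw sshd[2231]: Accepted publickey for alice from 198.51.100.9 port 40002 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ..." (unknown usernames).
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_auth_log(text):
    """Walk the log once; return failures per IP, usernames tried per IP,
    and password logins that were accepted after earlier failures."""
    failures = Counter()
    users = defaultdict(set)
    accepted_after_failures = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m["ip"]] += 1
            users[m["ip"]].add(m["user"])
            continue
        m = ACCEPTED_RE.search(line)
        # Only password logins matter here; a key-based login after a
        # failed password attempt is a normal fallback, not a guess that landed.
        if m and m["method"] == "password" and failures[m["ip"]] > 0:
            accepted_after_failures.append((m["ip"], m["user"], failures[m["ip"]]))
    return failures, users, accepted_after_failures


def find_brute_force_sources(text, threshold=5):
    """Sources with at least `threshold` failed password attempts.
    `threshold` is an assumed tuning value; pick one for your environment."""
    failures, users, _ = parse_auth_log(text)
    return sorted(
        (ip, count, sorted(users[ip]))
        for ip, count in failures.items()
        if count >= threshold
    )


def find_password_success_after_failures(text):
    """Password logins accepted from a source that had already failed,
    which is the pattern a weak or default credential leaves behind."""
    return parse_auth_log(text)[2]


if __name__ == "__main__":
    for ip, count, tried in find_brute_force_sources(SAMPLE_AUTH_LOG):
        print(f"{ip}: {count} failed password attempts, usernames tried: {tried}")
    for ip, user, prior in find_password_success_after_failures(SAMPLE_AUTH_LOG):
        print(f"{ip}: password login as {user!r} accepted after {prior} failures")
```

On the constructed sample, 203.0.113.7 is reported with five failures across four usernames, and its subsequent password login as root is flagged; the single failure from 198.51.100.9 followed by a public-key login is left alone. The per-IP username set is what distinguishes a user mistyping a password from a worm cycling through a default-credential list.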