Just like the soda wars between Pepsi and coke, there’s an ongoing operating system (OS) war being between Microsoft Windows and Apple macOS. That competition has been going on as long back as November 1985! That’s when Windows 1.0 was released. The first Apple Macintosh computer (as they were called back then) was released in January 1984. But it appears there has been an OS war of sorts going on between Windows and Linux, too.
Linux in a nutshell
Linux isn’t really just one OS—it’s a kernel that is used in literally at least hundreds of different other OSes, if that makes any sense. Without getting too technical, a kernel is the deepest, most fundamental part of any OS. It’s not the part that comes up with the graphics you see on your screen in the forms of windows and applications, and it’s not the part that directly runs your applications. It’s the part underneath the part that directly runs your applications. The kernel talks to your computer hardware.
Linus Torvalds and a lot of other computer programmers working with him developed the first Linux kernel back in 1991, a derivative of the UNIX kernel. Linus plus UNIX equals Linux, get it? Many updated versions of the Linux kernel have been released ever since, and the latest version, 4.19, was released in October 2018.
Chances are that you use Windows or macOS on your desktop and laptop computers. But if you don’t have an iPhone, you probably have an Android phone instead. And most likely, you have already surfed the web today. Most of the web servers that have sent you your webpages run some sort of Linux-based OS. Android also is based on a Linux kernel. Many of your Internet of Things (IoT) devices, like your Fitbits, your car’s onboard systems, and your Google Home or Amazon Echo run a version of Android, even if you can’t see it. So whether you know it or not, you’ve used Linux today in some direct or indirect way.
The Bill Gates connection
Knowing the importance of Linux and how Windows has competed with Linux over the years makes this story all the more interesting. You know who Bill Gates is, right? Together, he and Paul Allen founded Microsoft all the way back in 1975, and he helped to run the company up until 2006. That’s right, Microsoft existed about a decade before they released the first version of Windows.
New Linux malware has been discovered, called “Linux.BtcMine.174” by researchers. This is how it works. If a cyber attacker acquires access to a Linux computer, which could be a desktop, or a server, or an Android phone or Internet of Things device, they can run this malicious shell script. A shell script is a bit of computer programming that’s designed to be executed at the Linux or UNIX command line, the old-fashioned text-based way of using an operating system which modern computers still support so that nerds can use it. Shell scripts can be good, but they could also be bad. They could also be malware.
The working details
This bad shell script is really long, it has about 1,000 lines! It finds a folder on a Linux target and hijacks it. That way, the cyber attacker can make changes to the folder, put their own bad files into it, or do bad things to the files that were already in there. The malware then scans the Linux target for other people’s malware so it can’t interfere with what they want to do. From the cyber attacker’s own server, the target will then download DDoS malware that they have called “Bill Gates.” He was the CEO of Linux rival Microsoft, so the cyber attacker must think that’s hilarious. So what is DDoS?
DDoS stands for distributed denial of service attack. It means a lot of different computers are used (“distributed”) to send such an overwhelming amount of data to the cyber attacker’s victim computer that it can no longer operate until a network administrator makes it run properly again. That’s the “denial of service.”
Many DDoS attacks these days are done by a cyber attacker’s botnet, which is formed when the cyber attacker puts their “zombie” malware on a lot of different internet-connected computers. The cyber attacker can control all of those computers in unison, so they can synchronize their efforts in overwhelming their cyber attack target with more data than it can handle.
“Linux.BtcMine.174”, as per its name, can also make the Linux computers it infects generate Bitcoin. So, the computer’s processor and memory become dedicated to doing a whole lot of complicated math problems so the cyber attacker can make money at the target’s expense. Because of one of the first things the malware shell script does, hijacking a folder, the cyber attacker also will have a “backdoor” on the victim Linux computer. They can use their own servers to send all kinds of other nasty malware and perhaps also acquire remote control of their target!
These are the Linux security vulnerabilities, which make what “Linux.BtcMine.174” does possible. When security vulnerabilities are discovered, they are often recorded into the CVE, otherwise known as the Common Vulnerabilities and Exposures database, and they’re given a unique sort of serial number for identification.
The first is CVE-2013-2094. Here’s the description for it: “The perf_swevent_init function in kernel/events/core.c in the Linux kernel before 3.8.9 uses an incorrect integer data type, which allows local users to gain privileges via a crafted perf_event_open system call.”
Breaking down the techno-speak
Okay, that sounds like a bunch of technical gobble-dee-gook. But basically, because of a silly computer programming error, someone on a Linux computer who doesn’t have administrative privileges can get them. And those administrative privileges allow cyber attackers to do many different types of nefarious things on the computer—such as the bad things done by the “Linux.BtcMine.174” malware.
The second is CVE-2016-5195. “Race condition in mm/gup.c in the Linux kernel 2.x through 4.x before 4.8.3 allows local users to gain privileges by leveraging incorrect handling of a copy-on-write (COW) feature to write to a read-only memory mapping, as exploited in the wild in October 2016, aka ‘Dirty COW.’” Ugh, more geek speak! Pragmatically speaking, it’s much like the first vulnerability. It’s a computer programming error that can be exploited to do the sort of malicious stuff “Linux.BtcMine.174” does.
Many current versions of Linux and Android use a Linux kernel that predates 4.8.3, and some even use kernels that predate 3.8.9, including Android Marshmallow and older versions of Android. Hopefully with news about “Linux.BtcMine.174” being shared around, the developers of the hundreds of different Linux-based OSes out there will work with the developers of the Linux kernel to fix these vulnerabilities. Don’t forget—always update your OS and software!
#