The Linux Turla is a new piece of malware designed to infect only Linux computers, which has managed to remain relatively hidden until now and has the potential of doing a lot of harm. Unfortunately, very little is known about it or how to fix it.
During the course of almost a year, the guys at Kaspersky Lab discovered a cyber-espionage operation which they called the “Epic Turla.” According to their research, more than 45 countries have been affected and that includes government institutions, embassies, military, education, research, pharmaceutical companies, and a lot more domains. It seems to be an organized effort, probably with a nation backing it up.
These problems were Windows-only and it looked like it will remain that way, but it turns out that “Turla” did not affect Windows systems exclusively. In fact, Linux systems are also vulnerable, to a different kind of code, which seems to be a part of the same organized effort to compromise computers on a global scale.
I don’t know when. I don’t know where. But something bad is going to happen
This could be something Donald Rumsfeld might say, but the truth is that is almost the conclusion Kaspersky researchers posted on securelist.com. Until now they have only become aware that this problem exists, but it will be hard to fix.
“This newly found Turla component supports Linux for broader system support at victim sites. The attack tool takes us further into the set alongside the Snake rootkit and components first associated with this actor a couple years ago. We suspect that this component was running for years at a victim site, but do not have concrete data to support that statement just yet.”
“The Linux Turla module is a C/C++ executable statically linked against multiple libraries, greatly increasing its file size. It was stripped of symbol information, more likely intended to increase analysis effort than to decrease file size. Its functionality includes hidden network communications, arbitrary remote command execution, and remote management. Much of its code is based on public sources,” wrote the Kaspersky researchers.
From what the researchers have managed to put together until now, it looks like it links to three libraries, glibc2.3.2, openssl v0.9.6, and libpcap. The hardcoded C&C that hosts known Turla activities is news-bbc.podzone[.]org (from pDNS IP: 188.8.131.52). Kaspersky Lab is currently sinkholing that address.
It doesn’t need root
One of the most interesting aspects of this Turla cd00r-based malware is that is doesn’t require elevated privileges,