Linux malware may attempt to enumerate the distribution and version of the system it is running on.
It does this for many reasons:
- To send statistical information back to the attacker
Malware often includes functionality used to send information about the victimized host back to the attacker. Attackers can then review this information to make informed choices and perform reconnaissance.
For example, the attacker may see that the IP address belongs to a large company and decide to explore it further. Or they may see that it is a very underpowered VPS and skip it. Or they may see that it has a lot of processing power and use it to crack passwords or mine cryptocurrency.
- To determine if the malware is compatible with the system
A byproduct of the diverse ecosystem of Linux is that software often doesn't "just work" from one computer to the next. Different distributions include different libraries or versions of libraries out of the box. If a malware author uses such libraries, dynamic linking will be problematic from one disparate system to the next.
Sometimes, the kernel introduces new features. If malware uses any of these features that are somewhat new, it may not work on an older kernel. Malware can figure out which kernel is running to select which method to use to accomplish its objective, or determine whether it will even work at all.
- To ensure that the system is an intended target of the malware
In targeted attacks, the attacker will often take measures to prevent the spread of their malware into unintended networks or hosts. Malware authors may run a series of checks such as IP addresses, geolocation, MAC addresses, time zone or system clock, default language, presence of a filesystem artifact, presence of a specific process, etc.
If the malware determines that it is running on an unintended target, it can gracefully exit, or self-destruct. This prevents collateral damage and can be an effective anti-analysis technique.
- To detect sandboxes or reverse engineering attempts
Malware can use a number of techniques to determine if it is being run under a sandbox or analysis environment. This can cause the malware to change its execution flow in order not to reveal additional information about the malware, or avoid dropping additional modules or payloads for the analyst to observe.
Some of the techniques for this are the same as other methods outlined already:
- Check for filesystem artifacts
- Check for certain processes
- Check if being traced
- Check the filename of the malware to make sure it's running under its intended path, name, etc. and not as a hash
- Check if users exist such as vagrant or cuckoo
- Check if certain tools are installed on the system
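As an added example (not code from the original article), here is a Python triage helper for the analyst side of the checks described above. It scans strace-style output captured from a sample running in an analysis VM and tags each file access or syscall with the fingerprinting purpose it most plausibly serves: distribution and kernel version reads, tracer checks via /proc/self/status or ptrace, lookups of sandbox users such as vagrant or cuckoo, probes for analysis tools, and the sample reading its own path. The trace lines are constructed for illustration, and the path patterns and tool names are assumptions a defender would tune to their own environment.

```python
"""Tag OS/environment fingerprinting in strace-style output (added example).

The trace below is constructed for illustration; the path lists are
assumptions about where Linux keeps this information, not an exhaustive set.
"""
import re
from collections import Counter

# Paths grouped by the purpose a read of them usually serves. Order matters:
# the first category whose pattern matches wins.
FINGERPRINT_PATHS = {
    "distro_version": [r"^/etc/os-release$", r"^/usr/lib/os-release$",
                       r"^/etc/lsb-release$", r"^/etc/[a-z]+[-_]release$",
                       r"^/etc/issue$"],
    "kernel_version": [r"^/proc/version$", r"^/proc/sys/kernel/osrelease$"],
    # /proc/self/status carries TracerPid; reading it is a common tracer check.
    "trace_check": [r"^/proc/self/status$", r"^/proc/\d+/status$"],
    # Sandbox user names taken from the article; /etc/passwd covers getpwnam.
    "user_enum": [r"^/etc/passwd$", r"^/home/(vagrant|cuckoo)(/|$)"],
    # Assumed illustrative analysis tools; extend for your own lab image.
    "tool_presence": [r"^/usr/(local/)?bin/(strace|ltrace|gdb|tcpdump)$"],
    # Resolving its own path lets a sample check it was not renamed to a hash.
    "self_path_check": [r"^/proc/self/exe$"],
}

# Syscalls that fingerprint without touching a path.
FINGERPRINT_SYSCALLS = {"uname": "kernel_version", "ptrace": "trace_check"}

# Syscalls whose string arguments are worth inspecting for the paths above.
PATH_SYSCALLS = {"open", "openat", "stat", "lstat", "newfstatat", "statx",
                 "access", "faccessat", "readlink", "readlinkat"}

LINE_RE = re.compile(
    r"^(?:\[pid\s+\d+\]\s+)?(?P<name>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>-?\w+)")
QUOTED_RE = re.compile(r'"([^"]*)"')

# Constructed sample trace: a mix of fingerprinting reads and ordinary noise.
SAMPLE_TRACE = """\
execve("./sample", ["./sample"], 0x7ffc1a2b3c40 /* 12 vars */) = 0
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/etc/os-release", O_RDONLY|O_CLOEXEC) = 3
uname({sysname="Linux", nodename="lab", release="5.15.0-generic", ...}) = 0
openat(AT_FDCWD, "/proc/self/status", O_RDONLY) = 4
access("/usr/bin/strace", F_OK) = -1 ENOENT (No such file or directory)
stat("/home/cuckoo", 0x7ffc1a2b3a10) = -1 ENOENT (No such file or directory)
readlink("/proc/self/exe", "/tmp/sample"..., 4096) = 11
exit_group(0) = ?
"""


def classify_line(line):
    """Return the fingerprinting category for one strace line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    name = m.group("name")
    if name in FINGERPRINT_SYSCALLS:
        return FINGERPRINT_SYSCALLS[name]
    if name not in PATH_SYSCALLS:
        return None
    for path in QUOTED_RE.findall(m.group("args")):
        for category, patterns in FINGERPRINT_PATHS.items():
            if any(re.match(p, path) for p in patterns):
                return category
    return None


def summarize(lines):
    """Count hits per category and keep the matching lines for review."""
    counts = Counter()
    hits = []
    for line in lines:
        category = classify_line(line)
        if category:
            counts[category] += 1
            hits.append((category, line.strip()))
    return counts, hits


if __name__ == "__main__":
    counts, hits = summarize(SAMPLE_TRACE.splitlines())
    for category, line in hits:
        print(f"{category:16s} {line}")
    print("\nsummary:", dict(counts))
```

Run it over a real capture with `strace -f -o trace.txt ./sample` and feed the file's lines to `summarize`; a sample that hits several categories in its first few hundred syscalls is worth a closer look, and the tagged lines tell you which files and users your lab image exposes and may want to neutralize.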