Linux machine users running the popular Redis NoSQL database beware. A new Trojan dubbed “Linux.Lady” has been found in the wild, and she’ll turn your computer into a mining rig without your knowing.
Up to 30,000 Redis servers may be vulnerable due to a lack of default securities on Redis and because system administrators have exposed them to the Internet without setting up a password.
Linux.Lady was reported by the Russian antivirus firm Dr. Web. Interestingly, the malware is written in the Google programming language Go, relying largely on open source Go libraries hosted on GitHub.
According to Dr. Web, once Linux.Lady is launched, it collects information about the infected computer (such as the Linux operating system version, the number of CPUs on the infected system, and the number of running processes), and sends that information to the command and control (CC) server.
It is likely that this information tells the hacker whether it’s worth the effort to do some mining on the machine, or if the CPU is already maxed out.
If all systems are go, the CC then sends back a configuration file and the virus proceeds to download and launch its main payload: a crypto-currency mining utility to generate money and transfer that money to the hacker’s e-wallet.
The sample of Linux.Lady analyzed by Dr. Web was mining a cryptocurrency named Monero.
The real danger of the virus is that it self-propagates. Once it is up and running, the malware can detect the IP address of the server and go after other vulnerable Redis servers on the network to install its own copy on them.
Upon finding a new machine, the infection process starts all over, authenticating on the Redis server, downloading the Linux.DownLoader.196 script and adding it to a Cron job.
It is important to note that while Lady.Linux targets Linux systems, it does not exploit any Linux flaws. Instead, the problem lies in how Redis is configured.
Intended for internal use inside trusted environments only, Redis is designed to be lightweight for maximum performance, not maximum security.
In a Redis security document, the company specifically cautions: “It is not a good idea to expose Redis directly to the internet or, in general, to an environment where untrusted clients can directly access the Redis TCP port or UNIX socket.”
System admins are advised to follow best practices when configuring their Linux hosts. Additionally, Dr. Web also recommends the use of its own anti-virus software to eliminate the threat of Linux.Lady.