Linux Version of Winnti Malware

Winnti, a trojan that is typically used by Chinese attackers and normally runs on Windows-based systems, has now been found on Linux systems. The discovery was made after the Bayer company was hit by an attack and the Winnti malware was found on its systems. Winnti was first found in 2011 and has been used to download popular video games and to infect multiple companies. Winnti is made up of two parts: a rootkit that hides malware on infected hosts, and a backdoor trojan. Further research shows code similarities between the Linux and Windows versions. Other similarities include how outbound communications with its command and control (C&C) server are handled. The malware also gives attackers the ability to initiate connections without going through the C&C servers. Linux malware is actually quite rare because Linux provides the opportunity for attackers to “live off the land,” which renders customized tools unnecessary.

Analyst Notes

Even though malware is uncommon on Linux, it is still advisable to have malware and general virus detection systems installed. These programs should also be updated on a routine schedule to obtain the latest virus and malware definitions.