Security researchers from Trend Micro have stumbled upon a new malware strain that mines cryptocurrency on Linux computers, but which differs from previously seen cryptominers because it downloads a rootkit to alter the operating system’s behavior and hide the unwanted high CPU usage that usually comes with cryptocurrency mining.

Currently, Trend Micro has not identified the way the malware, which they named KORKERDS, infects systems, but they don’t believe this recent wave of infections is the result of an intrusive mass-hacking campaign. Instead, researchers believe crooks are using poisoned Linux applications that have been modified to silently download and install the KORKERDS cryptominer during the installation process of a legitimate app. Which app? Trend Micro hasn’t figured that out yet.

But researchers did say that the KORKERDS samples they’ve recently analyzed do more than just install a Monero miner: they also download and install a rootkit, which they described as “a slightly modified/repurposed version of publicly available code.”

Besides allowing KORKERDS to survive OS reboots, the rootkit component also contained a somewhat unusual feature. Trend Micro says that KORKERDS’ authors modified the rootkit to hide the cryptominer’s main process from Linux’s native process monitoring tools.

“The rootkit hooks the readdir and readdir64 application programming interfaces (APIs) of the libc library,” researchers said. “The rootkit will override the normal library file by replacing the normal readdir file with the rootkit’s own version of readdir.” This malicious version of readdir works by hiding processes named “kworkerds”, which…
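Because ps, top and `ls /proc` all enumerate processes by reading the /proc directory through readdir, a hooked libc can filter “kworkerds” out of every one of them at once; opening `/proc/<pid>` by name never calls readdir, so comparing the two views exposes what the hook dropped. The following is an added example in the spirit of tools such as unhide, not Trend Micro’s tooling or code from the article, and assumes a Linux host with a standard procfs:

```python
import os

def readdir_pids():
    """PIDs visible through a directory listing of /proc.  This is the
    path ps, top and ls use, and the one a readdir/readdir64 hook filters."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}

def is_thread_group_leader(pid):
    """/proc/<tid> can be opened for plain threads too, even though readdir
    never lists them; only count entries whose Tgid equals their own pid."""
    try:
        with open(f"/proc/{pid}/status") as status:
            for line in status:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) == pid
    except OSError:
        pass
    return False

def probed_pids(max_pid):
    """PIDs found by opening /proc/<pid> by name, which bypasses readdir."""
    return {pid for pid in range(1, max_pid + 1)
            if os.path.isdir(f"/proc/{pid}") and is_thread_group_leader(pid)}

def process_name(pid):
    """The comm name, e.g. 'kworkerds' for the process this rootkit hides."""
    try:
        with open(f"/proc/{pid}/comm") as comm:
            return comm.read().strip()
    except OSError:
        return "?"

def hidden_processes(max_pid=None):
    """Return {pid: comm} for processes that exist but are not listed."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as pid_max:
            max_pid = int(pid_max.read())
    candidates = probed_pids(max_pid) - readdir_pids()
    # Drop processes that merely exited between the two scans, then re-list
    # so a short-lived false positive has to be missing twice to be reported.
    survivors = {pid for pid in candidates if os.path.isdir(f"/proc/{pid}")}
    return {pid: process_name(pid) for pid in survivors - readdir_pids()}

if __name__ == "__main__":
    for pid, name in sorted(hidden_processes().items()):
        print(f"hidden from readdir: pid {pid} ({name})")
```

On a clean host the script prints nothing; a readdir-hooking rootkit of the kind described above yields the hidden PID together with its comm name, which is the cross-check to run before trusting what top reports about CPU usage.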
ZDNet is a business technology news website published by CBS Interactive, along with TechRepublic. The brand was founded on April 1, 1991, as a general interest technology portal from Ziff Davis and evolved into an enterprise IT-focused online publication owned by CNET Networks.