Turla-like Malware for Linux Finally Detected

Turla-like Malware for Linux Finally Detected

Security experts recently detected a piece of malware targeting Linux, which appears to be part of the well-known Turla malware designed for Windows and targeting the military, embassies, and more.

Turla for Windows

Kaspersky and Symantec discovered Turla earlier this year and up until now, all its components were designed specifically for Windows. The sophisticated spyware was suspected to be created by the Russian government. It infected “several hundred computers in more than 45 countries, including government institutions, embassies, military, education, research and pharmaceutical companies,” according to Kaspersky Lab.

No wonder why security experts called this malware ‘Epic Turla’.

According to an article in Reuters from March 7, 2014, security researchers believed that Turla was also related to the malicious software used on the U.S. military in 2008, which caused a massive disturbance. And, it was also said to be related to Red October – another global spying operation targeting military, diplomatic and nuclear channels online.

Turla for Linux

The Linux Turla has apparently been created in addition to the Windows Turla – in order to have a broader access of victims. Experts believe that this component is not new, and it’s been around for some years now, but they have not had specific proof of that until now.

The malware is said to act like ‘a stealth backdoor on the cd00r sources,’ as per securelist.com.
cd00r.c‘ is a proof of concept code to test the idea of a completely invisible backdoor server,’ according to phenoelit.org, the creators of cd00r. ‘The approach of cd00r.c is to provide remote access to the system without showing an open port all the time. That is done by using a sniffer on the specified interface to capture all kinds of packets. The sniffer is not running in promiscuous mode to prevent a kernel message in syslog and detection by programs like AnitSniff.’

That’s what Linux Turla did – it adopted the cd00r approach in order to be able to remain in a stealth mode while running commands remotely. It is quite flexible and free to run on victims’ computers thanks to the fact that it does not need root access. And, instead of using SYN packets, it went for TCP/UDP packets to run its invisible operations. That is why it cannot be detected by netstat (network statistics) – a commonly used command-line tool.

In short, experts have suspected the existence of Turla components targeting Linux for a while now, but had no hard facts until now. We then can’t help but wonder if there are other Turla variations out there which experts haven’t even thought of yet.