Cryptojacking is a lucrative venture for malware developers, but it comes with a problem. Cryptojackers take up a lot of the processor’s resources which makes the attack very noticeable for the victim. One strain of cryptojacker has developed a way to avoid detection by masking the tell-tale signs from the user.1
The Arrival of Skidmap
Skidmap is a Linux-based malware which mines cryptocurrency on computers and servers without the owner’s permission. What makes Skidmap so dangerous is its wide range of advanced features that make it a pain to locate and stop.
Hiding the CPU’s True Usage
For one, it can mask its CPU usage. It does this by using a rootkit that masks how much of the processor is being used. This is handy for Skidmap, as its performance-tanking attack will cause users to look at their system resources. Should they see the spoofed CPU usage, they’ll assume any slowdowns as another part of the computer, thus taking heat off the malware.
Hiding Its Network Activity
Cryptojackers need to send data to mine the funds for their owner. This, too, can be a “fingerprint” that will give away a cryptojacker’s location. As such, it uses its rootkit to mask its network traffic so that the user can’t spot the communications going to and from the malware.
Persisting Past Cleanup
Skidmap can also infect the kernel of the operating system, meaning it’s harder to clean it out completely. Even if the user manages it, Skidmap has many ways of sneaking around a network, meaning it can re-infect cleaned devices.
Why Does It Infect Linux?
Typically, malware that makes the developer money targets Windows. This is because of Windows’ high adoption rate; the more computers that run Windows, the further the malware can spread, and the more money the developer makes. So, why does this one target Linux – the OS that’s cited as the hardest option to spread malware?
Legitimate cryptominers know of the weaknesses of mainstream OSs and have shored up with Linux for their mining needs. This makes a malware attack less likely than with a Windows machine.
As a result, heavy duty mining rigs typically run Linux. These are prime targets for cryptojacker developers, who are keen to bandwagon off the rig’s processing power to make themselves some money.
What to Do in the Face of Skidmap
Due to Skidmap’s evasive nature, it’s highly recommended not to allow it to get a foothold on your system. As such, the common practices for avoiding a nasty infection are recommended here.
Keep your servers and systems up to date to help combat this threat. Try not to download and open files on a mining computer or even on a computer on the same network. Don’t give root permission to unknown files. Your computers may be running Linux, but these days it doesn’t give you a free pass for malware!
Mapping Out Skidmap’s Plan
Skidmap is a nasty example of advanced cryptojacking. It can burrow into a Linux kernel, survive multiple wipes, and mask its footprints using false CPU usage information and fake network traffic. A Skidmap infection is hard to shake, so do your best to prevent the initial infection.
Will this news make you more wary of a cryptojacker infection? Let us know below.