Article Details
Scrape Timestamp (UTC): 2025-08-05 12:42:30.912
Source: https://www.theregister.com/2025/08/05/plague_linux_backdoor/
Original Article Text
Antivirus vendors fail to spot persistent, nasty, stealthy Linux backdoor.

'Plague' malware has been around for months without tripping alarms.

Researchers at German infosec services company Nextron Threat have spotted malware that creates a highly persistent Linux backdoor and say antivirus engines do not flag the code as malicious.

Nextron researcher Pierre-Henri Pezier says the company named the malware "Plague" as its deobfuscated code contains the text "Uh. Mr. The Plague, sir? I think we have a hacker" - a line from the 1995 film Hackers.

“The implant is built as a malicious PAM (Pluggable Authentication Module), enabling attackers to silently bypass system authentication and gain persistent SSH access,” Pezier wrote last week, adding that the malware “integrates deeply into the authentication stack, survives system updates, and leaves almost no forensic traces. Combined with layered obfuscation and environment tampering, this makes it exceptionally hard to detect using traditional tools.”

Pezier said the malware “actively sanitizes the runtime environment to eliminate evidence of an SSH session. Environment variables such as SSH_CONNECTION and SSH_CLIENT are unset using unsetenv, while HISTFILE is redirected to /dev/null to prevent shell command logging."

The malware appears as a Pluggable Authentication Module (PAM) and uses a variety of techniques to avoid detection, including hiding session logs to evade scanning, implementing a custom string obfuscation system, and concealing itself from debuggers by using the legitimate libselinux.so.8 shared library file name. It also contains hardcoded passwords to allow the operator easy access.

Given PAM's role in authentication, the backdoor is very worrying. Potentially it could be used to steal user account details and get around standard authentication verification. Another reason to worry is that Nextron isn’t sure how miscreants would install Plague.
Worse still, Pezier wrote that parties unknown uploaded Plague variants to VirusTotal in 2024, but the malware scanning service never flagged the code as malware.

This is nasty malware, but there is one reason to be slightly cheerful: Pezier found no public reports of researchers detecting Plague in the wild.

"The Plague backdoor represents a sophisticated and evolving threat to Linux infrastructure, exploiting core authentication mechanisms to maintain stealth and persistence," Pezier concludes. "Its use of advanced obfuscation, static credentials, and environment tampering makes it particularly difficult to detect using conventional methods."

Nextron had no further comment at the time of publication and antivirus vendors contacted by The Register had no comment. But with many folks heading to Las Vegas for the BSides/Black Hat/DEF CON security conferences, that's perhaps understandable.
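The article describes the implant as a PAM module that masquerades under a legitimate shared library name (libselinux.so.8) and hooks into the authentication stack. One defensive check a Linux administrator can run is an audit of the pam.d configuration for modules that do not look like PAM modules, are loaded from outside the standard module directory, or are not owned by any installed package. The script below is an added example written for this page; it is not Nextron's tooling or code from the article. The pam.d configuration text, the module directory list and the package-ownership index are all constructed for the example; on a real host the ownership index would be built from `rpm -qf` or `dpkg -S` output and the configuration read from /etc/pam.d.

```python
"""Audit PAM configuration text for suspicious authentication modules.

Added example (not from the article). Flags a module when:
  * its file name is not of the usual pam_*.so form,
  * it is loaded from a directory other than the standard module dirs,
  * the file is not owned by any installed package (simulated here),
and notes when such a module sits at 'auth sufficient', where its success
alone satisfies the authentication stack.
"""
from pathlib import PurePosixPath

# Assumed standard PAM module directories (varies by distribution).
PAM_MODULE_DIRS = {
    "/lib/security", "/lib64/security",
    "/usr/lib/security", "/usr/lib64/security",
    "/usr/lib/x86_64-linux-gnu/security",
}
DEFAULT_MODULE_DIR = "/usr/lib64/security"  # assumption: where bare module names resolve

# Constructed sample /etc/pam.d/sshd. The last line models the behaviour the
# article describes: a library that is not a pam_* module wired into auth.
SAMPLE_PAM_SSHD = """\
# PAM configuration for the Secure Shell service (constructed sample)
auth       required     pam_env.so
auth       substack     password-auth
auth       include      postlogin
auth       [success=1 default=ignore] pam_unix.so nullok
account    required     pam_nologin.so
account    include      password-auth
session    required     pam_selinux.so close
session    optional     pam_keyinit.so force revoke
session    required     pam_loginuid.so
auth       sufficient   /usr/lib64/security/libselinux.so.8
"""

# Constructed stand-in for package ownership (rpm -qf / dpkg -S results).
PACKAGE_OWNED = {
    "/usr/lib64/security/pam_env.so": "pam",
    "/usr/lib64/security/pam_unix.so": "pam",
    "/usr/lib64/security/pam_nologin.so": "pam",
    "/usr/lib64/security/pam_selinux.so": "pam",
    "/usr/lib64/security/pam_keyinit.so": "pam",
    "/usr/lib64/security/pam_loginuid.so": "pam",
}


def parse_pam_lines(text):
    """Return (type, control, module, args) tuples; include/substack lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        mtype = parts[0].lstrip("-").lower()  # leading '-' marks an optional module
        if parts[1].startswith("["):
            # Bracketed control value such as [success=1 default=ignore]
            end = next((i for i, p in enumerate(parts) if p.endswith("]")), None)
            if end is None:
                continue
            control = " ".join(parts[1:end + 1])
            rest = parts[end + 1:]
        else:
            control = parts[1].lower()
            rest = parts[2:]
        if not rest or control in ("include", "substack"):
            continue  # references another config file, not a module
        entries.append((mtype, control, rest[0], rest[1:]))
    return entries


def audit_pam(text, owned, default_dir=DEFAULT_MODULE_DIR, module_dirs=PAM_MODULE_DIRS):
    """Return a list of findings for modules that fail any of the checks."""
    findings = []
    for mtype, control, module, _args in parse_pam_lines(text):
        path = module if module.startswith("/") else f"{default_dir}/{module}"
        p = PurePosixPath(path)
        reasons = []
        if not (p.name.startswith("pam_") and p.name.endswith(".so")):
            reasons.append(f"unexpected module file name {p.name!r}")
        if str(p.parent) not in module_dirs:
            reasons.append(f"loaded from non-standard directory {p.parent}")
        if path not in owned:
            reasons.append("file not owned by any installed package")
        if reasons and mtype == "auth" and control == "sufficient":
            reasons.append("'auth sufficient': this module's success alone satisfies the stack")
        if reasons:
            findings.append({"type": mtype, "control": control,
                             "module": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_pam(SAMPLE_PAM_SSHD, PACKAGE_OWNED):
        print(f"{f['type']} {f['control']} {f['module']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

The package-ownership check is the one that catches an implant reusing a plausible file name: a module named like a system library but not shipped by any package stands out regardless of how it is named. Pairing this with `rpm -V pam` or `dpkg -V libpam-modules` to verify the hashes of the legitimate pam_*.so files covers the case where an existing module has been replaced in place.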
Daily Brief Summary
Researchers at Nextron Threat have discovered malware named "Plague" which sets up a resilient backdoor on Linux systems.
The malware, undetected by antivirus tools, dodges detection by manipulating system authentication processes through a malicious PAM (Pluggable Authentication Module).
'Plague' is capable of bypassing user authentication, providing attackers sustained and silent SSH access, and endures through system updates.
It uses advanced tactics like custom string obfuscation, log hiding, and using a disguised file name to remain hidden from debugging tools.
Crucially, the backdoor leaves minimal forensic footprints by sanitizing the runtime environment, erasing session traces and redirecting command logs.
Despite the severity of the threat, there have been no confirmed instances of 'Plague' detected in active use in the wild.
The malware was uploaded to the VirusTotal scanning service in 2024, yet it failed to trigger any malware detection alarms.
The discovery raises substantial concerns regarding the effectiveness of current antivirus solutions against sophisticated threats on Linux platforms.