Interview: MalwareMustDie and their Linux malware research
With great pleasure, we interviewed unixfreakjp. He is the leader and founder of the malware research group MalwareMustDie. We want to learn about their activities, Linux malware, and useful skills for security professionals. Keep reading!
About the MalwareMustDie organization
So, for those who have never heard about MalwareMustDie, can you tell us who you are?
As stated on our website, MalwareMustDie is a white-hat anti-cybercrime security research workgroup. Launched in August 2012, it is a non-profit organization and media outlet for security professionals and researchers who gathered to form a workflow to reduce malware infection on the internet. We work to raise malware awareness by sharing general information on malware infection schemes and trends with common users, helping security vendors and public automated malware-related scanning/decoding tools by providing in-depth decode analysis of recent malware infection frameworks, and working with legal authorities to take down malware domains and on further threat intelligence.
We aim to establish good relationships vertically with authorities, and horizontally with fellow researchers and security entities, so that cooperation can be enlisted in dismantling domains that host malware and its infectors on the internet.
Why do you work for free? What is there to gain?
We work as a non-profit “organization”; it can hardly be called a company. All of us are mostly employees or engineers with day-work duties related to network and internet administration or the security profession. The organization does not receive any income, and the costs of operations are paid from the involved members’ own money.
Can you tell us a little bit about the MMD team? How big is it?
We have maintained a steady membership of around 30 members; with the supporters included, it is around 60 people right now.

Linux malware
We typically hear that there aren’t viruses for Linux. Seeing the samples collected on websites like Packet Storm Security, we know there is quite some malicious software around. What type of malware do you encounter?
Malware or viruses in Linux have existed for a long time. Ten years ago, it was not as popular as Windows malware. But things have changed since 2012, when the abuse of Linux infection through unattended Linux devices started. And we have seen a complete series of types since then, from backdoors, rootkits, hacking tools (scanners/bruters, etc.), spam tools, exploit distribution tools, ransomware, botnet kits (via IRC or other protocols) to traffic DoS attack malware tools.
Do you see any trend that suggests malicious software on Linux has been increasing during the last years? What about ransomware for Linux, does that show up now?
Each time the security community announces a new Linux (or Unix) service-related vulnerability, the Linux malware trend and infection rate rises. For example: during Shellshock, the PMA (phpMyAdmin) vulnerabilities, the Apache Struts vulnerabilities, the various OpenSSL vulnerabilities that lead to illegal authentication, and now the IoT factory credential setting flaw, all of these raised (or are raising) Linux malware infection and distribution on the affected systems.
Ransomware is in “a boom” in the cybercrime business. There are various types of Linux ransomware that encrypt website data or the server’s data now, since coding an encoder or encrypter program is not difficult at all. For cybercrime, ransomware is always high in profit and low in risk compared to real-life extortion or ransom crime, so most of the professional cyber mafia are in this “business” now.
The thing is that Linux is based on open source, so dissecting ransomware in Linux is only a matter of time. You just cannot mess with Linux/UNIX system administrators; for years they are the ones who are ready with backups, images and more savvy solutions to prevent any of their services from going down.
When someone finds a piece of malware on their machine, they can upload it to your website. What happens to the samples?
We analyze each sample, every one of them. Then we check whether the protection layer, i.e. antivirus or other signatures (IDS, Yara, etc.), already covers it, and then we go deeper into the uncovered ones. When it comes to an unknown malware that poses a public-level threat, we post an awareness note on our blog. Sensitive cases, like APT for example, we don’t expose at all.

Recent developments
You are known on Twitter as @malwaremustdie. You are using a lot of crusader pictures. Does it have to do with religion, or is it something else?
It is just a symbol; just as Linux uses a penguin and FreeBSD uses a daemon, we use knight images from the medieval era. No, it is not related to any religion at all, but all of the members are religious and decent citizens. The “Crusade” term also symbolizes the hard effort we face in fighting malware and the crime scene behind it; it is a big deal, knowing that malware has still existed for more than 20 years now.
Last year the Twitter handle became a private account. You also announced that a lot of people would be removed from the followers. What was that about?
We are not active anymore on Twitter. It’s all about security. There were malware people lurking on us. @malwaremustdie had 15,000+ followers and now we have around 1,300 after I reduced them. Most of the followers were blackhat lurkers. They learned from what we tweeted and used the information to improve their malware; some blackhats are using the vulnerabilities that we found to improve their malware too.
These lurkers are using predicates such as “security enthusiast”, “malware researcher”, “reverse engineering student”, “system administrator”, and some of them are even faking real researchers’ pictures, names or avatars that they stole from respectable researchers on other social networks. In order to avoid this, for the people that we don’t know, we vetted them and asked followers to inform us about themselves. We disconnect any follower who doesn’t explain. But our direct messages are always open for those who want to re-follow after they give more details about themselves.
I also run several scripts connected via the Twitter API to check the validity of accounts that tried to follow us; if the indicator is RED we won’t even answer the request. Right now we have almost 500 requests that are still flagged as RED. We need to conduct our research peacefully and to OPSEC our comms better; right now we are in the happiest state.
But people can still read the blog and learn about the details, right?
Yes, the blog is the recommended way for the public, including the malware bad guys, to read. The information in the blog is filtered; we pass all of the necessary details to law enforcement before or during the time we blog it.
If someone is interested in malware and security, do they stand a chance of being accepted as a new follower?
We are done with Twitter, if you refer to it. Right now I am not willing to add Twitter followers anymore. People can follow us via the blog or the IOC feed we released; journalists and legitimate researchers know exactly where to reach us.
Our Twitter DM is open to anyone, to ask questions or for an introduction. The funny thing is, blackhats are using this channel a lot to send “their messages”, etc., instead of whitehats.

Professional skills
Is there a benefit for security professionals to learn to analyze malware samples? How could you use it in your daily work?

It is important for security professionals to know how to check a malware sample. Th