Crypto miners are nothing new; they have been around almost since the beginning of cryptocurrencies in 2009. Skidmap, however, is a brand new piece of code detected by Trend Micro's research team. The malware targets Linux machines specifically and uses kernel-mode rootkits to stay undetected. It is built to outdo most of the popular miners out there because it can genuinely evade detection. The miner even sets up a master password that gives the attacker remote access to any infected system.
For the Trend Micro researchers, the use of kernel-mode rootkits shows considerable ingenuity in avoiding detection. The extent of the access the malware grants is also worrying, since infected systems are essentially stripped of their protection. Because Skidmap requires root access for most of its functions, an infection exposes the system to no end of follow-on risks, from targeted reconfiguration to data exposure on the internet. Add the backdoor access the software grants, and you have a recipe for disaster.
A Well-Designed Miner That Has Proven to Be a Challenge
The analysts also noted that the infection can be delivered through any of Skidmap's usual routines. The malware installs the miner by using crontab to execute its main binary repeatedly until the system gives in. After that, the system's security settings are in effect relaxed, even if they still appear to be configured the way they should be. The code targets SELinux, supposedly the most secure configuration of the OS you can get: it disables the system's security controls, lets confined domains run unrestricted, and sets up backdoor access.
The bad news keeps coming in this report. On top of the backdoor access, Skidmap also replaces pam_unix.so, the module used for Unix authentication, with a malicious version. The main binary then checks how the system is set up and drops the miner for that Linux distribution. The Trend Micro team also stated that the malware is one of the toughest nuts to crack: it is designed to keep running no matter what, obscuring the other activity on the system and redirecting its resources to keep the miner going. An additional component installed by the miner, named "Kaudited," monitors the mining process and keeps logs for the attacker.
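As an added defender-side example (not code from the article or from Trend Micro), the following POSIX shell script checks a Linux host for the three behaviours described above: an SELinux mode other than enforcing, a pam_unix.so whose digest no longer matches its package, and crontab entries that deserve review. The package names pam and libpam-modules are assumptions about which package ships pam_unix.so, not values from the report.

```shell
#!/bin/sh
# Host triage for the Skidmap behaviours described in the article:
# SELinux no longer enforcing, a pam_unix.so that differs from the
# packaged copy, and crontab persistence. Each function reads command
# output from stdin so it can be exercised on captured samples.
# Package names (pam on RPM systems, libpam-modules on Debian) are
# assumptions, not values taken from the report.

# Print the SELINUX= mode from /etc/selinux/config text, or "unknown".
selinux_mode() {
  awk -F= '/^[[:space:]]*SELINUX[[:space:]]*=/ {
             gsub(/[[:space:]]/, "", $2); print tolower($2); found = 1; exit }
           END { if (!found) print "unknown" }'
}

# Parse rpm -V / dpkg -V output and print every path whose digest
# differs from the package ("5" in the third column of the flag field).
digest_mismatches() {
  awk 'substr($1, 3, 1) == "5" { print $NF }'
}

# Print the command part of each crontab entry (comments, blank lines
# and variable assignments dropped) so persistence can be reviewed.
cron_commands() {
  awk '/^[[:space:]]*(#|$)/ { next }
       { start = ($1 ~ /^@/) ? 2 : 6; cmd = ""
         for (i = start; i <= NF; i++) cmd = cmd (i > start ? " " : "") $i
         if (cmd != "") print cmd }'
}

# Run the three checks against the live host.
run_checks() {
  if [ -r /etc/selinux/config ]; then
    echo "SELinux config mode: $(selinux_mode < /etc/selinux/config)"
  fi
  if command -v rpm >/dev/null 2>&1; then
    echo "Modified PAM files:"; rpm -V pam | digest_mismatches
  elif command -v dpkg >/dev/null 2>&1; then
    echo "Modified PAM files:"; dpkg -V libpam-modules | digest_mismatches
  fi
  echo "Cron commands to review:"; crontab -l 2>/dev/null | cron_commands
}

# Only touch the live host when asked, so the functions can also be
# fed captured command output for testing.
if [ "${1:-}" = "--run" ]; then run_checks; fi
```

Run the script with `--run` to check the live host; without the flag only the functions are defined.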
The Nail That Hits Skidmap on the Head, and the Only Effective Fix
The final element is probably the scariest one Trend Micro identified: a module named "iproute," which hooks the malware into directory contents to make it untraceable and fakes the network activity and CPU statistics to hide the malware's footprint on your system. This malware is really hard to scrape off a system short of wiping the hard drive, reinstalling, and putting new security controls in place.