Linux-Targeted Malware Increased by 35%

Crowdstrike is reporting that malware targeting Linux has increased considerably in 2021:

Malware targeting Linux systems increased by 35% in 2021 compared to 2020.

XorDDoS, Mirai and Mozi malware families accounted for over 22% of Linux-targeted threats observed by CrowdStrike in 2021.

Ten times more Mozi malware samples were observed in 2021 compared to 2020.

Lots of details in the report.

News article:

The Crowdstrike findings aren’t surprising as they confirm an ongoing trend that emerged in previous years.

For example, an Intezer report analyzing 2020 stats found that Linux malware families increased by 40% in 2020 compared to the previous year.

In the first six months of 2020, a steep rise of 500% in Golang malware was recorded, showing that malware authors were looking for ways to make their code run on multiple platforms.

This programming, and by extension, targeting trend, has already been confirmed in early 2022 cases and is likely to continue unabated.

Slashdot thread.

EDITED TO ADD (2/13): Another article.

Posted on January 24, 2022 at 6:27 AM15 Comments


Linuxsucks January 24, 2022 7:22 AM

It’s about time. With a bit of luck we’ll see that jump to 100%, and the world will be fine again.

zzzz January 24, 2022 7:49 AM


Increased by 35%

%100 would not mean that all Linux machines are infected… actually means nothing… If there is one Linux computer infected today and two tomorrow, that would be a 100% increase….

Ted January 24, 2022 10:32 AM

Those are useful observations, especially for critical services that remain vulnerable to DDoS attacks. As CrowdStrike says, Linux-running IoT devices are low hanging fruit – often times due to hardcoded passwords, open ports, and unpatched vulnerabilities.

On an up note, the UK Parliament has scheduled a second reading of the PSTI bill – the one that proposes new IoT regulations including the banning of default passwords.

It looks like it’s on for January 26th.

Clive Robinson January 24, 2022 11:05 AM

@ ALL,

Is this realy unexpected?

We tend to look on malware writers as cyber-criminals looking to make a profit of some kind.

The implication on that is a simple ROI calculation.

There are three basic drivers,

1, Application security on commercial OS’s is unbelievably to many improving (all be it too slowly).

2, The use of less common OS’s especially those that use Open Licencing is increasing for a variety of reasons.

3, The use of cross platform Open Source Components by commercial software vendors is increasing.

Thus as has recently been seen by the use of Open Source components can be a bit of a problem as Log4j demonstrated. It got buried in a lot of places and few even knew it was part of the systems they used.

The more “platform independent” a feature or vulnarability is, the better the ROI from a malware developers perspective.

I fully expect to see the malware on less common OS’s and applications to rise, for two reasons,

1, It’s even now a low risk crime that can have significant rewards.

2, It’s such a target rich environment that significant vulnerabilities are being found at an ever greater rate (think “X per day” not the older “One every X days”).

Some OSs will very very rarely get vulnarabilities publically found. This is not because they do not have any, but the usage of the OS is low and for general crime purposes capitalizing on them is even lower. That said from an APT / State level / Level III attacker looking for kinetic or similar disabaling effects such vulnarabiliries would be of considerable interest.

someone January 24, 2022 11:20 AM

First cited article is from a company that apparently sells malware protection products for Linux systems. No potential lack of objectivity there 8-/ The 35% metric is meaningless without context (there is really none provided). What is the population of internet-facing systems using Linux, how does that compare with similar non-Linux systems (preferably broken out by OS family), how much have such Linux-based systems increased or decreased, and what was the attack rate fo those other systems. Possibly most importantly, what fraction of the attacked systems were infected or otherwise compromised. Article looks suspiciously like it may have been pushed by Crowdstrike marketing, not ITSec.

null clam January 24, 2022 11:43 AM

This seems to raise the general question of Linux code quality. Has there ever been assembled some sort of assessment ?

Winter January 24, 2022 12:13 PM

@Clive, All
“Another article on the story,”

This one gives more context. The targets are predominantly:
1) IoT devices
2) SSH servers with weak passwords (IoT, Routers, smart devices)
3) Docker containers (includes 2?)

1 and 2 are simply the result of products thrown over the wall with minimum code cost. #3 is worked on by reducing containers to the bare minimum functionality and the obvious hardening policies.

Little is said about desktop Linux.

Clive Robinson January 24, 2022 2:39 PM

@ Winter, ALL,

#3 is worked on by reducing [Docker] containers to the bare minimum functionality and the obvious hardening policies.

I suspect that many containers were not put together by those using them, also those that have have bern secured against the wrong threat profile.

Also I suspect many containers are in effect “Off The Shelf”(OTS) made to be as much ‘all things to all men” as possible. So I suspect the actuall “hardening” is quite a ways from what it could be.

Whilst the rules for first step hardening of an *nix OS are more or less the same, as you get more into it the rules become more specific to the family of *nix then the specific type and how it is setup for the application concerned.

Those who go back a bit to using chroot() and the like to set up limited environments for application, or slightly better BSD “jails” know that sometimes it can be very frustrating knowing what needs to be there and what does not. The result is often an over inclusion, so a wider than neccessary attack surface.

As for security, chroot(), BSD Jails, are just semi-restricted environments, like a poor mans sandbox or “Virtual Machine”(VM). Docker and other containers are themselves a form of VM, but unless propper hardware support is available for security all such VM’s can be broken out of one way or another.

But do they even need to be broken out from?

Probably not. These days many IoT type devices are not attacked to get at information on the system, the attackers want the resources. Most of which such as CPU for crypto-coin mining or using network bandwidth to “Denial of Service”(DoS) other systems do not require the malware to escape the VM or container.

So setting up servers to be secure may not work if you are securing against the wrong threat profile…

Hedo January 24, 2022 6:09 PM

@Clive Robinson is correct (as he is in most cases).

Let me just add that this is pretty plain and simple, it’s the market-share,
or the footprint. There are more people switching to those Operating Systems that allow for more control. You know, as in, you paid the money for the hardware, and for the Internet connectivity, so you’d think that you ought to know what goes on in the background, such as, where are the packets going, what relays, maybe there’s one too many (unnecessary)hops or redirects? Which apps are calling home in the background without your knowledge?

Most, if not all of these things AND MORE, we used to be able to tweak for ourselves and for our friends, family, work even. Microsoft is taking away more and more of those tweaks from its users to the point where if you tweak certain things you should be able to (but MS doesn’t want you to) the system will truly become UNSTABLE. They (MS) do it on purpose so that they (MS) have more control over your privacy. Plain and simple.

Now, the “FREE” Linux distros are doing it as well lately, adding more and more bloatware because they can. You see, they (Linux distros developers) feel entitled to do so because – “don’t complain-it’s free stuff”. NO, IT’S NOT FREE – they get “donations” from the bloatware owners so the bloatware owners can have access to your private data so YES YOU ARE PAYING for your “FREE” Linux distro install and all security update/patches (“free” support).

So, to conclude, what Linux is doing now – M$ has been doing for decades. They’ve (Linux distro devs) learned from the best in industry, except, M$ took it a notch further, you’re paying them for spying on you, kind of like one of those VPN service providers run by some three-letter agencies of US Government (or other governments) where you’re paying for your VPN subscription and on top of it they collect all your surfing history and other online activities. So, you’re paying to be spied on. There is no better concept for them – it’s genius.

SpaceLifeForm January 24, 2022 9:33 PM

Back-porting fixes is hard.

Forward-porting flaws is easier.

One must rebuild the kernel and userland from source in a chroot environment to verify the patch really works.

You have to know which minimum versions of each part of the software actually are tested.

If you fail to do this, you may pull in a header file that is newer, and while the patch may work in your test environment, it may fail on a slightly older kernel.

Trust me on this. I found this exact issue on a commonly used security tool.

And it was not actually a kernel problem, but the build environment of the patch submitter.

The backport effort failed to backport the correct header files.

The fix was to include a header file that had been dropped from the backport effort.

Winter January 25, 2022 3:36 AM

“Now, the “FREE” Linux distros are doing it as well lately, adding more and more bloatware because they can. ”

If you read the linked articles, you will see the problems are in IoT, routers, docker containers and the like. None of these can be accused of harboring bloatware. The problems are not in desktop Linux, which contains these bloatware.

Ted January 25, 2022 7:57 AM

Did you all see that the Golang programming language is becoming more popular for writing malware since it can be repurposed more easily for various platforms? Think Windows, Linux, and macOS.

CrowdStrike wrote an article about the ‘TellYouThePass’ ransomware, whose more recent versions have been compiled in Golang. The samples were 85% similar between Linux and Windows versions.

The blockchain-enabled Glupteba botnet was also written in Golang.

According to Intezer, Linux runs about 90% of cloud workloads. So an increase in Linux malware seems to point to greater vulnerabilities not just for IoT devices, but cloud platforms too.

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.