WatchBog Exploits Linux Servers

WatchBog is a malicious Trojan that attacks Linux servers. Therefore, it doesn’t seem to bother most of the regular computer users who are bound to be using either Windows or Mac OS machines. Nevertheless, we would like to tell you more about WatchBog, and what it is capable of. This entry will not deal with the Trojan removal because of the way it works. Please use this description to learn more about types of malware and what they do to various computer systems. Also, we always recommend exercising caution when you encounter unfamiliar content online. It is good to remember that malware infection could be just one click away.

WatchBog isn’t a new infection. This cryptocurrency-mining botnet has been known to the cybersecurity specialists since at least November 2018. It was documented that threat actors used this infection to attack Jenkins, an open source automation server. This server is used by developers all around the globe to develop and test their software. The attacked servers were used for cryptocurrency mining. Although WatchBog wouldn’t slither from one server to the other (in other words, the infection isn’t contagious), the sheer act of mining does cause a lot of damage to the victims, especially as the Trojan is programmed to maintain persistence.

Needless to say, the infection doesn’t remain the same all the time. Researchers at Intezer say that ever since November 2018, WatchBog has been upgraded by renewing its spreading module to cover as many servers as possible. The infection enters target servers exploiting their vulnerabilities. The most recent exploits to be used by WatchBog include CVE-2019-11581, CVE-2019-10149, CVE-2019-0192, and CVE-2019-0708. The latter is called BlueKeep. This vulnerability allows the threat actor to gain remote control execution (RCE) over the target system. Since this vulnerability can be found on various Windows versions, multiple systems could become victims of the WatchBog attack.

It is also important to note that systems with multiple vulnerabilities are usually unpatched. It means that they haven’t been updated or that the system administrator didn’t apply the issued updates. There are many reasons for that. The most common reason for not applying system updates is license. It is very unfortunate that there are still many systems out there that run without a license. It means that they cannot receive the newest patches and updates, and it makes them vulnerable to the likes of WatchBog.

Now, what happens if WatchBog manages to enter the target server? If that happens, the infection communicates with its control and command center, and it downloads Monero miner modules, which allow the Trojan to start using the infected system’s resources for crypto-mining. Also, while the previous versions of this Trojan used to stay on the infected server, the newest versions with new modules are bound to spread further. It means that WatchBog is a highly adaptable infection that will always update itself with newer offensive technologies.

One of the reasons WatchBog and other similar infections might be hard to track and analyzes is the Python programming language. The programming language itself is flexible and powerful, yet its main target systems do not have an interpreter that could read the language by default. Thus, it can be hard to detect and remove the likes of WatchBog, too.

Security experts suggest employing certain measures that should help Linux users avoid WatchBog. Of course, the main piece of advice says that you have to update your system software to its latest version. If you cannot launch the update because you do not have the software license, then perhaps you should consider getting one.

Also, let’s not forget that WatchBog mostly targets Linux users. Linux users often use third-party servers, and the server software should also be updated so that all vulnerabilities would be patched. If by any chance, you think that the Trojan could be on your system, you could check for these files:

  • /tmp/.tmplassstgggzzzqpppppp12233333
  • /tmp./gooobb

Should these files be present, the chances are that your system has been infected with WatchBog, and you have to deploy the usual measures to remove the Trojan for good. The problem is security software might not be able to detect WatchBog all the time, especially as this infection continues to evolve. Therefore, if you run a server, you have to be alert and careful because malware is always just a click away.


Leave a Comment

Enter the numbers in the box to the right *