Author's Opinion

The views in this column are those of the author and do not necessarily reflect the views of iTWire.


Tuesday, 16 June 2020 11:48

Threat to Windows and Linux cannot be really put in the same basket


Twice in the space of three months, researchers from BlackBerry have put out studies pushing claims about malware and ransomware that are alleged to attack Linux, giving the impression that this operating system is under as much threat as Windows.

But both studies contained little to justify these conclusions; the second, issued in the first week of June, contained the word Linux thrice, in two sentences. One of these was the line: "Tycoon is a multi-platform Java ransomware targeting Windows and Linux that has been observed in-the-wild since at least December 2019."

And the other was: "The malicious JRE build contains both Windows and Linux versions of this script, suggesting that the threat actors are also targeting Linux servers."

The rest of the study, which runs to about 1500 words (not counting text in illustrations and tables), was solely about the Windows version of what the researchers claimed was a new form of ransomware known as Tycoon.

The earlier study, issued in April, claimed that groups connected to China were targeting Linux servers with malware, with the claim resting on the reported discovery of a previously unidentified Linux malware toolset which included two kernel-level rootkits that made it difficult to identify executables.

But the study contained no information as to how this malware gained a foothold on these servers, surely an important step in the attack process. On asking, this response was elicited: "The rootkits were installed by way of an interactive bash script, which in some cases reached out to an online build server to determine particulars about the target system (distro, kernel version, etc) before delivering a bespoke rootkit and backdoor." That describes what the script did once it was already running, not how it came to run on the server in the first place. No kernel vulnerability is named, and none is needed to install a kernel-level rootkit once an attacker already has root; remotely exploitable Linux kernel flaws of that kind are in any case very rare.

The reply added: "There are several ways in which the installation script could have landed on the server, including brute force SSH attack (a technique reportedly used by the botnet to spread itself), physical access to the server (espionage operations are not always exclusively digital), or any other of the myriad ways in which admin credentials for servers are compromised and then used to log in."
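The reply above names SSH brute force and compromised admin credentials as the likely way the installation script landed on the server. As an added example (not code from BlackBerry, KPMG or iTWire), the following Python checks sshd entries from auth.log for the trace that vector leaves behind: a burst of failed logins from one address followed by an accepted login from the same address within a short window. The log lines are constructed for the example, the year is assumed because syslog timestamps carry none, and the threshold and window are assumptions; a real deployment would read /var/log/auth.log or the journal rather than an embedded string.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of /var/log/auth.log sshd lines (not from any real incident):
# six failed passwords from 203.0.113.7 and then a success from the same address,
# a legitimate key-based login from elsewhere, and two stray failures that never succeed.
SAMPLE_AUTH_LOG = """\
Jun 14 02:11:01 web1 sshd[4012]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jun 14 02:11:03 web1 sshd[4012]: Failed password for root from 203.0.113.7 port 51024 ssh2
Jun 14 02:11:04 web1 sshd[4015]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Jun 14 02:11:06 web1 sshd[4017]: Failed password for root from 203.0.113.7 port 51033 ssh2
Jun 14 02:11:08 web1 sshd[4019]: Failed password for root from 203.0.113.7 port 51035 ssh2
Jun 14 02:11:09 web1 sshd[4021]: Failed password for deploy from 203.0.113.7 port 51038 ssh2
Jun 14 02:11:11 web1 sshd[4023]: Accepted password for root from 203.0.113.7 port 51040 ssh2
Jun 14 02:30:00 web1 sshd[4100]: Accepted publickey for deploy from 198.51.100.20 port 40001 ssh2
Jun 14 02:31:12 web1 sshd[4102]: Failed password for root from 192.0.2.9 port 33001 ssh2
Jun 14 02:31:15 web1 sshd[4104]: Failed password for root from 192.0.2.9 port 33002 ssh2
"""

# Assumed year for the constructed lines; syslog timestamps do not include one.
ASSUMED_YEAR = 2020

# Matches the standard OpenSSH "Accepted ..."/"Failed ..." authentication lines,
# including the "invalid user" variant emitted for unknown usernames.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s\S+\ssshd\[\d+\]:\s"
    r"(?P<result>Accepted|Failed)\s(?P<method>\w+)\sfor\s(?:invalid user\s)?(?P<user>\S+)"
    r"\sfrom\s(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\sport\s\d+"
)


def parse_events(text):
    """Turn sshd auth lines into dicts with a parsed timestamp; ignore unrelated lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({
            "ts": ts,
            "result": m["result"],
            "method": m["method"],
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def failure_counts(text):
    """Total failed logins per source address, useful for a first look at who is knocking."""
    counts = defaultdict(int)
    for ev in parse_events(text):
        if ev["result"] == "Failed":
            counts[ev["ip"]] += 1
    return dict(counts)


def find_bruteforce_then_success(text, threshold=5, window_seconds=600):
    """Flag an accepted login preceded by >= threshold failures from the same
    address within window_seconds. Both limits are assumed tuning values."""
    findings = []
    failures = defaultdict(list)  # ip -> timestamps of failed attempts seen so far
    for ev in parse_events(text):  # lines are processed in log order
        if ev["result"] == "Failed":
            failures[ev["ip"]].append(ev["ts"])
            continue
        recent = [t for t in failures[ev["ip"]]
                  if 0 <= (ev["ts"] - t).total_seconds() <= window_seconds]
        if len(recent) >= threshold:
            findings.append({
                "ip": ev["ip"],
                "user": ev["user"],
                "method": ev["method"],
                "failures_before_success": len(recent),
                "accepted_at": ev["ts"].isoformat(),
            })
    return findings


if __name__ == "__main__":
    for f in find_bruteforce_then_success(SAMPLE_AUTH_LOG):
        print(f"{f['ip']} guessed {f['user']} after {f['failures_before_success']} "
              f"failures, accepted at {f['accepted_at']} via {f['method']}")
```

A hit from this check is exactly the moment the quoted reply is describing: the attacker now has a shell and can run the interactive script, so the next things to look at are the commands executed in that session and any kernel modules loaded shortly afterwards. Key-based logins from an address that never failed, like the one from 198.51.100.20 above, are not flagged.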

The second study was authored by the BlackBerry Research and Intelligence Team and KPMG’s UK Cyber Response Services Team. It was not sent to iTWire; I spotted a number of articles based on it which hyped up the Linux threat. The American site ZDNet had this: "This new ransomware is targeting Windows and Linux PCs with a 'unique' attack", an inaccurate characterisation.

Bleeping Computer, which claims to specialise in the reporting of malware and ransomware, was no better, with its headline reading: "New Tycoon ransomware targets both Windows and Linux systems".

Strictly speaking, one did not need to speak to anyone from the company as an op-ed was planned. But one gave BlackBerry the benefit of the doubt and sought clarifications. The company offered a chat with Eric Milam, vice-president of GUARD Services, and Claudiu Teodorescu, director of Threat Research and Intelligence.

Milam was part of Cylance, the security firm that BlackBerry acquired to get into the business. My one encounter with Cylance was not very edifying, to say the least.

The pair said that the information they had received for the study came from KPMG and was from an incident response to one of that company's clients. Thus, they could only go on what they had – though this was not specified in their study.

They justified the "Linux threat" by saying that there was a version of a shell script written for Linux, and this suggested that Linux was also being targeted.

It was pointed out to them that in contrast to the vast amount of information concerning the Windows version of ransomware, there was more or less nothing about the Linux version and thus such a conclusion was overblown. It was suggested to them that a little more clarification in the study about the fact that they had nothing apart from this one script to go on when it came to Linux would have prevented the sweeping headlines that resulted.

Security companies benefit from the fear that is created around the use of various computing platforms as they sell services and products aimed at quelling these fears. With Windows, the limit has been reached because the problems that that system faces cannot get any worse. The baby of Bill Gates and the late Paul Allen has spawned a multi-billion industry that has sprung up to act as a support system for Windows, a system that came from a company which is a marketing firm first, and a technology company a poor second.

Thus, it is not surprising that companies try to hype up the threat around Linux. If only one could sell half the services around Linux that are sold around Windows, it would make for some handy revenue in an over-crowded market.

Some technology writers help in this enterprise, perhaps out of ignorance or sheer laziness. And, of course, there is the fact that Linux and malware/ransomware in a headline serves as clickbait, a fact I have dealt with in some detail here.

But then one, perhaps, cannot blame BlackBerry too much; their "studies" are meant to serve as marketing material for the company's services. The writers should carry more of the blame for not reading what they reported on.

The security industry has a history of hyping up threats based on little or no evidence. When the first attributions were made to link a country to malware by Kevin Mandia in 2013, nobody pointed out the difficulty in attribution. His company, Mandiant, became well-known as a result of this and was later bought by FireEye.



Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
