Vulnerabilities within your operating system can help WatchBog and thousands of other malicious infections to slither in. According to recent statistics, new malware is released every 7 seconds, and more infections emerge every single year. At the same time, more security tools and measures become available to users, which means that cybercriminals have to be smart and come up with new ways to attack operating systems. We are now starting to see malware that crosses over from one operating system to another. WatchBog started off as a Linux infection, but there is information suggesting that it might be capable of invading Windows operating systems too. Whichever of these systems you run, you need to take care of it, because once malware slithers in, a lot of bad things can happen.
WatchBog could not attack operating systems if it weren’t for the carelessness of those systems’ users. The infection exploits Exim’s CVE-2019-10149, Jenkins’s CVE-2018-1000861, Jira’s CVE-2019-11581, Nexus Repository Manager’s CVE-2019-7238, and Solr’s CVE-2019-0192 vulnerabilities. Unfortunately, software is flawed, and when new features or functionalities are added, security holes are left behind that might allow cyber attackers to exploit them for successful malware execution. The good news is that, in most cases, vulnerabilities are detected and patched before anyone with malicious intentions can figure out a way to exploit them. The bad news is that, in many cases, users of the flawed software fail to install updates in time. The vulnerabilities mentioned here are found in Linux-related software.
Windows users have to patch the BlueKeep vulnerability, CVE-2019-0708. If it is not patched, it is possible that the attackers behind WatchBog could exploit it too. When the Intezer team analyzed the malicious infection, an integrated RDP scanner (hosted on GitHub) was found, and its main task was to find systems with the unpatched BlueKeep vulnerability. That being said, no actual attacks had been reported. Linux systems, on the other hand, were actively attacked, and at least 4,500 infected machines had been recorded. Once inside the system, WatchBog can be used to inject malware modules, and it appears that it is primarily used to inject a Monero miner. Monero is a kind of crypto-currency, and a miner is a tool that can be set up to mine this crypto-currency and earn money.
Miners are not the most harmful of malware, but they can exhaust system resources and, potentially, cause damage to the physical drives of the machine. That would happen in extreme cases, if WatchBog’s miner was running on an older machine and causing the system to overheat and crash. Even if your system is up-to-date and your computer is new, you might notice decreased operation speeds, and that is because most of the processing power goes to mining. This process requires the computer to solve problems, which is done to validate crypto-currency transactions. Miners are paid for the computing resources they contribute. Since a lot of power is needed, it is cheaper and easier for cybercriminals to inject miners into multiple computers to earn money fast. Unfortunately, miners are becoming more and more popular, and even public computers are infested with them. Just recently, it was revealed that the workstations in an undisclosed airport in Europe were riddled with crypto-currency miners too.
Without a doubt, it is important to remove WatchBog and whatever might come with it, including a crypto-currency miner. Linux users are advised to check for “/tmp/.tmplassstgggzzzqpppppp12233333” and “/tmp/.gooobb” files, but manual removal is not the only option. In fact, it is best to employ automated anti-malware software that, after deleting malware, could also secure your system and prevent new infections from slithering in. Of course, you also need to do your part. First and foremost, update all of the flawed software that was mentioned in this report. In the future, always install the newest updates to ensure that no vulnerabilities are left unpatched.
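As an added example (not from the article or from Intezer’s analysis), here is a small Python triage script that checks for the two file indicators named above and lists running processes that reference them; the `root=` and `proc=` parameters, and the `demo()` helper that plants constructed sample files in a temporary tree, are assumptions of mine so the check can be run against an image or a test directory.

```python
import os
import tempfile
from pathlib import Path

# Indicator paths named in the removal advice above (taken from the article).
WATCHBOG_PATHS = (
    "/tmp/.tmplassstgggzzzqpppppp12233333",
    "/tmp/.gooobb",
)

def find_indicator_files(root="/", paths=WATCHBOG_PATHS):
    """Return [(path, size_bytes, mtime)] for indicator files present under root.
    root is an assumed parameter so the same check runs on a mounted image or test tree."""
    hits = []
    for p in paths:
        full = Path(root) / p.lstrip("/")
        if full.is_file():
            st = full.stat()
            hits.append((p, st.st_size, int(st.st_mtime)))
    return hits

def processes_referencing(paths=WATCHBOG_PATHS, proc="/proc"):
    """Return {pid: cmdline} for live processes whose cmdline or cwd mentions an indicator path.
    Reads procfs directly; entries that vanish or are unreadable mid-scan are skipped."""
    found = {}
    if not os.path.isdir(proc):
        return found
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        base = Path(proc) / entry
        try:
            raw = (base / "cmdline").read_bytes()
            cmdline = raw.replace(b"\0", b" ").decode(errors="replace").strip()
            cwd = os.readlink(base / "cwd")
        except OSError:
            continue
        if any(p in cmdline or p == cwd for p in paths):
            found[int(entry)] = cmdline
    return found

def demo():
    """Plant the indicators in a constructed temp tree (no real infection) and run the file check."""
    root = tempfile.mkdtemp()
    (Path(root) / "tmp").mkdir()
    for p in WATCHBOG_PATHS:
        (Path(root) / p.lstrip("/")).write_bytes(b"constructed sample")
    return find_indicator_files(root=root)

if __name__ == "__main__":
    for path, size, mtime in find_indicator_files():
        print(f"indicator present: {path} ({size} bytes, mtime {mtime})")
    for pid, cmd in processes_referencing().items():
        print(f"pid {pid} references an indicator path: {cmd}")
```

A hit only shows that the files exist; the owner, timestamps and any referencing process should be recorded before the files are deleted so the cleanup can be verified afterwards.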
Bera, A. April 2, 2019. 38 Interesting Malware Statistics. SafeAtLast.
Foremski, T. October 16, 2019. Cryptocurrency Miners Now Using Evasive Tactics to Exploit Airport Resources. CyberBit.
Litvak, P., Sanmillan, I. July 24, 2019. Watching the WatchBog: New BlueKeep Scanner and Linux Exploits. Intezer Blog.