From Staog to Windigo: A 20‑Year Journey Through Linux Malware

This article chronicles the evolution of Linux malware from the first recognized virus Staog in 1996 through notable threats such as Bliss, Slapper, Badbunny, Snakso, Hand of Thief, Windigo and the Shellshock‑related Mayhem botnet, highlighting how increasing Linux adoption has attracted attackers.

MaGe Linux Operations
Although Linux malware is not as common as Windows or macOS threats, the security risks facing Linux have grown dramatically in recent years. The explosion of Android devices, which run on a Linux kernel, and the steady rise of Linux servers in data centers have made the platform an attractive target for attackers. Linux malware existed in some form before 2000; this article reviews its history.

Staog (1996)

The first widely recognized Linux malware, Staog, attempted to attach itself to running executables and gain root access. It was quickly eradicated and never spread widely, but it demonstrated that Linux could be infected by viruses.

Bliss (1997)

Bliss was the first Linux virus to attract significant attention. Like Staog, it hijacked executable files to gain privileges, but it could be neutralized with a simple shell command. Ubuntu documentation notes that the virus even kept a concise log.

Ramen & Cheese (2001)

Some Linux worms are surprisingly benign. The Cheese worm, for example, was designed to patch the earlier Ramen worm, which replaced a web server’s home page with an image and the caption “Hackers love noodles.”

Slapper (2002)

The Slapper worm of 2002 exploited an SSL vulnerability in Apache to infect servers, predating the famous Heartbleed bug by twelve years.

Badbunny (2007)

Badbunny is an OpenOffice macro virus that can run complex scripts on multiple platforms. Its only visible effect is the download of a lewd photo of a man in a rabbit costume.

Snakso (2012)

Snakso is a stealthy rootkit targeting specific Linux kernel versions. It injects an embedded frame into TCP packets generated by the infected host, forcing automatic downloads.

Hand of Thief (2013)

Hand of Thief was a commercial Linux trojan generator sold on Russian hacker forums. Although it caused a stir when uncovered, RSA researchers quickly determined that it was less dangerous than initially feared.

Windigo (2014)

Windigo represents a large‑scale cyber‑crime campaign targeting thousands of Linux servers, turning them into spam relays, malware distributors, and link‑redirectors. ESET reports that the threat remains active, urging administrators not to be complacent.

Shellshock‑related Mayhem Botnet (2014)

The Mayhem botnet exploited the Shellshock vulnerability in the Bash command‑line interpreter, compromising over 1,400 servers since July, as reported by Yandex researchers.

Epic Turla Spyware (2014)

Researchers discovered a large Russian espionage operation using the Epic Turla spyware, which is built on the cd00r backdoor first seen in 2000.

Translator: 沉香玉 Original author: Jon Gold Source: networkworld.com – “A brief history of Linux malware”
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.
