Linux servers running Redis NoSQL database vulnerable to Linux.Lady crypto-currency mining Trojan

Linux.Lady Trojan turns Linux servers into manic miners

Organisations running the popular Redis NoSQL database have been advised to double-check their configurations following the discovery of a crypto-currency mining Trojan taking advantage of poor out-of-the-box security.

Up to 30,000 Redis servers may be exposed, largely because administrators have put them online without setting a password, a risk compounded by Redis's historically weak default security: out of the box it requires no authentication at all.
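The "double-check your configuration" advice above comes down to two questions: does the instance answer commands from the network without a password, and does its redis.conf leave it that way? The script below is an added example, not code from the article, from Dr.Web or from the Redis project. It sends one unauthenticated PING over the wire (the RESP protocol is trivial to hand-encode) and classifies the reply, and it audits a redis.conf offline for the directives that matter. The two sample configs are constructed for the example and not taken from any real deployment; the reply prefixes it matches on (`+PONG`, `-NOAUTH`, `-DENIED`) are the ones Redis itself sends.

```python
"""Check whether a Redis instance is exposed the way the article describes:
reachable over the network and answering commands with no password.
Added example; not Dr.Web's or the Redis project's code."""
from __future__ import annotations

import socket
from enum import Enum


class Exposure(Enum):
    OPEN = "answers commands without authentication"
    AUTH_REQUIRED = "requirepass is set"
    PROTECTED_MODE = "protected mode refused the connection"
    NO_RESP_REPLY = "no parseable RESP reply (closed port, firewall, not Redis)"


def resp_command(*args: str) -> bytes:
    """Encode a command as a RESP array: PING -> b'*1\\r\\n$4\\r\\nPING\\r\\n'."""
    parts = [b"*%d\r\n" % len(args)]
    for arg in args:
        raw = arg.encode()
        parts.append(b"$%d\r\n%s\r\n" % (len(raw), raw))
    return b"".join(parts)


def classify_reply(reply: bytes) -> Exposure:
    """Map the server's reply to an unauthenticated PING onto an exposure class."""
    if reply.startswith(b"+PONG"):
        return Exposure.OPEN            # no password: the command simply ran
    if reply.startswith(b"-NOAUTH"):
        return Exposure.AUTH_REQUIRED   # requirepass set, AUTH needed first
    if reply.startswith(b"-DENIED"):
        return Exposure.PROTECTED_MODE  # Redis 3.2+ protected mode rejected us
    return Exposure.NO_RESP_REPLY


def probe(host: str, port: int = 6379, timeout: float = 3.0) -> Exposure:
    """Send one unauthenticated PING and classify the answer.
    Only run this against hosts you are authorised to test."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(resp_command("PING"))
            return classify_reply(sock.recv(4096))
    except OSError:
        return Exposure.NO_RESP_REPLY


def audit_config(conf_text: str) -> list[tuple[str, str]]:
    """Offline audit of a redis.conf. Returns (directive, finding) pairs for the
    settings that leave an instance open to the scans the article describes."""
    settings: dict[str, list[str]] = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        settings.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")

    findings: list[tuple[str, str]] = []
    if "requirepass" not in settings or settings["requirepass"] == [""]:
        findings.append(("requirepass", "no password: anyone who can reach the port has full access"))
    bind = " ".join(settings.get("bind", []))
    if not bind:
        findings.append(("bind", "not set: Redis listens on every interface"))
    elif any(tok in ("0.0.0.0", "::", "*") for tok in bind.split()):
        findings.append(("bind", f"'{bind}' exposes the instance on all interfaces"))
    mode = settings.get("protected-mode", [""])[-1].lower()
    if mode == "no":
        findings.append(("protected-mode", "disabled: unauthenticated remote clients are accepted"))
    elif mode == "":
        findings.append(("protected-mode", "not set: Redis before 3.2 has no protected mode, set it explicitly"))
    return findings


# Constructed sample configs for the example; not from any real deployment.
WEAK_CONF = """\
# the kind of minimal config found on exposed hosts: no bind, no password
port 6379
daemonize yes
"""

HARDENED_CONF = """\
port 6379
bind 127.0.0.1
protected-mode yes
requirepass a-long-random-secret-set-at-deploy-time
rename-command CONFIG ""
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_config(conf))
    # probe("redis.internal.example") would run the live check (hypothetical host).
```

Run against the weak config the audit reports all three directives; against the hardened one it reports nothing. The `rename-command CONFIG ""` line in the hardened sample is not something the audit checks for, but it is a standard piece of Redis hardening worth applying alongside a password and a loopback bind: it removes a powerful administrative command from anything that does get in. Note that `probe` only tells you whether the server executes commands for an unauthenticated client; a `-NOAUTH` answer means a password is required, not that the password is strong.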

The malware was discovered by Russian anti-virus vendor Dr.Web and is, intriguingly, written in Google's Go programming language, relying largely on open-source Go libraries hosted on GitHub.

It is delivered by a smaller downloader Trojan, Linux.Downloader.196, which fetches the main payload after the initial infection. Once installed and running, Linux.Lady sends basic information about the compromised system back to its command and control server.

The command and control server then returns a configuration file that starts the crypto-currency mining process for the benefit of the malware's operators. Linux.Lady is also self-propagating.

"This malware possesses the ability to: Collect information about an infected computer and transfer it to the command and control server; download and launch a cryptocurrency mining utility; and, attack other computers of the network in order to install its own copy on them," according to Dr Web's advisory.

Once launched, the advisory continues, the Trojan checks the system for keys and terminates itself if they are missing:

The Redis server that the Trojan exploits has already drawn criticism for poor security. At the beginning of July, a report from Risk Based Security suggested that more than 6,300 Redis servers online had already been compromised.

Redis is a NoSQL database system "ideal for storing data in the key-value format, using an in-memory system for handling the data and subsequent queries", according to Softpedia. Its default configuration favours convenience and speed over security: it ships with no password set, and versions before 3.2, which introduced protected mode, listen on every interface unless a bind address is configured.

Redis stands for REmote DIctionary Server and is an open-source project. First released in April 2009, it has been sponsored by VMware and later Pivotal, and is widely deployed.