Lock Code Circular2

Last Friday, Microsoft announced that they have discovered a new botnet that exposes both Windows and Linux computers and web servers to new threats.  The botnet, known as Sysrv-K, takes advantage of unpatched computers by installing cryptocurrency miners.

According to NHS Digital, the technology provider for England’s National Health Service, the original version of Sysrv was first discovered in late 2020.  Sysrv contains a worm that searches for computers running outdated internet-facing software in order to take advantage of unpatched security vulnerabilities.  Once inside, it adds the newly infected computer to the botnet and installs a program that siphons power from the infected machines in order to mine the Monero cryptocurrency.  Once Sysrv is on a computer, it also attempts to spread by adding other computers in the network to the botnet, endangering the entire network.  Unlike previous versions of Sysrv, Sysrv-K can also capture database credentials, allowing it to take over web servers.

Although Linux is generally known for being more secure than Windows, NHS Digital reports that Sysrv is a threat not only to Windows but to “most popular distributions” of Linux.  Sysrv-K’s new ability to take over web servers is especially dangerous for Linux users; according to ZDNet, over 95% of web servers run Linux.

Because Sysr-K automatically deletes the cryptominer’s configuration files and hides itself from the process list, it can be difficult to detect manually.  However, NHS Digital still recommends monitoring systems for unusual activity.  Additionally, Microsoft announced that Syrsv-K can be detected by Microsoft Defender.  Most importantly, since Sysr-K seeks out security flaws that already have patches released, one of the best ways users can protect against Sysr-K is to make sure that all of their software is up to date.