
Linux-based malware: Fighting back with machine learning

With 90% of the cloud powered by the Linux operating system, it's predictable that malware would follow — and it certainly has. However, most modern security tools are designed to solve Windows-based threats, leaving huge gaps in protection and more questions than answers when it comes to understanding Linux-based malware, its threat to multi-cloud environments, and what organizations can do about it.

With this evolution in mind, VMware's Threat Analysis Unit recently set out to study the growth of Linux-based malware and its threat to multi-cloud environments. The findings are captured in VMware’s Menacing Malware: Exposing threats lurking in your Linux-based multi-cloud report. VMware threat researchers spoke with SC Media about the report during a recent webcast. The research is further covered in an upcoming SC Special Focus report.

This article, the third and final in a series, explores the role machine learning plays in mitigating the threat.

In the first two articles of this series, we explored the persistence of Linux-based malware and what it does upon infecting systems. The question now is how security teams can mount a better defense.

VMware recommends that organizations view their security program as an integral part of their operations and business environment. Protecting multi-cloud environments from RATs and other forms of malware and malicious attacks begins with visibility into workloads with comprehensive system context so that security and technical teams can easily prioritize their mitigations. Here, machine learning (ML) has become vital.

ML, the study of computer algorithms that improve automatically through experience and through the use of data, is at the core of such security solutions in both EDR and NDR.

EDR can monitor the actions performed by processes on cloud workloads, while NDR can recognize network-based evidence of attacks and malicious lateral movement and can segment the network effectively to contain risk. Ideally, both should block the malware before it can take hold of the target hosts.

Other defenses

To adequately protect cloud systems, VMware also advises that all workload access and communications be secured, both within specific clouds and from cloud to cloud. To stop attackers from moving laterally within the environment quickly, a zero-trust strategy should be in place so that users, devices, workloads, and networks are correctly and continuously vetted.

Just as ransomware, crypto-jacking, and RATs have moved to Linux systems and placed multi-cloud environments at risk, more malware is likely to target Linux operating systems. Defending against this threat requires a robust security program based on best practices and sound defense in depth, including securing the underlying infrastructure.

This means delivering security as a built-in distributed service across your control points of users, devices, workloads and networks.

Increasingly, this will include effective data backup and recovery processes alongside EDR and NDR capabilities.

To gain more actionable insights, download VMware’s full report: Menacing Malware: Exposing Threats Lurking in Your Linux-Based Multi-Cloud

Bill Brenner

InfoSec content strategist, researcher, director, tech writer, blogger and community builder. Senior Vice President of Audience Content Strategy at CyberRisk Alliance.
