
The Virus of All Virus: XBash for Windows, MacOS and Linux

Imagine a shopping mall for cybercriminals: an all-in-one malware that “does it all.” A virus with botnet, worm, ransomware, cryptomining and destructive capabilities would scare the living daylights out of any computer user, regardless of whether they run Windows, MacOS or Linux. Unfortunately for us, the cybercriminal community has had that wish granted with XBash.

XBash is the Walmart of the malware industry. Almost every methodology developed for personal-computer viruses since the 1980s has been rolled into one convenient package. A superbug, it was programmed to contain the functionalities of the different malware types mentioned above, and its authors are still fine-tuning it to make it more effective.

The holy grail of any modern malware is the capability not only to infect its perennial victim, Windows, but also to target Linux and MacOS. “We believe that is the main motivation of Xbash’s Intranet scanning code. If events like WannaCry and NotPetya are any guide, this intranet functionality could make Xbash even more devastating once it’s enabled. Xbash is a novel and complex Linux malware, and the newest work of an active cybercrime group,” explained Palo Alto Networks, who discovered the XBash malware.

Various antivirus vendors and security sites are covering this XBash malware, as it is one of the first of its type: an all-in-one, “infect everything” malware.

Bleeping Computer, a cybersecurity site, has also described the packaging used by the XBash malware: “Xbash is developed in Python and then converted to Portable Executable (PE) format using PyInstaller. This tactic has multiple advantages that help with evading detection, assuring installation and execution on a variety of Linux instances, and the possibility to create binaries for Windows, Linux, and macOS.”
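A PyInstaller-built binary is a native stub with the packed Python payload appended behind it, and the payload ends in a small trailer (the CArchive “cookie”) that the PyInstaller bootloader locates by its magic bytes. A defender triaging a suspicious file can look for that same trailer to tell a packed Python program from a hand-written native executable. The script below is an added example, not code from the article or from any of the vendors it quotes; the magic constant and the 2.1+ cookie layout are taken from the public PyInstaller source, the version-number decoding follows the convention used by PyInstaller archive readers (an assumption noted in the code), and the sample bytes are constructed, not a real binary.

```python
import struct

# Magic bytes that open PyInstaller's CArchive "cookie", the trailer the bootloader
# searches for at run time (a public constant in the PyInstaller source tree).
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
# Cookie layout used by PyInstaller 2.1 and later (assumed here): magic, package
# length, TOC offset, TOC length, Python version, Python shared-library name.
COOKIE_FMT = "!8sIIii64s"
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)  # 88 bytes


def decode_pyver(raw: int) -> str:
    """PyInstaller stores the interpreter version as an int such as 36 (3.6)
    or 307 (3.7 and later); this decoding convention is an assumption."""
    major, minor = (raw // 100, raw % 100) if raw >= 100 else (raw // 10, raw % 10)
    return f"{major}.{minor}"


def find_pyinstaller_cookie(data: bytes):
    """Return a dict describing the PyInstaller cookie found in data, or None.

    The bootloader takes the last occurrence of the magic, so rfind mirrors it.
    Because the payload is appended after a native stub, the same check works
    on a PE, an ELF or a Mach-O, which is exactly why one Python source tree can
    be shipped for Windows, Linux and macOS.
    """
    off = data.rfind(PYINSTALLER_MAGIC)
    if off == -1:
        return None
    info = {"cookie_offset": off}
    if len(data) - off >= COOKIE_SIZE:
        _magic, pkg_len, toc_off, toc_len, pyver, pylib = struct.unpack(
            COOKIE_FMT, data[off:off + COOKIE_SIZE])
        info.update({
            "package_length": pkg_len,
            "toc_offset": toc_off,
            "toc_length": toc_len,
            "python_version": decode_pyver(pyver),
            "python_lib": pylib.rstrip(b"\x00").decode("ascii", "replace"),
        })
    return info


def triage_file(path: str):
    """Convenience wrapper for a file on disk."""
    with open(path, "rb") as fh:
        return find_pyinstaller_cookie(fh.read())


# Constructed sample, not a real binary: a fake MZ stub, some filler standing in for
# the packed payload, then a PyInstaller-style cookie and a little trailing padding.
SAMPLE_COOKIE = struct.pack(COOKIE_FMT, PYINSTALLER_MAGIC, 4096, 512, 1024, 36, b"python36.dll")
SAMPLE_BINARY = b"MZ" + b"\x00" * 510 + b"payload bytes..." + SAMPLE_COOKIE + b"\x00" * 16
# Constructed sample with no cookie at all.
SAMPLE_CLEAN = b"\x7fELF" + b"\x00" * 128

if __name__ == "__main__":
    print(find_pyinstaller_cookie(SAMPLE_BINARY))
    print(find_pyinstaller_cookie(SAMPLE_CLEAN))
```

Plenty of legitimate software ships as PyInstaller bundles, so a hit is a triage signal that the file deserves a closer look (the embedded TOC can be listed and the Python modules extracted for review), not a verdict on its own.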

Avira blogged about the XBash virus and claimed that its ransomware module seems to be still in progress, as it lacks the capability to back up the encryption key and upload it to the command and control server: “We see no evidence that the attackers are actually making good on their promise and helping the victims restore their deleted databases. In fact, contrary to the ransom note, we found no evidence of code in Xbash that backs up the deleted databases at all.” Even with that limitation, the ransomware module is very damaging to a Linux computer: a Linux machine hosting MySQL, PostgreSQL or MongoDB has its databases corrupted. Linux computers are also made part of the XBash botnet during the infection phase.

To survive and spread to other computers and networks, XBash is programmed to propagate by attacking a wide range of services and protocols: HTTP, VNC, MySQL, Memcached, MySQL/MariaDB, FTP, Telnet, PostgreSQL, Redis, ElasticSearch, MongoDB, RDP, UPnP/SSDP, NTP, DNS, SNMP, LDAP, Rexec, Rlogin, Rsh, Rsync, Oracle database, and CouchDB.
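A host that probes that many unrelated services in a short span stands out in network flow logs, because an ordinary application server talks to one or two databases, not to Redis, MongoDB, PostgreSQL and Telnet in the same minute. The detector below is an added example, not code from the article or from any of the vendors it cites: it maps the services the article lists to their standard default ports, parses a constructed flow-log format (the `src=`/`dst=`/`dport=` line shape, the threshold of five services and the ten-minute window are all this example's assumptions), and reports sources that reach many distinct listed services inside one window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Default ports of the services the article names as XBash propagation targets.
# The port numbers are the standard assignments; the mapping itself is this example's.
SERVICE_PORTS = {
    80: "HTTP", 5900: "VNC", 3306: "MySQL/MariaDB", 11211: "Memcached", 21: "FTP",
    23: "Telnet", 5432: "PostgreSQL", 6379: "Redis", 9200: "ElasticSearch",
    27017: "MongoDB", 3389: "RDP", 1900: "UPnP/SSDP", 123: "NTP", 53: "DNS",
    161: "SNMP", 389: "LDAP", 512: "Rexec", 513: "Rlogin", 514: "Rsh", 873: "Rsync",
    1521: "Oracle", 5984: "CouchDB",
}

# Assumed flow-log line shape, constructed for this example (not a vendor format).
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)")


def parse_line(line: str):
    """Return (timestamp, src, dst, dport) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])


def find_service_sweeps(lines, min_services=5, window=timedelta(minutes=10)):
    """Map each source host to the sorted list of listed services it touched within
    its busiest single window of length `window`, keeping only sources that reached
    `min_services` or more distinct services. One connection to one service in each
    half hour is normal traffic; six services in five seconds is a sweep."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ts, src, _dst, dport = ev
        if dport in SERVICE_PORTS:
            by_src[src].append((ts, SERVICE_PORTS[dport]))

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        best = set()
        # Slide a window that starts at every event; events are sorted, so every
        # later event has ts >= t0 and the difference is never negative.
        for i, (t0, _) in enumerate(events):
            seen = {svc for ts, svc in events[i:] if ts - t0 <= window}
            if len(seen) > len(best):
                best = seen
        if len(best) >= min_services:
            alerts[src] = sorted(best)
    return alerts


# Constructed sample log: 10.0.0.5 sweeps six services in five seconds, while
# 10.0.0.8 touches five services spread across two hours of ordinary use.
SAMPLE_LOG = """\
2018-09-17T10:00:01 src=10.0.0.5 dst=10.0.0.20 dport=3306 proto=tcp
2018-09-17T10:00:02 src=10.0.0.5 dst=10.0.0.20 dport=6379 proto=tcp
2018-09-17T10:00:02 src=10.0.0.5 dst=10.0.0.20 dport=27017 proto=tcp
2018-09-17T10:00:03 src=10.0.0.5 dst=10.0.0.21 dport=5432 proto=tcp
2018-09-17T10:00:04 src=10.0.0.5 dst=10.0.0.21 dport=9200 proto=tcp
2018-09-17T10:00:05 src=10.0.0.5 dst=10.0.0.21 dport=23 proto=tcp
2018-09-17T10:00:09 src=10.0.0.8 dst=10.0.0.20 dport=3306 proto=tcp
2018-09-17T10:30:00 src=10.0.0.8 dst=10.0.0.20 dport=80 proto=tcp
2018-09-17T11:00:00 src=10.0.0.8 dst=10.0.0.20 dport=53 proto=udp
2018-09-17T11:30:00 src=10.0.0.8 dst=10.0.0.20 dport=5432 proto=tcp
2018-09-17T12:00:00 src=10.0.0.8 dst=10.0.0.20 dport=6379 proto=tcp
""".splitlines()

if __name__ == "__main__":
    for src, services in find_service_sweeps(SAMPLE_LOG).items():
        print(f"possible service sweep from {src}: {', '.join(services)}")
```

The window and threshold are the knobs to tune against your own traffic: vulnerability scanners and monitoring systems will trip this rule by design and belong on an allow-list, and the same per-source counting applies just as well to failed-login events on those services, which is the brute-force half of the propagation the article describes.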

TrendMicro, a mainstream antivirus firm, has provided three tips to help prevent infection by XBash:
  1. Frequently change your passwords and make them complex, from the gateway to the endpoint. Practice good password hygiene, and avoid reusing credentials across multiple user accounts.
  2. Regularly install system updates and patches for your systems once they are released by legitimate vendors.
  3. Regularly back up your files. Practice the 3-2-1 system to minimize or mitigate data loss.
