New Linux Malware Hides in Cron Jobs with Invalid Dates

Security researchers recently discovered a new, clever remote access trojan (RAT) for Linux that almost has an almost invisible profile by hiding in tasks that are supposed to be executed on February 31 – a day that obviously does not exist.

Known as CronRAT, the malware targets web shops and allows attackers to commit credit card data theft by using online scrapers on Linux servers.

CronRAT has problems with the Linux task scheduling system cron, which allows scheduling tasks to be performed on non-existent calendar days such as February 31.

The Linux cron system accepts dates as long as the format is valid, even if the date does not exist – which means that the task is not executed.

The Dutch cyber security firm Sansec reported that the malicious software hides a “sophisticated Bash program” in the name of planned tasks.

“The CronRAT adds tasks to crontab with a peculiar date specification: 52 23 31 2 3. These lines are syntactically valid, but would result in a runtime error when executed. However, this will never take place as they are scheduled to run on February 31st,” the Sansec researchers explain.

With the VirusTotal scan service, 58 antivirus engines did not detect it in the system.

IT World Canada Staff
IT World Canada Staff
The online resource for Canadian Information Technology professionals.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

ITW in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

More Best of The Web