Discovered in late 2016, the Dirty COW is a computer security vulnerability that affects all Linux-based systems. The surprising thing is that this kernel-level flaw has existed in the Linux Kernel since 2007, but was only discovered and exploited in 2016.
Today, we’ll see what exactly is this vulnerability, the systems it affects, and how can you protect yourself.
What Is Dirty Cow Vulnerability?
Dirty COW vulnerability is a type of privilege escalation exploit, which essentially means that it can be used to gain root-user access on any Linux-based system. While security experts claim that such kinds of exploits are not uncommon, its easy-to-exploit nature and the fact that it has been around for more than 11 years is pretty worrisome.
In fact, Linus Torvalds acknowledged that he had discovered it in 2007, but disregarded it considering it a “theoretical exploit.”
Dirty COW gets its name from the copy-on-write (COW) mechanism in the kernel’s memory management system. Malicious programs can potentially set up a race condition to turn a read-only mapping of a file into a writable mapping. Thus, an underprivileged user could utilize this flaw to elevate their privileges on the system.
By gaining root privileges, malicious programs obtain unrestricted access to the system. From there on, it can modify system files, deploy keyloggers, access personal data stored on your device, etc.
What Systems Are Affected?
Dirty COW vulnerability affects all versions of the Linux Kernel since version 2.6.22, which was released in 2007. According to Wikipedia, the vulnerability has been patched in kernel versions 4.8.3, 4.7.9, 4.4.26 and newer. A patch was released in 2016 initially, but it didn’t address the issue fully, so a subsequent patch was released in November 2017.
To check your current kernel version number, you can use the following command on your Linux-based system:
uname - r
Since most of the systems are now patched, the risk is mitigated, right? Well, not exactly.
While most of the mainstream systems have been patched, there are several other Linux-based embedded devices that are still vulnerable. Most of these embedded devices, especially cheap ones, never receive an update from the manufacturers. Unfortunately, there’s not much you can do about it.
Therefore, it’s pretty important to buy Internet of Things (IoT) devices from reputable sources that provide reliable after-sales support.
Since Android is based on the Linux kernel, a majority of Android devices are also affected.
How Dirty COW Affects Android Devices
ZNIU is the first malware for Android based on the Dirty COW vulnerability. It can be utilized to root any Android devices up to Android 7.0 Nougat. While the vulnerability itself affects all versions of Android, ZNIU specifically affects Android devices with the ARM/X86 64-bit architecture.
According to a report from Trend Micro, over 300,000 malicious apps carrying ZNIU were spotted in the wild, as of September 2017. Users across 50 countries including China, India, Japan, etc. are affected by it. Most of these apps disguise themselves as adult apps and games.
How the ZNIU Android Malware Works
The ZNIU-affected app often appears as a soft-porn app on malicious websites, where users are tricked into downloading it. Since Android makes it easy to sideload apps, a lot of novice users fall into this trap and download it.
Once the infected app is launched, it communicates with its command and control (C&C) server. Then, it exploits the Dirty COW vulnerability to grant itself super-user permissions. While the vulnerability cannot be exploited remotely, the malicious app can still plant a backdoor and execute remote control attacks in the future.
After the app gains root access, it collects and sends the carrier information back to their servers. It then performs transactions with the carrier through an SMS-based payment service. Then, it collects the money through the carrier’s payment service. Researchers at Trend Micro claim that the payments are directed to a dummy company based in China.
If the target is based outside of China, it won’t be able to do these micro-transactions with the carrier, but it will still plant a backdoor to install other malicious apps.
An interesting thing about the malware is that it performs micro-transactions, around $3/month to stay unnoticed. It’s also smart enough to delete all the messages after the transaction is complete, thus making it harder to detect.
How You Can Protect Yourself From ZNIU
Google quickly addressed the issue and released a patch in December 2016 to fix this issue. However, this patch worked on devices running Android 4.4 KitKat or higher.
As of January 2018, around 6 percent of devices are still running an Android version below 4.4 KitKat.
While this may not sound like a lot, it still puts a fair number of people at risk.
If your device is running Android 4.4 KitKat and above, make sure that you have the latest security patch installed. To check this, open Settings > About phone. Scroll to the bottom and check Android security patch level.
If the installed security patch is newer than December 2016, you should be protected from this vulnerability.
Google also confirmed that Google Play Protect can scan for affected apps and help you stay secure. But remember that Google Play Protect requires your device to be certified to work with Google apps correctly. Manufacturers can include proprietary apps like Google Play Protect only after passing the compatibility testing. The good news is that most major manufacturers are Google-certified. So unless you got yourself a really cheap knock-off Android device, there’s not much to worry about.
While Android antivirus apps can detect such elevated-permission attacks, they cannot prevent it. Anti-virus apps may be useful for other features such as anti-theft, but they certainly aren’t much use in this case.
As a final precaution, you should be mindful when it comes to installing apps from unknown sources. Android 8.0 Oreo makes installing apps from unknown sources a little bit safer, but you should still proceed with caution.
Staying Safe: The Key Takeaway
It’s no secret that the Dirty COW vulnerability affects a large number of systems. Thankfully, companies have sprung into action quickly to damage-control the situation. Most of the Linux-based systems like Ubuntu, Debian, and Arch-Linux have been patched. Google has deployed Play Protect to scan for affected apps on Android.
Unfortunately, a fair number of users running embedded systems with the affected Linux kernel will probably never receive security updates, putting them at risk. Manufacturers who sell cheap knock-off Android devices are not Google-certified, thus putting their buyers at risk. Such buyers do not receive security updates, let alone Android version updates.
Therefore, it’s extremely important to skip purchasing devices from such manufacturers. If you happen to own one, it’s time to disregard it immediately. Here are some of the best Android phones that do not burn a hole in your pocket. The rest of us should make sure to install updates promptly and use our common sense to stay secure on the internet.
Was your Linux system ever affected by the Dirty COW vulnerability or the ZNIU malware? Do you install security updates promptly? Share your thoughts with us in the comments below.