How do I remove malware that keeps coming back even after I remove it?
After a system compromise, we find that a crypto miner called 'xmrig' keeps returning after we have tried to remove it several times.
1 Reply
There is no guaranteed method of removing persistent malware other than rebuilding your system, but there are some things that you can try that may work, bearing in mind the various tricks used by malware such as:
- using the scheduler to periodically reinstall the malware if it is missing
- running a pair of watchdog programs that detect if the malware has stopped or been removed; if either of the watchdogs goes down, the other one restarts a new one or reinstalls/restarts the malware
- trojaning commands that are run by either the system or the user so that they perform their normal function as well as making sure that the malware is installed and running
- replacing critical programs on the system with infected versions, ensuring that if the malware is removed, the system no longer works
- running the malware by decrypting a custom file to a RAM disk and running it from there, ensuring that malware scanners can never find the malware on disk
You can use a malware scanner to try and detect and remove commonly used malware. This will only work if the attacker has not tailored their tools to be unique.
https://www.linode.com/docs/security/vulnerabilities/scanning-your-linode-for-malware/
https://www.linode.com/docs/security/recovering-from-a-system-compromise/
In this case the problem is not necessarily the xmrig cryptominer. The problem is the software that is making sure that the cryptominer is installed and running.
The bottom line is that once your system has been compromised, you can never truly be sure that you have gotten rid of the compromise.
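As an added example (not part of the reply above), the read-only triage script below checks for three of the persistence tricks the reply lists: scheduler entries that reference the miner, executables running only from memory or a RAM disk, and packaged system binaries that no longer match the package manager's records. The `xmrig` name, the `/dev/shm` and `/tmp` paths and the `TRIAGE_RUN` variable are assumptions for illustration; the `proc_root`/`etc_root` parameters exist so the functions can be pointed at a copied or test tree.

```shell
#!/bin/sh
# Added example: read-only checks for common Linux persistence tricks.
# Nothing here modifies the system; it only reports what to investigate.

# 1. Scheduler persistence: list cron files and systemd units that mention
#    a pattern (e.g. the miner's name or the path of its dropper).
find_scheduled_refs() {          # usage: find_scheduled_refs <pattern> [etc_root]
    pattern=$1; root=${2:-/etc}
    grep -rIl -- "$pattern" \
        "$root/crontab" "$root/cron.d" "$root/cron.hourly" "$root/cron.daily" \
        "$root/systemd/system" 2>/dev/null | sort -u
}

# 2. Memory-only execution: processes whose binary was unlinked after launch
#    or lives in memfd/RAM-disk locations, so a disk scan never sees it.
#    Prints "<pid> <exe target>" per hit.
find_memory_only_procs() {       # usage: find_memory_only_procs [proc_root]
    root=${1:-/proc}
    for exe in "$root"/[0-9]*/exe; do
        target=$(readlink "$exe" 2>/dev/null) || continue
        pid=${exe%/exe}; pid=${pid##*/}
        case $target in
            *"(deleted)"*|/memfd:*|/dev/shm/*|/tmp/*)
                printf '%s %s\n' "$pid" "$target" ;;
        esac
    done
}

# 3. Trojaned system binaries: ask the package manager which installed
#    files under bin/sbin no longer match their recorded checksums.
verify_packaged_binaries() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --verify 2>/dev/null | grep -E '/(usr/)?s?bin/'
    elif command -v rpm >/dev/null 2>&1; then
        rpm -Va 2>/dev/null | grep -E '/(usr/)?s?bin/'
    fi
}

main() {                         # usage: TRIAGE_RUN=1 ./triage.sh xmrig
    echo "== scheduler entries referencing '$1' =="; find_scheduled_refs "$1"
    echo "== processes running from memory/RAM disk =="; find_memory_only_procs
    echo "== modified packaged binaries =="; verify_packaged_binaries
}

if [ "${TRIAGE_RUN:-0}" = 1 ]; then main "${1:-xmrig}"; fi
```

A clean report from these checks is not proof the host is clean (a watchdog pair or a custom loader can evade all three), which is why the reply's rebuild advice stands.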