Linux malware is becoming a more important tool for cybercriminals as these individuals focus a greater portion of their attention on attacking IoT devices running the open-source operating system. WatchGuard’s Internet Security Report Q1 2017 found malware targeting Linux now comprises 36 percent of all malware spotted by WatchGuard with three Linux variants, Linux/Exploit, Linux/Downloader and Linux/Flooder, being included in the list of top 10 malware samples of the first quarter.

For good measure the report argues PERL/ShellBot could also be considered a Linux malware as it primary targets systems running that software.

“Linux attacks and malware are on the rise. We believe this is because systematic weaknesses in IoT devices, paired with their rapid growth, are steering botnet authors towards the Linux platform,” the report stated.
The study also found each of the Linux variants tended to target certain geographic areas.

Linux/Exploit affected many European and American countries, but had the highest numbers in the U.S. and United Emirates.
Linux/Downloader mostly affected Germany, Great Britain, and Malaysia, but few others to the same extent.
Finally, Linux/Flooder primarily affected Germany and France.

The report noted that 99.99 percent of all Linux malware was delivered over the web during the first quarter, with only eight of 419,367 coming in via email or by FTP. This is due to the majority of attacks hitting IoT devices, which rarely have access to email, but are always connected to the web.

However, despite the growing usage of Linux, this threat vector was supplanted as the most frequently used threat vector being replaced by FakeAlert, which literally issues fake alerts to its victims to entice them to click on a malicious link.