WatchBog Attacks Linux Servers

When ordinary users think about computer infections, they probably seldom realize that almost any device can be hacked as long as it is connected to the Internet. So anything from your fridge to a commercial server could be infected. WatchBog is one of those infections that regular users seldom encounter, and yet it can cause a lot of problems for corporate computer systems. It is a Trojan infection, which means that WatchBog enters its victims’ servers surreptitiously, and it can be really hard to remove unless the victim consults a certified professional. If this Trojan targets a company network, it might also mean that the company’s IT department needs to step up.

Technically, WatchBog Trojan is a malicious infection that is intended for Linux servers. On the other hand, it doesn’t mean that it cannot attack machines that run other systems, too. Research suggests that WatchBog can infect machines and servers that run on Windows as well. And the upsetting part is that this infection has been active since November 2018. Thus, it is very likely that it has been running quietly behind the victims’ backs for quite a while before someone finally paid attention to the server discrepancies.

So, what technically is WatchBog? This Trojan is a botnet that mines cryptocurrency. Cryptocurrency-mining botnets are probably some of the most common cyber infections nowadays. Mining cryptocurrency requires a lot of system resources, and not everyone can invest that much in their hardware (not to mention the ever-growing electricity bills). So what do cybercriminals do? They infect powerful systems with mining botnets that exploit those systems’ processing power for cryptocurrency mining. As a result, the infected system exhibits poor performance because more and more of that power is hogged by the likes of WatchBog to perform the calculations that yield cryptocurrency.

One thing that we would like to emphasize is that WatchBog and other similar infections do not remain the same. Although this Trojan has been out there for more than a year, it doesn’t mean that it retains its original form. Since cybersecurity measures keep evolving, so does the malware. For instance, the initial version of WatchBog wasn’t contagious, and it couldn’t travel from server to server. However, in the course of time, WatchBog was upgraded with spreading modules that allowed the infection to reach as many servers as possible.

To enter target servers, WatchBog exploits a number of vulnerabilities. The ones this Trojan exploits most commonly are CVE-2019-0708, CVE-2019-0192, CVE-2019-10149, and CVE-2019-11581. These vulnerabilities allow attackers to remotely execute code on target systems across various open-source platforms and servers. Of course, once a vulnerability has been found, it is usually patched in the next update released by the platform’s vendor. Consequently, WatchBog and other infections that exploit those vulnerabilities shouldn’t bother anyone anymore. However, there are bound to be systems out there that do not get patched for whatever reason.

And that is probably one of the main cybersecurity problems. Regular users and system managers often forget or simply do not update their software. While there are users who consider constant updates bothersome, some might choose not to update their systems because of license issues. However, running an unlicensed program is a great security risk. WatchBog is just one of the many Trojan infections that employ vulnerabilities that can be easily patched up. If you fail to upgrade your system, the vulnerabilities remain, and then cybercriminals could easily target your server or system with the most sophisticated threats.

If WatchBog happens to enter a target server, this Trojan downloads a Monero mining module, which is used to mine cryptocurrency. It might take a while for security researchers to notice that WatchBog is on the system. This Trojan is written in Python, a programming language that can be easily obfuscated. For Linux users, the presence of the following files is a dead giveaway that this Trojan is on your system: /tmp/.gooobb and /tmp/.tmplassstgggzzzqpppppp12233333.
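
A triage check for the two marker files named above, as an added example that is not part of the original article. The first path is taken as `/tmp/.gooobb`, a hidden file in `/tmp` like the second; the function name `watchbog_scan`, the root argument and the use of GNU `stat` and `sha256sum` are assumptions of this example.

```shell
#!/bin/sh
# Added example: look for the two WatchBog marker files under a filesystem root.
# ROOT is "/" for a live host, or the mount point of a disk image or container
# layer when triaging offline.

# Marker paths from the article, relative to the root being inspected.
WATCHBOG_MARKERS="/tmp/.gooobb
/tmp/.tmplassstgggzzzqpppppp12233333"

# watchbog_scan ROOT
# Prints one tab-separated record per marker present:
#   path, file type, owner, modification time, SHA-256 (regular files only)
# Returns 1 if any marker is present, 0 if none is.
watchbog_scan() {
    root=${1:-/}
    root=${root%/}            # "/" becomes "", so the paths join cleanly
    found=0
    for rel in $WATCHBOG_MARKERS; do
        p="$root$rel"
        # -e follows symlinks, so also test -L to catch dangling links
        if [ -e "$p" ] || [ -L "$p" ]; then
            found=1
            # stat (GNU coreutils) describes the link itself, not its target
            ftype=$(stat -c %F "$p")
            owner=$(stat -c %U "$p")
            mtime=$(stat -c %y "$p")
            hash=-
            # Hash only real files, so a planted link cannot redirect the read
            if [ -f "$p" ] && [ ! -L "$p" ]; then
                hash=$(sha256sum "$p" | cut -d' ' -f1)
            fi
            printf '%s\t%s\t%s\t%s\t%s\n' "$p" "$ftype" "$owner" "$mtime" "$hash"
        fi
    done
    return "$found"
}

# Run only when a root is given on the command line: sh watchbog_scan.sh /
if [ "$#" -gt 0 ]; then
    watchbog_scan "$1" && echo "no WatchBog marker files under $1"
fi
```

An empty result only shows that these two files are absent from the inspected root; record the printed metadata and hash before removing anything it does find.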

Once again, this Trojan is not your regular PC infection, so you may need to consult a professional to remove WatchBog from your server. However, this can also be a good chance to improve your server’s security and learn more about prevention measures that should protect your system from other threats in the future.

