Slashdot Mirror

← Back to Stories (view on slashdot.org)

Looking At The New Linux Trojan

Posted by Hemos on from the peering-under-the-hood dept.

Da Schmiz writes: "Security firm Qualys discovered a new Linux trojan on Saturday ... details can be found on their website.. Vnunet picked up the story earlier today, and then followed up with more details. They're comparing the potential impact to Code Red or worse, since more servers run Linux / Apache than NT / IIS. I don't think it's that bad, since the infection can be easily detected, but it certainly isn't good." Update: 09/08 11:58 AM GMT by H : Of course, as Kurt Siefried pointed out in e-mail: "The trojan has nothing to do with Apache. The virus attaches itself to an executable, which you must run to infect other binaries (i.e. you must run this as root). This means that infection vectors include, but are not limited to email attachments, but you must of course save the binary, then set it executable, and then run it, as root, to do any real damage. Alternatively you must download binary software and run it (again as root to do any real damage). In other words someone must run binaries of unknown origin as root, and if this is common practice then you have larger policy and education problems to deal with." So - comparing it to Code Red is a bit dubious.

2 of 263 comments (clear)

  1. Partial isinformation by sigwinch · · Score: 5, Informative
    Unless it also ... fiddles with my hosts.allow file, I'm not particularly concerned.


    Whoa, cowboy! /etc/hosts.allow only affects friendly programs that bother to parse it (e.g., inetd, or programs that use tcpwrappers). An unfriendly program is free to ignore it.

    However, your advice to use kernel firewalling is sound. 'Defense in depth' is the only way to go.

    --

    --
    Kuro5hin.org: where the good times never end. ;-)

  2. Don't worry, this is no Linux Code Red by Xenna · · Score: 5, Informative

    For starters to get infected with this animal requires activity on the part of a user on the Linux box.

    Code Red required no user activity at all. A typical orphaned Linux box standing around in a corner would not be at risk, the same machine running IIS would have been a sitting duck for CR. There are a lot of orphaned servers out there with standard Redhat or IIS installs. These are the real danger. Any remote-root security holes on these popuplations are cause for real concern.

    I don't know if I'm typical or not, but where I work, Linux is used on servers (yup, I'm responsible for that) but we hardly ever read our mail on a Linux box. We use a Windows platform for that. So -> no risk.

    I'm thinking a Linux desktop user would be a better victim for this. Fortunately, hardly anyone uses Linux on the desktop so we're all safe!

    Regards,
    Xenna