Slashdot Mirror


Stealthy Linux Trojan May Have Infected Victims For Years

An anonymous reader writes: Researchers from Moscow-based Kaspersky Lab have uncovered an extremely stealthy trojan for Linux systems that attackers have been using to siphon sensitive data from governments and pharmaceutical companies around the world.

The malware may have sat unnoticed on at least one victim computer for years, although Kaspersky Lab researchers still have not confirmed that suspicion. The trojan is able to run arbitrary commands even though it requires no elevated system privileges.

129 comments

  1. systemd hasn't been around that long, has it? by Anonymous Coward · · Score: 5, Funny

    I thought that the systemd infection of Debian was much more recent than that. Like within the past year. But maybe I'm wrong, and it has been longer?

    1. Re:systemd hasn't been around that long, has it? by gweihir · · Score: 1

      It is just that these things evolve and eventually move into the light ;-)

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    2. Re:systemd hasn't been around that long, has it? by deviated_prevert · · Score: 1

      As long as your sig is under construction it will not be ready to move into the light. Personally I prefer tailor made sigs.

      --
      This message was not sent from an iPhone because Peter Sellers really was a deviated prevert without a dime for the call
    3. Re:systemd hasn't been around that long, has it? by Anonymous Coward · · Score: 0

      Debian was only hit recently, but Arch has been suffering from systemd for more than a year.

    4. Re:systemd hasn't been around that long, has it? by Anonymous Coward · · Score: 0

      They said it's a Trojan so it can't be systemd. A trojan gets onto a system because the user thinks it's something worthwhile.

    5. Re:systemd hasn't been around that long, has it? by Anonymous Coward · · Score: 0

      It is just that these things evolve and eventually move into the light ;-)

      Sort of an anti-cockroach

    6. Re:systemd hasn't been around that long, has it? by gweihir · · Score: 1

      I had one of those. But I found out my tailor was too limited for my tastes, so I upgraded to ultimate flexibility! ;-)

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    7. Re:systemd hasn't been around that long, has it? by Anonymous Coward · · Score: 0

      systemd infection

      Yup, it's all about Poettering disease, and not systemd.
      Take a look at pulseaudio. Try to use pre-pulse programs with it.
      Find that some guys drop ALSA and question yourself about it. It's just like GNOME and systemd.
      Exactly the same spirit that runs in Windows freeware: please let me install Google Chrome (just an example) for you and make it default. Oh yeah, and let me install many-many other Google things, because I love Google and cannot live without it.

    8. Re:systemd hasn't been around that long, has it? by Anonymous Coward · · Score: 0

      Sad but true :/

  2. Security through Obscurity by Anonymous Coward · · Score: 0

    I certainly don't prefer security through obscurity and generally support transparence in all aspects of life, but it sure makes it easier for hackers to have access to the source code. I guess Open Source tends to give a false sense of security as seen several times this year (OpenSSL, Linux kernel, etc).

    1. Re:Security through Obscurity by Anonymous Coward · · Score: 0

      I certainly don't prefer security through obscurity and generally support transparence in all aspects of life, but it sure makes it easier for hackers to have access to the source code. I guess Open Source tends to give a false sense of security as seen several times this year (OpenSSL, Linux kernel, etc).

      That's a good point. If the code is open source, we can end up in a situation where there are more malicious than friendly eyes looking at the code.

    2. Re:Security through Obscurity by Anonymous Coward · · Score: 0

      That works for closed source too. Do you look at all your binaries through a debugger and/or decompiler?

    3. Re:Security through Obscurity by GameboyRMH · · Score: 5, Insightful

      With closed source there are also no guarantees the bad guys won't see the source either. And it's far better to make the code visible to all then to wait for the exploit to be found in the usual ways while everyone was in the dark about it.

      Security through obscurity is just like peril-sensitive sunglasses. Having the code visible makes you nervous for some reason? Well we'll just keep you from seeing it! Problem solved!

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    4. Re:Security through Obscurity by Goaway · · Score: 2

      And it's far better to make the code visible to all then to wait for the exploit to be found in the usual ways while everyone was in the dark about it.

      That is quite a strong claim to make without providing evidence to back it up.

    5. Re:Security through Obscurity by MikeBabcock · · Score: 2

      Linux certainly isn't obscure, or you're being sarcastic and suck at it ...

      --
      - Michael T. Babcock (Yes, I blog)
    6. Re: Security through Obscurity by Anonymous Coward · · Score: 0

      That's what I've been saying for years, but the Linux fanbois drank the kool aid

    7. Re:Security through Obscurity by Anonymous Coward · · Score: 0

      Different AC here:

      Ever notice that when news about security problems happens, with Linux, it is bugs that -could- be exploited. With a certain mainstream OS that is closed source, the news articles seem to be about bugs -already- being exploited and organizations being hacked. Big difference between "eek, a security hole, let's announce and patch" versus "oh shit, exploits are going on at a massive scale."

    8. Re:Security through Obscurity by Anonymous Coward · · Score: 0

      That is quite a strong claim to make without providing evidence to back it up.

      Servers are prime targets for hackers. Now compare for example Apache to the various MS server flavours and the number of exploits between the two platforms.

    9. Re: Security through Obscurity by Anonymous Coward · · Score: 0

      With closed source there is also no guarantee that the good guys aren't the bad guys too.

    10. Re:Security through Obscurity by Anonymous Coward · · Score: 0

      This *very article* is about "oh shit, exploits are going on at a massive scale" on Linux. They don't even know the initial attack vector yet.

    11. Re:Security through Obscurity by HiThere · · Score: 1

      What evidence would you find convincing? (I can't assess this, as I'm already convinced.)

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    12. Re:Security through Obscurity by HiThere · · Score: 1

      A valid point, but this *is* an unusual case. OTOH, we don't necessarily know that a bug isn't being exploited just because nobody had noticed it happening.

      FWIW, in my viewpoint Linux gave up a lot of its security when it allowed files that were expanded from archives to have the executable bit set. And that's a long time ago. (OTOH, even without the executable bit set, you could always execute a file from an explicit shell command [usually "sh"].)

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    13. Re:Security through Obscurity by Anonymous Coward · · Score: 0

      What would be convincing is hard numbers, not susceptible to bias, that FOSS actually delivers on that score. FOSS believers keep asserting that FOSS delivers higher quality and faster repairs than closed source. I've never seen any serious factual data to back that up.

      There is a first principles reason to think the FOSS claim might be true. That part is OK. However FOSS believers persistently underplay the countercurrent possibilities:

      1). Availability of source code means that directed sabotage is much easier. Yeah, yeah, code signing, computed hashes, I get that some protection mechanisms are in place. I also get that undermining those mechanisms would be easy, as in drop dead easy;

      2). The average FOSS user will never conduct a code review. The average FOSS user isn't a programmer and never will be. The average FOSS user will obtain an executable binary and never test or check it in any way whatsoever. Heartbleed demonstrated that the number of eyeballs on the code can be surprisingly low and it doesn't matter how important that code is.

      What these FOSS aficionados don't get is that I've seen closed source systems that I've trusted. Ones that appear to have the attributes of security, reliability, maintainability, performance, and so forth. Ones whose attributes were demonstrable in many ways over periods of decades. This is not the exclusive domain of FOSS. And no, my opinion is not unique. I have been a member of large groups of diverse analysts who were of the same opinion. Entire cultures exist in the closed source world just as they do in the FOSS world.

    14. Re: Security through Obscurity by Anonymous Coward · · Score: 0

      so exactly like Open Source then

    15. Re:Security through Obscurity by Goaway · · Score: 1

      Did you actually try doing that? Because IIS is doing quite well on that score, last I checked.

    16. Re:Security through Obscurity by HiThere · · Score: 1

      I've also seen non-FOSS systems that I've trusted. One of them read paper tape.

      You are asking for evidence that is guaranteed to not be available. I'm sorry, but it's impossible. Some of the users who are sabotaged will refuse a subpoena rather than admit that they had been penetrated. And the software that they are using is irrelevant to their opinion. Their opinion is driven by image.

      OTOH, let me point out that it is irrelevant what the average FOSS user does. It's that any FOSS user who chooses CAN check the code. And this does happen. With closed source products, nobody can legally check the code and report on problems except the company (not the individuals) that owns the copyright. This isn't invariably true, but is almost always true. It's also true that there are open source software packages that aren't free. That used to be a very common model. And most of them would also allow any user to report a detected error TO THEM. Only some of them would allow publication of the error. So there do exist intermediate positions.

      The fact that you trust a system says much about how you feel about the system, and little about the system, without knowing you. What tests did you run? Etc. (I'm not asking for an answer, this is rhetoric.) I have often encountered systems which many people trusted and which were later found to have SERIOUS security flaws. Thos Sumner, a Systems Programmer at LBL, once asserted that no program longer than 10 lines could he be certain was operating as intended. I'm not sure whether he was thinking of assembler.

      Well, there ARE languages that claim to have proofs of program correctness available. One is a subset of Ada. I once looked into it, and what they proved is that the programs match the specifications, but the specifications were required to be so complex that I was unsure that this improved the actual correctness in any but a formal sense.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    17. Re:Security through Obscurity by gregstumph · · Score: 1

      I assume you meant "than" rather than "then" in your second sentence; it changes the meaning of the whole sentence in this case...

    18. Re:Security through Obscurity by GameboyRMH · · Score: 1

      Yep my mistake.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    19. Re:Security through Obscurity by Anonymous Coward · · Score: 0

      Re: "You are asking for evidence that is guaranteed to not be available. I'm sorry, but it's impossible."

      No. You are making assumptions and generalizations about the proprietary world, sweeping enough to be completely false.

      Proprietary systems frequently have source code available. Stuff that the customers routinely use, modify, inspect and all the rest. I worked for years in such an environment. The difference is that the customer only owns their enhancements, not the base code.

      Re: "With closed source products, nobody can legally check the code..."

      Wrong. Entirely wrong. Dead wrong. I'm not asking you this, or proposing it as a theoretical possibility. This happens, every day, all day. You don't know what you're talking about!

      Re: " I have often encountered systems which many people trusted and which were later found to have SERIOUS security flaws."

      Stand in line. This is true of every system. The security data is clear on this point. Every non-trivial system has bugs, including security bugs, and some of them are as major as you want to imagine. This is why only an unbiased statistical study will do to resolve the matter of the comparative quality of FOSS versus non-FOSS systems.

      Oh, and your vehement dismissal of proprietary bug reporting? Microsoft does this. Every day. Has done for years, and most other vendors do as well. Check out the SANS reporting. You don't need code to get data on code quality. If necessary you can treat proprietary systems as black boxes and STILL get reliable quality data on them. Though often the vendors are transparent enough, you don't need to do this.

      Again, you are issuing statements of faith about FOSS that are not supported by facts. Decent statistical studies of system quality and reliability aren't difficult to get because of the proprietary nature of some vendors. They are difficult to get because of a blizzard of other issues in getting comparable data sets, and the low value of any results obtained.

  3. "Running arbitrary commands" is irrelevant by gweihir · · Score: 5, Informative

    The privilege system does not protect commands, it protects data. You can always run any command on any data that belongs to you. But when you want to access data of others or the system, you need elevated privileges and the same for attaching to privileged network ports.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:"Running arbitrary commands" is irrelevant by Anonymous Coward · · Score: 0

      Normally, that's what I'd take "arbitrary" to refer to when someone says "arbitrary commands" -- that they can run commands on anything. However, the link for the "running arbitrary commands" text actually goes to an explanation of Epic Turla in which there seems to be no mention of any Linux trojan, so I have no idea if that's the case here.

    2. Re:"Running arbitrary commands" is irrelevant by Antique+Geekmeister · · Score: 4, Insightful

      I'm personally aware of thousands of systems on which database data, backups, and system logs are not read protected from local users. They're left this way on the grounds that "if someone has local access, we're screwed anyway". They pass commercial security audits because the security companies do a handful of known external attacks, which give a small set of tasks to fix the issue and do not address such fundamental issues.

      This is particularly aggravated on systems which have password free sudo access for developers, which is very common on development environments, on systems with password free SSH keys casually stored with system wide access, and software systems that store passwords in clear text by default, such as Subversion HTTPS access. It's also compounded when home directories on which such information is stored are NFSv3 mounted and shared with all clients on the network. The concept of "data which belongs to you" breaks down quickly with NFS or CIFS without authentication in most environments. NFSv4 or Kerberized CIFS access can be helpful in restricting this, but I know very few partners or clients who go to the extra steps needed for this.
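As an added example (not part of the comment above or of any tool named in the thread), here is a local audit for three of the conditions that comment describes: sensitive files readable by every local user, SSH private keys stored without a passphrase, and NOPASSWD sudo rules. The function names, the file-name pattern and the sample tree are assumptions made for this illustration; the sample keys are constructed headers with no key material.

```python
import base64
import os
import re
import stat
import struct
import tempfile

# File names treated as sensitive data (the pattern is an assumption of this example).
SENSITIVE = re.compile(r"\.(sql|dump|bak|log)$|backup", re.IGNORECASE)
OPENSSH_MAGIC = b"openssh-key-v1\0"

def private_key_unprotected(text):
    """True/False for a private key without/with a passphrase, None if not a key."""
    m = re.search(r"-----BEGIN OPENSSH PRIVATE KEY-----(.*?)-----END", text, re.S)
    if m:
        try:
            blob = base64.b64decode("".join(m.group(1).split()))
        except ValueError:
            return None
        off = len(OPENSSH_MAGIC)
        if not blob.startswith(OPENSSH_MAGIC) or len(blob) < off + 4:
            return None
        (n,) = struct.unpack(">I", blob[off:off + 4])
        return blob[off + 4:off + 4 + n] == b"none"  # cipher "none" = no passphrase
    if re.search(r"-----BEGIN (RSA|DSA|EC) PRIVATE KEY-----", text):
        return "ENCRYPTED" not in text  # legacy PEM: "Proc-Type: 4,ENCRYPTED"
    return None

def nopasswd_rules(sudoers_text):
    """Return (first_line_number, rule) for each active rule tagged NOPASSWD."""
    hits, pending, start = [], "", 0
    for no, raw in enumerate(sudoers_text.splitlines(), 1):
        stripped = raw.strip()
        if not pending:
            if stripped.startswith("#"):       # whole-line comment
                continue
            start = no
        line = pending + stripped
        if line.endswith("\\"):                # rule continues on the next line
            pending = line[:-1] + " "
            continue
        pending = ""
        rule = re.sub(r"\s+#\D.*$", "", line)  # drop trailing comment, keep #uid
        if re.search(r"\bNOPASSWD\s*:", rule):
            hits.append((start, rule))
    return hits

def audit_tree(root):
    """Walk root and return sorted (finding, location) tuples."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            readable = bool(os.stat(path).st_mode & stat.S_IROTH)
            if readable and SENSITIVE.search(name):
                findings.append(("world-readable-data", rel))
            try:
                with open(path, "r", errors="replace") as fh:
                    head = fh.read(65536)
            except OSError:                    # auditor itself cannot read the file
                continue
            if private_key_unprotected(head):
                findings.append(("key-without-passphrase", rel))
            if name == "sudoers" or os.path.basename(dirpath) == "sudoers.d":
                for no, _rule in nopasswd_rules(head):
                    findings.append(("sudo-nopasswd", f"{rel}:{no}"))
    return sorted(findings)

def constructed_openssh_key(cipher):
    """Header-only OpenSSH key container (constructed; holds no key material)."""
    def field(b):
        return struct.pack(">I", len(b)) + b
    kdf = b"none" if cipher == b"none" else b"bcrypt"
    blob = OPENSSH_MAGIC + field(cipher) + field(kdf) + field(b"")
    body = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"

def build_sample_tree(root):
    """Write a small constructed tree that exhibits each condition once."""
    samples = [
        ("var/backups/db.sql", "-- constructed dump\n", 0o644),
        ("var/backups/db-private.sql", "-- constructed dump\n", 0o600),
        ("home/dev/.ssh/id_ed25519", constructed_openssh_key(b"none"), 0o644),
        ("home/ops/.ssh/id_ed25519", constructed_openssh_key(b"aes256-ctr"), 0o600),
        ("etc/sudoers", "# dev NOPASSWD: off\nroot ALL=(ALL) ALL\n%dev ALL=(ALL) \\\n  NOPASSWD: ALL\n", 0o440),
    ]
    for rel, text, mode in samples:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)
        os.chmod(path, mode)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for finding, where in audit_tree(tmp):
            print(f"{finding:24} {where}")
```

On a real host, `audit_tree` would be pointed at home directories, backup locations and `/etc`; it only reads permission bits and file headers.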

    3. Re:"Running arbitrary commands" is irrelevant by gweihir · · Score: 2

      Well, the other thing is that you cannot run commands on arbitrary data without privilege escalation, unless you are already root. It is simply conceptually impossible. Any process that allows you to access data above your privilege level includes a privilege escalation by definition.

      My take is just that the article sounds sensationalist and not very competent with regards to technology.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    4. Re:"Running arbitrary commands" is irrelevant by gweihir · · Score: 2

      I do not disagree. But that is a property of the target system, not of the attack.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    5. Re:"Running arbitrary commands" is irrelevant by Enigmafan · · Score: 2

      Well, the other thing is that you cannot run commands on arbitrary data without privilege escalation, unless you are already root. It is simply conceptually impossible. Any process that allows you to access data above your privilege level includes a privilege escalation by definition.

      My take is just that the article sounds sensationalist and not very competent with regards to technology.

      But if you run Linux from disk on a system, and you create a user with the same ID as the user data you're trying to access on that system, you can read all the data from that user. That is not privilege escalation, as far as I can see.

    6. Re:"Running arbitrary commands" is irrelevant by gweihir · · Score: 2

      The process that allows you to create that user already requires privilege escalation as non-root users are not allowed to create new users.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    7. Re:"Running arbitrary commands" is irrelevant by Anonymous Coward · · Score: 0

      Creating the new user is the privilege escalation event.

    8. Re:"Running arbitrary commands" is irrelevant by Anonymous Coward · · Score: 0

      The privilege system does not protect commands, it protects data.

      Mine does. You can control which filesystems a user can write files to, and make those filesystems non-executable.

    9. Re:"Running arbitrary commands" is irrelevant by gweihir · · Score: 1

      You can only restrict what can be executed from disk, and that is just a form of restricting read access. A user can still execute things in other ways. Sure, it gets a bit more challenging, but you are mistaken about the type of protection you get. As soon as you have some facility that can interpret commands from other sources than files (shell, Perl, etc.) your idea fails. You also need to be very careful about other tools, as for example TCC can compile and execute C code without writing it to disk first. The point is that the privilege system is concerned with read and write access, execution restrictions are just a side-effect of that and an imperfect one.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    10. Re:"Running arbitrary commands" is irrelevant by mlts · · Score: 1

      Protecting commands (data goes without saying as well) is handled by a MAC/MIC system like AppArmor or SELinux.

      What I don't get is how this Trojan could sit around for so long and not be caught by a competent admin. Between process accounting, Tripwire/Aide, mounting home directories with noexec, and finally a sane IDS/IPS [1] that does active protection, this should have been caught by someone and reported. Even a Linux based antivirus product like McAfee that uses the latest 2.6 kernel hooks to do realtime scans likely would catch something like this with heuristics.

      [1]: Never ceases to amaze me how few companies actually have a working IDS/IPS in place. So many breaches would be caught and stopped in their tracks, especially on secure networks where traffic is known and limited.

    11. Re:"Running arbitrary commands" is irrelevant by mlts · · Score: 1

      There are a number of tools that give non-root users root access. It might be "just" sudo, or it might be some GUI tool to allow graphical administration. All it takes is a program that can hijack one of those, or just passively wait until the user issued a sudo command (so their password and access is cached), then it could jump in, grab root, stuff a module in the kernel, and all bets are off from there.

      Long term, what Linux really should have is the ability to have either signed executables or a manifest list that can whitelist or blacklist. This could be something like Solaris's elfsign or AIX's trustchk, where an admin can make a self-signed key and sign all executables. With this in place, on a production system, if an executable, script, or library isn't signed, it doesn't run. Virtually every other OS has this functionality in place. This doesn't have to rely on an "official" signing key either, and could just be a manifest list generated after install, similar to tripwire's database, and if some executable's signature is different, it doesn't get to run until an admin updates the signature DB.

    12. Re:"Running arbitrary commands" is irrelevant by mlts · · Score: 2

      In general, there has been a trend away from both local protection privilege escalation (from user to root.) Mainly the focus has been keeping people out of the box proper, although this does go against the defense in depth concept since once the box gets breached somehow (a security bug that commandeers a Web browser, for example), an attacker can gain a lot by running just with that user's context [1], or even using exploits to get root. Once root, burying kernel modules becomes quite doable.

      There needs to be more focus on defense in depth. For example, there needs to be a separate context for a user's Web browser than his/her shell. This way, if/when the browser or add-ons get compromised, the hacked code doesn't have full run of the user account.

      Local user protection on Linux has not been that much of an item that has been worked on. Usually at best, there might be a bootloader password or a LUKS encryption prompt to get the boot process past the initial RAM disk. What would be nice to see is work on both signed executables as well as the ability to use the TPM with LUKS for keeping volumes encrypted... but allowing the machine to boot completely without interaction (as the TPM supplies the keys to unlock the volumes.)

      As for NFS v3 and earlier, it can be made decently secure if used only by a few hosts, and there can be made networking infrastructure to guard against spoofing, but if this can't be done, NFS v4 or even samba/CIFS might be the protocol of choice. However, as stated above, securing NFS in a shop takes a lot of time, either by having infrastructure in place for Kerberos for NFS v4 to work or having dedicated paths that are difficult for an unauthorized party to access so NFS v3 is secure. There is always going with samba/CIFS in general, but compatibility with the protocol can vary widely between UNIX variants, Linux distributions, or even versions in Linux distributions.

      [1]: For the big bucks, just getting access to a user is enough. From there, an attacker can masquerade as that user with fake E-mail, upload documents used, use the user's LAN access to attack other boxes, or just encrypt all the documents for ransom. Spambots and such don't need root access to go out on port 25, nor do botnets need root to perform successful DDoS attempts.

    13. Re:"Running arbitrary commands" is irrelevant by turbidostato · · Score: 2

      "There are a number of tools that give non-root users root access."

      Yes. And all of them resort to already having root-level access so it is still a privilege escalation issue.

      "Long term, what Linux really should have is the ability to have either signed executables or a manifest list that can whitelist or blacklist."

      You are not too savvy about what Linux can and can't do, right?

    14. Re:"Running arbitrary commands" is irrelevant by Anonymous Coward · · Score: 0

      ... passwords in clear text by default, such as Subversion HTTPS access. It's also compounded when home directories on which such information is stored are NFSv3 mounted and shared with all clients on the network. The concept of "data which belongs to you" breaks down quickly with NFS or CIFS without authentication in most environments. NFSv4 or Kerberized CIFS access can be helpful in restricting this, but I know very few partners or clients who go to the extra steps needed for this.

      Similar to my experience.

      I'm starting to have the impression that with the same amount of effort Windows is more secure nowadays.

    15. Re:"Running arbitrary commands" is irrelevant by gweihir · · Score: 1

      Indeed. But most Linux installations do not have those or only have a generic config, as doing them right is pretty hard. I have some experience in that area. You run into things like Acrobat reader doing and needing code execution on the stack and other "fun" stuff.

      As to your second point, you already said it: It needs a competent admin. Often that one is missing. It also needs a competent admin with the right to decide what to put on the machines and how to configure it. In large enterprises that is usually not the case and stops even competent admins from doing a good job.

      [1] If you do not have said competent admins, or they do not have the rights they need to do a good job, IDS/IPS just causes a lot of false positives and eventually gets ignored or switched off.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    16. Re:"Running arbitrary commands" is irrelevant by HiThere · · Score: 1

      Not necessarily true. If the command resides in a directory that is read protected then you need to have the appropriate privileges to execute it. I've got an early version of Red Hat in a virtual machine where "shutdown" is protected in precisely that way.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    17. Re:"Running arbitrary commands" is irrelevant by Anonymous Coward · · Score: 0

      The concept of "data which belongs to you" breaks down quickly with NFS or CIFS without authentication in most environments. NFSv4 or Kerberized CIFS access can be helpful in restricting this, but I know very few partners or clients who go to the extra steps needed for this.

      Even with authentication you're still fucked if you're using those protocols because anyone on the same network circuit can see the plaintext data going across. iSCSI and NBD have the same problem although it can be protected by using dev layer encryption (eg. cryptsetup, etc).

    18. Re: "Running arbitrary commands" is irrelevant by Anonymous Coward · · Score: 0

      Can CentOS, RHEL, Oracle EL do code signing white/black lists?

      As long as we are comparing to Solaris/AIX they are all that matter, not what kernel patches you can build in your bedroom.

      The latest thing I found were some secureboot patches from 2013 that only supported static binaries.

      What makes you more knowledgeable about what Linux can do?

    19. Re:"Running arbitrary commands" is irrelevant by TemporalBeing · · Score: 1

      There are a number of tools that give non-root users root access. It might be "just" sudo, or it might be some GUI tool to allow graphical administration. All it takes is a program that can hijack one of those, or just passively wait until the user issued a sudo command (so their password and access is cached), then it could jump in, grab root, stuff a module in the kernel, and all bets are off from there.

      True, but those tools also require the user to have permissions to use them. For instance, sudo requires the user to be part of a group - root, sudo, wheel - that group is configurable so you can call it whatever you want. Even then it usually requires the user's password (which is also required to change the password, so you can't just change the password to be able to use sudo in your script).

      Long term, what Linux really should have is the ability to have either signed executables or a manifest list that can whitelist or blacklist. This could be something like Solaris's elfsign or AIX's trustchk, where an admin can make a self-signed key and sign all executables. With this in place, on a production system, if an executable, script, or library isn't signed, it doesn't run. Virtually every other OS has this functionality in place. This doesn't have to rely on an "official" signing key either, and could just be a manifest list generated after install, similar to tripwire's database, and if some executable's signature is different, it doesn't get to run until an admin updates the signature DB.

      Check out AppArmor, SELinux, etc - they have the ability to do very fine grain management of the system that really controls every little thing a user or program could do.

      So yes, the ability is there. However, it's so easy to screw it up that most don't use it unless they really need it. And honestly most don't need it; the standard permission set (which still runs through SELinux, btw, just being configured with a default that matches the historical permissions) is sufficient enough to deter most things.

      --
      Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
  4. kinda makes you wonder by v1 · · Score: 1

    just how many botnets the NSA is actually running?

    --
    I work for the Department of Redundancy Department.
    1. Re: kinda makes you wonder by Anonymous Coward · · Score: 0

      Because obviously all the world's problems are always and only caused by government.

    2. Re:kinda makes you wonder by camperdave · · Score: 2

      The NSA doesn't run botnets... well, not many, anyways. However, they do analyze botnets completely and thoroughly, and thus they can take command of known botnets in a heartbeat if the need arises.

      --
      When our name is on the back of your car, we're behind you all the way!
    3. Re:kinda makes you wonder by Anonymous Coward · · Score: 0

      Aaaaaall of them...

    4. Re:kinda makes you wonder by Anonymous Coward · · Score: 1

      Why should anyone trust these "labs" who seem to be always just a little behind the curve in releasing their dramatic security findings? Usually long after the security breach has fulfilled its purpose. If they are so skilled at finding these complex security breaches they are certainly capable of creating the problems in the first place. And the skills attributed to the NSA or any government agency do not belong to any GS12 salaried government employee. They use highly paid contractors who, judged by the level of skill needed to create some of the purported NSA programs, are in the upper tier of computer scientists.

    5. Re: kinda makes you wonder by ColdWetDog · · Score: 2

      Because obviously all the world's problems are always and only caused by government.

      It's a pretty good first approximation ....

      --
      Faster! Faster! Faster would be better!
    6. Re: kinda makes you wonder by Anonymous Coward · · Score: 0

      Not all, but most.

    7. Re: kinda makes you wonder by tehcyder · · Score: 1, Insightful

      Because obviously all the world's problems are always and only caused by government.

      It's a pretty good first approximation ....

      It's not "the government" that's the problem, it's the Military-Industrial complex, big business, land owners, capitalists, those with inherited money and privilege, and the wealthy self-serving elite generally.

      A proper democratic government is the only real protection against these powerful interests.

      --
      To have a right to do a thing is not at all the same as to be right in doing it
    8. Re: kinda makes you wonder by Anonymous Coward · · Score: 0

      A proper democratic government is the only real protection against these powerful interests.

      At which point you find yourself living in a Latin American hellhole.

    9. Re: kinda makes you wonder by Pieroxy · · Score: 2

      A government, like any other entity, has a tendency to grow and expand its powers and perimeter. The problem is that the government also makes the laws, which makes it the worst and most dangerous of all entities, because if it doesn't have the absolute powers it's pretty damn close.

    10. Re:kinda makes you wonder by v1 · · Score: 1

      The NSA doesn't run botnets... well, not many, anyways.

      From TFA:

      The unknown attackers--who are probably backed by a nation-state, according to Symantec

      Even Symantec thinks it's a government operation. We're just starting to see them, but I think there's a lot more government-run botnets out there that haven't been outed yet. These sophisticated, highly targeted malware like Stuxnet are all government-run botnets.

      They either made them, or as you suggested, took them over for their own use. (that's actually a good idea, and I'd bet the more common option outside of say china or NK... those two I could really see rolling their own botnet) It's not like anyone's going to put up any resistance. You don't call the cops when someone steals your cocaine.

      --
      I work for the Department of Redundancy Department.
    11. Re:kinda makes you wonder by dragonturtle69 · · Score: 1

      This one appears to be a Russian Regin, looking at the Language Artifacts section of the securelist.com article.

      --
      "What luck for the rulers that men do not think." - Adolph Hitler
  5. "requires no elevated system privileges"?? by Anonymous Coward · · Score: 2, Insightful

    If you are establishing a raw socket, you have to have privileges...

    1. Re:"requires no elevated system privileges"?? by Anonymous Coward · · Score: 0

      The virus could be exploiting a bug that gives it root privileges even when it normally shouldn't.

    2. Re: "requires no elevated system privileges"?? by Anonymous Coward · · Score: 1

      ... which is the definition of "privilege escalation," no?

  6. Hello spooks by MrKaos · · Score: 1

    It seems to be anyone else.

    --
    My ism, it's full of beliefs.
    1. Re:Hello spooks by MrKaos · · Score: 1

      It seems to be anyone else.

      It seems too obvious, that is. I shouldn't post when tired.

      Stripped binaries, statically linked libraries, magic numbers in packets and so on. I'm sure there are a few shell vulnerabilities that we don't know about and certainly there are plenty of commands that can be exploited to escalate privilege levels if required.

      --
      My ism, it's full of beliefs.
    2. Re:Hello spooks by ruir · · Score: 1

      In the last attacks I have seen, they use coded transmission to talk with the CC, and I have seen a couple of instances where, when running locally, they erase the binaries to not be tracked. If one is not careful analysing a system, or is too fast shutting down a compromised server, one will damage important data to be collected with forensic tools for sure.

    3. Re:Hello spooks by MrKaos · · Score: 1

      It looks like a good platform for assessing a local system and installing a more serious exploit, so I agree, it would be very difficult to isolate these and identify what they are doing.

      --
      My ism, it's full of beliefs.
  7. "Announcing: Slashdot Deals" by Anonymous Coward · · Score: 0

    There are a lot of things you can do to cripple a user's experience without elevated system privileges. Dice, for example, does a pretty good job at spamming my Slashdot page with ads and they do not have root access to my machine and they don't even need to infect my computer with a stealthy trojan! Man, I never felt the need to install Adblock on my browser and I can't believe I will have to do it because of Slashdot.

    And no, I don't want to discover Slashdot Deals. Thanks.

  8. Hate being several clicks away from the actual inf by ledow · · Score: 4, Interesting

    It's an ordinary piece of malware.

    It talks home to a hard-coded URL.

    It has to have a secret "knock" before it will talk back to you (port-knocking has uses both ways, it seems!).

    It contains easily-greppable strings.

    Quite what distinguishes this from other malware, I'm not too sure. Just that nobody had seen it before?

  9. Well by Anonymous Coward · · Score: 0, Flamebait

    is this the same secure, unbreakable, no-virus-possible Linux system?

    1. Re:Well by ledow · · Score: 0

      If you honestly think anyone with a brain or in any position of repute has ever claimed those three things, then you're a bigger idiot than posting that on Slashdot makes you appear.

    2. Re:Well by Anonymous Coward · · Score: 0

      I not only think somebody has claimed that, I've seen it happening on slashdot so many times! brainwashed kids preaching Linux all the way. The comment was aimed at that stereotype of people - let's keep it friendly, shall we? Keep those adjectives to yourself as you are not impressing anybody with that kind of attitude.

    3. Re:Well by jones_supa · · Score: 1, Insightful

      There has been plenty of people here who have claimed that Linux and open source provide an architecture which is by design more resilient against malware than proprietary solutions.

    4. Re:Well by Anonymous Coward · · Score: 0

      Resilient != fullproof.

    5. Re:Well by Anonymous Coward · · Score: 0

      Considering this is the same site that I've been modded down on for pointing out flaws in Linux in a reproducible fashion? I think a bit of gloating isn't out of line.
       
      Let's face facts, the LinuxFanboyArmy has been more than a bit protective (to the point of being outright combative) in matters of their favorite OS. People who act that way deserve what they get.

    6. Re:Well by ruir · · Score: 2

      And it is. The fact that you may have a 10-year old server infected with some malware, and a FUD article for someone with vested interests in running AV solutions for every machine does not disprove it. Plus it is very easy to have malware and/or running external commands through applicational holes, like WordPress both in Windows or Linux if your PHP is not well configured, and it is not exactly "Linux" fault. Pity the article is more concerned with fear mongering than providing technical details.

    7. Re:Well by Anonymous Coward · · Score: 0

      fullproof

      Moron.

    8. Re:Well by staalmannen · · Score: 1

      There has been plenty of people here who have claimed that Linux and open source provide an architecture which is by design more resilient against malware than proprietary solutions.

      It is. That is why a Linux malware gets to be news whereas yet another Windows malware does not register above the noise as news because there are so damn many of them. The same thing with the Bash, GnuTLS, OpenSSL etc vulnerabilities. "More resilient" does not mean immune - claiming immunity would just be silly. News of Critical Vulnerabilities in Windows are about as frequent as every Patch Tuesday.

    9. Re:Well by donaldm · · Score: 1

      Pity the article is more concerned with fear mongering than providing technical details.

      I read through both articles and it read as "The sky is falling! The sky is falling! Everyone panic!" but they did not really provide any technical details.

      Oh the horror /(^o^)\

      --
      There ain't no such thing as proprietary standards only proprietary formats. Standards are by definition open.
    10. Re:Well by Anonymous Coward · · Score: 0

      If the facts of the article are true, and I will take them as such until you can disprove it, then it's not FUD at all. LOLZzz!!

    11. Re:Well by Anonymous Coward · · Score: 0

      No, this is the same "more secure", "more difficult to break", and "very few viruses exist for", Linux kernel.

      Until recently, with the obsession of moving all of the system into userspace, Linux has had a better design for separation of privilege, and supports things like mandatory access control at the kernel level, making it much more difficult to infect Linux with the same type of malware as Windows is susceptible to.

      But logic and reason don't appeal to you, because you're obviously trolling, and trolls don't respect rationality.

    12. Re:Well by Anonymous Coward · · Score: 0

      No OS can protect users from their own stupidity. If a user downloads and runs a trojan (which is malicious software pretending to do useful things), it can access all files for which that user has the required privileges (i.e. typically at least most of the user's home directory). No bugs in the operating system need to be exploited, it is just users trusting software they should not. Anti-virus tools could detect the malware, but for that it needs to be discovered first (which is not easy if it is some kind of rare targeted malware). Although one potential disadvantage of Linux is that it currently does not have many such tools available.

    13. Re:Well by Anonymous Coward · · Score: 0

      Only when it runs on a PC

  10. Time for periodic offline audits? by Anonymous Coward · · Score: 0

    Perhaps it's time for companies/governments with highly-sensitive data to do periodic offline audits of their systems. If you find something that doesn't belong and which isn't clearly harmless, investigate further.

    Yes, it's expensive but it's getting to the point where the alternative is even more expensive.

    1. Re:Time for periodic offline audits? by ruir · · Score: 1

      People are cutting corners and costs everywhere... and then they get surprised.

  11. Good News For Us Linux Users by Anonymous Coward · · Score: 0

    Today is patch Tuesday so we will be all set and good to go once we patch our boxen.

    It's good to be king
    Louis da here-and-now

  12. Unless you look for it, you don't find it by Anonymous Coward · · Score: 0

    I think generally we think that somehow this stuff just gets rooted out naturally. But unless you're a security firm either looking for it, or someone has found something suspicious. It could easily sit in all that code for years without being noticed. That is the key these days, that the worst stuff is not detected right away and the simple malware rarely does any damage. Sure, buy all the security you want, but truth is unless something is found and a definition is created to detect it with a scan. It won't find it. This is why security software is worthless except for giving paranoid people a false sense of security. Many times it even finds PUP (potentially unwanted programs) just to make people feel it's working. I'm glad the claims that certain operating systems are immune is disappearing. This is another false assumption that cannot be guaranteed or proven. Nobody should argue or brag that their OS is safe. Obviously Windows is under far more attacks simply because of its large user base. It means more targets, more hackers trying to find holes and more success. But it does not mean nobody is looking elsewhere for opportunity.

  13. Re:Hate being several clicks away from the actual by Anonymous Coward · · Score: 0

    To me the main difference seemed that this is a targeted malware, specifically showing up (in fairly small numbers) in places that might interest nation state level snoops. Not just some random financial information/game password/login trawling generic malware.

  14. Liar by s.petry · · Score: 1

    Reading from disk is only one portion of a process and process protection, the actual execution occurs in memory and is _ALSO_ protected in *nix. An easy example is to open a socket on a specific port as a user. A non privileged user can not open a port below 1024 because this is in protected space, but you can open a socket on 1025->64K without issues.

    There is no point in attempting to explain SUID/SGID in addition to normal execution, because you don't even have the normal execution correct. I will however state that this is another dynamic to review after you figure out the difference between reading and executing.

    --

    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    1. Re:Liar by gweihir · · Score: 1

      You can stuff your patronizing attitude up your backside. I actually know very well what I am talking about, but you do not seem to have the first clue what a standard Linux protection model gives you and what not. For example, you seem to have no idea that a process is free to write as much code as it likes into the heap or onto the stack and execute it there.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    2. Re:Liar by gweihir · · Score: 1

      And while that is convenient and simple to do, it is not even necessary. It is however a situation that is basically impossible to prevent (a very, very careful SELinux config might be able to do it), so it serves well to prove the point.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    3. Re:Liar by s.petry · · Score: 1

      Bullshit! You stated if you can read it, you can execute it and that statement is patently false.

      Your claim of a process being free to write memory fails to consider a process that already has claimed memory and it's protections. Yeah, forty fucking years ago I had to worry about a user reading and writing to my memory space as a Kernel, but that has been fixed for decades. I can also easily set limits to prevent you from having free reign to wipe a system out of memory because of memory protection built in to the kernel.

      You claimed that a read is enough permission to execute, and that is absolutely false. If being wrong hurts your feelings ask mommy for a hug, not me. Go cry victim to someone who may actually give you sympathy, I'm not going to console you for making false statements.

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    4. Re:Liar by s.petry · · Score: 2

      No they can't, and I gave the example. A socket is a file, so go ahead and open up a socket on port 99 as a user. After you figure out you are wrong come back and tell me so. I don't want to rub your nose in you being incorrect, I want others to see that you are incorrect.

      If you want another example, go ahead and write and compile a piece of code that executes a shell with UID=0. This is 2 system calls, yet you won't be able to execute the shell by running your code without root access, even though you can write the source and compile the binary. The system calls are "suid()" and system() just in case you are lost. Another example would be to copy the su command to whatever location you want and let's see how quickly you can su root. The protection in this case has absolutely nothing to do with what files you can read and where you can write.

      File system protection is only 1 layer of *nix security, there is also process protection and memory protection. This does not even consider add on or additional tuning available in limits and SE *nix kernels.

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    5. Re:Liar by Pieroxy · · Score: 1

      The original answer was to a post that claimed to have a filesystem "non-executable", which pretty much means nothing. Also, a socket does not reside on a file system (at least not a regular one). At last, a shell with UID=0 *can* be executed by at least one user. The original claim was for a "non-executable" filesystem.

      The claim that was answered to implied that you can store any binary (say, gzip) on a "non-executable" filesystem and that would prevent users from ever running it. Which is moronic.

      Context people, context.

    6. Re:Liar by Pieroxy · · Score: 1

      Let's say you remove the executable flag on the GZIP binary, but leave me with read access to said binary. You think I won't be able to run GZIP on your box with a guest account and a writable home directory? (let's assume I can't bring in some other binary of my own, I just have access to your system)

    7. Re:Liar by s.petry · · Score: 1

      You also need to be very careful about other tools, as for example TCC can compile and execute C code without writing it to disk first. The point is that the privilege system is concerned with read and write access, execution restrictions are just a side-effect of that and an imperfect one.

      I was not defending the original post, but attempting to correct the bad response. Sockets are files, and I can create a socket in any directory I have write access to. /tmp is a safe "default" location because all users can write to /tmp, but there is no restriction on where I can create a socket in *nix by default.

      I agree that the original logic is bad, but the explanation is wrong for why that logic is bad. As written, it claims that the only protections in *nix are at the file level.

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    8. Re:Liar by Anonymous Coward · · Score: 0

      memory and it's protections

      "its".

  15. RAW sockets without escalation? by Circuit+Breaker · · Score: 1

    Something does not compute here. The SecureList blog post says that the port knocking works by getting a raw socket from pcap and looking at the ack. On any Linux system I've ever used, this DOES require root privileges. And yet, they also claim it does not need any special privileges?

    1. Re:RAW sockets without escalation? by Dcnjoe60 · · Score: 1

      Something does not compute here. The SecureList blog post says that the port knocking works by getting a raw socket from pcap and looking at the ack. On any Linux system I've ever used, this DOES require root privileges. And yet, they also claim it does not need any special privileges?

      From what I gather from the linked articles from the summary link, you need root and command line access to install it, but after it is installed, it doesn't take root to activate it. That said, if somebody has access to root or the command line, you need a new security administrator.

    2. Re:RAW sockets without escalation? by Lumpy · · Score: 1

      It's because the Article is 100% FUD. Read it carefully, notice how there are zero details at all and a lot of things just don't add up about it.
      Then look at the source and realize it's a PR piece.

      --
      Do not look at laser with remaining good eye.
    3. Re:RAW sockets without escalation? by cheater512 · · Score: 1

      Err so that just describes SUID. Nothing magical or unintended, it still can't operate on a system without root.

      And it being on a single computer for years just means it has been found on one single computer, with an admin who didn't look.

    4. Re:RAW sockets without escalation? by Dcnjoe60 · · Score: 1

      Err so that just describes SUID. Nothing magical or unintended, it still can't operate on a system without root.

      And it being on a single computer for years just means it has been found on one single computer, with an admin who didn't look.

      I don't disagree. Plus, from the article, it hasn't been found in the wild on any linux installations. It speculates that it could be a problem, but, without either root access or direct access to the box, I don't see how.

  16. FUD by s.petry · · Score: 3, Informative

    Reading TFA I see no mention of Linux at all, it mentions Windows and PHP. Perhaps the author is confused and believes that anything with .PHP must exist in Linux, but I'm skeptical. They spend lots of time talking about the various .exe files, "Administrator" privileges, and "Network Shares" which are exclusive terminology to the Windows OS. Nobody can be that ignorant as a technical writer.

    --

    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    1. Re:FUD by Anonymous Coward · · Score: 0

      Some of the other links randomly thrown into the summary talk about the discovery of the Linux component.

      Sounds like part of the reason it hasn't been discovered is that it doesn't do much. It might be C&C for the Windows infections.

    2. Re:FUD by whoever57 · · Score: 1
      Take these comments from the article:

      Like its Windows counterparts, the Linux trojan is extremely stealthy. It can't be detected using the common netstat command. To conceal itself, the backdoor sits dormant until attackers send it unusually crafted packets that contain "magic numbers" in their sequence numbers

      ....

      Even a regular user with limited privileges can launch it, allowing it to intercept traffic and run commands on infected machines. Capabilities include the ability to communicate with servers under the control of attackers and functions allowing attackers to run commands of their choice and perform remote management.

      Both of these statements cannot be true. Linux requires root privileges to listen on a port without opening it (essentially, packet dumping).

      Let's be pragmatic. Kaspersky has no interest in there being a widespread view that Linux is less likely to be infected by malware than Windows.

      --
      The real "Libtards" are the Libertarians!
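The comments above turn on two points: a pcap-style knock listener holds a packet socket instead of a listening TCP/UDP port, and opening that socket needs root or CAP_NET_RAW. The following is an added example (not from the article or any commenter) of a defender's audit that lists packet sockets from `/proc/net/packet` and maps them to owning processes; the sample data and the `audit`/`socket_owners` names are constructed for illustration.

```python
#!/usr/bin/env python3
"""List AF_PACKET (sniffing) sockets and the processes that hold them."""
import os
import re

CAP_NET_RAW = 13      # bit index from linux/capability.h
ETH_P_ALL = 0x0003    # "every protocol": what a capture library normally requests
SOCK_TYPES = {2: "SOCK_DGRAM", 3: "SOCK_RAW", 10: "SOCK_PACKET"}

# Constructed sample of /proc/net/packet (not taken from a real host).
SAMPLE_PROC_NET_PACKET = """\
sk               RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9c8f41d2a800 3      3    0003   2     1 0      0      48211
ffff9c8f41d2b000 3      2    888e   3     1 0      0      20977
"""

# Constructed sample of /proc/<pid>/status; 0x2000 has bit 13 (CAP_NET_RAW) set.
SAMPLE_STATUS = "Name:\tsampled\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000002000\n"


def parse_packet_table(text):
    """Parse /proc/net/packet text into one dict per packet socket."""
    rows = []
    for line in text.splitlines()[1:]:          # first line is the column header
        f = line.split()
        if len(f) < 9:
            continue                            # tolerate blank or short lines
        rows.append({
            "type": SOCK_TYPES.get(int(f[2]), f[2]),
            "proto": int(f[3], 16),             # EtherType filter, printed in hex
            "ifindex": int(f[4]),               # 0 means "all interfaces"
            "uid": int(f[7]),
            "inode": int(f[8]),
        })
    return rows


def has_cap_net_raw(status_text):
    """True if the CapEff mask in /proc/<pid>/status includes CAP_NET_RAW."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)", status_text, re.M)
    return bool(m) and bool((int(m.group(1), 16) >> CAP_NET_RAW) & 1)


def socket_owners(proc="/proc"):
    """Map socket inode -> set of PIDs, read from /proc/<pid>/fd symlinks."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue    # process exited, or not permitted (run as root for a full view)
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if m:
                owners.setdefault(int(m.group(1)), set()).add(int(pid))
    return owners


def _read(path):
    try:
        with open(path, errors="replace") as fh:
            return fh.read()
    except OSError:
        return ""


def audit(proc="/proc"):
    """Join packet sockets with their owning processes.

    pid is None when no owner is visible: either this audit lacks permission
    to read other users' fd tables, or something is hiding the process.
    cap_net_raw reflects the process now; a program can drop the capability
    after opening the socket, so False does not clear a finding.
    Only the current network namespace is covered.
    """
    owners = socket_owners(proc)
    findings = []
    for row in parse_packet_table(_read(os.path.join(proc, "net", "packet"))):
        for pid in sorted(owners.get(row["inode"], ())) or [None]:
            base = os.path.join(proc, str(pid))
            findings.append(dict(
                row,
                pid=pid,
                comm=_read(os.path.join(base, "comm")).strip() if pid else "?",
                cap_net_raw=has_cap_net_raw(_read(os.path.join(base, "status"))) if pid else None,
                sniffs_all=row["proto"] == ETH_P_ALL,
            ))
    return findings


if __name__ == "__main__":
    for f in audit():
        print("inode={inode} pid={pid} comm={comm} type={type} proto={proto:#06x} "
              "ifindex={ifindex} uid={uid} cap_net_raw={cap_net_raw} "
              "sniffs_all={sniffs_all}".format(**f))
```

Run it as root so every process's descriptor table is readable; entries with `sniffs_all=True` that do not belong to a known capture or DHCP tool are the ones to investigate.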
  17. Click-bait by Dcnjoe60 · · Score: 1

    From the article linked to from the article in the summary:

    Although Linux variants from the Turla framework were known to exist, we haven't seen any in the wild yet.

    It might be because you need root and command line access to install it. After that, however, it can be activated without root.

  18. Re:give Peace a Chance by ColdWetDog · · Score: 0

    Group hug!

    --
    Faster! Faster! Faster would be better!
  19. Re:give Peace a Chance by ChrisMaple · · Score: 3, Insightful
    There is a class of people, ranging from street thugs to vicious dictators, who choose to use violence or threat of violence to steal and destroy. I have two basic choices when faced with such people:
    1. Submit. The thug prospers, I suffer and probably die early. If nearly all people do this, thugs find it an easy way to live, and the class of thugs expands until it dominates the whole world. The whole world becomes a cesspool like North Korea.
    2. Arm myself to resist the thug, and on a national scale arm to resist thug-states. At the cost of defending myself, I can prosper in relative freedom. One of the worse costs is listening to ignorant tools like you advising me to let my throat be cut.

    There are costs involved in all decisions. I can't drive a car without contributing to the cost of a road. I can't keep warm in a snowstorm without buying shelter. I can't prosper, or even live long, without paying for defense.

    Do not rail against war and its expenses, but rather oppose those who use force to achieve their ends.

    --
    Contribute to civilization: ari.aynrand.org/donate
  20. SELinux and AppArmor by Anonymous Coward · · Score: 0

    This is why you should set SELinux to Enforcing. It will limit the damage done by a rogue application.

  21. Re:give Peace a Chance by tehcyder · · Score: 0, Offtopic
    There is a world of difference between spending enough money to defend yourself, and spending enough money to conquer or destroy the world.

    Unless you want to do the latter, why spend so much money on preparing for it?

    --
    To have a right to do a thing is not at all the same as to be right in doing it
  22. Kaspersky Labs discovers port knocking .. by lippydude · · Score: 2

    "This Turla cd00r-based malware .. can't be discovered via netstat, a commonly used administrative tool" link

    'To activate the real remote access service (the attached code starts an inetd to listen on port 5002, which will provide a root shell), one has to send several packets (TCP SYN) to ports on the target system' link

    How exactly does this 'Linux trojan' get onto the computers in the first place, without the end user going to a site and downloading the malware and explicitly running it and entering the root password?

    1. Re:Kaspersky Labs discovers port knocking .. by EvilIdler · · Score: 1

      A little B&E might do it. Seems the targets were high-value targets.

  23. Re:Hate being several clicks away from the actual by lippydude · · Score: 1

    @ledow: "Quite what distinguishes this from other malware, I'm not too sure. Just that nobody had seen it before?"

    What this is even doing as an article on slashdot is beyond me, apart from giving Kaspersky some free advertising space.

  24. Re:give Peace a Chance by tburkhol · · Score: 1

    Submit. The thug prospers, I suffer and probably die early. If nearly all people do this, thugs find it an easy way to live, and the class of thugs expands until it dominates the whole world. The whole world becomes a cesspool like North Korea.

    Arm myself to resist the thug, and on a national scale arm to resist thug-states. At the cost of defending myself, I can prosper in relative freedom. One of the worse costs is listening to ignorant tools like you advising me to let my throat be cut.

    Here is where your black-and-white, false dichotomy fails. You can "arm" yourself to resist the thug by hiring your own gang of thugs, by buying your own gun, or by buying armor. You can arm yourself against the worst thug your imagination can conjure, or against thugs that actually exist. You can prove the strength of your arms by walking into every dark alley, kicking down the doors of hovels and speakeasies, loudly proclaiming your invincibility, or you can follow open, well-lighted paths without offering to fight all comers, and at least pretend to be civil.

  25. Re: give Peace a Chance by Anonymous Coward · · Score: 0

    Or I can walk the well-lighted paths (those that still exist) and hose the dark corners with my flamethrower.

  26. Liar by Anonymous Coward · · Score: 2, Interesting

    If a user can read a file on a *nix system, and can write to even a *single* location, that user can execute that file.

    1) Copy the file to the location where I can write.
    2) Set the execute flag on the file.
    3) Execute the file.

    Permissions will prevent you from accessing data you don't have permission to, but will only prevent you from running an application if you can't even see it.

  27. Re:give Peace a Chance by Anonymous Coward · · Score: 0

    one can debate how much defense is "good enough" relative to its cost, and further debate whether any particular country has reached or exceeded that threshold. but seems to me that having a defensive force that could, if so desired, conquer (with some very good odds) all other forces implies a high probability of success when defending against said forces. that is, the best defense is a good offense.

  28. One of the Links is for Windows by Anonymous Coward · · Score: 0

    One link is Epic Turla for Windows, the other is for Linux. https://securelist.com/blog/research/67962/the-penquin-turla-2/

    I found it amusing that claims are made that the program needs no permissions, then the article demonstrates it running with root:

    [root@localhost Turla]# ./Tur.1

    Also, you have to have the "Snake" rootkit installed:

    "The attack tool takes us further into the set alongside the Snake rootkit and components first associated with this actor a couple years ago."

    Ars adds, "Even a regular user with limited privileges can launch it" http://arstechnica.com/security/2014/12/powerful-highly-stealthy-linux-trojan-may-have-infected-victims-for-years/

    Would this be a moron who just rooted their Android phone to use a Chinese app store?

    FUD indeed!

  29. Re:give Peace a Chance by david_thornley · · Score: 0

    However, consider the consequences. My country's armed forces are clearly for defense, and your country's are to potentially attack me. This means that, when I decide we need to spend more on defense, you feel threatened, and spend more on defense, meaning from my point of view you're preparing an attack, and I need more defense, etc.

    This produces an arms race that can lead to war, when one side decides that its best chance to survive is to attack now.

    There are ways to defuse this sort of arms race, such as maintaining good relations, but every warship launched is not only money that could be used productively but provokes yet more warships to be launched.

    --
    "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  30. Re:give Peace a Chance by FreedomFirstThenPeac · · Score: 0

    Every gun that is made, every warship launched, every rocket fired signifies, in the final sense, a theft from those who hunger and are not fed, those who are cold and are not clothed

    Nice platitude. Prove it.

    --
    "There is no god but allah" - well, they got it half right.
  31. Re:give Peace a Chance by FreedomFirstThenPeac · · Score: 1

    Because in the end, someone has to be as powerful as the most powerful state we might logically fear. Right now that is the Russians (simple tanks and bombs), the Chinese (economic warfare), and the Islamofascists (intent). Of these, we cannot afford to fight the Chinese, we are not the bleeding edge in defending against the Russians, and we might be able to defeat the Islamofascists here at home using ideas, not so sure about in other countries.

    But the old days of raising armies only when needed have gone the way of the horse and buggy. Unless you are the Swiss, who count on others to provide de facto long-arm defense, you probably cannot count on an armed population either ("Red Dawn" notwithstanding)

    --
    "There is no god but allah" - well, they got it half right.
  32. First two Links are Backwards by tmjva · · Score: 1

    Speaking of links, the descriptive texts in the first two links in this post are backwards. The reference to the "siphon data from governments and pharmaceutical companies" links to the stealthy trojan link and the "stealthy trojan..." link, links to the "siphon data ..." article.

    --
    Tracy Johnson
    Old fashioned text games hosted below:
    http://empire.openmpe.com/
    BT
  33. Re: give Peace a Chance by Anonymous Coward · · Score: 0

    Raising armies only when needed... Old idea?

    Isn't it more of a new idea that really didn't pan out? Are there some examples throughout history of it being tried and working? We can't talk about it like it's merely outdated, it is a _bad_ idea. IMHO