Slashdot Mirror


Stealthy Linux Trojan May Have Infected Victims For Years

An anonymous reader writes: Researchers from Moscow-based Kaspersky Labs have uncovered an extremely stealthy trojan for Linux systems that attackers have been using to siphon sensitive data from governments and pharmaceutical companies around the world.

The malware may have sat unnoticed on at least one victim computer for years, although Kaspersky Lab researchers still have not confirmed that suspicion. The trojan is able to run arbitrary commands even though it requires no elevated system privileges.

23 of 129 comments

  1. systemd hasn't been around that long, has it? by Anonymous Coward · · Score: 5, Funny

    I thought that the systemd infection of Debian was much more recent than that. Like within the past year. But maybe I'm wrong, and it has been longer?

  2. "Running arbitrary commands" is irrelevant by gweihir · · Score: 5, Informative

    The privilege system does not protect commands, it protects data. You can always run any command on any data that belongs to you. But when you want to access data of others or the system, you need elevated privileges and same for attacking to privileged network ports.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:"Running arbitrary commands" is irrelevant by Antique Geekmeister · · Score: 4, Insightful

      I'm personally aware of thousands of systems on which database data, backups, and system logs are not read-protected from local users. They're left this way on the grounds that "if someone has local access, we're screwed anyway". They pass commercial security audits because the security companies do a handful of known external attacks, which give a small set of tasks to fix the issue and do not address such fundamental issues.

      This is particularly aggravated on systems which have password-free sudo access for developers, which is very common on development environments, on systems with password-free SSH keys casually stored with system-wide access, and software systems that store passwords in clear text by default, such as Subversion HTTPS access. It's also compounded when the home directories on which such information is stored are NFSv3 mounted and shared with all clients on the network. The concept of "data which belongs to you" breaks down quickly with NFS or CIFS without authentication in most environments. NFSv4 or Kerberized CIFS access can be helpful in restricting this, but I know very few partners or clients who go to the extra steps needed for this.

    2. Re:"Running arbitrary commands" is irrelevant by gweihir · · Score: 2

      Well, the other thing is that you cannot run commands on arbitrary data without privilege escalation, unless you are already root. It is simply conceptually impossible. Any process that allows you to access data above your privilege level includes a privilege escalation by definition.

      My take is just that the article sounds sensationalist and not very competent with regards to technology.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    3. Re:"Running arbitrary commands" is irrelevant by gweihir · · Score: 2

      I do not disagree. But that is a property of the target system, not of the attack.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    4. Re:"Running arbitrary commands" is irrelevant by Enigmafan · · Score: 2

      Well, the other thing is that you cannot run commands on arbitrary data without privilege escalation, unless you are already root. It is simply conceptually impossible. Any process that allows you to access data above your privilege level includes a privilege escalation by definition.

      My take is just that the article sounds sensationalist and not very competent with regards to technology.

      But if you run Linux from disk on a system, and you create a user with the same ID as the user data you're trying to access on that system, you can read all the data from that user. That is not privilege escalation, as far as I can see.

    5. Re:"Running arbitrary commands" is irrelevant by gweihir · · Score: 2

      The process that allows you to create that user already requires privilege escalation as non-root users are not allowed to create new users.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    6. Re:"Running arbitrary commands" is irrelevant by mlts · · Score: 2

      In general, there has been a trend away from both local protection and privilege escalation (from user to root). Mainly the focus has been keeping people out of the box proper, although this does go against the defense in depth concept since once the box gets breached somehow (a security bug that commandeers a Web browser, for example), an attacker can gain a lot by running just with that user's context [1], or even using exploits to get root. Once root, burying kernel modules becomes quite doable.

      There needs to be more focus on defense in depth. For example, there needs to be a separate context for a user's Web browser than his/her shell. This way, if/when the browser or add-ons get compromised, the hacked code doesn't have full run of the user account.

      Local user protection on Linux has not been that much of an item that has been worked on. Usually at best, there might be a bootloader password or a LUKS encryption prompt to get the boot process past the initial RAM disk. What would be nice to see is work on both signed executables as well as the ability to use the TPM with LUKS for keeping volumes encrypted... but allowing the machine to boot completely without interaction (as the TPM supplies the keys to unlock the volumes.)

      As for NFS v3 and earlier, it can be made decently secure if used only by a few hosts, and networking infrastructure can be put in place to guard against spoofing, but if this can't be done, NFS v4 or even samba/CIFS might be the protocol of choice. However, as stated above, securing NFS in a shop takes a lot of time, either by having infrastructure in place for Kerberos so that NFS v4 works or by having dedicated paths that are difficult for an unauthorized party to access so that NFS v3 is secure. There is always the option of going with samba/CIFS in general, but compatibility with the protocol can vary widely between UNIX variants, Linux distributions, or even versions of Linux distributions.

      [1]: For the big bucks, just getting access to a user is enough. From there, an attacker can masquerade as that user with fake E-mail, upload documents used, use the user's LAN access to attack other boxes, or just encrypt all the documents for ransom. Spambots and such don't need root access to go out on port 25, nor do botnets need root to perform successful DDoS attempts.

    7. Re:"Running arbitrary commands" is irrelevant by turbidostato · · Score: 2

      "There are a number of tools that give non-root users root access."

      Yes. And all of them resort to already having root-level access, so it is still a privilege escalation issue.

      "Long term, what Linux really should have is the ability to have either signed executables or a manifest list that can whitelist or blacklist."

      You are not too savvy about what Linux can and can't do, right?

  3. "requires no elevated system privileges"?? by Anonymous Coward · · Score: 2, Insightful

    If you are establishing a raw socket, you have to have privileges...

  4. Hate being several clicks away from the actual inf by ledow · · Score: 4, Interesting

    It's an ordinary piece of malware.

    It talks home to a hard-coded URL.

    It has to have a secret "knock" before it will talk back to you (port-knocking has uses both ways, it seems!).

    It contains easily-greppable strings.

    Quite what distinguishes this from other malware, I'm not too sure. Just that nobody had seen it before?

  5. Re:kinda makes you wonder by camperdave · · Score: 2

    The NSA doesn't run botnets... well, not many, anyways. However, they do analyze botnets completely and thoroughly, and thus they can take command of known botnets in a heartbeat if the need arises.

    --
    When our name is on the back of your car, we're behind you all the way!
  6. Re:Security through Obscurity by GameboyRMH · · Score: 5, Insightful

    With closed source there are also no guarantees the bad guys won't see the source either. And it's far better to make the code visible to all than to wait for the exploit to be found in the usual ways while everyone was in the dark about it.

    Security through obscurity is just like peril-sensitive sunglasses. Having the code visible makes you nervous for some reason? Well we'll just keep you from seeing it! Problem solved!

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel
  7. Re:Security through Obscurity by Goaway · · Score: 2

    And it's far better to make the code visible to all than to wait for the exploit to be found in the usual ways while everyone was in the dark about it.

    That is quite a strong claim to make without providing evidence to back it up.

  8. Re:Well by ruir · · Score: 2

    And it is. The fact that you may have a 10-year-old server infected with some malware, and a FUD article from someone with vested interests in running AV solutions on every machine, does not disprove it. Plus it is very easy to have malware and/or external commands run through application holes, like WordPress on either Windows or Linux if your PHP is not well configured, and it is not exactly "Linux's" fault. Pity the article is more concerned with fear mongering than providing technical details.

  9. Re:Security through Obscurity by MikeBabcock · · Score: 2

    Linux certainly isn't obscure, or you're being sarcastic and suck at it ...

    --
    - Michael T. Babcock (Yes, I blog)
  10. FUD by s.petry · · Score: 3, Informative

    Reading TFA I see no mention of Linux at all; it mentions Windows and PHP. Perhaps the author is confused and believes that anything with .PHP must exist in Linux, but I'm skeptical. They spend lots of time talking about the various .exe files, "Administrator" privileges, and "Network Shares", which is terminology exclusive to the Windows OS. Nobody can be that ignorant as a technical writer.

    --
    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

  11. Re:give Peace a Chance by ChrisMaple · · Score: 3, Insightful

    There is a class of people, ranging from street thugs to vicious dictators, who choose to use violence or threat of violence to steal and destroy. I have two basic choices when faced with such people:
    1. Submit. The thug prospers, I suffer and probably die early. If nearly all people do this, thugs find it an easy way to live, and the class of thugs expands until it dominates the whole world. The whole world becomes a cesspool like North Korea.
    2. Arm myself to resist the thug, and on a national scale arm to resist thug-states. At the cost of defending myself, I can prosper in relative freedom. One of the worse costs is listening to ignorant tools like you advising me to let my throat be cut.

    There are costs involved in all decisions. I can't drive a car without contributing to the cost of a road. I can't keep warm in a snowstorm without buying shelter. I can't prosper, or even live long, without paying for defense.

    Do not rail against war and its expenses, but rather oppose those who use force to achieve their ends.

    --
    Contribute to civilization: ari.aynrand.org/donate
  12. Re: kinda makes you wonder by ColdWetDog · · Score: 2

    Because obviously all the world's problems are always and only caused by government.

    It's a pretty good first approximation ....

    --
    Faster! Faster! Faster would be better!
  13. Kaspersky Labs discovers port knocking .. by lippydude · · Score: 2

    "This Turla cd00r-based malware .. can't be discovered via netstat, a commonly used administrative tool"

    'To activate the real remote access service (the attached code starts an inetd to listen on port 5002, which will provide a root shell), one has to send several packets (TCP SYN) to ports on the target system'

    How exactly does this 'Linux trojan' get onto the computers in the first place, without the end user going to a site, downloading the malware, explicitly running it and entering the root password?
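    The trigger lippydude quotes, modelled in code. This is an added example written for this mirror, not code from the thread, from Kaspersky's write-up or from cd00r itself: a per-source knock-sequence tracker of the kind a sniffing implant runs, and a parser for /proc/net/packet, the table where an AF_PACKET sniffer shows up even though netstat's TCP/UDP views never look at it. The knock ports and the /proc/net/packet sample are constructed; the inode-to-PID lookup only does anything on a live Linux box.

```python
"""
Added example (not from the thread, Kaspersky's report or the cd00r source):
a minimal model of a cd00r-style port-knock trigger and the check that shows
why netstat misses it. The knock ports and the /proc/net/packet sample below
are constructed for this example.
"""
import os

# Constructed knock sequence; a real implant picks its own ports.
KNOCK_SEQUENCE = (200, 80, 22, 53)
ETH_P_ALL = 0x0003          # AF_PACKET protocol that captures every frame


class KnockTrigger:
    """Per-source progress through the knock sequence, as a sniffer would
    track it. The implant has no listening socket: it watches SYNs on the
    wire and only starts its real service once the full sequence arrives."""

    def __init__(self, sequence=KNOCK_SEQUENCE):
        self.sequence = tuple(sequence)
        self.progress = {}            # src address -> index of next expected port

    def observe_syn(self, src, dst_port):
        """Feed one TCP SYN. Returns True exactly when src completes the
        sequence; the expected next port advances, any other port resets
        (a repeat of the first knock counts as a fresh start)."""
        idx = self.progress.get(src, 0)
        if dst_port == self.sequence[idx]:
            idx += 1
        elif dst_port == self.sequence[0]:
            idx = 1
        else:
            idx = 0
        if idx == len(self.sequence):
            self.progress.pop(src, None)
            return True
        self.progress[src] = idx
        return False


# Constructed /proc/net/packet contents. Columns follow the kernel's header
# (net/packet/af_packet.c): Type 3 = SOCK_RAW, 2 = SOCK_DGRAM; Proto is hex.
PROC_NET_PACKET_SAMPLE = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
0000000000000000 3      3    0003   2     1 0      0      23456
0000000000000000 3      2    0800   2     0 0      1000   23457
"""


def packet_sockets(text):
    """Parse /proc/net/packet (AF_PACKET sockets). netstat -tulpn and
    ss -tulpn list only TCP/UDP sockets, so this table is where a libpcap
    sniffer actually appears."""
    rows = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 9:
            continue
        rows.append({
            "type": int(fields[2]),
            "proto": int(fields[3], 16),
            "ifindex": int(fields[4]),
            "running": fields[5] == "1",
            "uid": int(fields[7]),
            "inode": int(fields[8]),
        })
    return rows


def sniffers(rows):
    """Sockets bound to ETH_P_ALL see every frame on their interface; that
    is the footprint of a knock-watching implant (and of tcpdump, so each
    hit still needs its owning process checked)."""
    return [r for r in rows if r["proto"] == ETH_P_ALL]


def pid_for_socket_inode(inode):
    """Map a socket inode to the PID holding it by scanning /proc/*/fd.
    Returns None when not found or when /proc is unavailable."""
    target = "socket:[%d]" % inode
    try:
        pids = [p for p in os.listdir("/proc") if p.isdigit()]
    except OSError:
        return None
    for pid in pids:
        try:
            for fd in os.listdir("/proc/%s/fd" % pid):
                if os.readlink("/proc/%s/fd/%s" % (pid, fd)) == target:
                    return int(pid)
        except OSError:
            continue                  # process exited, or not ours to read
    return None


if __name__ == "__main__":
    # Stand-alone: report live AF_PACKET sniffers when /proc/net/packet exists.
    try:
        with open("/proc/net/packet") as fh:
            live = fh.read()
    except OSError:
        live = PROC_NET_PACKET_SAMPLE
    for row in sniffers(packet_sockets(live)):
        print("ETH_P_ALL socket uid=%d inode=%d pid=%s"
              % (row["uid"], row["inode"], pid_for_socket_inode(row["inode"])))
```

    On a live box `ss -0 -p` (run as root) reads the same table and names the process; the point of the quoted line is that `netstat -tulpn`, the check most admins reach for, never consults it.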

  14. Liar by Anonymous Coward · · Score: 2, Interesting

    If a user can read a file on a *nix system, and can write to even a *single* location, that user can execute that file.

    1) Copy the file to the location where I can write.
    2) Set the execute flag on the file.
    3) Execute the file.

    Permissions will prevent you from accessing data you don't have permission to, but will only prevent you from running an application if you can't even see it.

  15. Re:Liar by s.petry · · Score: 2

    No they can't, and I gave the example. A socket is a file, so go ahead and open up a socket on port 99 as a user. After you figure out you are wrong come back and tell me so. I don't want to rub your nose in you being incorrect, I want others to see that you are incorrect.

    If you want another example, go ahead and write and compile a piece of code that executes a shell with UID=0. This is 2 system calls, yet you won't be able to execute the shell by running your code without root access, even though you can write the source and compile the binary. The system calls are "suid()" and system() just in case you are lost. Another example would be to copy the su command to whatever location you want and let's see how quickly you can su root. The protection in this case has absolutely nothing to do with what files you can read and where you can write.

    File system protection is only 1 layer of *nix security, there is also process protection and memory protection. This does not even consider add on or additional tuning available in limits and SE *nix kernels.

    --
    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.
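    The boundaries argued over in comments 14 and 15, probed from an ordinary user account. This is an added example for this mirror, not code from the thread or from Kaspersky's report: each probe returns None on success or the errno the kernel answered with, so the bind-to-port-99, raw-socket and setuid(0) cases can be compared side by side, and the copy-then-chmod recipe is run on a constructed stand-in file in a temp directory to show what the copy does and does not buy.

```python
"""
Added example (not code from the thread or from Kaspersky's report): probes
for the privilege boundaries argued over in comments 14 and 15, runnable as
an ordinary user. Each probe returns None on success or the errno it hit.
"""
import errno
import os
import shutil
import socket
import stat
import tempfile

# The two denials an unprivileged user should expect from these probes.
EXPECTED_DENIALS = (errno.EACCES, errno.EPERM)


def running_as_root():
    return os.getuid() == 0


def _errno_of(fn):
    """Run fn(); None if it succeeded, otherwise the errno of the OSError."""
    try:
        fn()
        return None
    except OSError as exc:
        return exc.errno


def try_bind_low_port(port=99):
    """Bind a TCP listener on a port below 1024 (the 'port 99' from the thread).
    Without root or CAP_NET_BIND_SERVICE a default Linux box answers EACCES;
    containers that lower net.ipv4.ip_unprivileged_port_start allow it."""
    def attempt():
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            s.bind(("127.0.0.1", port))
    return _errno_of(attempt)


def try_raw_socket():
    """Open a raw IP socket, the primitive a sniffing implant or a SYN scanner
    needs. Requires CAP_NET_RAW; an unprivileged user gets EPERM."""
    def attempt():
        with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_TCP):
            pass
    return _errno_of(attempt)


def try_setuid_root():
    """setuid(0) from a non-root process fails with EPERM: the kernel refuses
    it regardless of which files you can read. A no-op when already root."""
    return _errno_of(lambda: os.setuid(0))


def copy_and_set_bits(payload=b"#!/bin/sh\necho copied\n"):
    """Comment 14's recipe: copy a readable file somewhere writable, chmod +x.
    The copy is executable, but the copier owns it, so even a setuid bit now
    maps to the copier's own uid; copying /bin/su gains nothing. The payload
    is a constructed stand-in for the copied program, and both files live in
    a temp dir owned by the caller."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "original")
        dst = os.path.join(work, "copy")
        with open(src, "wb") as fh:
            fh.write(payload)
        os.chmod(src, 0o644)                 # readable, not executable
        shutil.copyfile(src, dst)            # step 1: copy it
        os.chmod(dst, 0o4755)                # steps 2: +x, and ask for setuid
        st = os.stat(dst)
        return {
            "executable": bool(st.st_mode & stat.S_IXUSR),
            "owner_is_caller": st.st_uid == os.getuid(),
            "setuid_bit_set": bool(st.st_mode & stat.S_ISUID),
            "setuid_runs_as": st.st_uid,     # whoever owns the file: you
        }


def run_probes():
    """Collect every probe's result in one dict for a stand-alone run."""
    return {
        "bind_port_99": try_bind_low_port(99),
        "raw_socket": try_raw_socket(),
        "setuid_0": try_setuid_root(),
        "copy_chmod": copy_and_set_bits(),
        "root": running_as_root(),
    }


if __name__ == "__main__":
    for name, result in run_probes().items():
        print("%-12s %s" % (name, result))
```

    Run it twice, once as yourself and once under sudo, and the first three results flip from errno to None while the copy-and-chmod result stays the same: the filesystem never stopped the copy, and it is not what stands between the copy and root.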

  16. Re: kinda makes you wonder by Pieroxy · · Score: 2

    A government, like any other entity, has a tendency to grow and expand its powers and perimeter. The problem is that the government also makes the laws, which makes it the worst and most dangerous of all entities, because if it doesn't have the absolute powers it's pretty damn close.