New Multi-Purpose Backdoor Targets Linux Servers
An anonymous reader writes: A new multi-purpose Linux Trojan that opens a backdoor on the target machine and can make it participate in DDoS attacks has been discovered and analyzed by Dr. Web researchers, who believe that the Chinese hacker group ChinaZ might be behind it. "First, Linux.BackDoor.Xnote.1 sends information about the infected system to the server. It then goes into standby mode and awaits further instructions. If the command involves carrying out some task, the backdoor creates a separate process that establishes its own connection to the server through which it gets all the necessary configuration data and sends the results of the executed task," the researchers explained.
Well those certainly look like reputable links by famous 'researchers' to me! As an IT guy, I'll definitely have to go click on them so that my workstation gets infected too.
time to run windows? j/k!
You have to run the file as a system admin for it even to work. This is a non-issue joke.
The source was Dr. Web's own marketing page.
This smells like a press release (which smells coincidentally like spam).
Like AIX doesn't have vulnerabilities...
They mount a brute-force SSH attack... for real... Well, I say bring it on!
Come on!!!
What vulnerability? What port? What gets attacked?
Is there more than one vulnerability?
I wonder -- I really, really wonder. Are Slashdot "editors" getting kickbacks?
What a loaded pile of crappy advertising.
"The malware, dubbed Xnote, gets delivered on the target computer after the attackers mount a successful brute force attack and establish an SSL connection with the machine."
If someone brute-forces root-level creds on your machine, you're toast anyway, you always were.
"The malware will only be installed in a system if it has been launched with superuser (root) privileges"
aaaand i've already gone back to my tea.
any sysop worth her salt knows the rules:
0. It will build without root or not at all.
1. It will come from a repository or reputable source.
2. It will check its md5 and check it twice.
3. It will be compatible with standard secops tools like chroot, jails, cgroups, ProPolice, and SELinux. This includes sandboxing.
4. Isolate, quarantine, and deploy the secops team. Any compromised machine, any network, any server, without question.
5. Slap about with a large bit of herring or trout the dev or luser in accordance with LART policies.
Good people go to bed earlier.
Why bother with a backdoor? Just use a front door like SMB.
What a fine description of the attack vector. OMG, we are all doomed!
In Soviet Washington the swamp drains you.
"Who also know nothing about Unix/Linux"....
Who are the editors here, and have they ever even *used* a Linux distribution????
If telephones are outlawed, then only outlaws will have telephones.
What are you doing?
This is FASCINATING! Where can I buy Dr. Web antivirus for Linux? I'm seriously SOLD on this product that Dice has seen fit to advertise to me today.
THANK YOU so much!!!
I'm targeting this article with my multi-purpose back door right now.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
The linked article mistranslates the original Russian.
The vector is SSH: brute force attempts to guess the root password. The net-security article mistranslates it to SSL.
That's even worse! Oh no, an SSH brute force attack? A bot installed? I first saw that in 1996, almost 20 years ago, with Red Hat.
Yeah, real new. Probably 100 new ones invented daily. Bah.
ha ha women r dumb dumbs
In what world do competent women admins exist?
This one. The overwhelming majority of sysadmins I've seen all have boobs.
This trojan doesn't seem to do much that you couldn't also accomplish with echo "COMPROMISEDPUBLICKEY" >> ~/.ssh/authorized_keys
"A new multi-purpose Linux Trojan that opens a backdoor on the target machine and can make it participate in DDoS attacks has been discovered and analyzed by Dr. Web researchers.
.. The malware will only be installed in a system if it has been launched with superuser (root) privileges".
How does the 'Trojan' get onto the target machines?
"To spread the new Linux backdoor, dubbed Linux.BackDoor.Xnote.1, criminals mount a brute force attack to establish an SSL connection with a target machine
For fuck's sake, Slashdot, remember when this was a serious technology mag, instead of providing free adverts to some AV company?
Most Linux systems don't have root passwords anymore. Use sudo, don't allow root logins, and you are safe from those stupid 'so 1996' kind of attacks.
Non-Linux Penguins ?
I don't know how useful this information is. I run windows and a linux server at home. I don't use XNote. I use vi. Etc. Anything I install is pretty much dependable and comes from known repositories or sources. No problem. That's normal, and most Linux admins do the same. I guess that the best question is, what is the best scanner that can be used to find these things and make sure your whole network is clean?
The overwhelming majority of sysadmins I've seen all have boobs.
Manboobs don't count.
Otoh, I've seen a depressing number of sysadmins (of various OS flavors) who are boobs.
Why doesn't the summary mention to look for /bin/iptable6?
Wouldn't that be the single most important piece of information to convey? Oh. No. The single most important piece of information seems to be to plug some AV garbage.
All the talk of what it does. But how does it get in.
SSL connection ?
Can someone explain.
Sorry for my lack of understanding. I have been using Linux since 1994 for almost everything.
Regards,
Khawar Nehal
http://atrc.net.pk
It's Linux and they have used brute force and established an SSL connection. Linux is shit at the best of times, but a brute force attack, are they serious? And why are they calling it a Trojan? It's a script; it's not pretending to be something other than it is. And why would it check to find out whether it has already written a script on the computer it has used brute force on? Do they not know which computer system they have just used brute force on? Brute force is a slow, boring process. When is malware not malware? Also, like Windows, it would need to be root to do all this deleting and renaming directories and blah blah blah, so the brute force was on the root Linux account... you can attack a root account? Mind you, I know absolutely nothing about computers, I hate the fucking things! My systems automatically block brute force attacks; my HP server firewall would block the IP address for an hour automatically and e-mail me telling me of the attack and the IP address. It was not a Trojan, it was not a worm, it was a successful brute force attack.
The idea of using sudo instead of allowing ssh as root always sounded stupid to me.
If an attacker gets access to your regular user account then it is game over the next time you try to sudo from there.
It's called systemd. Many users are installing it so now there's a whole slew of linux boxen under someone else's control...
There's a lot of those ssh brute force attacks going on at the moment, although they are trying usernames other than "root" and widely distributed so you get a couple of hundred machines taking turns of just a few attempts each so that it's harder to block.
It's a problem a few years old with the recent twist being spreading out the attacks to avoid triggering "fail2ban" and other automated blocking measures.
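The evasion described in this post (a couple of hundred hosts taking turns, a few attempts each, staying under a per-IP blocker's threshold) is easiest to spot by pivoting on the targeted account rather than the source address. The following is an added example, not code from the post or from fail2ban; the sshd log lines are constructed, and the year, window length and thresholds are assumed:

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
# Constructed sample sshd log lines (not from the page): each source IP fails
# once or twice, below a typical fail2ban maxretry of 5, so a per-IP rule
# never fires, yet the same account is hammered from many hosts.
SAMPLE_LOG = """\
Feb 12 10:00:01 host sshd[1001]: Failed password for root from 203.0.113.10 port 5001 ssh2
Feb 12 10:00:03 host sshd[1002]: Failed password for root from 203.0.113.10 port 5002 ssh2
Feb 12 10:00:07 host sshd[1003]: Failed password for invalid user admin from 203.0.113.11 port 5003 ssh2
Feb 12 10:00:09 host sshd[1004]: Failed password for root from 203.0.113.11 port 5004 ssh2
Feb 12 10:00:12 host sshd[1005]: Failed password for root from 203.0.113.12 port 5005 ssh2
Feb 12 10:00:15 host sshd[1006]: Failed password for root from 203.0.113.13 port 5006 ssh2
Feb 12 10:00:20 host sshd[1007]: Accepted publickey for alice from 198.51.100.7 port 6000 ssh2
Feb 12 10:00:22 host sshd[1008]: Failed password for root from 203.0.113.14 port 5007 ssh2
"""
# Syslog timestamps carry no year; 2015 is assumed for the sample.
FAILED_RE = re.compile(r"^(\w{3} +\d+ [\d:]+) \S+ sshd\[\d+\]: Failed password for "
                       r"(?:invalid user )?(\S+) from (\S+) port")

def parse_failures(log_text, year=2015):
    """Return (timestamp, target_user, source_ip) for each failed password line."""
    out = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            out.append((ts, m.group(2), m.group(3)))
    return out

def per_ip_offenders(failures, maxretry=5):
    """fail2ban-style view: source IPs with at least maxretry failures."""
    counts = Counter(ip for _, _, ip in failures)
    return {ip for ip, n in counts.items() if n >= maxretry}

def distributed_campaigns(failures, window_s=60, min_sources=3):
    """Pivot on the target account instead of the source: flag a user when
    at least min_sources distinct IPs fail against it inside window_s."""
    by_user = defaultdict(list)
    for ts, user, ip in failures:
        by_user[user].append((ts, ip))
    flagged = {}
    for user, events in by_user.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            ips = {ip for ts, ip in events[i:] if (ts - start).total_seconds() <= window_s}
            if len(ips) >= min_sources:
                flagged[user] = len(ips)
                break
    return flagged
```

On the sample, the per-IP view reports nothing while the per-account view flags root with five distinct sources inside one minute, which is the signal worth alerting on (or feeding a root-login drop rule) when individual IPs stay quiet.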
They never are. It is the clueless users, of which there are plenty. As Linux gets more popular, it gets more of them. We have a lot where I work at a university. Grad students will decide they want to have a Linux system for something they are researching. They won't consult IT, they just go grab whatever distro they've heard of and install it. Then they start turning on every feature they can, SSH, web, etc, anything any of their software asks for or anything they think might be neat. They leave it on all the time and don't mind after it. Then it gets owned, and they are surprised.
I care about malware notices not for my own system, I've never had any case of any kind of malware since I'm vigilant in my security. I care because I work in IT and have to deal with people who are not careful. Also because the more of these infected systems there are, the shittier a place the Internet is in general.
But you have to brute force a username as well as a password. These attacks aren't in any way targeted and "root" is present everywhere. I've never seen anyone try to ssh into my machines as the user geantvert or chihowa. Have you?
If you want a vision of the future, imagine a youtube comments section scrolling - forever.
It's 2015. It's like the 80s called and wants vmd vmx multicore containers back.
chihowa writes:
But you have to brute force a username as well as a password. These attacks aren't in any way targeted and "root" is present everywhere. I've never seen anyone try to ssh into my machines as the user geantvert or chihowa. Have you?
Well, not before today...
The last part of the whole blurb was important: It's also good to know that Xnote gets installed on a target machine only if it's been launched with root privileges.
You have to go and get the software and install it on your local machine, then run it with root privileges. Running unknown software as root. WTF? All of the things it can do, you can also do from any common shell. If you gave it access, then it could just be a shell script and do all of that. And you don't have to be overly bright to write something that does all of that. Thanks for the heads up though. It's like the Linux virii that have been around forever. You have to download them yourself, give them execute permissions, then run them as root in order for them to be dangerous. I think this is why most distributions have verification, data/file checksums, and security.
I've been reading /. since it first showed up on the web. Crap "submissions" are getting too common. It's one thing for the posts to become less and less relevant, but for them to turn into outright SPAM? I hate to say it, but I think it's past time to move on.
What is the exposure by which the Trojan is actually planted, and how does it differ from any other trojan? If this is not a BackDoor, then it's not a news item and deserves to be taken off the site.
Time for a new political party in the US (or two!). One is off the rails; the other can't pony up a leader.
Good luck guessing with major distros defaulting to "PermitRootLogin no" nowadays.
So that is only an additional layer of security by obscurity. Still not convinced!
Google Translate translates it correctly to SSH.
Dr. Web, such good "researchers" they can't even translate their own shit.
Atari rules... ermm... ruled.
just renamed all my "root" users to "admin" :-)
Try to brute-force that!
Maybe I should rename to "Ht695rdwP"
Guest? :P
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
... in other words, yet another instance of a human being exploited and not the machine. This issue is OS independent; if you have shit for brains, your machine will be taken over. It's that simple.
Good security includes such layers (but doesn't rely only on them). It's entirely effective against non-targeted automated attacks, which comprise well over 99% of the attacks your network will face. (Of course, a good password or key based auth is just as effective. A good password or key and no root login is more effective.) Allowing root login adds another attack opportunity with predictable parameters. It's all about minimizing the surface open to attack.
Since >99% of all ssh attacks on the internet are automated and target root, you can drop (or tarpit or whatever) all of those attempts without affecting legitimate users. This leaves your attention free to address the attacks that are actually dangerous (and leaves your logs less cluttered or easily filtered).
Look at it another way... what do you gain, security wise, from allowing a superuser to login directly from the network? Especially when most of the attacks you see are trying to log in directly as that superuser.
[As an aside, "security by obscurity" gets a bad rap and the term is often bandied about as a self-evident truth like "correlation is not causation". "Security by obscurity" refers to keeping the design of an implementation secret, not to using secrets in your implementation (is having a password security by obscurity?).
Depending only on obscurity is poor security, but using obscurity as a layer (where it's effective) in a larger security process can be extremely effective. Schneier has a good essay on this subject.]
That you think having boobs makes one a woman suggests that you have met very few sys admins. Otherwise, you would be able to recall a disgusting number of counterexamples.