Slashdot Mirror


New Multi-Purpose Backdoor Targets Linux Servers

An anonymous reader writes A new multi-purpose Linux Trojan that opens a backdoor on the target machine and can make it participate in DDoS attacks has been discovered and analyzed by Dr. Web researchers, who believe that the Chinese hacker group ChinaZ might be behind it. "First, Linux.BackDoor.Xnote.1 sends information about the infected system to the server. It then goes into standby mode and awaits further instructions. If the command involves carrying out some task, the backdoor creates a separate process that establishes its own connection to the server through which it gets all the necessary configuration data and sends the results of the executed task," the researchers explained.


  1. i must click dem! by sneakyimp · · Score: 5, Funny

    Well those certainly look like reputable links by famous 'researchers' to me! As an IT guy, I'll definitely have to go click on them so that my workstation gets infected too.

    1. Re:i must click dem! by jellomizer · · Score: 4, Insightful

      If you are a Windows Administrator who happens to get dumped with the odd Linux server, Xnote may seem like a good option for a text editor, not as scary-sounding as things like:
      vi/vim (Ok you got in... Now why can't I type!, or vi short for Virus Infestation)
      emacs (This sounds like a Macintosh emulator to me)
      nano (Disk Compression tool?)

      Windows Admins are used to Notepad being the default text editor. XNote may be a good pick to choose.

      With us living in a mostly Linux world, the idea that there are professionals that don't know much about Linux is hard to imagine, but they are there. And sometimes they will get dumped a Linux box to manage, even if they don't know much about it.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    2. Re:i must click dem! by Anonymous Coward · · Score: 1

      From the linked article:

      "It's also good to know that Xnote gets installed on a target machine only if it's been launched with root privileges"

    3. Re:i must click dem! by arth1 · · Score: 1

      Or notepad2 if you don't want bloatware.
      Or just install cygwin and use red like Ken intended.

    4. Re:i must click dem! by puzzled_decoy · · Score: 1

      XNote also sounds very similar to XPad, which is a really useful note-taking utility.

    5. Re:i must click dem! by wonkey_monkey · · Score: 1

      Pah. Programmer's Notepad, you rebel scum!

      --
      systemd is Roko's Basilisk.
    6. Re:i must click dem! by mlts · · Score: 1

      SSL connections out or in? Most machines (other than webservers) should not be accepting SSL connections from the Internet.

      SSL connections out are a different story. For general Web browsing, running a browser without a sandbox, VM, or both is going to get one nailed, no matter what the OS. Even on Android, there are sites which try to foist "securityupdate.apk" on the user.

    7. Re:i must click dem! by cyberchondriac · · Score: 1

      Or UltraEdit, but it's not free.

      --

      Look back up at my post, now look back down, you're on the Internet. Now look back up. I'm a signature.
    8. Re:i must click dem! by arth1 · · Score: 1

      Or use a USB key formatted to NTFS.

    9. Re:i must click dem! by sneakyimp · · Score: 1

      In any case, clicking links to a honeypot will only help the hackers find you more quickly.

    10. Re:i must click dem! by drinkypoo · · Score: 2

      gvim FTW! It is the bridge. I had already figured out the vi basics before it existed, but it's still cool.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    11. Re:i must click dem! by morgauxo · · Score: 1

      "professionals that don't know much about Linux is hard to imagine, but they are there"

      Well, yah ya know... it's not like they haven't had 20 years or so to catch up. I mean... Linux just took over everything in a single night!

    12. Re:i must click dem! by citizenr · · Score: 1

      If you are a Windows Administrator who happens to get dumped with the odd Linux server, Xnote may seem like a good option for a text editor, not as scary-sounding as things like:
      vi/vim (Ok you got in... Now why can't I type!, or vi short for Virus Infestation)
      emacs (This sounds like a Macintosh emulator to me)
      nano (Disk Compression tool?)

      Windows Admins are used to Notepad being the default text editor. XNote may be a good pick to choose.

      There is always Midnight Commander editor (mcedit) for such idiots like me (hate vi, will never touch emacs).

      --
      Who logs in to gdm? Not I, said the duck.
  2. HAHA by Anonymous Coward · · Score: 2, Informative

    You have to run the file as a system admin for it even to work. This is a non issue joke.

    1. Re:HAHA by jellomizer · · Score: 4, Insightful

      The sys-admin is actually a Windows Admin with a Linux box... He doesn't know better.

      The system was set up by the boss's kid nephew who is good with computers, and gives everyone admin access because he doesn't know how to manage permissions.

      Lazy administrators tired of fixing permissions just give everyone root access...

      Sure we can make fun of the people and say due to their neglect it is their own damn fault... But once it gets in, the damage is real.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    2. Re:HAHA by Anonymous Coward · · Score: 1

      That doesn't make it any less their fault.

      "He doesn't know better?" Then he shouldn't be in charge of someone's equipment and security, someone who knows better does. Period.

      "Lazy administrators tired of fixing permissions just gives everyone root access?" I've never heard of a single instance of any server administrator giving root access to everybody to get around file permission issues. Not once, ever. If that's the sort of thing you or the people who employ you are doing, see the first point.

      "But once it gets in, the damage is real." Yes it is. It's also damage that could have been avoided if the system admin in question got a clue and actually read up on securing the system they're responsible for.

      Keep making as many excuses as you want for incompetent system admins, there is no excuse for an incompetent system admin. If you _have_ an incompetent system admin, you'll wind up having problems with things like this. Things that wouldn't have affected you if the person responsible for your security actually had a sweet clue what they're doing.

      As for your "boss's nephew" example...yeah, that kind of stupidity doesn't even deserve sympathy. If he's "good with computers" then he knows better than to give anyone root access, no? If he's good with computers, servers in particular, he should have more than enough knowledge about permissions and how to manage them without giving "everyone admin access", no? You contradict yourself in your own example. The boss's nephew shouldn't be setting up a company server if he doesn't know what he's doing and neither should anyone else. If said nephew claims to be "good with computers" yet doesn't understand something as fundamental as file system permissions, he's lying through his teeth about being good with computers. He is most certainly _NOT_ good with computers and shouldn't be setting up anything other than his own desktop PC to play games on, because no system admin worth their salt gives out admin access to anybody and everybody just because it took too much effort to do it properly.

      Every single one of your examples is an example of someone who "doesn't know better" and you completely fail at adequately explaining why anyone who "doesn't know better" should be in charge of a mission-critical corporate server. Windows admin that gets lumbered with a Linux box? READ A BOOK for fuck's sake. Hell, read the documentation that comes with the distribution, they've been doing that for quite a while now if you weren't already aware. There is simply NO EXCUSE for having someone administer your systems when they don't know how to do the job. You wouldn't hire someone to be a surgeon if they didn't know how to make an incision, you shouldn't be hiring a system admin that doesn't know how to secure a system.

    3. Re:HAHA by bobbied · · Score: 1

      If you don't mind running my installer as a Windows admin, I bet I can own your box in short order.... Linux is no different. Don't log in as root, just like you don't use your Windows admin account..... You don't, right????

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
  3. Researchers? by JoeIsuzu83 · · Score: 5, Informative

    The source was Dr. Web's own marketing page.

    This smells like a press release (which smells coincidentally like spam).

    1. Re:Researchers? by sneakyimp · · Score: 2

      And spam smells suspiciously like malware which smells a lot like exploit.

  4. Quakin' in me booties by Anonymous Coward · · Score: 1

    They mount a bruteforce SSH attack.. for real.. Well, I say bring it on!

    1. Re:Quakin' in me booties by coop247 · · Score: 1

      Breaking news: If someone gets root access they can install things. Also breaking: bad guys will try to login with root.

      --
      //TODO: Insert catchy phrase
    2. Re:Quakin' in me booties by bobbied · · Score: 1

      Microsoft shills say "Cannot Happen on Windows!" Investigative reports on Evil Linux Admins...

      Film at 11!

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
  5. Come on! by Anonymous Coward · · Score: 5, Interesting

    Come on!!!

    What vulnerability? What port? What gets attacked?

    Is there more than one vulnerability?

    I wonder -- I really, really wonder. Are Slashdot "editors" getting kickbacks?

    What a loaded pile of crappy advertising.

    1. Re:Come on! by drinkypoo · · Score: 1

      I wonder -- I really, really wonder. Are Slashdot "editors" getting kickbacks?

      Editors getting kickbacks? Only if they are getting paid. Slashdot has paid staff editors, so yes. Every paid staff editor is effectively getting paid by Slashdot hosting these slashvertisements.

      Welcome to modern journalism!

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:Come on! by bobbied · · Score: 1

      Come on!!!

      What vulnerability? What port? What gets attacked?

      Is there more than one vulnerability?

      I wonder -- I really, really wonder. Are Slashdot "editors" getting kickbacks?

      What a loaded pile of crappy advertising.

      There you go, thinking like a Windows administrator....Thinking about $...

      Somehow they break in, manage to get root, and then, oh gasp, they install something you don't want... Yea, Linux suffers from that kind of thing...

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
  6. if they get you, they get you by Anonymous Coward · · Score: 1, Insightful

    "The malware, dubbed Xnote, gets delivered on the target computer after the attackers mount a successful brute force attack and establish an SSL connection with the machine."

    If someone brute-forces root-level creds on your machine, you're toast anyway, you always were.

  7. Re: ok by Anonymous Coward · · Score: 2, Insightful

    OpenBSD has always supported networking.

  8. slow day on slashdot, by nimbius · · Score: 4, Informative

    "The malware will only be installed in a system if it has been launched with superuser (root) privileges"

    aaaand i've already gone back to my tea.

    any sysop worth her salt knows the rules:
    0. It will build without root or not at all.
    1. It will come from a repository or reputable source.
    2. It will check its md5 and check it twice.
    3. It will be compatible with standard secops tools like chroot, jails, cgroups, propolice, and selinux. this includes sandboxing.
    4. Isolate, quarantine, and deploy the secops team. any compromised machine, any network, any server without question.
    5. Slap about with a large bit of herring or trout the dev or luser in accordance with LART policies.

    --
    Good people go to bed earlier.
    1. Re:slow day on slashdot, by Anonymous Coward · · Score: 1

      Aaaand, this is why nobody uses Linux. All that just to install a program isn't going to help transition any new users over from other OSes.

    2. Re:slow day on slashdot, by bobbied · · Score: 1

      "0. It will build without root or not at all."

      We look after 12 'off the shelf' unix systems which are supplied as is and supported by the supplier.

      For these machines to work as intended they need:
      - network access (with rsh and ftp enabled)
      - root access and privileges for anything and everything

      The real kicker? Every one of these boxes in use (globally) has the same root password! You are free to change it, however this will then brick the server . . . . .

      It goes without saying that the supplier of these boxes quite literally doesn't know jack about Linux security.... But, as long as you are forced to use them, make sure you have that CYA document that says you routinely objected to the lax security settings, signed by as many "higher ups" as you can manage... Not that it will help when the inevitable happens and they are looking for someone to blame/fire....

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    3. Re:slow day on slashdot, by schitso · · Score: 1

      Can't tell if troll, or stupid.

  9. So many holes in Linux systems.. by Anonymous Coward · · Score: 1

    Why bother with a backdoor? Just use a front door like SMB.

    1. Re:So many holes in Linux systems.. by deek · · Score: 2

      Actually, it's pretty simple to stop SystemD from listening on network ports. It's called "socket activation". Look it up. It's pretty neat. All you need to do is stop the specific socket service, and then edit the appropriate socket file.

      You'll also be interested to know that the Debian install of SystemD doesn't use socket activation by default. Not yet, anyway.

      As for systemd security auditing, from what I've heard, the people at Redhat run the source code through various tools designed to pick out bugs. Also, I've read of at least one person doing an independent audit of the code. I presume there would be many more than that. So, as far as security testing is concerned, it's far from having nothing done.

      There's always a workaround. Even for SystemD.

    2. Re:So many holes in Linux systems.. by deek · · Score: 1

      My turn to say "huh?"

      The post I replied to was talking about SystemD listening on network ports. In that context, socket activation _is_ everything. Any bug in the network listening code of SystemD cannot be triggered, if the software ain't listening in the first place.

      Honestly, kids these days. I blame the music they listen to. Turns the brain to mush.

  10. Awesome TFA by mi · · Score: 1

    The malware, dubbed Xnote, gets delivered on the target computer after the attackers mount a successful brute force attack and establish an SSL connection with the machine.

    What a fine description of the attack vector. OMG, we are all doomed!

    --
    In Soviet Washington the swamp drains you.
    1. Re:Awesome TFA by JohnVanVliet · · Score: 1

      quick everyone change the old SSL password from
      Pas: password
      to the NEW password
      Pas: password1234

      --
      "I don't pitch OpenSUSE Linux to my friends, i let Microsoft do it for me
  11. News for nerd.... by tekrat · · Score: 2

    "Who also know nothing about Unix/Linux"....

    Who are the editors here, and have they ever even *used* a linux distribution????

    --
    If telephones are outlawed, then only outlaws will have telephones.
  12. Fascinating!! by EmagGeek · · Score: 1

    This is FASCINATING! Where can I buy Dr. Web antivirus for Linux? I'm seriously SOLD on this product that Dice has seen fit to advertise to me today.

    THANK YOU so much!!!

  13. I'm targeting this article by drinkypoo · · Score: 1

    I'm targeting this article with my multi-purpose back door right now.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    1. Re:I'm targeting this article by drinkypoo · · Score: 2

      That would have been funnier if you didn't refer to your "back door" as "Multi Purpose" :-0

      At minimum, it passes solids, liquids, and gases... and sometimes, you'd swear, plasma. I call that multi-purpose.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  14. Re:Attack vector Port is SSH (22), passwd guessing by Anonymous Coward · · Score: 5, Informative

    The linked article mistranslates the original Russian.

    The vector is SSH, brute force attempts to guess the root password. The net-security article mistranslates it to SSL.

  15. Re:"her" by Anonymous Coward · · Score: 1

    In what world do competent women admins exist?

    This one. The overwhelming majority of sysadmins I've seen all have boobs.

  16. Remember when /. was a serious technology mag .. by lippydude · · Score: 5, Insightful

    "A new multi-purpose Linux Trojan that opens a backdoor on the target machine and can make it participate in DDoS attacks has been discovered and analyzed by Dr. Web researchers.

    How does the 'Trojan' get onto the target machines?

    "To spread the new Linux backdoor, dubbed Linux.BackDoor.Xnote.1, criminals mount a brute force attack to establish an SSL connection with a target machine .. The malware will only be installed in a system if it has been launched with superuser (root) privileges".

    For fuck's sake, Slashdot, remember when this was a serious technology mag, instead of providing free adverts to some AV company.

  17. Re:Attack vector Port is SSH (22), passwd guessing by dargaud · · Score: 1, Informative

    Most Linux systems don't have root passwords anymore. Use sudo, don't allow root logins and you are safe from those stupid 'so 1996' kind of attacks.

    --
    Non-Linux Penguins ?
  18. Re:ok by unixisc · · Score: 1

    No, the BSDs instead. Particularly OpenBSD for this one, although FreeBSD may be just as good

  19. No mention of the path to the trojan? by nyet · · Score: 1

    Why doesn't the summary mention to look for /bin/iptable6?

    Wouldn't that be the single most important piece of information to convey? Oh. No. The single most important piece of information seems to be to plug some AV garbage.

  20. Re:ok by bobbied · · Score: 1

    Successful ones will indeed be much better...

    However, not allowing root logins, not running services as root, and keeping things in chroot jails makes the task of the virus writer so much more difficult, even if you get escalated to root on some buffer overflow, injection attack or something. Not to mention, Linux distributions seem to have a lot of different ideas about how and where the configuration files live, what init process they want to run and the default security settings they use for the various services...

    Taking all that into account will be some feat...

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
  21. Re:Attack vector Port is SSH (22), passwd guessing by geantvert · · Score: 1

    The idea of using sudo instead of allowing ssh as root always sounded stupid to me.
    If an attacker gets access to your regular user account then it is game over the next time you try to sudo from there.


  22. Linux users mass-installing the exploit... by dark.nebulae · · Score: 1

    It's called systemd. Many users are installing it so now there's a whole slew of linux boxen under someone else's control...

  23. Re:Attack vector Port is SSH (22), passwd guessing by dbIII · · Score: 1

    There's a lot of those ssh brute force attacks going on at the moment, although they are trying usernames other than "root" and widely distributed, so you get a couple of hundred machines taking turns at just a few attempts each so that it's harder to block.
    It's a problem a few years old with the recent twist being spreading out the attacks to avoid triggering "fail2ban" and other automated blocking measures.
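The distributed, low-and-slow pattern dbIII describes is exactly what a per-address blocker such as fail2ban is designed not to see: each source stays under the retry limit, so nothing trips. The following is an added example, not code from the thread or from any of the projects named in it, that looks at the problem from the other direction: it groups failed sshd logins by the username being attacked rather than by source address and alerts when many distinct addresses hit the same account inside a window. The log lines, host name, PIDs and addresses are constructed for the example (documentation IP ranges), the year supplied for the year-less syslog timestamps is an assumption, and the per-source cap of 5 is only the assumed fail2ban default maxretry.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd lines in syslog format. Hostname, PIDs and
# addresses (RFC 5737 documentation ranges) are made up for this example.
SAMPLE_LOG = """\
Feb 17 10:00:01 web1 sshd[1201]: Failed password for root from 198.51.100.10 port 50110 ssh2
Feb 17 10:00:09 web1 sshd[1204]: Failed password for root from 198.51.100.10 port 50112 ssh2
Feb 17 10:00:31 web1 sshd[1210]: Failed password for root from 198.51.100.23 port 41022 ssh2
Feb 17 10:01:02 web1 sshd[1215]: Failed password for root from 203.0.113.7 port 38871 ssh2
Feb 17 10:01:44 web1 sshd[1219]: Failed password for root from 203.0.113.8 port 38902 ssh2
Feb 17 10:02:10 web1 sshd[1222]: Failed password for root from 203.0.113.9 port 39011 ssh2
Feb 17 10:02:55 web1 sshd[1230]: Failed password for root from 192.0.2.77 port 60001 ssh2
Feb 17 10:03:20 web1 sshd[1231]: Failed password for invalid user admin from 192.0.2.78 port 60044 ssh2
Feb 17 10:03:40 web1 sshd[1240]: Accepted publickey for deploy from 192.0.2.5 port 52210 ssh2
Feb 17 10:04:12 web1 sshd[1244]: Failed password for root from 198.51.100.44 port 50999 ssh2
"""

# OpenSSH logs unknown accounts as "invalid user <name>"; both forms are matched.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_failures(text, year=2015):
    """Return (timestamp, username, source) for every failed-password line.
    Syslog timestamps carry no year, so one is supplied (assumed 2015 here)."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
            events.append((ts, m["user"], m["src"]))
    return events


def detect_distributed(events, window=timedelta(minutes=10), min_sources=5, per_source_cap=5):
    """Flag usernames hit from >= min_sources distinct addresses within one window.

    per_source_cap is the per-address failure count a naive per-IP blocker is
    assumed to need before it acts (fail2ban's default maxretry is 5). The alert
    records whether every source stayed below it, i.e. whether per-IP blocking
    alone would have missed the campaign.
    """
    recent = defaultdict(list)   # username -> [(ts, src)] inside the window
    alerts = {}
    for ts, user, src in sorted(events):
        bucket = recent[user]
        bucket.append((ts, src))
        bucket[:] = [e for e in bucket if ts - e[0] <= window]
        per_src = defaultdict(int)
        for _, s in bucket:
            per_src[s] += 1
        if len(per_src) >= min_sources:
            # Keep the largest snapshot seen for this username.
            if user not in alerts or len(per_src) >= alerts[user]["sources"]:
                alerts[user] = {
                    "sources": len(per_src),
                    "attempts": len(bucket),
                    "max_per_source": max(per_src.values()),
                    "evades_per_ip_blocking": max(per_src.values()) < per_source_cap,
                    "first_seen": bucket[0][0],
                    "last_seen": ts,
                }
    return alerts


if __name__ == "__main__":
    for user, a in detect_distributed(parse_failures(SAMPLE_LOG)).items():
        print(f"{user}: {a['attempts']} failures from {a['sources']} addresses "
              f"between {a['first_seen']:%H:%M:%S} and {a['last_seen']:%H:%M:%S}; "
              f"max {a['max_per_source']} per address"
              f"{' (below per-IP blocking threshold)' if a['evades_per_ip_blocking'] else ''}")
```

On the sample, the root account is flagged after the fifth distinct address even though no single address fails more than twice, which is the case per-IP blocking misses; the single attempt against "admin" stays below the threshold. The response this enables is account-side (rate-limiting or alerting on the targeted account, or simply not exposing a predictable one) rather than address-side.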

  24. Sysops worth their salt aren't the issue by Sycraft-fu · · Score: 1

    They never are. It is the clueless users, of which there are plenty. As Linux gets more popular, it gets more of them. We have a lot where I work at a university. Grad students will decide they want to have a Linux system for something they are researching. They won't consult IT, they just go grab whatever distro they've heard of and install it. Then they start turning on every feature they can, SSH, web, etc, anything any of their software asks for or anything they think might be neat. They leave it on all the time and don't mind after it. Then it gets owned, and they are surprised.

    I care about malware notices not for my own system, I've never had any case of any kind of malware since I'm vigilant in my security. I care because I work in IT and have to deal with people who are not careful. Also because the more of these infected systems there are, the shittier a place the Internet is in general.

  25. Re:Attack vector Port is SSH (22), passwd guessing by chihowa · · Score: 1

    But you have to brute force a username as well as a password. These attacks aren't in any way targeted and "root" is present everywhere. I've never seen anyone try to ssh into my machines as the user geantvert or chihowa. Have you?

    --
    If you want a vision of the future, imagine a youtube comments section scrolling - forever.
  26. Re:Attack vector Port is SSH (22), passwd guessing by cstacy · · Score: 1

    chihowa writes:
    But you have to brute force a username as well as a password. These attacks aren't in any way targeted and "root" is present everywhere. I've never seen anyone try to ssh into my machines as the user geantvert or chihowa. Have you?

    Well, not before today...

  27. Please clarify the exposure or remove by See+Attached · · Score: 1

    What is the exposure by which the Trojan is actually planted, and how does it differ from any other trojan? If this is not a BackDoor, then it's not a news item and deserves to be taken off the site.

    --
    Time for a new Political party in the US (or two!) One is off the rails Other cant pony up a leader.
  28. Re:Attack vector Port is SSH (22), passwd guessing by maestroX · · Score: 1

    Good luck guessing with major distros defaulting to "PermitRootLogin no" nowadays.

  29. Re:Attack vector Port is SSH (22), passwd guessing by geantvert · · Score: 1

    So that is only an additional layer of security by obscurity. Still not convinced!

  30. Re:Attack vector Port is SSH (22), passwd guessing by Gunstick · · Score: 1

    Google Translate translates it correctly to SSH

    DrWeb, such good "researchers" they can't even translate their own shit

    --
    Atari rules... ermm... ruled.
  31. Re:Attack vector Port is SSH (22), passwd guessing by Gunstick · · Score: 1

    just renamed all my "root" users to "admin" :-)
    Try to bruteforce that!
    Maybe I should rename to "Ht695rdwP"

    --
    Atari rules... ermm... ruled.
  32. Re:Attack vector Port is SSH (22), passwd guessing by antdude · · Score: 1

    Guest? :P

    --
    Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  33. Re:Attack vector Port is SSH (22), passwd guessing by chihowa · · Score: 1

    Good security includes such layers (but doesn't rely only on them). It's entirely effective against non-targeted automated attacks, which comprise well over 99% of the attacks your network will face. (Of course, a good password or key based auth is just as effective. A good password or key and no root login is more effective.) Allowing root login adds another attack opportunity with predictable parameters. It's all about minimizing the surface open to attack.

    Since >99% of all ssh attacks on the internet are automated and target root, you can drop (or tarpit or whatever) all of those attempts without affecting legitimate users. This leaves your attention free to address the attacks that are actually dangerous (and leaves your logs less cluttered or easily filtered).

    Look at it another way... what do you gain, security wise, from allowing a superuser to login directly from the network? Especially when most of the attacks you see are trying to log in directly as that superuser.

    [As an aside, "security by obscurity" gets a bad rap and the term is often bandied about as a self-evident truth like "correlation is not causation". "Security by obscurity" refers to keeping the design of an implementation secret, not to using secrets in your implementation (is having a password security by obscurity?).

    Depending only on obscurity is poor security, but using obscurity as a layer (where it's effective) in a larger security process can be extremely effective. Schneier has a good essay on this subject.]

    --
    If you want a vision of the future, imagine a youtube comments section scrolling - forever.
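The settings argued over in this sub-thread (maestroX's "PermitRootLogin no", chihowa's point that allowing direct root login adds an attack opportunity with predictable parameters) are plain sshd_config keywords, and the quickest way to know where a box stands is to check the file. The following is an added example, not code from the thread or from OpenSSH, that parses the global section of an sshd_config and reports the weak settings discussed above. The two config fragments are constructed; the assumed defaults for absent keywords are those of OpenSSH 7.0 and later, where PermitRootLogin defaults to prohibit-password (older releases defaulted to yes), and the parser follows sshd's own rules that the first occurrence of a keyword wins and that everything after a Match line belongs to that block.

```python
# Constructed sshd_config fragments. The "weak" one shows the settings the
# thread warns about; the hardened one is what it recommends.
WEAK_CONFIG = """\
# root may log in over the network and passwords are accepted
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 10
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
"""

# Values sshd uses when a keyword is absent. Assumption: OpenSSH 7.0 or later,
# where PermitRootLogin defaults to prohibit-password (earlier releases: yes).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "maxauthtries": "6",
}


def parse_sshd_config(text):
    """Map lower-cased keyword -> value for the global section of an sshd_config.

    Two sshd rules matter for an audit: the FIRST occurrence of a keyword wins
    (a later 'PermitRootLogin yes' does not override an earlier 'no'), and every
    line after a Match block belongs to that block, so parsing stops there.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)   # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":
            break
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings


def effective(settings, key):
    """Value in force for key, falling back to the assumed compiled-in default."""
    return settings.get(key, DEFAULTS.get(key, ""))


def audit(text):
    """Return (keyword, effective value, finding) for each weak setting found."""
    s = parse_sshd_config(text)
    findings = []
    root = effective(s, "permitrootlogin").lower()
    if root == "yes":
        findings.append(("PermitRootLogin", root,
                         "root can authenticate directly over the network, including by password"))
    elif root in ("prohibit-password", "without-password", "forced-commands-only"):
        findings.append(("PermitRootLogin", root,
                         "direct root login still possible with a key; 'no' plus sudo removes the predictable target"))
    pw = effective(s, "passwordauthentication").lower()
    if pw == "yes":
        findings.append(("PasswordAuthentication", pw,
                         "password guessing is possible; use key-based authentication"))
    tries = effective(s, "maxauthtries")
    if not tries.isdigit() or int(tries) > 6:
        findings.append(("MaxAuthTries", tries,
                         "more guesses per connection than the default of 6"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        found = audit(cfg)
        print(f"{name}: {len(found)} finding(s)")
        for keyword, value, why in found:
            print(f"  {keyword} {value}: {why}")
```

Run against a real file with `audit(open("/etc/ssh/sshd_config").read())`. Note that an empty or commented-out config is not clean: with the assumed defaults it still reports PermitRootLogin prohibit-password and PasswordAuthentication yes, which is the state chihowa's argument is about, a predictable account reachable with a guessable secret.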