Slashdot Mirror


New Multi-Purpose Backdoor Targets Linux Servers

An anonymous reader writes A new multi-purpose Linux Trojan that opens a backdoor on the target machine and can make it participate in DDoS attacks has been discovered and analyzed by Dr. Web researchers, who believe that the Chinese hacker group ChinaZ might be behind it. "First, Linux.BackDoor.Xnote.1 sends information about the infected system to the server. It then goes into standby mode and awaits further instructions. If the command involves carrying out some task, the backdoor creates a separate process that establishes its own connection to the server through which it gets all the necessary configuration data and sends the results of the executed task," the researchers explained.

15 of 98 comments

  1. i must click dem! by sneakyimp · · Score: 5, Funny

    Well those certainly look like reputable links by famous 'researchers' to me! As an IT guy, I'll definitely have to go click on them so that my workstation gets infected too.

    1. Re:i must click dem! by jellomizer · · Score: 4, Insightful

      If you are a Windows Administrator who happens to get dumped with the odd Linux server, Xnote may seem like a good option for a text editor. Not as scary-sounding as things like:
      vi/vim (Ok you got in... Now why can't I type!, or vi short for Virus Infestation)
      emacs (This sounds like a Macintosh emulator to me)
      nano (Disk Compression tool?)

      Windows Admins are used to Notepad being the default text editor. XNote may be a good pick to choose.

      With us living in a mostly Linux world, the idea that there are professionals that don't know much about Linux is hard to imagine, but they are there. And sometimes they will get dumped a Linux box to manage, even if they don't know much about it.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    2. Re:i must click dem! by drinkypoo · · Score: 2

      gvim FTW! It is the bridge. I had already figured out the vi basics before it existed, but it's still cool.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  2. HAHA by Anonymous Coward · · Score: 2, Informative

    You have to run the file as a system admin for it even to work. This is a non issue joke.

    1. Re:HAHA by jellomizer · · Score: 4, Insightful

      The sys-admin is actually a Windows Admin with a Linux box... He doesn't know better.

      The system was set up by the boss's kid nephew who is good with computers, who gives everyone admin access because he doesn't know how to manage permissions.

      Lazy administrators tired of fixing permissions just give everyone root access...

      Sure we can make fun of the people and say due to their neglect it is their own damn fault... But once it gets in, the damage is real.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  3. Researchers? by JoeIsuzu83 · · Score: 5, Informative

    The source was Dr. Web's own marketing page.

    This smells like a press release (which smells coincidentally like spam).

    1. Re:Researchers? by sneakyimp · · Score: 2

      And spam smells suspiciously like malware which smells a lot like exploit.

  4. Come on! by Anonymous Coward · · Score: 5, Interesting

    Come on!!!

    What vulnerability? What port? What gets attacked?

    Is there more than one vulnerability?

    I wonder -- I really, really wonder. Are Slashdot "editors" getting kickbacks?

    What a loaded pile of crappy advertising.

  5. Re: ok by Anonymous Coward · · Score: 2, Insightful

    OpenBSD has always supported networking.

  6. slow day on slashdot, by nimbius · · Score: 4, Informative

    "The malware will only be installed in a system if it has been launched with superuser (root) privileges"

    aaaand i've already gone back to my tea.

    any sysop worth her salt knows the rules:
    0. It will build without root or not at all.
    1. It will come from a repository or reputable source.
    2. It will check its md5 and check it twice.
    3. It will be compatible with standard secops tools like chroot, jails, cgroups, propolice, and selinux. This includes sandboxing.
    4. Isolate, quarantine, and deploy the secops team. any compromised machine, any network, any server without question.
    5. Slap about with a large bit of herring or trout the dev or luser in accordance with LART policies.

    --
    Good people go to bed earlier.
  7. News for nerd.... by tekrat · · Score: 2

    "Who also know nothing about Unix/Linux"....

    Who are the editors here, and have they ever even *used* a linux distribution????

    --
    If telephones are outlawed, then only outlaws will have telephones.
  8. Re:Attack vector Port is SSH (22), passwd guessing by Anonymous Coward · · Score: 5, Informative

    The linked article mistranslates the original Russian.

    The vector is SSH, brute force attempts to guess the root password. The net-security article mistranslates to SSL.
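
A defender's view of the SSH brute-force vector the comment describes, as an added example that is not part of the original thread or of Dr. Web's analysis: it parses constructed OpenSSH auth.log lines (sample data, not real), counts failed root password attempts per source address, and flags a source whose run of failures ends in a successful root password login.

```python
import re
from collections import defaultdict

# Constructed sample of OpenSSH auth.log lines (not taken from the page or from Dr. Web's report).
SAMPLE_LOG = """\
Feb 16 10:01:02 srv sshd[1201]: Failed password for root from 203.0.113.7 port 50212 ssh2
Feb 16 10:01:05 srv sshd[1203]: Failed password for root from 203.0.113.7 port 50214 ssh2
Feb 16 10:01:09 srv sshd[1205]: Failed password for root from 203.0.113.7 port 50219 ssh2
Feb 16 10:01:12 srv sshd[1207]: Failed password for invalid user admin from 198.51.100.4 port 40001 ssh2
Feb 16 10:01:15 srv sshd[1209]: Failed password for root from 203.0.113.7 port 50223 ssh2
Feb 16 10:01:20 srv sshd[1211]: Accepted password for root from 203.0.113.7 port 50230 ssh2
Feb 16 10:02:00 srv sshd[1213]: Failed password for alice from 192.0.2.9 port 33000 ssh2
Feb 16 10:02:30 srv sshd[1215]: Accepted publickey for alice from 192.0.2.9 port 33001 ssh2
"""

# Matches both outcomes sshd logs for an authentication attempt, including the
# "invalid user" prefix sshd adds for accounts that do not exist.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)"
)

def summarize(log_text):
    """Per source address: number of failed root logins and whether root later got in by password."""
    stats = defaultdict(lambda: {"failed_root": 0, "root_pw_success": False})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("user") != "root":
            continue  # only root attempts matter for this vector
        src = m.group("src")
        if m.group("result") == "Failed":
            stats[src]["failed_root"] += 1
        elif m.group("method") == "password":
            stats[src]["root_pw_success"] = True
    return dict(stats)

def flag_sources(log_text, threshold=3):
    """Sources with at least `threshold` failed root logins; 'compromised' if a password login then succeeded."""
    flagged = {}
    for src, s in summarize(log_text).items():
        if s["failed_root"] >= threshold:
            flagged[src] = "compromised" if s["root_pw_success"] else "brute_force"
    return flagged

if __name__ == "__main__":
    for src, verdict in flag_sources(SAMPLE_LOG).items():
        print(f"{src}: {verdict}")
```

Setting `PermitRootLogin no` (or `prohibit-password`) in sshd_config closes the password path this detection watches for, so the alert should normally never fire on a hardened host.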

  9. Re:I'm targeting this article by drinkypoo · · Score: 2

    That would have been funnier if you didn't refer to your "back door" as "Multi Purpose" :-0

    At minimum, it passes solids, liquids, and gases... and sometimes, you'd swear, plasma. I call that multi-purpose.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  10. Remember when /. was a serious technology mag .. by lippydude · · Score: 5, Insightful

    "A new multi-purpose Linux Trojan that opens a backdoor on the target machine and can make it participate in DDoS attacks has been discovered and analyzed by Dr. Web researchers."

    How does the 'Trojan' get onto the target machines?

    "To spread the new Linux backdoor, dubbed Linux.BackDoor.Xnote.1, criminals mount a brute force attack to establish an SSL connection with a target machine .. The malware will only be installed in a system if it has been launched with superuser (root) privileges".

    For fuck's sake slashdot, remember when this was a serious technology mag, instead of providing free adverts to some AV company.

  11. Re:So many holes in Linux systems.. by deek · · Score: 2

    Actually, it's pretty simple to stop SystemD from listening on network ports. It's called "socket activation". Look it up. It's pretty neat. All you need to do is stop the specific socket service, and then edit the appropriate socket file.

    You'll also be interested to know that the Debian install of SystemD doesn't use socket activation by default. Not yet, anyway.

    As for systemd security auditing, from what I've heard, the people at Redhat run the source code through various tools designed to pick out bugs. Also, I've read of at least one person doing an independent audit of the code. I presume there would be many more than that. So, as far as security testing is concerned, it's far from having nothing done.

    There's always a workaround. Even for SystemD.