Slashdot Mirror


Neutrino Exploit Kit Has a New Way To Detect Security Researchers (csoonline.com)

itwbennett writes: [The Neutrino exploit kit] is using passive OS fingerprinting to detect visiting Linux machines, according to Trustwave researchers who found that computers they were using for research couldn't make a connection with servers that delivered Neutrino. Daniel Chechik, senior security researcher at Trustwave's SpiderLabs division wrote that they tried changing IP addresses and Web browsers to avoid whatever was causing the Neutrino server to not respond, but it didn't work. But by fiddling with some data traffic that Trustwave's computers were sending to the Neutrino server, they figured out what was going on.

43 comments

  1. This is not the year. by Anonymous Coward · · Score: 2, Funny

    Until we get proper malware support there can be no year of the linux desktop.

    1. Re:This is not the year. by JustAnotherOldGuy · · Score: 4, Funny

      Until we get proper malware support there can be no year of the linux desktop.

      I know - as someone who's in the process of switching to Linux Mint, I'm having trouble finding replacements for stuff like Zeus, Conficker, Koobface, Rustock, and Cutwail.

      If someone could point me towards some quality malware to infect my Linux box with, I'd be grateful.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    2. Re:This is not the year. by Anonymous Coward · · Score: 1

      https://www.winehq.org/ You're welcome

    3. Re:This is not the year. by Anonymous Coward · · Score: 0

      Just Google "systemd", and enjoy the unstable goodness.

    4. Re:This is not the year. by NotInHere · · Score: 1

      On desktop linux, even the viruses are open source!

    5. Re:This is not the year. by dimko · · Score: 1

      Not good enough. Remove Wine and the ones mentioned above won't work.

    6. Re:This is not the year. by Anonymous Coward · · Score: 0

      On desktop Linux, virus opens you!

    7. Re:This is not the year. by Anonymous Coward · · Score: 0

      Indeed, google proves this. Google for "linux systemd malware", you get 267000 results. If you google for "neutrino malware", you get 89400 results.

    8. Re:This is not the year. by Ol+Olsoc · · Score: 1

      If someone could point me towards some quality malware to infect my Linux box with, I'd be grateful.

      Dual boot with Windows - that should do it.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    9. Re:This is not the year. by ArmoredDragon · · Score: 1

      I think "virus opens you" is applicable to any platform. Allusion to Russian jokes notwithstanding.

    10. Re: This is not the year. by Anonymous Coward · · Score: 1

      With Linux, you are the infection.

    11. Re:This is not the year. by hankwang · · Score: 1

      "point me towards some quality malware to infect my Linux box with, I'd be grateful."

      Set a password 'root' for the root user, let sshd listen to the internet from the default port, and wait a few days.

    12. Re: This is not the year. by Anonymous Coward · · Score: 0

      With Windows I never had to go through all that trouble, it just worked!

    13. Re:This is not the year. by Anonymous Coward · · Score: 0

      You claim to have worked for Microsoft. Prove it. Yet another lie from JustAnotherOldBLOWHARDDoucheLIAR!

    14. Re:This is not the year. by Anonymous Coward · · Score: 0

      He's run from proving that lie of his for days. It's obvious by now he can't prove it. He deludes himself that contracting for an outfit that did work for Microsoft is working for MS, but I'd bet his W2 or W4 doesn't have Microsoft on it for filing taxes.

    15. Re:This is not the year. by JustAnotherOldGuy · · Score: 1

      Set a password 'root' for the root user, let sshd listen to the internet from the default port, and wait a few days.

      I'm probably not technically proficient enough to figure out how to do that, so for the time being I guess I'll have to search the repositories for some highly-rated malware. Sadly there doesn't appear to be a version of McAfee Anti-Virus for Linux yet.

      I did find something called "mkfs.ext4 /dev/sda1" which looks promising; I'll try it and let you know how it wo*J^$ - @~_![[^8(fx4| 5n är föd#&

      --
      Just cruising through this digital world at 33 1/3 rpm...
  2. Headline by Livius · · Score: 5, Insightful

    For a second I thought sub-atomic particles were turning the tables on physicists.

    (Seriously, we need more original names for these things.)

    1. Re:Headline by Anonymous Coward · · Score: 0

      Original like: QNX Neutrino RTOS ?

  3. So spoof packets and find safety? by 140Mandak262Jamuna · · Score: 1

    So a Windows user wanting to avoid infection from Neutrino should spoof the TCP packets and pretend to be Linux?

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:So spoof packets and find safety? by Anonymous Coward · · Score: 0

      Shush! Will you idiots please stop telling people how to blend in with the cool kids? We've all but lost the ad blocking advantage because you blabbed! Now you're going to ruin the network shibboleth?

    2. Re:So spoof packets and find safety? by klui · · Score: 3, Informative

      The second link states passive OS fingerprinting, p0f, was developed by Michal Zalewski. http://lcamtuf.coredump.cx/p0f... shows your connection's fingerprint. It may be as easy as using a proxy such as Squid to perform the "spoofing."

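The passive fingerprinting klui mentions (and that the summary says Neutrino uses to spot research boxes) works from stack-specific details of the client's TCP SYN, chiefly the initial TTL and the order of TCP options. The following is an added example, not code from this thread, from Trustwave or from p0f: it parses constructed raw IPv4+TCP SYN packets and matches them against two simplified reference signatures that are assumptions for illustration, not p0f's real database.

```python
import struct
# Illustrative reference signatures constructed for this example (not p0f's real database):
# initial TTL and SYN option order. Linux/Windows stacks default to TTL 64/128 and differ in layout.
REFERENCE = {"Linux": (64, ("mss", "sok", "ts", "nop", "ws")),
             "Windows": (128, ("mss", "nop", "ws", "nop", "nop", "sok"))}
OPT_NAMES = {2: "mss", 3: "ws", 4: "sok", 8: "ts"}

def parse_syn(pkt: bytes) -> dict:
    """Pull fingerprint fields out of a raw IPv4 + TCP SYN (checksums not validated)."""
    ihl = (pkt[0] & 0x0F) * 4                      # IPv4 header length in bytes
    tcp = pkt[ihl:]
    data_off = (tcp[12] >> 4) * 4                  # TCP header length incl. options
    fp = {"syn": (tcp[13] & 0x12) == 0x02, "ttl": pkt[8], "mss": None, "wscale": None,
          "window": struct.unpack("!H", tcp[14:16])[0]}
    opts, layout, i = tcp[20:data_off], [], 0
    while i < len(opts) and (kind := opts[i]) != 0:  # kind 0 = EOL, rest is padding
        if kind == 1:                              # NOP carries no length byte
            layout.append("nop"); i += 1; continue
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("malformed TCP option")
        if kind == 2:
            fp["mss"] = struct.unpack("!H", opts[i + 2:i + 4])[0]
        elif kind == 3:
            fp["wscale"] = opts[i + 2]
        layout.append(OPT_NAMES.get(kind, "opt%d" % kind))
        i += length
    fp["olayout"] = tuple(layout)
    return fp

def guess_os(fp: dict) -> str:
    # Each hop decrements TTL, so round the observed value up to a common initial TTL.
    init_ttl = next((t for t in (32, 64, 128, 255) if fp["ttl"] <= t), fp["ttl"])
    for name, (ttl, layout) in REFERENCE.items():
        if init_ttl == ttl and fp["olayout"] == layout:
            return name
    return "unknown"

def build_syn(ttl: int, window: int, options: bytes) -> bytes:
    """Constructed sample: minimal IPv4 + TCP SYN, zero checksums, dummy addresses."""
    options += b"\x00" * (-len(options) % 4)       # options are padded to 32-bit words
    tcp_len = 20 + len(options)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0, 0x4000, ttl, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, (tcp_len // 4) << 4, 0x02, window, 0, 0)
    return ip + tcp + options
# Constructed option blobs: MSS,SACKOK,TS,NOP,WS (Linux-like), MSS,NOP,WS,NOP,NOP,SACKOK.
LINUX_OPTS = b"\x02\x04\x05\xb4\x04\x02\x08\x0a" + b"\x00" * 8 + b"\x01\x03\x03\x07"
WIN_OPTS = b"\x02\x04\x05\xb4\x01\x03\x03\x08\x01\x01\x04\x02"
```

Running `guess_os(parse_syn(build_syn(52, 29200, LINUX_OPTS)))` on a packet that has crossed 12 hops still classifies as Linux, which is why a research box behind NAT or a proxy is not hidden by changing IP addresses or browsers alone.
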
  4. Linux fails again by shawn2772 · · Score: 1

    Yet again, Linux fails to be properly interoperable with the Windows ecosystem. Heck, I'll bet you can't even get properly detected and infected by Neutrino when running WINE.

    Sigh.

    1. Re:Linux fails again by Anonymous Coward · · Score: 0

      Look mummy, I can type :)

    2. Re:Linux fails again by Anonymous Coward · · Score: 0

      Anyone got a tool to easily impersonate other OSes?

      I run firefox on linux, but I set my browser user-agent to say Chrome on Win10 in order to improve my privacy and security. Neutrino probably isn't the only one doing passive OS fingerprinting. I'd like to send the right fingerprints to match my browser user-agent.

      I'm sure I could figure it out and do it by hand by dicking around with sysctl() knobs. But it would be nice if there was a tool that did all the heavy lifting for me.

    3. Re:Linux fails again by Anonymous Coward · · Score: 0

      Anyone got a tool to easily impersonate other OSes?

      Ya, it's called a virtual machine.

    4. Re:Linux fails again by Anonymous Coward · · Score: 0

      Look, mummy, I'm a complete failure, even as an AC troll on Slashdot.

      TFTFY, sonny.

    5. Re:Linux fails again by Anonymous Coward · · Score: 0

      Maybe you can use a VM, but my dick is way too big to fit. I'm sorry your dick is so small.

  5. Honeypot VMs as a solution? by Anonymous Coward · · Score: 0

    Would running, as it were, a scratch monkey Windows in a VM and setting it to bridge the network interface solve this, or would the outgoing traffic still be seen as Linux?

    This is interesting though because it tells us that most malware writers actually are effectively stopped by Linux. Much like how the NSA doesn't seem to have an answer for proper crypto yet...

    1. Re:Honeypot VMs as a solution? by Anonymous Coward · · Score: 0

      ALWAYS run a scratch monkey!

  6. Wait, what? by iwaybandit · · Score: 1

    Malware devs are protecting malware researchers? Hey, thanks!

  7. CSO spam site by Anonymous Coward · · Score: 0

    Can we stop it with silly news from CSO already.... are you guys getting paid to promote their crap?
    Nobody cares what an exploit kit is, rather how its "creators" are avoiding researchers.

  8. Fatal flaw? by Anonymous Coward · · Score: 1

    If the exploit kit won't talk to malware detectors, it's possible to spoof all computers so they look like malware detectors, and the exploit is rendered harmless.

    1. Re:Fatal flaw? by silentcoder · · Score: 1

      In this case it sounds like that's basically exactly what happens for Linux users; we'll be basically immune to Neutrino since the server will refuse packets from us.

      --
      Unicode killed the ASCII-art *
  9. well by rossdee · · Score: 1

    your tinfoil hat certainly won't stop neutrinos

    oh, we are not talking about the massless subatomic particle?

  10. AdBlock+ = inferior & 'souled-out' vs. hosts by Anonymous Coward · · Score: 0

    Can adblock+ do 16 things hosts do 4 speed, security & reliability:

    1.) Protect vs. bad sites (past ads)
    2.) Protect vs. fastflux botnets + stop C&C talk
    3.) Protect vs. dynamic dns botnets + stop C&C talk
    4.) Protect vs. DGA botnets + stop C&C talk
    5.) Protect vs. downed DNS (4 reliability)
    6.) Protect vs. DNS redirect poisoning
    7.) Protect vs. trackers
    8.) Protect vs. spam
    9.) Protect vs. phish
    10.) Protect vs. caps
    11.) Get past dns blocks
    12.) Keep off dns request logs
    13.) Speed up surfing (adblock & hardcoded favs)
    14.) Works on anything webbound multiplatform.
    15.) EZ data control
    16.) Block ads better vs. addons more efficiently

    * ANSWER ="NO" on ab+ doing it as well or @ ALL + hosts = on devices natively.

    APK

    P.S.=> Ab+ does less vs. hosts less efficiently - hosts do MORE w/ less + Hosts start w/ IP stack before REDUNDANT inefficient addons BEGIN operation (as 1st resolver).

    ---

    Ab+'s a 128-151mb memory hog http://cdn.ghacks.net/wp-conte... (hosts use 3-11mb w/ my program initially). Even FireFox 41 adblock eats 65++mb http://www.ghacks.net/2015/06/...

    ---

    ClarityRay defeats it seeing addons via native browser methods!

    ---

    Ab+'s bribed not to work by default http://www.businessinsider.com... & ABP bought out adblock http://www.theregister.co.uk/2...

    ---

    Ab+ adds complexity in slower usermode (w/ more messagepassing overhead + context switch vs. hosts in kernelmode).

    ---

    AdBlock's SLOWER: http://superuser.com/questions...

    ---

    What's best?

    APK Hosts File Engine 9.0++ SR-4 32/64-bit http://start64.com/index.php?o...

    MalwareBytes' hpHosts Admin (MalwareBytes employee who verified its source is safe http://forum.hosts-file.net/vi... ) hosts & recommends it http://hosts-file.net/?s=Downl... & MalwareBytes = BEST antivirus http://www.av-test.org/en/news...

    &

    It's safe per 57 antivirus programs in BOTH its 64-bit model https://www.virustotal.com/en/...

    +

    a 32-bit model too https://www.virustotal.com/en/...

    & Installer -> http://f.virscan.org/APKHostsF...

  11. But you ARE a webmaster right? by Anonymous Coward · · Score: 0

    See subject: One that is paid by ads & doesn't mind crippled almostalladsblocked. Answer it (or your past posts will for you) as once you do I'll slice you to bits with it.

    * IRONIC: Captcha = SUNLIGHT (& I'm going to use it on you... shortly!)

    APK

    P.S.=> I'm going to anyway, exposing you, so you might as well be truthful & DIE here publicly with some grace @ least, lol - because "the end cometh" for you chump... & "here 'tis", merely acting as the INSTRUMENT to do it!

    ... apk

    1. Re:But you ARE a webmaster right? by JustAnotherOldGuy · · Score: 1

      Yes, I run several sites. What's your point?

      --
      Just cruising through this digital world at 33 1/3 rpm...
  12. Gpgcheck=0 by Anonymous Coward · · Score: 0

    Other than the usual browser based nonsense, the other way would probably be to convince you to gpgcheck=0 and infect you that way. Or the usual chubby twerp walking into your place and replacing your kernel.

  13. Which sites & do you get paid by ads on them? by Anonymous Coward · · Score: 0

    Which sites & do you get paid by ads on them? Finish the answer & point them out so I can verify this... as I am fairly certain by this point that's your motivations for the bullshit you say about me more than anything else.

    APK

    P.S.=> Let's see your answer - I suspect you'll evade this to NO end... apk

  14. Re:Which sites & do you get paid by ads on the by Anonymous Coward · · Score: 0

    3 days now! JustAnotherOldGuy'll never answer apk. You've seen right thru his petty motives for putting you down and his liking AlmostALLAdsBlocked that doesn't block ads he's paid by on his alleged websites. He gets messages from posts under his. He's seen this and is running.

  15. Re:Which sites & do you get paid by ads on the by JustAnotherOldGuy · · Score: 1

    Which sites & do you get paid by ads on them? Finish the answer & point them out so I can verify this...

    Lol, like I would tell a scumbag like you specifically what sites I run. Thanks, but I don't need some shitbag like you trying to DDOS me or hack my sites.

    To answer your second question, some make money from ads, some sell products.

    --
    Just cruising through this digital world at 33 1/3 rpm...
  16. 11 days later his DIM brain has bs answer lol! by Anonymous Coward · · Score: 0

    You've DDoS'd yourself webwally: Avoiding answering proves my point! You run ads NOT blocked by AlmostALLAdsBlocked (but they are by my program which YOU FEAR because of that). Did you think your doubletalk bs fools anyone other than your dumbass self? You fail. Is your favorite color TRANSPARENT? Must be. I see right thru you and so does everyone else webstooge!

    Scumbag? LMAO - Did you think you could FINALLY answer & that Logan Abbott's WEAK PUNY "defense" could stop me and I couldn't continue to SHIT ON YOU? Guess again, you LOSE, loser.

    APK

    P.S.=> So much for you - thanks for letting me make others LAUGH @ U & Logan Abbott/whipslash too - nothing stops me - least of all, "webchumps"... apk