Slashdot Mirror


Linux Trojan Mines For Cryptocurrency Using Misconfigured Redis Servers (softpedia.com)

An anonymous reader writes: In another installment of "Linux has malware too," security researchers have discovered a new trojan that targets Linux servers running Redis, where the trojan installs a cryptocurrency miner. The odd fact about this trojan is that it includes a wormable feature that allows it to spread on its own. The trojan, named Linux.Lady, will look for Redis servers that don't have an admin account password, access the database, and then download itself on the new target. The trojan mines for the Monero crypto-currency, the same one used by another worm called PhotoMiner, which targets vulnerable FTP servers. According to a recent Risk Based Security report from last month, there are over 30,000 Redis servers available online without a password, of which 6,000 have already been compromised by various threat actors.

62 comments

  1. But I've thought that linux was secure by Anonymous Coward · · Score: 3, Funny

    clearly the story is a fake there is no virus for linux because linux is OPEN SORES which means its BUGS are shallow and it is FREE FROM MALWARE. Wasn't freedom from malware one of the four freedoms?

    1. Re:But I've thought that linux was secure by Anonymous Coward · · Score: 0

      What it is, oh wise burning ant that you are... is FBI stay out of people's shit.

    2. Re:But I've thought that linux was secure by Anonymous Coward · · Score: 0

      damn! redis torvaldjan!

    3. Re:But I've thought that linux was secure by Anonymous Coward · · Score: 0

      if it's something about *nix, you can be sure a M$ puppet is near.

  2. FBI BIG FAT SLIP TOO by Anonymous Coward · · Score: 0

    >there are over 30,000 Redis servers available online without a password, of which 6,000 have already been compromised by various threat actors.

    That is specific FBI language, used only by FBI.

    FBI BurEAU HeaD
    ur

    1. Re:FBI BIG FAT SLIP TOO by Anonymous Coward · · Score: 0

      > various threat actors

      they are taught that in school.

    2. Re: FBI BIG FAT SLIP TOO by Anonymous Coward · · Score: 0

      Or people who watch a lot of cop shows on TV.

  3. Ok by Anonymous Coward · · Score: 1

    Set a password. Problem solved. There is literally nothing being exploited except total lack of a password to get in.
    Same thing would happen if you put up a Windows server with no password.

    1. Re:Ok by roger_that · · Score: 1

      I don't have any Mod points today, but someone should mod this up. This is not a Linux failure, but a Redis admin failure.

    2. Re:Ok by Anonymous Coward · · Score: 0

      The vast majority of security hacks taking place today are the result of poor system administration, faulty configuration, and social engineering vectors. And this particular case is a good example. The problem comes in when the Linux fanbois do not extend the same level of rational thinking whenever an MS system is compromised. Then all of a sudden the problem is blamed solely on the MS software being insecure. This leads to the erroneous conclusion that somehow Linux is a safer option when that case has never been proven. Something to keep in mind is that Linux has its fair share of stupid admins and users who are perfectly capable of creating security nightmares. In some cases they are even susceptible to believing Linux is so safe it doesn't really matter how they administer their systems. There is no real centralized security and bug fix repository for the Linux ecosystem. There is no equivalent to the MS auto updates. And a lot of people complain about the MS auto updates, but that service targets the average user, not the experienced IT professional. Whereas keeping a Linux system up to date with all the latest security patches and various application bug fixes is a time consuming and difficult operation that an average user is not going to do.

    3. Re:Ok by Anonymous Coward · · Score: 0

      > Set a password. Problem solved. There is literally nothing being exploited except total lack of a password to get in.
      > Same thing would happen if you put up a Windows server with no password.

      That's all cool and good. Except even a Windows server, which comes with a whole shit load of needless network services turned on and is insecure to the level that giving one to another person should be a criminal offense, doesn't leave a default database install turned on passwordless.

      This is not 1995 any more and there is no excuse for not setting the password by default and letting the user know what it is or change it if they like.

    4. Re: Ok by Anonymous Coward · · Score: 0

      Your claim of no centralized security / auto update linux ecosystem is completely false.

  4. Um... What Access Control? by ewhac · · Score: 5, Insightful

    The developers are fairly up-front about this:

    > Redis is designed to be accessed by trusted clients inside trusted environments. This means that usually it is not a good idea to expose the Redis instance directly to the internet or, in general, to an environment where untrusted clients can directly access the Redis TCP port or UNIX socket. [ emphasis mine ]

    There is an "authentication" feature, but it's amazingly primitive, and the credentials are sent in the clear -- in other words, next to useless. The rest of the page makes it fairly clear: If you are running a Redis server accepting connections from the open Internet, you are an idiot.
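    A concrete check for the two failure modes raised in comment 3 ("Set a password. Problem solved.") and in the Redis documentation quoted in this comment, as an added example that is not part of the original page or of Redis itself: it parses a redis.conf and reports whether the instance is bound to non-loopback addresses, whether requirepass is unset, and whether protected-mode has been switched off. bind, requirepass and protected-mode are real Redis directives (protected-mode exists from Redis 3.2 onward; older releases have no such guard). The two config texts are constructed samples, and the finding codes and function names are this example's own.

```python
"""Flag the exposure the thread is about in a redis.conf.

Added example, not part of the page or of Redis.  The directive names are
real Redis directives; the sample configs and finding codes are constructed.
"""
from ipaddress import ip_address
from typing import Dict, List

# Constructed sample: an install reachable from anywhere with no password.
EXPOSED_CONF = """\
# redis.conf (constructed sample)
port 6379
bind 0.0.0.0
protected-mode no
# requirepass left unset
"""

# Constructed sample: the same install restricted to loopback with a password.
HARDENED_CONF = """\
port 6379
bind 127.0.0.1 ::1
protected-mode yes
requirepass CHANGE-ME-to-a-long-random-secret
"""


def parse_redis_conf(text: str) -> Dict[str, List[str]]:
    """Map each directive to its argument list.

    redis.conf is one directive per line, arguments whitespace separated,
    and only whole-line comments ('#' first); a later line overrides an
    earlier one for the directives checked here.
    """
    directives: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, *args = line.split()
        directives[name.lower()] = [a.strip('"\'') for a in args]
    return directives


def _is_loopback(bind_arg: str) -> bool:
    # Newer Redis allows an optional '-' prefix (skip if the address is absent)
    # and IPv6 zone ids like fe80::1%eth0; neither changes the address itself.
    host = bind_arg.lstrip("-").split("%", 1)[0]
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return False   # '*' or a hostname: treat as not loopback


def audit_redis_conf(text: str) -> List[str]:
    """Return finding codes for the config text; an empty list means nothing flagged."""
    conf = parse_redis_conf(text)
    findings: List[str] = []

    binds = conf.get("bind")
    if not binds:
        # No bind directive: redis-server listens on every interface.
        findings.append("bind-all-interfaces")
    elif not all(_is_loopback(a) for a in binds):
        # 0.0.0.0, '::' or a routable address: the port is reachable from the network.
        findings.append("bind-non-loopback")

    password = conf.get("requirepass", [""])
    if not password or not password[0]:
        # Without requirepass any client that can reach the port runs any command.
        findings.append("no-requirepass")

    # protected-mode (Redis 3.2+) refuses remote clients when no bind and no
    # password are set; switching it off removes that last safety net.
    if conf.get("protected-mode", ["yes"])[0].lower() == "no":
        findings.append("protected-mode-disabled")

    return findings


if __name__ == "__main__":
    for label, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_redis_conf(conf) or ["ok"])
```

    Run against the constructed exposed sample the audit reports all three findings; against the hardened sample it reports none. A config with no bind line at all is reported as listening on every interface, which on releases without protected-mode is exactly the state the summary describes.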

    1. Re: Um... What Access Control? by bestweasel · · Score: 1

      The result is that there are thousands of Redis servers exposed to malware. Clearly administrators can't always be trusted to do what's right which is why I find Redis' attitude irresponsible.

      > by default, Redis has no authentication or security mechanism enabled, and any security mechanisms must be implemented by the end user.

      If Redis shipped with sensible defaults, none of this would have happened.

  5. Clickbait by ilsaloving · · Score: 4, Insightful

    So in other words, the whole article/summary is flamebait/clickbait. Only an idiot would install a server and not configure an admin password.

    Saying that "Linux has malware!" because morons misconfigure an application running on Linux, is like saying "Windows has malware!" because SQL Server was installed with a blank sa password. I mean, sure, Windows does have malware, but this is just clickbait nonsense.

    1. Re:Clickbait by houstonbofh · · Score: 1

      Can you really call it hacking a server when there is no password? Doesn't that make it an open server, kinda like open wifi?

    2. Re:Clickbait by Anonymous Coward · · Score: 0

      > Only an idiot would install a server and not configure an admin password.

      Ergo the world is full of servers without admin passwords.

    3. Re:Clickbait by Anonymous Coward · · Score: 0

      > Can you really call it hacking a server when there is no password? Doesn't that make it an open server, kinda like open wifi?

      If you don't lock your front door, does that mean that I can come in uninvited, help myself to your fridge, and kick back on your couch while watching your television? Same reasoning.

    4. Re:Clickbait by Bert64 · · Score: 1

      You can come in uninvited, and if you don't someone else will. The easier you make it, the more people will be capable of doing it.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!

    5. Re:Clickbait by Ol Olsoc · · Score: 1

      > Saying that "Linux has malware!" because morons misconfigure an application running on Linux, is like saying "Windows has malware!" because SQL Server was installed with a blank sa password. I mean, sure, Windows does have malware, but this is just clickbait nonsense.

      But this makes the Windows lads feel much better about themselves. While it is whacked to say that an open server is Linux malware, it allows them to say, just like in the summary, "Linux has malware too". Nope. It's a badly written bit of kit.

      For all of the multitudes of Windows malware, the idea of pointing a finger at an open server and saying "Linux has Malware too!" is preposterous.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.

    6. Re:Clickbait by JustAnotherOldGuy · · Score: 1

      > Can you really call it hacking a server when there is no password? Doesn't that make it an open server, kinda like open wifi?

      "Hacking" might not be the best description or word to use, but it seems like an unauthorized entry or use of the platform.

      I know it's a bit fuzzy in terms of terminology, but the lack of a password on something doesn't automatically grant carte blanche permission to do whatever you want.

      Not having a lock on my door doesn't mean you have permission to open it and come in.

      --
      Just cruising through this digital world at 33 1/3 rpm...

    7. Re:Clickbait by ilsaloving · · Score: 1

      It's not even close to the same reasoning. Just because something is open, doesn't automatically mean you have a right to it.

      Granted, most things that are open (eg: wifi), are left open on purpose because the administrator specifically wants to encourage people to use it, but unless you are absolutely sure that you have been given permission to use a service, then what you are doing is trespassing, period.

    8. Re:Clickbait by ilsaloving · · Score: 1

      Shame you posted AC. That comment is worth a +5 Funny.

    9. Re:Clickbait by ilsaloving · · Score: 1

      No, it doesn't. Unless the administrator has specifically declared that the open service is open on purpose, you cannot assume that it's there as a free-for-all.

      The vast majority of consumer-facing services, like open wifi, websites, ftp sites, etc, make it easy to forget that those services were left open *on purpose*. For example, the vast majority of (properly set up) wifi access points will present you with a guest access ToS screen.

      Unfortunately not everyone is competent in setting up front-facing services, and may do something boneheaded like what is described in the article. Accessing services that weren't specifically declared to be public is still effectively trespassing. The best analogy I can think of is a wasp that paralyzes a caterpillar and injects an egg into it. Just because you *can* do something, doesn't automatically mean it's cool to do so.

    10. Re:Clickbait by ilsaloving · · Score: 1

      Sorry, ignore my other comment. I conflated what you wrote with what you quoted.

    11. Re:Clickbait by ilsaloving · · Score: 1

      No, it doesn't. Unless the administrator has specifically declared that the open service is open on purpose, you cannot assume that it's there as a free-for-all.

      The vast majority of consumer-facing services, like open wifi, websites, ftp sites, etc, make it easy to forget that those services were left open *on purpose*. For example, the vast majority of (properly set up) wifi access points will present you with a guest access ToS screen.

      Unfortunately not everyone is competent in setting up front-facing services, and may do something boneheaded like what is described in the article. Accessing services that weren't specifically declared to be public is still effectively trespassing. The best analogy I can think of is a wasp that paralyzes a caterpillar and injects an egg into it. Just because you *can* do something, doesn't automatically mean it's cool to do so.

    12. Re:Clickbait by ilsaloving · · Score: 1

      Oh FFS. Ok, no more slashdot while it's so hot I can't focus clearly enough to reply on the correct comment. Twice. :P

  6. Owned doesn't quite cover it.... by Anonymous Coward · · Score: 0

    "Misconfigured" is an understatement. If your server got rekt like this, I say you deserve a personal verbal smackdown by Linus himself. Complete with vulgar suggestions on how your mother bangs farm animals from three counties over.

    Really, this is like having a tank, and losing in single combat to Zangief. Sure, he wrestles bears for fun, but c'mon, he can't pile drive a frickin' TANK.

  7. Open Source security by Anonymous Coward · · Score: 0

    Operating in the sphere of open source security, I know very well how secure open source software CAN be. But I know too well how often people cut corners because of the feeling of herd security and the trust that "the community" will take care of it. Sadly, this behavior often comes from the technical folks...

  8. %%%% SLASHDOT IS FBI %%%% by Anonymous Coward · · Score: 0

    fact.

  9. Hey we've arrived! by rune2 · · Score: 2

    This is the year of the Linux desktop! ;-)

    1. Re:Hey we've arrived! by Anonymous Coward · · Score: 0

      The FBI took a default 2 to 1 on your mod points. Linux fucks their spying up the ass.

      Change your PC clocks too. Timelogging is the default traffic monitoring failsafe. Just set it to off by as much as you can.

      There was another story this morning that these FBI bitches on Slashdot quoted Arstechnica. They said it was a Linux bug so they were recommending making changes to the TCP/IP stack. They are out of ways to control the population so they are just farts in the wind.

      Do every and all things to block all US Government monitoring. It matters right now.

    2. Re:Hey we've arrived! by Anonymous Coward · · Score: 0

      They put 1 back like you knew they would.

  10. STUPID argument. by Anonymous Coward · · Score: 0

    This comment is FBI Slashdot too.

    Just try shutting the fuck up? Maybe pass out parking tickets?

    Find a school hallway to monitor?

    You can have the most secure OS in the world and get hosed from social engineering. That is the world of spycraft. Slashdot right now is exactly that. A lot of recent stories have been all bait. Slashdot asks: Where do you get YOUR torrents from. etc.

    If your Apache server fucks up it is not because of Linux. If your Redis server or samba server fuck up it is not because of Linux either. If something does go wrong they will patch it asap. This is not like Microsoft which is spyware itself. It is also not closed source like Apple nor is it gay. Linus works very hard to do what he's done and now even the International Space Station is on Linux. Everywhere is Linux, including Slashdot. This is why the FBI killed Ian Murdock of Debian. It is mature and stable and a very high number of users are loyal to it.

    Heads up again on THIS FUCKING SITE FUCK YOU DICE and Debian.

  11. In another installment of "BeauHD is an idiot"... by Nutria · · Score: 1

    our faithful "editor" has apparently never heard of the Morris Worm.

    --
    "I don't know, therefore Aliens" Wafflebox1

  12. Re:In another installment of "BeauHD is an idiot". by Anonymous Coward · · Score: 0

    What does the Morris worm have to do with BeauHD and this article?

  13. Only 6k? by Anonymous Coward · · Score: 0

    Only 6000 compromised servers? We need the full 30k! C'mon guys, get on the ball here! That worm doesn't spread itself fast enough. All those servers must be pwned immediately!

  14. Okay, let me be the first to ask by 93 Escort Wagon · · Score: 1

    What the heck is Redis? Okay, I see that it's some sort of database server... but why would anyone use it instead of software people have heard of?

    --
    #DeleteChrome

    1. Re:Okay, let me be the first to ask by Anonymous Coward · · Score: 0

      If you don't know redis, then you have never administered a unix based webserver for PHP websites of any scale. Just because you aren't familiar with something, doesn't mean it is not well known.

    2. Re:Okay, let me be the first to ask by Narcocide · · Score: 2

      It's just memcache for hipsters.

    3. Re:Okay, let me be the first to ask by PRMan · · Score: 1

      Everywhere I've been they've had Redis servers. You need to get out more.

      --
      Peter predicted that you would "deliberately forget" creation 2000 years ago...

    4. Re:Okay, let me be the first to ask by Anonymous Coward · · Score: 0

      Redis is one of the more common NoSQL thingies. I'd figure you'd have heard of it if you at all pay attention to databases (even if you aren't interested in NoSQL).

  15. Re:Um... What Access Control? by houstonbofh · · Score: 1

    > If you are running a Redis server accepting connections from the open Internet, you are an idiot.

    Good thing we don't have too many of them! No, wait...

  16. systemd by Anonymous Coward · · Score: 0

    Maybe Lennart Poettering could take some tips from linux malware writers on how to write working code.

  17. Redis is bad, sorry by Anonymous Coward · · Score: 0

    I had a properly configured redis server once, then it got hacked. Like, within a month. Fortunately it was all statistical data on it, but I'll never use this product again since the hacker was able to get root access on the server.

  18. Unfit stance on security for the 21st century by burni2 · · Score: 2

    I think that this "trusted" within "trusted environments" scheme is unfit for today's and future IT integration.

    Because it will not encourage the developer(s) to write code with security in mind(*). Because it will remove this vector from their mindset.

    Secondly, as an integrator you would need to build that trusted environment and infrastructure, and with a "security neglecting" application that is another headache.

    Many security breaches manifest themselves with a break-in into those "trusted environments", and my personal point is that there is no such thing as a "trusted environment"; instead it should be called a "not-directly-exposed environment".

    And yes, even your localhost applications should have authentication, because today's infrastructure is so complex that even without negligence it is incredibly easy to do things wrong.[1]

    (*) Security in mind:
    - Learn from the mistakes of others: read exploited code, understand why it was exploited and learn from the safe replacement

    - Thinking: your program is prey in a big bucket filled with parasites as well as predators that will use every chance you give them

    - Basically secure by default, not secured by long terms of service.

    [1] https://apache.slashdot.org/st...

    1. Re:Unfit stance on security for the 21st century by Anonymous Coward · · Score: 0

      There are too many attack vectors for the average web developer to spend as much time being safe as you advocate. There is a reason we have developed firewalls, DMZs, and middle-ware for authentication - security is VERY FUCKING HARD. And it's not just web developers - most applications are not meant to have their ports exposed. Difficulty in security is directly and exponentially proportional to features and performance, and we live in an age where features are by far the most important thing.

      And don't expect us to go back to the computing dark ages. I like my features. I don't want to give them up.

      So considering that - If your data is exposed to random clicks, regardless of whether you have encrypted auth enabled, you're doing it wrong.

      I don't expect Postgres or Maria or Redis or Mongo folk to focus on SECURITY SECURITY SECURITY! I expect them to focus on performance, features, and stability. I expect my network proximity team and architects to focus on perimeter security.

    2. Re:Unfit stance on security for the 21st century by burni2 · · Score: 1

      1.) You did not understand what I said,
      I didn't say that you should scrape your DMZ for secure apps.

      I said that developers should focus on security, because even a DMZ can be broken into, AND THEREFORE DEVELOPERS AND USERS SHOULD FOCUS ON SECURITY TO CONTAIN THE IMPACT OF THEIR HOLE IN THEIR DMZ CONFIGURATION.

      And a DMZ should not equal a free-for-all zone.

      I know that security is relative, however if you can put the bars higher with relatively low effort you should do it.

      2.) You like your features till the day you are blamed for the major fuck up.

      3.) I hope you have realized that the trend in politics and future law making is going towards accountability in security and therefore this topic will get much more important for the survival of companies.

      4.) And btw. performance and security is possible[1], if you just reduce the middle-ware-middle-ware and do it right for the first time.

      [1] https://www.fefe.de/gatling/

    3. Re:Unfit stance on security for the 21st century by Anonymous Coward · · Score: 0

      You are neither an 'integrator', nor a moral or legal authority on anything.

      You are a douche, on Slashdot. With all the other douches.

      You need to get laid.

    4. Re:Unfit stance on security for the 21st century by Anonymous Coward · · Score: 0

      Redis is a backend service. It should not be on a DMZ.
      Also, microservice-based architectures mean a lot of services, it is counterproductive to have to authenticate all the time to each service. The group of services should be secured at the edge.

  19. Re:Um... What Access Control? by Anonymous Coward · · Score: 0

    I agree with the design. If you want things like this to be secure and you want to use them over the internet, you should use TLS with pinned certificates on both the client and server.

    Designing security into most protocols is stupid and superfluous when TLS already provides the necessary mechanisms of AA&C.

    I'm of the further opinion that TLS should be removed from the daemon process, and provided by the kernel or NIC, because it decomplicates software design and makes it more modular: want to rip out TLS and replace it with CurveCP, go ahead, no changes to the software required.

    When you combine that with a good security model like Capsicum+CloudABI you end up with a highly securable system that doesn't take much thought to get right.

  20. For Gods sake, what is Redis? by Anonymous Coward · · Score: 0

    Would that kill you to put in the summary? SMTP server? RDBMS? A game?

    I see from a link that a reader posted that they have a ".io" domain, which tells me that they're hipster crapware, so it's hardly surprising it's a target (of other hipsters, running THEIR crapware).

    Edit, for crying out loud.

  21. does redis listen on global addresses by default? by Anonymous Coward · · Score: 0

    here's an idea for redis, and such systems that aren't supposed to be directly on the internet:

    - by default, don't listen on any "public" IPv4 or IPv6 global unicast addresses:
    http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xhtml
    http://www.iana.org/assignments/ipv6-unicast-address-assignments/ipv6-unicast-address-assignments.xhtml

    - but do listen on all other "internal" IPv4 and IPv6 addresses:
    https://en.wikipedia.org/wiki/Unique_local_address
    https://en.wikipedia.org/wiki/Link-local_address
    https://en.wikipedia.org/wiki/Localhost
    https://en.wikipedia.org/wiki/Private_network
    Reference: https://en.wikipedia.org/wiki/Reserved_IP_addresses

    - Of course, have a configuration setting available to override that check, with a comment/warning that a firewall must be configured to block ports xyz from untrusted networks to prevent redis from being hacked.
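    The address-selection rule this comment proposes, worked through as an added example that is not part of the original page or of any Redis release. Python's ipaddress module already encodes the special-purpose ranges behind the IANA and Wikipedia links above (loopback, link-local, RFC 1918 private space, IPv6 unique local addresses, the unspecified address, multicast), so a daemon can start from every address its host holds and keep only the ones that are not globally routable unless the operator sets an explicit override, in which case it logs the firewall warning the comment asks for. The candidate address list is constructed; classify, select_bind_addresses, startup_message and the allow_public flag are this example's own names.

```python
"""Choose bind addresses the way the comment proposes.

Added example, not part of the page or of Redis.  The candidate interface
list is constructed; function and flag names are this example's own.
"""
from ipaddress import ip_address
from typing import Iterable, List, Tuple

# Constructed: the addresses a dual-stack host might hold on its interfaces.
HOST_ADDRESSES = [
    "0.0.0.0",                # unspecified: means "all interfaces", never a real address
    "127.0.0.1", "::1",       # loopback
    "10.0.0.5",               # RFC 1918 private
    "fe80::1%eth0",           # IPv6 link-local with a zone id
    "fd12:3456::1",           # IPv6 unique local address (ULA)
    "8.8.8.8",                # public IPv4
    "2001:4860:4860::8888",   # public IPv6
]

FIREWALL_WARNING = (
    "WARNING: listening on public address(es) {addrs}; a firewall must block "
    "this port from untrusted networks."
)


def classify(addr_text: str) -> str:
    """Return 'internal', 'public' or 'skip' for one textual address.

    'internal' covers loopback, link-local, RFC 1918 / ULA and anything else
    the ipaddress module does not consider globally routable; 'skip' covers
    the unspecified address and multicast, which are not bindable endpoints.
    """
    host = addr_text.split("%", 1)[0]          # drop an IPv6 zone id such as %eth0
    addr = ip_address(host)
    if addr.is_unspecified or addr.is_multicast:
        return "skip"
    if addr.is_loopback or addr.is_link_local or addr.is_private:
        return "internal"
    return "public" if addr.is_global else "internal"


def select_bind_addresses(candidates: Iterable[str],
                          allow_public: bool = False) -> Tuple[List[str], List[str]]:
    """Split candidates into (addresses to bind, public addresses dropped).

    Public addresses are only kept when the operator sets allow_public,
    the override the comment asks for.
    """
    chosen: List[str] = []
    dropped: List[str] = []
    for text in candidates:
        kind = classify(text)
        if kind == "internal" or (kind == "public" and allow_public):
            chosen.append(text)
        elif kind == "public":
            dropped.append(text)
    return chosen, dropped


def startup_message(candidates: Iterable[str], allow_public: bool = False) -> str:
    """What a daemon would log at start: the bind list plus the warning if needed."""
    chosen, dropped = select_bind_addresses(candidates, allow_public)
    lines = ["bind " + " ".join(chosen)]
    public = [a for a in chosen if classify(a) == "public"]
    if public:
        lines.append(FIREWALL_WARNING.format(addrs=", ".join(public)))
    if dropped:
        lines.append("not listening on public address(es): " + ", ".join(dropped))
    return "\n".join(lines)


if __name__ == "__main__":
    print(startup_message(HOST_ADDRESSES))
    print(startup_message(HOST_ADDRESSES, allow_public=True))
```

    With the default the daemon binds only the loopback, private, link-local and ULA addresses and reports the two public ones it left alone; with allow_public set it binds everything but prints the firewall warning, so the override leaves a trace in the logs rather than silently widening exposure.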

  22. Why is Monero different? by Anonymous Coward · · Score: 0

    Why use Monero?

    1. Re:Why is Monero different? by Anonymous Coward · · Score: 0

      it's the first proper e-cash and has a group of highly intelligent developers around it.

    2. Re: Why is Monero different? by aminorex · · Score: 1

      True, but that doesn't explain why it is the first proper e-cash. The answer is that, because the blockchain is opaque, Monero is fungible, in contrast to Bitcoin where all interactions on the blockchain are readable by all parties. XMR transactions are actually unlinkable and untraceable unless a private key is provided for purposes of auditability. Therefore, unlike Bitcoin, your funds cannot be blacklisted if they are Politically Incorrect.

      --
      -I like my women like I like my tea: green-

  23. 2016 by Anonymous Coward · · Score: 0

    Finally, the year of the Windows desktop is here!

  24. Oh for fucks sake, people. by Anonymous Coward · · Score: 0

    GNU/LINUX *IS* secure. This article is clickbait bullshit.

    Imagine seeing a story about how someone hacked a car's engine start system to allow an unauthorized user to start the car and drive it away. The "hack" only requires that the keys are left in the ignition, and the driver's side window is left rolled down.

    It's bullshit. This is a flaw caused by retards who aren't competent being allowed to administer systems. It's not even a hole in the OS, it's some software package.

    Congrats, Assdot. Another non-story.

  25. devs by Anonymous Coward · · Score: 0

    another in a long line of reasons why devs should not be allowed to use networks.

  26. Not Even Wrong by Anonymous Coward · · Score: 0

    No. This is so wrong it is Not Even Wrong.

    But the devs documented it, and clearly too! How can this be wrong?

    It's wrong because the security perimeter has collapsed. All the best security information says so; every network of non-trivial size is already compromised. Thus the dev advice to deploy Redis "by trusted clients inside trusted environments" is brain-dead. There are no such environments anymore, not in the wild.

    OK, if you set up an isolated lab, not connected to the internet, and surrounded by a Faraday cage. You also have to eliminate the human factor, so no users are permitted, not even trusted admins. What have you got? A laboratory curiosity, not useful and not of interest. It's a proverbial hothouse for navel gazers.

    In this day and age, sending credentials in clear text is "commit the developer to a home for the insane" level of irresponsible. It would be acceptable only in Alpha stage software, pre version 1.0 and when credential encryption is still on the To-Do List. And by the way, if Microsoft had done this, the Linux fans out there would be savaging them mercilessly. Which for once, would be the correct thing to do.