Slashdot Mirror


Linux Trojan Mines For Cryptocurrency Using Misconfigured Redis Servers (softpedia.com)

An anonymous reader writes: In another installment of "Linux has malware too," security researchers have discovered a new trojan that targets Linux servers running Redis, where the trojan installs a cryptocurrency miner. The odd fact about this trojan is that it includes a wormable feature that allows it to spread on its own. The trojan, named Linux.Lady, will look for Redis servers that don't have an admin account password, access the database, and then download itself onto the new target. The trojan mines for the Monero cryptocurrency, the same one used by another worm called PhotoMiner, which targets vulnerable FTP servers. According to a recent Risk Based Security report from last month, there are over 30,000 Redis servers available online without a password, of which 6,000 have already been compromised by various threat actors.
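The summary says Linux.Lady looks for Redis servers that answer commands without any password. What follows is an added example for this page, not code from the softpedia write-up, the Linux.Lady sample or the Redis project: a defender-side probe that speaks the raw RESP wire protocol, sends one PING with no credentials and classifies the reply, so you can see your own instances the way a worm's scanner would. The reply strings it matches (+PONG, -NOAUTH or -ERR operation not permitted when requirepass is set, -DENIED from protected mode) are what I expect from Redis 2.x/3.x servers and are assumptions; the host, port and sample replies are illustrative.

```python
"""Probe a Redis port for unauthenticated access over the raw RESP protocol.

Added example for this thread; not code from the Linux.Lady write-up or the
Redis project.  It speaks the wire protocol directly so no client library is
needed.  The reply strings matched below are assumptions about what Redis
2.x/3.x servers return; the target host and port are illustrative.
"""
import socket


def resp_command(*args: str) -> bytes:
    """Encode a command as a RESP multi-bulk array, e.g. PING -> b'*1\\r\\n$4\\r\\nPING\\r\\n'."""
    out = [f"*{len(args)}\r\n".encode()]
    for arg in args:
        raw = arg.encode()
        out.append(b"$%d\r\n%s\r\n" % (len(raw), raw))
    return b"".join(out)


def classify_reply(reply: bytes) -> str:
    """Map the server's first reply line to an exposure state.

    "open"          : the command ran with no credentials at all (the Linux.Lady precondition)
    "auth-required" : requirepass is set; the server refused the unauthenticated command
    "protected"     : Redis 3.2+ protected mode refused a non-loopback client
    "unknown"       : anything else (not Redis, or an unexpected error reply)
    """
    line = reply.split(b"\r\n", 1)[0]
    if line.startswith(b"+PONG"):
        return "open"
    if line.startswith(b"-NOAUTH") or line.startswith(b"-ERR operation not permitted"):
        return "auth-required"
    if line.startswith(b"-DENIED"):
        return "protected"
    return "unknown"


def probe(host: str, port: int = 6379, timeout: float = 3.0) -> str:
    """Connect, send PING without AUTH, classify the answer.  Never sends credentials
    (AUTH travels in clear text, so a probe should not spray passwords anyway)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(resp_command("PING"))
            return classify_reply(sock.recv(4096))
    except OSError:
        return "unreachable"


if __name__ == "__main__":
    import sys

    # Assumed usage: python probe.py <host> [port]; defaults to the local instance.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 6379
    print(target, port, probe(target, port))
```

Run it against each Redis host you own from an address outside the box; "open" on anything reachable from the Internet is exactly the state the summary describes, and "auth-required" only means a password exists, not that it is strong or that the channel is encrypted.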

25 of 62 comments

  1. But I've thought that linux was secure by Anonymous Coward · · Score: 3, Funny

    Clearly the story is a fake; there is no virus for Linux because Linux is OPEN SORES, which means its BUGS are shallow and it is FREE FROM MALWARE. Wasn't freedom from malware one of the four freedoms?

  2. Ok by Anonymous Coward · · Score: 1

    Set a password. Problem solved. There is literally nothing being exploited except total lack of a password to get in.
    Same thing would happen if you put up a Windows server with no password.

    1. Re:Ok by roger_that · · Score: 1

      I don't have any Mod points today, but someone should mod this up. This is not a Linux failure, but a Redis admin failure.

  3. Um... What Access Control? by ewhac · · Score: 5, Insightful
    The developers are fairly up-front about this:

    Redis is designed to be accessed by trusted clients inside trusted environments. This means that usually it is not a good idea to expose the Redis instance directly to the internet or, in general, to an environment where untrusted clients can directly access the Redis TCP port or UNIX socket. [ emphasis mine ]

    There is an "authentication" feature, but it's amazingly primitive, and the credentials are sent in the clear -- in other words, next to useless. The rest of the page makes it fairly clear: If you are running a Redis server accepting connections from the open Internet, you are an idiot.

    1. Re: Um... What Access Control? by bestweasel · · Score: 1

      The result is that there are thousands of Redis servers exposed to malware. Clearly administrators can't always be trusted to do what's right which is why I find Redis' attitude irresponsible.

      by default, Redis has no authentication or security mechanism enabled, and any security mechanisms must be implemented by the end user.

      If Redis shipped with sensible defaults, none of this would have happened.
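ewhac's quote from the Redis docs and bestweasel's point about defaults come down to a handful of lines in redis.conf: bind, protected-mode, requirepass and rename-command. As an added example (not Redis project code; both configuration texts are constructed for illustration and the password is a placeholder), here is a small audit that parses a redis.conf, flags the combination that leaves an instance open to anyone who can reach the port, and shows the weak configuration beside a hardened one.

```python
"""Audit a redis.conf for the settings that let an exposed instance be taken
over with no credentials.  Added example for this thread, not Redis project
code; WEAK_CONF and HARDENED_CONF are constructed samples and the password in
HARDENED_CONF is a placeholder."""
import ipaddress

# Constructed sample: listens on every interface with no password and protected mode off.
WEAK_CONF = """\
port 6379
bind 0.0.0.0
protected-mode no
# requirepass is commented out: no credentials are ever checked
"""

# Constructed sample: loopback only, protected mode on (Redis 3.2+), a password,
# and the CONFIG command disabled so a client cannot rewrite settings at runtime.
HARDENED_CONF = """\
port 6379
bind 127.0.0.1
protected-mode yes
requirepass change-me-to-a-long-random-secret
rename-command CONFIG ""
"""


def parse_conf(text: str) -> dict:
    """Return {directive: [value, ...]} in file order; comment and blank lines are skipped."""
    conf: dict = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(key, []).append(value)
    return conf


def audit(text: str) -> list:
    """Return a list of findings; an empty list means none of the four checks fired."""
    conf = parse_conf(text)
    findings = []

    # 1. requirepass absent or empty: the server never asks for credentials.
    password = conf.get("requirepass", [""])[-1].strip('"')
    if not password:
        findings.append("no requirepass: any client that reaches the port has full access")

    # 2. bind absent or non-loopback: Redis accepts connections from the network.
    public = []
    for addr in conf.get("bind", ["0.0.0.0"])[-1].split():
        addr = addr.lstrip("-")          # newer versions allow an optional '-' prefix
        try:
            if addr == "*" or not ipaddress.ip_address(addr).is_loopback:
                public.append(addr)
        except ValueError:               # hostname or malformed entry: treat as non-loopback
            public.append(addr)
    if public:
        findings.append("bind includes non-loopback address(es): " + " ".join(public))

    # 3. protected-mode (Redis 3.2+) refuses non-loopback clients when no password is set.
    if conf.get("protected-mode", ["no"])[-1].lower() != "yes":
        findings.append("protected-mode is not 'yes' (off, or the server predates it)")

    # 4. rename-command CONFIG "" keeps a remote client from changing server settings live.
    renamed = {v.split()[0].upper() for v in conf.get("rename-command", []) if v.split()}
    if "CONFIG" not in renamed:
        findings.append("CONFIG command is not renamed or disabled")
    return findings


def exposed(text: str) -> bool:
    """The precondition the summary describes: reachable from the network, no password,
    and nothing (protected mode) standing in for one."""
    found = audit(text)
    return (any(f.startswith("no requirepass") for f in found)
            and any(f.startswith("bind includes") for f in found)
            and any(f.startswith("protected-mode") for f in found))


if __name__ == "__main__":
    for name, conf_text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, "EXPOSED" if exposed(conf_text) else "ok", audit(conf_text))
```

A bind to 127.0.0.1 is the real fix; requirepass is defence in depth, since, as ewhac notes, the password crosses the wire in clear text and a Redis that must be reached from other hosts belongs behind a firewall rule or a stunnel/VPN hop rather than on a public address.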

  4. Clickbait by ilsaloving · · Score: 4, Insightful

    So in other words, the whole article/summary is flamebait/clickbait. Only an idiot would install a server and not configure an admin password.

    Saying that "Linux has malware!" because morons misconfigure an application running on Linux, is like saying "Windows has malware!" because SQL Server was installed with a blank sa password. I mean, sure, Windows does have malware, but this is just clickbait nonsense.

    1. Re:Clickbait by houstonbofh · · Score: 1

      Can you really call it hacking a server when there is no password? Doesn't that make it an open server, kinda like open wifi?

    2. Re:Clickbait by Bert64 · · Score: 1

      You can come in uninvited, and if you don't someone else will. The easier you make it, the more people will be capable of doing it.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    3. Re:Clickbait by Ol Olsoc · · Score: 1

      Saying that "Linux has malware!" because morons misconfigure an application running on Linux, is like saying "Windows has malware!" because SQL Server was installed with a blank sa password. I mean, sure, Windows does have malware, but this is just clickbait nonsense.

      But this makes the Windows lads feel much better about themselves. While it is whacked to say that an open server is Linux malware, it allows them to say, just like in the summary, "Linux has malware too". Nope. It's a badly written bit of kit.

      For all of the multitudes of Windows malware, the idea of pointing a finger at an open server and saying "Linux has malware too!" is preposterous.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    4. Re:Clickbait by JustAnotherOldGuy · · Score: 1

      Can you really call it hacking a server when there is no password? Doesn't that make it an open server, kinda like open wifi?

      "Hacking" might not be the best description or word to use, but it seems like an unauthorized entry or use of the platform.

      I know it's a bit fuzzy in terms of terminology, but the lack of a password on something doesn't automatically grant carte blanche permission to do whatever you want.

      Not having a lock on my door doesn't mean you have permission to open it and come in.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    5. Re:Clickbait by ilsaloving · · Score: 1

      It's not even close to the same reasoning. Just because something is open, doesn't automatically mean you have a right to it.

      Granted, most things that are open (eg: wifi), are left open on purpose because the administrator specifically wants to encourage people to use it, but unless you are absolutely sure that you have been given permission to use a service, then what you are doing is trespassing, period.

    6. Re:Clickbait by ilsaloving · · Score: 1

      Shame you posted AC. That comment is worth a +5 Funny.

    7. Re:Clickbait by ilsaloving · · Score: 1

      No, it doesn't. Unless the administrator has specifically declared that the open service is open on purpose, you cannot assume that it's there as a free-for-all.

      The vast majority of consumer-facing services, like open wifi, websites, ftp sites, etc, make it easy to forget that those services were left open *on purpose*. For example, the vast majority of (properly set up) wifi access points will present you with a guest access ToS screen.

      Unfortunately not everyone is competent in setting up front-facing services, and may do something boneheaded like what is described in the article. Accessing services that weren't specifically declared to be public is still effectively trespassing. The best analogy I can think of is a wasp that paralyzes a caterpillar and injects an egg into it. Just because you *can* do something, doesn't automatically mean it's cool to do so.

    8. Re:Clickbait by ilsaloving · · Score: 1

      Sorry, ignore my other comment. I conflated what you wrote with what you quoted.

    9. Re:Clickbait by ilsaloving · · Score: 1

      No, it doesn't. Unless the administrator has specifically declared that the open service is open on purpose, you cannot assume that it's there as a free-for-all.

      The vast majority of consumer-facing services, like open wifi, websites, ftp sites, etc, make it easy to forget that those services were left open *on purpose*. For example, the vast majority of (properly set up) wifi access points will present you with a guest access ToS screen.

      Unfortunately not everyone is competent in setting up front-facing services, and may do something boneheaded like what is described in the article. Accessing services that weren't specifically declared to be public is still effectively trespassing. The best analogy I can think of is a wasp that paralyzes a caterpillar and injects an egg into it. Just because you *can* do something, doesn't automatically mean it's cool to do so.

    10. Re:Clickbait by ilsaloving · · Score: 1

      Oh FFS. Ok, no more slashdot while it's so hot I can't focus clearly enough to reply on the correct comment. Twice. :P

  5. Hey we've arrived! by rune2 · · Score: 2

    This is the year of the Linux desktop! ;-)

  6. In another installment of "BeauHD is an idiot"... by Nutria · · Score: 1

    our faithful "editor" has apparently never heard of the Morris Worm.

    --
    "I don't know, therefore Aliens" Wafflebox1
  7. Okay, let me be the first to ask by 93 Escort Wagon · · Score: 1

    What the heck is Redis? Okay, I see that it's some sort of database server... but why would anyone use it instead of software people have heard of?

    --
    #DeleteChrome
    1. Re:Okay, let me be the first to ask by Narcocide · · Score: 2

      It's just memcache for hipsters.

    2. Re:Okay, let me be the first to ask by PRMan · · Score: 1

      Everywhere I've been they've had Redis servers. You need to get out more.

      --
      Peter predicted that you would "deliberately forget" creation 2000 years ago...
  8. Re:Um... What Access Control? by houstonbofh · · Score: 1

    If you are running a Redis server accepting connections from the open Internet, you are an idiot.

    Good thing we don't have too many of them! No, wait...

  9. Unfit stance on security for the 21st century by burni2 · · Score: 2

    I think that this "trusted" within "trusted environments" scheme is unfit for today's and future IT integration.

    Because it will not encourage the developer(s) to write code with security in mind(*): it removes this vector from their mindset.

    Secondly, as an integrator you would need to build that trusted environment and infrastructure, and with a "security neglecting" application that is another headache.

    Many security breaches manifest themselves as a break-in into those "trusted environments", and my personal point is that there is no such thing as a "trusted environment"; instead it should be called a "not-directly-exposed environment".

    And yes, even your localhost applications should have authentication, because today's infrastructure is so complex that even without neglect it is incredibly easy to do things wrong.[1]

    (*)Security in mind:
    - Learn from the mistakes of others: read exploited code, understand why it was exploited and learn from the safe replacement

    - Thinking: your program is prey in a big bucket filled with parasites as well as predators that will use every chance you give them

    - basically secure by default, not secured by long terms of service.

    [1] https://apache.slashdot.org/st...

    1. Re:Unfit stance on security for the 21st century by burni2 · · Score: 1

      1.) You did not understand what I said.
      I didn't say that you should scrape your DMZ for secure apps.

      I said that developers should focus on security, because even a DMZ can be broken into, AND THEREFORE DEVELOPERS AND USERS SHOULD FOCUS ON SECURITY TO CONTAIN THE IMPACT OF THEIR HOLE IN THEIR DMZ CONFIGURATION.

      And a DMZ should not be equal to a free-for-all zone.

      I know that security is relative, however if you can put the bars higher with relatively low effort you should do it.

      2.) You like your features till the day you are blamed for the major fuck up.

      3.) I hope you have realized that the trend in politics and future law making is going towards accountability in security and therefore this topic will get much more important for the survival of companies.

      4.) And btw. performance and security are possible[1], if you just reduce the middleware-on-middleware and do it right the first time.

      [1] https://www.fefe.de/gatling/

  10. Re: Why is Monero different? by aminorex · · Score: 1

    True, but that doesn't explain why it is the first proper e-cash. The answer is that, because the blockchain is opaque, Monero is fungible, in contrast to Bitcoin where all interactions on the blockchain are readable by all parties. XMR transactions are actually unlinkable and untraceable unless a private key is provided for purposes of auditability. Therefore, unlike Bitcoin, your funds cannot be blacklisted if they are Politically Incorrect.

    --
    -I like my women like I like my tea: green-