
New Linux Trojan Is A DDoS Tool, a Bitcoin Miner, and Web Ransomware (softpedia.com)

An anonymous reader writes: A trojan that targeted Drupal sites on Linux servers last May that was incredibly simplistic and laughable in its attempt to install (and fail) web ransomware on compromised websites, has now received a major update and has become a top threat on the malware scene. That trojan, named Rex, has evolved in only three months into an all-around threat that can: (1) compromise servers and devices running platforms like Drupal, WordPress, Magento, Jetspeed, Exarid, AirOS; (2) install cryptocurrency mining in the background; (3) send spam; (4) use a complex P2P structure to manage its botnet; and (5) install a DDoS agent which crooks use to launch DDoS attacks.

Worse is that they use their DDoS capabilities to extort companies. The crooks send emails to server owners informing them of 15-minute DDoS tests, as a forewarning of future attacks unless they pay a ransom. To scare victims, they pose as a known hacking group named Armada Collective. Other groups have used the same tactic, posing as Armada Collective and extorting companies, according to CloudFlare.

63 comments

  1. this is FUD. by Anonymous Coward · · Score: 0

It is obvious that the person posting these is busy FUDing.

    1. Re:this is FUD. by Anonymous Coward · · Score: 0

      Obviously an NSA operation. From the trojan to the fabricated slashdot story.

  2. Open source is more secure by Anonymous Coward · · Score: 4, Insightful

    After all, you have millions of people looking over source code, so any bugs and vulnerabilities are guaranteed to be found and repaired quickly. This will be fixed quickly and only a few systems will be exploited. On Windows, however, this would be crippling, spreading to many millions of systems while Microsoft waited a month or two to issue a fix. This isn't a story because open source software is guaranteed to be fixed quickly.

    1. Re:Open source is more secure by Aristos+Mazer · · Score: 4, Insightful

      Patches may be available quickly. Whether those get applied or not is a different story.

    2. Re:Open source is more secure by Anonymous Coward · · Score: 1

Only a tiny fraction of people patch correctly. Also the millions of eyes is all complete bullshit and I say that as one of those sets of eyes. Only a very tiny fraction of a percent have the skills to review code for security and most of them are gainfully employed doing other stuff.

    3. Re:Open source is more secure by gweihir · · Score: 4, Interesting

      The finding is not the main thing. The main difference is that once you know you have a problem, with OSS you can do something about it, while with closed source you can only hope the vendor will.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    4. Re:Open source is more secure by Anonymous Coward · · Score: 0

      Guaranteed to be fixed quickly? Who's making this guarantee? I don't think you understand how open source software works.

    5. Re:Open source is more secure by Anonymous Coward · · Score: 0

      Windows updates will be issued in due time. Whether those get applied or not is a different story.

    6. Re:Open source is more secure by Anonymous Coward · · Score: 0

Yeah. I mean we're all uberhackers with intimate knowledge of debugging and patching pwned kernels, network stacks or whatever else. Not to mention we've all got the spare time and energy to follow and research the latest 0 days before they even drop, what with our network of white/black hat contacts to keep us reliably informed.

      It's *certainly* not the case that your average user essentially remains entirely at the mercies of knowledgeable 3rd parties to detect and fix it, and that the effective difference between open/closed source is mostly for epeen flamerights on irrelevant internet messageboards.

    7. Re: Open source is more secure by Anonymous Coward · · Score: 0

      Wow so clueless. Your attitude is why you can't do anything right. Go click the start menu, click shutdown -> shutdown now. Hand in your geek pass.

    8. Re:Open source is more secure by Rick+Zeman · · Score: 1

Only a tiny fraction of people patch correctly. Also the millions of eyes is all complete bullshit and I say that as one of those sets of eyes. Only a very tiny fraction of a percent have the skills to review code for security and most of them are gainfully employed doing other stuff.

      Yep. The glaring security holes in OpenSSL prove all of your points.

    9. Re:Open source is more secure by Anonymous Coward · · Score: 1

      Windows updates will be issued in due time

      Except that, no, they are not.

      Our group still has 35 zero day exploits present in all versions of windows since XP, all still exploitable in Win 10 today. Another 25 present since Vista and still exploitable today.

You won't be finding these bugs by looking at any of the closed source software's source code, because you can't look at the source code.

      And not a single one has a windows update available to fix them.

    10. Re:Open source is more secure by Anonymous Coward · · Score: 0

      After all, you have millions of people looking over source code, so any bugs and vulnerabilities are guaranteed to be found and repaired quickly.

      The fact that this is modded "insightful" despite truly technologically competent people knowing how false it is along with the ridiculousness of the statement that "millions of people" are looking at the code just shows how ignorant and out of touch so much of the slashdot audience is with the real world.

      The security of Linux has been very much security through obscurity and its growth in usage (particularly in the mobile space) has begun to reveal this. The bigger problem is that whenever a bug is discovered in Linux the apologists immediately come out and start saying "Oh but Windows this or Windows that" or in the mobile space "iOS this or iOS that" as if any Linux user gives two shits about what Windows or iOS does. It's time you supposed Linux users climbed out of your own asses and stop obsessing over Windows and iOS all the time.

    11. Re:Open source is more secure by Anonymous Coward · · Score: 0

      Comparing Open Source and Closed Source is obviously idiotic because of the amount of unknowns. Open source makes it easier to find bugs because the code is visible, it makes it easier for both White Hat and Black Hat hackers to find bugs. Also just because an open source project is used by a lot of people doesn't mean a lot of people look at the source code, OpenSSL is a prime example of this. Just look at how far the Heartbleed bug spread because so many people were using it but nobody was looking at it.

      Both open and closed source software is highly likely to have undiscovered security vulnerabilities and just because an issue is fixed doesn't mean it gets into all deployments, just look at Android for an example.

      In an ideal world where every user is also a skilled developer and is looking at the code before they run it, building it from source and regularly updating the codebase for all their applications and components sure open source would theoretically be more secure, but that's not reality no matter how distorted your view might be.

    12. Re: Open source is more secure by Anonymous Coward · · Score: 0

      Everything he said is true. I still can't believe people believe you can just look at the source code to spot the security issues. Maybe when you graduate from high school and wander into the real world you will see just how ignorant you are.
      The fan boy Linux zealots are so convinced their open source OS is secure that they dismiss every vulnerability report and firmly believe that millions of people are busy looking at the problem and a fix will be released in a few hours.

    13. Re:Open source is more secure by Anonymous Coward · · Score: 0

      Re: "...with closed source you can only hope the vendor will."

      Wow, FUD much? You really cannot see the path of truth, right before your eyes, can you?

      Closed source vendors routinely fix security problems, by the thousands. There is no objective evidence, at all, that FOSS is systematically safer than closed source.

      Every day we hear about a new security vulnerability. Every day, FOSS advocates have one of 2 responses:

      1). It's a Microsoft issue. "Told you so! MS isn't safe! Closed source is cancer!"
      2). It's a FOSS issue. "This isn't a problem, and here is a long and boring list of excuses as to why it isn't a problem..."

    14. Re: Open source is more secure by gweihir · · Score: 1

The ignorant here is you, and massively so. First, this is about what to do once a vulnerability is known. You know, the time when it becomes really, really dangerous to leave it unfixed because all the script-kiddies start attacking it. And then, whoever said anything about you having to come up with a patch yourself? That is the closed-source mind-set where every modification of software is almost a criminal act, to be committed in solitude and secrecy. Yes, somebody has to come up with a patch, and there are people out there that have a lot better skills at this than you (and yes, I mean you specifically) and can do it, and that still do not work for the vendor. If any one of them publishes a patch, the worst you have to do is verify it solves the problem, but even that is in basically all cases replaced by peer-review among those that have the required skills. This process works and has worked for decades. It is the main reason Linux exists.

      Your hostility towards open source does one thing: It makes you look very, very stupid. It also makes you look like somebody that enjoys being at the mercy of a vendor, like a good little follower that submits to authority because that obviously is how one must live.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    15. Re:Open source is more secure by gweihir · · Score: 1

      Fascinating. A new level of ignorance and stupidity is reached. Ever heard about known vulnerabilities that get not fixed for a long, long time in closed-source software? And ever heard about the same thing in open source software? Well, with the fuzziness of your thinking, you probably have heard of the second and not the first, but that has not even a distant relation to actual reality.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    16. Re:Open source is more secure by Anonymous Coward · · Score: 0

      Ever heard about known vulnerabilities that get not fixed for a long, long time in closed-source software?

      Yes.

      And ever heard about the same thing in open source software?

      Yes of course, if you haven't then you obviously have no idea about open source whatsoever. If you go through the enormous list of known bugs in what is probably the most high profile open source project in the world you will find various privilege issues, buffer overruns, etc. that have been in there for a long time. You really don't think this is even more prevalent in less well-known projects?

      Open source is not some magic pill where all bugs are quickly found and fixed, it's that idiotic attitude that led to critical open source security failures like Heartbleed. There was the assumption that open source was safe and somebody had looked at the code and fixed any bugs but in truth this was used by a vast amount of companies and people and nobody was looking at the code at all. That doesn't bode well for less visible projects.

      Open source has some great qualities but it's people like you who take it to a religious level and defend it as though you are being criticised personally that cause the whole idea to over-promise and under-deliver. By now it should be a given that open source is a superior development model but it ends up hotly debated because the advantages OSS would have if the conditions for it were ideal are presented as the average case when that is not only completely removed from reality but in most cases isn't even practical.

    17. Re:Open source is more secure by Anonymous Coward · · Score: 0

This ties in with the various "incompetent admin" related posts in this thread.

      If you're on the ball, you keep shit updated, locked down, and monitored.

      In this case, I'd recommend that step one be replacing Drupal with literally anything else.

  3. Non-story by Anonymous Coward · · Score: 0

    This has already been fixed.

  4. PSA: This does not affect Windows by Anonymous Coward · · Score: 4, Funny

    If you're a Windows user, you have nothing to worry about. Only Linux is affected by this trojan.

    1. Re:PSA: This does not affect Windows by Anonymous Coward · · Score: 0

      Shit, I don't know how to fix this. I was told Linux was safe. Will a fix be pushed out?

    2. Re: PSA: This does not affect Windows by Anonymous Coward · · Score: 0

      Sure, it's open source so go make the fix.

    3. Re:PSA: This does not affect Windows by Anonymous Coward · · Score: 0

      There is no fix for Drupal, other than to use a different piece of software.

  5. Droop-all by Anonymous Coward · · Score: 0

This is why I don't install social bullshitting platforms, and I run custom-built web servers that only support the bare minimum subset of features that I absolutely need for my sites to function. Which means if I need dynamic content generated by a script, I'll run that script from an HTTP server written in bash. Web frameworks are for the weak minded.

  6. You gotta love yellow journalism by Rosco+P.+Coltrane · · Score: 4, Informative

    Linux has nothing to do with this. It's a Drupal security issue.

    I expected better reporting of an issue like this from Slashdot. Then again, maybe not...

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
    1. Re:You gotta love yellow journalism by Anonymous Coward · · Score: 1

Story seems accurate? What are you complaining about exactly? It is a Linux Trojan installed via Drupal (exactly as the summary states); it doesn't say it was a Linux vulnerability.

    2. Re:You gotta love yellow journalism by Anonymous Coward · · Score: 1

      It just shows that with the right malware, you can get the full Windows experience on Linux.

    3. Re:You gotta love yellow journalism by Anonymous Coward · · Score: 3, Informative

      To be fair, the cited (and likely incomplete) list from the summary is "compromise servers and devices running platforms like Drupal, WordPress, Magento, Jetspeed, Exarid, AirOS." The takeaway here is pretty much this: widespread deployment of shitty PHP and Java apps strikes again ... -PCP

    4. Re: You gotta love yellow journalism by Anonymous Coward · · Score: 0

      I agree. Open source and Linux should never be criticized. Any criticism is false and, therefore, is yellow journalism. I find any criticism of Linux to be highly offensive and indicative of spamming from paid Microsoft trolls.

    5. Re:You gotta love yellow journalism by Anonymous Coward · · Score: 0

      Something on the internet was wrong! Just imagine how many other things taken on trust might be incorrect! Would you have questioned it had it been a MS problem? Etc.

    6. Re: You gotta love yellow journalism by Rosco+P.+Coltrane · · Score: 4, Insightful

      I agree. Open source and Linux should never be criticized. Any criticism is false and, therefore, is yellow journalism. I find any criticism of Linux to be highly offensive and indicative of spamming from paid Microsoft trolls.

      Way to mix issues here.

      1/ Should open source or Linux be criticized? Hell yes, if there are reasons to.

      2/ You conflate Linux and open-source. They aren't the same issues - they aren't even the same thing. Open-source is a development and business model and Linux is a fucking kernel.

3/ Drupal is to be criticized here. Not Linux. Linux as a kernel is doing what the flawed middleware on top of it tells it to. No more, no less. Show me a Linux kernel exploit and I'll be the first to criticize Linux. But in this case, it ain't the culprit.

      I can sort of understand people mixing up GNU things and the Linux kernel, because it's been done for years, and people grew tired of hearing Stallman repeat "it's not Linux, it's GNU/Linux" a long time ago. But Drupal has never been remotely connected to Linux. What next? Run Drupal on FreeBSD and claim FreeBSD has been owned by a trojan?

      --
      "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
    7. Re:You gotta love yellow journalism by Anonymous Coward · · Score: 0

      The story is accurate. The targeted platform is Linux. The infection vector is Drupal and others. Linux apologists will always make fun of Windows as being weak, even if the infection vector is a fake Flash update and stupid users, not a weakness in Windows itself.

    8. Re:You gotta love yellow journalism by StormReaver · · Score: 1

      To be honest, anyone still using Drupal or Wordpress (or any other database-aware software that doesn't use prepared statements) has actively begged to be owned, and should probably just be placed in a job more appropriate to their skill sets (such as janitorial work).

      The term "SQL Injection" should have been relegated to the history books a decade ago, as avoiding it is easier than being subject to it.
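As an added illustration of the point about prepared statements (this is example code written for this page, not code from the thread or from Drupal, WordPress or any other project named above): the same lookup written once with string concatenation and once with a bound parameter, run against a small constructed in-memory SQLite table. The user names, e-mail addresses and the tautology input are all made up for the demonstration.

```python
import sqlite3

# Constructed sample data (not from the page): a toy user table.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """The anti-pattern: user input spliced into the SQL text.

    The input becomes part of the query grammar, so a quote character in it
    changes what the query means instead of being compared as data.
    """
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """The fix: a parameterised (prepared) statement.

    The SQL text is fixed at write time; the driver binds the value
    separately, so whatever the input contains is only ever compared as a
    string and can never alter the query's structure.
    """
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo() -> dict:
    """Run both lookups against an ordinary name and a textbook tautology."""
    conn = make_db()
    # Constructed input: a quote that closes the literal, then an always-true
    # clause. Harmless against the parameterised query, catastrophic against
    # the concatenated one.
    payload = "' OR '1'='1"
    return {
        "normal_unsafe": find_user_unsafe(conn, "alice"),
        "normal_safe": find_user_safe(conn, "alice"),
        "payload_unsafe": find_user_unsafe(conn, payload),
        "payload_safe": find_user_safe(conn, payload),
    }


if __name__ == "__main__":
    for key, rows in demo().items():
        print(f"{key}: {len(rows)} row(s)")
```

For a normal name both variants return the one matching row. For the tautology input the concatenated query returns every row in the table, while the parameterised query returns nothing, because no user is literally named `' OR '1'='1`. The difference is entirely in whether the database parses the input as SQL or receives it as a bound value, which is why the fix is a coding convention rather than input filtering.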

    9. Re: You gotta love yellow journalism by ljw1004 · · Score: 1

Drupal is to be criticized here. Not Linux. Linux as a kernel is doing what the flawed middleware on top of it tells it to. No more, no less. Show me a Linux kernel exploit and I'll be the first to criticize Linux.

      Never heard:

      "People should call it a vulnerability in GNU/Linux, not just a vulnerability in Linux".

    10. Re:You gotta love yellow journalism by MisterSquid · · Score: 4, Insightful

      To be fair, the cited (and likely incomplete) list from the summary is "compromise servers and devices running platforms like Drupal, WordPress, Magento, Jetspeed, Exarid, AirOS." The takeaway here is pretty much this: widespread deployment of shitty PHP and Java apps strikes again ... -PCP

This isn't a problem of the "widespread deployment of shitty PHP and Java apps". The vulnerability which this Trojan exploits is CVE-2014-3704 and was patched by the Drupal Security Team on the 15th of October in 2014.

The circumstances and agents which have led to this Trojan exploiting Linux systems and Drupal frameworks in the wild are, as with many such things, multiple and varied. They include installations that are under-resourced, shops with critical dependencies that cannot easily upgrade, web apps that at first and second glance do not have interfaces outside an intranet, etc. etc. and so on and so forth.

      The key is to stop pointing fingers and laying blame, unless the fingers point to the creators and distributors of the malware. The exploitation and abuse of computer infrastructure is part of territory. Blaming failures on the vulnerable is a sysadmin's version of victim-blaming and does little to mitigate the problem and much to generate community dysfunction.

      Instead of finger pointing, spread the word, inform your unknowing and unwitting colleagues, train junior developers about how to remain secure for multiple computing environments with complex layers of computing infrastructure.

      Our great-great-great-great grandchildren will thank you.

      --
      blog
    11. Re:You gotta love yellow journalism by angel'o'sphere · · Score: 1

      And what has Java to do with that?

Considering that in Java you automatically use prepared statements 90% of the time ... and none of the software you mention is written in Java.

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
    12. Re:You gotta love yellow journalism by Anonymous Coward · · Score: 0

      I suggest you check the list again. -PCP

    13. Re: You gotta love yellow journalism by Anonymous Coward · · Score: 0

      Linux is a fucking kernel.

      So that's where baby corn comes from!

    14. Re:You gotta love yellow journalism by Anonymous Coward · · Score: 0

      I am CONSTANTLY spreading the word. It usually goes something like this:

      "Drupal. Not even once."

    15. Re: You gotta love yellow journalism by Anonymous Coward · · Score: 0

      Whenever I hear someone specifically using the term "GNU/Linux" my first instinct is to want to grab a brick and use it to crush their skull. It is honestly difficult to quantify how much of an annoying and pedantic fucking asshole you are if you do it.

  7. Words by wonkey_monkey · · Score: 1

    in its attempt to install (and fail) web ransomware

    It attempted to "fail" web ransomware? What does that mean?

    That trojan, named Rex, has evolved

    No, it's been reprogrammed.

    --
    systemd is Roko's Basilisk.
    1. Re:Words by Anonymous Coward · · Score: 0

      That trojan, named Rex, has evolved

      No, it's been reprogrammed.

      Hey now, that's just intelligent design at work. -PCP

  8. Re:Head in the sand Linux security by Anonymous Coward · · Score: 1

    It will only affect Linux servers that are run by people who have a single-user OS mindset (AKA Windows). Anyone with a clue doesn't run Linux with full superuser permissions.

  9. Re:Head in the sand Linux security by Anonymous Coward · · Score: 0

    So every Desktop Linux OS being used as a server.

    As it is, the best way to solve this is to quit using shitty CMS software that is full of holes like Wordpress (The "Microsoft Windows" of the CMS's)

Too much "off the shelf" software is used by people who don't know about security, and Wordpress comes with NOTHING to prevent being taken over. It's Windows 95 all over again.

  10. Re:Head in the sand Linux security by gweihir · · Score: 3, Insightful

    Quite a bit of the world's banking infrastructure, including customer-facing sites run on Linux. That alone shows the utter cluelessness of morons like you.

    Of course, an incompetent Linux admin (for example a former incompetent Windows admin) can configure Linux to be insecure and install insecure versions of applications.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  11. microsoft could learn a thing or two from this.. by Anonymous Coward · · Score: 0

    if at first you don't succeed... (95rtm, 98rtm, me, vista, 8, 10) try, try again... even the malware on linux is showing-up microsoft.

    the problem is, that's exactly what they do... every time they fuck up windows real good, they've followed-up with something usable... until now.. they seem to have forgotten that lesson and just shovel more shit these days: 10... backported bullshit updates... all-or-nothing cumulative updates for 7/8... ms account required just to install a *store bought* office... bribes^H^H^H^H^H^Hpaying users to use their stuff (edge, bing before that)...

  12. "incredibly simplistic and laughable" by Anonymous Coward · · Score: 0, Insightful

    I'm reading from this that nerds are easy to socially engineer. If you want them to fix something - even the code in your prototype malware - all you do is put it out and wait for them to give a scathing but accurate critique, then follow their advice.

    For there is nothing so insecure as a nerd's ego, which means they're willing to demonstrate their prowess at every opportunity.

    It's like the adage that if you want a right answer to something on the Internet, you don't ask a question, but give the wrong answer.

  13. Re:Head in the sand Linux security by Anonymous Coward · · Score: 2, Insightful

    Alert. Clueless Windows user thinks desktop Linux runs like desktop Windows.

  14. Unpossible by Anonymous Coward · · Score: 0

    Unpossible. Linux is secure by design. Stop FUDing you Micro$oft SHILLS!

  15. That's mildly infuriating by rebelwarlock · · Score: 1

    A trojan that targeted Drupal sites on Linux servers last May that was incredibly simplistic and laughable in its attempt to install (and fail) web ransomware on compromised websites

    Let's go ahead and fix that:

    A trojan that targeted Drupal sites on Linux servers last May that was incredibly simplistic and laughable in its attempt (and failure) to install web ransomware on compromised websites

    Much better.

  16. Re: Head in the sand Linux security by Anonymous Coward · · Score: 0

    This. Dumbest comment I've read on slashdot.

  17. Re:Linux is a Blaster worm waiting to happen by jedidiah · · Score: 2

    ...except this is NOTHING like Blaster.

    This is a Trojan, which by definition requires a great deal of user intent in order to work.

    No, this is much more like Microsoft Office.

    --
    A Pirate and a Puritan look the same on a balance sheet.
  18. Re: Head in the sand Linux security by Anonymous Coward · · Score: 0

    And that is really saying something. It is Slashdot.....

  19. Re:Head in the sand Linux security by Anonymous Coward · · Score: 0

Unfortunately, just like Windows, Linux is not secure by default; it actually requires skilled admins to correctly lock it down. Many hobbyists or home users just jump on the "Linux is secure" bandwagon and don't realise that security actually requires effort on their part. This is why there are so many compromised Linux servers: bad admins are common and many of them don't even realise they are bad.

  20. Re:Head in the sand Linux security by gweihir · · Score: 2

    The claim is that a) it is significantly easier to lock Linux down and b) the result is far better. With an incompetent admin, Linux is not more secure. No argument there. But this is also not a surprise. In actual fact, a networked computing device will be insecure, unless competently configured and administrated. Eventually, this may change, but not anytime soon.

    The other thing is that admins that are actually competent often consider Windows to be an insult, because of how hard it makes good system administration.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  21. Re: Head in the sand Linux security by Anonymous Coward · · Score: 0

Yes, it is always Microsoft or Wordpress. Never Linux. As someone who uses both regularly, I agree Linux is more secure and Microsoft products are 10 times easier to use than their overly complex Linux analogues.

  22. Re:Head in the sand Linux security by Anonymous Coward · · Score: 0

    With an incompetent admin, NOTHING is secure.

    Your last comment is spot on. About 15 years ago I was bounced out the door of a not so small manufacturing business because someone higher up came in and thought we needed to be running Windows servers instead of HP/UX (and I had no problem with telling him what I thought of the idea.) Within a year, he had replaced one part time administrator (me, who was free to do things like user support literally half of every day) with three full time administrators. Between that, new hardware, licensing costs, and as it turned out training, the budget increased by literally a factor of five, or so I was told.

    So yeah, the updated version of the old saying might be "nobody ever got fired for buying Microsoft" but honestly they should be.

  23. Year of the Linux Botnet by stub667 · · Score: 1

Yes, security holes in WordPress, Magento, Jetspeed, Exarid, AirOS get the malware onto the system. But the malware is for Linux, and the subject and summary are valid.