New Linux Trojan Is A DDoS Tool, a Bitcoin Miner, and Web Ransomware (softpedia.com)
An anonymous reader writes: A trojan that targeted Drupal sites on Linux servers last May, which was incredibly simplistic and laughable in its failed attempt to install web ransomware on compromised websites, has now received a major update and has become a top threat on the malware scene. That trojan, named Rex, has evolved in only three months into an all-around threat that can: (1) compromise servers and devices running platforms like Drupal, WordPress, Magento, Jetspeed, Exarid, AirOS; (2) install cryptocurrency mining in the background; (3) send spam; (4) use a complex P2P structure to manage its botnet; and (5) install a DDoS agent which crooks use to launch DDoS attacks.
Worse is that they use their DDoS capabilities to extort companies. The crooks send emails to server owners notifying them of 15-minute DDoS tests, as a forewarning of future attacks unless they pay a ransom. To scare victims, they pose as a known hacking group named Armada Collective. Other groups have used the same tactic, posing as Armada Collective and extorting companies, according to CloudFlare.
After all, you have millions of people looking over source code, so any bugs and vulnerabilities are guaranteed to be found and repaired quickly. This will be fixed quickly and only a few systems will be exploited. On Windows, however, this would be crippling, spreading to many millions of systems while Microsoft waited a month or two to issue a fix. This isn't a story because open source software is guaranteed to be fixed quickly.
I agree. Open source and Linux should never be criticized. Any criticism is false and, therefore, is yellow journalism. I find any criticism of Linux to be highly offensive and indicative of spamming from paid Microsoft trolls.
Way to mix issues here.
1/ Should open source or Linux be criticized? Hell yes, if there are reasons to.
2/ You conflate Linux and open-source. They aren't the same issues - they aren't even the same thing. Open-source is a development and business model and Linux is a fucking kernel.
3/ Drupal is to be criticized here. Not Linux. Linux as a kernel is doing what the flawed middleware on top of it tells it to. No more, no less. Show me a Linux kernel exploit and I'll be the first to criticize Linux. But in this case, it ain't the culprit.
I can sort of understand people mixing up GNU things and the Linux kernel, because it's been done for years, and people grew tired of hearing Stallman repeat "it's not Linux, it's GNU/Linux" a long time ago. But Drupal has never been remotely connected to Linux. What next? Run Drupal on FreeBSD and claim FreeBSD has been owned by a trojan?
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
Quite a bit of the world's banking infrastructure, including customer-facing sites run on Linux. That alone shows the utter cluelessness of morons like you.
Of course, an incompetent Linux admin (for example a former incompetent Windows admin) can configure Linux to be insecure and install insecure versions of applications.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
I'm reading from this that nerds are easy to socially engineer. If you want them to fix something - even the code in your prototype malware - all you do is put it out and wait for them to give a scathing but accurate critique, then follow their advice.
For there is nothing so insecure as a nerd's ego, which means they're willing to demonstrate their prowess at every opportunity.
It's like the adage that if you want a right answer to something on the Internet, you don't ask a question, but give the wrong answer.
Alert. Clueless Windows user thinks desktop Linux runs like desktop Windows.
To be fair, the cited (and likely incomplete) list from the summary is "compromise servers and devices running platforms like Drupal, WordPress, Magento, Jetspeed, Exarid, AirOS." The takeaway here is pretty much this: widespread deployment of shitty PHP and Java apps strikes again ... -PCP
This isn't a problem of the "widespread deployment of shitty PHP and Java apps". The vulnerability which this Trojan exploits is CVE-2014-3704 and was patched by the Drupal Security Team on the 15th of October in 2014.
The circumstances and agents which have led to this Trojan exploiting Linux systems and Drupal frameworks in the wild are, as with many such things, multiple and varied. They include installations that are under-resourced, shops with critical dependencies that cannot easily upgrade, web apps that at first and second glance do not have interfaces outside an intranet, etc. etc. and so on and so forth.
The key is to stop pointing fingers and laying blame, unless the fingers point to the creators and distributors of the malware. The exploitation and abuse of computer infrastructure is part of the territory. Blaming failures on the vulnerable is a sysadmin's version of victim-blaming and does little to mitigate the problem and much to generate community dysfunction.
Instead of finger pointing, spread the word, inform your unknowing and unwitting colleagues, train junior developers about how to remain secure for multiple computing environments with complex layers of computing infrastructure.
Our great-great-great-great grandchildren will thank you.