Slashdot Mirror


New Linux Trojan Is A DDoS Tool, a Bitcoin Miner, and Web Ransomware (softpedia.com)

An anonymous reader writes: A trojan that targeted Drupal sites on Linux servers last May that was incredibly simplistic and laughable in its attempt to install (and fail) web ransomware on compromised websites, has now received a major update and has become a top threat on the malware scene. That trojan, named Rex, has evolved in only three months into an all-around threat that can: (1) compromise servers and devices running platforms like Drupal, WordPress, Magento, Jetspeed, Exarid, AirOS; (2) install cryptocurrency mining in the background; (3) send spam; (4) use a complex P2P structure to manage its botnet; and (5) install a DDoS agent which crooks use to launch DDoS attacks.

Worse is that they use their DDoS capabilities to extort companies. The crooks send emails to server owners notifying them of 15-minute DDoS tests, as a forewarning of future attacks unless they pay a ransom. To scare victims, they pose as a known hacking group named Armada Collective. Other groups have used the same tactic, posing as Armada Collective, and extorting companies, according to CloudFlare.


  1. Open source is more secure by Anonymous Coward · · Score: 4, Insightful

    After all, you have millions of people looking over source code, so any bugs and vulnerabilities are guaranteed to be found and repaired quickly. This will be fixed quickly and only a few systems will be exploited. On Windows, however, this would be crippling, spreading to many millions of systems while Microsoft waited a month or two to issue a fix. This isn't a story because open source software is guaranteed to be fixed quickly.

    1. Re:Open source is more secure by Aristos+Mazer · · Score: 4, Insightful

      Patches may be available quickly. Whether those get applied or not is a different story.

    2. Re:Open source is more secure by Anonymous Coward · · Score: 1

      Only a tiny fraction of people patch correctly. Also the millions of eyes is all complete bullshit and I say that as one of those sets of eyes. Only a very tiny fraction of a percent have the skills to review code for security and most of them are gainfully employed doing other stuff.

    3. Re:Open source is more secure by gweihir · · Score: 4, Interesting

      The finding is not the main thing. The main difference is that once you know you have a problem, with OSS you can do something about it, while with closed source you can only hope the vendor will.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    4. Re:Open source is more secure by Rick+Zeman · · Score: 1

      Only a tiny fraction of people patch correctly. Also the millions of eyes is all complete bullshit and I say that as one of those sets of eyes. Only a very tiny fraction of a percent have the skills to review code for security and most of them are gainfully employed doing other stuff.

      Yep. The glaring security holes in OpenSSL prove all of your points.

    5. Re:Open source is more secure by Anonymous Coward · · Score: 1

      Windows updates will be issued in due time

      Except that, no, they are not.

      Our group still has 35 zero-day exploits present in all versions of Windows since XP, all still exploitable in Win 10 today. Another 25 present since Vista and still exploitable today.

      You won't be finding these bugs by looking at any of the closed-source software's source code, because you can't look at the source code.

      And not a single one has a Windows update available to fix them.

    6. Re: Open source is more secure by gweihir · · Score: 1

      The ignorant here is you and massively so. First, this is about what to do once a vulnerability is known. You know, the time when it becomes really, really dangerous to leave it unfixed because all the script-kiddies start attacking it. And then, whoever said anything about you having to come up with a patch yourself? That is the closed-source mind-set where every modification of software is almost a criminal act, to be committed in solitude and secrecy. Yes, somebody has to come up with a patch, and there are people out there that have a lot better skills at this than you (and yes, I mean you specifically) and can do it, and that still do not work for the vendor. If any one of them publishes a patch, the worst you have to do is verify it solves the problem, but even that is in basically all cases replaced by peer-review among those that have the required skills. This process works and has worked for decades. It is the main reason Linux exists.

      Your hostility towards open source does one thing: It makes you look very, very stupid. It also makes you look like somebody that enjoys being at the mercy of a vendor, like a good little follower that submits to authority because that obviously is how one must live.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    7. Re:Open source is more secure by gweihir · · Score: 1

      Fascinating. A new level of ignorance and stupidity is reached. Ever heard about known vulnerabilities that don't get fixed for a long, long time in closed-source software? And ever heard about the same thing in open source software? Well, with the fuzziness of your thinking, you probably have heard of the second and not the first, but that has not even a distant relation to actual reality.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  2. PSA: This does not affect Windows by Anonymous Coward · · Score: 4, Funny

    If you're a Windows user, you have nothing to worry about. Only Linux is affected by this trojan.

  3. You gotta love yellow journalism by Rosco+P.+Coltrane · · Score: 4, Informative

    Linux has nothing to do with this. It's a Drupal security issue.

    I expected better reporting of an issue like this from Slashdot. Then again, maybe not...

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
    1. Re:You gotta love yellow journalism by Anonymous Coward · · Score: 1

      Story seems accurate? What are you complaining about exactly? It is a Linux Trojan installed via Drupal (exactly as the summary states); it doesn't say it was a Linux vulnerability.

    2. Re:You gotta love yellow journalism by Anonymous Coward · · Score: 1

      It just shows that with the right malware, you can get the full Windows experience on Linux.

    3. Re:You gotta love yellow journalism by Anonymous Coward · · Score: 3, Informative

      To be fair, the cited (and likely incomplete) list from the summary is "compromise servers and devices running platforms like Drupal, WordPress, Magento, Jetspeed, Exarid, AirOS." The takeaway here is pretty much this: widespread deployment of shitty PHP and Java apps strikes again ... -PCP

    4. Re: You gotta love yellow journalism by Rosco+P.+Coltrane · · Score: 4, Insightful

      I agree. Open source and Linux should never be criticized. Any criticism is false and, therefore, is yellow journalism. I find any criticism of Linux to be highly offensive and indicative of spamming from paid Microsoft trolls.

      Way to mix issues here.

      1/ Should open source or Linux be criticized? Hell yes, if there are reasons to.

      2/ You conflate Linux and open-source. They aren't the same issues - they aren't even the same thing. Open-source is a development and business model and Linux is a fucking kernel.

      3/ Drupal is to be criticized here. Not Linux. Linux as a kernel is doing what the flawed middleware on top of it tells it to. No more, no less. Show me a Linux kernel exploit and I'll be the first to criticize Linux. But in this case, it ain't the culprit.

      I can sort of understand people mixing up GNU things and the Linux kernel, because it's been done for years, and people grew tired of hearing Stallman repeat "it's not Linux, it's GNU/Linux" a long time ago. But Drupal has never been remotely connected to Linux. What next? Run Drupal on FreeBSD and claim FreeBSD has been owned by a trojan?

      --
      "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
    5. Re:You gotta love yellow journalism by StormReaver · · Score: 1

      To be honest, anyone still using Drupal or Wordpress (or any other database-aware software that doesn't use prepared statements) has actively begged to be owned, and should probably just be placed in a job more appropriate to their skill sets (such as janitorial work).

      The term "SQL Injection" should have been relegated to the history books a decade ago, as avoiding it is easier than being subject to it.

    6. Re: You gotta love yellow journalism by ljw1004 · · Score: 1

      Drupal is to be criticized here. Not Linux. Linux as a kernel is doing what the flawed middleware on top of it tells it to. No more, no less. Show me a Linux kernel exploit and I'll be the first to criticize Linux.

      Never heard:

      "People should call it a vulnerability in GNU/Linux, not just a vulnerability in Linux".

    7. Re:You gotta love yellow journalism by MisterSquid · · Score: 4, Insightful

      To be fair, the cited (and likely incomplete) list from the summary is "compromise servers and devices running platforms like Drupal, WordPress, Magento, Jetspeed, Exarid, AirOS." The takeaway here is pretty much this: widespread deployment of shitty PHP and Java apps strikes again ... -PCP

      This isn't a problem of the "widespread deployment of shitty PHP and Java apps". The vulnerability which this Trojan exploits is CVE-2014-3704 and was patched by the Drupal Security Team on the 15th of October in 2014.

      The circumstances and agents which have led to this Trojan exploiting Linux systems and Drupal frameworks in the wild are, as with many such things, multiple and varied. They include installations that are under-resourced, shops with critical dependencies that cannot easily upgrade, web apps that at first and second glance do not have interfaces outside an intranet, etc. etc. and so on and so forth.

      The key is to stop pointing fingers and laying blame, unless the fingers point to the creators and distributors of the malware. The exploitation and abuse of computer infrastructure is part of the territory. Blaming failures on the vulnerable is a sysadmin's version of victim-blaming and does little to mitigate the problem and much to generate community dysfunction.

      Instead of finger pointing, spread the word, inform your unknowing and unwitting colleagues, train junior developers about how to remain secure for multiple computing environments with complex layers of computing infrastructure.

      Our great-great-great-great grandchildren will thank you.

      --
      blog
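
As an added illustration tied to StormReaver's point about prepared statements and MisterSquid's reference to CVE-2014-3704 (this is not code from Drupal, the article or any commenter): a constructed Python model of the bug class, in which a prepared statement's IN-list placeholder is expanded using caller-supplied array keys, beside the counter-based expansion that keeps untrusted text out of the SQL string. The query, the in-memory table and the keys are constructed, and the two expansion routines are simplified stand-ins rather than Drupal's own code.

```python
import sqlite3

# Constructed illustration (not Drupal's code) of the bug class behind
# CVE-2014-3704: one ":uid" placeholder for an IN (...) clause is expanded
# into a placeholder per element. If the new placeholder names are derived
# from the caller's array keys, request-controlled text lands in the SQL.

SAMPLE_ROWS = [(1, "alice"), (2, "bob"), (3, "carol")]  # constructed table


def expand_vulnerable(sql, args):
    """Placeholder names built from the caller's keys (the unsafe pattern)."""
    for name, values in list(args.items()):
        if not isinstance(values, dict):
            continue
        expanded = {f"{name}_{key}": val for key, val in values.items()}
        sql = sql.replace(f":{name}", ", ".join(f":{k}" for k in expanded))
        del args[name]
        args.update(expanded)
    return sql, args


def expand_fixed(sql, args):
    """Placeholder names built from a counter, so keys never touch the SQL."""
    for name, values in list(args.items()):
        if not isinstance(values, dict):
            continue
        expanded = {f"{name}_{i}": val for i, val in enumerate(values.values())}
        sql = sql.replace(f":{name}", ", ".join(f":{k}" for k in expanded))
        del args[name]
        args.update(expanded)
    return sql, args


def sql_depends_on_keys(expand, sql, name, values):
    """Review check: the SQL text must be identical whatever the keys are."""
    from_user_keys, _ = expand(sql, {name: dict(values)})
    from_counter_keys, _ = expand(sql, {name: dict(enumerate(values.values()))})
    return from_user_keys != from_counter_keys


def run_query(sql, args):
    """Execute an expanded statement against an in-memory copy of the table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (uid INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    return [row[0] for row in conn.execute(sql, args)]


if __name__ == "__main__":
    query = "SELECT name FROM users WHERE uid IN (:uid)"
    hostile = {"0 /* not a placeholder */": 1}  # constructed key with SQL text
    print(expand_vulnerable(query, {"uid": dict(hostile)})[0])
    print(run_query(*expand_fixed(query, {"uid": {"a": 1, "b": 3}})))
```

The check function is the invariant a reviewer would want for any placeholder-expansion helper: rebuilding the statement with neutral keys must yield byte-for-byte the same SQL, otherwise user input is reaching the query text.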
    8. Re:You gotta love yellow journalism by angel'o'sphere · · Score: 1

      And what has Java to do with that?

      Considering that in Java you automatically use prepared statements 90% of the time ... and none of the software you mention is written in Java.

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
  4. Words by wonkey_monkey · · Score: 1

    in its attempt to install (and fail) web ransomware

    It attempted to "fail" web ransomware? What does that mean?

    That trojan, named Rex, has evolved

    No, it's been reprogrammed.

    --
    systemd is Roko's Basilisk.
  5. Re:Head in the sand Linux security by Anonymous Coward · · Score: 1

    It will only affect Linux servers that are run by people who have a single-user OS mindset (AKA Windows). Anyone with a clue doesn't run Linux with full superuser permissions.

  6. Re:Head in the sand Linux security by gweihir · · Score: 3, Insightful

    Quite a bit of the world's banking infrastructure, including customer-facing sites, runs on Linux. That alone shows the utter cluelessness of morons like you.

    Of course, an incompetent Linux admin (for example a former incompetent Windows admin) can configure Linux to be insecure and install insecure versions of applications.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  7. Re:Head in the sand Linux security by Anonymous Coward · · Score: 2, Insightful

    Alert. Clueless Windows user thinks desktop Linux runs like desktop Windows.

  8. That's mildly infuriating by rebelwarlock · · Score: 1

    A trojan that targeted Drupal sites on Linux servers last May that was incredibly simplistic and laughable in its attempt to install (and fail) web ransomware on compromised websites

    Let's go ahead and fix that:

    A trojan that targeted Drupal sites on Linux servers last May that was incredibly simplistic and laughable in its attempt (and failure) to install web ransomware on compromised websites

    Much better.

  9. Re:Linux is a Blaster worm waiting to happen by jedidiah · · Score: 2

    ...except this is NOTHING like Blaster.

    This is a Trojan, which by definition requires a great deal of user intent in order to work.

    No, this is much more like Microsoft Office.

    --
    A Pirate and a Puritan look the same on a balance sheet.
  10. Re:Head in the sand Linux security by gweihir · · Score: 2

    The claim is that a) it is significantly easier to lock Linux down and b) the result is far better. With an incompetent admin, Linux is not more secure. No argument there. But this is also not a surprise. In actual fact, a networked computing device will be insecure, unless competently configured and administrated. Eventually, this may change, but not anytime soon.

    The other thing is that admins that are actually competent often consider Windows to be an insult, because of how hard it makes good system administration.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  11. Year of the Linux Botnet by stub667 · · Score: 1

    Yes, security holes in WordPress, Magento, Jetspeed, Exarid, AirOS get the malware onto the system. But the malware is for Linux, and the subject and summary are valid.