Slashdot Mirror


New Linux Crypto-miner Steals Your Root Password and Disables Your Antivirus (zdnet.com)

Malware targeting Linux users may not be as widespread as the strains targeting the Windows ecosystem, but Linux malware is becoming just as complex and multi-functional as time passes by. ZDNet reports: The latest example of this trend is a new trojan discovered this month by Russian antivirus maker Dr.Web. This new malware strain doesn't have a distinctive name, yet, being only tracked under its generic detection name of Linux.BtcMine.174. But despite the generic name, the trojan is a little bit more complex than most Linux malware, mainly because of the plethora of malicious features it includes. The trojan itself is a giant shell script of over 1,000 lines of code. This script is the first file executed on an infected Linux system. The first thing this script does is to find a folder on disk to which it has write permissions so it can copy itself and later use to download other modules. Once the trojan has a foothold on the system it uses one of two privilege escalation exploits CVE-2016-5195 (also known as Dirty COW) and CVE-2013-2094 to get root permissions and have full access to the OS.

61 of 110 comments

  1. Oh! Naming Contest! by SuperKendall · · Score: 3, Funny

    This new malware strain doesn't have a distinctive name, yet,

    How about:

    VeggieCow (roots!)
    AVTerminator
    NohupForAll (read the article)
    MinerMiner209-519er (perhaps too much a stretch).

    Actually you really should read through the article, more interesting than I thought it would be from the summary and this little bugger really does a number on a system.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  2. relies on 2 and 5 year old exploits... by Anonymous Coward · · Score: 5, Insightful

    that have long since been patched.

    update your damn systems, people.

    1. Re:relies on 2 and 5 year old exploits... by Anonymous Coward · · Score: 4, Funny

      Windows 10 is safer than Linux. It checks for updates every hour and installs them immediately. The user can't even disable that!

    2. Re: relies on 2 and 5 year old exploits... by Zero__Kelvin · · Score: 2

      IOW, it is industry best practice to run the most up to date malware.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    3. Re:relies on 2 and 5 year old exploits... by Anonymous Coward · · Score: 1

      Every present day Linux distribution automatically checks for updates. You then have to authorize installation. Alternatively, you can also switch to automatic update, which then runs while you are working not when you want to leave. BTW you can deactivate auto update in Windows 10.

    4. Re:relies on 2 and 5 year old exploits... by Anonymous Coward · · Score: 1

      My Linux distro gives me a choice. I do manual updates.

      You cannot disable automatic updates in Windows 10 unless you totally disable the update software. That means every time you want to update, you have to re-enable everything, let it update, then disable it all again. Also, you can't choose which updates you want. It's all or nothing.

      Windows 10 is the single worst operating system ever made by anyone in the entire history of computing.

    5. Re: relies on 2 and 5 year old exploits... by reanjr · · Score: 2

      If you don't want to update software for personal reasons, then you probably should stop using the software for security reasons.

    6. Re:relies on 2 and 5 year old exploits... by Anonymous Coward · · Score: 2, Informative

      MS does this because of all the bad press botnets have received over the years when people did not do updates on their systems.

    7. Re:relies on 2 and 5 year old exploits... by sad_ · · Score: 1

      Just what I thought when reading this, but then I wondered whether the actual target machines are probably IoT devices or consumer network stuff or maybe even old-ass Android phones still in use (wouldn't be that crazy). All those things run outdated, unpatched, insecure Linux installations out of the box, with almost no chance of ever seeing an update.

      --
      On a long enough timeline, the survival rate for everyone drops to zero.
    8. Re:relies on 2 and 5 year old exploits... by gravewax · · Score: 1

      Some of the most exploited vulnerabilities have all been old. The reality is a vast number of home users AND sysadmins don't adequately maintain systems.

    9. Re:relies on 2 and 5 year old exploits... by TheDarkener · · Score: 1

      Beat me to it:

      CVE-2016-5195
      CVE-2013-2094

      Seriously, this has nothing to do with "Linux is more secure than Windows". If you're running this old ass code in the wild, you sort of deserve it at this point.

      --
      It is pitch black. You are likely to be eaten by a grue.
    10. Re:relies on 2 and 5 year old exploits... by TheDarkener · · Score: 1

      Actually Windows will "say" it has checked for updates in the past day or so but 90% of the time if I press "Check for Updates", it finds one or more to download. I take care of a couple handfuls of Win10 Pro boxes and they all do this from time to time. Maybe it's for one of the less critical updates, but still. If you say there are no updates in the past day, don't start downloading updates that were released 2 weeks ago when I hit check for updates.

      --
      It is pitch black. You are likely to be eaten by a grue.
  3. just wondering,.. by Selur · · Score: 2

    Seeing the bitcoin prices falling and falling I wonder: "Why would malware creators still create such stuff, isn't there anything more profitable than this?"

    1. Re: just wondering,.. by zynthaxx · · Score: 1

      If you just reap the fruit of another person's labor, it does not matter that you will be selling it below current market value - you are still making a profit.

    2. Re:just wondering,.. by Anonymous Coward · · Score: 1

      It is profitable if you don't have to pay for the electricity or hardware costs.

    3. Re:just wondering,.. by Anonymous Coward · · Score: 3, Interesting

      Seeing the bitcoin prices falling and falling I wonder: "Why would malware creators still create such stuff, isn't there anything more profitable than this?"

      Not really.

      Did you know that hacked Facebook accounts are worth more than credit card numbers?
      That is because Facebook accounts are less likely to be blocked out so they still have their value while credit cards typically are blocked by the time the buyer tries to use them.

      Essentially there isn't much you can get your hands on in an automated fashion that has value.
      Unless you resort to targeted attacks to get hold of specific information to sell to a specific buyer (industrial or military espionage), cryptocurrency is your best bet and is less likely to make powerful people notice you.

      As for bitcoins, the energy cost of mining them is higher than what you get out of it. It isn't profitable to mine bitcoins if you pay for the electricity yourself.
      Instead you either sneak computers into a server farm where someone else pays for the energy or you use malware to mine on some other person's computer. (JavaScript miners hidden in an ad are fairly popular.)

    4. Re:just wondering,.. by AHuxley · · Score: 1

      No power cost, no cooling costs.
      Everything is done for free on another CPU using a free OS.
      The results are networked back for free.
      Would Linux users wonder why their CPU is in use more often?

      --
      Domestic spying is now "Benign Information Gathering"
    5. Re:just wondering,.. by arth1 · · Score: 1

      Would Linux users wonder why their CPU is in use more often?

      Possibly. Add a comma, and I'd say certainly: Linux users would wonder why their CPU is in use, more often.
      This is due to all the commonly used standard tools that would give an indication, including but not limited to w, uptime, top and ps.

    6. Re:just wondering,.. by tirnacopu · · Score: 1

      Unfortunately malware with root access could easily hide from all utilities by hooking read calls to /proc/stat and returning lower values.
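The two comments above make a pair of points a defender should keep together: the standard tools (w, uptime, top, ps) all derive their CPU figures from the counters the kernel exposes in /proc/stat, and a root-level implant that intercepts reads of that file can feed those tools whatever it likes. The following is an added example, not code from the thread or from Dr.Web's report, that shows exactly how thin that layer is: it parses two snapshots of the aggregate `cpu` line and computes the busy fraction, the same arithmetic top performs. The two snapshot strings are constructed, not captured from a real host. Because the parser trusts the counters it is handed, a hooked /proc/stat defeats it just as it defeats top; the practical cross-check is a measurement taken from outside the guest, such as hypervisor or power-draw metrics.

```python
"""Compute the CPU busy fraction from two /proc/stat 'cpu' lines.

Added example for this thread; not from the Slashdot post or from
Dr.Web's analysis. SAMPLE_BEFORE and SAMPLE_AFTER are constructed.
"""
import time

# Fields after the "cpu" label in /proc/stat, per proc(5). The guest and
# guest_nice columns are already included in user/nice, so they are skipped.
FIELDS = ("user", "nice", "system", "idle", "iowait", "irq", "softirq", "steal")


def parse_cpu_line(line):
    """Return a dict of the first eight counters from the aggregate 'cpu' line."""
    parts = line.split()
    if not parts or parts[0] != "cpu":
        raise ValueError("expected the aggregate 'cpu' line, got: %r" % line)
    values = [int(v) for v in parts[1:1 + len(FIELDS)]]
    if len(values) < len(FIELDS):
        raise ValueError("too few counters in: %r" % line)
    return dict(zip(FIELDS, values))


def busy_fraction(before, after):
    """Fraction of elapsed jiffies spent non-idle between two snapshots.

    idle and iowait count as idle; everything else counts as busy.
    Returns 0.0 when no time has elapsed (identical counters).
    """
    b, a = parse_cpu_line(before), parse_cpu_line(after)
    total_delta = sum(a[f] - b[f] for f in FIELDS)
    idle_delta = (a["idle"] - b["idle"]) + (a["iowait"] - b["iowait"])
    if total_delta <= 0:
        return 0.0
    return (total_delta - idle_delta) / total_delta


def read_proc_stat_cpu(path="/proc/stat"):
    """Read the aggregate 'cpu' line from a /proc/stat-style file.

    Note: a root-level hook on reads of this path would falsify the
    counters returned here, and nothing in this function can tell.
    """
    with open(path) as fh:
        for line in fh:
            if line.startswith("cpu "):
                return line
    raise ValueError("no aggregate 'cpu' line in %s" % path)


# Constructed snapshots: 1000 jiffies elapsed, 900 of them busy.
SAMPLE_BEFORE = "cpu  1000 0 500 8000 100 0 10 0 0 0"
SAMPLE_AFTER = "cpu  1800 0 600 8100 100 0 10 0 0 0"


if __name__ == "__main__":
    # Live use on a Linux host: sample twice one second apart.
    first = read_proc_stat_cpu()
    time.sleep(1)
    second = read_proc_stat_cpu()
    print("busy fraction over 1s: %.3f" % busy_fraction(first, second))
```

Run as a script on a Linux host it prints the one-second busy fraction; imported, the two constructed snapshots give 0.9. The design choice worth noticing is that the whole measurement rests on a single read() of one pseudo-file, which is why the comment's hooking scenario is enough to blind every userland monitor at once.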

  4. Why local privilege escalations matter by Shinobi · · Score: 4, Insightful

    This is an example of why local privilege escalations should never be scoffed at. You can blather all you want about permissions etc, but only one slip is required, and you're shit out of luck.

    The sad thing is that I've had to argue this point for 20 years now.

    1. Re:Why local privilege escalations matter by Anonymous Coward · · Score: 1

      They do matter, but you still have to get a way in.

      You still have to get the user to somehow run this script. Considering that scripts aren't even executables as such to begin with, and the considerably better average computer literacy among Linux users, this doesn't sound like too much of a threat. This doesn't preclude that some "user-friendly" applications muck things up, ofc. Stupid will always find a way, no matter what you do, but that's no different from how things have always been.

    2. Re: Why local privilege escalations matter by nnull · · Score: 1

      "and the considerably better average computer literacy among Linux users, this doesn't sound like too much of a threat."

      I don't agree. There is a growing base of Linux users who do not know what's going on and are living in some grand illusion that they're safe because it's Linux. I've run into facilities who are running their own Linux servers with no IT specialists, giving root access to plant managers who don't know what they're doing because that's what their "Enterprise" software devs encourage because they suck. I'm sure a lot of exploited nix machines are coming from these places.

      So back to regular Linux home users. You have a slowly growing base in Linux that have no clue what's going on. And then add to the growing complexity of linux with systemd, selinux, and other bs, even expert users are having trouble.

    3. Re: Why local privilege escalations matter by ahodgson · · Score: 1

      Based on the attacks I see daily most exploited Linux machines seem to be at self-hosted VPS outfits like OVH and Linode.

    4. Re:Why local privilege escalations matter by Shinobi · · Score: 1

      You forget the people who install a user friendly distro on the advice of their supposedly tech competent friends or relatives, or have had Linux installed by them. The same people who then come and say "I've given them a default setup, and I no longer get any virus calls, because they have Linux now", in a very arrogant manner.

      And even competent people make mistakes in configuration.

  5. Scaremongering much? by Anonymous Coward · · Score: 5, Interesting

    Not one shred of information on /how/ the script got on the system in the first place

    I'm calling bullshit on the article.

    With such a critical piece of information missing, it's clearly scaremongering and pretty close to fake news.

    1. Re:Scaremongering much? by KiloByte · · Score: 1

      Because the article describes writing to a "folder" and disabling antivirus, it's clear it's not about exploiting a regular distro. My guess is that it's WSL-only, requiring the usual Windows security hole of the hour as the initial vector.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    2. Re:Scaremongering much? by loonycyborg · · Score: 2

      Nope. It works on standard linux systems relying on two long fixed root exploits.

    3. Re:Scaremongering much? by Anonymous Coward · · Score: 1

      I am still missing the crucial piece of information: how does the script get executed in the first place? Do we assume that the user is silly enough to run random script s/he downloaded?

    4. Re:Scaremongering much? by Gavagai80 · · Score: 5, Informative

      Every Linux "virus" article I've seen, and there've been a lot of them, has turned out to be about a trojan. Apparently people can't tell the difference anymore. It's a safe bet that this gets on your system by your choosing to download and install a random piece of software you have no reason to trust, instead of sticking to your repositories.

      --
      This space intentionally left blank
    5. Re:Scaremongering much? by loonycyborg · · Score: 1

      The malware has the functionality to hijack ssh connections to other systems and execute itself remotely.

    6. Re:Scaremongering much? by PPH · · Score: 1

      I get damned suspicious whenever something prompts me for a password on another machine. I don't share authorization keys (allowing password prompt bypass) between any machines other than a few of my own. And the effort needed to infect any of those is equivalent to that needed to infect my local machine.

      --
      Have gnu, will travel.
    7. Re:Scaremongering much? by Typing_Ptarmigan · · Score: 2

      Not one shred of information on /how/ the script got on the system in the first place

      I'm calling bullshit on the article.

      With such a critical piece of information missing, it's clearly scaremongering and pretty close to fake news.

      A link in TFA leads to the "cure"... Surprise! It's a recommendation to run the antivirus maker's antivirus software!

    8. Re:Scaremongering much? by arth1 · · Score: 1

      The malware has the functionality to hijack ssh connections to other systems and execute itself remotely.

      So you have to have a system that already allows remote root access from other insecure systems, AND someone who invokes that ssh connection from an infected system? That doesn't sound like it will hit very many...

    9. Re:Scaremongering much? by thegarbz · · Score: 1

      Not one shred of information on /how/ the script got on the system in the first place

      Someone downloaded it and executed it. This has been how all of these scripts on all operating systems work. Only Apple can fix this. It's time to take away sudo rights from Linux users.

  6. Re: Proof of concept or demonstration. by Zero__Kelvin · · Score: 1

    No it doesn't. The term doesn't refer to using a script, but rather to download one you didn't write and/or understand and just use it.

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  7. Re:Of course!! by TheRealQuestor · · Score: 1

    And it seduces your mum and steals your bike.

    Can't be all bad then. At least it leaves my dog alone!

  8. Re: Massive? by Anonymous Coward · · Score: 1

    Depends if it's the compacted, obfuscated form or not. Having seen a lot of exploit shell, the original stuff is going to be very low information density.

  9. root, why not rename it? by thogard · · Score: 1, Interesting

    Most Unix like systems are happy without a "root" user as long as there is a user 0 called something.

    I still don't agree with the POSIX standard that allows root to write to mode 000 files. If it's 000, it was done for a reason and that means even root shouldn't be able to screw with it, particularly if it is root:root mode 000.

    1. Re: root, why not rename it? by reanjr · · Score: 1

      Then how would you grant permissions back to the file if you can't use root to do it?

    2. Re:root, why not rename it? by turbidostato · · Score: 1

      "I still don't agree with the POSIX standard that allows root to write to mode 000 files."

      I probably agree with your rationale. The semantics of 000 are fairly clear, so it seems there's no reason to "overwrite" them just because (especially when a root user could easily change back the file's permissions before editing it).

      But then, there is chattr (or chflags) to deal with that case. I think they are not POSIX-compliant, though.

    3. Re: root, why not rename it? by Antique+Geekmeister · · Score: 1

      How would you access the file, without modifying the file, for backup operations of a read-only filesystem? This happens enough that I cannot see supporting the change.

    4. Re:root, why not rename it? by AJWM · · Score: 1

      This is probably a stupid question because I haven't finished my first cup of coffee yet, but why would you want a 000 file? That's just an inode and a chunk of disk space that can't be used for anything.

      Oh. It still has attributes. It can be used for something.
      Never mind.

      --
      -- Alastair
    5. Re:root, why not rename it? by ClickOnThis · · Score: 1

      This is probably a stupid question because I haven't finished my first cup of coffee yet, but why would you want a 000 file? That's just an inode and a chunk of disk space that can't be used for anything.

      Oh. It still has attributes. It can be used for something.
      Never mind.

      ---------- 1 root root 0 Oct 15 22:07 this_file_is_inaccessible_but_its_name_means_something

      Yeah, it's stupid. But it's not entirely useless.

      --
      If it weren't for deadlines, nothing would be late.
    6. Re: root, why not rename it? by reanjr · · Score: 1

      But if you're root, you can access the disk device. So what do you gain by not letting root write to the file? All you're doing is making the code that writes to disk far more error prone and likely to open up a security hole.

  10. Don't have those. by reanjr · · Score: 1

    No antivirus and no root password. I have one machine that's pretty much always idle and another that's a laptop. I would notice the fans kick on if either of those started mining.

    I think I'm good.

  11. using years old cves? by pmgst17 · · Score: 1

    "Once the trojan has a foothold on the system it uses one of two privilege escalation exploits CVE-2016-5195 (also known as Dirty COW) and CVE-2013-2094 to get root permissions and have full access to the OS."
    Is this really malware that is targeting systems that haven't been patched in two years?

    1. Re: using years old cves? by nnull · · Score: 1

      Still relevant. There are a lot of nix systems out there that have been unpatched for years. You can say they deserve it, but there are reasons for them being unpatched. A lot of them stupid reasons, because the enterprise system they're using discourages updates because it breaks their stuff. I see this crap everywhere.

    2. Re: using years old cves? by blackpaw · · Score: 1

      This. Just about every multifunction business copier in existence across the major brands runs a 2.x version of linux.

  12. Re:Oh! Naming Contest! by Calydor · · Score: 4, Funny

    The Summary Wrote:

    This script is the first file executed on an infected Linux system.

    Let's name it systemd!

    --
    -=This sig has nothing to do with my comment. Move along now=-
  13. UNIX worms are rare, but not unique by Antique+Geekmeister · · Score: 1

    A good precedent is the Morris Worm, the first major worm attack against UNIX systems. Published on Nov. 2, 1988, the worm used known vulnerabilities in popular UNIX tools such as sendmail, and also cracked weak passwords. Defenders effectively _broke_ the early Internet to contain the Morris Worm and while they frantically applied patches they'd considered risks to production systems before that day. Its author was eventually convicted, but Robert Tappan Morris had the best "get out of jail free" card one could imagine. His father was the head of the NSA. He is now a professor of computer science at MIT, and his current projects are listed at https://www.csail.mit.edu/pers... .

  14. Re:Oh! Naming Contest! by arth1 · · Score: 2

    One may gobble up all resources on a system, rely on privilege escalation, hide logs, and be very hard to get rid of.
    The other one is just malware.

  15. bad press? by bagofbeans · · Score: 1

    MS appears not to care about bad press. The botnet stink gets replaced by the we'll-force-updates-to-10 policy, the we-control-your-W10-PC update policy, and the forthcoming Windows-as-a-recurring-revenue-service-so-we-can-push-advertisements-in-programs policy.

    1. Re: bad press? by Anonymous Coward · · Score: 1

      To defeat the botnet we must become the botnet.

  16. Re:Oh! Naming Contest! by SuperKendall · · Score: 1

    See it was worth reading! It had all kinds of interesting stuff packed in there.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  17. Re:AV & root? My linux systems don't use those by Anne+Thwacks · · Score: 1

    I will let you into a secret:

    People who have a clue do not work for insurance companies.

    --
    Sent from my ASR33 using ASCII
  18. Re:Oh! Naming Contest! by MrMr · · Score: 1

    Ironically the script is placed in /etc/rc.local. Probably perfectly compatible with sysVinit.
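The persistence point raised above is the one a defender can act on directly: /etc/rc.local runs as root at boot on sysVinit and on systemd hosts that keep the compatibility unit, so a script that appends itself there survives a reboot. Below is an added example, not code from the thread or from Dr.Web's analysis, of a small audit that extracts the lines of an rc.local that actually execute something and compares the file against a known-good hash. The two file bodies are constructed; the stock "clean" content imitates a Debian-style rc.local that runs nothing, the appended path is a placeholder and not a real indicator from the sample, and the baseline hash is computed here rather than taken from any distribution.

```python
"""Audit /etc/rc.local for unexpected boot-time commands.

Added example for this thread; not from the Slashdot post or from
Dr.Web's report. CLEAN and TAMPERED are constructed file contents.
"""
import hashlib
import os


def active_lines(text):
    """Return the lines of an rc.local that execute something.

    Drops blank lines, comments (including the shebang) and the
    conventional trailing 'exit 0', leaving only real commands.
    """
    commands = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "exit 0":
            continue
        commands.append(line)
    return commands


def sha256_text(text):
    """Hex SHA-256 of the file body, used as the integrity baseline."""
    return hashlib.sha256(text.encode()).hexdigest()


def audit_rc_local(text, baseline_hash=None):
    """Report whether the content drifted from a baseline and what it runs.

    baseline_hash is the SHA-256 recorded when the host was built; if it
    is None, only the command listing is meaningful.
    """
    return {
        "changed": baseline_hash is not None and sha256_text(text) != baseline_hash,
        "commands": active_lines(text),
    }


def load_and_audit(path="/etc/rc.local", baseline_hash=None):
    """Audit the real file on disk; absent file means nothing runs from it."""
    if not os.path.exists(path):
        return {"present": False, "executable": False, "changed": False, "commands": []}
    with open(path) as fh:
        text = fh.read()
    report = audit_rc_local(text, baseline_hash)
    report["present"] = True
    # A non-executable rc.local is ignored by the init system on most setups.
    report["executable"] = os.access(path, os.X_OK)
    return report


# Constructed: a stock rc.local that runs nothing at boot.
CLEAN = "#!/bin/sh -e\n#\n# rc.local\n#\n# By default this script does nothing.\n\nexit 0\n"
CLEAN_HASH = sha256_text(CLEAN)

# Constructed: the same file with one command appended ahead of 'exit 0'.
# The path is a placeholder for illustration, not an indicator from the sample.
PLACEHOLDER_CMD = "/PLACEHOLDER/dir/unknown.sh &"
TAMPERED = CLEAN.replace("exit 0\n", PLACEHOLDER_CMD + "\nexit 0\n")


if __name__ == "__main__":
    # Live use: record CLEAN_HASH-style baselines at build time, then run this.
    report = load_and_audit()
    for key in ("present", "executable", "changed"):
        print("%s: %s" % (key, report[key]))
    for cmd in report["commands"]:
        print("runs at boot: %s" % cmd)
```

The hash comparison catches any edit, while the command listing is what an analyst actually reads; keeping both avoids a false sense of safety when the baseline itself was recorded after the host had already been touched. The same listing logic applies unchanged to cron and init fragments that follow shell comment conventions.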

  19. 1000 lines by darkain · · Score: 1

    Remember back when companies in the early 2000s would brag that their software was over a million lines of code, as a testament to some sort of level of complexity? Apparently that threshold has been pushed all the way back to only 1000 lines of code. Honestly, I blame all these copy-paste script kiddies who have never actually written code for thinking that a 1000 line program is "complex" or "large" by any stretch of the imagination.

  20. Bring them all on. by suezz · · Score: 1

    Bring them all on. Linux is rock solid and all I got to say is bring them all on.

  21. ./unsigned.sh by jago25_98 · · Score: 1

    Having to run unsigned binary executables isn't exactly linux but a bastardisation huh? It's common now. Run as root too

  22. mod parent up [nt] by themusicgod1 · · Score: 1

    nt

    --
    GENERATION 26: The first time you see this, copy it into your sig on any forum and add 1 to the generation.
  23. What antivirus? by uldics · · Score: 1

    Since when do Linux systems have antivirus as a norm? You could scan some unnecessary executable downloads, but that's it. There is no need for a permanent resource hog sitting, eating and making you smile with a security illusion. When some bad code has run, the system has to be reinstalled fully. It's already dead inside. So when you install some unknown code, you could as well do that. The greatest security threat is still the promiscuous user.