Slashdot Mirror


New Linux Crypto-miner Steals Your Root Password and Disables Your Antivirus (zdnet.com)

Malware targeting Linux users may not be as widespread as the strains targeting the Windows ecosystem, but Linux malware is becoming just as complex and multi-functional as time passes. ZDNet reports: The latest example of this trend is a new trojan discovered this month by Russian antivirus maker Dr.Web. This new malware strain doesn't have a distinctive name yet, being tracked only under its generic detection name of Linux.BtcMine.174. Despite the generic name, the trojan is a little more complex than most Linux malware, mainly because of the plethora of malicious features it includes. The trojan itself is a giant shell script of over 1,000 lines of code. This script is the first file executed on an infected Linux system. The first thing this script does is find a folder on disk to which it has write permissions, so it can copy itself there and later use that folder to download other modules. Once the trojan has a foothold on the system, it uses one of two privilege escalation exploits, CVE-2016-5195 (also known as Dirty COW) and CVE-2013-2094, to get root permissions and full access to the OS.
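The summary's first step, an unprivileged script looking for a writable folder to copy itself into, is something a defender can audit for. This is an added example, not code from the article or from Dr.Web: it parses constructed /proc/mounts-style lines and flags the usual scratch mounts that lack noexec/nosuid/nodev, and lists world-writable directories under a given root. On a live host, replace SAMPLE_MOUNTS with the contents of /proc/mounts.

```python
"""Audit the staging surface described for Linux.BtcMine.174: a directory an
unprivileged process can write to, used to park a copy of the script and
later fetch modules. Added example; sample data below is constructed."""
import os
import stat

# Mount options that keep a dropped script from running or gaining privilege
# even when the directory itself is writable.
HARDENING_OPTS = {"noexec", "nosuid", "nodev"}

# Constructed sample in /proc/mounts format (not taken from the page).
SAMPLE_MOUNTS = """\
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /var/tmp ext4 rw 0 0
"""


def parse_mounts(text):
    """Return {mountpoint: set(options)} from /proc/mounts-style text."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip blank or malformed lines
        mounts[fields[1]] = set(fields[3].split(","))
    return mounts


def weak_staging_mounts(mounts, candidates=("/tmp", "/var/tmp", "/dev/shm")):
    """Map each common scratch mountpoint to the hardening options it lacks."""
    findings = {}
    for mp in candidates:
        opts = mounts.get(mp)
        if opts is None:
            continue  # not a separate mount; inherits the parent's options
        missing = sorted(HARDENING_OPTS - opts)
        if missing:
            findings[mp] = missing
    return findings


def world_writable_dirs(root):
    """Walk `root` and return directories any local user can write into."""
    hits = []
    for dirpath, _dirnames, _files in os.walk(root):
        if os.lstat(dirpath).st_mode & stat.S_IWOTH:
            hits.append(dirpath)
    return sorted(hits)


if __name__ == "__main__":
    for mp, missing in weak_staging_mounts(parse_mounts(SAMPLE_MOUNTS)).items():
        print(f"{mp}: missing {','.join(missing)}")
```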

15 of 110 comments

  1. Oh! Naming Contest! by SuperKendall · · Score: 3, Funny

    This new malware strain doesn't have a distinctive name, yet,

    How about:

    VeggieCow (roots!)
    AVTerminator
    NohupForAll (read the article)
    MinerMiner209-519er (perhaps too much a stretch).

    Actually, you really should read through the article; it's more interesting than I thought it would be from the summary, and this little bugger really does a number on a system.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  2. relies on 2 and 5 year old exploits... by Anonymous Coward · · Score: 5, Insightful

    that have long since been patched.

    update your damn systems, people.

    1. Re:relies on 2 and 5 year old exploits... by Anonymous Coward · · Score: 4, Funny

      Windows 10 is safer than Linux. It checks for updates every hour and installs them immediately. The user can't even disable that!

    2. Re: relies on 2 and 5 year old exploits... by Zero__Kelvin · · Score: 2

      IOW, it is industry best practice to run the most up to date malware.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    3. Re: relies on 2 and 5 year old exploits... by reanjr · · Score: 2

      If you don't want to update software for personal reasons, then you probably should stop using the software for security reasons.

    4. Re:relies on 2 and 5 year old exploits... by Anonymous Coward · · Score: 2, Informative

      MS does this because of all the bad press botnets have received over the years when people did not do updates on their systems.

  3. just wondering,.. by Selur · · Score: 2

    Seeing the bitcoin prices falling and falling I wonder: "Why would malware creators still create such stuff, isn't there anything more profitable than this?"

    1. Re:just wondering,.. by Anonymous Coward · · Score: 3, Interesting

      Seeing the bitcoin prices falling and falling I wonder: "Why would malware creators still create such stuff, isn't there anything more profitable than this?"

      Not really.

      Did you know that hacked Facebook accounts are worth more than credit card numbers?
      That is because Facebook accounts are less likely to be blocked out so they still have their value while credit cards typically are blocked by the time the buyer tries to use them.

      Essentially, there isn't much you can get your hands on in an automated fashion that has value.
      Unless you resort to targeted attacks to get hold of specific information to sell to a specific buyer (industrial or military espionage), cryptocurrency is your best bet and is less likely to make powerful people notice you.

      As for bitcoins the energy cost of mining them is higher than what you get out of it. It isn't profitable to mine bitcoins if you pay for the electricity yourself.
      Instead, you either sneak computers into a server farm where someone else pays for the energy, or you use malware to mine on some other person's computer. (JavaScript miners hidden in an ad are fairly popular.)

  4. Why local privilege escalations matter by Shinobi · · Score: 4, Insightful

    This is an example of why local privilege escalations should never be scoffed at. You can blather all you want about permissions etc., but only one slip is required, and you're shit out of luck.

    The sad thing is that I've had to argue this point for 20 years now.

  5. Scaremongering much? by Anonymous Coward · · Score: 5, Interesting

    Not one shred of information on /how/ the script got on the system in the first place

    I'm calling bullshit on the article.

    With such a critical piece of information missing, it's clearly scaremongering and pretty close to fake news.

    1. Re:Scaremongering much? by loonycyborg · · Score: 2

      Nope. It works on standard Linux systems, relying on two long-fixed root exploits.

    2. Re:Scaremongering much? by Gavagai80 · · Score: 5, Informative

      Every Linux "virus" article I've seen, and there've been a lot of them, has turned out to be about a trojan. Apparently people can't tell the difference anymore. It's a safe bet that this gets on your system by your choosing to download and install a random piece of software you have no reason to trust, instead of sticking to your repositories.

      --
      This space intentionally left blank
    3. Re:Scaremongering much? by Typing_Ptarmigan · · Score: 2

      Not one shred of information on /how/ the script got on the system in the first place

      I'm calling bullshit on the article.

      With such a critical piece of information missing, it's clearly scaremongering and pretty close to fake news.

      A link in TFA leads to the "cure"... Surprise! It's a recommendation to run the antivirus maker's antivirus software!

  6. Re:Oh! Naming Contest! by Calydor · · Score: 4, Funny

    The Summary Wrote:

    This script is the first file executed on an infected Linux system.

    Let's name it systemd!

    --
    -=This sig has nothing to do with my comment. Move along now=-
  7. Re:Oh! Naming Contest! by arth1 · · Score: 2

    One may gobble up all resources on a system, rely on privilege escalation, hide logs, and be very hard to get rid of.
    The other one is just malware.