ESET Discovers 21 New Linux Malware Families (zdnet.com)
In a report published last week by cyber-security firm ESET, the company detailed 21 "new" Linux malware families. All operate in the same manner, as trojanized versions of the OpenSSH client. From a report: They are developed as second-stage tools to be deployed in more complex "botnet" schemes. Attackers would compromise a Linux system, usually a server, and then replace the legitimate OpenSSH installation with one of the trojanized versions.
Is there anything about this that checking the digital signature of the OpenSSH files wouldn't work? That probably should be done at boot time and then periodically after that.
How is it malware, if you have to compromise the server first??
If you manage to compromise a system, then you can just put anything in there. Duh.
Was this written by somebody from generation "i" again?
Or at least can happen, if you set it up.
On Linux, you usually have a package manager. Which keeps the checksums/signatures of every file it installed, so it can do its package managing job. It will complain, when you try to uninstall/reinstall the package, and things have changed behind its back. (Unless it’s a configuration/data file, of course.)
(On Gentoo, you could query /var/db/pkg and compare the info there to the files. There’s certainly a tool for it, that I can't remember right now.)
Want a regular check? Just use your package manager's helper tools in a cron script.
On top of that, you have RBAC systems, that generally disallow even altering such files by anyone, unless authorized. (E.g. the package manager would be authorized.)
But all of this is utterly pointless. Because, as you can read, the whole thing requires that the server is first compromised, before the "trojan" is installed. (Making it not a trojan.)
My current explanation is, that the writer must have been utterly clueless about all things computer.
Go back to your Macbook, fool.
From the report infection vectors are:
We're unsure.
Worming into other systems with stolen credentials.
Brute force password attacks.
Traditional unpatched system/process vulnerabilities.
Yawn...
Unless Linux owners go out of their way to misconfigure their servers, for convenience's sake, they should be safe from most of these attacks.
Politics; n. : A religion whereby man is god.
Page 22 of the report discusses detection. It can absolutely be done with signatures but... 'signature detection isn't as easy as it is with Microsoft signed program executables'. So, totally detectable, but not stupid simple.
This is OpenSSH, not Linux. There can be millions of trojanized programs out there. These "security researchers" get more and more idiotic every year.
To use any of this stuff you need to already be on the box and already be root. This ain't easy to do at all unless you have an idiot for a user that will run your dropper as root for you. Ain't nothing Linux can do about that.
Us zealots told you Mac Faggots that we are unable to understand what you are saying when you talk with a huge dripping cock in your mouth.
You must have had a dripping load of spluge in your ear when we said it.
The evil maid strikes again!
Seven puppies were harmed during the making of this post.
How is it malware
Because it does something malicious.
That's the only requirement.
So, nothing new.
Is it a virus?
A worm?
Then it's malware. Pretty basic dude.
1 botnet used IP address ONLY (unusual as ICANN sinkholes those fast & I've seen an 'uptick' in it lately - perhaps hosts IS making a 'dent' in 'badguys': For that - you need a firewall block rule OR wait out ICANN).
No, you can easily block individual addresses through the routing table.
ip route add prohibit N.N.N.N
This works with networks too, like:
ip route add prohibit 185.224.136.0/23
If you have all of the nasties in a file, you can do something like this at startup, in an rc.local file or similar:
xargs -r -n1 </etc/ipblocklist ip route add prohibit
Also, while I have you here, many modern distros default to prefer DNS over /etc/hosts and only use /etc/hosts as a fallback, in which case your /etc/hosts list will not have any effect unless /etc/nsswitch.conf is modified.
Example line in /etc/nsswitch.conf that will not work:
hosts: dns [!UNAVAIL=return] files
Example line in /etc/nsswitch.conf that will work:
hosts: files dns
Just add water!
Those who do not learn from commit history are doomed to regress it.
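Two defender-side checks for the advice in the post above, added here as an example and not part of the original comment: one confirms that the "hosts:" line in an nsswitch.conf consults files before dns (action specifiers such as [NOTFOUND=return] are ignored), the other validates a blocklist before turning it into prohibit routes. The sample nsswitch fragments and blocklist are constructed; "ip route replace" is used instead of "add" only so that reruns are idempotent.

```shell
# Print the sources on the "hosts:" line with action specifiers such as
# [NOTFOUND=return] stripped, e.g. "files mdns4_minimal dns".
hosts_sources() {
    sed -n 's/^hosts:[[:space:]]*//p' "$1" | head -n 1 | sed 's/\[[^]]*\]//g'
}

# Exit 0 only when "files" precedes "dns" (or dns is absent), i.e. /etc/hosts
# entries are honoured without a DNS round trip.
hosts_before_dns() {
    files_pos=0; dns_pos=0; i=0
    for src in $(hosts_sources "$1"); do
        i=$((i + 1))
        [ "$src" = files ] && [ "$files_pos" -eq 0 ] && files_pos=$i
        [ "$src" = dns ]   && [ "$dns_pos" -eq 0 ]   && dns_pos=$i
    done
    [ "$files_pos" -gt 0 ] && { [ "$dns_pos" -eq 0 ] || [ "$files_pos" -lt "$dns_pos" ]; }
}

# Accept a dotted-quad IPv4 address, optionally with a /0-/32 prefix length.
valid_ipv4_cidr() {
    addr=${1%%/*}; pfx=${1#*/}
    [ "$pfx" = "$1" ] && pfx=32            # no slash: single host
    case "$pfx" in ''|*[!0-9]*) return 1;; esac
    [ "$pfx" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# Read a blocklist (one IPv4 address or CIDR per line, '#' comments allowed)
# and print the matching "ip route add prohibit" commands. With APPLY=1 the
# routes are installed instead (needs root); "replace" makes reruns idempotent.
blocklist_routes() {
    file=$1
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}
        set -- $line
        [ $# -eq 0 ] && continue
        valid_ipv4_cidr "$1" || { echo "skipping invalid entry: $1" >&2; continue; }
        if [ "${APPLY:-0}" = 1 ]; then
            ip route replace prohibit "$1"
        else
            echo "ip route add prohibit $1"
        fi
    done < "$file"
}

# Constructed sample inputs (not taken from any real system).
tmp=$(mktemp -d)
printf 'hosts: dns [!UNAVAIL=return] files\n' > "$tmp/nss_dns_first"
printf 'passwd: files\nhosts: files mdns4_minimal [NOTFOUND=return] dns\n' > "$tmp/nss_files_first"
printf '# constructed blocklist\n203.0.113.7\n198.51.100.0/24 # RFC 5737 range\nnot-an-ip\n10.0.0.1/33\n' > "$tmp/blocklist"
for f in nss_dns_first nss_files_first; do
    hosts_before_dns "$tmp/$f" && echo "$f: hosts file consulted first" || echo "$f: hosts file is only a fallback"
done
blocklist_routes "$tmp/blocklist"
```

Run it against the real file with `hosts_before_dns /etc/nsswitch.conf`; the dry-run output of `blocklist_routes` is what an rc.local entry would execute once APPLY=1 is set.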
HOWEVER: If bad host-domain names get CHANGED to another hosting provider (possible there are 'dirty ones') using ip = useless.
* The 1 member I saw that DID use an IP address (very odd, most botnets use hostnames by FAR over IP address & partially for the reason above, others being for FastFluxing MANY names thru an IP address etc. (there's other reasons but those are a couple))?
You CAN do what YOU said OR use a hardware router firewall (most I've seen use IP address block tables even in CHEAP home routers but the listsize = limited on them IF they have that that is).
APK
P.S.=> Some routers will take hostnames though, that's STILL another way (or using firewall software - but Windows native one, last I used it in Win7, only used IP addresses & that is not always available as an "IOC" indicator of compromise in security articles, mostly they list hostnames malware/botnets etc. use)... apk
I noticed the "first breach the server" hand wave. It reminded me of Monty Python and the Holy Grail: "Well, now, uh, Lancelot, Galahad, and I, uh, wait until nightfall, and then leap out of the rabbit, taking the French, uh, by surprise. Not only by surprise, but totally unarmed!"
Work like no one is watching. Dance like you've never been hurt. Make love like you don't need the money.
FILE takes precedence in nsswitch as usual (file being hosts as primary default resolver) as IP stack's done since its beginning.
THEN remote DNS (Windows USED to have its faulty w/ large hosts files & security issues in it found too SLOWER usermode DNSCache service be 1st but afaik & have seen in Win7 @ least, it went back to TRADITIONAL file/hosts as 1st resolver).
Less overhead pure kernelmode IP stack resolution (& all calls to IP boil down to sys/sockets.h in linux kernelmode) + once ANY OS diskcache (in kernelmode, dumb otherwise) caches it is even FASTER in local system RAM.
Doing it ANY OTHER WAY (especially REMOTE DNS from ISPs, of which a good 90% HAVEN'T PATCHED vs. Kaminsky flaw REDIRECT POISONING mind you) = RISK!
APK
P.S.=> OpenDNS is patched vs it (what I fall back on only like sub 4% of the time here due to my fav 100 sites @ TOP of hosts for FASTEST/SAFEST LOCAL RAM CACHED RESOLUTION, no redirect poisoning risks)... apk
As was the poster you responded to.
To take it one step further, wasting time installing a pre-compromised version of openssh is dumb for three reasons:
1. It creates an evidence trail. The package manager and the log systems of any secure router / firewall would detect the connection attempt to download / install it. Which would happen because....
2. If you already have control over the package manager for a given system, you already have the ability to execute things as the root user. As such you could just as easily run your pre-compromised ssh daemon or any other payload without installing anything directly from RAM. Obviously the people who made the Trojan utilize the package manager didn't consider that once detected, the first things the admins would do is check for inconsistencies. (Including their package lists, sources, AND signatures.) Running program images and their threads can't be sigcheck'd.
3. Even if you are going for persistence, there are often far better ways of doing it that don't require the use of the package manager, and are much less likely to be detected. Hint: Get persistence and hijack the kernel's stat() functions. No sense in giving them more evidence of a compromise when the whole point is to conceal your presence.
Also as to this excerpt:
Easy as defined in:
1. Run "sfc /scannow" on the command prompt.
2. Not realize that program and the system APIs that it calls would be one of the first things any decently written malware would subvert / disable once the system was compromised.
3. Utterly fail to realize that a compromised system or a system suspected of compromise cannot be trusted when it itself claims "I am not compromised."
4. ???
5. Default!
Of course there are more issues and ways of dealing with them, but just like under Windows, the malware was obviously made for turn-key use by unskilled wannabe script-kiddies and malcontents.
See subject: DNS tracks ya (hosts help 4 anonymity avoiding it + kaminsky redirectpoisoning most ISP dns' aren't patched vs. & resolve faster vs. remote DNS!
* Just as I said here (however I omitted tracking being impossible on DNS request logs for where you spend most time that you put into hosts as FAV SITES @ top of it so they resolve fastest) https://linux.slashdot.org/com...
NOT doing it as I do in hosts? IS RISKY BUSINESS per all of this. IF Linux is doing remote DNS 1st?? RELYING ON REMOTE DNS, especially what systemd does DEFAULTING to your ISP DNS if your router doesn't allow changing to say, OpenDNS I fall back on IF a site's NOT in my hosts file @ top for fastest possible resolution AVOIDING DNS TRACKING TOO? IS RISKY!
APK
P.S.=> Funny how what I put out THAT WORKS (faster, more anonymously w/ less security risk vs. DNS) is 'downmodded' but YOU are upmodded, eh? NOT... apk
# /etc/nsswitch.conf
hosts: files mdns4_minimal [NOTFOUND=return] dns
* From KUbuntu 18.04 LTS fully patched!
LMAO!
Doing what YOU SAID risks that MOST DNS from ISP's aren't PATCHED vs. KAMINSKY redirect poisoning = STUPID defaulting to DNS as 1st resolver (UBUNTU DOESN'T) that you said "modern Linux" does? DUMB!
Mine IS modern & SAFE vs. it (+ I use OpenDNS as the fallback, patched vs. redirect poisoning but rare here using DNS byusing HOSTS (file) 1st + RESOLVES FASTER & AVOIDS DNS requestlog tracking (where you spend most time via hosts files favs @ top of hosts I do)).
APK
P.S.=> file (hosts) = DEFAULT 1st resolver (traditional & SMART vs. ISP dns systemd defaults to from router DNS in routers NOT allowing DNS change) in resolv.conf
This is another example of how Slashdot hires fifth grade senior editors. OpenSSH is not part of the Linux kernel, so that calling it Linux malware is a misnomer. OpenSSH was developed by a private company in Helsinki, Finland. Let's just say that it is a fork of an old version of their product, and that it runs in user space. It is bundled with GNU/Linux distributions, as well as with Microsoft Windows.
See subject + proof via KUbuntu & what systemd does defaulting to router DNS https://linux.slashdot.org/com... risking kaminsky redirect poisoning in security, slower resolution via remote dns, & TRACKING by dns requestlogs.
* Amusing I SCHOOL "wannabe Linux gurus" here - "by rote" mere tech menials that don't LEARN THIS @ LEVELS LIKE CODERS LIKE ME KNOW IT!
(By ME writing stuff on the IP stack as I have that WORKS VS. THIS THREAT https://linux.slashdot.org/com... + resolves FASTER vs. REMOTE dns & protects vs. DNS requestlog tracking & IS IMMUNE TO KAMINSKY REDIRECT POISONING (avoiding DNS).
Systemd F's users defaulting to ISP DNS (resolv.conf) & IF your modem (ISP ones dont most times) can't ALLOW DNS changes like OpenDNS. patched vs. redirect I use IF my fav 100 sites @ top of hosts don't satisfy a request (rare)!
APK
P.S.=> Linux distros DO what HE said = STUPID - not KUbuntu! Nsswitch uses FILE (hosts) 1st - SMART IP STACK CONFIGS DO!
See subject & WITH proof https://linux.slashdot.org/com...
APK
P.S.=> Either arth1 is LYING (or just rookie stupid) OR the Linux distros he speaks of are due to ISP dns NOT being patched MOSTLY vs. KAMINSKY REDIRECT POISONING + not defaulting to file (hosts) as 1st resolver AND when systemd DEFAULTS to modems that do NOT ALLOW DNS CHANGE (to patched DNS like OpenDNS vs. redirect poisonings)... apk
No. Unlike OSes designed for morons like you, Linux does allow you to misconfigure everything as much as you like, because it assumes the system administrator actually knows his/her job.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
It is malware for the role of "backdoor". As such it does not serve to do an initial system compromise, but serves to maintain system access after that. As it really does not have legitimate purposes besides that, it is "malware".
Also don't forget about tools like AIDE.
On a long enough timeline, the survival rate for everyone drops to zero.
compared to the more widely used Windows
Actually Linux is more widely used overall, windows is only ahead of linux on desktops/laptops. Total worldwide instances of the linux kernel are likely to massively outnumber windows.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
It's malware, but more commonly described as "a rootkit"...
Traditional malware gets itself executed by someone who isn't aware what they're executing, a rootkit is intentionally installed by someone who has already obtained privileged access.
See subject & a quote "I take it you're not a sysadmin, then :p" from YOU - CLUE: U=OFF - 0 can't be used for 0.0.0.0 since 12/08/2010 patch tuesday for Windows - I ran into it w/ hosts (since 0 = smaller line for line in hosts vs. larger 0.0.0.0 I used it - MS changed it making LOAD/RELOAD time of hosts LONGER).
All you KNOW's Linux & that's proof, limited range wannabe you are!
* Your "BRAGGADOCIO" got the BEST OF YOU THERE & I did here so EAT YER WORDS:
https://linux.slashdot.org/com...
Just as I did vs. YOU on "4 billion entries" BLUNDER you made (lol, ah memories).
& you got a +5? How many sockpuppets for self-upmod do you use arth1?
APK
P.S.=> I prove a MODERN distro in KUbuntu uses FILE/hosts as DEFAULT 1st resolver & ISP supplied modems mostly don't allow DNS change (cheap crap & also don't allow port filtering WHICH I VALUE (& I demanded a BETTER one)? SystemD DEFAULTS TO ROUTER SUPPLIED isp DNS & most aren't PATCHED vs. Kaminsky redirect poisoning
See subject & "wannabe sysadmin" arth1 https://linux.slashdot.org/com... arth1 (who got a +5 for his ERRONEOUS BULLSHIT before it I totally PROVED WRONG & how so).
(arth1 also stfu after I shut him up here + long ago on "4 billion entries')
* He told ME "modern linux distros default to DNS as primary 1st resolver"? THAT IS DUMB & why??
FACT:
Most ISP DNS aren't patched vs. KAMINSKY REDIRECT POISONING & modems they supply don't allow DNS change (hence default to isp unpatched unsafe DNS via systemD, yes, it happens here & rewrite resolv.conf vs it changing to PATCHED vs. Kaminsky REDIRECT POISONING PROOF OpenDNS on bootup).
APK
P.S.=> & IF he's RIGHT on 'modern linux distros' (KUbuntu 18.04 LTS proves he's not)? Linux distro makers doing DNS default resolver BETTER GET THEIR SHIT STRAIGHT for reasons I note above... apk
Evil maid would have no way to compromise my Linux desktop, and I leave it logged into the user all day long while I'm at work. To do anything to the system you need to enter the user password. Which is not password1 (hint: maybe Password2 will work). In all seriousness though, this is slashdot so I did not RTFA, but I skimmed the summary, and it sounds like root is already required.
--Highdude702(mods)
See subject: WANNABE 'linux gurus'/wannabe "sysadmins" in arth1 https://linux.slashdot.org/com... PROVEN WRONG.
* Why? To RUB IT IN arth1's face!
No "1st" him taking 'shots' @ me!
Once to me he said "malware has billions of entries you can't store on disk in hosts to block 'em" -
Then a botnet herder CAN'T MANAGE HIS malicious creation minus being able to HOLD STATE either!
Arth1's a by-rote MENIAL & or Linux distros DEFAULTING to DNS = "modern stupid" IF they do!
Most ISP dns != patched vs. Kaminsky flaw & their supplied modems OFTEN DON'T ALLOW CHANGE from ISP DNS & so SystemD DEFAULTS to ISP supplied SLOWER RESOLVING security issue riddled TRACKS YA by dns requestlogs ISP DNS!
KUbuntu 18.04 LTS a MODERN Linux defaults FILE (hosts) in nsswitch (so resolv.conf doesn't F ya via SystemD) vs. his either LIE or mistake in linux distros he mentions.
APK
P.S.=> & either /. users = STUPID or arth1 sockpuppet UPMODS himself (+5? & I was downmodded for what STOPS THIS?)
The only OS that was slower to adopt this than Microsoft Windows was HP-UX and... Oh, wait, you were trolling! Well played, little norn, well played!
Go away impostor. You are not APK and you are pathetic.
See subject: Especially as you KNOW idiots impersonate me verbatim https://it.slashdot.org/commen... & WHO ELSE could ANNIHILATE these wannabes like I did here in my INIMITABLE style (fact) https://linux.slashdot.org/com... ? Nobody BUT me...
* :)
Pathetic's arth1 above there... & you don't DENY it either.
(Thanks for your help in the link above by the by - I owe you one - they even tried to IMPERSONATE you once to stir you up vs. me, remember? Only we BOTH had the presence of mind to know better that time & you in the link above too).
APK
P.S.=> Everyone makes a mistake now & then (even me, maybe once every 20 yrs. or so, lol) & you have man... apk
* SOURCE https://www.welivesecurity.com...
1 botnet used IP address ONLY (unusual - ICANN sinkholes those fast & I see 'upticks' in it lately - perhaps hosts made 'dents' in 'badguys': For it you need a firewall block rule OR wait out ICANN).
APK
P.S.=> For the best hosts file:
APK Hosts File Engine 2.0++ 64-bit for Linux h t t p : / / a p k . i t - m a t e . c o . u k / A P K H o s t s F i l e E n g i n e F o r L i n u x . z i p (remove spaces between chars & download)
APK Hosts File Engine 10++ SR-1 32/64-bit for Windows https://hosts-file.net/?s=Down... (DL link @ bottom)
See subject: "... IF u strike me down I become MORE POWERFUL than u can possibly imagine!" https://linux.slashdot.org/com...
* :)
APK
P.S.=> Undeniable fact & "UNLIMITED POSTING POWER!!!" per Darth Sidious, lol... apk
"Not as clumsy/random as a blaster - An elegant weapon 4 a more civilized age" https://news.slashdot.org/comm...
* "For over a 1,000 generations Jedi Knights were guardians of peace & justice in the old Republic. Before the dark times. Before the EMPIRE"
(Hosts = light sabres & wildcard tools = blasters above)
APK
P.S.=> Many here know https://linux.slashdot.org/com... & enjoy greater speed/security/reliability & anonymity hosts yield natively speeding you up 2 ways (adblocks & hardcodes that protect vs. DNS security issues in redirect poisoning + request tracking logs & RESOLVE FASTER locally from RAM driven by KERNELMODE speed vs. slow usermode in "solutions" packed w/ security issues (DNS/Antivirus) OR not working fully by default (adblock) in usermode addons easily detected by webmasters & blocked doing less but using more)... apk