Slashdot Mirror


ESET Discovers 21 New Linux Malware Families (zdnet.com)

In a report published last week by cyber-security firm ESET, the company detailed 21 "new" Linux malware families. All operate in the same manner, as trojanized versions of the OpenSSH client. From a report: They are developed as second-stage tools to be deployed in more complex "botnet" schemes. Attackers would compromise a Linux system, usually a server, and then replace the legitimate OpenSSH installation with one of the trojanized versions.

3 of 67 comments

  1. Re:But, but, but, but... by Anonymous Coward · Score: 1, Informative

    To use any of this stuff you need to already be on the box and already be root. This ain't easy to do at all unless you have an idiot for a user that will run your dropper as root for you. Ain't nothing Linux can do about that.

  2. Re:Stupid by whoever57 · Score: 4, Informative

    Could go the Windows route and deem certain files critical to the system (ie - only trusted publishers are allowed to update the OS files), but then you'd have to have a list of publishers (based on certs) allowed to update the system. I don't think it's an entirely bad idea.

    Furthermore, you could require that the binaries are delivered in collections called "packages" and have the system require a valid signature and only recognize some signatures. Then you could have a distributed system for providing downloads of the signed packages. As long as the signature is valid, it doesn't matter what the source is.

    Oh, wait, every major Linux distribution has done this since almost forever, probably before Windows installers were signed.

    --
    The real "Libtards" are the Libertarians!
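
    The comment above rests on the fact that every file a distribution ships arrives in a signed package, which also gives the defender a check against the attack in the summary: an OpenSSH binary swapped for a trojanized build no longer matches the digest recorded by that package. The script below is an added example, not code from the thread, ESET or any distribution. It filters the output of `rpm -V` / `dpkg --verify` down to the findings that matter; the sample lines it carries are constructed in the shape those tools print and are not real output from any system.

```sh
#!/bin/sh
# Added example, not from the Slashdot thread or from ESET: a filter over
# "rpm -V" / "dpkg --verify" output that lists package files whose on-disk
# content no longer matches what the signed package shipped. That is the
# check that catches a legitimate OpenSSH binary swapped for a trojanized one.

# tampered_files: read verify output on stdin, print one finding per line.
# Both tools print a 9-character attribute string (rpm: SM5DLUGTP,
# dpkg: '?' for unchecked attributes); position 3 is the digest flag '5'.
# An optional type marker (c = conffile, d = doc, ...) may precede the path.
tampered_files() {
    while IFS= read -r line || [ -n "$line" ]; do
        set -- $line                      # word-split: flags [type] path
        [ $# -ge 2 ] || continue
        flags=$1
        for path in "$@"; do :; done      # last field is the path
        if [ "$flags" = missing ]; then
            printf 'missing: %s\n' "$path"
        elif [ ${#flags} -eq 9 ]; then
            case ${flags#??} in           # skip S (size) and M (mode)
                5*) if [ $# -eq 3 ] && [ "$2" = c ]; then
                        printf 'modified conffile: %s\n' "$path"   # usually an admin edit
                    else
                        printf 'digest mismatch: %s\n' "$path"     # binaries should never change
                    fi ;;
            esac
        fi
    done
}

# sample_verify_output: constructed lines in the shape rpm -V / dpkg --verify
# produce (not real output from any system), for trying the filter offline.
sample_verify_output() {
    printf '%s\n' \
        'S.5....T.    /usr/bin/ssh' \
        '.......T.    /usr/share/doc/openssh/README' \
        'missing     /usr/bin/ssh-keyscan' \
        '??5?????? c /etc/ssh/ssh_config'
}

# Run the filter over the constructed sample: sh verify_filter.sh demo
if [ "${1:-}" = demo ]; then
    sample_verify_output | tampered_files
fi
```

    On an RPM-based system the real input is `rpm -V openssh-clients openssh-server | tampered_files`; on a Debian-derived one `dpkg --verify openssh-client openssh-server | tampered_files` (dpkg only checks files for which the package shipped md5sums). Two caveats a practitioner would add: the package database and the verifying tool sit on the same box as the suspect binary, so on a host that is already root-compromised the comparison is only trustworthy from a rescue image or against a freshly downloaded package file (`rpm -Vp package.rpm`), and the word-splitting above assumes paths without spaces, which holds for the OpenSSH packages.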

  3. Re:APK & hosts files to the rescue (again)... by arth1 · Score: 5, Informative

    1 botnet used IP address ONLY (unusual as ICANN sinkholes those fast & I've seen an 'uptick' in it lately - perhaps hosts IS making a 'dent' in 'badguys': For that - you need a firewall block rule OR wait out ICANN).

    No, you can easily block individual addresses through the routing table.
    ip route add prohibit N.N.N.N
    This works with networks too, like:
    ip route add prohibit 185.224.136.0/23

    If you have all of the nasties in a file, you can do something like this at startup, in an rc.local file or similar:
    xargs -r -n1 </etc/ipblocklist ip route add prohibit

    Also, while I have you here, many modern distros default to prefer DNS over /etc/hosts and only use /etc/hosts as a fallback, in which case your /etc/hosts list will not have any effect unless /etc/nsswitch.conf is modified.

    Example line in /etc/nsswitch.conf that will not work:
    hosts: dns [!UNAVAIL=return] files
    Example line in /etc/nsswitch.conf that will work:
    hosts: files dns
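
    The two mechanisms in the comment above, prohibit routes built from a blocklist file and the `hosts:` ordering in /etc/nsswitch.conf, are combined in the added example below. It is not code from the thread or from any distribution. It differs from the `xargs` one-liner in that every blocklist entry is validated as an IPv4 address or CIDR prefix before it can become a route, comments and blank lines are tolerated, and the commands are printed for review rather than executed; the second function reads an nsswitch.conf and reports whether `files` is consulted before `dns`. The blocklist and nsswitch.conf contents are constructed inputs, not files from any real host.

```sh
#!/bin/sh
# Added example (not from the Slashdot thread): a validated version of
# "xargs ... ip route add prohibit" plus a check of the nsswitch hosts order.
# Assumed blocklist layout: one IPv4 address or CIDR per line, '#' comments.

# is_ipv4_or_cidr ADDR -> 0 if ADDR is a dotted-quad IPv4 address with an
# optional /0-32 prefix length, 1 otherwise. Pure POSIX sh.
is_ipv4_or_cidr() {
    addr=$1
    prefix=32
    case $addr in
        */*) prefix=${addr#*/}; addr=${addr%/*} ;;
    esac
    case $prefix in                       # prefix must be an integer 0..32
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.
    set -- $addr                          # split into octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
        # reject leading zeros such as 01, which some tools read as octal
        [ "$octet" = 0 ] || [ "${octet#0}" = "$octet" ] || return 1
    done
    return 0
}

# blocklist_routes FILE -> prints one "ip route add prohibit X" per valid
# entry; comments and blank lines are skipped, invalid lines go to stderr.
blocklist_routes() {
    file=$1
    while IFS= read -r line || [ -n "$line" ]; do
        entry=${line%%#*}                 # strip a trailing comment
        set -- $entry                     # drop surrounding whitespace
        [ $# -gt 0 ] || continue
        if is_ipv4_or_cidr "$1"; then
            printf 'ip route add prohibit %s\n' "$1"
        else
            printf 'skipping invalid blocklist entry: %s\n' "$line" >&2
        fi
    done < "$file"
}

# hosts_lookup_order FILE -> "files-first", "dns-first" or "unknown", from
# the first "hosts:" line of an nsswitch.conf; action specifiers such as
# [!UNAVAIL=return] are ignored when counting positions.
hosts_lookup_order() {
    file=$1
    while IFS= read -r line || [ -n "$line" ]; do
        set -- $line
        [ "${1:-}" = "hosts:" ] || continue   # comments and other databases
        shift
        files_pos=0; dns_pos=0; pos=0
        for word in "$@"; do
            case $word in "["*) continue ;; esac
            pos=$((pos + 1))
            if [ "$word" = files ] && [ $files_pos -eq 0 ]; then files_pos=$pos; fi
            if [ "$word" = dns ] && [ $dns_pos -eq 0 ]; then dns_pos=$pos; fi
        done
        if [ $files_pos -eq 0 ] || [ $dns_pos -eq 0 ]; then echo unknown
        elif [ $files_pos -lt $dns_pos ]; then echo files-first
        else echo dns-first
        fi
        return 0
    done < "$file"
    echo unknown
}

# Preview the routes for a blocklist, then report the resolver order:
#   sh blocklist_routes.sh /etc/ipblocklist
if [ $# -eq 1 ]; then
    blocklist_routes "$1"
    printf 'nsswitch hosts order: %s\n' "$(hosts_lookup_order /etc/nsswitch.conf)" >&2
fi
```

    After reviewing the preview, `blocklist_routes /etc/ipblocklist | sh` as root installs the routes, as the comment's `xargs` line does; on a second run `ip route add` reports "File exists" for entries already present, which `ip route replace prohibit` avoids. The order check only reads the first `hosts:` line, which is how glibc treats the file as well.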