ESET Discovers 21 New Linux Malware Families (zdnet.com)
In a report published last week by cyber-security firm ESET, the company detailed 21 "new" Linux malware families. All operate in the same manner, as trojanized versions of the OpenSSH client. From a report: They are developed as second-stage tools to be deployed in more complex "botnet" schemes. Attackers would compromise a Linux system, usually a server, and then replace the legitimate OpenSSH installation with one of the trojanized versions.
Is there anything about this for which checking the digital signature of the OpenSSH files wouldn't work? That probably should be done at boot time and then periodically after that.
How is it malware, if you have to compromise the server first??
If you manage to compromise a system, then you can just put anything in there. Duh.
Was this written by somebody from generation "i" again?
Or at least can happen, if you set it up.
On Linux, you usually have a package manager, which keeps the checksums/signatures of every file it installed so it can do its package-managing job. It will complain when you try to uninstall/reinstall the package and things have changed behind its back. (Unless it's a configuration/data file, of course.)
(On Gentoo, you could query /var/db/pkg and compare the info there to the files. There's certainly a tool for it that I can't remember right now.)
Want a regular check? Just use your package manager's helper tools in a cron script.
On top of that, you have RBAC systems that generally disallow even altering such files by anyone unless authorized. (E.g. the package manager would be authorized.)
But all of this is utterly pointless. Because, as you can read, the whole thing requires that the server is first compromised, before the "trojan" is installed. (Making it not a trojan.)
My current explanation is that the writer must have been utterly clueless about all things computer.
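The periodic check the post describes, as an added example that is not the poster's own script: a cron-friendly POSIX sh routine that compares the OpenSSH binaries against a baseline manifest in `sha256sum -c` format, and prefers the package manager's own verification (`dpkg --verify` / `rpm -V`, using the hashes recorded at install time) when one is present. The baseline path and the package names are assumptions based on Debian and RHEL naming.

```shell
#!/bin/sh
# Periodic integrity check for the OpenSSH binaries (added example, not the
# poster's own script). The manifest format is that of "sha256sum -c":
#   <sha256>  <absolute path>
# Build the baseline once from a known-good install, e.g.
#   sha256sum /usr/bin/ssh /usr/sbin/sshd > /var/lib/ssh-baseline.sha256
# (baseline path and package names are assumptions based on Debian/RHEL naming)

# verify_manifest MANIFEST
# Prints "CHANGED <path>" or "MISSING <path>" for each mismatch.
# Returns 0 if all files match, 1 if any differ, 2 if the manifest is unreadable.
verify_manifest() {
    manifest=$1
    [ -r "$manifest" ] || { echo "manifest unreadable: $manifest" >&2; return 2; }
    rc=0
    while read -r expected path; do
        case "$expected" in ''|'#'*) continue ;; esac   # blank lines, comments
        if [ ! -f "$path" ]; then
            echo "MISSING $path"; rc=1; continue
        fi
        actual=$(sha256sum "$path" | cut -d' ' -f1)
        [ "$actual" = "$expected" ] || { echo "CHANGED $path"; rc=1; }
    done < "$manifest"
    return $rc
}

# check_openssh MANIFEST
# Prefer the package manager's own verification (it compares against the hashes
# recorded at install time); fall back to the local manifest otherwise.
check_openssh() {
    if command -v dpkg >/dev/null 2>&1 && dpkg -s openssh-client >/dev/null 2>&1; then
        dpkg --verify openssh-client openssh-server
    elif command -v rpm >/dev/null 2>&1 && rpm -q openssh >/dev/null 2>&1; then
        rpm -V openssh openssh-clients openssh-server
    else
        verify_manifest "$1"
    fi
}
```

A cron entry calling `check_openssh /var/lib/ssh-baseline.sha256` and mailing non-empty output gives the regular check the post asks for; the baseline must be regenerated after each legitimate OpenSSH upgrade.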
Unless Linux owners go out of their way to misconfigure their servers, for convenience's sake, they should be safe from most of these attacks.
Politics; n. : A religion whereby man is god.
This is OpenSSH, not Linux. There can be millions of trojanized programs out there. These "security researchers" get more and more idiotic every year.
To use any of this stuff you need to already be on the box and already be root. This ain't easy to do at all unless you have an idiot for a user that will run your dropper as root for you. Ain't nothing Linux can do about that.
The evil maid strikes again!
Seven puppies were harmed during the making of this post.
1 botnet used IP address ONLY (unusual as ICANN sinkholes those fast & I've seen an 'uptick' in it lately - perhaps hosts IS making a 'dent' in 'badguys': For that - you need a firewall block rule OR wait out ICANN).
No, you can easily block individual addresses through the routing table.
ip route add prohibit N.N.N.N
This works with networks too, like:
ip route add prohibit 185.224.136.0/23
If you have all of the nasties in a file, you can do something like this at startup, in an rc.local file or similar:
xargs -r -n1 </etc/ipblocklist ip route add prohibit
Also, while I have you here, many modern distros default to prefer DNS over /etc/hosts and only use /etc/hosts as a fallback, in which case your /etc/hosts list will not have any effect unless /etc/nsswitch.conf is modified.
Example line in /etc/nsswitch.conf that will not work:
hosts: dns [!UNAVAIL=return] files
Example line in /etc/nsswitch.conf that will work:
hosts: files dns
Just add water!
Those who do not learn from commit history are doomed to regress it.
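The blocklist loader from the post above, expanded as an added example (not the poster's one-liner): it skips blank lines and comments, rejects anything that is not a plain IPv4 address or IPv4 CIDR prefix rather than feeding it to `ip route`, and has a dry-run mode so the routes can be reviewed before they are applied. The file path /etc/ipblocklist comes from the post; BLOCKLIST_DRYRUN is an assumed variable name.

```shell
#!/bin/sh
# Loader for a /etc/ipblocklist-style file (added example, not the poster's
# one-liner): skips blanks and "#" comments, rejects anything that is not a
# plain IPv4 address or IPv4 CIDR prefix, and supports a dry run so the route
# commands can be reviewed first. BLOCKLIST_DRYRUN is an assumed variable name.

# valid_ipv4_cidr ENTRY : 0 for "a.b.c.d" or "a.b.c.d/n" (octets 0-255,
# prefix 0-32), 1 otherwise.
valid_ipv4_cidr() {
    entry=$1
    addr=${entry%%/*}
    prefix=${entry#*/}
    [ "$prefix" = "$entry" ] && prefix=32      # no "/": single host
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case "$addr" in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# blocklist_commands FILE : prints one "ip route add prohibit ..." line per
# valid entry, reports rejected lines on stderr, returns 1 if any were rejected.
blocklist_commands() {
    rc=0
    while read -r line; do
        entry=${line%%#*}                          # drop trailing comment
        entry=$(printf '%s' "$entry" | tr -d '[:space:]')
        [ -n "$entry" ] || continue
        if valid_ipv4_cidr "$entry"; then
            printf 'ip route add prohibit %s\n' "$entry"
        else
            echo "rejected: $line" >&2; rc=1
        fi
    done < "$1"
    return $rc
}

# apply_blocklist FILE : apply the routes (needs root), or only print them
# when BLOCKLIST_DRYRUN=1.
apply_blocklist() {
    if [ "${BLOCKLIST_DRYRUN:-0}" = 1 ]; then
        blocklist_commands "$1"
    else
        blocklist_commands "$1" | sh -e
    fi
}
```

Run `BLOCKLIST_DRYRUN=1 apply_blocklist /etc/ipblocklist` first; a malformed line is reported on stderr instead of silently producing a failed or wrong route at boot.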
I noticed the "first breach the server" hand wave. It reminded me of Monty Python and the Holy Grail: "Well, now, uh, Lancelot, Galahad, and I, uh, wait until nightfall, and then leap out of the rabbit, taking the French, uh, by surprise. Not only by surprise, but totally unarmed!"
Work like no one is watching. Dance like you've never been hurt. Make love like you don't need the money.
This is another example of how Slashdot hires fifth grade senior editors. OpenSSH is not part of the Linux kernel, so that calling it Linux malware is a misnomer. OpenSSH was developed by a private company in Helsinki, Finland. Let's just say that it is a fork of an old version of their product, and that it runs in user space. It is bundled with GNU/Linux distributions, as well as with Microsoft Windows.
No. Unlike OSes designed for morons like you, Linux does allow you to misconfigure everything as much as you like, because it assumes the system administrator actually knows his/her job.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
It is malware for the role of "backdoor". As such it does not serve to do an initial system compromise, but serves to maintain system access after that. As it really does not have legitimate purposes besides that, it is "malware".
Also don't forget about tools like AIDE.
On a long enough timeline, the survival rate for everyone drops to zero.
compared to the more widely used Windows
Actually Linux is more widely used overall; Windows is only ahead of Linux on desktops/laptops. Total worldwide instances of the Linux kernel are likely to massively outnumber Windows.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
It's malware, but more commonly described as "a rootkit"...
Traditional malware gets itself executed by someone who isn't aware what they're executing, a rootkit is intentionally installed by someone who has already obtained privileged access.
Go away impostor. You are not APK and you are pathetic.