Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security Linux

Stealthy Linux Trojan May Have Infected Victims For Years 129

An anonymous reader writes: Researchers from Moscow-based Kaspersky Labs have uncovered an extremely stealthy trojan for Linux systems that attackers have been using to siphon sensitive data from governments and pharmaceutical companies around the world.

The malware may have sat unnoticed on at least one victim computer for years, although Kaspersky Lab researchers still have not confirmed that suspicion. The trojan is able to run arbitrary commands even though it requires no elevated system privileges.
This discussion has been archived. No new comments can be posted.

Stealthy Linux Trojan May Have Infected Victims For Years

Comments Filter:
  • by Anonymous Coward on Tuesday December 09, 2014 @08:20AM (#48554529)

    I thought that the systemd infection of Debian was much more recent than that. Like within the past year. But maybe I'm wrong, and it has been longer?

    • by gweihir ( 88907 )

      It is just that these things evolve and eventually move into the light ;-)

      • As long as your sig is under construction it will not be ready to move into the light. Personally I prefer tailor made sigs.

        • by gweihir ( 88907 )

          I had one of those. But I found out my tailor was too limited for my tastes, so I upgraded to ultimate flexibility! ;-)

  • by gweihir ( 88907 ) on Tuesday December 09, 2014 @08:24AM (#48554547)

    The privilege system does not protect commands, it protects data. You can always run any command on any data that belongs to you. But when you want to access data of others or the system, you need elevated privileges and same for attacking to privileged network ports.

    • by Antique Geekmeister ( 740220 ) on Tuesday December 09, 2014 @08:36AM (#48554613)

      I';m personally aware of thousands of systems on which database data, backups, and system logs are not read protected from local users. They're left this way on the grounds that "if someone has local access, we're screwed anyway". They pass pass commercial security audits because the security companies do a handful of known external attacks, which giver a small set of tasks to fix the issue and do not address such fandamental issues.

      This is particularly aggravated on systems with have password free sudo access for developers, which is very common on development environments, on systems with password free SSH keys casually stored with system wide access, and software systems that store passwords in clear text by default, such as Subversion HTTPS access. It's also compounded when home directories on which such information is stored is NFSv3 mounted and shared with all clients on the network. The concept of "data which belongs to you" breaks down quickly with NFS or CIFS without authentication in most environments. NFSv4 or Kerberized CIFS access can be helpful in restricting this, but I know very few partners or clients who go to the extra steps needed for this.

      • by gweihir ( 88907 )

        I do not disagree. But that is a property of the target system, not of the attack.

      • by mlts ( 1038732 )

        In general, there has been a trend away from both local protection privilege escalation (from user to root.) Mainly the focus has been keeping people out of the box proper, although this does go against the defense in depth concept since once the box gets breached somehow (a security bug that commandeers a Web browser, for example), an attacker can gain a lot by running just with that user's context [1], or even using exploits to get root. Once root, burying kernel modules becomes quite doable.

        There needs

    • by mlts ( 1038732 )

      Protecting commands (data goes without saying as well) is handled by a MAC/MIC system like AppArmor or SELinux.

      What I don't get is how this Trojan could sit around for so long and not be caught by a competent admin. Between process accounting, Tripwire/Aide, mounting home directories with noexec, and finally a sane IDS/IPS [1] that does active protection, this should have been caught by someone and reported. Even a Linux based antivirus product like McAfee that uses the latest 2.6 kernel hooks to do realt

      • by gweihir ( 88907 )

        Indeed. But most Linux installations do not have those or only have a generic config, as doing them right is pretty hard. I have some experience in that area. You run into things like Acrobat reader doing and needing code execution on the stack and other "fun" stuff.

        As to your second point, you already said it: It needs a competent admin. Often that one is missing. It also needs a competent admin with the right to decide what to put on the machines and how to configure it. In large enterprises that is usual

    • by HiThere ( 15173 )

      Not necessarily true. If the comman resides in a directory that is read protected then you need to have the appropriate privileges to execute it. I've got an early version of Red Hat in a virtual machine where "shutdown" is protected in precisely that way.

  • just how many botnets the NSA is actually running?

    • The NSA doesn't run botnets... well, not many, anyways. However, they do analyze botnets completely and thoroughly, and thus they can take command of known botnets in a heartbeat if the need arises.
      • by Anonymous Coward

        Why should anyone trust these "labs" who seem to be always just a little behind the curve in releasing their dramatic security findings? Usually long after the security breach has fulfilled it's purpose. If they are so skilled at finding these complex security breaches they are certainly capable of creating the problems in the first place. And the skills attributed to the NSA or any government agency do not belong to any GS12 salaried government employee. They use highly paid contractors who, judged by the

      • by v1 ( 525388 )

        The NSA doesn't run botnets... well, not many, anyways.

        From TFA:

        The unknown attackers--who are probably backed by a nation-state, according to Symantec

        Even Symantec thinks it's a government operation. We're just starting to see them, but I think there's a lot more government-run botnets out there that haven't been outed yet. These sophisticated, highly targeted malware like Stuxnet are all government-run botnets.

        They either made them, or as you suggested, took them over for their own use. (that's actually a good idea, and I'd bet the more common option outside of say china or NK... those t

  • by Anonymous Coward

    If you are establishing a raw socket, you have to have privileges...

  • It seems to be anyone else.
    • by MrKaos ( 858439 )

      It seems to be anyone else.

      It seems too obvious, that is. I shouldn't post when tired.

      Stripped binaries, statically linked libraries, magic numbers in packets and so on. I'm sure there are a few shell vulnerabilities that we don't know about and certainly there are plenty of commands that can be exploited to escalate priviledge levels if required.

      • by ruir ( 2709173 )
        The last attacks I have seen they use coded transmission to talk with the CC, and I have seen a couple of instances where when running locally, they erase the binaries to not be tracked. If one is not careful analysing a system or too fast shutting down a compromised server, you will damage important data to be collected with foresync tools for sure.
        • by MrKaos ( 858439 )
          It looks like a good platform for assessing a local system and installing a more serious exploit, so I agree, it would be very difficult to isolate these and identify what they are doing.
  • by ledow ( 319597 ) on Tuesday December 09, 2014 @08:45AM (#48554655) Homepage

    It's an ordinary piece of malware.

    It talks home to a hard-coded URL.

    It has to have a secret "knock" before it will talk back to you (port-knocking has uses both ways, it seems!).

    It contains easily-greppable strings.

    Quite what distinguishes this from other malware, I'm not too sure. Just that nobody had seen it before?

    • FUD (Score:4, Informative)

      by s.petry ( 762400 ) on Tuesday December 09, 2014 @10:19AM (#48555451)
      Reading TFA I see no mention of Linux at all, it mentions Windows and PHP. Perhaps the author is confused and believes that anything with .PHP must exist in Linux, but I'm skeptical. They spend lots of time talking about the various .exe files, "Administrator" privileges, and "Network Shares" which are exclusive terminology to the Windows OS. Nobody can be that ignorant as a technical writer.
      • Take these comments from the article:

        Like its Windows counterparts, the Linux trojan is extremely stealthy. It can't be detected using the common netstat command. To conceal itself, the backdoor sits dormant until attackers send it unusually crafted packets that contain "magic numbers" in their sequence numbers

        ....

        Even a regular user with limited privileges can launch it, allowing it to intercept traffic and run commands on infected machines. Capabilities include the ability to communicate with servers

    • @ledow: "Quite what distinguishes this from other malware, I'm not too sure. Just that nobody had seen it before?"

      What this is even doing as an article on slashdot is beyond me, apart from giving Kaspersky some free advertising space.
  • Something does not compute here. The SecureList blog post says that the port knocking works by getting a raw socket from pcap and looking at the ack. On any Linux system I've ever used, this DOES require root privileges. And yet, they also claims it does not need any special privileges?

    • Something does not compute here. The SecureList blog post says that the port knocking works by getting a raw socket from pcap and looking at the ack. On any Linux system I've ever used, this DOES require root privileges. And yet, they also claims it does not need any special privileges?

      From what I gather from the linked articles from the summary link, you need root and command line access to install it, but after it is installed, it doesn't take root to activate it. That said, if somebody has access to root or the command line, you need a new security administrator.

      • Err so that just describes SUID. Nothing magical or unintended, it still can't operate on a system without root.

        And it being on a single computer for years just means it has been found on one single computer, with an admin who didn't look.

        • Err so that just describes SUID. Nothing magical or unintended, it still can't operate on a system without root.

          And it being on a single computer for years just means it has been found on one single computer, with an admin who didn't look.

          I don't disagree. Plus, from the article, it hasn't been found in the wild on any linux installations. It speculates that it could be a problem, but, without either root access or direct access to the box, I don't see how.

    • by Lumpy ( 12016 )

      It's because the Article is 100% FUD. Read it carefully, notice how there are zero details at all and a lot of things just dont add up about it.
      Then look at the source and realize it's a PR piece.

  • From the article link to from the article in the summary:

    Although Linux variants from the Turla framework were known to exist, we haven't seen any in the wild yet.

    It might be because you need root and command line access to install it. After that, however, it can be activated without root.

  • "This Turla cd00r-based malware .. can't be discovered via netstat, a commonly used administrative tool" link [securelist.com]

    'To activate the real remote access service (the attached code starts an inetd to listen on port 5002, which will provide a root shell), one has to send several packets (TCP SYN) to ports on the target system' link [phenoelit.org]

    How exactly does this 'Linux trojan' get onto the computers in the first place, without the end user going to a site and downloading the malware and explicidly running it and enteri
  • Speaking of links, the descriptive texts in the first two links in this post are backwards. The reference to the "siphon data from governments and pharmaceutical companies" links to the stealthy trojan link and the "stealthy trojan..." link, links to the "siphon data ..." article.

"All the people are so happy now, their heads are caving in. I'm glad they are a snowman with protective rubber skin" -- They Might Be Giants

Working...