
New Linux Crypto-miner Steals Your Root Password and Disables Your Antivirus (zdnet.com)

Malware targeting Linux users may not be as widespread as the strains targeting the Windows ecosystem, but Linux malware is becoming just as complex and multi-functional as time passes. ZDNet reports: The latest example of this trend is a new trojan discovered this month by Russian antivirus maker Dr.Web. This new malware strain doesn't have a distinctive name yet, being only tracked under its generic detection name of Linux.BtcMine.174. But despite the generic name, the trojan is a little bit more complex than most Linux malware, mainly because of the plethora of malicious features it includes. The trojan itself is a giant shell script of over 1,000 lines of code. This script is the first file executed on an infected Linux system. The first thing this script does is find a folder on disk to which it has write permissions, so it can copy itself there and later use it to download other modules. Once the trojan has a foothold on the system, it uses one of two privilege escalation exploits, CVE-2016-5195 (also known as Dirty COW) or CVE-2013-2094, to get root permissions and full access to the OS.
  • by SuperKendall ( 25149 ) on Saturday November 24, 2018 @03:38AM (#57691738)

    This new malware strain doesn't have a distinctive name, yet,

    How about:

    VeggieCow (roots!)
    AVTerminator
    NohupForAll (read the article)
    MinerMiner209-519er (perhaps too much a stretch).

    Actually you really should read through the article, more interesting than I thought it would be from the summary and this little bugger really does a number on a system.

  • by Anonymous Coward on Saturday November 24, 2018 @03:43AM (#57691750)

    that have long since been patched.

    update your damn systems, people.

    • by Anonymous Coward on Saturday November 24, 2018 @05:29AM (#57691926)

      Windows 10 is safer than Linux. It checks for updates every hour and installs them immediately. The user can't even disable that!

      • IOW, it is industry best practice to run the most up to date malware.
      • by Anonymous Coward

        Every present day Linux distribution automatically checks for updates. You then have to authorize installation. Alternatively, you can also switch to automatic update, which then runs while you are working not when you want to leave. BTW you can deactivate auto update in Windows 10.

        • by Anonymous Coward

          My Linux distro gives me a choice. I do manual updates.

          You cannot disable automatic updates in Windows 10 unless you totally disable the update software. That means every time you want to update, you have to reenable everything, let it update, then disable it all again. Also, you can't choose which updates you want. It's all or nothing.

          Windows 10 is the single worst operating system ever made by anyone in the entire history of computing.

          • Re: (Score:2, Informative)

            by Anonymous Coward

            MS does this because of all the bad press botnets have received over the years when people did not do updates on their systems.

• MS appears not to care about bad press. The botnet stink gets replaced by the we'll-force-updates-to-10 policy, the we-control-your-W10-PC update policy, and the forthcoming Windows-as-a-recurring-revenue-service-so-we-can-push-advertisements-in-programs policy.

              • by Anonymous Coward

                To defeat the botnet we must become the botnet.

      • Actually Windows will "say" it has checked for updates in the past day or so but 90% of the time if I press "Check for Updates", it finds one or more to download. I take care of a couple handfuls of Win10 Pro boxes and they all do this from time to time. Maybe it's for one of the less critical updates, but still. If you say there are no updates in the past day, don't start downloading updates that were released 2 weeks ago when I hit check for updates.

    • by sad_ ( 7868 )

Just what I thought when reading this, but then I wondered whether the actual target machines are probably IoT devices or consumer network stuff or maybe even old-ass Android phones still in use (wouldn't be that crazy). All those things run outdated, unpatched, insecure Linux installations out of the box, with almost no chance of ever seeing an update.

• Some of the most exploited vulnerabilities have all been old. The reality is that a vast number of home users AND sysadmins don't adequately maintain systems.
    • Beat me to it:

      CVE-2016-5195 [redhat.com]
      CVE-2013-2094 [nist.gov]

      Seriously, this has nothing to do with "Linux is more secure than Windows". If you're running this old ass code in the wild, you sort of deserve it at this point.

  • by Selur ( 2745445 ) on Saturday November 24, 2018 @04:50AM (#57691864)

    Seeing the bitcoin prices falling and falling I wonder: "Why would malware creators still create such stuff, isn't there anything more profitable than this?"

• If you just reap the fruit of another person's labor, it does not matter that you will be selling it below current market value; you are still making a profit.
    • by Anonymous Coward

It is profitable if you don't have to pay for the electricity or hardware costs.

    • Re: (Score:3, Interesting)

      by Anonymous Coward

      Seeing the bitcoin prices falling and falling I wonder: "Why would malware creators still create such stuff, isn't there anything more profitable than this?"

      Not really.

      Did you know that hacked Facebook accounts are worth more than credit card numbers?
      That is because Facebook accounts are less likely to be blocked out so they still have their value while credit cards typically are blocked by the time the buyer tries to use them.

Essentially there isn't much you can get your hands on in an automated fashion that has value.
Unless you resort to targeted attacks to get hold of specific information to sell to a specific buyer (industrial or military espionage), crypt

    • by AHuxley ( 892839 )
      No power cost, no cooling costs.
      Everything is done for free on another CPU using a free OS.
      The results are networked back for free.
      Would Linux users wonder why their CPU is in use more often?
      • by arth1 ( 260657 )

        Would Linux users wonder why their CPU is in use more often?

        Possibly. Add a comma, and I'd say certainly: Linux users would wonder why their CPU is in use, more often.
        This is due to all the commonly used standard tools that would give an indication, including but not limited to w, uptime, top and ps.
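A defender's triage script that follows from two points in this thread: the summary's note that the trojan first looks for a directory it can write to and stages itself there, and arth1's point just above that the standard tools (w, uptime, top, ps) expose the CPU use. This is an added example, not code from the article, from Dr.Web or from any commenter; the staging directory list, the CPU threshold and the sample /proc stat line are assumptions constructed for the demo. It reads /proc directly so it runs even where procps is not installed.

```shell
#!/bin/sh
# Added example, not from the article or Dr.Web's write-up. It combines two
# observations from this thread: the trojan stages itself in a directory it
# can write to, and a miner shows up as sustained CPU use in ps/top/w.
# The script reads /proc directly so it runs without procps; the thresholds
# and directory names below are assumptions for the demo.

# Directories an unprivileged process can usually write to on Linux.
STAGING_DIRS="/tmp /var/tmp /dev/shm"
# Cumulative CPU seconds above which a process is worth a look (heuristic;
# long-running legitimate daemons will exceed it too).
CPU_THRESHOLD=${CPU_THRESHOLD:-600}

# is_staging_path PATH -> 0 if PATH lies under one of STAGING_DIRS
is_staging_path() {
  for d in $STAGING_DIRS; do
    case "$1" in "$d"/*) return 0 ;; esac
  done
  return 1
}

# mount_has_noexec LINE -> 0 if a /proc/mounts line carries the noexec option
# (fields: device mountpoint fstype options dump pass)
mount_has_noexec() {
  opts=$(printf '%s\n' "$1" | awk '{print $4}')
  case ",$opts," in *,noexec,*) return 0 ;; esac
  return 1
}

# cpu_seconds_from_stat LINE CLK_TCK -> prints utime+stime of a /proc/PID/stat
# line in seconds. The comm field is parenthesised and may itself contain
# spaces or ')', so parse from the last ') ' onward, where field 3 begins;
# utime and stime (fields 14 and 15) are then the 12th and 13th fields.
cpu_seconds_from_stat() {
  rest=${1##*') '}
  printf '%s\n' "$rest" | awk -v t="$2" '{ printf "%d\n", ($12 + $13) / t }'
}

# check_staging_mounts -> reports whether each staging dir is a separate
# mount and whether that mount is noexec (a cheap block on "copy and run")
check_staging_mounts() {
  [ -r /proc/mounts ] || return 0
  while read -r mline; do
    mp=$(printf '%s\n' "$mline" | awk '{print $2}')
    for d in $STAGING_DIRS; do
      [ "$mp" = "$d" ] || continue
      if mount_has_noexec "$mline"; then
        printf '%s: separate mount, noexec\n' "$d"
      else
        printf '%s: separate mount WITHOUT noexec\n' "$d"
      fi
    done
  done </proc/mounts
  return 0
}

# scan_processes -> lists processes whose executable lives in a staging dir
# or whose cumulative CPU time exceeds CPU_THRESHOLD
scan_processes() {
  tck=$(getconf CLK_TCK 2>/dev/null || echo 100)
  for statf in /proc/[0-9]*/stat; do
    pid=${statf#/proc/}; pid=${pid%/stat}
    line=$(cat "$statf" 2>/dev/null) || continue   # process may have exited
    secs=$(cpu_seconds_from_stat "$line" "$tck")
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo "?")
    flags=""
    if is_staging_path "$exe"; then flags="$flags staging-dir"; fi
    if [ "$secs" -ge "$CPU_THRESHOLD" ]; then flags="$flags high-cpu"; fi
    [ -z "$flags" ] || printf 'pid=%s cpu_s=%s exe=%s flags:%s\n' "$pid" "$secs" "$exe" "$flags"
  done
  return 0
}

# Constructed /proc/PID/stat line (comm deliberately contains a space and a
# parenthesis): 360000 + 12000 ticks at CLK_TCK=100 is 3720 CPU seconds.
SAMPLE_STAT="4242 (xmr (miner)) R 1 4242 4242 0 -1 4194304 100 0 0 0 360000 12000 0 0 20 0 4 0 1000 0 0"

check_staging_mounts
scan_processes
```

Run it as any user; processes whose /proc/PID/exe is unreadable show up as "?". A hit on both flags (binary under /tmp and a large CPU total) is the pattern the summary describes, but either flag alone is only a prompt to look, not a verdict.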

  • by Shinobi ( 19308 ) on Saturday November 24, 2018 @04:59AM (#57691878)

This is an example of why local privilege escalations should never be scoffed at. You can blather all you want about permissions etc., but only one slip is required, and you're shit out of luck.

The sad thing is that I've had to argue this point for 20 years now.

    • by Anonymous Coward

      They do matter, but you still have to get a way in.

You still have to get the user to somehow run this script. Considering that scripts aren't even executables as such to begin with, and the considerably better average computer literacy among Linux users, this doesn't sound like too much of a threat. This doesn't preclude that some "user-friendly" [techrepublic.com] applications muck things up, ofc. Stupid will always find a way, no matter what you do, but that's no different from how things have always been.

      • "and the considerably better average computer literacy among Linux users, this doesn't sound like too much of a threat."

I don't agree. There is a growing base of Linux users who do not know what's going on and are living in some grand illusion that they're safe because it's Linux. I've run into facilities that are running their own Linux servers with no IT specialists, giving root access to plant managers who don't know what they're doing because that's what their "Enterprise" software devs encourage because t

        • by ahodgson ( 74077 )

          Based on the attacks I see daily most exploited Linux machines seem to be at self-hosted VPS outfits like OVH and Linode.

      • by Shinobi ( 19308 )

        You forget the people who install a user friendly distro on the advice of their supposedly tech competent friends or relatives, or have had Linux installed by them. The same people who then come and say "I've given them a default setup, and I no longer get any virus calls, because they have Linux now", in a very arrogant manner.

        And even competent people make mistakes in configuration.

  • Scaremongering much? (Score:5, Interesting)

    by Anonymous Coward on Saturday November 24, 2018 @06:00AM (#57691958)

    Not one shred of information on /how/ the script got on the system in the first place

    I'm calling bullshit on the article.

    With such a critical piece of information missing, it's clearly scaremongering and pretty close to fake news.

• Because the article describes writing to a "folder" and disabling antivirus, it's clear it's not about exploiting a regular distro. My guess is that it's WSL-only, requiring a usual Windows security hole of the hour as the initial vector.

• Nope. It works on standard Linux systems relying on two long-fixed root exploits.
        • by Anonymous Coward

I am still missing the crucial piece of information: how does the script get executed in the first place? Do we assume that the user is silly enough to run a random script s/he downloaded?

          • The malware has the functionality to hijack ssh connections to other systems and execute itself remotely.
            • by PPH ( 736903 )

I get damned suspicious whenever something prompts me for a password on another machine. I don't share authorization keys (allowing password prompt bypass) between any machines other than a few of my own. And the effort needed to infect any of those is equivalent to that needed to infect my local machine.

            • by arth1 ( 260657 )

              The malware has the functionality to hijack ssh connections to other systems and execute itself remotely.

              So you have to have a system that already allows remote root access from other insecure systems, AND someone who invokes that ssh connection from an infected system? That doesn't sound like it will hit very many...
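The precondition arth1 names (a system that already accepts remote root logins from other hosts) is something an administrator can check for, and the check has a trap: sshd uses the first value it finds for a keyword, so a `PermitRootLogin no` appended at the bottom of sshd_config is silently overridden by an earlier line. The script below is an added example, not code from the article or from any commenter; the two configuration files it parses are constructed for the demo, and it reads only the global section (it stops at the first Match block and ignores Include), so it is a triage aid rather than a replacement for `sshd -T`, which prints the effective configuration.

```shell
#!/bin/sh
# Added example, not from the thread or the article: does an sshd
# configuration let a session from another host log in as root?
# sshd takes the FIRST value it meets for a keyword, so this parser mirrors
# that rule. Global section only (stops at the first Match block); Include
# directives are not followed.

# sshd_effective KEYWORD FILE -> prints the first value set for KEYWORD
# (case-insensitive keyword match, comments and blank lines skipped); prints
# nothing if the keyword is never set before a Match block.
sshd_effective() {
  key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  awk -v key="$key" '
    { sub(/#.*/, "") }                     # strip comments
    NF == 0 { next }
    tolower($1) == "match" { exit }        # global section ends here
    tolower($1) == key { print $2; exit }  # first value wins
  ' "$2"
}

# root_login_exposed FILE -> 0 if the config permits root login over ssh.
# "no" and "forced-commands-only" refuse an interactive root shell; "yes",
# "prohibit-password"/"without-password" and an unset keyword (OpenSSH 7.0+
# defaults to prohibit-password) all still allow key-based root login.
root_login_exposed() {
  v=$(sshd_effective PermitRootLogin "$1")
  case "$(printf '%s' "$v" | tr 'A-Z' 'a-z')" in
    no|forced-commands-only) return 1 ;;
    *) return 0 ;;
  esac
}

# report FILE -> prints the effective values and a verdict for FILE
report() {
  printf '== %s\n' "$1"
  v=$(sshd_effective PermitRootLogin "$1")
  printf '  PermitRootLogin: %s\n' "${v:-(unset, default applies)}"
  v=$(sshd_effective PasswordAuthentication "$1")
  printf '  PasswordAuthentication: %s\n' "${v:-(unset, default applies)}"
  if root_login_exposed "$1"; then
    echo '  verdict: root login over ssh is possible'
  else
    echo '  verdict: root login over ssh is refused'
  fi
}

# Constructed sample: the "no" line was appended later by an admin, but sshd
# honours the earlier "yes". Constructed for this example, not a real config.
SAMPLE_CONF=$(mktemp)
HARDENED_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF" "$HARDENED_CONF"' EXIT
cat >"$SAMPLE_CONF" <<'EOF'
# sshd_config (constructed for this example)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no      # appended later; ignored, the first value wins
Match User backup
    PasswordAuthentication no
EOF
cat >"$HARDENED_CONF" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
EOF

report "$SAMPLE_CONF"
report "$HARDENED_CONF"
if [ -r /etc/ssh/sshd_config ]; then report /etc/ssh/sshd_config; fi
```

On a real host, compare the script's reading with `sshd -T | grep -i permitrootlogin`; a difference means an Include file or a Match block is changing the answer.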

    • by Gavagai80 ( 1275204 ) on Saturday November 24, 2018 @08:42AM (#57692198) Homepage

      Every Linux "virus" article I've seen, and there've been a lot of them, has turned out to be about a trojan. Apparently people can't tell the difference anymore. It's a safe bet that this gets on your system by your choosing to download and install a random piece of software you have no reason to trust, instead of sticking to your repositories.

    • by jmccue ( 834797 )

If I had mod points I would waste them on the AC. That is my big question: how did it get there in the first place?

      [ ] running a bitcoin miner

      [ ] Windows subsystem for Linux

[ ] someone downloaded it and said "what the hell, let's go for it"

      [ ] magic

If via Windows then that is interesting; now some Linuxes will get to enjoy the fun and excitement Windows brings us.

    • Not one shred of information on /how/ the script got on the system in the first place

      I'm calling bullshit on the article.

      With such a critical piece of information missing, it's clearly scaremongering and pretty close to fake news.

      A link in TFA leads to the "cure"... Surprise! It's a recommendation to run the antivirus maker's antivirus software!

    • Not one shred of information on /how/ the script got on the system in the first place

Someone downloaded it and executed it. This has been how all of these scripts on all operating systems work. Only Apple can fix this. It's time to take away sudo rights from Linux users.

  • Most Unix like systems are happy without a "root" user as long as there is a user 0 called something.

I still don't agree with the POSIX standard that allows root to write to mode 000 files. If it's 000, it was done for a reason, and that means even root shouldn't be able to screw with it, particularly if it is root:root mode 000.

    • Then how would you grant permissions back to the file if you can't use root to do it?

      • How would you access the file, without modifying the file, for backup operations of a read-only filesystem? This happens enough that I cannot see supporting the change.

    • "I still don't agree with the POSIX standard that allows root to write to mode 000 files."

I probably agree with your rationale. The semantics of 000 are fairly clear, so it seems there's no reason to "overwrite" them just because (especially when a root user could easily change back the file's permissions before editing it).

But then, there is chattr (or chflags) to deal with that case. I think they are not POSIX-compliant, though.
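The two behaviours argued over in this subthread can be demonstrated rather than debated. The script below is an added example, not code from any commenter: it creates a mode 000 file and tries to append to it (refused for every non-root user, allowed for root because the permission bits are discretionary and root bypasses them), then, when it is running as root and the filesystem supports it, sets the immutable attribute with chattr +i and shows that the same write is now refused even for root. The BSD equivalent is chflags schg; neither attribute is part of POSIX. The assumption that root still holds CAP_DAC_OVERRIDE is noted in the code, since some container runtimes drop it.

```shell
#!/bin/sh
# Added example, not from the thread: the behaviour under discussion, run
# rather than argued. Mode 000 stops every ordinary user, including the
# owner, but root holds CAP_DAC_OVERRIDE and the permission bits do not
# apply to it; the immutable attribute (chattr +i on Linux, chflags schg on
# the BSDs, neither in POSIX) is what also refuses root.

# try_write FILE -> 0 if appending one line to FILE succeeds, 1 if refused
try_write() {
  printf 'x\n' >>"$1" 2>/dev/null
}

# caller_is_root -> 0 when running as uid 0 (the case where DAC is bypassed)
caller_is_root() {
  [ "$(id -u)" -eq 0 ]
}

# demo_mode_000 -> 0 if a write to a freshly created mode-000 file succeeds,
# 1 if it is refused, 2 if no temp file could be made. Expected: refused for
# any non-root caller, allowed for root (assuming root keeps
# CAP_DAC_OVERRIDE; some container runtimes drop it).
demo_mode_000() {
  f=$(mktemp) || return 2
  chmod 000 "$f"
  if try_write "$f"; then rc=0; else rc=1; fi
  rm -f "$f"       # unlinking needs directory permission, not file permission
  return $rc
}

# demo_immutable -> 0 if chattr +i made the write fail even for root,
# 1 if the write still succeeded, 2 if the check cannot run here (not root,
# no chattr, or a filesystem without the attribute)
demo_immutable() {
  caller_is_root || return 2
  command -v chattr >/dev/null 2>&1 || return 2
  f=$(mktemp) || return 2
  if ! chattr +i "$f" 2>/dev/null; then rm -f "$f"; return 2; fi
  if try_write "$f"; then rc=1; else rc=0; fi
  chattr -i "$f"   # must be cleared before the file can be removed
  rm -f "$f"
  return $rc
}

if demo_mode_000; then
  echo "mode 000 file: write succeeded (uid $(id -u) bypasses DAC)"
else
  echo "mode 000 file: write refused (uid $(id -u))"
fi
if demo_immutable; then
  echo "immutable file: write refused even for root"
else
  case $? in
    1) echo "immutable file: write still succeeded (unexpected)" ;;
    *) echo "immutable check skipped (needs root, chattr and a supporting filesystem)" ;;
  esac
fi
```

Run it once as an ordinary user and once under sudo to see both outcomes; note that `rm` succeeds in both cases because unlinking is governed by the directory's permissions, not the file's, which is also why `chattr -i` has to come before the cleanup.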

    • by AJWM ( 19027 )

      This is probably a stupid question because I haven't finished my first cup of coffee yet, but why would you want a 000 file? That's just an inode and a chunk of disk space that can't be used for anything.

      Oh. It still has attributes. It can be used for something.
      Never mind.

      • This is probably a stupid question because I haven't finished my first cup of coffee yet, but why would you want a 000 file? That's just an inode and a chunk of disk space that can't be used for anything.

        Oh. It still has attributes. It can be used for something.
        Never mind.

        ---------- 1 root root 0 Oct 15 22:07 this_file_is_inaccessible_but_its_name_means_something

        Yeah, it's stupid. But it's not entirely useless.

  • No antivirus and no root password. I have one machine that's pretty much always idle and another that's a laptop. I would notice the fans kick on if either of those started mining.

    I think I'm good.

  • "Once the trojan has a foothold on the system it uses one of two privilege escalation exploits CVE-2016-5195 (also known as Dirty COW) and CVE-2013-2094 to get root permissions and have full access to the OS."
    Is this really malware that is targeting systems that haven't been patched in two years?
• Still relevant. A lot of nix systems out there have been unpatched for years on end. You can say they deserve it, but there are reasons for them being unpatched. A lot of them are stupid reasons, because the enterprise system they're using discourages updates because it breaks their stuff. I see this crap everywhere.
  • A good precedent is the Morris Worm, the first major worm attack against UNIX systems. Published on Nov. 2, 1988, the worm used known vulnerabilities in popular UNIX tools such as sendmail, and also cracked weak passwords. Defenders effectively _broke_ the early Internet to contain the Morris Worm and while they frantically applied patches they'd considered risks to production systems before that day. Its author was eventually convicted, but Robert Tappan Morris had the best "get out of jail free" card on

  • Remember back when companies in the early 2000s would brag that their software was over a million lines of code, as a testament to some sort of level of complexity? Apparently that threshold has been pushed all the way back to only 1000 lines of code. Honestly, I blame all these copy-paste script kiddies who have never actually written code for thinking that a 1000 line program is "complex" or "large" by any stretch of the imagination.

  • Bring them all on. Linux is rock solid and all I got to say is bring them all on.

• Having to run unsigned binary executables isn't exactly Linux but a bastardisation, huh? It's common now. Run as root too.

• Since when do Linux systems have antivirus as a norm? You could scan some unnecessary executable downloads, but that's it. There is no need for a permanent resource hog sitting there, eating and making you smile at a security illusion. When some bad code has run, the system has to be reinstalled fully. It's already dead inside. So when you install some unknown code, you could as well do that. The greatest security threat is still the promiscuous user.
