Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security Linux

ESET Discovers 21 New Linux Malware Families (zdnet.com) 67

In a report published last week by cyber-security firm ESET, the company detailed 21 "new" Linux malware families. All operate in the same manner, as trojanized versions of the OpenSSH client. From a report: They are developed as second-stage tools to be deployed in more complex "botnet" schemes. Attackers would compromise a Linux system, usually a server, and then replace the legitimate OpenSSH installation with one of the trojanized versions.
This discussion has been archived. No new comments can be posted.

ESET Discovers 21 New Linux Malware Families

Comments Filter:
  • by AlanObject ( 3603453 ) on Monday December 10, 2018 @05:04PM (#57782716)

    Is there anything about this that checking the digital signature of the OpenSSH files wouldn't work? That probably should be done at boot time and then periodically after that.

    • by Anonymous Coward

      Or at least can happen, if you set it up.

      On Linux, you usually have a package manager. Which keeps the checksums/signatures of every file it installed, so it can do its package managing job. It will complain, when you try to uninstall/reinstall the package, and things have changed behind its back. (Unless it’s a configuration/data file, of course.)
      Want a regular check? Just use your package manager's helper tools in a cron script.
      (On Gentoo, you could query /var/db/pkg and compare the info there to th

    • by gweihir ( 88907 )

      That would work. The classical approach to that is "tripwire". Also, just making sure your server is patched and you have good passwords does not let this malware in in the first place. From the article: "Unless Linux owners go out of their way to misconfigure their servers, for convenience's sake, they should be safe from most of these attacks."

  • by Anonymous Coward on Monday December 10, 2018 @05:21PM (#57782774)

    How is it malware, if you have to compromise the server first??

    If you manage to compromise a system, then you can just put anything in there. Duh.

    Was this written by somebody from generation "i" again?

    • by Dunbal ( 464142 ) *
      The evil maid strikes again!
    • I noticed the "first breach the server" hand wave. It reminded me of Monty Python and the Holy Grail: "Well, now, uh, Lancelot, Galahad, and I, uh, wait until nightfall, and then leap out of the rabbit, taking the French, uh, by surprise. Not only by surprise, but totally unarmed!"
    • by gweihir ( 88907 )

      It is malware for the role of "backdoor". As such it does not server to do an initial system compromise, but serves to maintain system access after that. As it does really not have legitimate purposes besides that, it is "malware".

    • by Bert64 ( 520050 )

      It's malware, but more commonly described as "a rootkit"...

      Traditional malware gets itself executed by someone who isn't aware what they're executing, a rootkit is intentionally installed by someone who has already obtained privileged access.

  • Article Summary (Score:5, Insightful)

    by BringsApples ( 3418089 ) on Monday December 10, 2018 @05:38PM (#57782870)
    Last sentence in the article:

    Unless Linux owners go out of their way to misconfigure their servers, for convenience's sake, they should be safe from most of these attacks.

    • by gweihir ( 88907 )

      And that is just it. Linux allows people to shoot themselves in the foot as much as they like. It even makes it easy. But unless you actually do it, you are pretty secure. And in addition, sometimes insecure configurations can have a legitimate purpose, hence they are allowed.

  • This is OpenSSH, not Linux. There can be millions of trojanized programs out there. These "security researchers" get more and more idiotic every year.
    • Could go the Windows route and deem certain files critical to the system (ie - only trusted publishers are allowed to update the OS files), but then you'd have to have a list of publishers (based on certs) allowed to update the system. I don't think it's an entirely bad idea.

      • Re:Stupid (Score:5, Informative)

        by whoever57 ( 658626 ) on Monday December 10, 2018 @07:00PM (#57783306) Journal

        Could go the Windows route and deem certain files critical to the system (ie - only trusted publishers are allowed to update the OS files), but then you'd have to have a list of publishers (based on certs) allowed to update the system. I don't think it's an entirely bad idea.

        Furthermore, you could require that the binaries are delivered in collections called "packages" and have the system require a valid signature and only recognize some signatures. Then you could have a distributed system for providing downloads of the signed packages. As long as the signature is valid, it doesn't matter what the source is.

        Oh, wait, every major Linux distribution has done this since almost forever, probably before Windows installers were signed.

        • SLS was doing this in 1992, Slackware had a better system in 1993, and both Debian and RedHat came out with decent package managers that used PGP/gpg signatures in 1994.

          Modern packaging systems do remember the hash of the files. A "rpm -Va" can easily point out changed binaries, and there are dedicated utilities like Tripwire and AIDE which do better.

        • Linux doesn't really support on boot hardware crypto does it? All my Linux admins always tell me to turn that stuff off before they install anything :(.

          But your right - this whole virus scare is as silly as that whitepaper on how to exploit wsus - which was posted on slashdot as well - and step 1 was turn off ssl... (which by default is on).

    • Comment removed based on user account deletion
    • by gweihir ( 88907 )

      There are good security researchers out there. These just only rarely get the spotlight because the morons (like the ones here) make everything sound sensational and the press just loves that. The story does not seem to have any content beyond "there are trojaned OpenSSH versions around". Nobody with an actual clue about security cares as that is not a surprise at all.

  • Just add water!
  • by Anonymous Coward

    This is another example of how Slashdot hires fifth grade senior editors. OpenSSH is not part of the Linux kernel, so that calling it Linux malware is a misnomer. OpenSSH was developed by a private company in Helsinki, Finland. Let's just say that it is a fork of an old version of their product, and that it runs in user space. It is bundled with GNU/Linux distributions, as well as with Microsoft Windows.

  • compared to the more widely used Windows

    Actually Linux is more widely used overall, windows is only ahead of linux on desktops/laptops. Total worldwide instances of the linux kernel are likely to massively outnumber windows.

If you have a procedure with 10 parameters, you probably missed some.

Working...