Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security Windows Linux

New Linux/Windows Malware Allows Arbitrary Execution of Shell Commands (bleepingcomputer.com) 80

"Researchers have discovered a new multi-platform backdoor that infects Windows and Linux systems allowing the attackers to run malicious code and binaries on the compromised machines," reports Bleeping Computer: The malware dubbed ACBackdoor is developed by a threat group with experience in developing malicious tools for the Linux platform based on the higher complexity of the Linux variant as Intezer security researcher Ignacio Sanmillan found. "ACBackdoor provides arbitrary execution of shell commands, arbitrary binary execution, persistence, and update capabilities," the Intezer researcher found.

Both variants share the same command and control (C2) server but the infection vectors they use to infect their victims are different: the Windows version is being pushed through malvertising with the help of the Fallout Exploit Kit while the Linux payload is dropped via a yet unknown delivery system... Besides infecting victims via an unknown vector, the Linux malicious binary is detected by only one of the anti-malware scanning engines on VirusTotal at the time this article was published, while the Windows one is detected by 37 out of 70 engines. The Linux binary is also more complex and has extra malicious capabilities, although it shares a similar control flow and logic with the Windows version...

ACBackdoor can receive the info, run, execute, and update commands from the C2 server, allowing its operators to run shell commands, to execute a binary, and to update the malware on the infected system.

The article warns that the Linux version will disguise itself as the Ubuntu UpdateNotifier utility, renaming its process as the Linux kernel thread [kworker/u8:7-ev].
This discussion has been archived. No new comments can be posted.

New Linux/Windows Malware Allows Arbitrary Execution of Shell Commands

Comments Filter:
  • by mi ( 197448 ) <slashdot-2017q4@virtual-estates.net> on Saturday November 23, 2019 @01:41PM (#59446316) Homepage Journal

    the Linux payload is dropped via a yet unknown delivery system

    If it is not yet known, maybe, ringing the alarm of "arbitrary execution of shell commands" is a bit premature, eh?

    Because, after all, sshd, rlogind, and telnetd have all been allowing just that for decades too...

    • by Zero__Kelvin ( 151819 ) on Saturday November 23, 2019 @01:48PM (#59446338) Homepage
      Exactly. What they really mean is that they have some code that can be installed by someone who already has root access to the system and the code has no way of infecting Linux. In other news there is some Linux malware called 'rm- which can be used to destroy Linux systems if someone has root access, and someone surreptitiously added it to the core of the system decades ago! DOH!
      • Why are you making an assumption about what they mean? Unless you wrote the code, you don't know how it gets on Linux machines.
    • Juust great.

    • by ufgrat ( 6245202 )
      Has anyone actually *seen* this malware on a linux system outside the security blogger's lab?
    • by gweihir ( 88907 )

      Indeed. No attack capabilities against Linux. Pure FUD.

  • So, how does it get into a Linux system? TFA doesn't know.

    • by gweihir ( 88907 )

      This one does not get into Linux. It may at some time have been part of a root-kit for Linux, but it cannot attack Linux systems. TFA says it only has attack-capabilities against Windows.

  • Adblock Plus (Score:5, Interesting)

    by Brain-Fu ( 1274756 ) on Saturday November 23, 2019 @01:47PM (#59446330) Homepage Journal

    The windows version is deployed by ads. That would suggest that those running ad blockers are safe, or at least safer.

    I think of examples like these every time I hit a site that tires to guilt me into turning off Adblock. They act as if I am some kind of greedy freeloader, but their spin on the situation neglects to consider the fact that they are asking me to put myself in danger. The answer is "no."

    Adblock Plus will allow non-dangerous ads through. If the industry would be content with safe ads, there wouldn't be any issue at all. But they insist on obnoxious ads that require far too much functionality to be safe. And this recklessness gives rise to attacks like these. This is *the* reason that I don't feel any guilt about keeping ads blocked.

    • Re:Adblock Plus (Score:5, Interesting)

      by sjames ( 1099 ) on Saturday November 23, 2019 @02:41PM (#59446456) Homepage Journal

      This exactly! I notice on the various beg screens they try to guilt me into disabling ad blocking to help them pay for the site, but nowhere in there is any indication that they give the ads even a cursory screening for malware. That would be because they don't do such a screening and are unwilling to take any level of responsibility for the ads they are begging me to allow. They might as well beg me to please leave my car unlocked in un-guarded public parking with the sign disclaiming any responsibility for theft.

      Notably, if they would just serve the ads from their own site, they would display, but that would make them responsible for any problems, so they won't do that.

      • If they have an actually valuable service, they can demand money upfront.

        If they don't then there is no justification to give them my actually valuable money or time and brain power.

        If they merely give me copies of some information, that they worked for once, to create, then in return, they too will have to accept mere copies of what I worked for once, to create.
        (How about a nice $100 bill, put on the color copier, with a large "SPECIMEN" stamp added as DRM? They can also have copies of that song I made, at

    • Re:Adblock Plus (Score:5, Informative)

      by JustAnotherOldGuy ( 4145623 ) on Saturday November 23, 2019 @03:45PM (#59446540) Journal

      The windows version is deployed by ads. That would suggest that those running ad blockers are safe, or at least safer.

      This is really the main reason I run Adblock and Noscript- it's not the ads themselves (which are annoying) but the potentially malicious payloads that they'recapable of delivering.

      I don't understand why more people don't run ad blockers and stuff like Noscript.

      I mean, given the choice, why in the world would I give a million different bits of code (ads) the chance to run on my computer when I can avoid it? What possible benefit is there for me to allow ads to run?

      • Noscript can be a nuisance. On some sites I've had to reload a page 4 or more times, each time enabling more sites, just to get basic functionality or all relevant images. I'm willing to do it, but it's easy to understand why many people wouldn't.
        • Noscript can be a nuisance. On some sites I've had to reload a page 4 or more times, each time enabling more sites, just to get basic functionality or all relevant images.

          I agree 100%, it can be a pain to "turn on" one site after another until the page loads, but it's worth it to me. It's kind of depressing to see how so many sites are dependent on gobs of remotely-loaded shit from who knows where.

          I used Noscript and Adblock on Win7 for a decade without getting infected (as far as I know), and I'm still using them now after switching to Linux. They're two critical plugins in my opinion.

    • Adblock Plus became a no-go, ever since they selectively let ads through when they were paid for it.

      uBlock has a horribly obfuscated interface though. #ThanksMozilla!

      • by Megane ( 129182 )
        You can turn off the ABP whitelist. In fact, I turn off all their lists and only use my own rules, which include entire sites or sub-paths, and also .js files. I'm also not just blocking ads, I block auto-play video whenever I can, and sometimes even those stupid "share" links. If an ad does slip through, I stop what I'm doing, go to the blockable items list, and block anything obviously suspicious.
  • Did you have a look at the dropper in the debugger/disassembler, or didn't you?

    If you did, the point where it starts to act like "I'm in" should be clearly visible. I'm assuming, given your job, you can handle obfuscation techniques?

    Or is it written in only MOV instructions? ;)

    • by sjames ( 1099 ) on Saturday November 23, 2019 @02:46PM (#59446468) Homepage Journal

      Apparently they didn't find a dropper for Linux in the exploit kit, just some string remnants that indicate that the RAT itself targeted Linux at some point.

    • by Anonymous Coward

      There is no reason for a dropper and the malware being dropped to be the same executable.
      This is actually what we mean by "dropper", a program that "drop" a second different program.
      Since the remote execution tool was found, the dropper that put it there was done with its one task in life, and no longer needed to remain on the system.

      In fact remaining on the system can be a bad thing from the malware point of view. That would leave traces behind that will lead to an infection vector, which tends to prompt

      • ... given that they declared its capabilities.

        In my book, they may very well not have a dropper at all, and just wish they had one. Or use a different pre-existing one. Or the coder is some kind of admin for others and puts it on there by hand, to bootstrap his botnet.
        Fact is: We don't know.
        So declaring what it can do in the headlines, is silly and unprofessional.

  • by engineer37 ( 6205042 ) on Saturday November 23, 2019 @01:54PM (#59446360)
    Any sufficiently complex program has security vulnerabilities, and Linux is no exception. Even the best designs have unforeseen bugs and problems.
  • by 140Mandak262Jamuna ( 970587 ) on Saturday November 23, 2019 @02:10PM (#59446398) Journal
    The attack vector in linux for this malware is based on the Open Source honor system.

    It is simply an email with a tar file attachment. The email says, "You have been infected with an Open Source virus. Please untar the attachment and execute the binary. And forward this email to all in your .mailrc. Thank you"

    • by williamyf ( 227051 ) on Saturday November 23, 2019 @02:16PM (#59446414)

      The attack vector in linux for this malware is based on the Open Source honor system.

      It is simply an email with a tar file attachment. The email says, "You have been infected with an Open Source virus. Please untar the attachment and execute the binary. And forward this email to all in your .mailrc. Thank you"

      That's not the OpenSource Honor system Virus. Is a very old virus called:

      The Polish Virus, for USoA-sians.
      El Virus Gallego, para nosotros en LatAm.
      El Virus de Lepe, para los Españoles.
      Le Virus Belge, pour les Fran'cophones.
      The Austrian Virus, for the Gramn Speakers.
      or
      the Burgenl"ander Virus, for those in austria...

      • Also called the Portuguese Virus (Virus portugues) for Brazilians, and the Brazilian Virus for those in Portugal.

      • by hawk ( 1151 )

        The honor virus predates coining the term "OpenSource".

        The earliest version I saw didn't even have the tarball. It simply stated that it was an honor based virus, and that you were obligated to delete some number of random files and send it to some number more people.

  • firefox (Score:3, Interesting)

    by Ruede ( 824831 ) on Saturday November 23, 2019 @02:21PM (#59446420)

    apparmor alerted me about unusual input/mice access from firefox...

  • This is why I never run "do-release-upgrade" when a new version of Linux comes out. I make backups of /etc and /root, burn a DVD, boot it, and install onto a freshly formatted root partition. My /home partition survives but all my executables are on the root partition and must by rebuilt from source code after each upgrade.

    • When confronted with such upgrades, I tend to make a complete backup image of _everything_. I used to switch the jumpers to "read-only" on the backup drive, but those are not available with most modern hard drives or USB drives.

      • It will be some time before the first software-controlled telekinesis in a computer virus emerges.

        (Which is technically not impossible, as long as you have any directable EM radiation source with enough energy. Even if you have to alter the matter in the wrong direction to give you a source in the right direction.)

    • by ufgrat ( 6245202 )
      Well, that certainly won't protect you from a vulnerability in a system daemon that allows root access via an exploit.

      Tell me, do you reformat your system every time a security update comes out?
  • New Linux/Windows Malware Allows Arbitrary Execution of Shell Commands

    ... when I let my niece use my computer. Not sure which one of us is the malware...

  • from the article: the Linux malicious binary is detected by only one of the anti-malware scanning engines on VirusTotal at the time this article was published Does anyone know what anti-malware this is?
  • by gweihir ( 88907 ) on Saturday November 23, 2019 @10:19PM (#59447456)

    The article says that this malware has attack vectors only for windows. It does say that there are some file-paths in it that indicate it may run on Linux as well, but if it cannot get in, how is that relevant?

    So, no, this is Windows malware, not Linux malware at this time.

When you are working hard, get up and retch every so often.

Working...