New Linux/Windows Malware Allows Arbitrary Execution of Shell Commands

"Researchers have discovered a new multi-platform backdoor that infects Windows and Linux systems allowing the attackers to run malicious code and binaries on the compromised machines," reports Bleeping Computer: The malware dubbed ACBackdoor is developed by a threat group with experience in developing malicious tools for the Linux platform based on the higher complexity of the Linux variant as Intezer security researcher Ignacio Sanmillan found. "ACBackdoor provides arbitrary execution of shell commands, arbitrary binary execution, persistence, and update capabilities," the Intezer researcher found.

Both variants share the same command and control (C2) server but the infection vectors they use to infect their victims are different: the Windows version is being pushed through malvertising with the help of the Fallout Exploit Kit while the Linux payload is dropped via a yet unknown delivery system... Besides infecting victims via an unknown vector, the Linux malicious binary is detected by only one of the anti-malware scanning engines on VirusTotal at the time this article was published, while the Windows one is detected by 37 out of 70 engines. The Linux binary is also more complex and has extra malicious capabilities, although it shares a similar control flow and logic with the Windows version...

ACBackdoor can receive the info, run, execute, and update commands from the C2 server, allowing its operators to run shell commands, to execute a binary, and to update the malware on the infected system.
The article warns that the Linux version will disguise itself as the Ubuntu UpdateNotifier utility, renaming its process as the Linux kernel thread [kworker/u8:7-ev].

"Yet unknown", is it?

[mi]

the Linux payload is dropped via a yet unknown delivery system

If it is not yet known, maybe, ringing the alarm of "arbitrary execution of shell commands" is a bit premature, eh?

Because, after all, sshd, rlogind, and telnetd have all been allowing just that for decades too...

Re:"Yet unknown", is it?

[Zero__Kelvin]

Exactly. What they really mean is that they have some code that can be installed by someone who already has root access to the system and the code has no way of infecting Linux. In other news there is some Linux malware called 'rm- which can be used to destroy Linux systems if someone has root access, and someone surreptitiously added it to the core of the system decades ago! DOH!

Re:

[jmccue]

Linux has never been hacked and is bug free and has never had a remote exploit in any standard install. So, once malicious outsider breaks...

Well there are two Linuxes, the Linux run by people who know what they are doing and the "Linux" run by people who want to show others they are "leet". That "Linux" is rushing straight to Windows land, while the Linux I and many others here run has not been remotely cracked because those Linuxes force you to learn

Re: "Yet unknown", is it?

[Immerman]

>Well there are two Linuxes

Three. You forgot the Linux run by people who just want a reliable computer for internet and basic tasks, and are sick of dealing with Windows. They don't know what they're doing, they're not "leet", They just had a friend or relative turn them on to this free software that makes their PC as stable and reliable as a Mac, and probably as fast as it was when it was new. In recent years I think I've actually met more people in that category than I have "competent" Linux users.

Re:

[TeknoHog]

There are 10 Linuxes. The install base is a base, right?

Re:

[Zero__Kelvin]

There is a huge difference between hacking a specific Linux system and writing malware that can hack them in bulk due to the extreme heterogeneity of the Linux install base ... a fact which you would understand if you were anywhere near qualified enough to interject in a way that didn't expose you as the moron you are, as is your wont.

Re:

[Zero__Kelvin]

Learn to shut your ignorant mouth. There is no "standard install". You contradicted yourself already naming 3 platforms, failing to take into account distribution versions, kernel versions, and configuration options.

" Would you care to try again, my incompetent nerd friend?"

I'm well aware of how stupid you are as well as your inability to learn anything new or realize how idiotic you make it clear you are every time you post. I'm not really trying to teach a pig to sing. It's just fun to watch you keep piss

Re:

[Zero__Kelvin]

Great. Show us the successful malware you claim is so easy to create. You'll have no trouble coming up with thousands of examples because your argument totally makes sense, right? What a fucking retard you are.

Re: "Yet unknown", is it?

[Way Smarter Than You]

Hi nerdlong friend! Please cite where I said it was easy. Thanks for playing! Would you care to try again? Did mommy not pet your head?

Re:

[Zero__Kelvin]

I think the funniest thing is that you don't realize you suck at trolling.

Re: "Yet unknown", is it?

[Way Smarter Than You]

If I'm trolling, which I'm not, I must be really good at it because you're so triggered you don't even bother referencing the original thread. You just talk about your obsession with my penis. Ask yermom about that if you really want to know. Oh and yeah you're still wrong.

Re:

[Zero__Kelvin]

You couldn't trigger an alarm running out of the mall with stolen goods. ROTFLMAO

Re: "Yet unknown", is it?

[Way Smarter Than You]

And I quote you here being triggered, "It's just fun to watch you keep pissing on yourself with your tiny impotent dick". You try so hard. Is that really your picture with the bad tie on your profile? You look like the kind of guy who really does still live with his mom. And gets triggered on silly message boards like /. when he gets corrected for his technical incompetence and poor reading comprehension skills.

Re:

[Zero__Kelvin]

Imagine my surprise that you don't understand metaphor. LOL

Re: "Yet unknown", is it?

[Way Smarter Than You]

lol, soooo cute, you're like the teacher's pet glowing with pride in English class who gets a wedgy after class! And all this because you couldn't read or understand my original post and got called out on your inability to read. You're the type I come here for. I love nerds.

Re:

[Zero__Kelvin]

Yeah ... I figured your playground behaviour was routed in your frustration knowing you'll never be able to get with the real men.

Re: "Yet unknown", is it?

[Way Smarter Than You]

Oh come on, at last google for some insults. Tiny dick? Real men? You're not even trying. Oh wait... you -are- trying! Love you, nerd!!

Re:

[Zero__Kelvin]

I don't have to try. You do all the work yourself already.

Re: "Yet unknown", is it?

[Way Smarter Than You]

This is a pattern with incompetent ocd nerds like you. Say dumb thing. Get called dumb. Deny. Get proven dumb. Get triggered. Get called out on being triggered. Deny. Try to be snarky. Fail. Keep trying. Keep failing. Repeat last two steps endlessly smugly delusional that ocd nerd is somehow "winning" something. And no one but ocd nerd cared. I am amused, however. It is the internet. You can not win. But I can laugh. At you. A lot.

Re:

[Zero__Kelvin]

You clearly learned your skills from Trump. Accuse everyone else of all the stupidity you exhibit and mistakenly believe anyone else but you believes your own bullshit. LOL.

Re: "Yet unknown", is it?

[Way Smarter Than You]

You clearly have no idea what my politics are although I've posted them several times despite your false claims to know who I am. Instead, apparently being a Trump hater, you have decided I must be pro-Trump and therefore an idiot. You're so useless. Not only an incompetent ocd nerd but a useless stupid brainwashed ocd nerd. Say hi to yermom for me. And the. You all caps lol at your own idiocy. Gnite, nerd. I'll catch up with whatever new nerdness you post during my night hours. I look forward to m

Re:

[Zero__Kelvin]

I never said anything about politics dipshit. How fucking stupid are you? Your IQ has to be a record low.

Re: "Yet unknown", is it?

[Way Smarter Than You]

Oh, I simply must know before I go to bed. That tie, those glasses, that male pattern baldness haircut, when did they move your desk to the basement? Did they take your stapler? How's the pencil sharpening project going?

Re:

[Zero__Kelvin]

Obsessed much? You think I would use my own picture? Yep ... you is one stupid motherfucker.

Re: "Yet unknown", is it?

[Way Smarter Than You]

Lol, I love waking up to quality humor! You mention Trump but uh "not in a political way" and that -is- your picture, confirmed! Hi mom! You're so far out on the crazy triggered spectrum I almost feel bad for you. Almost. But then I remember how hilariously you take yourself so seriously, how proud you are to have been teacher's pet in grade school, and your pencil sharpener. And I laugh. At you.

Re:

[Zero__Kelvin]

OK Chumlee ... keep trying to convince people you aren't a triggered obsessed little bitch whose Slashdot username doesn't increase in irony every time you post! LOL

Re: "Yet unknown", is it?

[Way Smarter Than You]

What people? You think anyone else is reading this? Putting LOL in all caps (twice now) doesn't score you points. Nor does calling me triggered when you've been triggered since I first pointed out while everyone was still reading this how incompetent and stupid you are. You're what, some low level closet dwelling IT nerd who lusts for the front desk girl? Was Code Monkey written about you? What was your diagnosis? I saw you're going all Spectrum Boy on other people on the Tesla truck thread. You jus

Re:

[Zero__Kelvin]

LOL

Re: "Yet unknown", is it?

[Way Smarter Than You]

Poor spectrum boy. Nice pic.

Re:

[Zero__Kelvin]

You went from dogshit stupid to dogshit stupid and boring. Nice job!

Re: "Yet unknown", is it?

[Way Smarter Than You]

I went from publicly calling out your incompetence which you have yet to dispute to determining you're an ocd spectrum triggered nerdling. Rock on! You voting for Trump again?

Re:

[guruevi]

Even Windows has more than 3 platforms these days between various flavors (Home, Pro, Enterprise, European, Education, Server, DataCenter), various chipsets (x86, x86-64 and ARM) and various supported versions (7, 2012, 2016, 10, 2018) yet malware infects all of them at once all the time.

If you can find a bug in the Linux kernel, you can infect multiple platforms. If you find a bug in one of the software or libraries (Apache, MySQL, Cassandra, OpenSSL, OpenSSH...), you can infect multiple platforms.

Re:

[Zero__Kelvin]

You can't compare Windows and Linux. Windows is a proprietary OS based on code that has always been proprietary and the development model is antiquated. They also have only the people who can't develop quality code working for them. All the real talent works on quality code and would never touch the pile of dogshit that is Windows.

Chipsets have nothing to do with it since all Windows platforms that matter run x86, and the Linux kernel has over a 1000 config options at build time for each given kernel ver

Re: "Yet unknown", is it?

[link-error]

Or, just hack systemd.

Re:

[DaveV1.0]

Why are you making an assumption about what they mean? Unless you wrote the code, you don't know how it gets on Linux machines.

Re:

[Zero__Kelvin]

You must have missed the part where the fact that nobody knows how it gets on Linux machines [wordpress.com], or even if it gets on Linux machines, is the whole point.

Copies my comment, gets +2...

[BAReFO0t]

Juust great.

Re:

[ufgrat]

Has anyone actually *seen* this malware on a linux system outside the security blogger's lab?

Re:

[gweihir]

Indeed. No attack capabilities against Linux. Pure FUD.

Knock, knock, let me in...?

[mspohr]

So, how does it get into a Linux system? TFA doesn't know.

Re:

[gweihir]

This one does not get into Linux. It may at some time have been part of a root-kit for Linux, but it cannot attack Linux systems. TFA says it only has attack-capabilities against Windows.

Adblock Plus

[Brain-Fu]

The windows version is deployed by ads. That would suggest that those running ad blockers are safe, or at least safer.

I think of examples like these every time I hit a site that tires to guilt me into turning off Adblock. They act as if I am some kind of greedy freeloader, but their spin on the situation neglects to consider the fact that they are asking me to put myself in danger. The answer is "no."

Adblock Plus will allow non-dangerous ads through. If the industry would be content with safe ads, there wouldn't be any issue at all. But they insist on obnoxious ads that require far too much functionality to be safe. And this recklessness gives rise to attacks like these. This is *the* reason that I don't feel any guilt about keeping ads blocked.

Re:Adblock Plus

[sjames]

This exactly! I notice on the various beg screens they try to guilt me into disabling ad blocking to help them pay for the site, but nowhere in there is any indication that they give the ads even a cursory screening for malware. That would be because they don't do such a screening and are unwilling to take any level of responsibility for the ads they are begging me to allow. They might as well beg me to please leave my car unlocked in un-guarded public parking with the sign disclaiming any responsibility for theft.

Notably, if they would just serve the ads from their own site, they would display, but that would make them responsible for any problems, so they won't do that.

Also, their shitty business model is not your prob

[BAReFO0t]

If they have an actually valuable service, they can demand money upfront.

If they don't then there is no justification to give them my actually valuable money or time and brain power.

If they merely give me copies of some information, that they worked for once, to create, then in return, they too will have to accept mere copies of what I worked for once, to create.
(How about a nice $100 bill, put on the color copier, with a large "SPECIMEN" stamp added as DRM? They can also have copies of that song I made, at

Re:Adblock Plus

[JustAnotherOldGuy]

The windows version is deployed by ads. That would suggest that those running ad blockers are safe, or at least safer.

This is really the main reason I run Adblock and Noscript- it's not the ads themselves (which are annoying) but the potentially malicious payloads that they'recapable of delivering.

I don't understand why more people don't run ad blockers and stuff like Noscript.

I mean, given the choice, why in the world would I give a million different bits of code (ads) the chance to run on my computer when I can avoid it? What possible benefit is there for me to allow ads to run?

Re:

[ChrisMaple]

Noscript can be a nuisance. On some sites I've had to reload a page 4 or more times, each time enabling more sites, just to get basic functionality or all relevant images. I'm willing to do it, but it's easy to understand why many people wouldn't.

Re:

[JustAnotherOldGuy]

Noscript can be a nuisance. On some sites I've had to reload a page 4 or more times, each time enabling more sites, just to get basic functionality or all relevant images.

I agree 100%, it can be a pain to "turn on" one site after another until the page loads, but it's worth it to me. It's kind of depressing to see how so many sites are dependent on gobs of remotely-loaded shit from who knows where.

I used Noscript and Adblock on Win7 for a decade without getting infected (as far as I know), and I'm still using them now after switching to Linux. They're two critical plugins in my opinion.

uBlock Origin though ...

[BAReFO0t]

Adblock Plus became a no-go, ever since they selectively let ads through when they were paid for it.

uBlock has a horribly obfuscated interface though. #ThanksMozilla!

Re:

[Megane]

You can turn off the ABP whitelist. In fact, I turn off all their lists and only use my own rules, which include entire sites or sub-paths, and also .js files. I'm also not just blocking ads, I block auto-play video whenever I can, and sometimes even those stupid "share" links. If an ad does slip through, I stop what I'm doing, go to the blockable items list, and block anything obviously suspicious.

What do you mean "unknown"?

[BAReFO0t]

Did you have a look at the dropper in the debugger/disassembler, or didn't you?

If you did, the point where it starts to act like "I'm in" should be clearly visible. I'm assuming, given your job, you can handle obfuscation techniques?

Or is it written in only MOV instructions? ;)

Re:What do you mean "unknown"?

[sjames]

Apparently they didn't find a dropper for Linux in the exploit kit, just some string remnants that indicate that the RAT itself targeted Linux at some point.

Re:

[Anonymous Coward]

There is no reason for a dropper and the malware being dropped to be the same executable.
This is actually what we mean by "dropper", a program that "drop" a second different program.
Since the remote execution tool was found, the dropper that put it there was done with its one task in life, and no longer needed to remain on the system.

In fact remaining on the system can be a bad thing from the malware point of view. That would leave traces behind that will lead to an infection vector, which tends to prompt

Well, I implied they found the dropper...

[BAReFO0t]

... given that they declared its capabilities.

In my book, they may very well not have a dropper at all, and just wish they had one. Or use a different pre-existing one. Or the coder is some kind of admin for others and puts it on there by hand, to bootstrap his botnet.
Fact is: We don't know.
So declaring what it can do in the headlines, is silly and unprofessional.

Linux has security holes like any other program.

[engineer37]

Any sufficiently complex program has security vulnerabilities, and Linux is no exception. Even the best designs have unforeseen bugs and problems.

Re:

[fbobraga]

from https://linux.slashdot.org/com... [slashdot.org] :

So, how does it get into a Linux system? TFA doesn't know.

The "Linux" in title seems just FUD...

Re:

[gweihir]

You may have missed that this "Linux malware" is not capable of attacking Linux....

Breaking News! Linux Attack vector discovered.

[140Mandak262Jamuna]

The attack vector in linux for this malware is based on the Open Source honor system.

It is simply an email with a tar file attachment. The email says, "You have been infected with an Open Source virus. Please untar the attachment and execute the binary. And forward this email to all in your .mailrc. Thank you"

Re:Breaking News! Linux Attack vector discovered.

[williamyf]

The attack vector in linux for this malware is based on the Open Source honor system.

It is simply an email with a tar file attachment. The email says, "You have been infected with an Open Source virus. Please untar the attachment and execute the binary. And forward this email to all in your .mailrc. Thank you"

That's not the OpenSource Honor system Virus. Is a very old virus called:

The Polish Virus, for USoA-sians.
El Virus Gallego, para nosotros en LatAm.
El Virus de Lepe, para los Españoles.
Le Virus Belge, pour les Fran'cophones.
The Austrian Virus, for the Gramn Speakers.
or
the Burgenl"ander Virus, for those in austria...

Re:

[menkhaura]

Also called the Portuguese Virus (Virus portugues) for Brazilians, and the Brazilian Virus for those in Portugal.

Re:

[hawk]

The honor virus predates coining the term "OpenSource".

The earliest version I saw didn't even have the tarball. It simply stated that it was an honor based virus, and that you were obligated to delete some number of random files and send it to some number more people.

Re:

[140Mandak262Jamuna]

Are boomers allowed to say, "OK Boomer"? (Asking for a friend )

Re:

[hawk]

what now, snowflake? :)

firefox

[Ruede]

apparmor alerted me about unusual input/mice access from firefox...

Shall we unpack the party horns?

[BAReFO0t]

AppArmor did something useful?!
Mark the calendar! Let's celebrate this unique event!

Easy way to keep Linux clean

[Sex Tourist]

This is why I never run "do-release-upgrade" when a new version of Linux comes out. I make backups of /etc and /root, burn a DVD, boot it, and install onto a freshly formatted root partition. My /home partition survives but all my executables are on the root partition and must by rebuilt from source code after each upgrade.

I guess you wanted to say:

[BAReFO0t]

"Do you want fries with that?"

Re:

[Antique Geekmeister]

When confronted with such upgrades, I tend to make a complete backup image of _everything_. I used to switch the jumpers to "read-only" on the backup drive, but those are not available with most modern hard drives or USB drives.

You can simply unplug the drive.

[BAReFO0t]

It will be some time before the first software-controlled telekinesis in a computer virus emerges.

(Which is technically not impossible, as long as you have any directable EM radiation source with enough energy. Even if you have to alter the matter in the wrong direction to give you a source in the right direction.)

Re:

[ufgrat]

Well, that certainly won't protect you from a vulnerability in a system daemon that allows root access via an exploit.

Tell me, do you reformat your system every time a security update comes out?

Sounds like ...

[fahrbot-bot]

New Linux/Windows Malware Allows Arbitrary Execution of Shell Commands

... when I let my niece use my computer. Not sure which one of us is the malware...

which anti-malware

[mnt_grrrl]

from the article: the Linux malicious binary is detected by only one of the anti-malware scanning engines on VirusTotal at the time this article was published Does anyone know what anti-malware this is?

Linux? You don't say....

[gweihir]

The article says that this malware has attack vectors only for windows. It does say that there are some file-paths in it that indicate it may run on Linux as well, but if it cannot get in, how is that relevant?

So, no, this is Windows malware, not Linux malware at this time.