New Malware Found Lurking In 64-Bit Linux Installs (zdnet.com)
syn3rg shares a report from ZDNet: A Linux backdoor recently discovered by researchers has avoided VirusTotal detection since 2018. Dubbed RotaJakiro, the Linux malware has been described by the Qihoo 360 Netlab team as a backdoor targeting Linux 64-bit systems. RotaJakiro was first detected on March 25 when a Netlab distributed denial-of-service (DDoS) botnet C2 command tracking system, BotMon, flagged a suspicious file.
At the time of discovery, there were no malware detections on VirusTotal for the file, despite four samples having been uploaded -- two in 2018, one in 2020, and another in 2021. Netlab researchers say the Linux malware changes its use of encryption to fly under the radar, including ZLIB compression and combinations of AES, XOR, and key rotation during its activities, such as the obfuscation of command-and-control (C2) server communication. At present, the team says that they do not know the malware's "true purpose" beyond a focus on compromising Linux systems.
There are 12 functions in total including exfiltrating and stealing data, file and plugin management -- including query/download/delete -- and reporting device information. However, the team cites a "lack of visibility" into the plugins that is preventing a more thorough examination of the malware's overall capabilities. In addition, RotaJakiro will treat root and non-root users on compromised systems differently and will change its persistence methods depending on which accounts exist.
Detection? (Score:5, Informative)
It'd be nice if they provided some hints as toward detection:
ps aux | grep gvfsd-helper
Seems they named it similarly to a common set of programs.
Re: (Score:1, Redundant)
Why would they want to do that? You won't be as likely to panic and buy their "virus scanner" if you can more easily kill and remove the malware.
BTW, disguising malware as common program names is an OLD trick. I worked at a large hosting provider about a decade ago and I found two to six trojans per day masquerading as things we never installed on our servers, or system utilities running from non-system directories.
Re: (Score:2)
encryption to fly under the radar, including ZLIB compression and combinations of AES, XOR, and key rotation during its activities
If it's doing all that, having a few copies of it around on the system can't be that hard. Cut a limb and it grows back.
Re: Detection? (Score:2)
Polymorphic viruses also are *ancient*.
Using full AES and such for that almost feels silly, because back then, that would get the virus caught quickly due to its high resource usage.
I wonder when the first gigabyte-sized malware will emerge...
Re: Detection? (Score:4, Insightful)
You don't need them, period.
You think the virus author will just ignore this news?
No. You can probably count the time until he released an updated version that isn't detected by anything mentioned here in hours.
A skilled virus writer usually already has an improved version lying around.
Malware detection software by definition only detects abandonware, and never the malware that the author still actively cares about. It is security theater, and its only job is to keep the malware author on his toes and take out his trash.
Proper malware prevention is done by fixing bugs and learning from the lessons of those who came before us. Plus behavior-based, rule-based access control as a kind of security unit testing / API firewall.
And there never is a 100% guarantee. Not for Linux either.
That doesn't mean you need any malware "detection" software.
Re: (Score:2)
Never heard of systemd?
Re: (Score:2, Informative)
pgrep somecrap
Or pgrep or "[something]" (Score:5, Informative)
The pgrep command is specifically for this purpose.
It replaces ps, grep, grep -v and is more reliable.
Alternatively:
ps aux | grep "[s]omething"
The brackets make it not match itself.
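The lookups proposed in this thread (the `ps aux | grep gvfsd-helper` check above, the "[s]omething" bracket trick, and `pgrep`) side by side, as an added example that is not code from any commenter. It also walks /proc directly, which needs no procps, and compares a process's advertised name with the binary it is actually running, which is the check for the "system utility running from a non-system directory" case mentioned earlier. A symlink to `sleep` under a temporary directory with a random made-up name stands in for a disguised process; the token format, the temporary directory and the decoy are all assumptions of this example, and nothing named gvfsd-helper is created.

```shell
#!/bin/sh
# Added example, not code from the thread. Compares process-lookup idioms
# against a decoy: <tmpdir>/<random name> -> sleep. The decoy's cmdline
# shows the fake name, but /proc/<pid>/exe still resolves to the real
# sleep binary, which is exactly what gives a disguised binary away.

# A random name that is not a literal substring of this script, so a shell
# that was handed the script text on its command line cannot produce a
# false match.
mk_token() {
    printf 'decoy_%s_%s' "$$" "$(od -An -N4 -tx1 /dev/urandom | tr -d ' \n')"
}

# Start the decoy and record its pid/dir in globals. Stdout and stderr are
# detached so a caller inside $(...) does not block on the open pipe.
start_decoy() {
    DECOY_DIR=$(mktemp -d)
    ln -s "$(command -v sleep)" "$DECOY_DIR/$1"
    "$DECOY_DIR/$1" 60 >/dev/null 2>&1 &
    DECOY_PID=$!
}

# Naive ps|grep: the grep's own argv contains the pattern, so this usually
# (it is a race, not a guarantee) reports one line too many.
naive_count() { ps -eo pid,args | grep -c "$1" || true; }

# Bracket trick: the regex [d]ecoy_1 matches "decoy_1" in other processes,
# but the grep's own argv holds the literal text "[d]ecoy_1", which the
# regex does not match. Works with any first character, not just a letter.
bracket_count() {
    first=$(printf '%s' "$1" | cut -c1)
    rest=$(printf '%s' "$1" | cut -c2-)
    ps -eo pid,args | grep -c "[$first]$rest" || true
}

# pgrep -f matches the full command line and never reports itself.
pgrep_pids() { pgrep -f "$1" || true; }

# No procps needed: walk /proc and match the NUL-separated cmdline.
proc_scan() {
    for d in /proc/[0-9]*; do
        if tr '\000' ' ' < "$d/cmdline" 2>/dev/null | grep -q "$1"; then
            echo "${d#/proc/}"
        fi
    done
}

# The executable a process actually runs. For a disguised binary this does
# not agree with the name shown in its cmdline, however it was renamed.
exe_of() { readlink "/proc/$1/exe"; }

# Demo when run as a script: start a decoy, look for it each way, clean up.
tok=$(mk_token)
start_decoy "$tok"
sleep 1
echo "naive ps|grep lines : $(naive_count "$tok")"
echo "bracket-trick lines : $(bracket_count "$tok")"
echo "pgrep -f pids       : $(pgrep_pids "$tok")"
echo "/proc scan pids     : $(proc_scan "$tok")"
echo "cmdline says $tok, exe is $(exe_of "$DECOY_PID")"
kill "$DECOY_PID"
wait "$DECOY_PID" 2>/dev/null || true
rm -rf "$DECOY_DIR"
```

The naive count is deliberately not asserted on: whether `ps` sees the `grep` on the other end of the pipe is a scheduling race, which is the whole reason the bracket trick and `pgrep` exist. The `exe_of` check is the one that survives renaming, since a process can call itself anything it likes but cannot change where the kernel mapped its code from.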
Re: (Score:1)
You must not work in tech. Durrr
Re: (Score:2)
noun - person, place or thing
You are done installing (verb) the software so now it is an install (noun).
Re: (Score:2)
noun - person, place or thing
You are done installing (verb) the software so now it is an install (noun).
Installation. It's an installation.
Re: (Score:2, Flamebait)
Yes it is, when used that way. Language is defined by use and users, pedant.
Re: (Score:2)
Not when it's gender! Language is defined by the HR people who majored in the trendy post-modern politics of victimization known as "Critical Theory", who demand that the "I am a victim, see how powerless I am!" speak from their safe space to demand genderqueer, pan-gender, furry, and elkin.
"The question is,' said Humpty Dumpty, 'which is to be master — that's all."
A child could teach you this.
Re: (Score:2)
oh but that's not English, that's the language family that includes woke-speak and SJW virtue signalling twatish. The name of the branch I think has to do with what they identify as this week.
Re: (Score:3)
It's a contraction of "installations" which has been used in tech for half a century at least. Old telco guys would use the term frequently.
Re: (Score:2)
Install is not a noun.
It was not in 1975. Are you still using Multics?
Re: Install is not an noun. (Score:3)
The one and ONLY rule for determining if something is a word:
Is it understood by the reader/listener and writer/speaker to mean the same thing?
If yes, ... then it is a word! Period.
So you can quit your snobbish meme parroting now. Your attempt to make yourself look and feel superior... failed.
I'm safe; not worried (Score:5, Funny)
Re: (Score:1)
The BSD fan club again. Do we need to port some old Linux hacks to BSD to prove the point again? You're not more secure. Far from it. BSD doesn't even have mandatory access control. Hardly any advancement from the 1990s.
Re: (Score:3)
$0, I have never been hit by one.
Re: (Score:3)
WSL..WSL...WSL...
Told you... (Score:5, Insightful)
...systemd was a virus
Re: (Score:2)
FreeBSD, of course!
Re: (Score:1)
Sounds like we need to port some old Linux hacks to BSD again to prove the point BSD is not more secure. I guess it's been about 15 years since we did that last time and proved just how insecure BSD is. Remember that? LOL
Re: (Score:1)
Slackware.
Re: (Score:1)
Gentoo
Re: (Score:2)
Is that you, Luke?
Which ones? (Score:2)
There are 100 different versions of Linux. Are they all compromised? If only some, which ones?
Re:Which ones? (Score:5, Informative)
> Are our systems compromised? How to detect it? All the obvious questions that won't have answers in TFA
What are you on about?
1. Read the blog post. It's quite the fancy malware.
2. Scan your backup server for the known filenames.
3. Compare the hashes if you have any filename matches.
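Steps 2 and 3 of that answer as a runnable sweep, added here as an example and not code from the commenter or from the Netlab report. It walks a backup tree for the file names an analyst is hunting and compares the SHA-256 digest of every hit against a list of known-bad digests, separating confirmed matches from name-only hits that still deserve a look. The name list and digest list are placeholders to be filled in from the published report; the only real name used is gvfsd-helper, which this thread itself mentions, and the sample tree, file contents and directory layout are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or the report. Sweeps a tree for
# suspect file names and checks the digests of hits against known-bad ones.

# ioc_sweep ROOT NAMES_FILE HASHES_FILE
#   NAMES_FILE  : one file name per line (placeholders; fill from the report)
#   HASHES_FILE : one lowercase SHA-256 hex digest per line (likewise)
# Prints "MATCH <digest> <path>" when a hit's digest is known-bad and
# "NAME  <digest> <path>" for a name-only hit that needs a closer look.
ioc_sweep() {
    root=$1
    names=$2
    hashes=$3
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        # -xdev keeps the walk on one filesystem; -type f skips directories
        # and symlinks so a planted link to a real utility is not hashed twice.
        find "$root" -xdev -type f -name "$name" 2>/dev/null
    done < "$names" | while IFS= read -r path; do
        digest=$(sha256sum "$path" | cut -d' ' -f1)
        if grep -qx "$digest" "$hashes"; then
            echo "MATCH $digest $path"
        else
            echo "NAME  $digest $path"
        fi
    done
}

# Constructed sample backup tree: one planted copy of a disguised binary
# (whose digest is recorded as known-bad), one file with the same name but
# different content, and one unrelated file. Prints the tree's root.
build_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/home/user/.config" "$root/usr/bin"
    printf 'planted sample body\n' > "$root/home/user/.config/gvfsd-helper"
    printf 'a different gvfsd-helper\n' > "$root/usr/bin/gvfsd-helper"
    printf 'unrelated\n' > "$root/usr/bin/true"
    printf 'gvfsd-helper\n' > "$root/names.txt"
    sha256sum "$root/home/user/.config/gvfsd-helper" | cut -d' ' -f1 > "$root/hashes.txt"
    echo "$root"
}

# Demo when run as a script: one MATCH line, one NAME line, nothing for true.
ROOT=$(build_sample_tree)
ioc_sweep "$ROOT" "$ROOT/names.txt" "$ROOT/hashes.txt"
rm -rf "$ROOT"
```

Point it at a mounted backup rather than the live host: a backdoor that is still running can lie to `find` and `sha256sum` on the box it owns, but not to a copy of its files read from somewhere else. Name-only hits are not noise; a sample with the same name but a different digest is exactly what a freshly rebuilt variant would look like.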
Re:Which ones? (Score:5, Informative)
Anyone can write an executable to do nefarious things, but what is the entry path onto the system? What compromise is used to install it? Who uses that packages and has it misconfigured to allow this executable to be installed? Without this key information, this admittedly excellent analysis of the payload is useless.
Re: Which ones? (Score:2)
I'm gonna tell my grandma she can write software, now. :D
Boy is she gonna be surprised!
Re: (Score:2)
I'm gonna tell my grandma she can write software, now.
I'm pretty sure she makes nefarious things (against her will ;)
Re: (Score:2)
That's what the forensics and IR guys figure out next.
Slashdot effect, can't load blog post. (Score:2)
Could someone please cut-and-paste here at earliest opportunity?
Good thing they say "64-bit linux" (Score:5, Funny)
64-bit ARM or 64-bit x86 (Score:2)
64-bit ARM is pretty popular, being Android phones, and more of an issue
32-bit has other advantages (Score:2)
When I migrated my Ubuntu install from A31 to T61, the 32-bit RAM limit ensured Firefox would not hang my machine.
Re: (Score:3)
The 5 people running 32-bit linux
You mean the 5 million? Running Linux embedded in routers etc...
*Shakes fist* (Score:5, Funny)
Re: (Score:1)
University of Minnesota!!!!
No kidding man. They could end up being blamed for a lot of things.
Linux FUD from the Microsoft ZDNET (Score:5, Interesting)
Any clue how this malware installs onto the Linux systems. Apart from someone downloading it from VirusTotal?
The lack of detection here is the real scandal. (Score:3)
So what happens to files submitted to VirusTotal, then? I thought they were made available to AV researchers.
These files were submitted several times over the years. Are you telling me everyone who ever checked it out, failed to find its behavior suspicious?
Or were they told/paid to keep it off the detection list?
Hides in systemd (Score:5, Insightful)
Not a surprise. Systemd is a complex mess that nobody really understands (I strongly suspect that includes its developers) and hence cannot really analyze. "init" is just 53k (Debian); you basically cannot hide anything in there without blowing it up massively.
But systemd? That is a 1.5MB abomination that changes all the time.
Re:Hides in systemd (Score:5, Insightful)
It's also not merely prone to feature creep. It was _designed_ to feature creep, to be the basis of a "stateless Linux" designed not to have the "/etc" or "/var" directories.
Re: (Score:3)
Indeed. An abomination I most decidedly do not want on my servers and desktops. Now, I would have absolutely no issue with it if it stayed in its niche. But the people behind it try to push it everywhere and that is both a very bad idea and completely unacceptable.
Re: (Score:2)
There are things it does well. Getting system logging able to monitor the boot process was valuable, as was a more robust "keep this daemon and its dependencies alive" system. There have been other candidates for each of those, none of which got the robust corporate support from Red Hat which systemd received.
Re: (Score:2)
It doesn't "hide in systemd". It pretends to be a systemd process along with several other processes including a gnome app. And given its sophistication, if systemd isn't present it probably pretends to be sysv or something else.
The researchers were simply running a stretch release so that's what it did on stretch; with a single sample size we have no idea what it does on other systems.
Re: (Score:2)
Look at what was uploaded to VT...
i dont know if this will help (Score:5, Informative)
add the above four lines to your hosts file
Misleading headline (Score:4, Informative)
...suggests that the backdoor is in a fresh installation, which is highly unlikely. Like most (all?) Linux viruses, the victim must download a script from an unofficial source, enable it to run, and then run it as root. I'm not ready to panic yet.
Re: (Score:3)
curl http://somewhere.com/ | sudo bash -
That's way too popular these days...