Never-before-seen Linux malware is “far more advanced than typical”

Fatesrider

Ars Legatus Legionis
25,110
Subscriptor
While interesting, this looks remarkably like a Navy advisory. "Stand by to stand by!"

It's great that the article delineates what it can do.

But are there any hints on HOW it infects systems? Knowing that can at least offer some measure of preparation for when it does go fully functional in the wild. An ounce of prevention, and all that...
 
Upvote
143 (146 / -3)

TheBrain0110

Ars Centurion
255
Subscriptor++
Don’t you wish Ars provided source links that people can click on to answer questions like this?
You mean the source links that provided all the same information as was given in the article, and no further details on the infection methods either?

Of course, I guess I can't blame Dan for not including information that wasn't given in the sources either.
 
Upvote
111 (116 / -5)

dangoodin

Ars Tribunus Militum
1,646
Ars Staff
While interesting, this looks remarkably like a Navy advisory. "Stand by to stand by!"

It's great that the article delineates what it can do.

But are there any hints on HOW it infects systems? Knowing that can at least offer some measure of preparation for when it does go fully functional in the wild. An ounce of prevention, and all that...
If the framework isn't getting installed in the wild -- you did RTFA, right? -- how can anyone say how it infects systems? So no, there are no such hints.

Also, the source links ARE in the article. Secondfloor, you read it before posting, yes? (https://meincmagazine.com/civis/members/secondfloor.558213/)
 
Upvote
-3 (36 / -39)
But are there any hints on HOW it infects systems?
Generally speaking, malware has two components. The first component is the compromise that gets the software in the door. That's what you're asking about. The second component is the payload - the software that actually infects the machine and does whatever nasty things the threat actor wants it to do.

The malware being discussed here is the payload. It's useless in itself without a way to get it onto the target host, and it won't have the compromise mechanism attached - that usually gets attached as part of the campaign to infect hosts, because compromises come and go as they're found and patched.
 
Upvote
147 (147 / 0)

C.M. Allen

Ars Tribunus Angusticlavius
6,080
Generally speaking, malware has two components. The first component is the compromise that gets the software in the door. That's what you're asking about. The second component is the payload - the software that actually infects the machine and does whatever nasty things the threat actor wants it to do.

The malware being discussed here is the payload. It's useless in itself without a way to get it onto the target host, and it won't have the compromise mechanism attached - that usually gets attached as part of the campaign to infect hosts, because compromises come and go as they're found and patched.
Which is a good reminder that the biggest security vulnerability has always been the people using the system. Particularly the 'management' types who are arrogantly ignorant and easy marks for even the simplest of social-engineering attacks. Why go through all the trouble of finding a software- or hardware-level vulnerability, when you can just dupe the CEO into giving away their system access?

Any sysadmins care to chime in here??
 
Upvote
44 (49 / -5)

Legatum_of_Kain

Ars Praefectus
4,068
Subscriptor++
Which is a good reminder that the biggest security vulnerability has always been the people using the system. Particularly the 'management' types who are arrogantly ignorant and easy marks for even the simplest of social-engineering attacks. Why go through all the trouble of finding a software- or hardware-level vulnerability, when you can just dupe the CEO into giving away their system access?

Any sysadmins care to chime in here??
If this is targeting cloud applications using Linux, the only "user" per se is the applications running on the containers or hypervisors, which in turn get "used" by the developers and security people configuring them and deploying them. Maybe a Linux sysadmin if they're lazy enough to use the instance irresponsibly.

So in order to run in the operating system, they'd need an entry point in said software running on those containers or hypervisors for said cloud apps.
 
Upvote
28 (28 / 0)

close

Ars Tribunus Militum
2,456
With the rise in popularity of Linux it starts to get close to the attention Windows is getting. So the light veil of "Linux doesn't get malware" is getting lifted. Linux is seeing an influx of fresh, inexperienced users. That's a fat target. The incentives from this segment just overdrives the development of such frameworks that will subsequently hit enterprise deployments too.
 
Last edited:
Upvote
27 (33 / -6)

koolraap

Ars Tribunus Militum
2,235
The article says
  • Cloud-first tradecraft. In addition to cloud detection, these modules collect “vast amounts of information about the infected machine, enumerating its hypervisor and detecting whether it is running in a Docker container or a Kubernetes pod.”
Yeah... that's a good reminder to remove all that debug logging I've uh... my colleague... has running in far too many containers in prod, uh I mean, isolated test environments.

And, as usual, I'll happily say to anyone who's ever said, "Linux can't get viruses": nyah, nyah, nyah!
 
Upvote
24 (27 / -3)

DeanPenguin

Smack-Fu Master, in training
14
Subscriptor
The article says

Yeah... that's a good reminder to remove all that debug logging I've uh... my colleague... has running in far too many containers in prod, uh I mean, isolated test environments.

And, as usual, I'll happily say to anyone who's ever said, "Linux can't get viruses": nyah, nyah, nyah!
As a Linux fan, while I could have done without the "nyah"'s, your point on Linux also being able to get malware is well taken :)
 
Upvote
21 (22 / -1)

Phone Sterilizer

Wise, Aged Ars Veteran
169
Subscriptor
If this is targeting cloud applications using Linux, the only "user" per se is the applications running on the containers or hypervisors, which in turn get "used" by the developers and security people configuring them and deploying them. Maybe a Linux sysadmin if they're lazy enough to use the instance irresponsibly.

So in order to run in the operating system, they'd need an entry point in said software running on those containers or hypervisors for said cloud apps.

The usual vector would be an exposed end point. The typical Linux cloud has an exposed reverse proxy, with the HTTP, application, and user stores and database behind additional firewalls. A failure to audit and patch (or a zero-day, shudder) is how the attacker gets in. Most organizations (pretty much all in my sphere) fail miserably on auditing.
 
Upvote
17 (17 / 0)

SparkE

Wise, Aged Ars Veteran
155
Which is a good reminder that the biggest security vulnerability has always been the people using the system. Particularly the 'management' types who are arrogantly ignorant and easy marks for even the simplest of social-engineering attacks. Why go through all the trouble of finding a software- or hardware-level vulnerability, when you can just dupe the CEO into giving away their system access?

Any sysadmins care to chime in here??
In my company, “management” (CEO, VP, CFO, etc.) have only user level access to company equipment or systems.
 
Upvote
25 (25 / 0)

SparkE

Wise, Aged Ars Veteran
155
With the rise in popularity of Linux it starts to get close to the attention Windows is getting. So the light veil of "Linux doesn't get malware" is getting lifted. Linux is seeing an influx of fresh, inexperienced users. That's a fat target. The incentives from this segment just overdrives the development of such frameworks that will subsequently hit enterprise deployments too.
I'm not seeing any influx of fresh inexperienced users in Linux. I'm seeing a waning interest in sysops and devops as AI and more automated tech are filling more of those roles and the experienced admins are trying to hold onto their existing jobs.
Many of the YouTube channels that I used to follow for sysop tips, etc. are no longer making new content.
 
Upvote
4 (7 / -3)

EricM2

Ars Centurion
360
Subscriptor
Company researchers discovered it last month in a series of clusters of Linux malware available through VirusTotal.
What exactly is "a series of clusters of Linux malware" in this context? :unsure:
Does it mean uploads of the same malware from several sources? That would in fact be a cause of concern.
If one assumes the authors would not upload the code themselves, this would also contradict the "has not been seen in the wild" ...
 
Upvote
14 (15 / -1)

close

Ars Tribunus Militum
2,456
I'm not seeing any influx of fresh inexperienced users in Linux. I'm seeing a waning interest in sysops and devops as AI and more automated tech are filling more of those roles and the experienced admins are trying to hold onto their existing jobs.
Many of the YouTube channels that I used to follow for sysop tips, etc. are no longer making new content.
Inexperienced in Linux. Also you not seeing it doesn't tell you it's not happening, just means you were just looking the other way. When Windows 10 reached end of mainstream support a good chunk of users started trying their luck and experimenting with Linux. There's a small movement now in that direction, and with Valve as a huge supporter, the gaming market is starting to see some signs of a shift.

So yes, people are starting to move to Linux for their day to day PC needs. Not a lot but enough to start painting a target. Attackers go after easy targets.
 
Upvote
16 (18 / -2)

engineer7

Smack-Fu Master, in training
64
Subscriptor++
In my company, “management” (CEO, VP, CFO, etc.) have only user level access to company equipment or systems.
While this was my first answer too, we're also a more mature operation. For those smaller or startup companies, CEOs, CFOs, etc. are often over-provisioned because they were the ones that started the processes to begin with. As they mature, those permissions get peeled back and placed on responsible parties.

But yes, perfect world <3
 
Upvote
10 (10 / 0)

Trondal

Ars Scholae Palatinae
949
Subscriptor
Does anyone understand how this would have been contributed to Virus Total?

If it hasn’t been deployed yet then how would someone have binaries to contribute?

The only idea I can come up with is another hacker getting access to what the Chinese group was working on and sharing it to spoil their efforts proactively.

Or someone has someone else on the inside to do this.
 
Upvote
15 (15 / 0)

baloroth

Ars Scholae Palatinae
965
If the framework isn't getting installed in the wild -- you did RTFA, right? -- how can anyone say how it infects systems? So no, there are no such hints.
So, 2 things. First, if it's not infecting things in the wild, how did it end up on VirusTotal? I very much doubt the developers would have uploaded it themselves, so it probably was uploaded by someone who got infected, suggesting it is being installed in the wild.

Secondly, TFA says

These modules can provide additional stealth and specific tools for reconnaissance, privilege escalation, and lateral movement inside a compromised network.
which suggests the framework includes at least some mechanism for infecting non-infected systems (even if only from inside an already compromised network). I can't be the only one curious to know what that mechanism is.
 
Upvote
13 (13 / 0)

gautier

Ars Praetorian
562
Subscriptor++
While interesting, this looks remarkably like a Navy advisory. "Stand by to stand by!"

It's great that the article delineates what it can do.

But are there any hints on HOW it infects systems? Knowing that can at least offer some measure of preparation for when it does go fully functional in the wild. An ounce of prevention, and all that...
It will use whatever exploit plug-in is available. As far as we know this malware doesn't rely on a specific attack vector. It looks like a Malware-as-a-Service management with reconnaissance, attack, exploit, implementation and persistence framework.
 
Upvote
2 (2 / 0)

mmiller7

Ars Legatus Legionis
12,367
Inexperienced in Linux. Also you not seeing it doesn't tell you it's not happening, just means you were just looking the other way. When Windows 10 reached end of mainstream support a good chunk of users started trying their luck and experimenting with Linux. There's a small movement now in that direction, and with Valve as a huge supporter, the gaming market is starting to see some signs of a shift.

So yes, people are starting to move to Linux for their day to day PC needs. Not a lot but enough to start painting a target. Attackers go after easy targets.
Also for the moment, I think servers/companies are a more worthwhile target for the effort on Linux malware than the average home user for most attacks.

If market shares change, that will change. The malware people want the most bang for their buck on the time/effort though.
 
Upvote
9 (9 / 0)

wxfisch

Ars Scholae Palatinae
958
Subscriptor++
Which is a good reminder that the biggest security vulnerability has always been the people using the system. Particularly the 'management' types who are arrogantly ignorant and easy marks for even the simplest of social-engineering attacks. Why go through all the trouble of finding a software- or hardware-level vulnerability, when you can just dupe the CEO into giving away their system access?

Any sysadmins care to chime in here??
I get what you are saying in terms of 'management' types, but that is an awfully broad brush to be using to describe what you feel are the most at-risk employees in a company. As someone who is a manager (in IT) and works with a lot of managers (across IT and the business), they range the same gamut that all other employees and people run. We have really good managers at the middle and upper levels that I know would not fall for spear phishing attacks, and we have senior system admins that I am very sure would fall for the most obvious of phishing attempts. Just because you have had bad experiences with managers in the past doesn't mean all are the same.
 
Upvote
3 (4 / -1)

beheadedstraw

Ars Scholae Palatinae
645
Which is a good reminder that the biggest security vulnerability has always been the people using the system. Particularly the 'management' types who are arrogantly ignorant and easy marks for even the simplest of social-engineering attacks. Why go through all the trouble of finding a software- or hardware-level vulnerability, when you can just dupe the CEO into giving away their system access?

Any sysadmins care to chime in here??
Senior Systems Engineer here.

If this payload is able to run with root privileges (which is what's needed to run anything of importance, including most of the actions in this malware), you've got bigger fish to fry. This looks to be targeted more towards developer machines than actual servers though, which is always the more easily compromised target, humans.
 
Upvote
2 (2 / 0)

VividVerism

Ars Tribunus Angusticlavius
8,568
Does anyone understand how this would have been contributed to Virus Total?

If it hasn’t been deployed yet then how would someone have binaries to contribute?

The only idea I can come up with is another hacker getting access to what the Chinese group was working on and sharing it to spoil their efforts proactively.

Or someone has someone else on the inside to do this.


if it's not infecting things in the wild, how did it end up on VirusTotal? I very much doubt the developers would have uploaded it themselves, so it probably was uploaded by someone who got infected, suggesting it is being installed in the wild.

Something malware developers sometimes like to do is to obfuscate their code and then submit their own malware to VirusTotal to test the obfuscation. If any scanners detect their malware as such despite the obfuscation, they iterate and try again until the scan comes back clean.

Which leads to the obvious implication:

This isn't even its final form!
 
Upvote
18 (19 / -1)

close

Ars Tribunus Militum
2,456
Also for the moment, I think servers/companies are a more worthwhile target for the effort on Linux malware than the average home user for most attacks.

If market shares change, that will change. The malware people want the most bang for their buck on the time/effort though.
Enterprise deployments are also far better secured. But it's the same for Windows. Windows Servers are way better hardened and secured than the average desktop. But the (hundreds of) millions of desktops of average Joes supercharged the hunt for exploits. That quantity has a quality in itself.
 
Upvote
1 (1 / 0)
The typical Linux cloud has an exposed reverse proxy, with the HTTP, application, and user stores and database behind additional firewalls.
I think you misspelled "proper" as "typical". Typical is "whatever template the provider has", which may or may not be proper.

ETA: Do you even KNOW how inconvenient it is when the Tata contractors cannot directly remote into the database servers? Gosh.
 
Upvote
4 (4 / 0)

Araesmojo

Smack-Fu Master, in training
10
That reads more like a sell sheet
Similar personal response in reading the linked article. Looked like an ad in many ways.

Also, a really enormous amount of what seems strange to find in some overlooked malware list somewhere. (think that was what they were implying) Appeared more like the software panel control interface, stuff you'd find back at their location of operations, rather than anything that would be found in the wild on an actual target system. Maybe it got pulled from something somebody was trying to sell online?

Has the entire dashboard, with all the various configuration choices, planning, strategy features. Just looked like a huge amount of extra stuff for what's supposed to be a relatively small, subtle, hidden, infiltrator malware.
 
Upvote
0 (0 / 0)
I'm not seeing any influx of fresh inexperienced users in Linux. I'm seeing a waning interest in sysops and devops as AI and more automated tech are filling more of those roles and the experienced admins are trying to hold onto their existing jobs.
Many of the YouTube channels that I used to follow for sysop tips, etc. are no longer making new content.
What could go wrong...
 
Upvote
0 (0 / 0)
Now if they have root already you are screwed but....

Code:
setenforce 1

Don't make Dan Walsh cry!

https://stopdisablingselinux.com/
Which is generally good advice, right up until you have to install software that doesn't know or care about selinux, and the result is that you either setenforce 0, or you go through the fucking tedious process of reverse engineering the software to figure out exactly what selinux settings it needs in order to work correctly.

At which point, yes, the right thing to do is to launch a tactical LART at whoever wrote the software, rather than disabling selinux, but sometimes you're under time pressure to just Make The Damn Thing Work.

(I could also be conflating this with trying to get a Tomcat application launched using systemd and bumping head-on into systemd trying to limit its rights to just what it's supposed to need and getting it Very Wrong, with the result that I ended up throwing up my hands and just using the "traditional" rc.d script to launch it rather than trying to figure out exactly what it needed to have access to. I have way too many scars from this shit.)

Note: Yes, I do understand that the proper target of this rant is the software in question, and not selinux itself.
 
Upvote
3 (3 / 0)
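The `setenforce 1` exchange above has a practical follow-up: `setenforce` only changes the running kernel, and a host can drift back to permissive through `/etc/selinux/config` or a `selinux=0` / `enforcing=0` kernel parameter without anyone touching the command. The script below is an added example, not code from any poster in this thread, that audits all three sources and fails loudly when they disagree. The file paths default to the real ones on a Red Hat-style host but are parameters so the functions can be exercised on constructed input; the function names are my own.

```sh
#!/bin/sh
# Added example for this thread (not any poster's code): audit a host's
# SELinux state instead of trusting that `setenforce 1` was run once.
# Runtime mode, boot config and kernel command line can disagree, and a
# change in any one of them is worth an alert.

# selinux_mode [FILE]: interpret the kernel's enforce flag (1/0).
# Prints Enforcing, Permissive, or Disabled when the flag file is absent.
selinux_mode() {
    f="${1:-/sys/fs/selinux/enforce}"
    [ -r "$f" ] || { echo Disabled; return 0; }
    case "$(cat "$f")" in
        1) echo Enforcing ;;
        0) echo Permissive ;;
        *) echo Unknown ;;
    esac
}

# config_mode [FILE]: the SELINUX= setting in /etc/selinux/config, i.e. what
# the host comes back up as after a reboot. Commented lines and SELINUXTYPE=
# are ignored; if the key appears twice the last one wins, as on a real host.
config_mode() {
    f="${1:-/etc/selinux/config}"
    [ -r "$f" ] || { echo missing; return 0; }
    m=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$f" | tail -n 1)
    echo "${m:-missing}" | tr 'A-Z' 'a-z'
}

# cmdline_override STRING: kernel parameters that turn SELinux off or down at
# boot regardless of the config file. Prints each match, one per line.
cmdline_override() {
    for tok in $1; do
        case "$tok" in
            selinux=0|enforcing=0) echo "$tok" ;;
        esac
    done
}

# audit_selinux ENFORCE_FILE CONFIG_FILE CMDLINE: print findings and return 0
# only when runtime, boot config and command line all agree on enforcing.
audit_selinux() {
    rc=0
    run=$(selinux_mode "$1")
    cfg=$(config_mode "$2")
    ovr=$(cmdline_override "$3")
    [ "$run" = Enforcing ] || { echo "FAIL: runtime mode is $run"; rc=1; }
    [ "$cfg" = enforcing ] || { echo "FAIL: boot config SELINUX=$cfg"; rc=1; }
    [ -z "$ovr" ] || { echo "FAIL: kernel cmdline overrides: $ovr"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: enforcing at runtime, on boot, no overrides"
    return $rc
}

# Real-host usage (uncomment to run):
# audit_selinux /sys/fs/selinux/enforce /etc/selinux/config "$(cat /proc/cmdline)"
```

Run from a config-management check or a cron job, a non-zero exit from `audit_selinux` is the signal that someone followed the "just `setenforce 0`" path the reply above describes, or that the boot configuration no longer matches the running state.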

dangoodin

Ars Tribunus Militum
1,646
Ars Staff
So, 2 things. First, if it's not infecting things in the wild, how did it end up on VirusTotal? I very much doubt the developers would have uploaded it themselves, so it probably was uploaded by someone who got infected, suggesting it is being installed in the wild.

Secondly, TFA says


which suggests the framework includes at least some mechanism for infecting non-infected systems (even if only from inside an already compromised network). I can't be the only one curious to know what that mechanism is.
Lots of malware gets uploaded to VirusTotal by the creators, to test which engines detect their wares. As in, all the time. Frequently, the people announcing their discovery of new malware omit the detail that they only found it on VT and didn't find evidence of it spreading in the wild. That's why I asked and added that detail to my story.

Bottom line: there is 0 evidence this thing is getting installed in the wild. 0. If you want to argue otherwise, you're going to need to provide more support.

Edit: typo fix
 
Last edited:
Upvote
10 (10 / 0)