Wirenet-1 - Tux gets a virus...

[glitch]

Hmm... what does every one make of this??

http://www.theregister.co.uk/2012/08/29/linux_mac_trojan/

[galaxytdm]

How can it install itself without permission?
Sounds like  Dr web is starting in on the anti virus for Linux boat early.
I have often wondered how many of these viruses are
a/ real
b/ created by antivirus companies to create a market.
Maybe the Linux community is growing at a rate that makes it a viable business prospect.

[Mark Greaves (PCNetSpec)]

Nobody said it's impossible to write malicious code for Linux .. what *IS* claimed is that it wouldn't get very far

Firstly they'd have to get this thing into the Linux software distribution channels (repos) .. which they won't.

So it's immediately limited to the few Linux users that install software from outside the repos .. the majority of those users are smart enough not to install or execute something from an untrusted source .. and remember, they'd specifically have to manually execute it .. if it came as say a binary executable, they'd specifically have to mark it as executable, if it came as say a .deb they'd need elevated privileges to install, and it would again be limiting its scope.

That article also says "once executed it copies itself to the users home folder" .. which sound like it runs in userspace, limiting itself to a single account with no way of spreading.

As this in NO WAY has any way to self replicate and jump from one box to another without the user specifically having to be completely stupid .. this CANNOT be considered a virus .. more a malicious program that very few will install, and cannot spread.

I'm immediately suspicious of this claim anyway .. it's the "cross platform" part that has me suspicious .. What kind of executable can be run by a regular user on both OS X and Linux ?

Yes, malicious code is possible on Linux .. But it won't get very far, there are just too many barriers in the way for it to spread .. be careful of software you install that isn't from the repo's, and for the rest Tux has your back

[glitch]

I think someone at Dr Web needs to read that

[Mark Greaves (PCNetSpec)]

I'm with galaxytdm on this .. it's just sensationalism from an AV company with a vested interest in spreading FUD .. nothing more.

[BkS]

The only way I can see this being able to execute is if it's added through a PPA, but even then, there's still so many barriers in place.

Just some daft blog spreading FUD.

[SeZo]

OK, we should never underestimate the power of social engineering (and user stupidity):

Why Linux viruses are unlikely

In order for an e-mail virus to propagate, it must be able to:

    Enter the target machine
    Execute on the target machine
    Propagate itself

Linux makes steps 2 and 3 very difficult.

Social Engineering to Enable Execution

Under Windows, a file is marked as "executable" based on its filename extension (.exe, .com, .scr, etc.) Encoding metadata (like file type) into the file name is a very bad idea and has horrendous security consequences. Encoding metadata in this way allows for the simple-minded social-engineering attacks we see on windows: "Click here for a cool screensaver!!!"

Such an attack under Linux would go like this: "Save this file; open up a shell; enable execute permissions on the file by typing 'chmod a+x filename', and then run it by typing './filename'."

Obviously, the Linux permissions system makes such a social-engineering attack very difficult.

Source (old but still valid):
http://www.desktoplinux.com/articles/AT5785842995.html

[Mark Greaves (PCNetSpec)]

I thought Linux users were anti-social by nature

IMHO, this is nothing to worry about, and I'm loath to give it any credibility by posting this .. but for those of you that are paranoid ..

If you check the DrWeb website .. this malware (if it exists, and that's a big IF) is only supposed to report back to a single IP address .. so if you're worried by this (I'm not) a simple iptables rule that drops all outgoing packets to that IP address would block it anyway:

Code: [Select]

sudo iptables -A OUTPUT -d 212.7.208.65 -j DROP

you can then test the rule with:

Code: [Select]

ping -c 5 212.7.208.65

You should see 5 lines that read:-

ping: sendmsg: Operation not permitted

Now even if you are misguided enough to execute it in the future, it couldn't report home if it wanted to

You can list the iptables rules with:

Code: [Select]

sudo iptables -L

You can remove the above iptables rule at any time with:

Code: [Select]

sudo iptables -D OUTPUT -d 212.7.208.65 -j DROP

Further info .. it creates a file/folder called WIFIADAPT in your Home folder

BackDoor.Wirenet.1

Added to the virus database Dr.Web:    21/08/2012
Inserted    22/08/2012

Trojan backdoor that can run on Linux and MacOS X. Has keylogger functionality, can steal passwords typed by the user in the browser Opera, Firefox, Chrome, Chromium, and passwords from applications such as Thunderbird, SeaMonkey, Pidgin.

When executed, it copies itself to the user's home directory.

    In MacOS: folder% home%/WIFIADAPT.app.app
    In Linux: in ~/WIFIADAPT

Establishes a connection to a remote command center at 212.7.208.65.

Uses a check connections using encryption algorithm Advanced Encryption Standard (AES).

Original source:
http://vms.drweb.com/virus/?i=1957835

There is still no proof that this malware even exists .. a quick search seems to suggest nobody has been able to find a sample of it

[SeZo]

I suppose it is telling:

Anti-virus software from Doctor Web successfully detects and removes the backdoor, so the threat does not pose a serious danger to systems protected by Dr.Web for Mac OS X and Dr.Web for Linux.

Plain and simple FUD
They got the app. for it for: €26 per year for 1 PC
http://news.drweb.com/show/?i=2679&lng=en&c=14

[Mark Greaves (PCNetSpec)]

Precisely my opinion .. and all the other websites that are quoting it are getting their info directly from the DrWeb AV website 

As I said, nobody seems to be able to track down an example of the malware/code  .. and until they do, I'm going to consider it a load of rubbish.

But even if they do, it's no big deal .. and certainly nothing to worry about if you get your software from trusted sources such as the default software repositories


A telling line from the DrWeb site is ..

"It's not clear yet how the Trojan, which was added to the Dr.Web virus database as BackDoor.Wiren et.1, spreads.

http://news.drweb.com/show/?i=2679&lng=en&c=14

Which to me sounds like .. We can't mention a mode of transmission, otherwise the scam would fall apart.

How can they have a fix for something they admit they don't know how it works ?

[Andrew4096]

Perhaps "Dr.Web for Mac OS X" and "Dr.Web for Linux" are the real malware programs.  I would be leery of installing either one of those programs on a Mac OSX  or Linux system.