Author Topic: Wirenet-1 - Tux gets a virus...  (Read 3976 times)

glitch
Wirenet-1 - Tux gets a virus...
« on: August 30, 2012, 08:27:41 am »
Hmm... what does everyone make of this??

http://www.theregister.co.uk/2012/08/29/linux_mac_trojan/
//glitch

END OF LINE_

@g1i7ch

galaxytdm
Re: Wirenet-1 - Tux gets a virus...
« Reply #1 on: August 30, 2012, 10:26:14 am »
How can it install itself without permission?
Sounds like Dr web is starting in on the anti virus for Linux boat early.
I have often wondered how many of these viruses are
a/ real
b/ created by antivirus companies to create a market.
Maybe the Linux community is growing at a rate that makes it a viable business prospect.
If you need help ask a professional, then act upon their advice.
Anything less and you're just wasting people's time.

Mark Greaves (PCNetSpec)
Re: Wirenet-1 - Tux gets a virus...
« Reply #2 on: August 30, 2012, 10:58:06 am »
Nobody said it's impossible to write malicious code for Linux .. what *IS* claimed is that it wouldn't get very far :)

Firstly they'd have to get this thing into the Linux software distribution channels (repos) .. which they won't.

So it's immediately limited to the few Linux users that install software from outside the repos .. the majority of those users are smart enough not to install or execute something from an untrusted source .. and remember, they'd specifically have to manually execute it .. if it came as say a binary executable, they'd specifically have to mark it as executable, if it came as say a .deb they'd need elevated privileges to install, and it would again be limiting its scope.

That article also says "once executed it copies itself to the users home folder" .. which sounds like it runs in userspace, limiting itself to a single account with no way of spreading.

As this in NO WAY has any way to self replicate and jump from one box to another without the user specifically having to be completely stupid .. this CANNOT be considered a virus .. more a malicious program that very few will install, and cannot spread.

I'm immediately suspicious of this claim anyway .. it's the "cross platform" part that has me suspicious .. What kind of executable can be run by a regular user on both OS X and Linux ?

Yes, malicious code is possible on Linux .. But it won't get very far, there are just too many barriers in the way for it to spread .. be careful of software you install that isn't from the repos, and for the rest Tux has your back :)
« Last Edit: August 30, 2012, 11:10:27 am by Mark Greaves (PCNetSpec) »
WARNING: You are logged into reality as 'root'

logging in as 'insane' is the only safe option.

glitch
Re: Wirenet-1 - Tux gets a virus...
« Reply #3 on: August 30, 2012, 11:02:06 am »
I think someone at Dr Web needs to read that :P

Mark Greaves (PCNetSpec)
Re: Wirenet-1 - Tux gets a virus...
« Reply #4 on: August 30, 2012, 11:22:27 am »
I'm with galaxytdm on this .. it's just sensationalism from an AV company with a vested interest in spreading FUD .. nothing more.

BkS
Re: Wirenet-1 - Tux gets a virus...
« Reply #5 on: August 30, 2012, 01:10:50 pm »
The only way I can see this being able to execute is if it's added through a PPA, but even then, there are still so many barriers in place.

Just some daft blog spreading FUD.
If you try to look through Windows, you can see what the person is doing.
If you try to look through a Penguin, it WILL bite you.

SeZo
Re: Wirenet-1 - Tux gets a virus...
« Reply #6 on: August 30, 2012, 01:29:11 pm »
OK, we should never underestimate the power of social engineering (and user stupidity):
Quote
Why Linux viruses are unlikely

In order for an e-mail virus to propagate, it must be able to:

    1. Enter the target machine
    2. Execute on the target machine
    3. Propagate itself

Linux makes steps 2 and 3 very difficult.

Social Engineering to Enable Execution

Under Windows, a file is marked as "executable" based on its filename extension (.exe, .com, .scr, etc.). Encoding metadata (like file type) into the file name is a very bad idea and has horrendous security consequences. Encoding metadata in this way allows for the simple-minded social-engineering attacks we see on Windows: "Click here for a cool screensaver!!!"

Such an attack under Linux would go like this: "Save this file; open up a shell; enable execute permissions on the file by typing 'chmod a+x filename', and then run it by typing './filename'."

Obviously, the Linux permissions system makes such a social-engineering attack very difficult.

Source (old but still valid):
http://www.desktoplinux.com/articles/AT5785842995.html

Mark Greaves (PCNetSpec)
Re: Wirenet-1 - Tux gets a virus...
« Reply #7 on: August 30, 2012, 05:12:41 pm »
I thought Linux users were anti-social by nature ;)

IMHO, this is nothing to worry about, and I'm loath to give it any credibility by posting this .. but for those of you that are paranoid ..

If you check the DrWeb website .. this malware (if it exists, and that's a big IF) is only supposed to report back to a single IP address .. so if you're worried by this (I'm not) a simple iptables rule that drops all outgoing packets to that IP address would block it anyway:
Code:
sudo iptables -A OUTPUT -d 212.7.208.65 -j DROP

you can then test the rule with:
Code:
ping -c 5 212.7.208.65

You should see 5 lines that read:-
Quote
ping: sendmsg: Operation not permitted


Now even if you are misguided enough to execute it in the future, it couldn't report home if it wanted to :)

You can list the iptables rules with:
Code:
sudo iptables -L

You can remove the above iptables rule at any time with:
Code:
sudo iptables -D OUTPUT -d 212.7.208.65 -j DROP



Further info .. it creates a file/folder called WIFIADAPT in your Home folder

Quote from: DrWeb (through Google translate)
BackDoor.Wirenet.1

Added to the virus database Dr.Web:    21/08/2012
Inserted    22/08/2012

Trojan backdoor that can run on Linux and MacOS X. Has keylogger functionality, can steal passwords typed by the user in the browser Opera, Firefox, Chrome, Chromium, and passwords from applications such as Thunderbird, SeaMonkey, Pidgin.

When executed, it copies itself to the user's home directory.

    In MacOS: folder% home%/WIFIADAPT.app.app
    In Linux: in ~/WIFIADAPT

Establishes a connection to a remote command center at 212.7.208.65.

Uses a check connections using encryption algorithm Advanced Encryption Standard (AES).


Original source:
http://vms.drweb.com/virus/?i=1957835

There is still no proof that this malware even exists .. a quick search seems to suggest nobody has been able to find a sample of it ???
« Last Edit: August 30, 2012, 05:15:19 pm by Mark Greaves (PCNetSpec) »
WARNING: You are logged into reality as 'root'

logging in as 'insane' is the only safe option.
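
A host-side check built from the indicators in the post above (the WIFIADAPT path and the 212.7.208.65 address), as an added example that is not part of the original thread; the function names are hypothetical. It also reports when the appended DROP rule is present but sits behind a blanket ACCEPT in the OUTPUT chain, in which case it never matches.

```shell
#!/bin/sh
# Added example (not from the thread); function names are hypothetical.
C2_IP="212.7.208.65"   # address quoted in the post above

# List indicator paths under one home directory.
# Returns 0 if at least one exists, 1 otherwise.
find_wirenet_paths() {
    home=$1
    status=1
    # Names as given in the quoted write-up (Linux, then Mac OS X).
    for name in WIFIADAPT WIFIADAPT.app.app; do
        # -e matches a file or a directory; the post says "file/folder".
        if [ -e "$home/$name" ]; then
            ls -ld "$home/$name"
            status=0
        fi
    done
    return "$status"
}

# Read `iptables -S OUTPUT` text on stdin and print one word:
#   effective - the DROP for C2_IP is present and no bare ACCEPT precedes it
#   shadowed  - a bare "-A OUTPUT -j ACCEPT" comes first, so DROP never matches
#   missing   - no unconditional DROP for C2_IP
# Only the bare-ACCEPT case of shadowing is detected.
drop_rule_state() {
    awk -v ip="$C2_IP" '
        $0 == "-A OUTPUT -j ACCEPT" && !drop { accept_first = 1 }
        $0 == ("-A OUTPUT -d " ip "/32 -j DROP") ||
        $0 == ("-A OUTPUT -d " ip " -j DROP") { drop = 1 }
        END {
            if (!drop) print "missing"
            else if (accept_first) print "shadowed"
            else print "effective"
        }'
}

# Live use (needs root for iptables): ./check.sh --scan
if [ "${1:-}" = "--scan" ]; then
    for h in /home/* /root; do
        if [ -d "$h" ]; then find_wirenet_paths "$h" || true; fi
    done
    echo "iptables rule: $(iptables -S OUTPUT | drop_rule_state)"
fi
```

A rule added with `iptables -A` does not survive a reboot unless it is saved, so "missing" after a restart is expected.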

SeZo
Re: Wirenet-1 - Tux gets a virus...
« Reply #8 on: August 30, 2012, 05:33:48 pm »
I suppose it is telling:
Quote
Anti-virus software from Doctor Web successfully detects and removes the backdoor, so the threat does not pose a serious danger to systems protected by Dr.Web for Mac OS X and Dr.Web for Linux.

Plain and simple FUD
They got the app. for it for: 26 per year for 1 PC ::)
http://news.drweb.com/show/?i=2679&lng=en&c=14
« Last Edit: August 30, 2012, 05:43:28 pm by SeZo »

Mark Greaves (PCNetSpec)
Re: Wirenet-1 - Tux gets a virus...
« Reply #9 on: August 30, 2012, 05:44:04 pm »
Precisely my opinion .. and all the other websites that are quoting it are getting their info directly from the DrWeb AV website ::)

As I said, nobody seems to be able to track down an example of the malware/code :o .. and until they do, I'm going to consider it a load of rubbish.

But even if they do, it's no big deal .. and certainly nothing to worry about if you get your software from trusted sources such as the default software repositories :)



A telling line from the DrWeb site is ..

Quote
"It's not clear yet how the Trojan, which was added to the Dr.Web virus database as BackDoor.Wirenet.1, spreads.

http://news.drweb.com/show/?i=2679&lng=en&c=14

Which to me sounds like .. We can't mention a mode of transmission, otherwise the scam would fall apart.

How can they have a fix for something they admit they don't know how it works ?
« Last Edit: September 26, 2012, 09:18:50 pm by Mark Greaves (PCNetSpec) »

Andrew4096
Re: Wirenet-1 - Tux gets a virus...
« Reply #10 on: September 26, 2012, 07:10:42 pm »
Perhaps "Dr.Web for Mac OS X" and "Dr.Web for Linux" are the real malware programs. I would be leery of installing either one of those programs on a Mac OSX or Linux system.

 

