[Ars] Powerful, highly stealthy Linux trojan may have infected victims for years

[chemicalfan]

...Like its Windows counterparts, the Linux trojan is extremely stealthy. It can't be detected using the common netstat command. To conceal itself, the backdoor sits dormant until attackers send it unusually crafted packets that contain "magic numbers" in their sequence numbers. The malware may have sat unnoticed on at least one victim computer for years, although Kaspersky Lab researchers still have not confirmed that suspicion. The trojan is able to run arbitrary commands even though it requires no elevated system privileges.

"It's a very interesting piece of code," Baumgartner said. "Not only does it run on Linux, but you can't detect it in the usual ways."

Even a regular user with limited privileges can launch it, allowing it to intercept traffic and run commands on infected machines. Capabilities include the ability to communicate with servers under the control of attackers and functions allowing attackers to run commands of their choice and perform remote management.

Even after its discovery, the Linux component remains a mystery. The underlying executable file is written in the C and C++ languages and contains code from previously written libraries, a property that gives the malicious file self-reliance. The code is also stripped of symbol information, making it hard for researchers to reverse engineer or analyze. As a result, Baumgartner said the trojan may have capabilities that have not yet been uncovered.....

Main article here - http://arstechnica.com/security/2014/12/powerful-highly-stealthy-linux-trojan-may-have-infected-victims-for-years/

Source article (Kaspersky) here - https://securelist.com/blog/research/67962/the-penquin-turla-2/

Scary stuff...
Not the actual malware itself (it's highly targetted), but the concept is worrying. Especially if Android would ever be in scope of future malware of this nature, due to the lack of access to investigate the device.

[Mark Greaves (PCNetSpec)]

Haven't read the articles yet, but I'm already sceptical.

Source =  an AV company

Info = Vague and unverified/unverifiable.

Here we go again......

I'm betting the attack vector (how they get it on your machine in the first place) is missing or glossed over, as is any info on how it elevates it's own privileges ?

My guess, another FUD piece leveraging the fact that sure malicious Linux code is possible, but ignoring the fact that so far any attempt to spread that malicious software faster than it's spotted and eradicated has failed miserably.

Usual warnings apply .. stick to software from trusted repositories, stay updated, don't log on as root .. and you're as safe as it gets (without the need for AV).

[EDIT]

It can't be detected using the common netstat command. To conceal itself, the backdoor sits dormant until attackers send it unusually crafted packets that contain "magic numbers" in their sequence numbers. The malware may have sat unnoticed on at least one victim computer for years, although Kaspersky Lab researchers still have not confirmed that suspicion.

[snip]

Administrators who want to check for Turla-infected Linux systems can check outgoing traffic for connections to news-bbc.podzone[.]org or 80.248.65.183, which are the addresses of known command and control channels hardcoded into the Linux trojan. Admins can also build a signature using a tool called YARA that detects the strings "TREX_PID=%u" and "Remote VS is empty !"

Seriously ??

They're trying to convince us Linux system admins are fooled by it just because it doesn't have an "always active connection .. yeah sysadmins never keep an eye on their logs for unknown outgoing connections, that would be far too complex wouldn't it .. duh!!!

[chemicalfan]

I fully agree it's vague and very FUD-like, it's the mention of zero-day exploits, & arbitrary command execution, got me thinking about weak links in the kernel where a process could elevate it's privilege, and the whole Shellshock affair. Like I said, the attacks have been highly targetted, but the theory is still sound. Well, said trojan would still have to get onto the system in the first place, but it could technically be a drive-by on a compromised website. If a malicious file is downloaded, and can escalate it's privileges via a zero-day kernel exploit, that is a worry. But I guess that worry has always been there, albeit hypothetical. Maybe it's more concrete now? Or maybe it's just FUD.

[Mark Greaves (PCNetSpec)]

Sure Linux isn't 100% proof against malicious code (I doubt anything ever will be) but it makes it extremely difficult to spread that code .. targeted attacks are another matter, but then they're usually against a hardened target.

Drive by's are AFAIK unlikely to break out of a modern browser, specially under Linux .. I'll believe them when they show me the attack vector and mechanism, until then it's definitely FUD.

But with zero mention of the attack vector, no clear explanation of the mechanism, it not having been seen "in the wild", and no verifiable example (or any proof) of it actually ever being exploited I'd put money on it being yet another (obviously sponsored) storm in a teacup that if necessary will be quickly patched against and nothing for the average desktop user to panic about

[chemicalfan]

Once again, open source to the rescue 

And once again, corporations spreading FUD against it