Author Topic: [Ars] Powerful, highly stealthy Linux trojan may have infected victims for years  (Read 4885 times)

0 Members and 1 Guest are viewing this topic.

Offline chemicalfan

  • Hero Member
  • *****
  • Posts: 1166
  • Karma: 36
  • Gender: Male
  • I've been here a little while!
    • View Profile
    • Awards
Quote
...Like its Windows counterparts, the Linux trojan is extremely stealthy. It can't be detected using the common netstat command. To conceal itself, the backdoor sits dormant until attackers send it unusually crafted packets that contain "magic numbers" in their sequence numbers. The malware may have sat unnoticed on at least one victim computer for years, although Kaspersky Lab researchers still have not confirmed that suspicion. The trojan is able to run arbitrary commands even though it requires no elevated system privileges.

"It's a very interesting piece of code," Baumgartner said. "Not only does it run on Linux, but you can't detect it in the usual ways."

Even a regular user with limited privileges can launch it, allowing it to intercept traffic and run commands on infected machines. Capabilities include the ability to communicate with servers under the control of attackers and functions allowing attackers to run commands of their choice and perform remote management.

Even after its discovery, the Linux component remains a mystery. The underlying executable file is written in the C and C++ languages and contains code from previously written libraries, a property that gives the malicious file self-reliance. The code is also stripped of symbol information, making it hard for researchers to reverse engineer or analyze. As a result, Baumgartner said the trojan may have capabilities that have not yet been uncovered.....


Main article here - http://arstechnica.com/security/2014/12/powerful-highly-stealthy-linux-trojan-may-have-infected-victims-for-years/

Source article (Kaspersky) here - https://securelist.com/blog/research/67962/the-penquin-turla-2/

Scary stuff...
Not the actual malware itself (it's highly targetted), but the concept is worrying. Especially if Android would ever be in scope of future malware of this nature, due to the lack of access to investigate the device.
« Last Edit: December 10, 2014, 09:26:37 am by chemicalfan »

Offline Mark Greaves (PCNetSpec)

  • Administrator
  • Hero Member
  • *****
  • Posts: 18268
  • Karma: 477
  • Gender: Male
  • "-rw-rw-rw-" .. The Number Of The Beast
    • View Profile
    • PCNetSpec
    • Awards
Haven't read the articles yet, but I'm already sceptical.

Source =  an AV company

Info = Vague and unverified/unverifiable.

Here we go again......

I'm betting the attack vector (how they get it on your machine in the first place) is missing or glossed over, as is any info on how it elevates it's own privileges ?

My guess, another FUD piece leveraging the fact that sure malicious Linux code is possible, but ignoring the fact that so far any attempt to spread that malicious software faster than it's spotted and eradicated has failed miserably.

Usual warnings apply .. stick to software from trusted repositories, stay updated, don't log on as root .. and you're as safe as it gets (without the need for AV).

[EDIT]

Quote
It can't be detected using the common netstat command. To conceal itself, the backdoor sits dormant until attackers send it unusually crafted packets that contain "magic numbers" in their sequence numbers. The malware may have sat unnoticed on at least one victim computer for years, although Kaspersky Lab researchers still have not confirmed that suspicion.

[snip]

Administrators who want to check for Turla-infected Linux systems can check outgoing traffic for connections to news-bbc.podzone[.]org or 80.248.65.183, which are the addresses of known command and control channels hardcoded into the Linux trojan. Admins can also build a signature using a tool called YARA that detects the strings "TREX_PID=%u" and "Remote VS is empty !"

Seriously ??

They're trying to convince us Linux system admins are fooled by it just because it doesn't have an "always active connection .. yeah sysadmins never keep an eye on their logs for unknown outgoing connections, that would be far too complex wouldn't it .. duh!!!
« Last Edit: December 10, 2014, 12:10:22 pm by Mark Greaves (PCNetSpec) »
WARNING: You are logged into reality as 'root'
logging in as 'insane' is the only safe option.
pcnetspec.co.uk

Offline chemicalfan

  • Hero Member
  • *****
  • Posts: 1166
  • Karma: 36
  • Gender: Male
  • I've been here a little while!
    • View Profile
    • Awards
I fully agree it's vague and very FUD-like, it's the mention of zero-day exploits, & arbitrary command execution, got me thinking about weak links in the kernel where a process could elevate it's privilege, and the whole Shellshock affair. Like I said, the attacks have been highly targetted, but the theory is still sound. Well, said trojan would still have to get onto the system in the first place, but it could technically be a drive-by on a compromised website. If a malicious file is downloaded, and can escalate it's privileges via a zero-day kernel exploit, that is a worry. But I guess that worry has always been there, albeit hypothetical. Maybe it's more concrete now? Or maybe it's just FUD.

Offline Mark Greaves (PCNetSpec)

  • Administrator
  • Hero Member
  • *****
  • Posts: 18268
  • Karma: 477
  • Gender: Male
  • "-rw-rw-rw-" .. The Number Of The Beast
    • View Profile
    • PCNetSpec
    • Awards
Sure Linux isn't 100% proof against malicious code (I doubt anything ever will be) but it makes it extremely difficult to spread that code .. targeted attacks are another matter, but then they're usually against a hardened target.

Drive by's are AFAIK unlikely to break out of a modern browser, specially under Linux .. I'll believe them when they show me the attack vector and mechanism, until then it's definitely FUD.

But with zero mention of the attack vector, no clear explanation of the mechanism, it not having been seen "in the wild", and no verifiable example (or any proof) of it actually ever being exploited I'd put money on it being yet another (obviously sponsored) storm in a teacup that if necessary will be quickly patched against and nothing for the average desktop user to panic about ;)
« Last Edit: December 10, 2014, 12:36:54 pm by Mark Greaves (PCNetSpec) »
WARNING: You are logged into reality as 'root'
logging in as 'insane' is the only safe option.
pcnetspec.co.uk

Offline chemicalfan

  • Hero Member
  • *****
  • Posts: 1166
  • Karma: 36
  • Gender: Male
  • I've been here a little while!
    • View Profile
    • Awards
Once again, open source to the rescue  :D

And once again, corporations spreading FUD against it >:(

 


SimplePortal 2.3.3 © 2008-2010, SimplePortal