Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

New Linux Rootkit Emerges

timothy posted about 2 years ago | from the horses-getting-nervous dept.

Security 172

Trailrunner7 writes "A new Linux rootkit has emerged and researchers who have analyzed its code and operation say that the malware appears to be a custom-written tool designed to inject iframes into Web sites and drive traffic to malicious sites for drive-by download attacks. The rootkit is designed specifically for 64-bit Linux systems, and while it has some interesting features, it does not appear to be the work of a high-level programmer or be meant for use in targeted attacks. The Linux rootkit does not appear to be a modified version of any known piece of malware and it first came to light last week when someone posted a quick description and analysis of it on the Full Disclosure mailing list. That poster said his site had been targeted by the malware and some of his customers had been redirected to malicious sites."

cancel ×

172 comments

Sorry! There are no comments related to the filter you selected.

There's a new secure OS called... (-1, Troll)

Anonymous Coward | about 2 years ago | (#42043779)

There's a new secure OS called Windows 8 - maybe it's time you nerds started upgrading to it!

Re:There's a new secure OS called... (0)

somersault (912633) | about 2 years ago | (#42043821)

Moderately funny, but this is about servers. A more apt joke would be about Windows Server 2008 or 2012.

Re:There's a new secure OS called... (3, Funny)

Anonymous Coward | about 2 years ago | (#42046013)

A more apt joke would be about Windows Server 2008 or 2012.

An even more apt joke would be something like:

# apt-get install windows-server-2008
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Unable to locate package windows-server-2008

But that doesn't seem to work.

Re:There's a new secure OS called... (4, Funny)

Sulphur (1548251) | about 2 years ago | (#42043961)

There's a new secure OS called Rootkit Server 12 - maybe it's time you nerds started upgrading to it!

This is the year of the Linux rootkit.

Re:There's a new secure OS called... (2)

DickBreath (207180) | about 2 years ago | (#42044381)

> This is the year of the Linux rootkit.

. . . on the desktop?

Or on hundreds of millions of Android phones. Or supercomputers. Or TiVos or other DVRs. Or routers, printers, and countless other devices. OMG the world is going to end in 2012!!!

Better to switch to a safe proprietary OS that has never had a security problem.

Re:There's a new secure OS called... (1)

Anonymous Coward | about 2 years ago | (#42044975)

Better to switch to a safe proprietary OS that has never had a security problem.

Menuet64? [wikipedia.org]

Re:There's a new secure OS called... (2, Informative)

slashmydots (2189826) | about 2 years ago | (#42044589)

There's a new secure OS called Rootkit Server 12 - maybe it's time you nerds started upgrading to it!

This is the year of the Linux rootkit.

Why? Linux has been around 85% of all web servers in the world for a loooooong time. You don't target the 15% windows servers to get stuff done.

Slashdot years of FUD at an end (-1)

Anonymous Coward | about 2 years ago | (#42046147)

Linux gets used by the majority since they're smallfry and cash strapped since Linux = free. You now see the price of not being able to hide by security by obscurity/lack of widespread usage/majority of marketshare in a particular role. That price? Getting attacked. Just as Windows has been for decades since it has maintained such a majority of usership/marketshare on PC desktops and Servers combined, and it surely isn't the % you quote. On desktops it is a 90% in favor of Windows, and in the Fortune 100/500 it's nearer to 50/50. Oh the glorious years of FUD and complete bullshit lies by the Penguins on slashdot comes to a close in 2012 but they still keep trying to spread the FUD!

Shurely Mr Micro$hill (0)

Anonymous Coward | about 2 years ago | (#42047299)

..all you say must be true.

But here is some good advice for your Evil Lord Ballmer:

1.) Don't always use the old Redmond Propaganda Memes. You are too easy to identify and blasted back into your rathole.

2.) Find an ACTUAL Exploit, instead of coming up with this irrelevant crap. You know, something like "virus hiding in icon on USB stick an pwning the box upon insertion of stick." Something like these hundreds of Windows kernel-level exploits.

Re:Shurely Mr Micro$hill (0)

Anonymous Coward | about 2 years ago | (#42047493)

Nix Nuke Week in progress (lmao) http://linux.slashdot.org/comments.pl?sid=3263519&cid=42046945 [slashdot.org] with android linux exploits occurring almost daily too.

Re:There's a new secure OS called... (0)

Anonymous Coward | about 2 years ago | (#42046371)

More like 11% and heading downhill fast. Even MS doesn't want you to use server 2012 for just websites.

Re:There's a new secure OS called... (0, Offtopic)

Anonymous Coward | about 2 years ago | (#42043963)

http://joshwieder.blogspot.com/2012/09/windows-8-rootkit-discovered-in-wild.html

Sure (-1)

Anonymous Coward | about 2 years ago | (#42045339)

Your boss first funds some smearing of FreeBSD and Linux and now he pays you for your great suggestions. Nice.

Been a week of FLAMING RUIN for Nix (0)

Anonymous Coward | about 2 years ago | (#42046945)

This rootkit on Linux and the security breach @ FreeBSD http://it.slashdot.org/story/12/11/19/1649254/two-freebsd-project-servers-hacked [slashdot.org]

Don't forget the daily Android Linux exploits too (0)

Anonymous Coward | about 2 years ago | (#42047543)

They happen all the time since Android's a Linux. Security by Obscurity no more Penguins.

Re:There's a new secure OS called... (0)

Anonymous Coward | about 2 years ago | (#42047033)

The next Patch Tuesday will be coming sooner than we all think. I can't wait! I'll see you there.[/sarcasm]

Re:There's a new secure OS called... (0)

Anonymous Coward | about 2 years ago | (#42047457)

Next new Android Linux exploit'll be sooner than that.

Security through obscurity FAIL (-1, Troll)

Anonymous Coward | about 2 years ago | (#42043853)

The harsh light of daylight shines on the Linux security model, and the time of preaching from a pedestal about security due to the fact nobody really uses this OS except hobbyists and niche markets comes shockingly into view. Fact is, all operating systems are insecure, and while it's nice that Linux has gained a reputation as a secure alternative to Windows, the fact of the matter is that no one has really given a shit until now enough to really poke a hole in it. Trust me, the weaknesses are there, and be exploited they shall.

Re:Security through obscurity FAIL (4, Informative)

Gaygirlie (1657131) | about 2 years ago | (#42043951)

Yada-yada-blabber-blabber.

nobody really uses this OS except hobbyists and niche markets

Yeah, what with Microsoft, Amazon, Google, Valve and so on. Oh, pssh, they're irrelevant; they count as nobodies, right?

Re:Security through obscurity FAIL (2)

0123456 (636235) | about 2 years ago | (#42043973)

Since you're so knowledgeable, maybe you could explain to us which 'weakness' this rootkit is exploiting to get itself installed?

Re:Security through obscurity FAIL (4, Informative)

Penguinisto (415985) | about 2 years ago | (#42044309)

Dunno about AC, but first glance seems to be that it exploits shitty PHP code in order to get itself hosted onto the websites.

According to TFA, it appears to target one specific kernel (Debian-based), and tries to do some hokey-pokey with RAM to get itself executed. If you want a better description go to the original report [seclists.org]

TFA gives some details [crowdstrike.com] , however:

The kernel module in question has been compiled for a kernel with the version string 2.6.32-5. The -5 suffix is indicative of a distribution-specific kernel release. Indeed, a quick Google search reveals that the latest Debian squeeze kernel has the version number 2.6.32-5.

The module furthermore exports symbol names for all functions and global variables found in the module, apparently not declaring any private symbol as static in the sources. In consequence, some dead code is left within the module: the linker can't determine whether any other kernel module might want to access any of those dead-but-public functions, and subsequently it can't remove them.

...doesn't say exactly how, but there is one thing that is entirely left out of the equation... if it's a drive-by download, does it definitely require user involvement, or not? According to the original report, the complaints were that they customers were being redirected to a malicious site, but nothing about a trojan being involved.

Re:Security through obscurity FAIL (2)

mlts (1038732) | about 2 years ago | (#42044957)

The rootkit is half the battle as TFA says... what gets me really wondering is the exploit they used to get unfettered root access, especially if SELinux is enabled and enforcing.

The best short term defense against this? A monolithic kernel that has all modules compiled in, and has module loading disabled. Of course, this loses a lot of functionality.

Long term, maybe the best defense would be to take the TE (trustchk) system from AIX (which can be configured to not run any binaries that are not in a signed database), have signed kernel modules, and use a TPM + LUKS to ensure that if there is tampering, the boot process stops because there is no key to mount the root filesystem. Yes, TPM is a double-edged sword, but it does do well in guarding against these types of attacks.

Quick fix (5, Interesting)

AliasMarlowe (1042386) | about 2 years ago | (#42045813)

The best short term defense against this?

Just put
exit 0
at the end of your /etc/rc.local and the rootkit becomes unloadable. Just like in Debian Squeeze.

Re:Security through obscurity FAIL (2)

micheas (231635) | about 2 years ago | (#42046067)

Debian does not have SELinux enabled by default. So that is one barrier that frequently they won't have to cross in getting root access.

Debian might also have been targeted for its large market share and not having security extension installed by default. Considering the wide range of uses that Debian is put to it seems like maybe they should create a "public server" install profile that includes things like SELinux enabled and checkrootkit and other routine auditing tools installed.

Re:Security through obscurity FAIL (1)

mlts (1038732) | about 2 years ago | (#42046375)

IMHO, this is one thing they really need to look into fixing to keep up with what threats are out there.

It doesn't matter if they use SELinux or AppArmor. Just use something to limit the context things run in so even if something like Apache gets compromised, even with a way to UID 0, the mischief they can do is limited, be it to a directory or filesystem, or to only a segment of process space.

One thing I like is how sandboxie works on Windows -- a sandboxed program would have a list of executables (either explicitly specified, or via directory wildcards) that it can run, and this would include what context the process would run under (be it SUID root, user, or another user). Attempts to run anything else under a different context would be blocked. That way, if the apache binary tried to run the /bin/passwd command, it would be blocked.

Re:Security through obscurity FAIL (2)

K. S. Kyosuke (729550) | about 2 years ago | (#42045417)

Dunno about AC, but first glance seems to be that it exploits shitty PHP code in order to get itself hosted onto the websites.

How does "first glance" tell you that? And are you talking about code written in the PHP language or about the PHP implementation? And even if you break into a PHP implementation remotely, how do you make the kernel load the module, assuming the administrator isn't an outright idiot and the PHP process isn't running as root?

It Could Entirely Be Redmond Propaganda (1)

Anonymous Coward | about 2 years ago | (#42045443)

1.) Pseudonymous source "stacktrace"

2.) Noone explains which weakness is being "exploited"

I call bullshit on this until they show the code which actually own the Linux kernel. If you could trace this whole thing, I am quite positive it leads to the checkbook of a Mr Ballmer, resident of Redmon, WA, USA.

Re:It Could Entirely Be Redmond Propaganda (-1)

Anonymous Coward | about 2 years ago | (#42045907)

You're a retard.

Re:It Could Entirely Be Redmond Propaganda (1)

Dishevel (1105119) | about 2 years ago | (#42045923)

Who is Noone and how well does he explain the weakness being exploited.?
Damn that guy gets around.

Re:Security through obscurity FAIL (0)

Hal_Porter (817932) | about 2 years ago | (#42044033)

If you want security you need a Unix with a Strong Leader like Theo De Raadt. He may be a bastard, but he makes the trains run on time.

Re:Security through obscurity FAIL (0)

Anonymous Coward | about 2 years ago | (#42044255)

If you want security you need a Unix with a Strong Leader like Theo De Raadt. He may be a bastard, but he makes the trains run on time.

Theo De Raadt was neutered?

Re:Security through obscurity FAIL (2)

Penguinisto (415985) | about 2 years ago | (#42044341)

He may be a bastard, but he makes the trains run on time.

...try and submit some shit code onto Linus' lap for kernel inclusion... I dare you. ;)

Re:Security through obscurity FAIL (0)

Anonymous Coward | about 2 years ago | (#42044871)

Here you go [gnu.org]

Drepper's crap is why I don't use Linux.

Re:Security through obscurity FAIL (1)

TheRaven64 (641858) | about 2 years ago | (#42045171)

To be fair to Linux, glibc is not in the Linux kernel. That's why it's important to say GNU/Linux: because Drepper deserves the blame at least as much as Linus. Android, for example, is Linux and uses a FreeBSD libc derivative instead of glibc.

Care To Elaborate ? (0)

Anonymous Coward | about 2 years ago | (#42047573)

Or are you just another Redmond FUD-$hill ?

Re:Security through obscurity FAIL (1)

V!NCENT (1105021) | about 2 years ago | (#42046795)

How about MAC (Mandatory Acces Control)?

Hello SELinux... (Fedora)

Re:Security through obscurity FAIL (0)

Anonymous Coward | about 2 years ago | (#42044053)

You really need to try harder.

Re:Security through obscurity FAIL (0)

Anonymous Coward | about 2 years ago | (#42045883)

Well said: A well-placed truth has /. Linux FUD spreaders quaking in rage!

Re:Security through obscurity FAIL (1)

mcgrew (92797) | about 2 years ago | (#42046839)

...while it's nice that Linux has gained a reputation as a secure alternative to Windows, the fact of the matter is that no one has really given a shit until now enough to really poke a hole in it.

Frothing at the mouth, Mr. Ballmer? Linux isn't a "a secure alternative to Windows for most folks using it, it runs on everything from wristwatches to the most powerful supercomputers in the world. Most web servers are running Linux. If Linux were easy to exploit, you'd have heard of a LOT of exploits.

Re:Security through obscurity FAIL (1)

Belial6 (794905) | about 2 years ago | (#42047349)

I would think that TVs would be the ideal target. Sure, the processing power is low, but nobody even considers watching for malware on TVs. I wouldn't be surprised to find out that the computer running Linux inside my TV never turns off. Of that is the case, a malware writer the targeted TVs would have 100k - millions of low power but always on and never protected computers to run there malware on.

Of course that would only be if Linux were easy to exploit.

Oh Yeah, Crap-Meme #7 (0)

Anonymous Coward | about 2 years ago | (#42047399)

"All Operating Systems Are As Crappily Insecure As Windows".

Except that this "rootkit" has to be run with root privileges to be a threat. Message to Redmond: Unix systems are not browsing as administrative user, unlike the historical norm of WINDOWS.

No big deal? (1)

YodasEvilTwin (2014446) | about 2 years ago | (#42043893)

it does not appear to be the work of high-level programmer or be meant for use in targeted attacks

So basically it's installed by some jerkoff contractor with root access, and it's not something involving a hole in the server security?

Re:No big deal? (0)

Gadget_Guy (627405) | about 2 years ago | (#42044249)

Well, they are suspecting a Russian based attacker, so unless you contract out to Russian jerks then I fear that your supposition is unsupported and is most likely based on wishful thinking. The code was not well hidden, and they didn't strip the symbols in the executable file - hence the programmer still has a lot to learn.

Brace yourselves... (-1)

Anonymous Coward | about 2 years ago | (#42043901)

... The APK copy-paste spam is coming...

Re:Brace yourselves... (-1)

Anonymous Coward | about 2 years ago | (#42045073)

Maybe you want it to come, so you can post some snarky reply. Also after the MyCleanPC spams, a couple of people started to miss them in a similar fashion.

Re:Brace yourselves... (0)

Anonymous Coward | about 2 years ago | (#42045933)

you have such courage to post as ac instead of your registered luser name.

Re:Brace yourselves... (0)

Anonymous Coward | about 2 years ago | (#42046071)

Hahahaha. Awww, poor little ac troll got down moderated to -1.

Infection method? (5, Insightful)

Gaygirlie (1657131) | about 2 years ago | (#42043915)

How come neither of the links actually describe how this malware infects the machine in the first place? I'd say that's quite an important piece of information completely missing.

Re:Infection method? (2, Informative)

hawguy (1600213) | about 2 years ago | (#42044075)

How come neither of the links actually describe how this malware infects the machine in the first place? I'd say that's quite an important piece of information completely missing.

I don't think it's self-replicating or installing itself by some vulnerability, I believe it would have to be installed maliciously (perhaps by an employee, or maybe by someone using an unrelated root exploit), or as a Trojan Horse - many people are happy to blindly install unsigned packages on their system, running the installation as root.

Back in the day, I used to make at least a cursory inspection of the Makefile and sometimes would even look over the source code associated with distributed packages. But now I just install the package without even paying attention to what files are being installed. I am a little careful about where I download my packages from, and almost always installed signed packages by a trusted distributor, but I do install packages from unknown developers from time to time.

Re:Infection method? (2)

hobarrera (2008506) | about 2 years ago | (#42044251)

Indeed. All it says is thay you're redirected to an iframe. How it breaks out of the browser's sandbox and then obtains root priviledges isn't mentioned either. I'm quite interested in how they achieved this too, since it would mean that there's a huge priviledge escalation in linux that nobody noticed.

Re:Infection method? (0)

Anonymous Coward | about 2 years ago | (#42044357)

Maybe it depends on stupid users clicking OK on a download dialogue and then running a compiled ELF binary, which installs a "free virus scanner" or "64 bit Ubuntu 12.10 Optimizer" app. ...by the way, YOU JUST WON A FREE IPOD!!!1one

Re:Infection method? (0)

Anonymous Coward | about 2 years ago | (#42046583)

Bah! Wake me up when I win something with Android on it.

Re:Infection method? (3, Informative)

tyleroar (614054) | about 2 years ago | (#42044685)

I think you are confused as to what this is doing. How the malware initially got loaded onto the *NIX box is not discussed in the write-up. The malware does not break out of the browser's sandbox and obtain root privileges. The malware is used to add/change the file being served by the web server. There is no mention of what file the malware was being used to serve up...it could be used just to transparently serve up ads or could be used to serve up some client-side exploits.

Re:Infection method? (1)

squiggleslash (241428) | about 2 years ago | (#42045723)

To be honest, other than constantly using the word "rootkit", I don't see any references to getting root via this "kit". And the link (this one: https://threatpost.com/en_us/blogs/new-linux-rootkit-emerges-112012 [threatpost.com] ) looks like it was written by a computer program pulling random sentences from a malware description and turning it into an article.

I'm going to wait for the dup, hopefully it'll link to an Ars Technica article or something else relatively reputable.

Re:Infection method? (0)

Anonymous Coward | about 2 years ago | (#42044253)

Seems to be a kernel module for Debian squeeze.

Re:Infection method? (1)

Gaygirlie (1657131) | about 2 years ago | (#42044575)

That does not explain how it gets installed.

Re:Infection method? (1)

ThatsNotPudding (1045640) | about 2 years ago | (#42044439)

How come neither of the links actually describe how this malware infects the machine in the first place? I'd say that's quite an important piece of information completely missing.

It's something new in the Defense of The Dark Arts: Security Thru Obscurity!

Re:Infection method? (2)

sl4shd0rk (755837) | about 2 years ago | (#42044615)

Looks like an infected kernel module so one of the below:
    1) server was cracked, and module compiled
    2) compromised kernel mod in distro

more likely #1 but probably too early to tell. Grepping kernel sources for some of the text in the module_init binary may be fun:
http://seclists.org/fulldisclosure/2012/Nov/94 [seclists.org]

Why Only 64-bit (2)

medv4380 (1604309) | about 2 years ago | (#42043925)

Just curious why the root kit is only targeting 64-bit. Is it specifically targeting the intel 64bit spec that allows for privileged escalation, or something like that? Reading the article makes it sound like it's an exploit of the AMD little endian pointers which, since I don't know hardware on that level, I don't know if that means it's actually a CPU exploit or an OS exploit. And if it's a CPU exploit I don't know if it's all AMD64 based including or excluding Intel.

Re:Why Only 64-bit (1)

Sulphur (1548251) | about 2 years ago | (#42044107)

Just curious why the root kit is only targeting 64-bit. Is it specifically targeting the intel 64bit spec that allows for privileged escalation, or something like that? Reading the article makes it sound like it's an exploit of the AMD little endian pointers which, since I don't know hardware on that level, I don't know if that means it's actually a CPU exploit or an OS exploit. And if it's a CPU exploit I don't know if it's all AMD64 based including or excluding Intel.

Did it work on 32-bit?

Re:Why Only 64-bit (4, Informative)

hobarrera (2008506) | about 2 years ago | (#42044233)

amd64 is the name of the architecture you normally call "64bits" or "x86_64" every day, and is an extension of "i686".
The name is so merely because amd came up with it.

Intel's modern microprocessors are amd64 as well (they just call it a different name).

Re:Why Only 64-bit (1)

medv4380 (1604309) | about 2 years ago | (#42046537)

Except Intel didn't implement AMD64 correctly 100%. You can read the US-CERT [cert.org] for yourself if you want. For that all you had to do was run a couple of commands and your code could be escalated to kernel level privileges, but only on Intel 64bit. It would be bad to assume that what works on one as an exploit would work the same way on the other. My concern is about this being a flaw in the CPU similar to what happened with Intel 64bit.

Re:Why Only 64-bit (3, Interesting)

quintus_horatius (1119995) | about 2 years ago | (#42044355)

FTFA (emphasis added):

"To hook private functions that are called without indirection (e.g., through a function pointer), the rootkit employs inline code hooking. In order to hook a function, the rootkit simply overwrites the start of the function with an e9 byte. This is the opcode for a jmp rel32 instruction, which, as its only operand, has 4 bytes relative offset to jump to," Georg Wicherski of CrowdStrike wrote in a detailed analysis of the new Linux malware.
"The rootkit, however, calculates an 8-byte or 64-bit offset in a stack buffer and then copies 19 bytes (8 bytes offset, 11 bytes unitialized) behind the e9 opcode into the target function. By pure chance the jump still works, because amd64 is a little endian architecture, so the high extra 4 bytes offset are simply ignored."

Re:Why Only 64-bit (1)

medv4380 (1604309) | about 2 years ago | (#42046333)

I read that already, but "By pure chance the jump still works, because amd64 is a little endian architecture" which makes me think this is an exploit of the CPU, and not an exploit of the OS. From what that says it overwrites the start of the function that it's targeting with a relative jump of 32 bits of 1 byte. It then calculates a 64 bit address of 8 bytes I assume this is the address of some Root Level command. It then copies the 8 bytes after the 1 byte rel32 byte and an additional 11 bytes of junk. Then some magic happens with the little endian arch and it only reads 4 bytes of the 8 when it does the relative jump. So was the exploit that the OS let the malware overwrite the functions start. Was it that the OS let the malware calculate the 64bit address to no ware. Or was the exploit that the CPU ignored the 4 bytes of the 8 bytes resulting in it going to a completely different part of memory? If it's the CPU's fault then this exact trick would work on Windows. If it's the OS fault then this wouldn't work this way in Windows.

Re:Why Only 64-bit (0)

Anonymous Coward | about 2 years ago | (#42044361)

It was found only by one person in one computer as a kernel module. This computer is certainly 64-bit, probably amd64.

Re:Why Only 64-bit (1)

mlts (1038732) | about 2 years ago | (#42044985)

If I were a betting person, I'd say the reason why it was built for 64 bit architectures is because most servers use more than 4GB of RAM, which is the limit for 32 bit operating systems. I could be completely wrong on all counts though.

Re:Why Only 64-bit (1)

fearlezz (594718) | about 2 years ago | (#42045993)

I'm not so sure about that. The kernel module uploaded to the full discosure list happened to be a amd64 module targetting debian kernel 2.6.32-5. But when it's not php, most malware I've seen was distributed as source code, compiled at the target machine to match the targets specifications.

where's patch?? (1)

Faisal Rehman (2424374) | about 2 years ago | (#42043981)

If patch is made, kindly share asap.

Re:where's patch?? (0)

Anonymous Coward | about 2 years ago | (#42045419)

I made a patch for it that I'd be happy to share. Go to www.downloadthisbadwareandrunit.com. There are several links on the left hand side. Any of them should protect you from the rootkit. I promise I won't steal your information.

Re:where's patch?? (0)

Archenoth (2592069) | about 2 years ago | (#42045931)

2012

Year of the Linux rootkit.

They Year Of (0)

Anonymous Coward | about 2 years ago | (#42047163)

..new Baseless Smear Tactics by a Scared Mr Ballmer.

Re:where's patch?? (1)

Anonymous Coward | about 2 years ago | (#42045867)

there is nothing to patch, idiot

Rootkit emerged (3, Funny)

Anonymous Coward | about 2 years ago | (#42044393)

Must be specifically targeted at Gentoo then.

Infection Method - Well it's not... (5, Informative)

Kagato (116051) | about 2 years ago | (#42044409)

If you dig into the articles to some of the raw analysis you'll discover two things.

1) "It remains an open question regarding how the attackers have gained the root privileges to install the rootkit. However, considering the code quality, a custom privilege escalation exploit seems very unlikely." So it unlikely that they gained root with something new, but it was a web site that was hacked, so the likely vector is something related to what the site it was running. PHP, WordPress, DB Injection, and Apache exploits.

2) "Based on the Tools, Techniques, and Procedures employed and some background information we cannot publicly disclose, a Russia-based attacker is likely."

Re:Infection Method - Well it's not... (2)

Gaygirlie (1657131) | about 2 years ago | (#42044649)

1) "It remains an open question regarding how the attackers have gained the root privileges to install the rootkit. However, considering the code quality, a custom privilege escalation exploit seems very unlikely." So it unlikely that they gained root with something new, but it was a web site that was hacked, so the likely vector is something related to what the site it was running. PHP, WordPress, DB Injection, and Apache exploits.

That's what I thought, too, but it should be researched more carefully. If the malware in question was injected in the first place via PHP, WordPress or something similar then that makes this much, much less of an important issue. However, if the malware did indeed use one or another exploit in the kernel or the default GNU userland, well, THAT would be truly news-worthy and should raise some serious flags.

Re:Infection Method - Well it's not... (0)

Anonymous Coward | about 2 years ago | (#42045209)

You clearly didn't read TFA. (The one with the black background.)

It doesn't contain any form of exploit at all. It is a program that has to be executed as root. If you are root, you already can do everything. (Like write to /dev/mem.) No need for exploits.

It isn't even a rootkit. Because "rootkit" implies getting root access from a non-root state.

Re:Infection Method - Well it's not... (1)

Gaygirlie (1657131) | about 2 years ago | (#42047679)

You clearly didn't read TFA. (The one with the black background.)

It doesn't contain any form of exploit at all. It is a program that has to be executed as root. If you are root, you already can do everything. (Like write to /dev/mem.) No need for exploits.

It isn't even a rootkit. Because "rootkit" implies getting root access from a non-root state.

You're assuming things. I did obviously read TFA. The thing is that the kernel module and its files could be a PART of a rootkit, not that the module itself contains any exploit code. That's why I used the wording "malware in question was injected," ie. the actual infection was done by another entity -- we just do not yet know whether or not it was done by a human person or computer code.

It's About Time (-1)

Anonymous Coward | about 2 years ago | (#42044733)

Linux rootkit?

Yes! It's about time some of the big manufacturers got interested in Linux. Way to go Sony.

This seems superfluous... (0)

Anonymous Coward | about 2 years ago | (#42044759)

The rootkit is designed specifically for 64-bit Linux systems

If it's meant to attack websites, it's aimed at web servers. Do actual production web servers that receive non-trivial levels of traffic and haven't been migrated to 64-bit hardware still exist?

This is not a rootkit! It's a joke! (0)

Anonymous Coward | about 2 years ago | (#42045131)

He didn't mention any form of infection. Apparently it is just an application you manually have to start as root, which then hooks itself into the system like a rootkit.

Without infection mechanism, it's not a rootkit. Let alone dangerous.

This is a case of PEBKAC. If somebody has root access, it doesn't matter if he installs some lame rootkit. He already has full access! It's already too late!

Kids these days...

Re:This is not a rootkit! It's a joke! (2)

maxwell demon (590494) | about 2 years ago | (#42045719)

Wrong. A rootkit is code which maliciously takes over certain functionality at root level. How it got installed doesn't matter for its classification as rootkit. Of course most rootkits get installed by some virus, worm or trojan, but a rootkit which some cracker installed by hand is still a rootkit.

conditionbrownpants ?? (1)

Janek Kozicki (722688) | about 2 years ago | (#42045225)

Ok, why this story is tagged with conditionbrownpants? Anybody cares to explain?

(and no, it's not because of my post, because I'm asking after this tag appeared)

Linus Torvalds' anus erupts in blood! (-1)

Anonymous Coward | about 2 years ago | (#42045967)

LMAO, from the shock that all the years of /. fud are at an end!

Re:Linus Torvalds' anus erupts in blood! (0)

Anonymous Coward | about 2 years ago | (#42046451)

Get him a diaper at least. Sounds like he needs one.

Sound like Linus T. got 'rooted' (0)

Anonymous Coward | about 2 years ago | (#42047025)

A natural reaction to a large 'root' going up into that area of his torso.

How safe is Linux web-browsing in general? (0)

Anonymous Coward | about 2 years ago | (#42045975)

Just out of curiosity:

As a Linux user, in general, how safe is my web-browsing experience from attackers installing the code of their choice on my system?

I run a GNU/Linux 64-bit system that was released in 2012. I use the latest Firefox with common media plugins, running as an ordinary unprivileged user. Assume that I have an average level of awareness of Internet security issues (which is to say: not much, but I am smart enough not to execute random files).

Re:How safe is Linux web-browsing in general? (0)

Anonymous Coward | about 2 years ago | (#42046467)

Are you kidding. As long as you don't run java (which is different from javascript), the odds are about nil. But don't trust anything you might manually want to download. It will have local privileges if it executes and might damage your local files and/or settings.

Re:How safe is Linux web-browsing in general? (0)

Anonymous Coward | about 2 years ago | (#42047345)

Are you kidding.

So what exactly do you mean: "are you kidding"?

Does that mean that I'm supposed to assume that just because Linux has had a good track record of browsing security in the past that it will always continue be secure in the future?

Am I supposed to stop asking that question because it's somehow silly to keep wondering if my system is still secure?

Tell me -- what exactly was wrong with my asking that question?

And given your flippant, careless attitude about security vigilance, why should I believe your answer?

Re:How safe is Linux web-browsing in general? (3, Informative)

Gaygirlie (1657131) | about 2 years ago | (#42047831)

There aren't any known, widespread Linux-based viruses or malware, and the few ones that do exist target server software, Java and/or Flash. And even if you found malware that still made its way in your computer via e.g. a vulnerability in the browser's Javascript - implementation that malware would still have to get root privileges in order to properly hide its existence -- there aren't any known, widespread security holes either in the Linux-kernel or the GNU userland, so if you keep your system up-to-date the chances are very, very slim the code would be able to get root privileges.

That is to say that if you e.g. used Firefox without Java and with the Flashblock add-on there'd be more-or-less no chances of you getting anything. Don't get scared by articles like this one because, well, this one doesn't spread via the web browser in the first place -- it was likely installed on the system by hand by someone who got access to it because of poor website implementation.

Very Safe (0)

Anonymous Coward | about 2 years ago | (#42047101)

This "rootkit" fails to demonstrate an actual exploit in a browser and/or the Linux kernel. It's 100% Propaganda.

If you want have even more security, use an AppArmor to limit the access rights of your browser. It has no business in reading your OpenOffice files, for example.

Linux rootkit (0)

Anonymous Coward | about 2 years ago | (#42046971)

Rootkit for Liunux: requires that rc.local have no "exit 0" at the end of the script and a very specific kernel. Darn, my kernel is different *and* I have "exit 0" at the end of /etc/rc.local. The only good part about noting this exploit and rc.local is that when I looked at rc.local I noticed that I don't update my CPU writeable control store currently (and that's something I normally do). Thanks for the notice. I downloaded the latest firmware from Intel, and I've once again got it loading in rc.local (before the exit 0 line). Yay!

Redmond PSYOP (0)

Anonymous Coward | about 2 years ago | (#42047057)

The recent "incidents" on xBSD and Linux are short on substance (kernel-level exploits) and long on irrelevant "meat" to impress those who don't know the subject.

It's Propaganda Campaign by Redmond and their "partners" in the Virus Scanner "Protection Business" to scare people away from Free Operating Systems. You bet they have the money to hire shady people to steal an SSH key and you as we see here, they have the money to program pointless "viruses" to be installed while running as root.

This is a clear sign that the Sleazebags in Washington State are Scared To Hell. They know that they can't win on technical or economical merits, so they try Mud-Lobbing.

No more hiding by security-by-obscurity (0)

Anonymous Coward | about 2 years ago | (#42047825)

4 NIX users (BSD hacked, Linux rootkit, Android exploits galore daily) http://linux.slashdot.org/comments.pl?sid=3263519&cid=42047493 [slashdot.org] so your FUD charade? It's over.

Rootkit loads into memory? (1)

dgharmon (2564621) | about 2 years ago | (#42047369)

"The rootkit is designed specifically for 64-bit Linux systems .. The new Linux rootkit is loaded into memory and once there"

How does this 'rootkit' get executed on the target machine, does it require prior root access in order to sucessfully execute?

Re:Rootkit loads into memory? (2)

Gaygirlie (1657131) | about 2 years ago | (#42047849)

"The rootkit is designed specifically for 64-bit Linux systems .. The new Linux rootkit is loaded into memory and once there"

How does this 'rootkit' get executed on the target machine, does it require prior root access in order to sucessfully execute?

Yes, it does. It contains no exploits whatsoever.

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?