
posted by on Wednesday January 11 2017, @11:12AM
from the tux-was-asking-for-it dept.

In case you penguin botherers were feeling left out, the folks over at iTWire bring us this little fun bit o' news:

Eset says it has found a Linux variant of the KillDisk malware used in the late 2015 attack on the Ukraine electricity system.

Like its Windows counterpart, the Linux version of KillDisk encrypts files, rendering the affected system unbootable. It asks for the same 222 Bitcoin (around US$278,000) ransom, but the encryption key used is neither stored locally nor sent to a remote server, so even if the perpetrators are paid they have no way of reversing the process.

Eset says its researchers have found a weakness in the encryption method that makes decryption "possible, albeit difficult." Exactly how decryption can be performed was not disclosed.

It's nice to feel noticed but I could personally do without this particular kind of attention.


  • (Score: 2) by shipofgold on Wednesday January 11 2017, @09:50PM

    by shipofgold (4696) on Wednesday January 11 2017, @09:50PM (#452720)

    On Windows, the big problems seem to be with browser vulnerabilities, and with email attachments. The latter is really only a problem when running Outlook AFAICT, so that's not a problem on Linux, and I really haven't heard of any active browser exploits on Linux though I suppose it's possible.

    I am not sure why people think that Linux users are immune to malicious email attachments or other exploits. Sure, the payloads of most of those "here is your invoice" attacks target something in Windows, but IMHO there is nothing sacred about Linux. If spam email attachments with payloads targeted to Linux start getting received by Linux users you will see more infections.

    There are three primary modes of infection on any system:
    --Exploit a vulnerability in a binary that is running on the system. I am sure there are plenty of unpatched shellshock systems out there.
    --get the user to execute a Trojan. Most of the Email attachment and Browser attacks do something in this area...
    --brute force a weak password or social engineer one out of a user.

    I am sure that if the target population is large enough, the bad guys will come.

    I do agree that it would have been nice for the authors of TFA to at least describe any observed transmission technique. In my limited experience with Ransomware on windows, it is many times a trojan that is activated by a browser popup that says something like "You must update your Adobe Acrobat Reader...Download here"

    It is a simple tweak to target Linux users with this type of exploit.

  • (Score: 2) by Grishnakh on Wednesday January 11 2017, @10:46PM

    by Grishnakh (2831) on Wednesday January 11 2017, @10:46PM (#452753)

    You're going to have to explain exactly how, in detail.

    I've never seen a way to run a downloaded binary on my Linux systems, without jumping through hoops. Downloading by itself is certainly easy enough. Actually running it? Not so much. You have to get the user to change the permissions to allow execution, then they have to actually run the thing (at the command line or through a file-manager program). Any user clued in enough to understand Unix permissions and know how to change them for executing a foreign file is pretty likely to know better than to run some random crap off the internet.

    So no, I completely disagree that it is a "simple tweak" to target Linux users with this type of exploit. Maybe if someone makes a browser that makes it really easy to auto-run downloaded files, but distros are unlikely to allow such a browser in their builds because of the obvious security problems.

    Now one thing malware writers could do is target vulnerabilities in installed applications, and then get Linux users to download malware files and use the browser's "Open with..." function to open them with the exploited application. But this isn't so easy on Linux, because it's so heterogeneous. There's tons of different ways a trojaned PDF could be opened, for instance: using the browser's own built-in viewer, or with various different FOSS viewers (evince, okular, etc.), or with FoxIt's Linux version. Adobe doesn't even have a Linux version of their reader any more. Or for a trojaned image file, there's all kinds of image-viewing programs out there that may be set up as default, and there's different backend libraries. On top of that, there's a bunch of different distros, all with libraries built by their own maintainers, and they all get regular updates of libraries like that too. It's such a spread-out, un-standardized moving target that malware writers aren't likely to get far with this approach.

    • (Score: 3, Informative) by Scruffy Beard 2 on Thursday January 12 2017, @12:53AM

      by Scruffy Beard 2 (6030) on Thursday January 12 2017, @12:53AM (#452795)

      .desktop files bypass the permission requirements

      How to write a Linux virus in 5 easy steps [geekzone.co.nz]

      • (Score: 0) by Anonymous Coward on Thursday January 12 2017, @11:09AM

        by Anonymous Coward on Thursday January 12 2017, @11:09AM (#452909)

        That would be a hole in Gnome or KDE, not in Linux. No different from a bug in Flash or Adobe Reader.

      • (Score: 2) by Grishnakh on Thursday January 12 2017, @05:52PM

        by Grishnakh (2831) on Thursday January 12 2017, @05:52PM (#452991)

        Sorry, this is lame. I just tried this myself on a Gnome3 system at work. It works, but only sorta.

        First, this article is from 2009. It's 8 years old now. A lot has changed since then. The article doesn't even talk about whether it works on Unity or not, probably because I'm not even sure Unity was around way back then. And they didn't have Gnome3 or KDE5 back then either.

        Anyway, I tried it on Gnome3, and it doesn't work as advertised. The icon part didn't work at all (I verified the path, and changed it to an icon that's actually there, because no one uses OpenOffice.org any more in 2017). And the item showed up on the desktop as filename.ext.desktop, which is a bit of a red flag. It doesn't show up as filename.ext like the common exploit on Windows which takes advantage of Windows defaulting to hiding the extension. They don't do that kind of stupid stuff on Linux, even in dumbed-down Gnome. Finally, yes, I was able to run a shell command this way without changing permissions, however Gnome first brought up a giant warning message telling me that this application launcher is untrusted and that it's unsafe to launch it if you don't know the source of the file. On top of all that, the icon didn't even show up on my desktop until I moved it to my home directory (not ~/Desktop), though that might be a site-specific setting.

        In short, you'd have to be a real idiot to get infected this way. It takes more than just saving a file to get infected on Linux. The similar exploit on Windows is a lot worse: 99.999% of Windows systems are set to hide file extensions by default, so it's easy to make shortcuts that look like some other kind of file (like a JPEG). And worse, Windows happily executes them when double-clicked, without any kind of warning that you're being conned. As I've shown, this simply isn't the case on Linux, even on Gnome3.

        And that's just one DE. How this would behave under a modern version of Cinnamon, MATE, Unity, KDE4, or KDE5 is still unknown. There just isn't that much consistency between Linux systems these days, and different distros also set things up differently.
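        As an added illustration of the .desktop launcher trick discussed in this sub-thread (this is editor-supplied example code, not from the thread or from the linked geekzone article): a small Python checker that parses a freedesktop Desktop Entry and flags launchers whose Exec line starts a shell or downloader while their Name mimics a document, and that reports whether the file carries the execute bit. Treating the execute bit as the trust signal behind GNOME's "untrusted application launcher" warning is an assumption about Nautilus' behaviour at the time, not something the thread establishes; both sample launchers are constructed and the "malicious" one only writes a marker file.

```python
import configparser
import os
import re
import stat
import tempfile

# Constructed sample: a launcher dressed up as a PDF whose Exec runs a shell.
# The command is harmless here (writes a marker file); real malware would
# stage its payload in the same place.
SUSPICIOUS_DESKTOP = """[Desktop Entry]
Type=Application
Name=invoice.pdf
Icon=application-pdf
Terminal=false
Exec=sh -c "echo owned > /tmp/owned.txt"
"""

# Constructed sample: an ordinary application launcher for comparison.
BENIGN_DESKTOP = """[Desktop Entry]
Type=Application
Name=Text Editor
Icon=accessories-text-editor
Exec=gedit %U
"""

# Programs that, as argv[0] of Exec, mean "run arbitrary code / fetch stuff"
# rather than "open a document". A heuristic list, not exhaustive.
INTERPRETERS = {"sh", "bash", "dash", "zsh", "python", "python3",
                "perl", "curl", "wget"}
DOC_EXT = re.compile(r"\.(pdf|docx?|odt|jpe?g|png|txt|zip)$", re.IGNORECASE)


def parse_desktop(text):
    """Return the [Desktop Entry] group as a dict (keys are case-sensitive)."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                   strict=False)
    cp.optionxform = str
    cp.read_string(text)
    if not cp.has_section("Desktop Entry"):
        raise ValueError("not a desktop entry file")
    return dict(cp.items("Desktop Entry"))


def exec_argv0(exec_line):
    """First word of an Exec line, without path or quotes (simplified quoting)."""
    words = exec_line.strip().split()
    return os.path.basename(words[0].strip("\"'")) if words else ""


def analyse_entry(entry):
    """Heuristic findings for one parsed Desktop Entry."""
    findings = []
    if entry.get("Type") != "Application":
        return findings  # Link/Directory entries do not run commands
    prog = exec_argv0(entry.get("Exec", ""))
    if prog in INTERPRETERS:
        findings.append(f"Exec starts an interpreter or downloader: {prog}")
    if DOC_EXT.search(entry.get("Name", "")):
        findings.append(f"Name mimics a document: {entry['Name']!r}")
    return findings


def launcher_trusted(path):
    """Assumption: the desktop treats a launcher as trusted only when the
    .desktop file itself has the owner execute bit; otherwise it warns."""
    return bool(os.stat(path).st_mode & stat.S_IXUSR)


def scan_file(path):
    with open(path, encoding="utf-8") as fh:
        entry = parse_desktop(fh.read())
    return {"findings": analyse_entry(entry), "trusted": launcher_trusted(path)}


def demo():
    """Write both constructed launchers to a temp dir and scan them."""
    with tempfile.TemporaryDirectory() as d:
        bad = os.path.join(d, "invoice.pdf.desktop")   # what GNOME would show
        good = os.path.join(d, "editor.desktop")
        with open(bad, "w", encoding="utf-8") as fh:
            fh.write(SUSPICIOUS_DESKTOP)               # saved, never chmod'ed
        with open(good, "w", encoding="utf-8") as fh:
            fh.write(BENIGN_DESKTOP)
        os.chmod(good, 0o755)                          # installed launchers carry +x
        return scan_file(bad), scan_file(good)


if __name__ == "__main__":
    for name, report in zip(("invoice.pdf.desktop", "editor.desktop"), demo()):
        print(name, "trusted" if report["trusted"] else "UNTRUSTED",
              report["findings"] or "no findings")
```

        The checker is deliberately a desktop-side heuristic: it says nothing about the kernel, which matches the Anonymous Coward's point that this is a GNOME/KDE behaviour rather than a Linux one. A downloaded launcher lands without the execute bit, so under the stated assumption it is reported untrusted; a launcher installed by a package, which normally has the bit set, is not.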

        • (Score: 1) by Scruffy Beard 2 on Thursday January 12 2017, @11:00PM

          by Scruffy Beard 2 (6030) on Thursday January 12 2017, @11:00PM (#453110)

          Yes, don't know who thought it was a good idea to hide extensions by default.

          I suspect they were trying to copy MacOS, which at the time stored that information in the resource fork of the file, rather than the filename.

          Don't think most modern systems even have a concept of a resource fork.

      • (Score: 2) by urza9814 on Friday January 13 2017, @04:48PM

        by urza9814 (3954) on Friday January 13 2017, @04:48PM (#453359)

        So what happens when it hits a Linux system like mine that doesn't support .desktop files? Oh, right -- nothing.

        Every Linux user is vaccinated -- against different sets of viruses -- merely by having a different base configuration and different software packages installed. Much like regular vaccines, you can get a kind of herd immunity because the virus can't spread as easily. It's also not as worthwhile to create the virus in the first place because the target is smaller.

        And this is why SystemD is going to kill us all...because it seeks to remove that freedom and standardize on one single software package to rule them all. :)

        • (Score: 1) by Scruffy Beard 2 on Friday January 13 2017, @08:54PM

          by Scruffy Beard 2 (6030) on Friday January 13 2017, @08:54PM (#453451)

          I think that was part of the point: if you try to copy MS Windows, you are going to end up copying their mistakes as well.

  • (Score: 0) by Anonymous Coward on Thursday January 12 2017, @07:22PM

    by Anonymous Coward on Thursday January 12 2017, @07:22PM (#453025)

    I am sure that if the target population is large enough, the bad guys will come.

    Are you aware that Linux is the most used kernel on the planet?