
SoylentNews is people

posted by CoolHand on Saturday May 02 2015, @02:35AM   Printer-friendly
from the check-your-servers-boys(and-gals) dept.

http://arstechnica.com/security/2015/04/30/spam-blasting-malware-infects-thousands-of-linux-and-freebsd-servers/

Several thousand computers running the Linux and FreeBSD operating systems have been infected over the past seven months with sophisticated malware that surreptitiously makes them part of a renegade network blasting the Internet with spam, researchers said Wednesday. The malware likely infected many more machines during the five years it's known to have existed.

Most of the machines infected by the so-called Mumblehard malware are believed to run websites, according to the 23-page report [PDF] issued by researchers from antivirus provider Eset. During the seven months that they monitored one of its command and control channels, 8,867 unique IP addresses connected to it, with 3,000 of them joining in the past three weeks. The discovery is reminiscent of Windigo, a separate spam botnet made up of 10,000 Linux servers that Eset discovered 14 months ago.

The Mumblehard malware is the brainchild of experienced and highly skilled programmers. It includes a backdoor and a spam daemon, which is a behind-the-scenes process that sends large batches of junk mail. These two main components are written in Perl and they're obfuscated inside a custom "packer" that's written in assembly, a low-level programming language that closely corresponds to the native machine code of the computer hardware it runs on. Some of the Perl script contains a separate executable with the same assembly-based packer that's arranged in the fashion of a Russian nesting doll. The result is a very stealthy infection that causes production servers to send spam and may serve other nefarious purposes.

  • (Score: 5, Insightful) by PizzaRollPlinkett on Saturday May 02 2015, @10:21AM

    by PizzaRollPlinkett (4512) on Saturday May 02 2015, @10:21AM (#177828)

    So the Linux kernel and the FreeBSD kernel have a remote exploit that lets people take over their servers? Or is this yet another bug in a CMS that runs on Linux? This is why I don't really like Ars Technica. They're playing up "Linux and FreeBSD" as if this was a flaw in the architecture of both OSes. But if you dig down through the article, you find it's some CMS that runs on Linux and FreeBSD that isn't secure. These CMS bugs are so common I don't pay attention to them any longer. The headline is way out of proportion to the problem, trying to make it sound like all Linux and FreeBSD servers are exploitable. I guess "Another CMS Bug" isn't clickbait enough for Ars? Anyhow, at least they didn't split this article over 10 pages like they sometimes do.

    --
    (E-mail me if you want a pizza roll!)
  • (Score: 4, Informative) by HiThere on Saturday May 02 2015, @06:24PM

    by HiThere (866) Subscriber Badge on Saturday May 02 2015, @06:24PM (#177916) Journal

    If you had read the above comments you would have known that it was distributed via a pirated version of commercial software. And the vector was intentionally installed.

    This isn't a system vulnerability, unless you count "social engineering" as a part of the system.

    --
    Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
    • (Score: 2) by PizzaRollPlinkett on Saturday May 02 2015, @06:56PM

      by PizzaRollPlinkett (4512) on Saturday May 02 2015, @06:56PM (#177922)

      I was trying to be ironic. I was trying to point out the headline led you to one conclusion - some sort of major new remote-exploit vulnerability in the Linux and FreeBSD kernel or something - whereas the article talked about a CMS exploit of some sort with the usual vague details that don't tell you much about it. The exploit here has nothing to do with Linux or FreeBSD itself, but relies on third-party CMS software which I pointed out is almost a byword for a buggy mess. (I think PHP's reputation as a bad language comes from the poorly-written CMSes coded in it as much as anything else.) Ars isn't much, but they usually don't do clickbait at this level. I yawn at yet another CMS exploit, or installing cracked software from an unreliable source. But the problem is that the headline suggests a man-bites-dog Linux/FreeBSD kernel story, when if you fall for the clickbait you get a dog-bites-man story.

      --
      (E-mail me if you want a pizza roll!)
  • (Score: 2) by choose another one on Saturday May 02 2015, @08:07PM

    by choose another one (515) Subscriber Badge on Saturday May 02 2015, @08:07PM (#177939)

    Linux is just getting the same treatment as Windows, see e.g.

    "It's 2015 and Your Windows Server Can Still be Pwned by a JPEG" - http://soylentnews.org/article.pl?sid=15/04/21/1116238 [soylentnews.org]

    This is why I really don't like _gewg_. They're playing up "Windoze" as if this was a flaw in the architecture of the OS. But if you dig down through the article, you find it's some CMS that isn't secure.

    The real news is that for at least 5yrs Linux has been a target architecture for malware in the Windows. This is because Linux has become common in the server space and therefore:
    a) it is a target just like Windows
    b) it has clueless admins just like Windows (because it has been made easy to use)
    c) it gets compromised in just the same way as Windows (see above)

    Welcome to mainstream.

    • (Score: 2, Informative) by Anonymous Coward on Saturday May 02 2015, @08:41PM

      by Anonymous Coward on Saturday May 02 2015, @08:41PM (#177950)

      Example 1
      You PURPOSELY acquire software from an untrustworthy source.
      You PURPOSELY install that software.
      You PURPOSELY give that software executable permissions.
      You PURPOSELY run that software (which, it turns out, contains something you didn't expect).

      That is -NOT- AN "INFECTION".
      That is you PURPOSELY installing something that is a trojan.
      That's you being an irresponsible admin.

      ...and "malware" has too broad a definition to be a useful word:
      Adware is malware in my book; pre-installed shovelware is malware.

      Example 2
      You visit a website that contains a jpg and your browser downloads that "image".
      The jpg contains executable malware.
      Your OS automatically runs the executable (because the extension of the file already told your OS it was just an image and your OS doesn't check with -you- about whether things should be given executable status).

      ...and the other 2 examples of Windoze pwnage in recent months were fonts being automatically rendered in Ring 0 and office macros being automatically executed in Ring 0.

      Yes, it absolutely -is- about the OS architecture.

      -- gewg_

    • (Score: 2) by PizzaRollPlinkett on Sunday May 03 2015, @10:10AM

      by PizzaRollPlinkett (4512) on Sunday May 03 2015, @10:10AM (#178081)

      Not gewg's fault, don't shoot messenger, it's all on Ars.

      --
      (E-mail me if you want a pizza roll!)
      • (Score: 2) by choose another one on Monday May 04 2015, @09:15AM

        by choose another one (515) Subscriber Badge on Monday May 04 2015, @09:15AM (#178392)

        gewg submitted the other story I linked to, which had an inaccurate summary exactly like the parent post suggested - sounds like a kernel vuln, is in fact a CMS issue.