posted by CoolHand on Wednesday July 29 2015, @03:42PM
from the baking-our-backdoors-all-the-way dept.

A new Linux backdoor botnet agent is fortunately only half-baked. From the article:

[Russian malware writers] have stitched together a new Linux backdoor. Fortunately for internet hygiene the botnet agent – which packs a variety of powerful features – is faulty and only partially functional.

The backdoor, dubbed Dklkt-1 was designed to be a cross-platform nasty capable of infecting both Windows and Linux machines.

Cyber-criminals planned to equip the program with a large number of functions typical of SOCKS proxy servers, remote shells, file managers, and so on.

However, at the moment, the malware ignores the majority of incoming commands due to programming mistakes.

If successfully planted, the malware tries to register itself in the system as a daemon (system service). Thereafter it uses LZO compression and the Blowfish encryption algorithm to chat to command and control servers. Every packet contains a checksum, so that the recipient can verify data integrity.

Dklkt-1 waits for incoming commands that can include launching a DDoS attack, starting a SOCKS proxy server, running a specified application, rebooting the computer, or turning it off. Other commands are either ignored or processed incorrectly.

  • (Score: 4, Insightful) by xav on Wednesday July 29 2015, @08:07PM

    by xav (5579) on Wednesday July 29 2015, @08:07PM (#215595)

    Well, if everything is true, we have a program that can spawn a shell, a SOCKS proxy, start a DDoS attack and execute any command. Considering this, I would regard the malware as a serious threat and I would not really care if it is half-baked and that a set of commands is ignored. Moreover, if the program really registers as a system daemon, which I doubt, then it is running as root... What else can you wish for?

    Now, what I'd like to know is how such malware can land on my Linux machine??? And run as root?

  • (Score: 2) by maxwell demon on Wednesday July 29 2015, @09:19PM

    by maxwell demon (1608) on Wednesday July 29 2015, @09:19PM (#215612) Journal

    then it is running as root... What else can you wish for?

    Running in kernel space? Infecting the BIOS? Infecting HDD firmware? Employing a blue pill mechanism?

    --
    The Tao of math: The numbers you can count are not the real numbers.
    • (Score: 0) by Anonymous Coward on Wednesday July 29 2015, @10:21PM

      by Anonymous Coward on Wednesday July 29 2015, @10:21PM (#215634)

      Installing Windows 10.

      • (Score: 0) by Anonymous Coward on Thursday July 30 2015, @11:13AM

        by Anonymous Coward on Thursday July 30 2015, @11:13AM (#215831)
        Nonono, that's the way to remove the Linux Backdoor (and install a Windows one instead).
  • (Score: 3, Interesting) by hemocyanin on Wednesday July 29 2015, @10:47PM

    by hemocyanin (186) on Wednesday July 29 2015, @10:47PM (#215643) Journal

    I'd like to know this too -- what is the infection vector?

    Secondarily, I'd like to know what file I could search for to see if I'm infected. The dklkt-1 link above goes to some for-pay virus software program which will tell you if this is installed on your system. The materials linked in the TFA contain this:

    Once launched, Linux.BackDoor.Dklkt.1 checks the folder from which it is run for the configuration file containing the following parameters: ...

    so it seems reasonable to search for that filename, but who knows -- maybe it renames itself something totally random after a successful install. I guess it would be awful nice if there was more info than "buy our linux AV program" -- even users like me know how to use find and grep to do a brute force file search. I just want to know that I'm looking for the right thing.
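As an added example (not from the article or from any poster in this thread), here is the kind of brute-force find/grep search the comment describes, packaged as POSIX shell functions. The page never gives the actual configuration file name, so the name and content strings used in the demo tree are labelled placeholders to be swapped for whatever indicators a vendor publishes; the service-definition check is a constructed heuristic (executables launched from world-writable or home directories), not a signature for this malware.

```shell
#!/bin/sh
# Added example: indicator search helpers built on find and grep.
# PLACEHOLDER names below stand in for real indicators, which the page does not give.

# search_names ROOT PATTERN: regular files under ROOT whose name matches PATTERN
search_names() {
    find "$1" -xdev -type f -name "$2" 2>/dev/null
}

# search_contents ROOT STRING: text files under ROOT that contain STRING
# (-I skips binaries; proc and sys are excluded so a live / scan does not hang)
search_contents() {
    grep -rIl --exclude-dir=proc --exclude-dir=sys -- "$2" "$1" 2>/dev/null
}

# suspicious_services ROOT: init.d scripts or systemd units under ROOT that
# start an executable from /tmp, /var/tmp, /dev/shm or a home directory.
# A daemon registered from such a path is worth a look regardless of its name.
suspicious_services() {
    grep -rIlE '(ExecStart=|DAEMON=|exec )[[:space:]]*/(tmp|var/tmp|dev/shm|home)/' \
        "$1/etc/init.d" "$1/etc/systemd/system" "$1/lib/systemd/system" 2>/dev/null
}

# count_lines: helper so results can be compared as numbers (strips wc padding)
count_lines() {
    wc -l | tr -d ' '
}

# make_demo_tree: constructed sample filesystem, so the functions can be tried
# offline; prints the root directory it created.
make_demo_tree() {
    demo_root=$(mktemp -d)
    mkdir -p "$demo_root/etc/init.d" "$demo_root/etc/systemd/system" \
             "$demo_root/opt/app" "$demo_root/tmp/.x"
    # constructed "config" dropped beside a payload in /tmp
    printf 'socks_port=1080\nserver=192.0.2.10\n' > "$demo_root/tmp/.x/PLACEHOLDER.conf"
    # constructed unit that would start the payload as a service
    printf '[Service]\nExecStart=/tmp/.x/agent\n' > "$demo_root/etc/systemd/system/PLACEHOLDER.service"
    # a normal unit, should not be reported
    printf '[Service]\nExecStart=/usr/sbin/sshd -D\n' > "$demo_root/etc/systemd/system/sshd.service"
    printf 'hello\n' > "$demo_root/opt/app/readme.txt"
    echo "$demo_root"
}

# Usage against a real host (as root, replace the placeholders):
#   search_names / 'PLACEHOLDER.conf'
#   search_contents / 'socks_port='
#   suspicious_services /
if [ "${1:-}" = "--demo" ]; then
    r=$(make_demo_tree)
    echo "== name matches";    search_names "$r" 'PLACEHOLDER.conf'
    echo "== content matches"; search_contents "$r" 'socks_port='
    echo "== suspicious service definitions"; suspicious_services "$r"
    rm -rf "$r"
fi
```

Run it with `sh script.sh --demo` to see the three checks against the constructed tree, or source it and call the functions with `/` as the root on a host you are inspecting. A name search only helps while the dropper keeps its published name, which is exactly the poster's worry; the service-definition check is there because registering as a daemon is the one behaviour the summary does describe, and the path it registers from is harder to disguise than a filename.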

    • (Score: 0) by Anonymous Coward on Wednesday July 29 2015, @11:24PM

      by Anonymous Coward on Wednesday July 29 2015, @11:24PM (#215652)

      Whenever details are released about Linux malware, the vector is usually (or maybe always) stupid/horrible passwords on a public ssh listener. Amazing how many idiots are "admining" systems.

      Not using pubkey? You're fired.

      If it were a real exploit, it would have a name, and MS would have sent press releases to all the media by now.
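As an added example, not taken from the article or from any poster, this POSIX shell script audits an sshd_config for the exposure the comment names: password logins on a public listener. It applies sshd's own rule that the first value of a keyword wins, and it is a simplification in that it ignores conditional Match blocks. The two sample configs are constructed inline; the weak one is the typical "leave the defaults" setup, the other is the pubkey-only form the poster is demanding.

```shell
#!/bin/sh
# Added example: audit sshd_config for password-login exposure.
# Simplification: Match blocks are not evaluated (parsing stops at the first one).

# effective_value FILE KEYWORD: the value sshd would use for KEYWORD
# (first non-comment occurrence wins; keyword match is case-insensitive)
effective_value() {
    awk -v k="$2" '
        tolower($1) == "match" { exit }
        NF >= 2 && tolower($1) == tolower(k) { print $2; exit }
    ' "$1"
}

# audit_sshd_config FILE: print one "FINDING:" line per weak setting
audit_sshd_config() {
    f=$1
    pa=$(effective_value "$f" PasswordAuthentication);   [ -n "$pa" ]  || pa=yes
    prl=$(effective_value "$f" PermitRootLogin);         [ -n "$prl" ] || prl=prohibit-password
    pep=$(effective_value "$f" PermitEmptyPasswords);    [ -n "$pep" ] || pep=no
    pk=$(effective_value "$f" PubkeyAuthentication);     [ -n "$pk" ]  || pk=yes
    # keyboard-interactive (PAM) can still prompt for a password even with
    # PasswordAuthentication no; the keyword was renamed in OpenSSH 8.7
    kbd=$(effective_value "$f" KbdInteractiveAuthentication)
    [ -n "$kbd" ] || kbd=$(effective_value "$f" ChallengeResponseAuthentication)
    [ -n "$kbd" ] || kbd=yes

    [ "$pa" = no ]   || echo "FINDING: PasswordAuthentication is '$pa' (default yes); set it to no"
    [ "$kbd" = no ]  || echo "FINDING: keyboard-interactive auth is '$kbd'; set KbdInteractiveAuthentication no"
    [ "$prl" != yes ] || echo "FINDING: PermitRootLogin yes; use prohibit-password or no"
    [ "$pep" = no ]  || echo "FINDING: PermitEmptyPasswords '$pep'; set it to no"
    [ "$pk" != no ]  || echo "FINDING: PubkeyAuthentication no; key-based login is disabled"
    return 0
}

# count_findings FILE: number of FINDING lines, as a plain number
count_findings() {
    audit_sshd_config "$1" | grep -c '^FINDING' || true
}

# Constructed sample configs for an offline run
write_weak_config() {
    printf 'Port 22\n#PasswordAuthentication no\nPasswordAuthentication yes\nPermitRootLogin yes\nPermitEmptyPasswords yes\n' > "$1"
}
write_hardened_config() {
    printf 'Port 22\nPasswordAuthentication no\nKbdInteractiveAuthentication no\nPermitRootLogin prohibit-password\nPubkeyAuthentication yes\nMaxAuthTries 3\nMatch User backup\n    PasswordAuthentication yes\n' > "$1"
}

# Usage on a real host: sh audit.sh /etc/ssh/sshd_config
if [ -n "${1:-}" ]; then
    audit_sshd_config "$1"
    echo "findings: $(count_findings "$1")"
fi
```

The hardened sample deliberately ends with a Match block that re-enables passwords for one user; the script stops parsing there, which is the stated simplification, and a full audit would have to reason about each Match condition separately. On a live system, pair this with `sshd -T`, which prints the effective configuration after defaults and includes are applied, rather than trusting the file alone.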

      • (Score: 0) by Anonymous Coward on Thursday July 30 2015, @02:04AM

        by Anonymous Coward on Thursday July 30 2015, @02:04AM (#215698)

        Indeed. And when somebody talks about a Linux backdoor, you know you're being taken for a ride. Either you're in an alternative reality or talking to some wishful-thinking NSA hotshot. As in, there is no such thing.

        Zero bits of usable info, in the summary at least.

    • (Score: 1) by anubi on Thursday July 30 2015, @03:50AM

      by anubi (2828) on Thursday July 30 2015, @03:50AM (#215728) Journal

      The dklkt-1 link above goes to some for-pay virus software program which will tell you if this is installed on your system.

      And, by running it, you also have a significant probability that this will actually infect your system with it.

      Thousands of Windows system users have already found out that software that purports to fix one's system often IS the problem!

      Just because you paid for it does not make it legit.

      Street cred ( MalwareBytes, for example ) is a lot more trustworthy than some flashy web page from some unknown. Even more risky if it wants a credit card number.

      --
      "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
  • (Score: 2) by arslan on Wednesday July 29 2015, @10:51PM

    by arslan (3462) on Wednesday July 29 2015, @10:51PM (#215645)

    I wish that malware would uninstall Internet Explorer from Windows..