Stories
Slash Boxes
Comments

SoylentNews is people

posted by cmn32480 on Friday August 12 2016, @04:12AM   Printer-friendly [Skip to comment(s)]

Arthur T Knackerbracket has found the following story:

Russian security outfit Dr. Web says it's found new malware for Linux.

The firms[sic] says the “Linux.Lady.1” trojan does the following three things:

  • Collect information about an infected computer and transfer it to the command and control server.
  • Download and launch a cryptocurrency mining utility.
  • Attack other computers of the network in order to install its own copy on them.

The good news is that while the Trojan targets Linux systems, it doesn't rely on a Linux flaw to run. The problem is instead between the ears of those who run Redis without requiring a password for connections. If that's you, know that the trojan will use Redis to make a connection and start downloading the parts of itself that do real damage.

Once it worms its way in the trojan phones home to its command and control server and sends information including the flavour of Linux installed, number of CPUs on the infected machine and the number of running processes. The Register imagines that information means whoever runs the malware can make a decent guess at whether it is worth getting down to some mining, as there's little point working with an ancient CPU that's already maxed out.


Original Submission

This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 2, Informative) by Anonymous Coward on Friday August 12 2016, @04:18AM

    by Anonymous Coward on Friday August 12 2016, @04:18AM (#386895)

    I consider adware, nagware, and crippleware to be "malware".
    It's a mostly-useless term.

    Russian security outfit

    I have a real good idea where this is headed.

    worms its way...

    As Anonymous Coward mentions in the 2nd of the comments at El Reg, [theregister.co.uk]

    it requires killing off safe defaults

    ...with Pascal Monett having said before him

    WHAT? There are Linux admins who have actually configured the oh-so-vaunted Linux server to accept external comms without authentication? Count my gast flabbered. Must be ex-Windows admins.

    trojan

    This is a lot like the stupid shit that Hairyfeeet keeps linking to that has "virus" in the title and is about something that isn't a virus at all.

    .
    In addition, I already have El Reg contributors Darren Pauli and John Leyden on my Don't Bother With These Idiots list.
    It looks like Simon Sharwood is next.

    -- OriginalOwner_ [soylentnews.org]

    • (Score: 2, Informative) by Anonymous Coward on Friday August 12 2016, @07:11AM

      by Anonymous Coward on Friday August 12 2016, @07:11AM (#386923)

      Exactly. Malware is a general term covering everything from viruses to software with ads and DRM. Nobody said that couldn't happen on Linux.

      Some categories of malware are harder on Linux, but not all.

      Trojans: Mostly easy. For people who ONLY install from the distro repository, it's hard, but anyone who installs software from random websites, or adds non-official repositories to their package manager is at risk here.

      Viruses: Hard as long as people don't run as root, because the files a virus would infect are read only. The old trick with copying the files to a hidden directory would still work, but only affect that user.

      Email viruses: Hard, Linux email software doesn't run attachments, and doing so manually normally requires setting permissions first. Though one of the big distros (RH or Ubuntu) did at one time ship a default setup that had Wine as the default "open with" for Windows email viruses, allowing that distro to run Windows email viruses, but not Linux email viruses.

      Worms: The original Morris Internet Worm attacked Unix machines. Nuff' said.

      Ad-infested software: As easy as a Trojan, sometimes easier, as some distro maintainers would care more about the functionality than about the ads.

      DRM: Apart from being logically impossible, nobody prevents movie studios from requiring this. If you have Firefox EME or the Chrome equivalence, you already have DRM.

      Exploits: Somewhat hard. Security holes are found all the time, but closed within hours, unlike the months it takes to fix commercial software. But only hard as long as the system is kept up to date.

      Root kits: Cannot be prevented, as by definition these only come into play once you have full access to the system (some root kits do include one or more of the other categories). Could theoretically be prevented on a perfectly locked down system (think Playstation), but then you can forget about the user being in control.

  • (Score: 3, Touché) by jbernardo on Friday August 12 2016, @04:49AM

    by jbernardo (300) on Friday August 12 2016, @04:49AM (#386901)

    According to the original article, the Trojan will install /etc/systemd/system/ntp.service , so probably it will only run on systemd and not on plain Linux. Another reason to stay away from systemd? :)

    • (Score: 3, Informative) by Scruffy Beard 2 on Friday August 12 2016, @05:26AM

      by Scruffy Beard 2 (6030) on Friday August 12 2016, @05:26AM (#386906)

      looks like it overwrites /usr/sbin/ntp first.

      So if you are using an NTP binary in that location, you are still at risk.

    • (Score: 2) by frojack on Friday August 12 2016, @05:28AM

      by frojack (1554) Subscriber Badge on Friday August 12 2016, @05:28AM (#386907) Journal

      The problem is thats at this point in time systemd IS plain Linux.

      On the other hand I've neverl laid eyes on Redid.

      --
      No, you are mistaken. I've always had this sig.
      • (Score: 2) by Azuma Hazuki on Friday August 12 2016, @05:52AM

        by Azuma Hazuki (5086) Subscriber Badge on Friday August 12 2016, @05:52AM (#386916) Journal

        XenOrchestra, a web-based frontend to XenServer, requires a Redis instance to connect to. I've used it, though there's something incredibly dirty and buzzword-y greasy-feeling about the whole thing...node.js, Redis, web-based...yuck.

        --
        I am "that girl" your mother warned you about...
      • (Score: 2) by HiThere on Friday August 12 2016, @05:54PM

        by HiThere (866) on Friday August 12 2016, @05:54PM (#387101) Journal

        Redis is a fairly common database. But if the first step is to overwrite /usr/sbin/ntp, as stated above, then it must have some privilege escalation method...and that sounds like a flaw in Linux...and that it would be systemd is the kind of flaw that people were predicting last year. The assertion was that code that was too complex was being adopted without sufficient testing. I find that quite convincing, even though I've only run into one major problem with it that I haven't yet been able to work around.

        My problem with it is that it doesn't recognize multi-boot systems in different partitions. And I find this extremely bad. Technically I suppose this is due to changes in grub2 or the installer or some such, but it appears to have shown up simultaneous with systemd, so I believe there's a strong connection (on weak evidence).

        --
        Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
  • (Score: 1) by butthurt on Friday August 12 2016, @05:30AM

    by butthurt (6141) on Friday August 12 2016, @05:30AM (#386908) Journal

    Of the 15 stories now on the main page, [archive.is] this one and another 5 are from The Register:

    - Cisco Gives Cable Industry Tech for 10Gbps Uploads on DOCSIS
    - $200,000 for a Serious iOS Bug? We'll Give You $500,000
    - Appeals Court Rules the FCC Cannot Override State Laws Banning Municipal ISPs
    - Toshiba Envisions a 100 TB QLC SSD in the "Near Future"
    - Thailand Plans to Track All SIM Cards Sold in the Country

    • (Score: 2) by c0lo on Friday August 12 2016, @05:46AM

      by c0lo (156) on Friday August 12 2016, @05:46AM (#386913) Journal

      And 4 of these 5 were collected by Arthur T Knackerbracket.
      Need I translate what you need to do to see diversity on S/N submission list?
      (if you answered "shut Arthur T Knackerbracket down" you are allowed to try again)

      --
      https://www.youtube.com/watch?v=aoFiw2jMy-0
      • (Score: 2) by butthurt on Friday August 12 2016, @07:42AM

        by butthurt (6141) on Friday August 12 2016, @07:42AM (#386926) Journal

        Thanks for answering. I hadn't even realised that Arthur T Knackerbracket is a bot. It submitted 5 of those 6 stories. Short of shutting down the bots, surely their operation can be adjusted. I'm largely ignorant of how they work; in particular I don't know how to direct them. Glancing very briefly at the FAQ, the Github repository, and the wiki, I don't see any mention of them. I see that that bot posted, or was used to post, a story from SecurityWeek ("Flaw in Facebook Copyright Tool Earns Expert $4,000"). From that I infer that it can scrape stories from other sites besides The Register. Should I submit a bug report to say it's going to The Register more often than I'd like to see? Write a filter to make it compatible with more sites? Or simply continue manually submitting stories?

        • (Score: 2) by c0lo on Friday August 12 2016, @08:09AM

          by c0lo (156) on Friday August 12 2016, @08:09AM (#386936) Journal

          Or simply continue manually submitting stories?

          Bingo.

          I guess Arthur is switched on only when the queue doesn't have enough by manual submission, but I don't know for sure.

          --
          https://www.youtube.com/watch?v=aoFiw2jMy-0
          • (Score: 2) by butthurt on Friday August 12 2016, @08:56AM

            by butthurt (6141) on Friday August 12 2016, @08:56AM (#386942) Journal

            Excluding spam, it looks as though 15 of the pending submissions in the current queue [archive.is] were manually submitted, whilst 4 were scraped by Arthur T Knackerbracket. Among the 10 approved submissions, 7 were scraped by Arthur T Knackerbracket. It leaves me with an impression that the editors are approving stories from that bot more readily than those submitted by humans.

            • (Score: 2) by c0lo on Friday August 12 2016, @09:37AM

              by c0lo (156) on Friday August 12 2016, @09:37AM (#386946) Journal

              Excluding spam, it looks as though 15 of the pending submissions in the current queue were manually submitted, whilst 4 were scraped by Arthur T Knackerbracket.

              Quality and potential interest (subjective, I know) also matter.

              Those 15 pending submissions:
              - 3 a book/movie/tv reviews - a topic mainly for the weekend
              - 2 spams - those "Thank you for sharing"
              - 1 on which the author marked it as for weekend (the phone-home vibrator story)
              - 1 badly formatted submission apparently about a movie (Hook reunion - I don't know what hook is, but I'm not in the mood to click on 20+ links to learn it)
              - 1 not a story but poll suggestion

              4 by Arthur

              15-(3+2+1+1+1)-4=3

              --
              https://www.youtube.com/watch?v=aoFiw2jMy-0
              • (Score: 0) by Anonymous Coward on Friday August 12 2016, @03:57PM

                by Anonymous Coward on Friday August 12 2016, @03:57PM (#387065)

                I'm not in the mood to click on 20+ links

                Before your post, my curiosity had gotten the better of me and I had looked at that submission.
                It mentions Robin Williams and the concurrent anniversary of his death.
                The term "The Lost Boys" is also significant within the post.

                Yes, it is link soup for those who don't recognize the shibboleth.
                (Not being a movie guy for many years now, I was surprised that I did.)
                The post refers to a live-action retelling of J.M. Barrie's "Peter Pan" and his nemesis, the pirate Captain Hook who had a hand bitten off by a crocodile.
                (Disney did an animated version in the 1950s.)

                -- OriginalOwner_ [soylentnews.org]

            • (Score: 4, Informative) by n1 on Friday August 12 2016, @12:00PM

              by n1 (993) on Friday August 12 2016, @12:00PM (#386976) Journal

              Glad you brought this up, have a few thoughts on this myself.

              Firstly i'd be happy if we stopped using The Register's stupid 'hey buddy, we're cool too' headlines. Other than that, multiple el reg stories is a coincidence but does perhaps illustrate how good they are at drawing interest and clicks with their way of framing stories, being a tech tabloid isn't a bad thing for them.

              Beyond that, there are times when we do approve stories by Arthur quicker than normal submissions, this is a decision made in the moment that could be for many reasons.

              1) The stories that Arthur submits has already been filtered by an editor so they're usually worth running. As you can see still in the queue, my manual submissions as an editor don't get any special treatment.
              2) Sometimes it's because it's quicker to deal with a general interest story found by Arthur than it is to try and make the dregs of the submissions queue into something worthwhile. This can be seen as lazy, but it's also a practical solution to keeping the content rolling at a reasonable level of quality.
              3) Personally, I try to keep a mix of subjects/topics. I don't like running several Arthur stories in a row, but if it creates a broader spectrum of topics and potential discussions, it's worth it.
              4) What you're seeing in the queue now is not necessarily what was there when the stories were chosen. Yesterday the last time i checked, we were down to a small number of low quality submissions (plus my awesome ones that no one wants to touch), The rest was Arthur, they're a lot of the ones that got picked up. The run of stories you're seeing now was cmn putting through a bunch literally moments before he went on vacation. I'd not be surprised to learn it was rushed... The rest of editorial was asleep or at work.

              Every time you see Arthur, myself, takyon, martyb and even the IRC bots MrPlow and exec... We're often submitting these stories because either in our opinion, or in reality of a near empty queue, we don't have enough stories to run. Give us submissions to work with so we don't have to resort to internally generated submissions. There are stories every day that we miss, even when we're running lots. It's so easy to submit a story, but it's still too much work for most. Sometimes I wonder if people forget how the site works in regards to submissions.

              Arthur came through necessity, there have been and continue to be periods on the site where 5-10 submissions a day of varying quality was all we'd get... still happens.... Arthur can be a crutch, but i don't think it's actually been a detriment to the quality of the site. Even so, we should be playing closer attention to the variety of sources when pushing through stories generated this way. I certainly don't want to give El Reg any more credit or attention than it deserves.

              • (Score: 0) by Anonymous Coward on Friday August 12 2016, @12:56PM

                by Anonymous Coward on Friday August 12 2016, @12:56PM (#386987)

                Can you scrape BBC news? That's where I get most stories from for submission to Soylent.

                • (Score: 1, Touché) by Anonymous Coward on Friday August 12 2016, @05:10PM

                  by Anonymous Coward on Friday August 12 2016, @05:10PM (#387092)

                  The Register often has a story before anyone else.

                  scrape BBC

                  Roy Schestowitz and his band of smart helpers over at TechRights regularly bust BBC for being a blatantly M$-friendly and FOSS-hostile environment.
                  ...as well as GCHQ-|NSA-friendly.

                  IMO, BBC is only useful for tech news if you like your stuff biased toward the closed-source/proprietary sector and only useful for security news if you like that biased in favor of oppressive Imperialist regimes (USA/UK/AU).

                  -- OriginalOwner_ [soylentnews.org]

                • (Score: 2) by janrinok on Saturday August 13 2016, @06:01PM

                  by janrinok (52) Subscriber Badge on Saturday August 13 2016, @06:01PM (#387567) Journal

                  We do scrape BBC RSS feeds. For example: " rel="url2html-23139">https://soylentnews.org/article.pl?sid=16/08/11/135225

                  Now, finding a BBC story that is current, unbiased, and accurate is slightly can be more difficult.

                  Sorry about the formatting on the link - that is something it has only recently started doing, and it is the first time that I have noted it...

            • (Score: 3, Informative) by janrinok on Saturday August 13 2016, @05:45PM

              by janrinok (52) Subscriber Badge on Saturday August 13 2016, @05:45PM (#387560) Journal

              As the writer of 'Arthur', allow me to make some comments:

              When the site first began we would receive over 30 submissions every day from which we tried to produce a day's output. If the queue went below 20 we would change into a slower release schedule to try to get by until the subs picked up again. Of course, not all stories are suitable for publication and there are a fair number of dupes which we, as editors, have to filter out. Over time the submission rate fell and if we asked the community to rise to the challenge. The main obstruction that members claimed was the problem was finding suitable stories for submission. Somebody on the team started monitoring the RSS feeds from various well known sources including the tech sites, news channels and security groups. These are available to anyone (https://logs.sylnt.us/%23rss-bot/index.html) to provide them with a link to brand new stories as soon as they are released. They are/were used for a while but the community seems not to look at them very often.

              As an editor, it is quite disheartening to discover that the submission queue is filled with more stories of racial inequality, police brutality, shootings or political electioneering which, while important, we have discussed so many times in the past. This is especially so when there are literally hundreds of new stories each weekday to be found on the RSS feeds. So I wrote a bot that downloads each of the stories from the feeds and dumps them, with a little bit of processing and formatting, onto my hard drive. I am trying to produce a fully automated system, but it is not quite there yet. So I go through the processed stories manually, decide which are most suitable for our site, tidy them up (and modify the bot to cope with whatever I find automatically next time!), and then submit them - just as anyone else can do. They hit the sub queue with no preference or favour other than they have already be partly processed and are more likely to be topics of interest to our community. But not all of Arthur's submissions are used - they get rejected just as often as those stories submitted by anyone else (88% accepted at the time of writing).

              If you look at the RSS feeds for any given day, you will clearly see that TheRegister is only one of dozens of feeds that we monitor. The fact is, even if you dislike their writing style, they do get interesting stories out in fairly quick time.

              If the community don't want to see submissions from Arthur T Knackerbracket the solution is in their own hands. Find current stories that can inform the community and generate new and original discussion and submit them!. Avoid those topics that we have discussed 'ad nauseum' unless they bring something new to the discussion. The emphasis should be on science and technology but we can discuss anything that is of interest to the majority of the community.

              • (Score: 0) by Anonymous Coward on Thursday August 18 2016, @12:48PM

                by Anonymous Coward on Thursday August 18 2016, @12:48PM (#389563)

                Thanks for helping keep the site alive.

                I typically only submit when the queue is drying up, but I've also noticed that it has been happening more often in recent times.

  • (Score: -1, Flamebait) by Anonymous Coward on Friday August 12 2016, @05:35AM

    by Anonymous Coward on Friday August 12 2016, @05:35AM (#386909)

    but then their e-boner over BSD goes soft because BSD then becomes popular.

    so then they try PLAN 9 OS and discover they are masters of the universe after all!

    shit, you mean after all of these YEARS, Plan 9 OS was right in front of our fuckin' noses?

    that is some freaky shit.

    so they continue with PLAN 9 OS and enjoy their perma boners and wet slits and never
    ever have to worry about being uncool again.

    Plan 9, when you need a friend.

    • (Score: 1, Funny) by Anonymous Coward on Friday August 12 2016, @07:26AM

      by Anonymous Coward on Friday August 12 2016, @07:26AM (#386924)

      Eventually they'll all migrate to HURD. You'll see!!

  • (Score: 1, Informative) by Anonymous Coward on Friday August 12 2016, @06:20AM

    by Anonymous Coward on Friday August 12 2016, @06:20AM (#386922)

    The summary says said Trojan requires a poorly configured redis in order to do full damage. How does it even get on the machine in the first place to take advantage of this misconfigured redis?

    • (Score: 0) by Anonymous Coward on Friday August 12 2016, @08:24AM

      by Anonymous Coward on Friday August 12 2016, @08:24AM (#386939)

      Redis is a caching system that can be used to make the cache available to multiple servers so it allows connections from outside sources. The "poorly configured" part is not requiring a password on outside connections (which is always a bad idea for any software).

  • (Score: 0) by Anonymous Coward on Friday August 12 2016, @09:32AM

    by Anonymous Coward on Friday August 12 2016, @09:32AM (#386944)

    Name an open computing platform that is immune to trojans. Protip: it's impossible.

    • (Score: 2, Touché) by Anonymous Coward on Friday August 12 2016, @11:23AM

      by Anonymous Coward on Friday August 12 2016, @11:23AM (#386970)

      Name a closed one that's immune to trojans, then.

  • (Score: 5, Insightful) by PizzaRollPlinkett on Friday August 12 2016, @11:22AM

    by PizzaRollPlinkett (4512) on Friday August 12 2016, @11:22AM (#386968)

    This flaw is in software that happens to run on Linux (that I've never heard of) which is poorly secured, but nothing stops the technology press from running wall-to-wall LINUX!!! MALWARE!!! scare headlines. Reminds me of all the scare headlines for poorly configured PHP bulletin board packages that run on Linux. It's like no one has found any real security issues, so they have to resort to using stuff like this to generate Linux headlines.

    --
    (E-mail me if you want a pizza roll!)
    • (Score: 0) by Anonymous Coward on Friday August 12 2016, @01:33PM

      by Anonymous Coward on Friday August 12 2016, @01:33PM (#387003)

      yes, it's pitiful, but in fairness, this makes me realize how much the same thing has been done to windows, though MS deserves all the BS they get. The writers that want to smear GNU+Linux know that people who don't know anything but brands won't know the difference. they know all they have to do is get headlines out there that sound negative that have the brand name in there and ignorant people will say, "see, leenoox has viruses too! so, i might well stay on windows"

      • (Score: 1, Interesting) by Anonymous Coward on Friday August 12 2016, @04:31PM

        by Anonymous Coward on Friday August 12 2016, @04:31PM (#387079)

        Disagree.
        When a Windoze-only app has a vulnerability being actively exploited, I don't tend to see the name of the OS in the title of the article; I see the name of the app.

        The reason for the presence of a significant number of items in the Patch Tuesday list is because of stupid choices[1] made by the payware OS vendor in the design of their product.

        2 such examples that spring immediately to mind are font rendering in Ring 0 and M$Orifice macro execution in Ring 0. [googleusercontent.com] (orig) [wikipedia.org]

        Programs that run in Ring 0 can do anything with the system

        ...so, you NEVER expose the most privileged layer to user-supplied input--unless you're a MICROS~1 executive who is specifying an OS[1].

        [1] This is what you get with a company run by salesmen and not technologists.

        -- OriginalOwner_ [soylentnews.org]