
posted by Fnord666 on Saturday May 01, @06:51PM

Stealthy RotaJakiro Backdoor Targeting Linux Systems:

Previously undocumented and stealthy Linux malware named RotaJakiro has been discovered targeting Linux X64 systems. It has been undetected for at least three years, and operates as a backdoor.

Four samples have now been discovered, all using the same C2s. The earliest was discovered in 2018. None of the samples were labeled malware by VirusTotal.

The discovery was made by researchers at Chinese security firm Qihoo 360 NETLAB after their BotMon system flagged a suspicious ELF file. Investigation revealed the backdoor malware they named RotaJakiro, because, say the researchers, "the family uses rotate encryption and behaves differently for root/non-root accounts when executing."

The malware supports 12 functions, three of which involve specific plug-ins that are downloaded from the C2s. The researchers have not managed to access any of the plug-ins, so cannot comment on their purpose. However, the functions built into the malware can be categorized as collecting device information, stealing sensitive information, and managing the plug-ins. The researchers do not yet know how the malware spreads or is delivered.

Each of the four samples found have the same four C2s embedded. These are news(.)thaprior(.)net, blog(.)eduelects.com, cdn(.)mirror-codes(.)net, and status.sublineover.net. All of them were registered in December 2015, suggesting the malware is possibly older than the confirmed three years.

The stealthy nature of the malware is partly down to its rotation through various encryption algorithms while communicating with its C2 servers. "At the coding level," say the researchers, "RotaJakiro uses techniques such as dynamic AES, double-layer encrypted communication protocols to counteract the binary & network traffic analysis."

(Emphasis in original retained.)

The above-linked blog entry goes into considerable detail on how the malware functions. It also makes a connection to the previously found Torii botnet, which was exposed by Avast on September 20, 2018.


Original Submission

  • (Score: 5, Funny) by Anonymous Coward on Saturday May 01, @07:47PM

    by Anonymous Coward on Saturday May 01, @07:47PM (#1145206)

    It's often the case when translating from Chinese that some characters get misinterpreted. This appears to be the case in this posting. The anglicized phrase "RotaJakiro" is made of two sets of Hanzi characters, 系统 and 字母, which can more accurately be translated as "system" and "d".

  • (Score: 5, Insightful) by Anonymous Coward on Saturday May 01, @09:09PM (6 children)

    by Anonymous Coward on Saturday May 01, @09:09PM (#1145221)

    root account
            Depending on the Linux distribution, create the corresponding self-starting script /etc/init/systemd-agent.conf or /lib/systemd/system/systemd-agent.service.

    non-root account
            Create autostart script $HOME/.config/autostart/gnomehelper.desktop for desktop environment

    After RedHat spent years remaking Linux into an opaque Windows-like mess, you get Windows-like malware exploiting the mess. What else, exactly, were you expecting?
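As an added defender-side example (not code from NETLAB, SoylentNews or any commenter), the indicators the summary and the quoted write-up give, the four C2 hosts and the root/non-root persistence paths, turned into a small triage script; the dnsmasq-style log lines are constructed, and the `demo_persistence_check` helper builds a throwaway tree rather than scanning the real root.

```python
"""Triage for the RotaJakiro indicators quoted on this page: the four
hard-coded C2 hosts and the persistence files.  Added example only."""
import os, re, tempfile

C2_HOSTS = {"news.thaprior.net", "blog.eduelects.com",
            "cdn.mirror-codes.net", "status.sublineover.net"}
# Persistence paths from the quoted write-up; the user one lives under $HOME.
ROOT_PATHS = ["/etc/init/systemd-agent.conf",
              "/lib/systemd/system/systemd-agent.service"]
USER_PATH = ".config/autostart/gnomehelper.desktop"
HOST_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.I)

def persistence_hits(fs_root="/"):
    """Absolute paths of known persistence files found under fs_root
    (pass a mount point to scan an image instead of the live system)."""
    hits = [os.path.join(fs_root, p.lstrip("/")) for p in ROOT_PATHS]
    homes = [os.path.join(fs_root, "root")]
    home_base = os.path.join(fs_root, "home")
    if os.path.isdir(home_base):
        homes += [os.path.join(home_base, d) for d in os.listdir(home_base)]
    hits += [os.path.join(h, USER_PATH) for h in homes]
    return [p for p in hits if os.path.exists(p)]

def c2_lookups(log_lines):
    """(line_no, host) for each line naming a C2 host or a subdomain of one.
    Matching is label-wise: 'thaprior.net' or 'notnews.thaprior.net' do not fire."""
    found = []
    for n, line in enumerate(log_lines, 1):
        for host in HOST_RE.findall(line):
            h = host.lower()
            if any(h == c2 or h.endswith("." + c2) for c2 in C2_HOSTS):
                found.append((n, h))
    return found

SAMPLE_DNS_LOG = [  # constructed dnsmasq-style lines, not a real capture
    "May  1 18:51:02 dnsmasq[812]: query[A] news.thaprior.net from 10.0.0.7",
    "May  1 18:51:02 dnsmasq[812]: query[A] updates.example.org from 10.0.0.7",
    "May  1 18:51:09 dnsmasq[812]: query[A] notnews.thaprior.net from 10.0.0.9",
    "May  1 18:51:30 dnsmasq[812]: query[AAAA] status.sublineover.net from 10.0.0.7",
]

def demo_persistence_check():
    """Exercise persistence_hits on a temp tree with one constructed artifact."""
    with tempfile.TemporaryDirectory() as root:
        marker = os.path.join(root, "home", "alice", USER_PATH)
        os.makedirs(os.path.dirname(marker))
        with open(marker, "w") as f:
            f.write("[Desktop Entry]\nType=Application\n")  # constructed
        return persistence_hits(root)
```

Run `persistence_hits()` as root on a suspect host to check the live filesystem; the DNS matcher works on any resolver log that prints the queried name in full.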

    • (Score: 2, Interesting) by Anonymous Coward on Saturday May 01, @09:30PM (5 children)

      by Anonymous Coward on Saturday May 01, @09:30PM (#1145225)

      Originally called them trolls when they said that open source made vulnerabilities easier to exploit, because “many eyes make all bugs shallow.”

      The problem is there are many more eyes looking for exploits than there are looking for the same flaws.

      • (Score: 5, Insightful) by Runaway1956 on Saturday May 01, @10:23PM (2 children)

        by Runaway1956 (2926) Subscriber Badge on Saturday May 01, @10:23PM (#1145232) Homepage Journal

        That explains why closed source security features on Intel and AMD are being exploited. There are fewer eyes on the code, but more of those eyes are evil.

        --
        "I didn't lose to him!" - The Donald referring to Trippin' Joe
        • (Score: -1, Flamebait) by Anonymous Coward on Sunday May 02, @01:45AM (1 child)

          by Anonymous Coward on Sunday May 02, @01:45AM (#1145256)
          Neither Intel nor AMD is an operating system. Though I know, in your damaged state, making an apples-vs-cars comparison is normal.
          • (Score: 4, Insightful) by Runaway1956 on Sunday May 02, @02:05AM

            by Runaway1956 (2926) Subscriber Badge on Sunday May 02, @02:05AM (#1145262) Homepage Journal

            Their chips run on code. Maybe in your own fogged mental state, you think they just take some silicon, and melt it down in the proper size and dimensions, and they have a CPU, or whatever chip they are looking for. Unfortunately for you, the chips run on coded instructions. It's the instructions that give hackers a backdoor into your machine. Johny Hacker Dude doesn't care whose responsibility the exploit is - if he can find the crack in your defenses, he's gonna make your stuff his stuff.

            --
            "I didn't lose to him!" - The Donald referring to Trippin' Joe
      • (Score: 2, Informative) by Anonymous Coward on Saturday May 01, @10:47PM

        by Anonymous Coward on Saturday May 01, @10:47PM (#1145234)

        because “many eyes make all bugs shallow.”

        The mission of RedHat is about exactly that: make the many eyes not know what they see.

        The eyes looking for exploits can spend as long as need be finding holes in any mess; it is the job that feeds them.
        The generic user wishing to manage his own system cannot drop everything else and train Mess-Parsing to 80th level.
        ...
        Profit!!!

      • (Score: 3, Interesting) by digitalaudiorock on Sunday May 02, @01:06PM

        by digitalaudiorock (688) on Sunday May 02, @01:06PM (#1145369)

        I've seen systemd referred to as "proprietary open source," which is really pretty accurate. I'd say that for the most part open source code is more secure than closed source code, because "more eyes" and all that. However, that all falls apart when it comes to systemd, because literally nobody even wants to look at that code except a) LP and the idiots that designed and maintain it, and b) all the black hats scouring it for their stupid mistakes.

  • (Score: 3, Interesting) by jasassin on Saturday May 01, @09:35PM (4 children)

    by jasassin (3566) <jasassin@gmail.com> on Saturday May 01, @09:35PM (#1145227) Journal

    The question even the Chinese don't have an answer for, is how did it get on the system in the first place?

    That is the golden ticket.

    --
    jasassin@gmail.com Key fingerprint = 0644 173D 8EED AB73 C2A6 B363 8A70 579B B6A7 02CA
    • (Score: 3, Funny) by Runaway1956 on Saturday May 01, @10:25PM (3 children)

      by Runaway1956 (2926) Subscriber Badge on Saturday May 01, @10:25PM (#1145233) Homepage Journal

      The evil maid put it there?

      --
      "I didn't lose to him!" - The Donald referring to Trippin' Joe
      • (Score: 3, Funny) by PinkyGigglebrain on Sunday May 02, @12:38AM (2 children)

        by PinkyGigglebrain (4458) on Sunday May 02, @12:38AM (#1145246)

        It was the butler!!

        --
        "Beware those who would deny you Knowledge, For in their hearts they dream themselves your Master."
        • (Score: 2, Funny) by Anonymous Coward on Sunday May 02, @01:38AM

          by Anonymous Coward on Sunday May 02, @01:38AM (#1145255)

          It was the Kernel in the lib64.

        • (Score: 1, Informative) by Anonymous Coward on Sunday May 02, @06:31AM

          by Anonymous Coward on Sunday May 02, @06:31AM (#1145327)

          It was the gardener, just poettering about in the shed...

  • (Score: 5, Touché) by fakefuck39 on Saturday May 01, @11:55PM

    by fakefuck39 (6620) on Saturday May 01, @11:55PM (#1145242)

    My suggestion for the submitters who keep going to hacker news and posting articles seen there two days ago, is to also start copying and pasting the top comments from there. It will get you magic internet points, and you can like, buy a life with those.

    https://news.ycombinator.com/item?id=26981886 [ycombinator.com]

    here, let me start you off on the cut and paste:

    ----------------------------

    squarefoot 2 days ago

    The malware contains some hardcoded domains:
    news.thaprior.net blog.eduelects.com cdn.mirror-codes.net status.sublineover.net
    Just out of curiosity I did a simple search and found no mention of any of those domains, except for status.sublineover.net which is being reported here:
    https://raw.githubusercontent.com/shargon/Fwhibbit/master/To... [githubusercontent.com]
    Which is stored on a 4 years old project by what seems to be an ethical hackers group:
    https://github.com/shargon/Fwhibbit [github.com]
    (possibly related to: https://fwhibbit.es [fwhibbit.es] )

    lgats 2 days ago
    https://domain.glass/status.sublineover.net [domain.glass] -registered 2015-12-09 -cisco umbrella ranked intermittently since 2020-07
    https://domain.glass/news.thaprior.net [domain.glass] -registered 2015-12-09 -intermittent cisco umbrella ranking since 2021-01-31
    https://domain.glass/cdn.mirror-codes.net [domain.glass] -registered 2015-12-10
    https://domain.glass/blog.eduelects.com [domain.glass] -registered 2015-12-09

    All domains registered with Web4Africa (Pty) Ltd, hosting provided by Deltahost PTR, Kiev, Ukraine

  • (Score: 1, Funny) by Anonymous Coward on Sunday May 02, @02:41AM (3 children)

    by Anonymous Coward on Sunday May 02, @02:41AM (#1145271)

    What the hell is a C2?

    • (Score: 3, Informative) by Anonymous Coward on Sunday May 02, @03:40AM

      by Anonymous Coward on Sunday May 02, @03:40AM (#1145293)

      Command and Control, the machines telling the infected ones what to do.

      And for anyone wondering about foobar(.)com, that is about making parsers not convert text into valid links. For safety, I read somewhere. So surprise it was done for the first 3 but not for the last host. Ahh, yes, it was mentioned in the HN replies. FF does not convert foobar.com to a link (neither does SN unless prefixed by http:// )... maybe Chrome does? Too much "smart" (as in smartass) going on if so.

    • (Score: 0) by Anonymous Coward on Sunday May 02, @05:41PM (1 child)

      by Anonymous Coward on Sunday May 02, @05:41PM (#1145434)

      You know, the birds and the bees? R2 and D2 had a baby...out came C2, obviously!

      • (Score: 0) by Anonymous Coward on Sunday May 02, @05:43PM

        by Anonymous Coward on Sunday May 02, @05:43PM (#1145435)

        Oh, and don't get me started on C3PO, that's some kinky fetish shit...
