
posted by janrinok on Wednesday June 15 2022, @05:12AM
from the nearly-impossible-is-slightly-possible dept.

Linux Malware Deemed 'Nearly Impossible' to Detect:

Symbiote, discovered in November, parasitically infects running processes so it can steal credentials, gain rootkit functionality and install a backdoor for remote access.

A new Linux malware that's "nearly impossible to detect" can harvest credentials and gives attackers remote access and rootkit functionality by acting in a parasitic way to infect targets, researchers said.

Researchers from The BlackBerry Research and Intelligence Team have been tracking the malware, the earliest detection of which is from November 2021, security researcher Joakim Kennedy wrote in a blog post on the BlackBerry Threat Vector Blog published last week.

Researchers have appropriately dubbed the malware—which apparently was written to target the financial sector in Latin America—"Symbiote." In biology, the word means an organism that lives in symbiosis with another organism.

"What makes Symbiote different ... is that it needs to infect other running processes to inflict damage on infected machines," he wrote. "Instead of being a standalone executable file that is run to infect a machine, it is a shared object (SO) library that is loaded into all running processes using LD_PRELOAD (T1574.006), and parasitically infects the machine."

Once Symbiote has infected all the running processes, a threat actor can engage in various nefarious activity, including rootkit functionality, the ability to harvest credentials, and remote access capability, Kennedy said.

In addition to the rootkit capability, the malware also provides a backdoor for the threat actor to log in as any user on the machine with a hardcoded password, and to execute commands with the highest privileges, he added.

[...] Some of its evasive tactics follow from its design: it is loaded by the dynamic linker via the LD_PRELOAD directive, which allows it to be loaded before any other shared objects, researchers found. Being loaded first allows it to hijack the imports from the other library files loaded for the application, they said. In this way it hides its presence on the machine by hooking libc and libpcap functions, Kennedy said.

"Once the malware has infected a machine, it hides itself and any other malware used by the threat actor, making infections very hard to detect," he explained. "Performing live forensics on an infected machine may not turn anything up since all the file, processes, and network artifacts are hidden by the malware."

In fact, researchers said they themselves could not uncover enough evidence to determine whether threat actors are currently using Symbiote "in highly targeted or broad attacks," he said.

Unusual DNS requests may be one way to detect if the malware is present on a system, researchers noted. However, typical antivirus or other security tools aimed at endpoint detection and response won't pick up Symbiote, making organizations using Linux that rely on those protections at risk, they said.


  • (Score: 2) by MIRV888 on Wednesday June 15 2022, @05:39AM (4 children)

    by MIRV888 (11376) on Wednesday June 15 2022, @05:39AM (#1253383)

    I am not a Linux expert. Is the level of sophistication being seen in a lot of these modern viruses something a small group of individuals can do? Or would this require state level support in order to code?

    • (Score: 5, Informative) by Anonymous Coward on Wednesday June 15 2022, @06:27AM (1 child)

      by Anonymous Coward on Wednesday June 15 2022, @06:27AM (#1253389)

      What is being described in the article is not very sophisticated at all, it's a trivial implementation of a well-known class of attacks known as DLL injections which are also viable on NT kernels as you might suspect from the name. The Wikipedia article [wikipedia.org] even describes how the LD_PRELOAD technique works.

      • (Score: 2) by hopdevil on Wednesday June 15 2022, @04:52PM

        by hopdevil (3356) on Wednesday June 15 2022, @04:52PM (#1253452)

        +1... this is a well known technique, nothing new or particularly interesting.

    • (Score: 2, Insightful) by Anonymous Coward on Wednesday June 15 2022, @02:16PM (1 child)

      by Anonymous Coward on Wednesday June 15 2022, @02:16PM (#1253423)

      Almost nothing requires state level support to code.

  • (Score: 3, Interesting) by Anonymous Coward on Wednesday June 15 2022, @06:01AM (4 children)

    by Anonymous Coward on Wednesday June 15 2022, @06:01AM (#1253386)

    It's not even a kernel module? You can look for the LD_PRELOAD variable in /proc/$pid/environ.

    Even if the rootkit cleans up its environment, a scanner should be able to fork a process in trace mode, like a debugger would, and read the environment before it has a chance to clean it up. If the rootkit wants to stay hidden, it has to inject itself into every process, so the scanner doesn't even have to find a special process to investigate.

    User mode rootkits are always a question of "did they think about this way of finding them" and they always miss something. I remember one that had a modified 'ls' that wouldn't show itself, but it didn't hide from 'echo *'.

    This might have been high tech 20 years ago but user mode rootkits are kind of passe now.
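The /proc check this comment proposes, written out as an added example (this is not code from the thread or from the BlackBerry write-up): the scanner reads each process's initial environment from /proc/<pid>/environ looking for LD_PRELOAD, reads /etc/ld.so.preload (the other standard preload mechanism), and, because a process can scrub its own environment block after start-up while the injected library stays mapped, also lists shared objects in /proc/<pid>/maps that come from outside the usual library directories. The trusted-directory list, the sample environ bytes and the sample maps text are constructed for the example.

```python
"""Scanner for LD_PRELOAD-style injection, built on /proc (added example)."""
import re
from pathlib import Path

# Assumption for this example: shared objects normally come from these
# directories; anything mapped from elsewhere (/tmp, /dev/shm, a home
# directory, a deleted file) deserves a second look.
TRUSTED_LIB_DIRS = ("/lib", "/lib32", "/lib64", "/usr/lib", "/usr/lib32",
                    "/usr/lib64", "/usr/local/lib", "/usr/libexec",
                    "/opt/", "/snap/")

# Constructed sample inputs, in the on-disk formats of
# /proc/<pid>/environ (NUL-separated) and /proc/<pid>/maps.
SAMPLE_ENVIRON = (b"PATH=/usr/bin:/bin\0"
                  b"LD_PRELOAD=/tmp/example-injected.so\0"
                  b"HOME=/root\0")
SAMPLE_MAPS = """\
55d1e0a00000-55d1e0a21000 r--p 00000000 fd:01 1234    /usr/bin/sleep
7f2a1c000000-7f2a1c1c2000 r-xp 00000000 fd:01 5678    /usr/lib/x86_64-linux-gnu/libc.so.6
7f2a1c400000-7f2a1c402000 r-xp 00000000 fd:01 9999    /tmp/example-injected.so
7ffd2b000000-7ffd2b021000 rw-p 00000000 00:00 0       [stack]
"""


def parse_environ(raw: bytes) -> dict:
    """Parse the NUL-separated KEY=VALUE block from /proc/<pid>/environ."""
    env = {}
    for item in raw.split(b"\0"):
        if b"=" in item:
            key, value = item.split(b"=", 1)
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def preload_from_environ(raw: bytes) -> list:
    """Libraries named by LD_PRELOAD in a process's initial environment."""
    value = parse_environ(raw).get("LD_PRELOAD", "")
    return [p for p in re.split(r"[:\s]+", value) if p]


def preload_from_ld_so_preload(text: str) -> list:
    """Library paths listed in /etc/ld.so.preload ('#' comments ignored)."""
    libs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            libs.extend(line.split())
    return libs


# maps line: address perms offset dev inode [pathname]
_MAPS_LINE = re.compile(r"^\S+ \S+ \S+ \S+ \d+\s+(.+)$")


def untrusted_mapped_objects(maps_text: str) -> list:
    """Mapped .so paths that do not live under TRUSTED_LIB_DIRS."""
    found = []
    for line in maps_text.splitlines():
        match = _MAPS_LINE.match(line)
        if not match:
            continue
        path = match.group(1).strip()
        if not path.startswith("/") or ".so" not in path:
            continue  # anonymous mappings, [stack], [vdso], ordinary files
        if not path.startswith(TRUSTED_LIB_DIRS) and path not in found:
            found.append(path)
    return found


def scan_proc(proc_root: str = "/proc") -> dict:
    """Walk a live /proc; returns {pid: findings}. Unreadable or vanished
    entries are skipped, so run as root for full coverage."""
    root = Path(proc_root)
    report = {}
    if not root.is_dir():
        return report
    for entry in root.iterdir():
        if not entry.name.isdigit():
            continue
        findings = {}
        try:
            libs = preload_from_environ((entry / "environ").read_bytes())
            if libs:
                findings["LD_PRELOAD"] = libs
            odd = untrusted_mapped_objects((entry / "maps").read_text(errors="replace"))
            if odd:
                findings["unusual_maps"] = odd
        except OSError:
            continue
        if findings:
            report[int(entry.name)] = findings
    return report


if __name__ == "__main__":
    ld_so_preload = Path("/etc/ld.so.preload")
    if ld_so_preload.is_file():
        print("/etc/ld.so.preload:", preload_from_ld_so_preload(ld_so_preload.read_text()))
    for pid, findings in sorted(scan_proc().items()):
        print(pid, findings)
```

The maps check is the one that survives environment cleanup: unmapping a library from a running process is far harder than unsetting a variable. The caveat the rest of the thread raises applies to this script as well: the interpreter is itself dynamically linked, and every open() and read() above goes through libc, so a library that hooks those calls can lie to it. Run it from a statically linked tool or from a trusted boot medium when the answer matters.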

    • (Score: 5, Insightful) by sjames on Wednesday June 15 2022, @09:42AM (3 children)

      by sjames (2882) on Wednesday June 15 2022, @09:42AM (#1253403) Journal

      A static binary could easily detect it. No LD, no PRELOAD, no cleanup.

      • (Score: 3, Informative) by turgid on Wednesday June 15 2022, @09:40PM (2 children)

        by turgid (4318) Subscriber Badge on Wednesday June 15 2022, @09:40PM (#1253520) Journal

        That's what they invented /sbin for just in case it's not clear to the newbies.

        • (Score: 1, Informative) by Anonymous Coward on Thursday June 16 2022, @02:56PM

          by Anonymous Coward on Thursday June 16 2022, @02:56PM (#1253678)

          Thank you!

          I actually never reflected over the different reason for /sbin. (no sarcasm)

        • (Score: 1, Informative) by Anonymous Coward on Saturday June 18 2022, @04:11AM

          by Anonymous Coward on Saturday June 18 2022, @04:11AM (#1254153)

          sbin is System BINaries. It does not stand for Static BINaries. There was nothing preventing your system binaries from being dynamically linked as long as they also depended on libraries in the /lib directory.

  • (Score: 4, Informative) by bradley13 on Wednesday June 15 2022, @06:24AM (1 child)

    by bradley13 (3053) on Wednesday June 15 2022, @06:24AM (#1253388) Homepage Journal

    For those interested, here is the original post, with lots of technical details. [blackberry.com]

    --
    Everyone is somebody else's weirdo.

    • (Score: 1, Insightful) by Anonymous Coward on Wednesday June 15 2022, @09:17AM

      by Anonymous Coward on Wednesday June 15 2022, @09:17AM (#1253401)

      Process Names Hidden
              javaserverx64
              javaclientex64
              javanodex86
              apache2start
              apache2stop
              [watchdog/0]
              certbotx64
              certbotx86
              javautils

      I'm a bit of a noob, but as a test couldn't you rename some innocuous little program so that it shows up as a process named one of the above and then see if it disappears from the listings?
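The canary test asked about here (does a process vanish from the listings?) can be turned into a check that needs no renamed binary. The following is an added example, not code from the thread or from the BlackBerry write-up: a hook on readdir() can only drop entries from a directory listing of /proc, but it cannot stop the kernel from answering kill(pid, 0) for a PID it is asked about directly, so every PID that answers the probe yet is missing from the listing is a candidate. Threads answer kill() too but are deliberately absent from the /proc listing, so the example reads /proc/<pid>/status and keeps only thread-group leaders (Tgid equal to the PID), plus entries whose status file cannot be read at all while the PID is still alive. The probe ceiling and the helper names are this example's own.

```python
"""Find PIDs hidden from the /proc listing by comparing two views (added example)."""
import os
from pathlib import Path


def listed_pids(proc_root: str = "/proc") -> set:
    """PIDs as a directory listing shows them (what readdir()-based tools see)."""
    root = Path(proc_root)
    if not root.is_dir():
        return set()
    return {int(p.name) for p in root.iterdir() if p.name.isdigit()}


def pid_exists(pid: int) -> bool:
    """Ask the kernel directly: kill(pid, 0) sends nothing but reports
    whether the PID exists (EPERM still means it exists)."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def pid_exists_current_process() -> bool:
    """Sanity check of the probe against our own PID."""
    return pid_exists(os.getpid())


def is_thread_group_leader(pid: int, proc_root: str = "/proc"):
    """True/False from the Tgid line of /proc/<pid>/status; None if unreadable."""
    try:
        text = Path(proc_root, str(pid), "status").read_text()
    except OSError:
        return None
    for line in text.splitlines():
        if line.startswith("Tgid:"):
            return int(line.split()[1]) == pid
    return None


def probe_pids(limit: int, proc_root: str = "/proc") -> set:
    """PIDs that answer the kill() probe, up to min(limit, kernel pid_max)."""
    try:
        pid_max = int(Path(proc_root, "sys/kernel/pid_max").read_text())
    except (OSError, ValueError):
        pid_max = limit
    return {pid for pid in range(1, min(limit, pid_max) + 1) if pid_exists(pid)}


def compare_pid_views(listed: set, probed: set) -> list:
    """PIDs the probe found that the listing lacks, in ascending order."""
    return sorted(probed - listed)


def find_hidden_pids(limit: int = 32768, proc_root: str = "/proc") -> list:
    """Candidates hidden from the listing: alive, unlisted, and either a
    real process (thread group leader) or unreadable while still alive."""
    listed = listed_pids(proc_root)
    hidden = []
    for pid in compare_pid_views(listed, probe_pids(limit, proc_root)):
        leader = is_thread_group_leader(pid, proc_root)
        if leader is True:
            hidden.append(pid)
        elif leader is None and pid_exists(pid):  # status hidden, but alive
            hidden.append(pid)
    return hidden


if __name__ == "__main__":
    print("hidden PID candidates:", find_hidden_pids())
```

For a full sweep set the limit to the value in /proc/sys/kernel/pid_max (the default stops at the classic 32768). Processes created or exiting between the listing and the probe show up as one-off candidates, so re-run on any hit before treating it as a finding; a PID that is absent from the listing on every run while still answering the probe is the signal the comment was looking for.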

  • (Score: 5, Insightful) by Anonymous Coward on Wednesday June 15 2022, @07:28AM (8 children)

    by Anonymous Coward on Wednesday June 15 2022, @07:28AM (#1253394)

    A small bit of technical sophistication makes the worm "nearly impossible to detect" in the world of fat lazy "anti-malware" makers accustomed to dumb malware written by ignorant idiots. Pathetic, really.

    Library injection is a thing. A very, VERY old thing. WHY do we have anti-malware using libc instead of syscalls for its core functions?

    https://blogs.blackberry.com/en/2022/06/symbiote-a-new-nearly-impossible-to-detect-linux-threat [blackberry.com] :

    Remote access to the infected machine is achieved by hooking a few Linux Pluggable Authentication Module (PAM) functions. When a service tries to use PAM to authenticate a user, the malware checks the provided password against a hardcoded password. If the password provided is a match, the hooked function returns a success response. Since the hooks are in PAM, it allows the threat actor to authenticate to the machine with any service that uses PAM. This includes remote services such as Secure Shell (SSH).

    And this is why Slackware did not have PAM until 2020. Until the damn KDE forced Patrick's hand at last. :(
    https://alien.slackbook.org/blog/slackware-introduces-pam-into-its-core/ [slackbook.org] :

    In case that makes you worry, wonder or causes you to ponder leaving Slackware behind, don’t let this change scare you. PAM has come a long way, it is safe and in Slackware, it is not getting in your way.

    Reads quite ironic now, given the above revelation, doesn't it?
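On the question of anti-malware relying on libc, a process can at least notice when its own libc calls are being intercepted. The following is an added example, not code from the thread or from the BlackBerry write-up: with dlsym() a lookup in the global namespace returns the first definition in load order, which under LD_PRELOAD is the preloaded library's version, while a lookup through the handle of libc itself returns libc's own definition. If the two addresses differ for a symbol, something sits in front of libc for that function. The watched-symbol list is this example's choice (directory and file functions a user-mode rootkit typically hooks; it leaves out open()/read()/write(), which glibc before 2.34 legitimately defines in both libpthread and libc), and ctypes supplies the dlopen()/dlsym() calls.

```python
"""Detect LD_PRELOAD symbol interposition from inside a process (added example)."""
import ctypes
import ctypes.util

# Symbols this example watches: libc functions user-mode rootkits hook to
# filter directory listings and file access. open()/read()/write() are
# deliberately absent: glibc < 2.34 also defines them in libpthread, which
# would make a clean system look interposed.
WATCHED_SYMBOLS = ("readdir", "readdir64", "opendir", "fopen", "fopen64",
                   "access", "execve", "getaddrinfo")


def load_libc():
    """Handle to the C library, or None when it cannot be located."""
    for name in ("libc.so.6", ctypes.util.find_library("c")):
        if not name:
            continue
        try:
            return ctypes.CDLL(name)
        except OSError:
            continue
    return None


def symbol_address(lib, symbol: str):
    """Address dlsym() returns for symbol through this handle, or None."""
    func = getattr(lib, symbol, None)  # ctypes raises AttributeError if absent
    if func is None:
        return None
    return ctypes.cast(func, ctypes.c_void_p).value


def resolve(lib, symbols) -> dict:
    """{symbol: address} for the symbols this handle can resolve."""
    table = {}
    for sym in symbols:
        addr = symbol_address(lib, sym)
        if addr is not None:
            table[sym] = addr
    return table


def diff_resolution(global_table: dict, libc_table: dict) -> list:
    """[(symbol, global_addr, libc_addr)] where the two lookups disagree."""
    return [(sym, global_table[sym], libc_table[sym])
            for sym in libc_table
            if sym in global_table and global_table[sym] != libc_table[sym]]


def interposed_symbols(symbols=WATCHED_SYMBOLS) -> list:
    """Watched symbols whose global resolution does not land in libc."""
    libc = load_libc()
    if libc is None:
        return []
    whole_process = ctypes.CDLL(None)  # dlopen(NULL): the global namespace
    return diff_resolution(resolve(whole_process, symbols), resolve(libc, symbols))


if __name__ == "__main__":
    hits = interposed_symbols()
    if not hits:
        print("no interposition of watched libc symbols in this process")
    for sym, global_addr, libc_addr in hits:
        print(f"{sym}: global lookup {global_addr:#x} != libc {libc_addr:#x}")
```

A clean process reports no differences; a process started with LD_PRELOAD pointing at a library that defines readdir() reports that symbol with two addresses. The check only sees interposition at the dynamic-linker level, so it says nothing about a kernel module, and a library that also hooks dlsym() could answer consistently for both lookups; it is a cheap first probe, not a verdict.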

    • (Score: 0) by Anonymous Coward on Wednesday June 15 2022, @08:49AM (3 children)

      by Anonymous Coward on Wednesday June 15 2022, @08:49AM (#1253399)

      The machine needs to be compromised first before the PAM hooks can be installed. So this isn't an attack vector, it's just another method to install a backdoor on an already pwned machine.

      • (Score: 1, Insightful) by Anonymous Coward on Wednesday June 15 2022, @11:06AM (2 children)

        by Anonymous Coward on Wednesday June 15 2022, @11:06AM (#1253407)

        Malware dependent on PAM cannot function on a system lacking PAM. And this "Symbiote" is far from the first such malware. I.e. the presence of PAM makes the system vulnerable to a whole extra class of malware.

        Having one's system incompatible, in some way, with a run-of-the-mill worm is a MUCH better protection than the whack-a-mole game with "attack vectors". Essentially, that defeats all the large-scale malware epidemics, leaving only targeted attacks as a thing to be feared. And when your system is not valuable enough to merit spending time and effort on pwning it specifically, the incompatibility is a near perfect shield.

        • (Score: 0) by Anonymous Coward on Thursday June 16 2022, @08:50PM (1 child)

          by Anonymous Coward on Thursday June 16 2022, @08:50PM (#1253782)

          Systems that don't use PAM use SomethingElse to authenticate users. Is SomethingElse more secure? Is it somehow not vulnerable to this exact same attack? (if its accessed through a library it is vulnerable...)

          It does require the malware to be adapted to your system, but it requires everything else wanting to use PAM to be adapted to your system as well.

          • (Score: 0) by Anonymous Coward on Thursday June 16 2022, @09:52PM

            by Anonymous Coward on Thursday June 16 2022, @09:52PM (#1253806)

            It does require the malware to be adapted to your system, but it requires everything else wanting to use PAM to be adapted to your system as well.

            Throwing away the desktop stuff (KDE) as unneeded on a server, and compiling everything else PAM-less, is not complicated; the pre-2020 Slackware is the proof of that.

    • (Score: 0) by Anonymous Coward on Wednesday June 15 2022, @11:30AM (3 children)

      by Anonymous Coward on Wednesday June 15 2022, @11:30AM (#1253408)

      It hooks the kernel functions in the syscall table, not just libc. It's not that easy. But as a user mode rootkit, there are always going to be ways to spot it.

      • (Score: 0) by Anonymous Coward on Wednesday June 15 2022, @12:50PM (2 children)

        by Anonymous Coward on Wednesday June 15 2022, @12:50PM (#1253413)

        What, exactly, told you that? Not a single peep about the syscall table in the in-depth article, nor in TFA.

        • (Score: 0) by Anonymous Coward on Wednesday June 15 2022, @03:48PM (1 child)

          by Anonymous Coward on Wednesday June 15 2022, @03:48PM (#1253437)

          It's in the researchers' blog post.

          • (Score: 0) by Anonymous Coward on Thursday June 16 2022, @10:36AM

            by Anonymous Coward on Thursday June 16 2022, @10:36AM (#1253642)

            Once again: where?

  • (Score: -1, Spam) by Anonymous Coward on Wednesday June 15 2022, @01:53PM (22 children)

    by Anonymous Coward on Wednesday June 15 2022, @01:53PM (#1253419)

    0.0.0.0 caixa.wf
    0.0.0.0 git.bancodobrasil.dev
    0.0.0.0 bancodobrasil.dev
    0.0.0.0 ns1.cintepol.link
    0.0.0.0 ns2.cintepol.link
    0.0.0.0 cintepol.link
    0.0.0.0 assets.fans
    0.0.0.0 caixa.cx
    0.0.0.0 dpf.fm
    0.0.0.0 dev21.bancodobrasil.dev
    0.0.0.0 bancodobrasil.dev
    0.0.0.0 cctdcapllx0520.df.caixa.cx
    0.0.0.0 cctdcapllx0520.df.caixa.wf
    0.0.0.0 webfirewall.caixa.wf
    0.0.0.0 caixa.wf
    0.0.0.0 x3206.caixa.cx

    (Those are C2 servers etc. it uses & the entries in hosts you can use to stall symbiote on Linux)

    Additionally - I'd like to thank bradley13 above for the SECURITY ARTICLE I used to get those C&C servers from that Symbiote uses - these types of articles ARE what I referred to the other day regarding addons being crippled by JEWgle etc. AND how hosts are FAR BETTER & that you will end up returning to using hosts files due to JEWgle's bullshit (+ YES, hosts files &/or Firewall rules are invaluable IF you want to REALLY PROTECT YOUR MACHINES from threats online!)

    * That's RIGHT - AND just like I pointed out a HUGE ADVANTAGE hosts files have over your soon to be useless adblocker addons for browsers (in slower less efficient usermode - with tests that PROVE that too) right-off-the-bat @ the START of my post you ASSHOLES here allowed to be DOWNMODERATED a few days ago here https://soylentnews.org/comments.pl?noupdate=1&sid=49747&page=1&cid=1252547#commentwrap [soylentnews.org] ?

    So what did I point out hosts files do there besides everything browser addons do blocking ads BUT ALSO blocking malware/trackers/scripts/ads & more in their communications back to the invaders??

    The FACT that GOOD complete hosts files (like mine, 10 million entries strong to date since 1997) BLOCK & NULLIFY communication to malware C&C servers (C2).

    Browser addons do NOT do that & though uBlock uses hosts? I doubt THEIR LISTS cover these things (as most hosts files don't & are concerned MOSTLY with just adblocking) - my hosts file does due to the FACT I look over security articles everyday for the purpose of defense vs. threats like THIS ONE & tons of others.

    Going to "downmod this" too, assholes? I bet you will... fuck you all.

    APK

    P.S.=> Others here did a few good posts too pointing out proc scannings & that this is basically NT type DLL injection via PRELOAD noted above by many - SO - they are NOT the ASSHOLES I refer to above that INFEST THIS PLACE truly INFECTING IT with sockpuppetry & bogus downmods like I got the other day in the link above & TONS of others times!

    Other than those doing what I noted above? Hey, admit it TO YOURSELVES:

    What a pack of FUCKING UTTER WEASELS you have around here!

    (ESPECIALLY including your owners & moderators who block my IP address & say my "hosts posts are bad" OR "spam" when they are TOTALLY USEFUL on TONS of levels - fuck you pricks)... apk

    • (Score: 0) by Anonymous Coward on Wednesday June 15 2022, @03:25PM (6 children)

      by Anonymous Coward on Wednesday June 15 2022, @03:25PM (#1253434)

      A post can be simultaneously useful and a troll in my book.

      regarding addons being crippled by JEWgle etc. AND how hosts are FAR BETTER & that you will end up returning to using hosts files due to JEWgle's bullshit

      Oh good, some anti-Semitism right off the bat.

      right-off-the-bat @ the START of my post you ASSHOLES here allowed to be DOWNMODERATED a few days ago here https://soylentnews.org/comments.pl?noupdate=1&sid=49747&page=1&cid=1252547#commentwrap [soylentnews.org] [soylentnews.org] ?

      Going to "downmod this" too, assholes? I bet you will... fuck you all.

      the ASSHOLES I refer to above that INFEST THIS PLACE truly INFECTING IT with sockpuppetry & bogus downmods like I got the other day in the link above & TONS of others times!

      Other than those doing what I noted above? Hey, admit it TO YOURSELVES:

      What a pack of FUCKING UTTER WEASELS you have around here!

      (ESPECIALLY including your owners & moderators who block my IP address & say my "hosts posts are bad" OR "spam" when they are TOTALLY USEFUL on TONS of levels - fuck you pricks)... apk

      Don't whine about your previous mods; just post your information and let it stand on its own merits.

      You're not making people less likely to downmod you by calling us names and insulting us about it.

      --

      P.S: About your first downmod complaint above, the post was actually remarkably on-topic up until the point where you couldn't resist your own postcript spooge.

      P.S.=> Prepping for nitpickers (go ahead - lol, I've BEEN thru that before & BLEW AWAY all comers so called "points" with FUCKING EASE) - & I would've posted this earlier BUT you've been TRYING (& failing) @ blocking my IP address SO it's gotten so I won't post here MUCH anymore here ON THIS SITE as it's a "wee bit of a PAIN IN THE ASS" to get around your BULLSHIT that way here in CENSORBEAMS (misspell intentional) @ least, well other than ONCE IN AWHILE being compelled to do so, & YES this time I am to give you something to THINK about like I did in this post about VAXINES (intentional misspell) https://soylentnews.org/comments.pl?noupdate=1&sid=46034&page=1&cid=1197563#commentwrap [soylentnews.org] [soylentnews.org] OR on how to optimize code https://soylentnews.org/comments.pl?noupdate=1&sid=46096&page=2&cid=1198315#commentwrap [soylentnews.org] [soylentnews.org] (PASCAL always HAS rocked vs. C etc. too) for which in BOTH cases you ALL UPRATED ME on to the max & yes, which I am TOTALLY correct about & PITY those who took it - same idea here - see my subject... apk

      Ah, here we go: arrogant, bitching about being oppressed, offtopic drama about vaxx, offtopic about programming languages, finish with more arrogance.

      • (Score: -1, Spam) by Anonymous Coward on Wednesday June 15 2022, @04:06PM (2 children)

        by Anonymous Coward on Wednesday June 15 2022, @04:06PM (#1253441)

        See my subject: All YOU are is an UNIDENTIFIABLE anonymous WEASEL (a fact, as you hide behind AC) lol & I just repost nullifying your WHIMP effete "cancel" downmod here https://soylentnews.org/comments.pl?noupdate=1&sid=49835&page=1&cid=1253419#commentwrap [soylentnews.org]

        NOW, as to the REST of your BULLSHIT:

        Oh good, some anti-Semitism right off the bat. - by Anonymous Coward on Wednesday June 15, @03:25PM (#1253434)

        Isn't "GOOGLE" truly JEWgle? Yes, see Brin for example IF NOT Blackrock (Larry Fink, another jew) owned, lol - see subject - I merely STATE FACTS (ones you can't stand).

        HEY - they ARE the ones destroying your STUPID, inefficient browser addons, not I!

        Ah, here we go: arrogant - - by Anonymous Coward on Wednesday June 15, @03:25PM (#1253434)

        Again, I merely STATE FACTS in that I can produce my OWN wares - obviously an ALL-TALK do NOTHING zero in you that HIDES behind AC posts issuing downmods on my posts CAN'T yourself, cripple!

        Additionally: You ADMIT hosts & my posts are useful in doing so!

        Hey - YOU PROVE MY POINTS for me... thanks!

        APK

        P.S.=> :) ... apk

        • (Score: 0) by Anonymous Coward on Wednesday June 15 2022, @04:30PM (1 child)

          by Anonymous Coward on Wednesday June 15 2022, @04:30PM (#1253448)

          See my subject: All YOU are is an UNIDENTIFIABLE anonymous WEASEL (a fact, as you hide behind AC) lol

          Yeah, I can't imagine why I would AC, considering how intensely you seem to nurse a grudge from your posts.

          Additionally: You ADMIT hosts & my posts are useful in doing so!

          I did? Where was that?

          HOSTS file stuff being on-topic is not the same as me making any judgment on how effective it is.

          • (Score: -1, Troll) by Anonymous Coward on Wednesday June 15 2022, @04:50PM

            by Anonymous Coward on Wednesday June 15 2022, @04:50PM (#1253451)

            Apk just exposes you and yes he does it after you downmod his points that are correct that doubtless affect your ability to steal as jews do. Please, do prove me wrong here about Jews https://soylentnews.org/comments.pl?noupdate=1&sid=49835&page=1&cid=1253445#commentwrap [soylentnews.org]

            Prove Apk is wrong about hosts files superiority on numerous levels here https://soylentnews.org/comments.pl?noupdate=1&sid=49747&page=1&cid=1252760#commentwrap [soylentnews.org] where he challenged you all fairly to do so.

            Prove Apk is wrong here too in this thread today now https://soylentnews.org/comments.pl?noupdate=1&sid=49835&page=1&cid=1253440#commentwrap [soylentnews.org]

            Apk's not the one issuing downmods to hide posts of useful information. You and yours are and running. Running from facts that shut your jew ass down cold and we all know it. You prove it for us.

            You will prove how useful his posts are by your inability to prove them wrong.

            Eat it jew. You will have to.

            No wonder you jews hide and ruin the planet everywhere you have gone and end up in ovens for it. You do it to yourselves and you will now too.

            Downmod galore will come out of you on my posts and his. Prove me wrong. You will only end up proving us both correct and you know it. Thanks.

      • (Score: -1, Troll) by Anonymous Coward on Wednesday June 15 2022, @04:24PM

        by Anonymous Coward on Wednesday June 15 2022, @04:24PM (#1253445)

        Jew give up. You project the typical slinking lurking sneak jew right off the bat. You jews think you are "so smart" but you couldn't face up to a challenge APK put to you https://soylentnews.org/comments.pl?noupdate=1&sid=49747&page=1&cid=1252760#commentwrap [soylentnews.org] and all you are is good at being thieves. Tell us Jew, why is it you jews have been kicked out of 110 nations to date? Is it because that sooner or later every nation on earth gets wise to your creepiness. One look at the Talmud and everyone knows what you are calling us goyim cattle to be robbed, killed and to rape our little girls. Who are the racists now jew? You are.

      • (Score: -1, Troll) by Anonymous Coward on Wednesday June 15 2022, @07:17PM (1 child)

        by Anonymous Coward on Wednesday June 15 2022, @07:17PM (#1253482)

        "Oh good, some anti-Semitism right off the bat."

        These so-called Jews are Khazars, not Semites. They are subversive rats who lie about everything, even their own heritage.

        • (Score: 0) by Anonymous Coward on Wednesday June 15 2022, @10:30PM

          by Anonymous Coward on Wednesday June 15 2022, @10:30PM (#1253527)

          These so-called Jews are Khazars, not Semites.

          So your response to me calling you a racist is "I'm not being racist against *that* group, I'm being racist against *this* group"

    • (Score: 2) by maxwell demon on Wednesday June 15 2022, @03:39PM (10 children)

      by maxwell demon (1608) on Wednesday June 15 2022, @03:39PM (#1253435) Journal

      Of course a malware running on your computer can easily circumvent any hosts file entry on that same computer. If enough people fight the malware through hosts files, you can bet the malware will do that.

      --
      The Tao of math: The numbers you can count are not the real numbers.

      • (Score: -1, Spam) by Anonymous Coward on Wednesday June 15 2022, @06:28PM (9 children)

        by Anonymous Coward on Wednesday June 15 2022, @06:28PM (#1253466)

        "GOD DON'T MAKE NO JUNK" & neither do I as "The LORD of HOSTS" with proof - here goes:

        IF that malware CAN run & it can't: How/WHY? 1st of all, HOW can it be running on my machine when I block sources of it getting to me @ ALL in the 1st place?

        FACT: Rootkit or not, it can't run on me IF it can't get to me.

        See my subject & QUESTION for YOU to answer regarding THIS usermode (key) rootkit (see more below on THAT note, lol - you LOSE twice in fact): DOES THIS USERMODE ROOTKIT REWRITE HOSTS?

        ANSWER - NO it does not per all analysis on it, lol - you FAIL!

        Secondly, even IF it ran (can't), it can't communicate back to its controllers (in C2/C&C)

        LASTLY - I rewrite my hosts file MANY times a day from dozens of sources AND IF IT CHANGES SIZE minus MY PROGRAM doing it - I detect for that CRAP!

        (Yes, it does it by itself, completely automated here UPDATING nigh constantly, more IF I want but it does so seamlessly as is every 5 minutes) - so even IF (it can't be) was rewritten, I write it back (not that it matters due to the above).

        * SIMPLE!

        (... lol, & of COURSE the IDIOTS here thought that blocking the proxy I used last is going to STOP ME easily NULLIFYING YOUR BS now too, so I just changed to another & will soon REPOST my initial post which obviously is SO EFFECTIVE none of you can prove it wrong, lmao...)

        There HAVE been malwares that TRY affect hosts files & OS makers (all of them) put in admin level type permissions to STOP that (e.g. on Windows, MacOS, or Linux you MUST have that level of perms to rewrite hosts) - now IF you even TRY say "but, But, BUT rootkits have kernel level perms" well, see above AND IIRC? This is a USERMODE ROOTKIT & that is NOT Kernel level OR admin (or the OS would warn you just as it does demanding admin/root logon to do so)

        & YES AGAIN - I'd have to BE INFECTED FIRST & guess what again??

        I block that POSSIBILITY even EVER happening in the 1st place by blocking out sources of said infestations @ all!

        APK

        P.S.=> Nice TRY, you FAIL - better luck next time (usermode vs. kernelmode per above + the FACT this particular usermode rootkit does NOT attack hosts (let it in my case - it can't period))... apk

        • (Score: -1, Troll) by Anonymous Coward on Wednesday June 15 2022, @08:57PM

          by Anonymous Coward on Wednesday June 15 2022, @08:57PM (#1253505)

          At least we don't have aristarchus to spam mod, anymore.

        • (Score: 2) by dalek on Wednesday June 15 2022, @10:24PM (7 children)

          by dalek (15489) on Wednesday June 15 2022, @10:24PM (#1253525)

          You're exaggerating the effectiveness of hosts at preventing malware.

          Yes, hosts can block sites that contain malware. However, there are many repositories with user-submitted content that contain both malware and useful software that is safe. In that case, you either have to block the entire site and prevent access to safe content, or you allow the site and are vulnerable to malware. Hosts don't provide granular enough control to properly handle this situation. Someone has to discover that the site is distributing malware and add it to the hosts file, meaning that hosts won't block sites that haven't yet been flagged as malicious. Hosts files also don't work with wildcards, meaning that you can't block access to *.malicious-site.com. You'd need something like dnsmasq to accomplish that.

          Yes, hosts can block access to command and control servers provided that those servers are specified according to a host and not an IP address. However, for this to be relevant, your system already has to be compromised. This might mitigate the damage, but the breach has already occurred.

          Hosts files can be a useful layer of security, sure. There's a reason that browser addons like uBlock Origin can use hosts files. But they should be treated as just one layer of security, not a complete solution. You can't be certain that you've blocked all sources of malware with hosts, and you'll have better security if you have other layers of protection. You're exaggerating the protection that hosts files provide. Like I said, they can be useful as a layer of security, but they shouldn't be the only layer.

          --
          THIS ACCOUNT IS PERMANENTLY CLOSED

          • (Score: -1, Spam) by Anonymous Coward on Thursday June 16 2022, @12:10AM (4 children)

            by Anonymous Coward on Thursday June 16 2022, @12:10AM (#1253554)

            WTF? Are you STUPID (yes) - what did I do but provide what to BLOCK outta this rootkit from real sources that looked @ it - EXACTLY what to block stupid. Have you? No.

            More TYPICAL jew do NOTHING leech lurking & SKULKING (see my ps below dumbo dalek exterminated on THAT note, lol - yes, I am LMAO @ U, zero do nothing JEW swine).

            You've done BETTER/MORE juden?

            Answer that JUDEN!

            Per your NO MIND do nothing of note (ever, & I have while YOU were in diapers & should have been SHOT TO DEATH before you could pull the bs you are now JEW). I have, long ago.

            BY THE WAY per your JEW bullshit Chaim ANYTIME you want to see 1,000's of literal articles I have bookmarked to the contrary of how "hosts don't work" per YOU no-mind DO NOTHING zero you & yours are leeches on society?

            ASK!

            I'll do 1 of my FAVORITE things to do in making YOU "EAT YOUR WORDS" (& to YOU in particular you NOT MAN punk, see my ps below, ah the memories, lol...)

            Ask & "ye shall receive" YAHOOTI SWINE! I will let everyone see just what you are - a FAKE NAME fuck slinking lurking JUDEN - which I bet you are.

            * Fact is, YOU haven't done SHIT - ever... lol! See subject - answer my question JEW! I have, see the list I put out from those studying it stupid JEW! Eat your words... loL!

            JEW!

            Scumbag comes OUTTA THE SHADOWS not posting on the main forums for how long now? Only in journals - OK juden, here comes below (you have EXTERMINATED yourself, dalek JEW - not I).

            Bottom-line: I didn't do THIS to you SLINKY jew - you did (not that you care - you KNOW you & yours are THIEVING nobodies kicked from 110 nations since the beginning of recorded history & don't try say "I am no JEW" or I'll simply quote your BOOK OF SATAN the Talmud & show all the "rules" of devils you & yours use PUBLICLY - then, you have NO "outs" do you? LOL!)

            APK

            P.S.=> LMAO - & then, ESPECIALLY regarding YOU you STINKING jew? Here 'tis (regarding COVID & genetics you NO-MIND sheeple) & WHO tells it HOW it is & what works against it?? I do, not YOU jew, lol - hilarious & FACT https://soylentnews.org/comments.pl?noupdate=1&sid=46034&page=1&cid=1197563#commentwrap [soylentnews.org] +5 & ALL which despite your downmods (& lack of ANYTHING worthwhile like the TYPICAL JEW useless LEECHES you are) there tis - nothing you can DO about it, lol & I am LMAO @ YOU in particular, SLINKING slimy JEW - ALL of what I wrote is coming out as FACT vs. your JUDEN SWINE Bullshit - & THIS is what gets YOU & YOURS "exterminated" thru ALL TIME Jew DALEK (how ironic, lmao)... apk

            • (Score: 4, Informative) by dalek on Thursday June 16 2022, @01:59AM (3 children)

              by dalek (15489) on Thursday June 16 2022, @01:59AM (#1253559)

              I actually modded one of your posts [soylentnews.org] up. And now, here you are reduced to posting drivel like this and showing that you're still obsessed with me. I'll address the one part of your comment that's actually remotely on-topic:

              what did I do but provide what to BLOCK outta this rootkit from real sources that looked @ it - EXACTLY what to block stupid.

              On many current Linux systems, using /etc/hosts to block sites is woefully inefficient without some modifications. Many current Linux systems will have a single entry in /etc/resolv.conf, which is 127.0.0.53. Those systems use systemd-resolved for resolving domain names, which is very inefficient at parsing large hosts files [askubuntu.com]. Although I agree that systemd is the real problem here and that dnsmasq should be used in place of systemd-resolved, this requires a bit more work for users to properly configure their systems.

              If you're going to block domains linked to this malware from being resolved, you really want to block things like *.dev21.bancodobrasil.dev and *.x3206.caixa.cx. As I noted previously, you can't use wildcards in /etc/hosts. You need a better solution.

              Let's also consider how this malware exfiltrates credentials that have been captured:

              In addition to storing the credentials locally, the credentials are exfiltrated. The data is hex encoded and chunked up to be exfiltrated via DNS address (A) record requests to a domain name controlled by the threat actor. The A record request has the following format:

              %PACKET_NUMBER%.%MACHINE_ID%.%HEX_ENC_PAYLOAD%.%DOMAIN_NAME%

              The malware checks if the machine has a nameserver configured in /etc/resolv.conf. If it doesn’t, Google’s DNS (8.8.8.8) is used. Along with sending the request to the domain name, Symbiote also sends it as a UDP broadcast.

              Those two domains I mentioned above are used for exfiltrating credentials, and DNS is an integral part of this process. As I understand it, the malware resolves the domains of one or more servers used to receive credentials. As I noted previously, you'll need wildcards to block subdomains that are used for receiving stolen credentials. You'll want to make sure that whatever domain in *.dev21.bancodobrasil.dev or *.x3206.caixa.cx that's being used for this purpose never gets resolved. Because you can't use wildcards in /etc/hosts, you'll want to install dnsmasq, make sure the nameserver is 127.0.0.1 in /etc/resolv.conf (so the local dnsmasq is used), and block the domains with configuration files in /etc/dnsmasq.d/ or lines in /etc/dnsmasq.conf. Using /etc/hosts for this purpose is inadequate.

              As for using hosts or dnsmasq.conf to prevent being infected with this malware, that only protects you from hosts that are known to be malicious. If you don't know that the host is malicious, and therefore aren't blocking it already, your solution is useless. As for blocking the exfiltration of credentials, you can block that if you're resolving domains with dnsmasq or even systemd-resolved. If you are using dnsmasq and wanted to block the two domains I mentioned, you could add address=/dev21.bancodobrasil.dev/127.0.0.1 and address=/x3206.caixa.cx/127.0.0.1 to your dnsmasq.conf. Again, you can't block wildcards with /etc/hosts, meaning that your solution is inadequate.

              One other problem with using /etc/hosts to block being infected with this malware is that the distribution vector seems unclear. If you don't know what hosts are being used to distribute this, if any, you can't block it with your solution. You can mitigate the damage, but as I noted, /etc/hosts is inadequate for this purpose.

              Like I said, /etc/hosts can be a useful tool for security, but you greatly exaggerate its usefulness and give users a false sense of security.

              --
              THIS ACCOUNT IS PERMANENTLY CLOSED
              • (Score: -1, Troll) by Anonymous Coward on Friday June 17 2022, @03:53AM

                by Anonymous Coward on Friday June 17 2022, @03:53AM (#1253897)

                Did I say hosts do wildcards? No I did NOT here OR ever anywhere, Jew so don't try to put words in my mouth I never said OR try "make me look bad" because you did that vs. ME on COVID in a HUGE blunder I quoted out of your mistakes here https://soylentnews.org/comments.pl?noupdate=1&sid=46034&page=1&cid=1197563#commentwrap [soylentnews.org]

                (QUESTION (not that YOU as a LYING JEW would answer honestly, your own TALMUD & KALNIDRA prove that) you are a jew aren't you? I see you don't DENY it, good enough for me). So tell us, are you a JEW?? I am curious.

                Did I list the exfiltrators as wildcarded in my lists I put out from https://blogs.blackberry.com/en/2022/06/symbiote-a-new-nearly-impossible-to-detect-linux-threat [blackberry.com]?

                No again. I only listed their base domains (with good reason below).

                I was only showing that hosts ARE USEFUL (which you admit) & yes, they ARE USEFUL HERE TOO (per those lists from the blackberry research link above, period, so cut your crap you do NOTHING zero that's never done anything of worth in software EVER (prove otherwise, I can)).

                HOWEVER, per the lists given, I did cover the C2 servers this uses in it IN THEIR ENTIRETY (except for wildcarded ones but I still block their base domains anyway in hosts - can't hurt to do so - once a subdomain is compromised? You can BET the base parent domain & system are too).

                For the last wildcarded ones, I covered those in my firewall AND router (mine allows wildcards), & my router also closes off the ports this malware uses too.

                FACT: I never said hosts are a "cure-all" here OR anywhere - I only said WHAT YOU ADMIT YOURSELF (hosts are valuable for security) - no 1 single thing is a cure-all (though I know of 1,000's of cases I keep bookmarked where hosts DO work as a cureall in "what you can't touch can't hurt you")

                ADDITIONALLY: I don't use a systemd based system for Linux. I use PCLinuxOS (no systemd). I did use it for 2 yrs. on KUbuntu but felt it was useless to me personally/of no benefit vs. costs of using it...

                On a guess on systemd's inefficiency with hosts? I've SEEN THAT before!

                Just like how Microsoft F'd up in their dnscache client in fact!

                My guess, like MS making the SAME mistake long ago?

                Systemd is using a non-redimmable array OR fixed length list (this I know & confronted MS on listing problems it had with large hosts files, a DECADE++ ago, but it was never fixed). It can't flush/age out FAST enough & reload it fast enough BECAUSE of that.

                Besides - Linux minus systemd does FINE using it - ANY DISKCACHE will handle caching hosts in its entirety (it's just a file like any other for caching) & IT DOES on Linux AND YES, on Windows when you turn off the BUGGY (& more bugs than I noted above, I have lists if you would like to see them) dnscache.

                I also asked WHY hosts files were never given wildcard ability.

                I asked since hosts files do NOT demand added layering drivers like firewalls do (that means more complexity & yes, overheads of many kinds). Same vs. DNS systems (like dnsmasq which has had MANY bugs popup in it over time - would you like a list of some?? Ask).

                In any event - a firewall can cover wildcards. You neglected to mention that.

                YOUR SOLUTION? It's not YOURS @ all in dnsmasq (which YOU did not create)?

                dnsmasq has a HISTORY of bugginess! That has backfired on PiHole's too that use that buggy ware. You're offering a buggy ware as a SOLID solution? LMAO! No thanks.

                APK

                P.S.=> LASTLY - OBSESSED with YOU? You're a DO-NOTHING little CREEP - I don't POPUP in YOUR BULLSHIT POSTS BUT YOU DO MINE CONSTANTLY & like I SHOT YOU TO PIECES ON COVID since you shot yourself ("what does this have to do with genetics" LMAO @ U for that one when it had EVERYTHING TO DO WITH IT) - you don't teach me anything. You don't have the skills OR EDUCATION to DO so nor the history to prove it in ANYTHING you've EVER DONE, which is CLEARLY, zero/nothing.

                PROVE OTHERWISE (but then again, you can't LURK AROUND/STALK ME with your FAKENAME then can you WHEN I WOULD KNOW WHO YOU ARE, which I don't hide about myself BUT YOU DO)... apk

              • (Score: -1, Spam) by Anonymous Coward on Monday June 20 2022, @10:50PM

                by Anonymous Coward on Monday June 20 2022, @10:50PM (#1254770)

                Guess what? YOU LOSE, hosts work vs. Symbiote C2 server(s) per this line from a MUCH better article than the one used here from bradley13 per "configuration in the binary that used the git[.]bancodobrasil[.]dev domain as its C2 server" from https://www.intezer.com/blog/research/new-linux-threat-symbiote/ [intezer.com] (INTEZER's now owned by Microsoft iirc as well).

                & did I block that in my original posts here on this BOGUS sockpuppet upmodding yourselves shithole website (which also noted FIREWALLS are invaluable here too, per wildcards (or even IP address use, URL domain/subdomain too in many as well)?

                YES I DID! I was correct... & YES, hosts work vs. this threat too stupid!

                So YOU LOSE chump... a BETTER ARTICLE than what I used proves it for me!

                * THANKS FOR LOSING TO ME yet again, as always for you... try me again? THIS COMES UP AS PROOF (as well as another I have on YOU regarding using sources where YOU contradict yourself - want quotes of that too? ASK!)

                HOW ESPECIALLY EMBARRASSING FOR YOU with your NO-DOUBT self-upmodded by sockpuppet accounts of YOURSELF too - now that YOU have EGG ON YOUR FACE fucko!

                APK

                P.S.=> Do yourself a FAVOR - don't ever, EVER try me ever again OR I WILL MAKE SURE YOU SHIT ON YOURSELF yet again as always, easily... apk

              • (Score: -1, Spam) by Anonymous Coward on Tuesday June 21 2022, @05:55PM

                by Anonymous Coward on Tuesday June 21 2022, @05:55PM (#1254963)

                Guess what Dalek? YOU LOSE, hosts work vs. Symbiote C2 server(s) per this line from a MUCH better article than the one used here from bradley13 per "configuration in the binary that used the git[.]bancodobrasil[.]dev domain as its C2 server" from https://www.intezer.com/blog/research/new-linux-threat-symbiote/ [intezer.com] (INTEZER's now owned by Microsoft iirc as well).

                & did I block that in my original posts here https://soylentnews.org/comments.pl?noupdate=1&sid=49835&page=1&cid=1253504#commentwrap [soylentnews.org] on this BOGUS sockpuppet upmodding yourselves shithole website (which also noted FIREWALLS are invaluable here too, per wildcards (or even IP address use, URL domain/subdomain too in many as well)?

                YES I DID! I was correct...

                & YES, hosts work vs. this threat too stupid!

                FACT: hosts files block symbiote C2 servers which is all you really need to do to nullify their communication.

                FACT: Exfiltration isn't possible without orders either.

                FACT: Orders come from C2 servers!

                So YOU LOSE chump... a BETTER ARTICLE than what I used proves it for me!

                * THANKS FOR LOSING TO ME yet again, as always for you... try me again? THIS COMES UP AS PROOF (as well as another I have on YOU regarding using sources where YOU contradict yourself - want quotes of that too? ASK!)

                HOW ESPECIALLY EMBARRASSING FOR YOU with your NO-DOUBT self-upmodded by sockpuppet accounts of YOURSELF too - now that YOU have EGG ON YOUR FACE fucko!

                APK

                P.S.=> Do yourself a FAVOR - don't ever, EVER try me ever again OR I WILL MAKE SURE YOU SHIT ON YOURSELF yet again as always, easily... apk

          • (Score: -1, Spam) by Anonymous Coward on Monday June 20 2022, @10:54PM

            by Anonymous Coward on Monday June 20 2022, @10:54PM (#1254772)

            Guess what? YOU LOSE, hosts work vs. Symbiote C2 server(s) per this line from a MUCH better article than the one used here from bradley13 per "configuration in the binary that used the git[.]bancodobrasil[.]dev domain as its C2 server" from https://www.intezer.com/blog/research/new-linux-threat-symbiote/ [intezer.com] (INTEZER's now owned by Microsoft iirc as well).

            & did I block that in my original posts here on this BOGUS sockpuppet upmodding yourselves shithole website (which also noted FIREWALLS are invaluable here too, per wildcards (or even IP address use, URL domain/subdomain too in many as well)?

            YES I DID! I was correct... & YES, hosts work vs. this threat too stupid!

            So YOU LOSE chump... a BETTER ARTICLE than what I used proves it for me!

            * THANKS FOR LOSING TO ME yet again, as always for you... try me again? THIS COMES UP AS PROOF (as well as another I have on YOU regarding using sources where YOU contradict yourself - want quotes of that too? ASK!)

            HOW ESPECIALLY EMBARRASSING FOR YOU with your NO-DOUBT self-upmodded by sockpuppet accounts of YOURSELF too - now that YOU have EGG ON YOUR FACE fucko!

            APK

            P.S.=> Do yourself a FAVOR - don't ever, EVER try me ever again OR I WILL MAKE SURE YOU SHIT ON YOURSELF yet again as always, easily... apk

          • (Score: -1, Spam) by Anonymous Coward on Tuesday June 21 2022, @05:52PM

            by Anonymous Coward on Tuesday June 21 2022, @05:52PM (#1254961)

            Guess what Dalek? YOU LOSE, hosts work vs. Symbiote C2 server(s) per this line from a MUCH better article than the one used here from bradley13 per "configuration in the binary that used the git[.]bancodobrasil[.]dev domain as its C2 server" from https://www.intezer.com/blog/research/new-linux-threat-symbiote/ [intezer.com] (INTEZER's now owned by Microsoft iirc as well).

            & did I block that in my original posts here https://soylentnews.org/comments.pl?noupdate=1&sid=49835&page=1&cid=1253504#commentwrap [soylentnews.org] on this BOGUS sockpuppet upmodding yourselves shithole website (which also noted FIREWALLS are invaluable here too, per wildcards (or even IP address use, URL domain/subdomain too in many as well)?

            YES I DID! I was correct...

            & YES, hosts work vs. this threat too stupid!

            FACT: hosts files block symbiote C2 servers which is all you really need to do to nullify their communication.

            FACT: Exfiltration isn't possible without orders either.

            FACT: Orders come from C2 servers!

            So YOU LOSE chump... a BETTER ARTICLE than what I used proves it for me!

            * THANKS FOR LOSING TO ME yet again, as always for you... try me again? THIS COMES UP AS PROOF (as well as another I have on YOU regarding using sources where YOU contradict yourself - want quotes of that too? ASK!)

            HOW ESPECIALLY EMBARRASSING FOR YOU with your NO-DOUBT self-upmodded by sockpuppet accounts of YOURSELF too - now that YOU have EGG ON YOUR FACE fucko!

            APK

            P.S.=> Do yourself a FAVOR - don't ever, EVER try me ever again OR I WILL MAKE SURE YOU SHIT ON YOURSELF yet again as always, easily... apk

    • (Score: 2) by Subsentient on Wednesday June 15 2022, @08:17PM (3 children)

      by Subsentient (1111) on Wednesday June 15 2022, @08:17PM (#1253498) Homepage Journal

      Well it's *potentially* useful for those of us who are smart enough to be running Linux or BSD, but I imagine the OS cannot parse /etc/hosts quickly, so if it gets tons of entries, might end up with some issues, unless the kernel is using something like inotify to watch the file and cache it when it changes.
      If you're on Windows, you're kind of fucked, as recent versions of Windows since around Win8 molest the hosts file at random intervals and occasionally just decide to ignore it altogether.

      Yeah, yeah, feeding the trolls, whatever.

      --
      "It is no measure of health to be well adjusted to a profoundly sick society." -Jiddu Krishnamurti
      • (Score: 3, Informative) by dalek on Thursday June 16 2022, @03:45AM (2 children)

        by dalek (15489) on Thursday June 16 2022, @03:45AM (#1253576)

        I originally misread the documentation on how this malware works and got things slightly wrong in my previous post [soylentnews.org] on this topic. After reading the description of the malware again, I now understand what's going on.

        In this case, blocking DNS queries by the malware is very useful. However, /etc/hosts is absolutely not the way to do this, and is actually incapable of doing the job.

        The malware uses DNS tunneling to exfiltrate data from a system. In this case, that would be login credentials. Basically, it looks for the nameserver in /etc/resolv.conf and queries that server. If you're using dnsmasq, it should be 127.0.0.1. If you're unfortunately using systemd-resolved, it's 127.0.0.53. If no nameserver is listed, it uses 8.8.8.8, which is operated by Google. However, both dnsmasq and systemd-resolved do use /etc/hosts. The malware submits a DNS type A query in the form of %PACKET_NUMBER%.%MACHINE_ID%.%HEX_ENC_PAYLOAD%.%DOMAIN_NAME% where %DOMAIN_NAME% is either dev21.bancodobrasil.dev or x3206.caixa.cx. If you want to stop data from being exfiltrated, you need to block *.dev21.bancodobrasil.dev and *.x3206.caixa.cx. The hostname it attempts to look up contains information, and the nameservers for those domains record the queries.

        The malware won't bypass /etc/hosts as long as your queries are handled by dnsmasq or systemd-resolved. Here's the problem: /etc/hosts cannot contain wildcards. You need that to block all of the queries that are used to exfiltrate data. The solution is to use dnsmasq.conf and block the entire domains there. Unlike with /etc/hosts, dnsmasq.conf does allow you to block entire subdomains, as I discussed in my other comment. The essence of my comment is correct, but I didn't quite read correctly how the DNS tunneling was done the first time.

        Blocking DNS queries is particularly useful in this case, but APK's solution isn't the way to go. Suspicious DNS queries are also one of the telltale signs that could be used to detect this malware.

        --
        THIS ACCOUNT IS PERMANENTLY CLOSED
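The two dalek comments above (the one on dnsmasq versus /etc/hosts, and this one on the DNS tunnelling format) describe the query shape `%PACKET_NUMBER%.%MACHINE_ID%.%HEX_ENC_PAYLOAD%.%DOMAIN_NAME%`, the two exfiltration domains, and why an exact-match hosts entry cannot stop a per-query random subdomain while a dnsmasq `address=/domain/` rule can. The script below is an added example, not code from the thread, from BlackBerry or from Intezer: it classifies query names from a DNS log, decodes the hex label for triage, and reports for each hit whether the hosts-style list or the dnsmasq-style rule would have blocked it. The label widths in the regex, the "tunnel-shaped to unknown domain" heuristic, the log line layout and every log line are constructed assumptions.

```python
"""Spot Symbiote-style DNS tunnelling in a DNS query log and show why an
/etc/hosts blocklist misses it while a dnsmasq address=/domain/ rule does not.

Added example: not code from the thread, from BlackBerry or from Intezer.
The query layout <packet>.<machine-id>.<hex-payload>.<domain> and the two
exfiltration domains come from the post above; the label widths, the log
line format and every log line below are constructed for illustration.
"""
import re
from typing import Dict, List, Optional

# Exfiltration domains named in the post.
EXFIL_DOMAINS = ("dev21.bancodobrasil.dev", "x3206.caixa.cx")

# What an /etc/hosts entry "0.0.0.0 <name>" can block: that exact name only.
HOSTS_BLOCKLIST = set(EXFIL_DOMAINS)

# What "address=/<domain>/127.0.0.1" in dnsmasq.conf blocks: the domain and
# every name beneath it.
DNSMASQ_BLOCKED = EXFIL_DOMAINS

# <packet>.<machine-id>.<hex-payload>.<domain>; label widths are assumptions.
TUNNEL_RE = re.compile(
    r"^(?P<packet>\d{1,6})\."
    r"(?P<machine>[a-z0-9-]{1,63})\."
    r"(?P<payload>[0-9a-f]{2,63})\."
    r"(?P<domain>[a-z0-9.-]+)$"
)


def in_domain(name: str, domain: str) -> bool:
    """True when name is domain itself or any name beneath it."""
    return name == domain or name.endswith("." + domain)


def hosts_blocks(name: str) -> bool:
    """Exact-match semantics of /etc/hosts: no wildcards, no suffix matching."""
    return name.lower().rstrip(".") in HOSTS_BLOCKLIST


def dnsmasq_blocks(name: str) -> bool:
    """Suffix semantics of dnsmasq's address=/domain/ directive."""
    n = name.lower().rstrip(".")
    return any(in_domain(n, d) for d in DNSMASQ_BLOCKED)


def classify_query(qname: str) -> Optional[Dict]:
    """Alert dict for a known-exfil or tunnel-shaped query name, else None."""
    name = qname.lower().rstrip(".")
    m = TUNNEL_RE.match(name)
    known = next((d for d in EXFIL_DOMAINS if in_domain(name, d)), None)
    if known is not None:
        severity, reason = "high", "query under known Symbiote exfiltration domain"
    elif m is not None and len(m["payload"]) >= 16 and len(m["payload"]) % 2 == 0:
        # Heuristic (assumption): a long, even-length hex label in the
        # packet.machine.payload.domain shape is worth a look for any domain.
        severity, reason = "medium", "tunnel-shaped query name to unknown domain"
    else:
        return None
    alert: Dict = {"qname": name, "severity": severity, "reason": reason,
                   "blocked_by_hosts": hosts_blocks(name),
                   "blocked_by_dnsmasq": dnsmasq_blocks(name)}
    if m is not None:
        payload = m["payload"]
        alert.update(packet=int(m["packet"]), machine=m["machine"], domain=m["domain"],
                     payload=bytes.fromhex(payload) if len(payload) % 2 == 0 else None)
    return alert


def scan_log(text: str) -> List[Dict]:
    """Scan constructed log lines of the form '<time> <client> <qtype> <qname>'."""
    alerts: List[Dict] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # blank or malformed line
        ts, client, qtype, qname = parts
        alert = classify_query(qname)
        if alert is not None:
            alert.update(time=ts, client=client, qtype=qtype)
            alerts.append(alert)
    return alerts


# Constructed sample log; the hex labels encode "root:" and "password".
SAMPLE_LOG = """\
2022-06-15T10:00:01 10.0.0.5 A www.example.org
2022-06-15T10:00:02 10.0.0.5 A 1.a1b2c3.726f6f743a.dev21.bancodobrasil.dev
2022-06-15T10:00:03 10.0.0.5 A 2.a1b2c3.70617373776f7264.x3206.caixa.cx
2022-06-15T10:00:04 10.0.0.9 A 3.ff00aa.0123456789abcdef0123.tunnel.example.net
2022-06-15T10:00:05 10.0.0.7 A mail.example.org
"""

if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"[{a['severity']}] {a['client']} -> {a['qname']}: {a['reason']}; "
              f"hosts blocks={a['blocked_by_hosts']} dnsmasq blocks={a['blocked_by_dnsmasq']}")
```

Run against the sample, the two high-severity hits are exactly the queries a hosts file leaves alone (the random per-packet subdomain never equals the listed name) and a dnsmasq suffix rule catches; the decoded payload is there for damage assessment, which is the only reason to keep it. Feeding the script real resolver logs (dnsmasq's `log-queries` output, for instance) needs the line parser adapted to that format.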
        • (Score: -1, Spam) by Anonymous Coward on Monday June 20 2022, @10:52PM

          by Anonymous Coward on Monday June 20 2022, @10:52PM (#1254771)

          Guess what? YOU LOSE, hosts work vs. Symbiote C2 server(s) per this line from a MUCH better article than the one used here from bradley13 per "configuration in the binary that used the git[.]bancodobrasil[.]dev domain as its C2 server" from https://www.intezer.com/blog/research/new-linux-threat-symbiote/ [intezer.com] (INTEZER's now owned by Microsoft iirc as well).

          & did I block that in my original posts here on this BOGUS sockpuppet upmodding yourselves shithole website (which also noted FIREWALLS are invaluable here too, per wildcards (or even IP address use, URL domain/subdomain too in many as well)?

          YES I DID! I was correct... & YES, hosts work vs. this threat too stupid!

          So YOU LOSE chump... a BETTER ARTICLE than what I used proves it for me!

          * THANKS FOR LOSING TO ME yet again, as always for you... try me again? THIS COMES UP AS PROOF (as well as another I have on YOU regarding using sources where YOU contradict yourself - want quotes of that too? ASK!)

          HOW ESPECIALLY EMBARRASSING FOR YOU with your NO-DOUBT self-upmodded by sockpuppet accounts of YOURSELF too - now that YOU have EGG ON YOUR FACE fucko!

          APK

          P.S.=> Do yourself a FAVOR - don't ever, EVER try me ever again OR I WILL MAKE SURE YOU SHIT ON YOURSELF yet again as always, easily... apk

        • (Score: -1, Spam) by Anonymous Coward on Tuesday June 21 2022, @05:50PM

          by Anonymous Coward on Tuesday June 21 2022, @05:50PM (#1254959)

          Guess what Dalek? YOU LOSE, hosts work vs. Symbiote C2 server(s) per this line from a MUCH better article than the one used here from bradley13 per "configuration in the binary that used the git[.]bancodobrasil[.]dev domain as its C2 server" from https://www.intezer.com/blog/research/new-linux-threat-symbiote/ [intezer.com] (INTEZER's now owned by Microsoft iirc as well).

          & did I block that in my original posts here https://soylentnews.org/comments.pl?noupdate=1&sid=49835&page=1&cid=1253504#commentwrap [soylentnews.org] on this BOGUS sockpuppet upmodding yourselves shithole website (which also noted FIREWALLS are invaluable here too, per wildcards (or even IP address use, URL domain/subdomain too in many as well)?

          YES I DID! I was correct...

          & YES, hosts work vs. this threat too stupid!

          FACT: hosts files block symbiote C2 servers which is all you really need to do to nullify their communication.

          FACT: Exfiltration isn't possible without orders either.

          FACT: Orders come from C2 servers!

          So YOU LOSE chump... a BETTER ARTICLE than what I used proves it for me!

          * THANKS FOR LOSING TO ME yet again, as always for you... try me again? THIS COMES UP AS PROOF (as well as another I have on YOU regarding using sources where YOU contradict yourself - want quotes of that too? ASK!)

          HOW ESPECIALLY EMBARRASSING FOR YOU with your NO-DOUBT self-upmodded by sockpuppet accounts of YOURSELF too - now that YOU have EGG ON YOUR FACE fucko!

          APK

          P.S.=> Do yourself a FAVOR - don't ever, EVER try me ever again OR I WILL MAKE SURE YOU SHIT ON YOURSELF yet again as always, easily... apk

  • (Score: 4, Insightful) by tangomargarine on Wednesday June 15 2022, @02:26PM (6 children)

    by tangomargarine (667) on Wednesday June 15 2022, @02:26PM (#1253424)

    "Does this Linux malware require you to run it as root to infect yourself?"

    “Instead of being a standalone executable file that is run to infect a machine, it is a shared object (SO) library that is loaded into all running processes using LD_PRELOAD (T1574.006), and parasitically infects the machine.”

    Once Symbiote has infected all the running processes, a threat actor can engage in various nefarious activity, including rootkit functionality, the ability to harvest credentials, and remote access capability, Kennedy said.

    In addition to the rootkit capability, the malware also provides a backdoor for the threat actor to log in as any user on the machine with a hardcoded password, and to execute commands with the highest privileges, he added.

    So how does somebody load a shared library on somebody else's machine? This isn't a compile-time attack, is it?

    Some evasive tactics it uses is that by design, it is loaded by the linker via the LD_PRELOAD directive, which allows it to be loaded before any other shared objects, researchers found. This privilege of being loaded first allows it to hijack the imports from the other library files loaded for the application, they said. In this way, it hides its presence on the machine by hooking libc and libpcap functions, Kennedy said.

    Attackers not only steal the credentials locally for access but also exfiltrate them by hex encoding and chunking up the data to be sent via DNS address record requests to a domain name that they control, he added.

    I'll give them this much--whoever designed this doesn't sound dumb.

    --
    "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
    • (Score: 2, Interesting) by Anonymous Coward on Wednesday June 15 2022, @08:13PM (2 children)

      by Anonymous Coward on Wednesday June 15 2022, @08:13PM (#1253495)

      tangomargarine, agreed 110% - I took a LONG read here on it https://blogs.blackberry.com/en/2022/06/symbiote-a-new-nearly-impossible-to-detect-linux-threat [blackberry.com] & the freak that wrote it DOES know his shit.

      * The entire PAM setup IS the main problem since this thing hooks libs and all processes running apparently. Doesn't matter if you recompile say, a module from (insert protection type here be it antirootkit, antivirus etc.) since it FINDS them in the existing process tree running lists. THAT & being able to alter PRELOAD...

      Heck, I'm STILL reading it & going "WoW"...

      APK

      P.S.=> Only thing I have going for me is that I blockout its sources for C&C/C2 it uses via hosts as I noted https://soylentnews.org/comments.pl?noupdate=1&sid=49835&page=1&cid=1253468#1253468 [soylentnews.org] which SHOULD keep me "proof" vs. sucking it in IN THE 1st PLACE - BUT I'd have to admit even my APK Hosts File Engine WOULD be possible to attack sort of by API dependencies (not itself directly as I run sizechecks in EVERY proc/function/subroutine it ever runs CHECKING ITSELF vs. infection as "oldschool" type viruses would do hooking into the tail end of your program & altering function jmp tables etc. BUT instead OS libraries in libc/glibc etc.) - So, yes, whoever wrote this? KNOWS THEIR SHIT @ a DEEP level of how OS in general work as well as their API - this is NOT GOOD - it is like when you have errors in your compilers you use in a way - the problem is the FUNDAMENTAL BUILDING BLOCKS that are used then too - correct me IF I am off/wrong here - but it sounds like an OS level issue in PAM & being able to hook API (which, you can & it does giving it some ROOT power to an extent which I haven't seen in usermode rootkits before @ least - all we can HOPE is that they PLUG the PRELOAD part really @ OS level on updates from Linux IF possible)... apk

      • (Score: 0) by Anonymous Coward on Wednesday June 15 2022, @08:32PM (1 child)

        by Anonymous Coward on Wednesday June 15 2022, @08:32PM (#1253502)

        This isn't the first use of LD_PRELOAD to do something malicious, eg. see https://security.stackexchange.com/q/63599 [stackexchange.com] - of course this use of it seems especially clever.

        I do wish the LD_ (and DT_ and probably other) environment variable handling was disabled by default, all the solutions given in that stackexchange answer (admittedly from a few years back) seem at best brittle.

        • (Score: 0) by Anonymous Coward on Thursday June 16 2022, @10:49AM

          by Anonymous Coward on Thursday June 16 2022, @10:49AM (#1253643)

          Compile your own program interpreter, with those disabled by default. Use it where you fear those kinds of attacks.
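The subthread above turns on the dynamic loader honouring LD_PRELOAD (and, though nobody names it here, the system-wide /etc/ld.so.preload file) so that an arbitrary shared object is mapped before libc. A defender's first question on a suspect host is simply which objects are being preloaded and from where. The script below is an added example, not code from the thread or from either research team: it parses both preload sources and flags objects that do not live under the usual library directories. `TRUSTED_LIB_DIRS`, the "bare name is untrusted" rule and the sample file and environment are constructed assumptions. One caveat straight from the article: Symbiote hooks libc functions to hide itself, so an inventory like this run on an already-infected host through the hooked libc can be lied to; trust it from a statically linked tool, a rescue boot, or a known-clean image, not from the live process tree alone.

```python
"""Inventory LD_PRELOAD use on a Linux host: entries in /etc/ld.so.preload and
LD_PRELOAD in the environment of running processes, flagging shared objects
outside the usual system library directories.

Added example, not code from the thread. TRUSTED_LIB_DIRS and the
"untrusted path" heuristic are assumptions for illustration; the sample
file and environment below are constructed.
"""
import os
import re
from typing import Dict, List

# Assumption: a preloaded object from anywhere else deserves a review.
TRUSTED_LIB_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64", "/usr/local/lib")


def parse_preload_file(text: str) -> List[str]:
    """Entries of an /etc/ld.so.preload file: whitespace-separated object
    paths; a '#' starts a comment that runs to end of line."""
    entries: List[str] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        entries.extend(line.split())
    return entries


def parse_environ(raw: bytes) -> Dict[str, str]:
    """Parse the NUL-separated KEY=VALUE block read from /proc/<pid>/environ."""
    env: Dict[str, str] = {}
    for item in raw.split(b"\0"):
        if b"=" in item:
            key, _, value = item.partition(b"=")
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def preload_from_environ(raw: bytes) -> List[str]:
    """LD_PRELOAD entries of a process; the loader accepts colon- or
    whitespace-separated lists."""
    value = parse_environ(raw).get("LD_PRELOAD", "")
    return [p for p in re.split(r"[\s:]+", value) if p]


def is_trusted_path(path: str) -> bool:
    """Absolute path under a trusted library directory. Bare names are
    resolved through the loader's search path, so they count as untrusted."""
    return any(path.startswith(d + "/") for d in TRUSTED_LIB_DIRS)


def assess(entries: List[str], source: str) -> List[Dict]:
    """One finding per preload entry, marking the untrusted ones."""
    return [{"source": source, "object": e, "trusted": is_trusted_path(e)}
            for e in entries]


def audit_host() -> List[Dict]:
    """Collect findings from the live system (Linux only; [] elsewhere)."""
    findings: List[Dict] = []
    try:
        with open("/etc/ld.so.preload") as fh:
            findings += assess(parse_preload_file(fh.read()), "/etc/ld.so.preload")
    except OSError:
        pass  # file absent, which is the normal state
    if os.path.isdir("/proc"):
        for pid in os.listdir("/proc"):
            if not pid.isdigit():
                continue
            try:
                with open(f"/proc/{pid}/environ", "rb") as fh:
                    raw = fh.read()
            except OSError:
                continue  # process gone, or not readable without privileges
            findings += assess(preload_from_environ(raw), f"/proc/{pid}/environ")
    return findings


# Constructed sample inputs (paths are placeholders, not real indicators).
SAMPLE_PRELOAD_FILE = "# constructed example\n/usr/lib/libexample.so /tmp/example-untrusted.so\n"
SAMPLE_ENVIRON = b"HOME=/root\0LD_PRELOAD=/tmp/example-untrusted.so:/usr/lib/libc.so.6\0PATH=/usr/bin\0"

if __name__ == "__main__":
    sample = (assess(parse_preload_file(SAMPLE_PRELOAD_FILE), "sample ld.so.preload")
              + assess(preload_from_environ(SAMPLE_ENVIRON), "sample environ"))
    for f in sample:
        print("ok     " if f["trusted"] else "REVIEW ", f["source"], f["object"])
    for f in audit_host():
        if not f["trusted"]:
            print("REVIEW ", f["source"], f["object"])
```

An object preloaded through /etc/ld.so.preload leaves nothing in any process environment, which is why both sources are read; /proc/<pid>/maps lists what is actually mapped and is the natural cross-check when the two disagree.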

    • (Score: 2) by arslan on Wednesday June 15 2022, @10:51PM (2 children)

      by arslan (3462) on Wednesday June 15 2022, @10:51PM (#1253533)

      NoMachine Workstation Subscription is installed on this machine

      NFS shares?

      • (Score: 2) by tangomargarine on Wednesday June 15 2022, @11:03PM (1 child)

        by tangomargarine (667) on Wednesday June 15 2022, @11:03PM (#1253539)

        Sorry, what is this in response to? How you'd get the library onto their machine?

        But then how do you get it added to the Windows equivalent of PATH or whatever so that it gets executed?

        --
        "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
        • (Score: 3, Informative) by arslan on Wednesday June 15 2022, @11:12PM

          by arslan (3462) on Wednesday June 15 2022, @11:12PM (#1253542)

          Sorry just noticed I quoted a paste for another chat - C&P fail on my end!

          Reading the blog, the malware relies on existing attacks using LD_PRELOAD for initial infection - so it's not inventing anything special there; ditto for initial delivery - it's not inventing anything new and relies on whatever's out there already. There's plenty of avenues to get a file onto a machine, sneak it into some open source libraries, nfs shares, usual email phishing, etc.

  • (Score: -1, Troll) by Anonymous Coward on Wednesday June 15 2022, @03:58PM

    by Anonymous Coward on Wednesday June 15 2022, @03:58PM (#1253440)

    0.0.0.0 caixa.wf
    0.0.0.0 git.bancodobrasil.dev
    0.0.0.0 bancodobrasil.dev
    0.0.0.0 ns1.cintepol.link
    0.0.0.0 ns2.cintepol.link
    0.0.0.0 cintepol.link
    0.0.0.0 assets.fans
    0.0.0.0 caixa.cx
    0.0.0.0 dpf.fm
    0.0.0.0 dev21.bancodobrasil.dev
    0.0.0.0 bancodobrasil.dev
    0.0.0.0 cctdcapllx0520.df.caixa.cx
    0.0.0.0 cctdcapllx0520.df.caixa.wf
    0.0.0.0 webfirewall.caixa.wf
    0.0.0.0 caixa.wf
    0.0.0.0 x3206.caixa.cx

    (Those are C2 servers etc. it uses & the entries in hosts you can use to stall symbiote on Linux)

    Additionally - I'd like to thank bradley13 above for the SECURITY ARTICLE I used to get those C&C servers from that Symbiote uses - these types of articles ARE what I referred to the other day regarding addons being crippled by JEWgle etc. AND how hosts are FAR BETTER & that you will end up returning to using hosts files due to JEWgle's bullshit (+ YES, hosts files &/or Firewall rules are invaluable IF you want to REALLY PROTECT YOUR MACHINES from threats online!)

    * That's RIGHT - AND just like I pointed out a HUGE ADVANTAGE hosts files have over your soon to be useless adblocker addons for browsers (in slower less efficient usermode - with tests that PROVE that too) right-off-the-bat @ the START of my post you ASSHOLES here allowed to be DOWNMODERATED a few days ago here https://soylentnews.org/comments.pl?noupdate=1&sid=49747&page=1&cid=1252547#commentwrap [soylentnews.org] ?

    So what did I point out hosts files do there besides everything browser addons do blocking ads BUT ALSO blocking malware/trackers/scripts/ads & more in their communications back to the invaders??

    The FACT that GOOD complete hosts files (like mine, 10 million entries strong to date since 1997) BLOCK & NULLIFY communication to malware C&C servers (C2) or sources of them coming INTO your system along with blocking other threats like trackers/ads/scripts that also tear up your CPU time, memory, messagepassing AND ELECTRICITY BILL just running them (something MANY overlook - since in the "olden days" you had ISAPI/NSAPI libs or C programs running server-side to do that - the 'powers that be' SUCKERED You THAT WAY too).

    Browser addons do NOT do that & though uBlock uses hosts? I doubt THEIR LISTS cover these things (as most hosts files don't & are concerned MOSTLY with just adblocking) - my hosts file does due to the FACT I look over security articles everyday for the purpose of defense vs. threats like THIS ONE & tons of others.

    Going to "downmod this" too, assholes? I bet you will... fuck you all.

    APK

    P.S.=> Others here did a few good posts too pointing out proc scannings & that this is basically NT type DLL injection via PRELOAD noted above by many - SO - they are NOT the ASSHOLES I refer to above that INFEST THIS PLACE truly INFECTING IT with sockpuppetry & bogus downmods like I got the other day in the link above & TONS of others times!

    Other than those doing what I noted above? Hey, admit it TO YOURSELVES:

    What a pack of FUCKING UTTER WEASELS you have around here!

    (ESPECIALLY including your owners & moderators who block my IP address & say my "hosts posts are bad" OR "spam" when they are TOTALLY USEFUL on TONS of levels - fuck you pricks)... apk

  • (Score: -1, Spam) by Anonymous Coward on Wednesday June 15 2022, @04:55PM

    by Anonymous Coward on Wednesday June 15 2022, @04:55PM (#1253453)

    0.0.0.0 caixa.wf
    0.0.0.0 git.bancodobrasil.dev
    0.0.0.0 bancodobrasil.dev
    0.0.0.0 ns1.cintepol.link
    0.0.0.0 ns2.cintepol.link
    0.0.0.0 cintepol.link
    0.0.0.0 assets.fans
    0.0.0.0 caixa.cx
    0.0.0.0 dpf.fm
    0.0.0.0 dev21.bancodobrasil.dev
    0.0.0.0 bancodobrasil.dev
    0.0.0.0 cctdcapllx0520.df.caixa.cx
    0.0.0.0 cctdcapllx0520.df.caixa.wf
    0.0.0.0 webfirewall.caixa.wf
    0.0.0.0 x3206.caixa.cx

    (Those are C2 servers etc. it uses & the entries in hosts you can use to stall symbiote on Linux)

    Additionally - I'd like to thank bradley13 above for the SECURITY ARTICLE I used to get those C&C servers from that Symbiote uses - these types of articles ARE what I referred to the other day regarding addons being crippled by JEWgle etc. AND how hosts are FAR BETTER & that you will end up returning to using hosts files due to JEWgle's bullshit (+ YES, hosts files &/or Firewall rules are invaluable IF you want to REALLY PROTECT YOUR MACHINES from threats online!)

    * That's RIGHT - AND just like I pointed out a HUGE ADVANTAGE hosts files have over your soon to be useless adblocker addons for browsers (in slower less efficient usermode - with tests that PROVE that too) right-off-the-bat @ the START of my post you ASSHOLES here allowed to be DOWNMODERATED a few days ago here https://soylentnews.org/comments.pl?noupdate=1&sid=49747&page=1&cid=1252547#commentwrap [soylentnews.org] ?

    So what did I point out hosts files do there besides everything browser addons do blocking ads BUT ALSO blocking malware/trackers/scripts/ads & more in their communications back to the invaders??

    The FACT that GOOD complete hosts files (like mine, 10 million entries strong to date since 1997) BLOCK & NULLIFY communication to malware C&C servers (C2) or sources of them coming INTO your system along with blocking other threats like trackers/ads/scripts that also tear up your CPU time, memory, message passing AND ELECTRICITY BILL just running them (something MANY overlook - since in the "olden days" you had ISAPI/NSAPI libs or C programs running server-side to do that - the 'powers that be' SUCKERED You THAT WAY too).

    Browser addons do NOT do that & though uBlock uses hosts? I doubt THEIR LISTS cover these things (as most hosts files don't & are concerned MOSTLY with just adblocking) - my hosts file does due to the FACT I look over security articles every day for the purpose of defense vs. threats like THIS ONE & tons of others.

    Going to "downmod this" too, assholes? I bet you will... fuck you all.

    APK

    P.S.=> Others here did a few good posts too pointing out proc scannings & that this is basically NT type DLL injection via PRELOAD noted above by many - SO - they are NOT the ASSHOLES I refer to above that INFEST THIS PLACE truly INFECTING IT with sockpuppetry & bogus downmods like I got the other day in the link above & TONS of other times!

    Other than those doing what I noted above? Hey, admit it TO YOURSELVES:

    What a pack of FUCKING UTTER WEASELS you have around here!

    (ESPECIALLY including your owners & moderators who block my IP address & say my "hosts posts are bad" OR "spam" when they are TOTALLY USEFUL on TONS of levels - fuck you pricks)... apk
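As an added illustration (not code from the post, nor from BlackBerry's or Intezer's tooling), here is a small Python helper that turns the indicator list posted above into hosts-file lines and audits an existing hosts file against it; it also accepts the defanged `git[.]bancodobrasil[.]dev` spelling quoted from Intezer further down the thread. The domain list is the one in the post; the sample hosts file, the audit rules and all function names are assumptions made for the example. It makes three checks a practitioner would want before relying on this control: hosts(5) matches exact names only, so a `caixa.cx` line does not cover `x3206.caixa.cx` and every subdomain needs its own entry (suffix blocking is what the firewall wildcard the post mentions is for); a `0.0.0.0` line only answers the IPv4 lookup, so an IPv6-capable resolver also needs a `::` line per name (the IPv6 point janrinok raises below); and the hosts file is read by each process's own libc resolver, so on a host where a preloaded library already hooks libc the file's effect cannot be verified from inside that host, which is why the same list is better enforced at a known-clean upstream resolver or firewall.

```python
"""Hosts-file blocklist helper for the Symbiote indicator domains.

Added illustration: the domain list is copied from the post above; the
sample hosts file, the audit rules and every function name are assumed for
the example and are not from BlackBerry, Intezer or the poster's own tooling.
"""
import ipaddress
from typing import Dict, Iterable, List, Set

# Indicator domains exactly as posted (one of them is listed twice there).
POSTED_DOMAINS = [
    "caixa.wf", "git.bancodobrasil.dev", "bancodobrasil.dev",
    "ns1.cintepol.link", "ns2.cintepol.link", "cintepol.link",
    "assets.fans", "caixa.cx", "dpf.fm", "dev21.bancodobrasil.dev",
    "bancodobrasil.dev",
    "cctdcapllx0520.df.caixa.cx", "cctdcapllx0520.df.caixa.wf",
    "webfirewall.caixa.wf", "x3206.caixa.cx",
]

NULL_V4 = "0.0.0.0"   # answers A lookups only
NULL_V6 = "::"        # needed as well, or AAAA lookups still go out to DNS


def refang(name: str) -> str:
    """Accept the defanged 'git[.]bancodobrasil[.]dev' form used in write-ups."""
    return name.replace("[.]", ".").strip().lower().rstrip(".")


def normalize(domains: Iterable[str]) -> List[str]:
    """Refang, drop blanks and duplicates, sort for a stable diff."""
    return sorted({refang(d) for d in domains if d.strip()})


def hosts_entries(domains: Iterable[str]) -> str:
    """Render hosts(5) lines: one per name and per address family. Hosts
    files match exact names only, so each subdomain gets its own lines."""
    lines = ["# Symbiote indicator domains (exact names, no wildcards)"]
    for d in normalize(domains):
        lines.append(f"{NULL_V4} {d}")
        lines.append(f"{NULL_V6} {d}")
    return "\n".join(lines) + "\n"


def parse_hosts(text: str) -> Dict[str, Set[str]]:
    """Parse hosts(5) text into {name: {addresses}}; comments and aliases ok."""
    table: Dict[str, Set[str]] = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        addr, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue                      # malformed line: skip, do not crash
        for n in names:
            table.setdefault(n.lower(), set()).add(addr)
    return table


def is_sinkhole(addr: str) -> bool:
    """0.0.0.0, :: and loopback are sinkholes; anything else is a real target."""
    ip = ipaddress.ip_address(addr)
    return ip.is_unspecified or ip.is_loopback


def audit(hosts_text: str, domains: Iterable[str]) -> Dict[str, List[str]]:
    """Classify each indicator against a hosts file:
    blocked  - sinkholed for both IPv4 and IPv6
    partial  - sinkholed for one family only (the other lookup still leaks)
    hijacked - mapped to a real address, which the resolver would honour
    missing  - no exact-name entry (a parent-domain line does not count)
    """
    table = parse_hosts(hosts_text)
    out: Dict[str, List[str]] = {"blocked": [], "partial": [], "hijacked": [], "missing": []}
    for d in normalize(domains):
        addrs = table.get(d, set())
        if not addrs:
            out["missing"].append(d)
        elif any(not is_sinkhole(a) for a in addrs):
            out["hijacked"].append(d)
        else:
            families = {ipaddress.ip_address(a).version for a in addrs}
            out["blocked" if families == {4, 6} else "partial"].append(d)
    return out


# Constructed hosts file for the demo: a parent-only line, one complete
# entry, and one name pointed at a TEST-NET address (a hijack, not an IOC).
SAMPLE_HOSTS = """127.0.0.1 localhost
0.0.0.0 caixa.cx              # x3206.caixa.cx is NOT covered by this
0.0.0.0 git.bancodobrasil.dev
::      git.bancodobrasil.dev
203.0.113.5 dpf.fm            # hijacking entry, constructed for the demo
"""

if __name__ == "__main__":
    print(hosts_entries(POSTED_DOMAINS))
    for state, names in audit(SAMPLE_HOSTS, POSTED_DOMAINS).items():
        print(f"{state:8s} {names}")
```

Run it as a script to print the generated entries and the audit of the constructed sample; against a real system, feed `audit()` the contents of `/etc/hosts` read on a machine you trust, not the one you suspect is carrying the implant.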

  • (Score: -1, Spam) by Anonymous Coward on Wednesday June 15 2022, @06:30PM (1 child)

    by Anonymous Coward on Wednesday June 15 2022, @06:30PM (#1253468)


    • (Score: -1, Troll) by Anonymous Coward on Wednesday June 15 2022, @06:32PM

      by Anonymous Coward on Wednesday June 15 2022, @06:32PM (#1253469)

      A pleasure sending a DEMON back to HELL, lol EASILY https://soylentnews.org/comments.pl?noupdate=1&sid=49835&page=1&cid=1253466#commentwrap [soylentnews.org]

      * BOYS, you are messing with TRULY "The LORD of HOSTS" & demons like you? ALWAYS FAIL!

      APK

      P.S.=> Gotta give maxwell demon credit though - @ least HE had some sort of wannabe creativity (failed anyhow)... apk

  • (Score: 0) by Anonymous Coward on Wednesday June 15 2022, @06:36PM

    by Anonymous Coward on Wednesday June 15 2022, @06:36PM (#1253471)
  • (Score: -1, Spam) by Anonymous Coward on Wednesday June 15 2022, @08:15PM

    by Anonymous Coward on Wednesday June 15 2022, @08:15PM (#1253497)


  • (Score: -1, Spam) by Anonymous Coward on Wednesday June 15 2022, @08:56PM (4 children)

    by Anonymous Coward on Wednesday June 15 2022, @08:56PM (#1253504)


    • (Score: -1, Troll) by Anonymous Coward on Wednesday June 15 2022, @09:01PM (3 children)

      by Anonymous Coward on Wednesday June 15 2022, @09:01PM (#1253506)

      Why are the people here minus moderating you? I caught your post to tangomargarine and you have a point https://soylentnews.org/comments.pl?noupdate=1&sid=49835&page=1&cid=1253495#commentwrap [soylentnews.org], and nobody else here on this site is even coming close to what seems like a logical solution from you: blocking sources of this attack in addition to the servers it uses, which would stop it stealing information out of any system by stopping communication, by black-holing the rootkit C2 servers. You noted it does not attack hosts, so you are correct I think https://soylentnews.org/comments.pl?noupdate=1&sid=49835&page=1&cid=1253466#commentwrap [soylentnews.org]

      • (Score: 0, Spam) by Anonymous Coward on Wednesday June 15 2022, @09:16PM (2 children)

        by Anonymous Coward on Wednesday June 15 2022, @09:16PM (#1253512)

        It's because I tell facts on things on this site. A lot of "dirty pool" goes on around here which I noted in the post you originally replied to.

        On a guess due to what I stated (just facts even the admins here admit, janrinok in particular noting he has equated a sockpuppet named unionrep to an AC poster - how would HE know that unless he logged IP addresses used by posters, especially registered ones? Ask yourself that).

        No It's probably not the posters here replying (well, maybe maxwell demon per https://soylentnews.org/comments.pl?noupdate=1&sid=49835&page=1&cid=1253466#commentwrap [soylentnews.org] my putting him away with ease regarding this particular rootkit).

        I mean tangomargarine is solid so I replied in kind asking things as even I don't know it all.

        Again/However I think it is the owners &/or admins that can't stand what I wrote. Read my original post closely. It goes on everywhere online.

        * You can try help out like I do but scumbags are scumbags. Their loss. Not mine. I did what I think and you too apparently, will work.

        APK

        P.S.=> Onwards & upwards @ this point - they won't stop but then, neither will I - IF I have to I will "fireup" another creation of mine called CYBERIAN TIGER & it will run them DRY of "downmodpoints" but it won't work (well, it will but they will just keep downmodding even IF/WHEN I have a good answer as I do per your statements even) vs. admins here (they have unlimited downmod)... apk

        • (Score: 3, Informative) by janrinok on Thursday June 16 2022, @04:58AM

          by janrinok (52) Subscriber Badge on Thursday June 16 2022, @04:58AM (#1253582) Journal

          On a guess due to what I stated (just facts even the admins here admit, janrinok in particular noting he has equated a sockpuppet named unionrep to an AC poster - how would HE know that unless he logged IP addresses used by posters, especially registered ones? Ask yourself that).

          You are not very bright, are you? It is how the internet works. We have to know the return IP address so that we can respond to your browser. But we don't store them. We store hashes of IP addresses. We have to store them because that is how we reconstruct pages showing the comments and moderations for all of our stories going back to 2014. Every story, comment, moderation, every password has a hash. (You wouldn't want us to know your password or to store them in clear in the database, would you?) It is how databases work. We could use table index numbers, hashes, the IP addresses themselves (which the very early slashdot code did!) or random strings - but they would still link data items together in relationships.

          Now it used to be that one could use a rainbow table to convert IP hashes back to IPs - have you tried doing that with IPv6? It would take billions of years to even create such a table assuming that you had enough computing power and storage space for the results.

          My internet provider's network is all IPv6 nowadays. How come your host file doesn't use them? How do you block IPv6 addresses? Ah, your solution was not even good a decade or so back but now it is almost a museum piece. Have you made sure that it can cope with stone tablets or cave drawings as well? It must be great living in a technologically advanced nation.

          Going back to 2015, where NCommander wrote:

          Rehash 15.05 - What's New

          • Rewrote large amounts of the site to migrate to Apache 2, mod_perl 2, and perl 5.20.
            This was a massive undertaking. I did a large part of the initial work, but paulej72, and TheMightyBuzzard did lots to help fix a lot of the lingering issues. Major props to Bytram for catching many of the bugs pre-release
          • Nexus Support (finally).
            Currently we have the Meta and Breaking News nexii, with the possibility of adding more in the future, such as a Freshmeat replacement.
            Nexii can be filtered in the user control panel under the Homepage tab. At the moment, this functionality is hosed due to unexpected breakage, but should be functional within the next 24-48 hours
          • IPv6 support - the AAAA record is live as we speak
          • Themes can be attached to a nexus independent of the "primary theme" setting; user choice overrides this [...]
        • (Score: 1, Insightful) by Anonymous Coward on Friday June 17 2022, @05:41PM

          by Anonymous Coward on Friday June 17 2022, @05:41PM (#1254036)

          It is because of your NEED to inject racism into every post along with your spammy self promotion stuff. Get fucked you hate filled bigot.

  • (Score: 0) by Anonymous Coward on Wednesday June 15 2022, @11:43PM

    by Anonymous Coward on Wednesday June 15 2022, @11:43PM (#1253550)

    so .. this will allow to right-click on youtube videos in firefox to downlo...err... liberate them from local RAM to local HDD then? or push "PrtScr" key when watching netflix to get a local copy?

  • (Score: -1, Spam) by Anonymous Coward on Thursday June 16 2022, @12:16AM

    by Anonymous Coward on Thursday June 16 2022, @12:16AM (#1253556)


  • (Score: -1, Spam) by Anonymous Coward on Tuesday June 21 2022, @04:36PM

    by Anonymous Coward on Tuesday June 21 2022, @04:36PM (#1254941)

    Guess what Dalek? YOU LOSE, hosts work vs. Symbiote C2 server(s) per this line from a MUCH better article than the one used here from bradley13 per "configuration in the binary that used the git[.]bancodobrasil[.]dev domain as its C2 server" from https://www.intezer.com/blog/research/new-linux-threat-symbiote/ [intezer.com] (INTEZER's now owned by Microsoft iirc as well).

    & did I block that in my original posts here https://soylentnews.org/comments.pl?noupdate=1&sid=49835&page=1&cid=1253504#commentwrap [soylentnews.org] on this BOGUS sockpuppet upmodding yourselves shithole website (which also noted FIREWALLS are invaluable here too, per wildcards (or even IP address use, URL domain/subdomain too in many as well)?

    YES I DID! I was correct...

    & YES, hosts work vs. this threat too stupid!

    FACT: hosts files block symbiote C2 servers which is all you really need to do to nullify their communication.

    Exfiltration isn't possible without orders either.

    Orders come from C2 servers!

    So YOU LOSE chump... a BETTER ARTICLE than what I used proves it for me!

    * THANKS FOR LOSING TO ME yet again, as always for you... try me again? THIS COMES UP AS PROOF (as well as another I have on YOU regarding using sources where YOU contradict yourself - want quotes of that too? ASK!)

    HOW ESPECIALLY EMBARRASSING FOR YOU with your NO-DOUBT self-upmodded by sockpuppet accounts of YOURSELF too - now that YOU have EGG ON YOUR FACE fucko!

    APK

    P.S.=> Do yourself a FAVOR - don't ever, EVER try me ever again OR I WILL MAKE SURE YOU SHIT ON YOURSELF yet again as always, easily... apk

  • (Score: -1, Spam) by Anonymous Coward on Tuesday June 21 2022, @04:42PM

    by Anonymous Coward on Tuesday June 21 2022, @04:42PM (#1254943)


  • (Score: -1, Spam) by Anonymous Coward on Tuesday June 21 2022, @07:02PM

    by Anonymous Coward on Tuesday June 21 2022, @07:02PM (#1255002)

    Guess what Dalek? YOU LOSE, hosts work vs. Symbiote C2 server(s) per this line from a MUCH better article than the one used here from bradley13 per "configuration in the binary that used the git[.]bancodobrasil[.]dev domain as its C2 server" from https://www.intezer.com/blog/research/new-linux-threat-symbiote/ [intezer.com] (INTEZER's now owned by Microsoft iirc as well).

    & did I block that in my original posts here https://soylentnews.org/comments.pl?noupdate=1&sid=49835&page=1&cid=1253504#commentwrap [soylentnews.org] on this BOGUS sockpuppet upmodding yourselves shithole website (which also noted FIREWALLS are invaluable here too, per wildcards (or even IP address use, URL domain/subdomain too in many as well)?

    YES I DID! I was correct...

    & YES, hosts work vs. this threat too stupid!

    FACT: hosts files block symbiote C2 servers which is all you really need to do to nullify their communication.

    FACT: Exfiltration isn't possible without orders either.

    FACT: Orders come from C2 servers!

    So YOU LOSE chump... a BETTER ARTICLE than what I used proves it for me!

    * THANKS FOR LOSING TO ME yet again, as always for you... try me again? THIS COMES UP AS PROOF (as well as another I have on YOU regarding using sources where YOU contradict yourself - want quotes of that too? ASK!)

    HOW ESPECIALLY EMBARRASSING FOR YOU with your NO-DOUBT self-upmodded by sockpuppet accounts of YOURSELF too - now that YOU have EGG ON YOUR FACE fucko!

    APK

    P.S.=> Do yourself a FAVOR - don't ever, EVER try me ever again OR I WILL MAKE SURE YOU SHIT ON YOURSELF yet again as always, easily... apk

  • (Score: 0) by Anonymous Coward on Tuesday June 21 2022, @07:13PM

    by Anonymous Coward on Tuesday June 21 2022, @07:13PM (#1255005)

