from the nearly-impossible-is-slightly-possible dept.
Linux Malware Deemed 'Nearly Impossible' to Detect:
Symbiote, discovered in November, parasitically infects running processes so it can steal credentials, gain rootkit functionality and install a backdoor for remote access.
A new Linux malware that's "nearly impossible to detect" can harvest credentials and gives attackers remote access and rootkit functionality by acting in a parasitic way to infect targets, researchers said.
Researchers from The BlackBerry Research and Intelligence Team have been tracking the malware, the earliest detection of which is from November 2021, security researcher Joakim Kennedy wrote in a blog post on the BlackBerry Threat Vector Blog published last week.
Researchers have appropriately dubbed the malware—which apparently was written to target the financial sector in Latin America—"Symbiote." In biology, the word means an organism that lives in symbiosis with another organism.
"What makes Symbiote different ... is that it needs to infect other running processes to inflict damage on infected machines," he wrote. "Instead of being a standalone executable file that is run to infect a machine, it is a shared object (SO) library that is loaded into all running processes using LD_PRELOAD (T1574.006), and parasitically infects the machine."
Once Symbiote has infected all the running processes, a threat actor can engage in various nefarious activities, including rootkit functionality, credential harvesting, and remote access, Kennedy said.
In addition to the rootkit capability, the malware also provides a backdoor for the threat actor to log in as any user on the machine with a hardcoded password, and to execute commands with the highest privileges, he added.
[...] One of its evasive tactics is that, by design, it is loaded by the linker via the LD_PRELOAD directive, which allows it to be loaded before any other shared objects, researchers found. Being loaded first allows it to hijack the imports from the other library files loaded for the application, they said. In this way, it hides its presence on the machine by hooking libc and libpcap functions, Kennedy said.
"Once the malware has infected a machine, it hides itself and any other malware used by the threat actor, making infections very hard to detect," he explained. "Performing live forensics on an infected machine may not turn anything up since all the file, processes, and network artifacts are hidden by the malware."
In fact, researchers said they themselves could not uncover enough evidence to determine whether threat actors are currently using Symbiote "in highly targeted or broad attacks," he said.
Unusual DNS requests may be one way to detect if the malware is present on a system, researchers noted. However, typical antivirus or other security tools aimed at endpoint detection and response won't pick up Symbiote, making organizations using Linux that rely on those protections at risk, they said.
(Score: 2) by MIRV888 on Wednesday June 15, @05:39AM (4 children)
I am not a Linux expert. Is the level of sophistication being seen in a lot of these modern viruses something a small group of individuals can do? Or would this require state level support in order to code?
(Score: 5, Informative) by Anonymous Coward on Wednesday June 15, @06:27AM (1 child)
What is being described in the article is not very sophisticated at all, it's a trivial implementation of a well-known class of attacks known as DLL injections which are also viable on NT kernels as you might suspect from the name. The wikipedia article [wikipedia.org] even describes how the LD_PRELOAD technique works.
(Score: 2) by hopdevil on Wednesday June 15, @04:52PM
+1... this is a well known technique, nothing new or particularly interesting.
(Score: 2, Insightful) by Anonymous Coward on Wednesday June 15, @02:16PM (1 child)
Almost nothing requires state level support to code.
(Score: 2) by turgid on Wednesday June 15, @09:45PM
And anything coded at the state level is likely to be 30 years behind the state of the art, over budget, late and broken. But a government crony will have siphoned off a lot of money for the contract. So taxpayers' money will not have been wasted. Or something.
I refuse to engage in a battle of wits with an unarmed opponent [wikipedia.org].
(Score: 2, Insightful) by Anonymous Coward on Wednesday June 15, @06:01AM (2 children)
It's not even a kernel module? You can look for the LD_PRELOAD variable in /proc/$pid/environ.
Even if the rootkit cleans up its environment, a scanner should be able to fork a process in trace mode, like a debugger would, and read the environment before it has a chance to clean it up. If the rootkit wants to stay hidden, it has to inject itself into every process, so the scanner doesn't even have to find a special process to investigate.
User mode rootkits are always a question of "did they think about this way of finding them" and they always miss something. I remember one that had a modified 'ls' that wouldn't show itself, but it didn't hide from 'echo *'.
This might have been high tech 20 years ago but user mode rootkits are kind of passe now.
(Score: 5, Insightful) by sjames on Wednesday June 15, @09:42AM (1 child)
A static binary could easily detect it. No LD, no PRELOAD, no cleanup.
(Score: 2) by turgid on Wednesday June 15, @09:40PM
That's what they invented /sbin for just in case it's not clear to the newbies.
I refuse to engage in a battle of wits with an unarmed opponent [wikipedia.org].
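The /proc/$pid/environ check from the post above and sjames' point about a static binary, put together as an added example (this is not BlackBerry's code and nothing from the Symbiote sample): a statically linked C scanner that reads each process's environ for LD_PRELOAD, reads its maps for shared objects mapped from outside the system library directories (a signal that survives a process scrubbing its own environment), and reports a non-empty /etc/ld.so.preload, the root-writable file the loader applies to every dynamically linked program. The trusted-root list, the function names and the /dev/shm path used in the comments are this example's own assumptions, not indicators from the report.

```c
/* preload_scan.c: ld.so preloading evidence from /proc and /etc. Added example
 * for this thread, not BlackBerry's or the Symbiote code. Link it statically so
 * the scanner has no dynamic loader for LD_PRELOAD or /etc/ld.so.preload to push
 * a hooking library into:   gcc -static -O2 -Wall -o preload_scan preload_scan.c */
#include <ctype.h>
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
static const char *const ROOTS[] = {"/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/", NULL};

/* environ is NUL-separated KEY=VALUE records. Copies LD_PRELOAD's value to
 * out and returns 1 if it is set and non-empty, else 0. */
int environ_has_preload(const char *buf, size_t len, char *out, size_t outlen)
{
    const char *key = "LD_PRELOAD=";
    size_t klen = strlen(key);
    for (size_t i = 0; i < len; ) {
        const char *rec = buf + i, *nul = memchr(rec, '\0', len - i);
        size_t n = nul ? (size_t)(nul - rec) : len - i;
        if (n > klen && memcmp(rec, key, klen) == 0) {
            snprintf(out, outlen, "%.*s", (int)(n - klen), rec + klen);
            return 1;
        }
        i += n + 1;
    }
    return 0;
}

/* maps is /proc/<pid>/maps text. Counts distinct file-backed shared objects
 * outside roots[] (NULL-terminated prefixes) and copies the first to out. A
 * library dropped into /usr/lib itself is not caught; verify packages for that. */
int maps_untrusted_libs(const char *maps, const char *const *roots, char *out, size_t outlen)
{
    char cur[4096], last[4096] = "";
    int found = 0;
    for (const char *line = maps; *line; ) {
        const char *nl = strchr(line, '\n'), *end = nl ? nl : line + strlen(line);
        const char *path = memchr(line, '/', (size_t)(end - line)); /* fields 1-5 hold no '/' */
        if (path) {
            int trusted = 0;
            snprintf(cur, sizeof cur, "%.*s", (int)(end - path), path);
            for (const char *const *r = roots; *r && !trusted; r++)
                trusted = strncmp(cur, *r, strlen(*r)) == 0;
            if (strstr(cur, ".so") && !trusted && strcmp(cur, last) != 0) {
                if (found++ == 0) snprintf(out, outlen, "%s", cur);
                snprintf(last, sizeof last, "%s", cur);
            }
        }
        if (!nl) break;
        line = nl + 1;
    }
    return found;
}

/* In a static binary open/read are direct syscalls: no PLT slot to hook. */
static ssize_t read_file(const char *path, char *buf, size_t buflen)
{
    int fd = open(path, O_RDONLY);
    ssize_t n, total = 0;
    if (fd < 0) return -1;
    while ((n = read(fd, buf + total, buflen - 1 - total)) > 0) total += n;
    close(fd);
    buf[total] = '\0';
    return total;
}

/* Walk procroot (normally /proc); reading another user's environ needs root. */
int scan_proc(const char *procroot)
{
    static char buf[1 << 20];
    char val[4096], path[512];
    struct dirent *de;
    int hits = 0;
    DIR *d = opendir(procroot);
    if (!d) return -1;
    while ((de = readdir(d)) != NULL) {
        if (!isdigit((unsigned char)de->d_name[0])) continue;
        snprintf(path, sizeof path, "%s/%s/environ", procroot, de->d_name);
        ssize_t n = read_file(path, buf, sizeof buf);
        if (n > 0 && environ_has_preload(buf, (size_t)n, val, sizeof val))
            printf("pid %s: LD_PRELOAD=%s\n", de->d_name, val), hits++;
        snprintf(path, sizeof path, "%s/%s/maps", procroot, de->d_name);
        if (read_file(path, buf, sizeof buf) > 0 && maps_untrusted_libs(buf, ROOTS, val, sizeof val) > 0)
            printf("pid %s: shared object outside trusted roots: %s\n", de->d_name, val), hits++;
    }
    closedir(d);
    return hits;
}

int main(void)
{
    char first[4096];   /* /etc/ld.so.preload is root-writable and hits every dynamic program */
    if (read_file("/etc/ld.so.preload", first, sizeof first) > 0 && first[0] != '\n')
        printf("/etc/ld.so.preload: %s\n", first);
    return scan_proc("/proc") > 0;   /* non-zero exit when anything was flagged */
}
```

Build with gcc -static and run it as root, since reading another user's environ needs ptrace access. A static binary has no dynamic loader, so neither LD_PRELOAD nor ld.so.preload can get a library into it, and its open/read/readdir calls do not go through PLT entries a preloaded library could have hooked; a user-mode hook like the one described cannot change what the kernel returns from /proc. The maps check misses a library planted directly under /usr/lib, which is where a package verification (dpkg -V, rpm -Va) from known-good media comes in, and none of this helps against a kernel-mode rootkit.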
(Score: 3, Informative) by bradley13 on Wednesday June 15, @06:24AM (1 child)
For those interested, here is the original post, with lots of technical details. [blackberry.com]
Everyone is somebody else's weirdo.
(Score: 1, Insightful) by Anonymous Coward on Wednesday June 15, @09:17AM
I'm a bit of a noob, but as a test couldn't you rename some innocuous little program so that it shows up as a process named one of the above and then see if it disappears from the listings?
(Score: 5, Insightful) by Anonymous Coward on Wednesday June 15, @07:28AM (5 children)
A small bit of technical sophistication makes the worm "nearly impossible to detect" in the world of fat lazy "anti-malware" makers accustomed to dumb malware written by ignorant idiots. Pathetic, really.
Library injection is a thing. A very, VERY old thing. WHY do we have anti-malware using libc instead of syscalls for its core functions?
https://blogs.blackberry.com/en/2022/06/symbiote-a-new-nearly-impossible-to-detect-linux-threat [blackberry.com] :
And this is why Slackware had not been having PAM until 2020. Until the damn KDE has forced Patrick's hand at last. :(
https://alien.slackbook.org/blog/slackware-introduces-pam-into-its-core/ [slackbook.org] :
Reads quite ironic now, given the above revelation, doesn't it?
(Score: 0) by Anonymous Coward on Wednesday June 15, @08:49AM (1 child)
The machine needs to be compromised first before the PAM hooks can be installed. So this isn't an attack vector, it's just another method to install a backdoor on an already pwned machine.
(Score: 0) by Anonymous Coward on Wednesday June 15, @11:06AM
Malware dependent on PAM cannot function on a system lacking PAM. And this "Symbiote" is far from the first such malware. I.e. the presence of PAM makes the system vulnerable to a whole extra class of malware.
Having one's system incompatible, in some way, with a run-of-the-mill worm is a MUCH better protection than the whack-a-mole game with "attack vectors". Essentially, that defeats all the large-scale malware epidemics, leaving only targeted attacks as thing to be feared. And when your system is not valuable enough to merit spending time and effort on pwning it specifically, the incompatibility is a near perfect shield.
(Score: 0) by Anonymous Coward on Wednesday June 15, @11:30AM (2 children)
It hooks the kernel functions in the syscall table, not just libc. It's not that easy. But as a user mode rootkit, there are always going to be ways to spot it.
(Score: 0) by Anonymous Coward on Wednesday June 15, @12:50PM (1 child)
What, exactly, told you that? Not a single peep about the syscall table in the in-depth article, nor in TFA.
(Score: 0) by Anonymous Coward on Wednesday June 15, @03:48PM
It's in the researchers' blog post.
(Score: -1, Flamebait) by Anonymous Coward on Wednesday June 15, @01:53PM (11 children)
0.0.0.0 caixa.wf
0.0.0.0 git.bancodobrasil.dev
0.0.0.0 bancodobrasil.dev
0.0.0.0 ns1.cintepol.link
0.0.0.0 ns2.cintepol.link
0.0.0.0 cintepol.link
0.0.0.0 assets.fans
0.0.0.0 caixa.cx
0.0.0.0 dpf.fm
0.0.0.0 dev21.bancodobrasil.dev
0.0.0.0 bancodobrasil.dev
0.0.0.0 cctdcapllx0520.df.caixa.cx
0.0.0.0 cctdcapllx0520.df.caixa.wf
0.0.0.0 webfirewall.caixa.wf
0.0.0.0 caixa.wf
0.0.0.0 x3206.caixa.cx
(Those are C2 servers etc. it uses & the entries in hosts you can use to stall symbiote on Linux)
Additionally - I'd like to thank bradley13 above for the SECURITY ARTICLE I used to get those C&C servers from that Symbiote uses - these types of articles ARE what I referred to the other day regarding addons being crippled by JEWgle etc. AND how hosts are FAR BETTER & that you will end up returning to using hosts files due to JEWgle's bullshit (+ YES, hosts files &/or Firewall rules are invaluable IF you want to REALLY PROTECT YOUR MACHINES from threats online!)
* That's RIGHT - AND just like I pointed out a HUGE ADVANTAGE hosts files have over your soon to be useless adblocker addons for browsers (in slower less efficient usermode - with tests that PROVE that too) right-off-the-bat @ the START of my post you ASSHOLES here allowed to be DOWNMODERATED a few days ago here https://soylentnews.org/comments.pl?noupdate=1&sid=49747&page=1&cid=1252547#commentwrap [soylentnews.org] ?
So what did I point out hosts files do there besides everything browser addons do blocking ads BUT ALSO blocking malware/trackers/scripts/ads & more in their communications back to the invaders??
The FACT that GOOD complete hosts files (like mine, 10 million entries strong to date since 1997) BLOCK & NULLIFY communication to malware C&C servers (C2).
Browser addons do NOT do that & though uBlock uses hosts? I doubt THEIR LISTS cover these things (as most hosts files don't & are concerned MOSTLY with just adblocking) - my hosts file does due to the FACT I look over security articles everyday for the purpose of defense vs. threats like THIS ONE & tons of others.
Going to "downmod this" too, assholes? I bet you will... fuck you all.
APK
P.S.=> Others here did a few good posts too pointing out proc scannings & that this is basically NT type DLL injection via PRELOAD noted above by many - SO - they are NOT the ASSHOLES I refer to above that INFEST THIS PLACE truly INFECTING IT with sockpuppetry & bogus downmods like I got the other day in the link above & TONS of others times!
Other than those doing what I noted above? Hey, admit it TO YOURSELVES:
What a pack of FUCKING UTTER WEASELS you have around here!
(ESPECIALLY including your owners & moderators who block my IP address & say my "hosts posts are bad" OR "spam" when they are TOTALLY USEFUL on TONS of levels - fuck you pricks)... apk
(Score: -1, Spam) by Anonymous Coward on Wednesday June 15, @03:25PM (5 children)
A post can be simultaneously useful and a troll in my book.
Oh good, some anti-Semitism right off the bat.
Don't whine about your previous mods; just post your information and let it stand on its own merits.
You're not making people less likely to downmod you by calling us names and insulting us about it.
--
P.S: About your first downmod complaint above, the post was actually remarkably on-topic up until the point where you couldn't resist your own postcript spooge.
Ah, here we go: arrogant, bitching about being oppressed, offtopic drama about vaxx, offtopic about programming languages, finish with more arrogance.
(Score: -1, Spam) by Anonymous Coward on Wednesday June 15, @04:06PM (2 children)
See my subject: All YOU are is an UNIDENTIFIABLE anonymous WEASEL (a fact, as you hide behind AC) lol & I just repost nullifying your WHIMP effete "cancel" downmod here https://soylentnews.org/comments.pl?noupdate=1&sid=49835&page=1&cid=1253419#commentwrap [soylentnews.org]
NOW, as to the REST of your BULLSHIT:
Isn't "GOOGLE" truly JEWgle? Yes, see Brin for example IF NOT Blackrock (Larry Fink, another jew) owned, lol - see subject - I merely STATE FACTS (ones you can't stand).
HEY - they ARE the ones destroying your STUPID, inefficient browser addons, not I!
Again, I merely STATE FACTS in that I can produce my OWN wares - obviously an ALL-TALK do NOTHING zero in you that HIDES behind AC posts issuing downmods on my posts CAN'T yourself, cripple!
Additionally: You ADMIT hosts & my posts are useful in doing so!
Hey - YOU PROVE MY POINTS for me... thanks!
APK
P.S.=> :) ... apk
(Score: 0) by Anonymous Coward on Wednesday June 15, @04:30PM (1 child)
Yeah, I can't imagine why I would AC, considering how intensely you seem to nurse a grudge from your posts.
I did? Where was that?
HOSTS file stuff being on-topic is not the same as me making any judgment on how effective it is.
(Score: -1, Troll) by Anonymous Coward on Wednesday June 15, @04:50PM
Apk just exposes you and yes he does it after you downmod his points that are correct that doubtless affect your ability to steal as jews do. Please, do prove me wrong here about Jews https://soylentnews.org/comments.pl?noupdate=1&sid=49835&page=1&cid=1253445#commentwrap [soylentnews.org]
Prove Apk is wrong about hosts files superiority on numerous levels here https://soylentnews.org/comments.pl?noupdate=1&sid=49747&page=1&cid=1252760#commentwrap [soylentnews.org] where he challenged you all fairly to do so.
Prove Apk is wrong here too in this thread today now https://soylentnews.org/comments.pl?noupdate=1&sid=49835&page=1&cid=1253440#commentwrap [soylentnews.org]
Apk's not the one issuing downmods to hide posts of useful information. You and yours are and running. Running from facts that shut your jew ass down cold and we all know it. You prove it for us.
You will prove how useful his posts are by your inability to prove them wrong.
Eat it jew. You will have to.
No wonder you jews hide and ruin the planet everywhere you have gone and end up in ovens for it. You do it to yourselves and you will now too.
Downmod galore will come out of you on my posts and his. Prove me wrong. You will only end up proving us both correct and you know it. Thanks.
(Score: -1, Troll) by Anonymous Coward on Wednesday June 15, @04:24PM
Jew give up. You project the typical slinking lurking sneak jew right off the bat. You jews think you are "so smart" but you couldn't face up to a challenge APK put to you https://soylentnews.org/comments.pl?noupdate=1&sid=49747&page=1&cid=1252760#commentwrap [soylentnews.org] and all you are is good at being thieves. Tell us Jew, why is it you jews have been kicked out of 110 nations to date? Is it because that sooner or later every nation on ear th gets wise to your creepiness. One look at the Talmud and everyone knows what you are calling us goyim cattle to be robbed, killed and to rape our little girls. Who are the racists now jew? You are.
(Score: -1, Troll) by Anonymous Coward on Wednesday June 15, @07:17PM
"Oh good, some anti-Semitism right off the bat."
These so-called Jews are Khazars, not Semites. They are subversive rats who lie about everything, even their own heritage.
(Score: 2) by maxwell demon on Wednesday June 15, @03:39PM (3 children)
Of course a malware running on your computer can easily circumvent any hosts file entry on that same computer. If enough people fight the malware through hosts files, you can bet the malware will do that.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 0) by Anonymous Coward on Wednesday June 15, @06:28PM (2 children)
"GOD DON'T MAKE NO JUNK" & neither do I as "The LORD of HOSTS" with proof - here goes:
IF that malware CAN run & it can't: How/WHY? 1st of all, HOW can it be running on my machine when I block sources of it getting to me @ ALL in the 1st place?
FACT: Rootkit or not, it can't run on me IF it can't get to me.
See my subject & QUESTION for YOU to answer regarding THIS usermode (key) rootkit (see more below on THAT note, lol - you LOSE twice in fact): DOES THIS USERMODE ROOTKIT REWRITE HOSTS?
ANSWER - NO it does not per all analysis on it, lol - you FAIL!
Secondly, even IF it ran (can't), it can't communicate back to its controllers (in C2/C&C)
LASTLY - I rewrite my hosts file MANY times a day from dozens of sources AND IF IT CHANGES SIZE minus MY PROGRAM doing it - I detect for that CRAP!
(Yes, it does it by itself, completely automated here UPDATING nigh constantly, more IF I want but it does so seamlessly as is every 5 minutes) - so even IF (it can't be) was rewritten, I write it back (not that it matters due to the above).
* SIMPLE!
(... lol, & of COURSE the IDIOTS here thought that blocking the proxy I used last is going to STOP ME easily NULLIFYING YOUR BS now too, so I just changed to another & will soon REPOST my initial post which obviously is SO EFFECTIVE none of you can prove it wrong, lmao...)
There HAVE been malwares that TRY affect hosts files & OS makers (all of them) put in admin level type permissions to STOP that (e.g. on Windows, MacOS, or Linux you MUST have that level of perms to rewrite hosts) - now IF you even TRY say "but, But, BUT rootkits have kernel level perms" well, see above AND IIRC? This is a USERMODE ROOTKIT & that is NOT Kernel level OR admin (or the OS would warn you just as it does demanding admin/root logon to do so)
& YES AGAIN - I'd have to BE INFECTED FIRST & guess what again??
I block that POSSIBILITY even EVER happening in the 1st place by blocking out sources of said infestations @ all!
APK
P.S.=> Nice TRY, you FAIL - better luck next time (usermode vs. kernelmode per above + the FACT this particular usermode rootkit does NOT attack hosts (let it in my case - it can't period))... apk
(Score: 0) by Anonymous Coward on Wednesday June 15, @08:57PM
At least we don't have aristarchus to spam mod, anymore.
(Score: 2) by dalek on Wednesday June 15, @10:24PM
You're exaggerating the effectiveness of hosts at preventing malware.
Yes, hosts can block sites that contain malware. However, there are many repositories with user-submitted content that contain both malware and useful software that is safe. In that case, you either have to block the entire site and prevent access to safe content, or you allow the site and are vulnerable to malware. Hosts don't provide granular enough control to properly handle this situation. Someone has to discover that the site is distributing malware and add it to the hosts file, meaning that hosts won't block sites that haven't yet been flagged as malicious. Hosts files also don't work with wildcards, meaning that you can't block access to *.malicious-site.com. You'd need something like dnsmasq to accomplish that.
Yes, hosts can block access to command and control servers provided that those servers are specified according to a host and not an IP address. However, for this to be relevant, your system already has to be compromised. This might mitigate the damage, but the breach has already occurred.
Hosts files can be a useful layer of security, sure. There's a reason that browser addons like uBlock Origin can use hosts files. But they should be treated as just one layer of security, not a complete solution. You can't be certain that you've blocked all sources of malware with hosts, and you'll have better security if you have other layers of protection. You're exaggerating the protection that hosts files provide. Like I said, they can be useful as a layer of security, but they shouldn't be the only layer.
EXTERMINATE
(Score: 2) by Subsentient on Wednesday June 15, @08:17PM
Well it's *potentially* useful for those of us who are smart enough to be running Linux or BSD, but I imagine the OS cannot parse /etc/hosts quickly, so if it gets tons of entries, might end up with some issues, unless the kernel is using something like inotify to watch the file and cache it when it changes.
If you're on Windows, you're kind of fucked, as recent versions of Windows since around Win8 molest the hosts file at random intervals and occasionally just decide to ignore it altogether.
Yeah, yeah, feeding the trolls, whatever.
"It is no measure of health to be well adjusted to a profoundly sick society." -Jiddu Krishnamurti
(Score: 4, Insightful) by tangomargarine on Wednesday June 15, @02:26PM (2 children)
"Does this Linux malware require you to run it as root to infect yourself?"
So how does somebody load a shared library on somebody else's machine? This isn't a compile-time attack, is it?
I'll give them this much--whoever designed this doesn't sound dumb.
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 0) by Anonymous Coward on Wednesday June 15, @08:13PM (1 child)
tangomargarine, agreed 110% - I took a LONG read here on it https://blogs.blackberry.com/en/2022/06/symbiote-a-new-nearly-impossible-to-detect-linux-threat [blackberry.com] & the freak that wrote it DOES know his shit.
* The entire PAM setup IS the main problem since this thing hooks libs and all processes running apparently. Doesn't matter if you recompile say, a module from (insert protection type here be it antirootkit, antivirus etc.) since it FINDS them in the existing process tree running lists. THAT & being able to alter PRELOAD...
Heck, I'm STILL reading it & going "WoW"...
APK
P.S.=> Only thing I have going for me is that I blockout its sources for C&C/C2 it uses via hosts as I noted https://soylentnews.org/comments.pl?noupdate=1&sid=49835&page=1&cid=1253468#1253468 [soylentnews.org] which SHOULD keep me "proof" vs. sucking it in IN THE 1st PLACE - BUT I'd have to admit even my APK Hosts File Engine WOULD be possible to attack sort of by API dependencies (not itself directly as I run sizechecks in EVERY proc/function/subroutine it ever runs CHECKING ITSELF vs. infection as "oldschool" type viruses would do hooking into the tail end of your program & altering function jmp tables etc. BUT instead OS libraries in libc/glibc etc.) - So, yes, whoever wrote this? KNOWS THEIR SHIT @ a DEEP level of how OS in general work as well as their API - this is NOT GOOD - it is like when you have errors in your compilers you use in a way - the problem is the FUNDAMENTAL BUILDING BLOCKS that are used then too - correct me IF I am off/wrong here - but it sounds like an OS level issue in PAM & being able to hook API (which, you can & it does giving it some ROOT power to an extent which I haven't seen in usermode rootkits before @ least - all we can HOPE is that they PLUG the PRELOAD part really @ OS level on updates from Linux IF possible)... apk
(Score: 0) by Anonymous Coward on Wednesday June 15, @08:32PM
This isn't the first use of LD_PRELOAD to do something malicious, eg. see https://security.stackexchange.com/q/63599 [stackexchange.com] - of course this use of it seems especially clever.
I do wish the LD_ (and DT_ and probably other) environment variable handling was disabled by default, all the solutions given in that stackexchange answer (admittedly from a few years back) seem at best brittle.
(Score: -1, Spam) by Anonymous Coward on Wednesday June 15, @06:30PM (1 child)
0.0.0.0 caixa.wf
0.0.0.0 git.bancodobrasil.dev
0.0.0.0 bancodobrasil.dev
0.0.0.0 ns1.cintepol.link
0.0.0.0 ns2.cintepol.link
0.0.0.0 cintepol.link
0.0.0.0 assets.fans
0.0.0.0 caixa.cx
0.0.0.0 dpf.fm
0.0.0.0 dev21.bancodobrasil.dev
0.0.0.0 bancodobrasil.dev
0.0.0.0 cctdcapllx0520.df.caixa.cx
0.0.0.0 cctdcapllx0520.df.caixa.wf
0.0.0.0 webfirewall.caixa.wf
0.0.0.0 x3206.caixa.cx
(Those are C2 servers etc. it uses & the entries in hosts you can use to stall symbiote on Linux)
Additionally - I'd like to thank bradley13 above for the SECURITY ARTICLE I used to get those C&C servers from that Symbiote uses - these types of articles ARE what I referred to the other day regarding addons being crippled by JEWgle etc. AND how hosts are FAR BETTER & that you will end up returning to using hosts files due to JEWgle's bullshit (+ YES, hosts files &/or Firewall rules are invaluable IF you want to REALLY PROTECT YOUR MACHINES from threats online!)
* That's RIGHT - AND just like I pointed out a HUGE ADVANTAGE hosts files have over your soon to be useless adblocker addons for browsers (in slower less efficient usermode - with tests that PROVE that too) right-off-the-bat @ the START of my post you ASSHOLES here allowed to be DOWNMODERATED a few days ago here https://soylentnews.org/comments.pl?noupdate=1&sid=49747&page=1&cid=1252547#commentwrap [soylentnews.org] ?
So what did I point out hosts files do there besides everything browser addons do blocking ads BUT ALSO blocking malware/trackers/scripts/ads & more in their communications back to the invaders??
The FACT that GOOD complete hosts files (like mine, 10 million entries strong to date since 1997) BLOCK & NULLIFY communication to malware C&C servers (C2) or sources of them coming INTO your system along with blocking other threats like trackers/ads/scripts that also tear up your CPU time, memory, messagepassing AND ELECTRICITY BILL just running them (something MANY overlook - since in the "olden days" you had ISAPI/NSAPI libs or C programs running server-side to do that - the 'powers that be' SUCKERED You THAT WAY too).
Browser addons do NOT do that & though uBlock uses hosts? I doubt THEIR LISTS cover these things (as most hosts files don't & are concerned MOSTLY with just adblocking) - my hosts file does due to the FACT I look over security articles everyday for the purpose of defense vs. threats like THIS ONE & tons of others.
Going to "downmod this" too, assholes? I bet you will... fuck you all.
APK
P.S.=> Others here did a few good posts too pointing out proc scannings & that this is basically NT type DLL injection via PRELOAD noted above by many - SO - they are NOT the ASSHOLES I refer to above that INFEST THIS PLACE truly INFECTING IT with sockpuppetry & bogus downmods like I got the other day in the link above & TONS of other times!
Other than those doing what I noted above? Hey, admit it TO YOURSELVES:
What a pack of FUCKING UTTER WEASELS you have around here!
(ESPECIALLY including your owners & moderators who block my IP address & say my "hosts posts are bad" OR "spam" when they are TOTALLY USEFUL on TONS of levels - fuck you pricks)... apk
(Score: -1, Troll) by Anonymous Coward on Wednesday June 15, @06:32PM
A pleasure sending a DEMON back to HELL, lol EASILY https://soylentnews.org/comments.pl?noupdate=1&sid=49835&page=1&cid=1253466#commentwrap [soylentnews.org]
* BOYS, you are messing with TRULY "The LORD of HOSTS" & demons like you? ALWAYS FAIL!
APK
P.S.=> Gotta give maxwell demon credit though - @ least HE had some sort of wannabe creativity (failed anyhow)... apk
(Score: 0) by Anonymous Coward on Wednesday June 15, @06:36PM
https://github.com/yunchih/static-binaries [github.com]
(Score: -1, Spam) by Anonymous Coward on Wednesday June 15, @08:56PM (2 children)
(Score: 0) by Anonymous Coward on Wednesday June 15, @09:01PM (1 child)
Why are the people here minus moderating you? I caught your post to tangomargarine and you have a point https://soylentnews.org/comments.pl?noupdate=1&sid=49835&page=1&cid=1253495#commentwrap [soylentnews.org], and nobody else here on this site is even coming close to what seems like a logical solution from you: blocking sources of this attack in addition to the servers it uses, which would stop it stealing information out of any system by stopping communication, black-holing the rootkit C2 servers from doing so. You noted it does not attack hosts, so you are correct, I think https://soylentnews.org/comments.pl?noupdate=1&sid=49835&page=1&cid=1253466#commentwrap [soylentnews.org]
(Score: 1, Funny) by Anonymous Coward on Wednesday June 15, @09:16PM
It's because I tell facts on things on this site. A lot of "dirty pool" goes on around here which I noted in the post you originally replied to.
On a guess due to what I stated (just facts even the admins here admit, janrinok in particular noting he has equated a sockpuppet named unionrep to an AC poster - how would HE know that unless he logged IP addresses used by posters, especially registered ones? Ask yourself that).
No, it's probably not the posters here replying (well, maybe maxwell demon per https://soylentnews.org/comments.pl?noupdate=1&sid=49835&page=1&cid=1253466#commentwrap [soylentnews.org] my putting him away with ease regarding this particular rootkit).
I mean tangomargarine is solid so I replied in kind asking things as even I don't know it all.
Again/However I think it is the owners &/or admins that can't stand what I wrote. Read my original post closely. It goes on everywhere online.
* You can try to help out like I do, but scumbags are scumbags. Their loss. Not mine. I did what I think, and you too apparently, will work.
APK
P.S.=> Onwards & upwards @ this point - they won't stop but then, neither will I - IF I have to I will "fireup" another creation of mine called CYBERIAN TIGER & it will run them DRY of "downmodpoints" but it won't work (well, it will but they will just keep downmodding even IF/WHEN I have a good answer as I do per your statements even) vs. admins here (they have unlimited downmod)... apk