posted by janrinok on Sunday November 08 2015, @06:12AM   Printer-friendly
from the malware-for-idiots dept.

A new bit of ransomware is now attacking Linux-based machines, specifically the folders associated with serving web pages. Called Linux.Encoder.1, the ransomware will encrypt your MySQL, Apache, and home/root folders. The malware then demands a single bitcoin to decrypt the files.

From Dr.Web Antivirus:

Once launched with administrator privileges, the Trojan dubbed Linux.Encoder.1 downloads files containing cybercriminals’ demands and a file with the path to a public RSA key. After that, the malicious program starts as a daemon and deletes the original files. Subsequently, the RSA key is used to store AES keys which will be employed by the Trojan to encrypt files on the infected computer.


[Ed's Comment: Emphasis mine.]

  • (Score: 1, Touché) by Anonymous Coward on Sunday November 08 2015, @06:35AM

    by Anonymous Coward on Sunday November 08 2015, @06:35AM (#260252)

    s/t

    • (Score: 2) by Whoever on Sunday November 08 2015, @05:31PM

      by Whoever (4524) on Sunday November 08 2015, @05:31PM (#260408) Journal

      Either:
      1. This is BS. It's not a real threat, it's something where the threat is vastly inflated by a "security" company with something to sell you.
      2. The intent is to attack via ssh, hoping to find boxes with weak root passwords and no defence against ssh brute-force attacks.

  • (Score: 5, Interesting) by frojack on Sunday November 08 2015, @06:46AM

    by frojack (1554) on Sunday November 08 2015, @06:46AM (#260254) Journal

    Seems like half the story...

    How did it get there?
    Did they obtain root on the box first?
    How did they induce root to launch it? If some human didn't launch it, no one would see the ransom message.
    Did they link it to something root is going to run?

    Even reading all the linked pages, and the pages linked to those pages, none of that is explained.

    --
    No, you are mistaken. I've always had this sig.
    • (Score: 2) by ticho on Sunday November 08 2015, @09:04AM

      by ticho (89) on Sunday November 08 2015, @09:04AM (#260267) Homepage Journal

      From a two-day-old article at http://www.securityweek.com/file-encrypting-ransomware-targets-linux-users: [securityweek.com]

      "It’s unclear at this point how the malware is distributed and installed on victims’ computers, ..."

      • (Score: 2) by kurenai.tsubasa on Sunday November 08 2015, @09:05PM

        by kurenai.tsubasa (5227) on Sunday November 08 2015, @09:05PM (#260504) Journal

        Also found a Hungarian forum here [hup.hu].

        Anybody speak Hungarian in the house? I ran some of the comments through Google Translate, which proves hilariously inadequate. As far as I could tell, most of the discussion is about backup strategies and insecure PHP setups that give world write permission (i.e. 777) to /var/www.

        This was my favorite translation fail:

        Például, ha "Vér Pistike" root engedélyezett SSH-t használ. De meg is érdemli.

        "Értem én, hogy villanyos autó, de mi hajtja?"

        becomes

        For example, if "Blood Pistike" root using SSH enabled. But it deserves.

        "I understand villa certain car, but what is driving?"

        So clearly, this exploit only works if bear is driving! [youtube.com] (How can that be?!)

        • (Score: 2, Informative) by Anonymous Coward on Sunday November 08 2015, @10:47PM

          by Anonymous Coward on Sunday November 08 2015, @10:47PM (#260546)

          >>> for example, if "Bloody Steve" is using root-enabled ssh, he deserves it.
          >>> "I understand, that it's an electric car, but what is propelling it?"

          User "trey" says, apparently FreeBSD is also affected.
          All other commenters are mostly discussing how this malware might infect your system and how you can prevent it from touching your files.
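The "chmod 777 /var/www" misconfiguration mentioned above is easy to audit for. The following check is an added example, not code from the thread or from any project it mentions; the sample web root it scans is constructed in a temporary directory, and the path names and thresholds are assumptions.

```python
"""Find world-writable files and directories under a web root."""
import os
import stat
import tempfile


def world_writable(root: str) -> list:
    """Return sorted (relative path, reason) pairs for every entry under root
    that any local user can write to. Symlinks are skipped: their own mode is
    meaningless on Linux, and the target is examined where it really lives."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode) or not mode & stat.S_IWOTH:
                continue
            if stat.S_ISDIR(mode):
                # A sticky world-writable dir (like /tmp) is less bad but still
                # lets anyone drop files into the web tree, so report it too.
                reason = "world-writable dir"
                if mode & stat.S_ISVTX:
                    reason += " (sticky)"
            else:
                reason = "world-writable file"
            findings.append((os.path.relpath(path, root), reason))
    return sorted(findings)


def build_demo_tree() -> str:
    """Constructed sample web root: a correct html/ dir, a 666 config file,
    a sticky 1777 tmp/ dir and a plain 777 uploads/ dir."""
    root = tempfile.mkdtemp(prefix="www-")
    for sub in ("html", "tmp", "uploads"):
        os.makedirs(os.path.join(root, sub))
    for rel, mode in (("html/index.php", 0o644), ("html/config.php", 0o666)):
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("<?php // constructed placeholder\n")
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "html"), 0o755)
    os.chmod(os.path.join(root, "tmp"), 0o1777)
    os.chmod(os.path.join(root, "uploads"), 0o777)
    return root


if __name__ == "__main__":
    for rel, why in world_writable(build_demo_tree()):
        print(f"{why}: {rel}")
```

Point it at the real document root (e.g. /var/www) instead of the demo tree to audit a server; anything listed can be written to by a compromised web application or any local account.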

    • (Score: 3, Insightful) by Hairyfeet on Sunday November 08 2015, @01:04PM

      by Hairyfeet (75) <{bassbeast1968} {at} {gmail.com}> on Sunday November 08 2015, @01:04PM (#260326) Journal

      Considering how often we see servers that haven't been patched in ages I really wouldn't be surprised if they are using the Ghost vulnerability [us-cert.gov] to gain control of the systems.

      This is why I've said for years it really doesn't matter if you are running Linux, OSX, or Windows, as it's always the same weaknesses that get a computer compromised. You see social engineering [geekzone.co.nz], systems that go unpatched, it's the same tricks used over and over again.

      --
      ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
      • (Score: 4, Touché) by fnj on Sunday November 08 2015, @02:53PM

        by fnj (1654) on Sunday November 08 2015, @02:53PM (#260359)

        This is why I've said for years it really doesn't matter if you are running Linux, OSX, or Windows, as it's always the same weaknesses that get a computer compromised.

        You lose. I use FreeBSD. With no glibc, no GUI, and sure as hell no systemd.

        • (Score: 2) by Hairyfeet on Sunday November 08 2015, @10:26PM

          by Hairyfeet (75) <{bassbeast1968} {at} {gmail.com}> on Sunday November 08 2015, @10:26PM (#260534) Journal

          And if you run FreeDOS without network support I'm sure you will be completely immune to everything, your point? If you want to have your "computer" be nothing more than a blinking cursor like it's 1979 Disco Dan that is your choice, most of us don't want our computer evolution to end when Ronnie Raygun became POTUS.

          --
          ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
          • (Score: 2) by Freeman on Monday November 09 2015, @05:28PM

            by Freeman (732) on Monday November 09 2015, @05:28PM (#260831) Journal

            How do you equate using FreeBSD as an alternative Web Host with using a non-network connected installation of FreeDOS?

            --
            Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
        • (Score: 0) by Anonymous Coward on Sunday November 08 2015, @10:31PM

          by Anonymous Coward on Sunday November 08 2015, @10:31PM (#260536)

          People said the EXACT SAME THING about Linux. Then Linux got popular and then got pwned HARD.

          I'll agree that BSD is better than Linux and I wish Shuttleworth had sunk his money into BSD and not Linux, but the moment it is profitable to pwn BSD you will see BSD malware. If that ever happens though, BSD will handle it MUCH better than Linux, due to it being able to apply patches without pooping itself.

          • (Score: 0) by Anonymous Coward on Monday November 09 2015, @02:02AM

            by Anonymous Coward on Monday November 09 2015, @02:02AM (#260615)

            People said the EXACT SAME THING about Linux. Then Linux got popular and then got pwned HARD.

            Your definition of "pwned HARD" seems to be substantially at variance from mine. My recollection--which could be flawed--is that, while there are theoretical instances in which a linux box could have been hacked, few of these vulnerabilities have actually been exploited in the real world; I seem to recall that many (most? all?) of these instances require either physical access to the machine or the root password. Contrast this with the many instances in which real-world havoc has been wreaked on windows machines causing significant network outages. As I said, my recollection could be flawed. I am curious to see what you will respond with to disabuse me of my ignorance.

      • (Score: 1, Insightful) by Anonymous Coward on Sunday November 08 2015, @04:17PM

        by Anonymous Coward on Sunday November 08 2015, @04:17PM (#260380)

        And yet plenty of people still believe Linux is so much harder to pwn than Windows. See: https://soylentnews.org/comments.pl?sid=10359&cid=257122#commentwrap [soylentnews.org]

        Linux and Windows are just as easy to pwn by outsiders. The only real difference between Linux and Windows in terms of security is Windows comes prepwned by Microsoft and their partners (Windows 10, Lenovo Superfish etc).

        This could of course be a huge issue for many, but others seem to think the impact is acceptable.

  • (Score: 3, Funny) by jasassin on Sunday November 08 2015, @06:49AM

    by jasassin (3566) <jasassin@gmail.com> on Sunday November 08 2015, @06:49AM (#260255) Homepage Journal

    Running Trojans as root... on the next Jeraldo.

    --
    jasassin@gmail.com GPG Key ID: 0xE6462C68A9A3DB5A
    • (Score: 5, Funny) by Anonymous Coward on Sunday November 08 2015, @07:06AM

      by Anonymous Coward on Sunday November 08 2015, @07:06AM (#260258)

      "You have to run that with sudo if it doesn't work" -Ubuntu forums

  • (Score: 3, Funny) by Anonymous Coward on Sunday November 08 2015, @07:23AM

    by Anonymous Coward on Sunday November 08 2015, @07:23AM (#260260)

    Bitcoin will get a bad rap if this kind of stuff keeps happening.

    • (Score: 2) by maxwell demon on Sunday November 08 2015, @09:48AM

      by maxwell demon (1608) on Sunday November 08 2015, @09:48AM (#260275) Journal

      Bitcoin will get a bad rap if this kind of stuff keeps happening.

      Do you have a specific rapper in mind?

      --
      The Tao of math: The numbers you can count are not the real numbers.
  • (Score: 2) by Runaway1956 on Sunday November 08 2015, @07:39AM

    by Runaway1956 (2926) Subscriber Badge on Sunday November 08 2015, @07:39AM (#260262) Journal
    • (Score: 2) by Thexalon on Sunday November 08 2015, @03:10PM

      by Thexalon (636) on Sunday November 08 2015, @03:10PM (#260365)

      Well, sure it supports Linux. You just have to follow the standard build instructions: Download the tarball, unpack, run ./configure, make, sudo make install.

      --
      "Think of how stupid the average person is. Then realize half of 'em are stupider than that." - George Carlin
      • (Score: 2) by VLM on Sunday November 08 2015, @07:28PM

        by VLM (445) Subscriber Badge on Sunday November 08 2015, @07:28PM (#260453)

        There's a modern moronity out there along the lines of:

        wget -O - http://dumbidea.com/install.sh [dumbidea.com] | sudo sh

        I mean what could possibly go wrong? For bonus points make sure to use http instead of https. Also make sure to pack the .sh full of bashisms, after all every civilized individual symlinks /bin/sh to /bin/bash, right? And now improved with bundled ASK toolbar!

        For a good laugh check out:

        http://curlpipesh.tumblr.com/ [tumblr.com]

  • (Score: 1, Insightful) by Anonymous Coward on Sunday November 08 2015, @07:56AM

    by Anonymous Coward on Sunday November 08 2015, @07:56AM (#260263)

    Systemd will soon contain this functionality.

    What is systemd great at? Giving us useless features that nobody wants or needs, that get in the way of doing a job.

    • (Score: 5, Insightful) by Geotti on Sunday November 08 2015, @10:48AM

      by Geotti (1146) on Sunday November 08 2015, @10:48AM (#260293) Journal

      Finally, a new revenue stream for distros: pay us 1btc and we'll send you an image without systemd

  • (Score: 4, Funny) by maxwell demon on Sunday November 08 2015, @09:40AM

    by maxwell demon (1608) on Sunday November 08 2015, @09:40AM (#260273) Journal

    After I read the headline, I already was worried. But the summary cleared it up: It is just attacking the servers.

    --
    The Tao of math: The numbers you can count are not the real numbers.
    • (Score: 2) by Subsentient on Sunday November 08 2015, @11:30AM

      by Subsentient (1111) on Sunday November 08 2015, @11:30AM (#260302) Homepage Journal

      Fuck you dude. I run servers. :^)

      --
      "It is no measure of health to be well adjusted to a profoundly sick society." -Jiddu Krishnamurti
  • (Score: 2) by hemocyanin on Sunday November 08 2015, @10:21AM

    by hemocyanin (186) on Sunday November 08 2015, @10:21AM (#260286) Journal

    One would hope that a server would have a decent backup system in place making this less profitable for the attackers. Grandmas who have all their grandkids' photos unbacked up on one computer are a much juicier target.

    • (Score: 3, Funny) by DNied on Sunday November 08 2015, @12:25PM

      by DNied (3409) on Sunday November 08 2015, @12:25PM (#260318)

      Moral of the story: If grandma is root, you'd better get an account on a different machine.

    • (Score: 2) by Bot on Monday November 09 2015, @12:13AM

      by Bot (3902) on Monday November 09 2015, @12:13AM (#260581) Journal

      Deduplicating backup tools like attic might even detect something is wrong when a snapshot swells abruptly.

      --
      Account abandoned.
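The swelling-snapshot idea above can be turned into a simple detector. This is an added example, not code from the thread or from attic: it approximates a deduplicating backup with fixed-size chunk hashes, and flags a snapshot when most chunks are new relative to the previous one and the data is near-maximum entropy, which is what ciphertext looks like and plain web content does not. The sample snapshots, thresholds and paths are constructed for the demo; random bytes stand in for encrypted output and no cipher is run.

```python
"""Flag a backup snapshot that looks like a ransomware run."""
import hashlib
import math
import random
from collections import Counter

CHUNK_SIZE = 4096       # fixed-size chunking keeps the example simple
NEW_CHUNK_ALERT = 0.8   # more than 80% of chunks unseen in the previous snapshot
ENTROPY_ALERT = 7.5     # bits/byte; HTML/SQL sits around 4-5, ciphertext near 8


def chunk_hashes(data: bytes) -> set:
    """Set of SHA-256 digests of the fixed-size chunks of one file."""
    return {hashlib.sha256(data[i:i + CHUNK_SIZE]).hexdigest()
            for i in range(0, len(data), CHUNK_SIZE)}


def byte_entropy(data: bytes) -> float:
    """Shannon entropy of the byte distribution, in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def analyse(prev: dict, cur: dict) -> dict:
    """prev and cur map file path -> file content for two snapshots.
    Returns the share of chunks in cur not present in prev, the entropy of
    cur, and whether both cross the alert thresholds."""
    seen = set().union(*(chunk_hashes(d) for d in prev.values()))
    cur_chunks = set().union(*(chunk_hashes(d) for d in cur.values()))
    new_ratio = len(cur_chunks - seen) / len(cur_chunks)
    entropy = byte_entropy(b"".join(cur.values()))
    return {"new_chunk_ratio": round(new_ratio, 3),
            "entropy": round(entropy, 2),
            "suspicious": new_ratio > NEW_CHUNK_ALERT and entropy > ENTROPY_ALERT}


# Constructed web root: three text files of roughly 10 KB each.
BASELINE = {
    "/var/www/index.html": b"<html><body><p>Constructed sample page.</p></body></html>\n" * 170,
    "/var/www/about.html": b"<p>about</p>\n" * 700,
    "/var/www/db.sql": b"INSERT INTO t VALUES (1,'a');\n" * 300,
}
# Normal day: one page gains a line, so only its last chunk changes.
NORMAL_DAY = dict(BASELINE)
NORMAL_DAY["/var/www/about.html"] = BASELINE["/var/www/about.html"] + b"<p>new</p>\n"
# Bad day: every file replaced by high-entropy bytes (stand-in for ciphertext).
_rng = random.Random(2015)
BAD_DAY = {p: bytes(_rng.getrandbits(8) for _ in range(len(d))) for p, d in BASELINE.items()}

if __name__ == "__main__":
    print("normal:", analyse(BASELINE, NORMAL_DAY))
    print("bad:   ", analyse(BASELINE, BAD_DAY))
```

In a real deployment the same two numbers come from the backup tool's own statistics (new bytes written per snapshot, compression ratio) rather than re-hashing the tree, and the entropy check is what distinguishes a legitimate large redeploy from an encryption pass.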
  • (Score: 1, Informative) by Anonymous Coward on Sunday November 08 2015, @10:47AM

    by Anonymous Coward on Sunday November 08 2015, @10:47AM (#260292)

    that Dr. Web site seems shifty...they don't tell you what the attack vector is, but they do tell you how to buy one of their anti-virus products: http://products.drweb.com/linux/?lng=en [drweb.com]

  • (Score: 2) by NotSanguine on Sunday November 08 2015, @11:18AM

    I saw this amusing bit in TFA:

    The team recommends backing up all data and keeping all files in place if you’re attacked until researchers create a decryption system.

    Since the data is encrypted with an RSA 2048 bit key, I imagine that researchers will be working on that "decryption system" for quite some time.

    --
    No, no, you're not thinking; you're just being logical. --Niels Bohr
    • (Score: 2) by maxwell demon on Sunday November 08 2015, @02:07PM

      by maxwell demon (1608) on Sunday November 08 2015, @02:07PM (#260344) Journal

      Which just means, you should keep making backups of all data for basically forever (or until you no longer need that data). Which certainly is good advice.

      --
      The Tao of math: The numbers you can count are not the real numbers.
  • (Score: 1, Troll) by fnj on Sunday November 08 2015, @02:46PM

    by fnj (1654) on Sunday November 08 2015, @02:46PM (#260354)

    Eat shit. I use FreeBSD. And if you did get me I would just restore from backups and look into taking out a contract on your sorry asses. And I'm not stupid. I don't run trojans as root.

    • (Score: 2) by HiThere on Sunday November 08 2015, @09:29PM

      by HiThere (866) on Sunday November 08 2015, @09:29PM (#260520) Journal

      The point about backups is valid. Using BSD, however, won't protect you from something running as root. I can't think of much that would outside of running a Write Once Read Many memory System. Worms, however, aren't common. The only thing I can think of that uses them are multi-session CDs.

      --
      Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
  • (Score: 2) by present_arms on Sunday November 08 2015, @03:14PM

    by present_arms (4392) on Sunday November 08 2015, @03:14PM (#260366) Homepage Journal

    and don't be a plank :) if it's not in the repo, don't install it, ahh life is simple :d

    --
    http://trinity.mypclinuxos.com/
  • (Score: 1) by cpghost on Sunday November 08 2015, @07:47PM

    by cpghost (4591) on Sunday November 08 2015, @07:47PM (#260465) Homepage

    Anyone with the source code of this little bastard? Some repo hosting it? :)

    (Not that it isn't trivially easy to write a little shell script to do the job, leaving the heavy encryption lifting to binaries like openssl for example).

    --
    Cordula's Web. http://www.cordula.ws/
  • (Score: 3, Insightful) by PizzaRollPlinkett on Sunday November 08 2015, @08:38PM

    by PizzaRollPlinkett (4512) on Sunday November 08 2015, @08:38PM (#260491)

    Every few weeks, there's another Linux scare story like this. Exceptionally vague on details, truly alarming in the headline. We hear screaming: LINUX! IS! INSECURE! But when we look, the details are nowhere to be found. The articles are long on scary outcomes, but short on how these phantom problems propagate.

    Who is behind these stories?

    Do they share a common connection?

    Anyone keeping a list of them? I should have, but didn't see the pattern emerging until now.

    Is it just clickbait from the tech industry blogs? Any unsubstantiated Linux story gets the screaming-alarm, hair-on-fire treatment while the Windows gaping security hole of the week is boring?

    --
    (E-mail me if you want a pizza roll!)
    • (Score: 0) by Anonymous Coward on Sunday November 08 2015, @09:45PM

      by Anonymous Coward on Sunday November 08 2015, @09:45PM (#260523)

      Welcome to "security researchers" in general, this isn't restricted to Linux, they're vague on details regardless of the platform.

  • (Score: 2) by darkfeline on Tuesday November 10 2015, @02:25PM

    by darkfeline (1030) on Tuesday November 10 2015, @02:25PM (#261252) Homepage

    This is kind of pointless. Web servers are much more likely to have backups than individual users, combine that with the fact that this attack wouldn't be very effective if it were timed (servers are pretty much fire and forget, although you might notice Apache throwing an error if you have the logs mailed to you), and web servers aren't (and shouldn't be) storing any sensitive or important info in the first place, simply a copy of the necessary HTML/PHP files to serve.

    Kind of like holding someone's subway posters for ransom.

    --
    Join the SDF Public Access UNIX System today!