
posted by cmn32480 on Friday August 12 2016, @04:12AM

Arthur T Knackerbracket has found the following story:

Russian security outfit Dr. Web says it's found new malware for Linux.

The firms[sic] says the “Linux.Lady.1” trojan does the following three things:

  • Collect information about an infected computer and transfer it to the command and control server.
  • Download and launch a cryptocurrency mining utility.
  • Attack other computers of the network in order to install its own copy on them.

The good news is that while the Trojan targets Linux systems, it doesn't rely on a Linux flaw to run. The problem is instead between the ears of those who run Redis without requiring a password for connections. If that's you, know that the trojan will use Redis to make a connection and start downloading the parts of itself that do real damage.

Once it worms its way in, the trojan phones home to its command and control server and sends information including the flavour of Linux installed, the number of CPUs on the infected machine and the number of running processes. The Register imagines that information means whoever runs the malware can make a decent guess at whether it is worth getting down to some mining, as there's little point working with an ancient CPU that's already maxed out.

Original Submission
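The weakness the story describes is a Redis server that answers commands from anyone who can reach its port. The following is an added audit example written for this page; it is not code from Dr. Web, The Register or the Redis project. It does two things a defender can run today: a live probe that sends an unauthenticated PING and classifies the reply, and a static scan of a redis.conf for the settings that leave the server open. The host, port, config contents and password value are constructed placeholders.

```python
"""Audit a Redis deployment for the weakness Linux.Lady abused: a server that
runs commands without authentication.  Added example, not the project's own
code; hosts, ports and config contents are placeholders the reader replaces."""
import socket


def resp_command(*parts: str) -> bytes:
    """Encode a command as a RESP array, the wire format Redis clients speak."""
    chunks = [f"*{len(parts)}\r\n".encode()]
    for part in parts:
        raw = part.encode()
        chunks.append(f"${len(raw)}\r\n".encode() + raw + b"\r\n")
    return b"".join(chunks)


def classify_reply(reply: bytes) -> str:
    """Turn the first line of a Redis reply to PING into an audit verdict."""
    line = reply.split(b"\r\n", 1)[0]
    if line == b"+PONG":
        return "open"            # command ran with no AUTH: anyone reaching the port is in
    if line.startswith(b"-NOAUTH"):
        return "auth-required"   # a password is configured
    if line.startswith(b"-DENIED"):
        return "protected-mode"  # Redis refused a non-loopback client (protected-mode yes, no password)
    return "unknown"


def probe(host: str, port: int = 6379, timeout: float = 2.0) -> str:
    """Connect, send an unauthenticated PING and classify the answer."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(resp_command("PING"))
            return classify_reply(sock.recv(512))
    except OSError:
        return "unreachable"


def audit_config(text: str) -> list:
    """Flag redis.conf settings that allow the kind of connection the trojan
    makes.  Returns a list of findings; an empty list means clean."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        settings[key.lower()] = value.strip().strip('"')
    findings = []
    if not settings.get("requirepass"):
        findings.append("requirepass: unset, clients are never asked for a password")
    if settings.get("protected-mode", "yes").lower() == "no":
        findings.append("protected-mode: disabled, remote clients are accepted without a password")
    bind = settings.get("bind")
    if bind is None or "0.0.0.0" in bind.split():
        findings.append("bind: listens on every interface instead of loopback or an internal address")
    return findings


# Constructed sample configs: the weak one mirrors the mistake described in the story.
WEAK_CONF = """port 6379
bind 0.0.0.0
protected-mode no
"""
HARDENED_CONF = """port 6379
bind 127.0.0.1
protected-mode yes
requirepass REPLACE-WITH-A-LONG-RANDOM-SECRET
"""

if __name__ == "__main__":
    print("weak config:", audit_config(WEAK_CONF))
    print("hardened config:", audit_config(HARDENED_CONF))
    print("127.0.0.1:6379 ->", probe("127.0.0.1"))
```

Run the probe from a host outside the server's loopback to see what a stranger on the network sees; an "open" verdict is the condition the trojan needs. The config scan only knows the classic requirepass scheme; a server using the newer ACL "user" directives instead will still be reported as lacking requirepass and needs a manual look.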

  • (Score: 3, Touché) by jbernardo on Friday August 12 2016, @04:49AM

    by jbernardo (300) on Friday August 12 2016, @04:49AM (#386901)

    According to the original article, the Trojan will install /etc/systemd/system/ntp.service, so probably it will only run on systemd and not on plain Linux. Another reason to stay away from systemd? :)

  • (Score: 3, Informative) by Scruffy Beard 2 on Friday August 12 2016, @05:26AM

    by Scruffy Beard 2 (6030) on Friday August 12 2016, @05:26AM (#386906)

    Looks like it overwrites /usr/sbin/ntp first.

    So if you are using an NTP binary in that location, you are still at risk.

  • (Score: 2) by frojack on Friday August 12 2016, @05:28AM

    by frojack (1554) on Friday August 12 2016, @05:28AM (#386907) Journal

    The problem is that at this point in time systemd IS plain Linux.

    On the other hand I've never laid eyes on Redis.

    No, you are mistaken. I've always had this sig.
    • (Score: 2) by Azuma Hazuki on Friday August 12 2016, @05:52AM

      by Azuma Hazuki (5086) on Friday August 12 2016, @05:52AM (#386916) Journal

      XenOrchestra, a web-based frontend to XenServer, requires a Redis instance to connect to. I've used it, though there's something incredibly dirty and buzzword-y greasy-feeling about the whole thing...node.js, Redis, web-based...yuck.

      I am "that girl" your mother warned you about...
    • (Score: 2) by HiThere on Friday August 12 2016, @05:54PM

      by HiThere (866) Subscriber Badge on Friday August 12 2016, @05:54PM (#387101) Journal

      Redis is a fairly common database. But if the first step is to overwrite /usr/sbin/ntp, as stated above, then it must have some privilege escalation method...and that sounds like a flaw in Linux...and that it would be systemd is the kind of flaw that people were predicting last year. The assertion was that code that was too complex was being adopted without sufficient testing. I find that quite convincing, even though I've only run into one major problem with it that I haven't yet been able to work around.

      My problem with it is that it doesn't recognize multi-boot systems in different partitions. And I find this extremely bad. Technically I suppose this is due to changes in grub2 or the installer or some such, but it appears to have shown up simultaneous with systemd, so I believe there's a strong connection (on weak evidence).

      Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.