Researchers say they've discovered an advanced piece of Linux malware that has escaped detection by antivirus products and appears to be actively used in targeted attacks.
HiddenWasp, as the malware has been dubbed, is a fully developed suite of malware that includes a trojan, rootkit, and initial deployment script, researchers at security firm Intezer reported on Wednesday. At the time Intezer's post went live, the VirusTotal malware service indicated Hidden Wasp wasn't detected by any of the 59 antivirus engines it tracks, although some have now begun to flag it. Time stamps in one of the 10 files Intezer analyzed indicated it was created last month. The command and control server that infected computers report to remained operational at the time this article was being prepared.
Some of the evidence analyzed—including code showing that the computers it infects are already compromised by the same attackers—indicated that HiddenWasp is likely a later stage of malware that gets served to targets of interest who have already been infected by an earlier stage. It's not clear how many computers have been infected or how any earlier related stages get installed. With the ability to download and execute code, upload files, and perform a variety of other commands, the purpose of the malware appears to be to remotely control the computers it infects. That's different from most Linux malware, which exists to perform denial of service attacks or mine cryptocurrencies.
[...] Since Wednesday's post went live, AV detection rates have grown, but at the time Ars published this article, the rates still remained low. Depending on the file being analyzed, the rates ranged from two to 13, out of 59 AV engines tracked.
[...] Wednesday's post lists indicators of compromise that people can use to tell if their computers have been infected. One telltale sign: "ld.so" files that don't contain the string "/etc/ld.so.preload." This is the result of the HiddenWasp trojan trying to patch instances of ld.so to enforce the LD_PRELOAD mechanism from arbitrary locations.
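A defender-side check for the indicator quoted above, added here as an example rather than code from the Intezer post or the Ars article: it scans the usual dynamic-loader locations for images that no longer carry the hard-coded "/etc/ld.so.preload" string, and lists whatever /etc/ld.so.preload currently names. The loader glob patterns and the two sample byte strings are assumptions constructed for the example.

```python
import glob
import os

# A stock glibc loader embeds this path; a loader patched to read its preload
# list from elsewhere will no longer contain it (the IoC from the post).
PRELOAD_PATH = b"/etc/ld.so.preload"

# Common loader locations; assumed patterns, adjust for the distro in use.
LD_SO_GLOBS = [
    "/lib/ld-linux*.so.*", "/lib64/ld-linux*.so.*",
    "/lib/*/ld-linux*.so.*", "/usr/lib/*/ld-linux*.so.*",
    "/lib/ld-*.so", "/lib64/ld-*.so", "/lib/*/ld-*.so",
]


def loader_is_suspect(image: bytes) -> bool:
    """True when a loader image lacks the expected hard-coded preload path."""
    return PRELOAD_PATH not in image


def parse_preload_list(text: str) -> list:
    """Return the library paths named in an ld.so.preload file (comments skipped)."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.extend(line.replace(":", " ").split())
    return entries


def scan_loaders() -> list:
    """Check every loader found by LD_SO_GLOBS; returns (path, suspect) pairs."""
    results, seen = [], set()
    for pattern in LD_SO_GLOBS:
        for path in glob.glob(pattern):
            real = os.path.realpath(path)
            if real in seen or not os.path.isfile(real):
                continue
            seen.add(real)
            with open(real, "rb") as fh:
                results.append((real, loader_is_suspect(fh.read())))
    return results


# Constructed sample images (not real loader bytes): one keeps the string,
# the other has had it replaced by an arbitrary path, as the post describes.
CLEAN_SAMPLE = b"\x7fELF..rtld..\x00/etc/ld.so.preload\x00.."
PATCHED_SAMPLE = b"\x7fELF..rtld..\x00/some/other/preload\x00.."

if __name__ == "__main__":
    for path, suspect in scan_loaders():
        print(("SUSPECT " if suspect else "ok      ") + path)
    if os.path.exists("/etc/ld.so.preload"):
        with open("/etc/ld.so.preload") as fh:
            print("preloaded:", parse_preload_list(fh.read()))
```

On a clean host the scan prints only "ok" lines and /etc/ld.so.preload is absent or empty; any "SUSPECT" loader or unexpected preload entry warrants a package-integrity check (for example `rpm -V glibc` or `debsums`) before drawing conclusions.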
(Score: 4, Informative) by MostCynical on Saturday June 01 2019, @12:16AM (6 children)
Apart from "not being windows"?
turns out, lots of people are making AV for linux:
https://www.tecmint.com/best-antivirus-programs-for-linux/ [tecmint.com]
https://www.makeuseof.com/tag/free-linux-antivirus-programs/ [makeuseof.com]
https://www.ubuntupit.com/best-linux-antivirus-top-10-reviewed-compared/ [ubuntupit.com]
"I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
(Score: 0) by Anonymous Coward on Saturday June 01 2019, @12:30AM (5 children)
Targets corporate market cuz it makes the management feel "better".
The single fact that most Linux users use user accounts rather than root account makes it much more difficult to infect linux machines.
(Score: 3, Informative) by MostCynical on Saturday June 01 2019, @01:00AM (3 children)
Non-IT CXO: "Why don't we have anti-virus protection on our systems? We've always had anti-virus. What if we get infected?! We need something!"
IT department: installs something on manager's computer, or possibly network. It exists to ensure Manager sees a budget line item.
"I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
(Score: 3, Insightful) by canopic jug on Saturday June 01 2019, @05:26AM (2 children)
Non-IT CXO: "Why don't we have anti-virus protection on our systems? We've always had anti-virus. What if we get infected?! We need something!"
The requirement that systems must have anti-virus was and perhaps still is just there to inhibit the use of GNU/Linux and any of the BSDs. The five-page forms that they have as a prerequisite to adding machines to the network have dozens of questions designed to make it impossible to answer "correctly" if any system other than broken old M$ Windows is used. The top of that list is, "which AV is installed?"
As there are few if any actual IT staff remaining since more than a decade ago, they've nearly all been replaced by M$ resellers embedded on the payroll. So they're using the company's or institution's own money while working 100% for M$.
The article is a bunch of garbage since it neither mentions the method by which the malware gets in nor points out that the systems it infects must be already compromised in the first place in order to get this malware. Dan is not one of their better authors in that way, that's his style. Ars could only have gone lower by having Peter write the article instead. IIRC, Peter is even a "former" microsofter.
Money is not free speech. Elections should not be auctions.
(Score: 0, Flamebait) by aristarchus on Saturday June 01 2019, @05:46AM
So the one sign of a decomposing non-natural (Hi, khallow!) monopoly is that there is a pervasive expectation that real operating systems are prone to the same deleterious design flaws as one created by teenagers on the basis of a pilfered CP/M disk booting system? That is just stupid! Does it involve people with MBAs? From Wharton Business School?
(Score: 1) by ramsy on Saturday June 01 2019, @09:45PM
Is GNU/Linux making news for Hidden Wasp redirecting “/etc/ld.so.preload.” in “ld.so” files, which don't exist on Redhat/RPM Linux?
https://arstechnica.com/information-technology/2019/05/advanced-linux-backdoor-found-in-the-wild-escaped-av-detection/ [arstechnica.com]
Or, because performance hits from fixes in GNU/Linux Intel-specific pathways (Meltdown/Spectre/ZombieLoad/MDS/etc.) are less apparent on AMD hardware via RPM/Linux?
https://threatpost.com/intel-zombieload-side-channel-attack-10-takeaways/144771/ [threatpost.com]
Is RPM/Linux less targeted by malware exploiting critical-mass Hardware & Software, or perhaps a more secure Linux?
(Score: 0) by Anonymous Coward on Saturday June 01 2019, @03:00PM
What modern malware is after is stuff you can get from userspace though. When you can get a deeper foothold you take it, but that's not the primary goal when infecting non-business systems (passwords, ccn etc is - and all of that can be glanced from userspace).