SoylentNews is people

posted by janrinok on Wednesday June 15 2022, @05:12AM   Printer-friendly
from the nearly-impossible-is-slightly-possible dept.

Linux Malware Deemed 'Nearly Impossible' to Detect:

Symbiote, discovered in November, parasitically infects running processes so it can steal credentials, gain rootkit functionality and install a backdoor for remote access.

A new Linux malware that's "nearly impossible to detect" can harvest credentials and gives attackers remote access and rootkit functionality by acting in a parasitic way to infect targets, researchers said.

Researchers from The BlackBerry Research and Intelligence Team have been tracking the malware, the earliest detection of which is from November 2021, security researcher Joakim Kennedy wrote in a blog post on the BlackBerry Threat Vector Blog published last week.

Researchers have appropriately dubbed the malware—which apparently was written to target the financial sector in Latin America—"Symbiote." In biology, the word means an organism that lives in symbiosis with another organism.

"What makes Symbiote different ... is that it needs to infect other running processes to inflict damage on infected machines," he wrote. "Instead of being a standalone executable file that is run to infect a machine, it is a shared object (SO) library that is loaded into all running processes using LD_PRELOAD (T1574.006), and parasitically infects the machine."

Once Symbiote has infected all the running processes, a threat actor can engage in various nefarious activities, including rootkit functionality, credential harvesting and remote access, Kennedy said.

In addition to the rootkit capability, the malware also provides a backdoor for the threat actor to log in as any user on the machine with a hardcoded password, and to execute commands with the highest privileges, he added.

[...] One of its evasive tactics is that, by design, it is loaded by the dynamic linker via the LD_PRELOAD environment variable, which causes it to be loaded before any other shared objects, researchers found. Being loaded first allows it to hijack the imports of the other libraries loaded for the application, they said. In this way, it hides its presence on the machine by hooking libc and libpcap functions, Kennedy said.

"Once the malware has infected a machine, it hides itself and any other malware used by the threat actor, making infections very hard to detect," he explained. "Performing live forensics on an infected machine may not turn anything up since all the file, processes, and network artifacts are hidden by the malware."

In fact, the researchers said they could not uncover enough evidence to determine whether threat actors are currently using Symbiote "in highly targeted or broad attacks."

Unusual DNS requests may be one way to detect if the malware is present on a system, researchers noted. However, typical antivirus or other security tools aimed at endpoint detection and response won't pick up Symbiote, making organizations using Linux that rely on those protections at risk, they said.
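
The LD_PRELOAD hooking described above, and the kind of check a responder can run against it, as an added example that is not Symbiote's code and not from the BlackBerry or Threatpost write-ups. It defines a readdir() that drops every directory entry starting with a made-up prefix, which is the interposition a preloaded shared object gets for free in every dynamically linked process, and beside it a cross-view check that enumerates the same directory through the raw getdents64 system call and compares the two counts, since a libc-level hook sits above the system call boundary. The prefix hide_me_, the temporary directory and the two file names are constructed for the demo; a real rootkit hooks far more than this one function (the article names libc and libpcap as the hooked libraries).

```c
/* Added example (not Symbiote's code): an LD_PRELOAD-style readdir() hook that hides
 * entries with a made-up prefix, beside the syscall-level cross-view check that exposes it. */
#define _GNU_SOURCE 1                 /* RTLD_NEXT, syscall(), mkdtemp() */
#include <dirent.h>
#include <dlfcn.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>
#ifndef RTLD_NEXT
#define RTLD_NEXT ((void *) -1l)      /* glibc's value, in case a feature macro was set too late */
#endif

#define HIDE_PREFIX "hide_me_"        /* constructed: stand-in for a rootkit's own list of names to hide */

/* The hook. Exported from a shared object named in LD_PRELOAD this definition shadows libc's
 * in every dynamically linked process; linked into this program it interposes our calls the same way. */
struct dirent *readdir(DIR *dirp)
{
    static struct dirent *(*real_readdir)(DIR *);
    if (!real_readdir)                /* next "readdir" after us in search order: libc's */
        real_readdir = (struct dirent *(*)(DIR *)) dlsym(RTLD_NEXT, "readdir");
    for (struct dirent *e; (e = real_readdir(dirp)) != NULL;)
        if (strncmp(e->d_name, HIDE_PREFIX, strlen(HIDE_PREFIX)) != 0)
            return e;                 /* ordinary entry passes; hidden ones are skipped */
    return NULL;
}

/* Kernel record layout for getdents64; glibc does not export it. */
struct linux_dirent64 { uint64_t d_ino; int64_t d_off; unsigned short d_reclen;
                        unsigned char d_type; char d_name[]; };

static int is_dot_entry(const char *n) { return !strcmp(n, ".") || !strcmp(n, ".."); }

/* The view ls, find or a Python script get: through libc, hence through the hook. */
long count_via_libc(const char *path)
{
    DIR *d = opendir(path);
    long n = 0;
    if (!d) return -1;
    for (struct dirent *e; (e = readdir(d)) != NULL;)
        if (!is_dot_entry(e->d_name)) n++;
    closedir(d);
    return n;
}

/* The kernel's view: a raw getdents64 that a libc-level hook never sees. */
long count_via_getdents64(const char *path)
{
    int fd = open(path, O_RDONLY | O_DIRECTORY);
    char buf[4096];
    long n = 0, got;
    if (fd < 0) return -1;
    while ((got = syscall(SYS_getdents64, fd, buf, sizeof buf)) > 0)
        for (long off = 0; off < got;) {
            struct linux_dirent64 *e = (struct linux_dirent64 *)(buf + off);
            if (!is_dot_entry(e->d_name)) n++;
            off += e->d_reclen;
        }
    close(fd);
    return n;
}

/* Cross-view check: a positive result means something between kernel and caller is filtering. */
long hidden_entry_count(const char *path)
{
    long raw = count_via_getdents64(path), seen = count_via_libc(path);
    return (raw < 0 || seen < 0) ? -1 : raw - seen;
}

/* Fixture: a temp dir holding one visible and one "hidden" file (names constructed). 0 on success. */
static const char *DEMO_FILES[] = { "notes.txt", HIDE_PREFIX "payload.so" };

int make_demo_dir(char *path_out, size_t path_len)
{
    char tmpl[] = "/tmp/preload-demo-XXXXXX", p[300];
    if (!mkdtemp(tmpl) || strlen(tmpl) >= path_len) return -1;
    strcpy(path_out, tmpl);
    for (int i = 0; i < 2; i++) {
        snprintf(p, sizeof p, "%s/%s", tmpl, DEMO_FILES[i]);
        FILE *f = fopen(p, "w");
        if (!f) return -1;
        fclose(f);
    }
    return 0;
}

int remove_demo_dir(const char *path)
{
    char p[300];
    for (int i = 0; i < 2; i++) {
        snprintf(p, sizeof p, "%s/%s", path, DEMO_FILES[i]);
        unlink(p);
    }
    return rmdir(path);
}

int main(void)
{
    char dir[64];
    if (make_demo_dir(dir, sizeof dir) != 0) return 1;
    printf("libc sees %ld, kernel sees %ld, hidden: %ld\n",
           count_via_libc(dir), count_via_getdents64(dir), hidden_entry_count(dir));
    return remove_demo_dir(dir);
}
```

Built with an ordinary C compiler and run, the libc view reports one entry and the kernel view two. A cross-view diff like this is only trustworthy when the checker's own libc is not hooked, so in practice it is linked statically (a static binary never goes through the dynamic loader, so LD_PRELOAD does not apply to it) or run from a trusted boot medium; the same comparison applies to /proc for hidden processes and to socket enumeration for hidden connections.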


  • (Score: -1, Spam) by Anonymous Coward on Wednesday June 15 2022, @06:28PM (9 children)

    by Anonymous Coward on Wednesday June 15 2022, @06:28PM (#1253466)

    "GOD DON'T MAKE NO JUNK" & neither do I as "The LORD of HOSTS" with proof - here goes:

    IF that malware CAN run & it can't: How/WHY? 1st of all, HOW can it be running on my machine when I block sources of it getting to me @ ALL in the 1st place?

    FACT: Rootkit or not, it can't run on me IF it can't get to me.

    See my subject & QUESTION for YOU to answer regarding THIS usermode (key) rootkit (see more below on THAT note, lol - you LOSE twice in fact): DOES THIS USERMODE ROOTKIT REWRITE HOSTS?

    ANSWER - NO it does not per all analysis on it, lol - you FAIL!

    Secondly, even IF it ran (can't), it can't communicate back to its controllers (in C2/C&C)

    LASTLY - I rewrite my hosts file MANY times a day from dozens of sources AND IF IT CHANGES SIZE minus MY PROGRAM doing it - I detect for that CRAP!

    (Yes, it does it by itself, completely automated here UPDATING nigh constantly, more IF I want but it does so seamlessly as is every 5 minutes) - so even IF (it can't be) was rewritten, I write it back (not that it matters due to the above).

    * SIMPLE!

    (... lol, & of COURSE the IDIOTS here thought that blocking the proxy I used last is going to STOP ME easily NULLIFYING YOUR BS now too, so I just changed to another & will soon REPOST my initial post which obviously is SO EFFECTIVE none of you can prove it wrong, lmao...)

    There HAVE been malwares that TRY affect hosts files & OS makers (all of them) put in admin level type permissions to STOP that (e.g. on Windows, MacOS, or Linux you MUST have that level of perms to rewrite hosts) - now IF you even TRY say "but, But, BUT rootkits have kernel level perms" well, see above AND IIRC? This is a USERMODE ROOTKIT & that is NOT Kernel level OR admin (or the OS would warn you just as it does demanding admin/root logon to do so)

    & YES AGAIN - I'd have to BE INFECTED FIRST & guess what again??

    I block that POSSIBILITY even EVER happening in the 1st place by blocking out sources of said infestations @ all!

    APK

    P.S.=> Nice TRY, you FAIL - better luck next time (usermode vs. kernelmode per above + the FACT this particular usermode rootkit does NOT attack hosts (let it in my case - it can't period))... apk

  • (Score: -1, Troll) by Anonymous Coward on Wednesday June 15 2022, @08:57PM

    by Anonymous Coward on Wednesday June 15 2022, @08:57PM (#1253505)

    At least we don't have aristarchus to spam mod, anymore.

  • (Score: 2) by dalek on Wednesday June 15 2022, @10:24PM (7 children)

    by dalek (15489) on Wednesday June 15 2022, @10:24PM (#1253525)

    You're exaggerating the effectiveness of hosts at preventing malware.

    Yes, hosts can block sites that contain malware. However, there are many repositories with user-submitted content that contain both malware and useful software that is safe. In that case, you either have to block the entire site and prevent access to safe content, or you allow the site and are vulnerable to malware. Hosts don't provide granular enough control to properly handle this situation. Someone has to discover that the site is distributing malware and add it to the hosts file, meaning that hosts won't block sites that haven't yet been flagged as malicious. Hosts files also don't work with wildcards, meaning that you can't block access to *.malicious-site.com. You'd need something like dnsmasq to accomplish that.

    Yes, hosts can block access to command and control servers provided that those servers are specified according to a host and not an IP address. However, for this to be relevant, your system already has to be compromised. This might mitigate the damage, but the breach has already occurred.

    Hosts files can be a useful layer of security, sure. There's a reason that browser addons like uBlock Origin can use hosts files. But they should be treated as just one layer of security, not a complete solution. You can't be certain that you've blocked all sources of malware with hosts, and you'll have better security if you have other layers of protection. You're exaggerating the protection that hosts files provide. Like I said, they can be useful as a layer of security, but they shouldn't be the only layer.

    --
    THIS ACCOUNT IS PERMANENTLY CLOSED
    • (Score: -1, Spam) by Anonymous Coward on Thursday June 16 2022, @12:10AM (4 children)

      by Anonymous Coward on Thursday June 16 2022, @12:10AM (#1253554)

      WTF? Are you STUPID (yes) - what did I do but provide what to BLOCK outta this rootkit from real sources that looked @ it - EXACTLY what to block stupid. Have you? No.

      More TYPICAL jew do NOTHING leech lurking & SKULKING (see my ps below dumbo dalek exterminated on THAT note, lol - yes, I am LMAO @ U, zero do nothing JEW swine).

      You've done BETTER/MORE juden?

      Answer that JUDEN!

      Per your NO MIND do nothing of note (ever, & I have while YOU were in diapers & should have been SHOT TO DEATH before you could pull the bs you are now JEW). I have, long ago.

      BY THE WAY per your JEW bullshit Chaim ANYTIME you want to see 1,000's of literal articles I have bookmarked to the contrary of how "hosts don't work" per YOU no-mind DO NOTHING zero you & yours are leeches on society?

      ASK!

      I'll do 1 of my FAVORITE things to do in making YOU "EAT YOUR WORDS" (& to YOU in particular you NOT MAN punk, see my ps below, ah the memories, lol...)

      Ask & "ye shall receive" YAHOOTI SWINE! I will let everyone see just what you are - a FAKE NAME fuck slinking lurking JUDEN - which I bet you are.

      * Fact is, YOU haven't done SHIT - ever... lol! See subject - answer my question JEW! I have, see the list I put out from those studying it stupid JEW! Eat your words... loL!

      JEW!

      Scumbag somes OUTTA THE SHADOWS not posting on the main forums for how long now? Only in journals - OK juden, here comes below (you have EXTERMINATED youself, dalek JEW - not I).

      Bottom-line: I didn't do THIS to you SLINKY jew - you did (not that you care - you KNOW you & yours are THIEVING nobodies kicked from 110 nations since the beginning of recorded history & don't try say "I am no JEW" or I'll simply quote your BOOK OF SATAN the Talmud & show all the "rules" of devils you & yours use PUBLICLY - then, you have NO "outs" do you? LOL!)

      APK

      P.S.=> LMAO - & then, ESPECIALLY regarding YOU you STINKING jew? Here 'tis (regarding COVID & genetics you NO-MIND sheeple) & WHO tells it HOW it is & what works against it?? I do, not YOU jew, lol - hilarious & FACT https://soylentnews.org/comments.pl?noupdate=1&sid=46034&page=1&cid=1197563#commentwrap [soylentnews.org] +5 & ALL which despite your downmods (& lack of ANYTHING worthwhile like the TYPICAL JEW useless LEECHES you are) there tis - nothing you can DO about it, lol & I am LMAO @ YOU in particular, SLINKING slimy JEW - ALL of what I wrote is coming out as FACT vs. your JUDEN SWINE Bullshit - & THIS is what gets YOU & YOURS "exterminated" thru ALL TIME Jew DALEK (how ironic, lmao)... apk

      • (Score: 4, Informative) by dalek on Thursday June 16 2022, @01:59AM (3 children)

        by dalek (15489) on Thursday June 16 2022, @01:59AM (#1253559)

        I actually modded one of your posts [soylentnews.org] up. And now, here you are reduced to posting drivel like this and showing that you're still obsessed with me. I'll address the one part of your comment that's actually remotely on-topic:

        what did I do but provide what to BLOCK outta this rootkit from real sources that looked @ it - EXACTLY what to block stupid.

        On many current Linux systems, using /etc/hosts to block sites is woefully inefficient without some modifications. Many current Linux systems will have a single entry in /etc/resolv.conf, which is 127.0.0.53. Those systems use systemd-resolved for resolving domain names, which is very inefficient at parsing large hosts files [askubuntu.com]. Although I agree that systemd is the real problem here and that dnsmasq should be used in place of systemd-resolved, this requires a bit more work for users to properly configure their systems.

        If you're going to block domains linked to this malware from being resolved, you really want to block things like *.dev21.bancodobrasil.dev and *.x3206.caixa.cx. As I noted previously, you can't use wildcards in /etc/hosts. You need a better solution.

        Let's also consider how this malware exfiltrates credentials that have been captured:

        In addition to storing the credentials locally, the credentials are exfiltrated. The data is hex encoded and chunked up to be exfiltrated via DNS address (A) record requests to a domain name controlled by the threat actor. The A record request has the following format:

        %PACKET_NUMBER%.%MACHINE_ID%.%HEX_ENC_PAYLOAD%.%DOMAIN_NAME%

        The malware checks if the machine has a nameserver configured in /etc/resolv.conf. If it doesn’t, Google’s DNS (8.8.8.8) is used. Along with sending the request to the domain name, Symbiote also sends it as a UDP broadcast.

        Those two domains I mentioned above are used for exfiltrating credentials, and DNS is an integral part of this process. As I understand it, the malware resolves the domains of one or more servers used to receive credentials. As I noted previously, you'll need wildcards to block subdomains that are used for receiving stolen credentials. You'll want to make sure that whatever domain in *.dev21.bancodobrasil.dev or *.x3206.caixa.cx that's being used for this purpose never gets resolved. Because you can't use wildcards in /etc/hosts, you'll want to install dnsmasq, make sure the nameserver is 127.0.0.1 in /etc/resolv.conf (so the local dnsmasq is used), and block the domains with configuration files in /etc/dnsmasq.d/ or lines in /etc/dnsmasq.conf. Using /etc/hosts for this purpose is inadequate.

        As for using hosts or dnsmasq.conf to prevent being infected with this malware, that only protects you from hosts that are known to be malicious. If you don't know that the host is malicious, and therefore aren't blocking it already, your solution is useless. As for blocking the exfiltration of credentials, you can block that if you're resolving domains with dnsmasq or even systemd-resolved. If you are using dnsmasq and wanted to block the two domains I mentioned, you could add address=/dev21.bancodobrasil.dev/127.0.0.1 and address=/x3206.caixa.cx/127.0.0.1 to your dnsmasq.conf. Again, you can't block wildcards with /etc/hosts, meaning that your solution is inadequate.

        One other problem with using /etc/hosts to block being infected with this malware is that the distribution vector seems unclear. If you don't know what hosts are being used to distribute this, if any, you can't block it with your solution. You can mitigate the damage, but as I noted, /etc/hosts is inadequate for this purpose.

        Like I said, /etc/hosts can be a useful tool for security, but you greatly exaggerate its usefulness and give users a false sense of security.

        --
        THIS ACCOUNT IS PERMANENTLY CLOSED
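
        The A-record format quoted in the comment above is specific enough to turn into a resolver-side hunting check. The following is an added example, not code from BlackBerry, Intezer or Symbiote: it recognises query names shaped %PACKET_NUMBER%.%MACHINE_ID%.%HEX_ENC_PAYLOAD%.%DOMAIN_NAME% (a decimal label, an id label, one or more even-length hex labels, then at least two domain labels), decodes the payload, and runs the check over a few constructed dnsmasq-style query-log lines. The log lines, the machine id ab12cd34, the client addresses and the payload text are made up; dev21.bancodobrasil.dev and x3206.caixa.cx are the parent domains named in the comment.

```c
/* Added example (not BlackBerry's, Intezer's or Symbiote's code): recognise and decode
 * query names shaped %PACKET_NUMBER%.%MACHINE_ID%.%HEX_ENC_PAYLOAD%.%DOMAIN_NAME%
 * and run that check over constructed dnsmasq-style query log lines. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_LABELS  64
#define MAX_PAYLOAD 512

struct exfil_record {
    unsigned long packet_number;
    char machine_id[64], parent_domain[1024];   /* parent_domain: the %DOMAIN_NAME% part */
    unsigned char payload[MAX_PAYLOAD];
    size_t payload_len;
};

static int is_decimal_label(const char *s)
{ for (const char *p = s; *p; p++) if (!isdigit((unsigned char)*p)) return 0; return *s != '\0'; }

static int is_hex_label(const char *s)       /* hex digits only, even length */
{ for (const char *p = s; *p; p++) if (!isxdigit((unsigned char)*p)) return 0; return *s && strlen(s) % 2 == 0; }

static int nibble(char c) { return isdigit((unsigned char)c) ? c - '0' : tolower((unsigned char)c) - 'a' + 10; }

/* Returns 1 and fills *out when qname is <decimal>.<id>.<hex>[.<hex>...].<two or more domain labels>. */
int parse_exfil_query(const char *qname, struct exfil_record *out)
{
    char buf[1024], *labels[MAX_LABELS];
    int nlabels = 0, k;
    size_t len = strlen(qname);
    if (len == 0 || len >= sizeof buf) return 0;
    memcpy(buf, qname, len + 1);
    if (buf[len - 1] == '.') buf[len - 1] = '\0';                /* tolerate a trailing dot */
    for (char *tok = strtok(buf, "."); tok && nlabels < MAX_LABELS; tok = strtok(NULL, "."))
        labels[nlabels++] = tok;
    if (nlabels < 5 || !is_decimal_label(labels[0]) || strlen(labels[1]) >= sizeof out->machine_id)
        return 0;
    memset(out, 0, sizeof *out);
    for (k = 2; k < nlabels && is_hex_label(labels[k]); k++)    /* the hex run, chunked over labels */
        for (const char *h = labels[k]; *h; h += 2) {
            if (out->payload_len == MAX_PAYLOAD) return 0;
            out->payload[out->payload_len++] = (unsigned char)(nibble(h[0]) * 16 + nibble(h[1]));
        }
    if (k == 2 || nlabels - k < 2) return 0;                     /* no payload, or no real domain left */
    out->packet_number = strtoul(labels[0], NULL, 10);
    strcpy(out->machine_id, labels[1]);
    for (int i = k; i < nlabels; i++) {                          /* rejoin the domain labels */
        if (i > k) strcat(out->parent_domain, ".");
        strcat(out->parent_domain, labels[i]);                   /* fits: shorter than qname */
    }
    return 1;
}

/* Pull the name out of a dnsmasq-style "query[A] <name> from <client>" log line. */
int qname_from_log_line(const char *line, char *out, size_t outlen)
{
    const char *p = strstr(line, "query[A] ");
    if (!p) return 0;
    p += strlen("query[A] ");
    size_t n = strcspn(p, " \t\r\n");
    if (n == 0 || n >= outlen) return 0;
    memcpy(out, p, n);
    out[n] = '\0';
    return 1;
}

/* Flag exfiltration-shaped A queries; returns how many, and concatenates their payloads in log order. */
size_t scan_log(const char *const *lines, size_t nlines, char *assembled, size_t asz)
{
    size_t flagged = 0, used = 0;
    if (asz) assembled[0] = '\0';
    for (size_t i = 0; i < nlines; i++) {
        char qname[512];
        struct exfil_record rec;
        if (!qname_from_log_line(lines[i], qname, sizeof qname) || !parse_exfil_query(qname, &rec))
            continue;
        flagged++;
        if (used + rec.payload_len < asz) {                      /* leave room for the NUL */
            memcpy(assembled + used, rec.payload, rec.payload_len);
            assembled[used += rec.payload_len] = '\0';
        }
    }
    return flagged;
}

/* Constructed log lines in dnsmasq's query-log style: machine id, clients and the
 * payload ("root:hunter2", hex-encoded and split over two queries) are made up. */
static const char *const SAMPLE_LOG[] = {
    "Jun 15 05:12:01 dnsmasq[412]: query[A] soylentnews.org from 10.0.0.5",
    "Jun 15 05:12:02 dnsmasq[412]: query[A] 0.ab12cd34.726f6f743a.dev21.bancodobrasil.dev from 10.0.0.5",
    "Jun 15 05:12:02 dnsmasq[412]: query[A] 1.ab12cd34.68756e74.657232.dev21.bancodobrasil.dev from 10.0.0.5",
    "Jun 15 05:12:03 dnsmasq[412]: query[AAAA] mirrors.example.net from 10.0.0.7",
    "Jun 15 05:12:04 dnsmasq[412]: query[A] cdn.example.net from 10.0.0.7",
};

int main(void)
{
    char out[64];
    size_t n = scan_log(SAMPLE_LOG, sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0], out, sizeof out);
    printf("%zu exfiltration-shaped queries; reassembled payload: %s\n", n, out);
    return 0;
}
```

        The shape test alone will also match innocent names whose labels happen to be pure hex, so in a real deployment it is paired with query volume and unique-subdomain counts per parent domain, and records are grouped by machine id and ordered by packet number before reassembly rather than taken in log order as here. The check belongs on the resolver or a network tap rather than on the suspect host: a hook on libc and libpcap can hide the sending process and its sockets from local tools, but not the query that leaves the box, which is why DNS is the one detection lead the article offers.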
        • (Score: -1, Troll) by Anonymous Coward on Friday June 17 2022, @03:53AM

          by Anonymous Coward on Friday June 17 2022, @03:53AM (#1253897)

          Did I say hosts do wildcards? No I did NOT here OR ever anywhere, Jew so don't try to put words in my mouth I never said OR try "make me look bad" because you did that vs. ME on COVID in a HUGE blunder I quoted out of your mistakes here https://soylentnews.org/comments.pl?noupdate=1&sid=46034&page=1&cid=1197563#commentwrap [soylentnews.org]

          (QUESTION (not that YOU as a LYING JEW would answer honestly, your own TALMUD & KALNIDRA prove that) you are a jew aren't you? I see you don't DENY it, good enough for me). So tell us, are you a JEW?? I am curious.

          Did I list the exfiltrators as wildcarded in my lists I put out from https://blogs.blackberry.com/en/2022/06/symbiote-a-new-nearly-impossible-to-detect-linux-threat [blackberry.com]

          ?

          No again. I only listed their base domains (with good reason below).

          I was only showing that hosts ARE USEFUL (which you admit) & yes, they ARE USEFUL HERE TOO (per those lists from the blackberry research link above, period, so cut your crap you do NOTHING zero that's never done anything of worth in software EVER (prove otherwise, I can)).

          HOWEVER, per the lists given, I did cover the C2 servers this uses in it IN THEIR ENTIRETY (except for wildcarded ones but I still block their base domains anyway in hosts - can't hurt to do so - once a subdomain is compromised? You can BET the base parent domain & system are too).

          For the last wildcarded ones, I covered those in my firewall AND router (mine allows wildcards), & my router also closes off the ports this malware uses too.

          FACT: I never said hosts are a "cure-all" here OR anywhere - I only said WHAT YOU ADMIT YOURSELF (hosts are valuable for security) - no 1 single thing is a cure-all (though I know of 1,000's of cases I keep bookmarked where hosts DO work as a cureall in "what you can't touch can't hurt you")

          ADDITIONALLY: I don't use a systemd based system for Linux. I use PCLinuxOS (no systemd). I did use it for 2 yrs. on KUbuntu but felt it was useless to me personally/of no benefit vs. costs of using it...

          On a guess on systemd's inefficiency with hosts? I've SEEN THAT before!

          Just like how Microsoft F'd up in their dnscache client in fact!

          My guess, like MS making the SAME mistake long ago?

          Systemd is using a non-redimmable array OR fixed length list (this I know & confronted MS on listing problems it had with large hosts files, a DECADE++ ago, but it was never fixed). It can't flush/age out FAST enough & reload it fast enough BECAUSE of that.

          Besides - Linux minus systemd does FINE using it - ANY DISKCACHE will handle caching hosts in its entirety (it's just a file like any other for caching) & IT DOES on Linux AND YES, on Windows when you turn off the BUGGY (& more bugs than I noted above, I have lists if you would like to see them) dnscache.

          I also asked WHY hosts files were never given wildcard ability.

          I asked since hosts files do NOT demand added layering drivers like firewalls do (that means more complexity & yes, overheads of many kinds). Same vs. DNS systems (like dnsmasq which has had MANY bugs popup in it over time - would you like a list of some?? Ask).

          In any event - a firewall can cover wildcards. You neglected to mention that.

          YOUR SOLUTION? It's not YOURS @ all in dnsmasq (which YOU did not create)?

          dnsmasq has a HISTORY of bugginess! That has backfired on PiHole's too that use that buggy ware. You're offering a buggy ware as a SOLID solution? LMAO! No thanks.

          APK

          P.S.=> LASTLY - OBSESSED with YOU? You're a DO-NOTHING little CREEP - I don't POPUP in YOUR BULLSHIT POSTS BUT YOU DO MINE CONSTANTLY & like I SHOT YOU TO PIECES ON COVID since you shot yourself ("what does this have to do with genetics" LMAO @ U for that one when it had EVERYTHING TO DO WITH IT) - you don't teach me anything. You don't have the skills OR EDUCATION to DO so nor the history to prove it in ANYTHING you've EVER DONE, which is CLEARLY, zero/nothing.

          PROVE OTHERWISE (but then again, you can't LURK AROUND/STALK ME with your FAKENAME then can you WHEN I WOULD KNOW WHO YOU ARE, which I don't hide about myself BUT YOU DO)... apk

        • (Score: -1, Spam) by Anonymous Coward on Monday June 20 2022, @10:50PM

          by Anonymous Coward on Monday June 20 2022, @10:50PM (#1254770)

          Guess what? YOU LOSE, hosts work vs. Symbiote C2 server(s) per this line from a MUCH better article than the one used here from bradley13 per "configuration in the binary that used the git[.]bancodobrasil[.]dev domain as its C2 server" from https://www.intezer.com/blog/research/new-linux-threat-symbiote/ [intezer.com] (INTEZER's now owned by Microsoft iirc as well).

          & did I block that in my original posts here on this BOGUS sockpuppet upmodding yourselves shithole website (which also noted FIREWALLS are invaluable here too, per wildcards (or even IP address use, URL domain/subdomain too in many as well)?

          YES I DID! I was correct... & YES, hosts work vs. this threat too stupid!

          So YOU LOSE chump... a BETTER ARTICLE than what I used proves it for me!

          * THANKS FOR LOSING TO ME yet again, as always for you... try me again? THIS COMES UP AS PROOF (as well as another I have on YOU regarding using sources where YOU contradict yourself - want quotes of that too? ASK!)

          HOW ESPECIALLY EMBARRASSING FOR YOU with your NO-DOUBT self-upmodded by sockpuppet accounts of YOURSELF too - now that YOU have EGG ON YOUR FACE fucko!

          APK

          P.S.=> Do yourself a FAVOR - don't ever, EVER try me ever again OR I WILL MAKE SURE YOU SHIT ON YOURSELF yet again as always, easily... apk

        • (Score: -1, Spam) by Anonymous Coward on Tuesday June 21 2022, @05:55PM

          by Anonymous Coward on Tuesday June 21 2022, @05:55PM (#1254963)

          Guess what Dalek? YOU LOSE, hosts work vs. Symbiote C2 server(s) per this line from a MUCH better article than the one used here from bradley13 per "configuration in the binary that used the git[.]bancodobrasil[.]dev domain as its C2 server" from https://www.intezer.com/blog/research/new-linux-threat-symbiote/ [intezer.com] (INTEZER's now owned by Microsoft iirc as well).

          & did I block that in my original posts here https://soylentnews.org/comments.pl?noupdate=1&sid=49835&page=1&cid=1253504#commentwrap [soylentnews.org] on this BOGUS sockpuppet upmodding yourselves shithole website (which also noted FIREWALLS are invaluable here too, per wildcards (or even IP address use, URL domain/subdomain too in many as well)?

          YES I DID! I was correct...

          & YES, hosts work vs. this threat too stupid!

          FACT: hosts files block symbiote C2 servers which is all you really need to do to nullify their communication.

          FACT: Exfiltration isn't possible without orders either.

          FACT: Orders come from C2 servers!

          So YOU LOSE chump... a BETTER ARTICLE than what I used proves it for me!

          * THANKS FOR LOSING TO ME yet again, as always for you... try me again? THIS COMES UP AS PROOF (as well as another I have on YOU regarding using sources where YOU contradict yourself - want quotes of that too? ASK!)

          HOW ESPECIALLY EMBARRASSING FOR YOU with your NO-DOUBT self-upmodded by sockpuppet accounts of YOURSELF too - now that YOU have EGG ON YOUR FACE fucko!

          APK

          P.S.=> Do yourself a FAVOR - don't ever, EVER try me ever again OR I WILL MAKE SURE YOU SHIT ON YOURSELF yet again as always, easily... apk

    • (Score: -1, Spam) by Anonymous Coward on Monday June 20 2022, @10:54PM

      by Anonymous Coward on Monday June 20 2022, @10:54PM (#1254772)

      Guess what? YOU LOSE, hosts work vs. Symbiote C2 server(s) per this line from a MUCH better article than the one used here from bradley13 per "configuration in the binary that used the git[.]bancodobrasil[.]dev domain as its C2 server" from https://www.intezer.com/blog/research/new-linux-threat-symbiote/ [intezer.com] (INTEZER's now owned by Microsoft iirc as well).

      & did I block that in my original posts here on this BOGUS sockpuppet upmodding yourselves shithole website (which also noted FIREWALLS are invaluable here too, per wildcards (or even IP address use, URL domain/subdomain too in many as well)?

      YES I DID! I was correct... & YES, hosts work vs. this threat too stupid!

      So YOU LOSE chump... a BETTER ARTICLE than what I used proves it for me!

      * THANKS FOR LOSING TO ME yet again, as always for you... try me again? THIS COMES UP AS PROOF (as well as another I have on YOU regarding using sources where YOU contradict yourself - want quotes of that too? ASK!)

      HOW ESPECIALLY EMBARRASSING FOR YOU with your NO-DOUBT self-upmodded by sockpuppet accounts of YOURSELF too - now that YOU have EGG ON YOUR FACE fucko!

      APK

      P.S.=> Do yourself a FAVOR - don't ever, EVER try me ever again OR I WILL MAKE SURE YOU SHIT ON YOURSELF yet again as always, easily... apk

    • (Score: -1, Spam) by Anonymous Coward on Tuesday June 21 2022, @05:52PM

      by Anonymous Coward on Tuesday June 21 2022, @05:52PM (#1254961)

      Guess what Dalek? YOU LOSE, hosts work vs. Symbiote C2 server(s) per this line from a MUCH better article than the one used here from bradley13 per "configuration in the binary that used the git[.]bancodobrasil[.]dev domain as its C2 server" from https://www.intezer.com/blog/research/new-linux-threat-symbiote/ [intezer.com] (INTEZER's now owned by Microsoft iirc as well).

      & did I block that in my original posts here https://soylentnews.org/comments.pl?noupdate=1&sid=49835&page=1&cid=1253504#commentwrap [soylentnews.org] on this BOGUS sockpuppet upmodding yourselves shithole website (which also noted FIREWALLS are invaluable here too, per wildcards (or even IP address use, URL domain/subdomain too in many as well)?

      YES I DID! I was correct...

      & YES, hosts work vs. this threat too stupid!

      FACT: hosts files block symbiote C2 servers which is all you really need to do to nullify their communication.

      FACT: Exfiltration isn't possible without orders either.

      FACT: Orders come from C2 servers!

      So YOU LOSE chump... a BETTER ARTICLE than what I used proves it for me!

      * THANKS FOR LOSING TO ME yet again, as always for you... try me again? THIS COMES UP AS PROOF (as well as another I have on YOU regarding using sources where YOU contradict yourself - want quotes of that too? ASK!)

      HOW ESPECIALLY EMBARRASSING FOR YOU with your NO-DOUBT self-upmodded by sockpuppet accounts of YOURSELF too - now that YOU have EGG ON YOUR FACE fucko!

      APK

      P.S.=> Do yourself a FAVOR - don't ever, EVER try me ever again OR I WILL MAKE SURE YOU SHIT ON YOURSELF yet again as always, easily... apk