posted by janrinok on Wednesday June 15, @05:12AM
from the nearly-impossible-is-slightly-possible dept.

Linux Malware Deemed 'Nearly Impossible' to Detect:

Symbiote, discovered in November, parasitically infects running processes so it can steal credentials, gain rootkit functionality and install a backdoor for remote access.

A new Linux malware that's "nearly impossible to detect" can harvest credentials and gives attackers remote access and rootkit functionality by acting in a parasitic way to infect targets, researchers said.

Researchers from The BlackBerry Research and Intelligence Team have been tracking the malware, the earliest detection of which is from November 2021, security researcher Joakim Kennedy wrote in a blog post on the BlackBerry Threat Vector Blog published last week.

Researchers have appropriately dubbed the malware—which apparently was written to target the financial sector in Latin America—"Symbiote." In biology, the word means an organism that lives in symbiosis with another organism.

"What makes Symbiote different ... is that it needs to infect other running processes to inflict damage on infected machines," he wrote. "Instead of being a standalone executable file that is run to infect a machine, it is a shared object (SO) library that is loaded into all running processes using LD_PRELOAD (T1574.006), and parasitically infects the machine."

Once Symbiote has infected all the running processes, a threat actor can engage in various nefarious activities, including rootkit functionality, the ability to harvest credentials, and remote access capability, Kennedy said.

In addition to the rootkit capability, the malware also provides a backdoor for the threat actor to log in as any user on the machine with a hardcoded password, and to execute commands with the highest privileges, he added.

[...] Among its evasive tactics: by design, it is loaded by the linker via the LD_PRELOAD directive, which allows it to be loaded before any other shared objects, researchers found. This privilege of being loaded first allows it to hijack the imports from the other library files loaded for the application, they said. In this way, it hides its presence on the machine by hooking libc and libpcap functions, Kennedy said.

"Once the malware has infected a machine, it hides itself and any other malware used by the threat actor, making infections very hard to detect," he explained. "Performing live forensics on an infected machine may not turn anything up since all the file, processes, and network artifacts are hidden by the malware."
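The live-forensics caveat above (a preloaded object hooking libc hides files and processes from ordinary tools) is the reason to cross-check with something that does not go through libc's readdir(). The checker below is an added example written for this page, not code from the article or from BlackBerry's research. It assumes a Linux host and the getdents64 system call; it lists a directory twice, once through readdir() and once through the raw syscall, and reports entries present only in the raw view as candidates for hidden artifacts.

```c
/* Added example (not from the article or BlackBerry's research).
 * Compares two views of a directory such as /proc:
 *   - the libc readdir() view, which an LD_PRELOAD-loaded .so can filter
 *   - the raw getdents64 syscall view, which bypasses userland hooks
 * Entries seen only by the raw view are candidates for hidden files or
 * processes. Linux-only. For real triage compile with -static so no
 * preloaded object is mapped into the checker at all.
 */
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

#define MAX_NAMES 4096
#define NAME_LEN 256

/* kernel layout of a getdents64 record (not exported by glibc headers) */
struct linux_dirent64 {
    unsigned long long d_ino;
    long long          d_off;
    unsigned short     d_reclen;
    unsigned char      d_type;
    char               d_name[];
};

typedef struct { char names[MAX_NAMES][NAME_LEN]; int count; } namelist;

static void add_name(namelist *l, const char *n) {
    if (!strcmp(n, ".") || !strcmp(n, "..") || l->count >= MAX_NAMES) return;
    strncpy(l->names[l->count], n, NAME_LEN - 1);
    l->names[l->count][NAME_LEN - 1] = '\0';
    l->count++;
}

/* libc view: what ls, ps and most live-forensics tools ultimately see.
 * Returns the entry count, or -1 if the directory cannot be opened. */
int list_via_readdir(const char *path, namelist *out) {
    out->count = 0;
    DIR *d = opendir(path);
    if (!d) return -1;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) add_name(out, e->d_name);
    closedir(d);
    return out->count;
}

/* raw syscall view: bypasses readdir()/readdir64() hooks in a preloaded .so */
int list_via_getdents(const char *path, namelist *out) {
    out->count = 0;
    int fd = open(path, O_RDONLY | O_DIRECTORY);
    if (fd < 0) return -1;
    _Alignas(8) char buf[32768];          /* records are 8-byte aligned */
    for (;;) {
        long n = syscall(SYS_getdents64, fd, buf, sizeof buf);
        if (n <= 0) break;
        for (long off = 0; off < n;) {
            struct linux_dirent64 *d = (struct linux_dirent64 *)(buf + off);
            add_name(out, d->d_name);
            off += d->d_reclen;
        }
    }
    close(fd);
    return out->count;
}

/* Returns the number of entries the raw view has that readdir() lacks,
 * copying up to max names into hidden[]. 0 means both views agree;
 * -1 means the directory could not be read. */
int find_hidden(const char *path, char hidden[][NAME_LEN], int max) {
    static namelist libc_view, raw_view;  /* static: too large for the stack */
    if (list_via_readdir(path, &libc_view) < 0 ||
        list_via_getdents(path, &raw_view) < 0)
        return -1;
    int found = 0;
    for (int i = 0; i < raw_view.count; i++) {
        int seen = 0;
        for (int j = 0; j < libc_view.count && !seen; j++)
            seen = !strcmp(raw_view.names[i], libc_view.names[j]);
        if (!seen && found < max) {
            strncpy(hidden[found], raw_view.names[i], NAME_LEN - 1);
            hidden[found][NAME_LEN - 1] = '\0';
            found++;
        }
    }
    return found;
}

int main(int argc, char **argv) {
    const char *path = argc > 1 ? argv[1] : "/proc";   /* PIDs are dir entries here */
    static char hidden[64][NAME_LEN];
    int n = find_hidden(path, hidden, 64);
    if (n < 0) { perror(path); return 2; }
    printf("%s: %d entries hidden from readdir()\n", path, n);
    for (int i = 0; i < n; i++) printf("  %s\n", hidden[i]);
    return n > 0;
}
```

Build it with `cc -static -o hiddencheck hiddencheck.c` and point it at /proc (process IDs) or at directories the rootkit is suspected of filtering. A zero result is not proof of a clean host: a hook placed below the libc layer, or a kernel-mode component, would not be caught this way, so an offline image of the disk remains the stronger control.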

In fact, researchers said they themselves could not uncover enough evidence to determine whether threat actors are currently using Symbiote "in highly targeted or broad attacks," he said.

Unusual DNS requests may be one way to detect if the malware is present on a system, researchers noted. However, typical antivirus or other security tools aimed at endpoint detection and response won't pick up Symbiote, putting organizations that run Linux and rely on those protections at risk, they said.

  • (Score: -1, Spam) by Anonymous Coward on Wednesday June 15, @08:56PM (4 children)

    by Anonymous Coward on Wednesday June 15, @08:56PM (#1253504)

    0.0.0.0 caixa.wf
    0.0.0.0 git.bancodobrasil.dev
    0.0.0.0 bancodobrasil.dev
    0.0.0.0 ns1.cintepol.link
    0.0.0.0 ns2.cintepol.link
    0.0.0.0 cintepol.link
    0.0.0.0 assets.fans
    0.0.0.0 caixa.cx
    0.0.0.0 dpf.fm
    0.0.0.0 dev21.bancodobrasil.dev
    0.0.0.0 bancodobrasil.dev
    0.0.0.0 cctdcapllx0520.df.caixa.cx
    0.0.0.0 cctdcapllx0520.df.caixa.wf
    0.0.0.0 webfirewall.caixa.wf
    0.0.0.0 x3206.caixa.cx

    (Those are C2 servers etc. it uses & the entries in hosts you can use to stall symbiote on Linux)

    Additionally - I'd like to thank bradley13 above for the SECURITY ARTICLE I used to get those C&C servers from that Symbiote uses - these types of articles ARE what I referred to the other day regarding addons being crippled by JEWgle etc. AND how hosts are FAR BETTER & that you will end up returning to using hosts files due to JEWgle's bullshit (+ YES, hosts files &/or Firewall rules are invaluable IF you want to REALLY PROTECT YOUR MACHINES from threats online!)

    * That's RIGHT - AND just like I pointed out a HUGE ADVANTAGE hosts files have over your soon to be useless adblocker addons for browsers (in slower less efficient usermode - with tests that PROVE that too) right-off-the-bat @ the START of my post you ASSHOLES here allowed to be DOWNMODERATED a few days ago here https://soylentnews.org/comments.pl?noupdate=1&sid=49747&page=1&cid=1252547#commentwrap [soylentnews.org] ?

    So what did I point out hosts files do there besides everything browser addons do blocking ads BUT ALSO blocking malware/trackers/scripts/ads & more in their communications back to the invaders??

    The FACT that GOOD complete hosts files (like mine, 10 million entries strong to date since 1997) BLOCK & NULLIFY communication to malware C&C servers (C2) or sources of them coming INTO your system along with blocking other threats like trackers/ads/scripts that also tear up your CPU time, memory, messagepassing AND ELECTRICITY BILL just running them (something MANY overlook - since in the "olden days" you had ISAPI/NSAPI libs or C programs running server-side to do that - the 'powers that be' SUCKERED You THAT WAY too).

    Browser addons do NOT do that & though uBlock uses hosts? I doubt THEIR LISTS cover these things (as most hosts files don't & are concerned MOSTLY with just adblocking) - my hosts file does due to the FACT I look over security articles everyday for the purpose of defense vs. threats like THIS ONE & tons of others.

    Going to "downmod this" too, assholes? I bet you will... fuck you all.

    APK

    P.S.=> Others here did a few good posts too pointing out proc scannings & that this is basically NT type DLL injection via PRELOAD noted above by many - SO - they are NOT the ASSHOLES I refer to above that INFEST THIS PLACE truly INFECTING IT with sockpuppetry & bogus downmods like I got the other day in the link above & TONS of others times!

    Other than those doing what I noted above? Hey, admit it TO YOURSELVES:

    What a pack of FUCKING UTTER WEASELS you have around here!

    (ESPECIALLY including your owners & moderators who block my IP address & say my "hosts posts are bad" OR "spam" when they are TOTALLY USEFUL on TONS of levels - fuck you pricks)... apk

  • (Score: -1, Troll) by Anonymous Coward on Wednesday June 15, @09:01PM (3 children)

    by Anonymous Coward on Wednesday June 15, @09:01PM (#1253506)

    Why are the people here minus moderating you? I caught your post to tangomargarine and you have a point https://soylentnews.org/comments.pl?noupdate=1&sid=49835&page=1&cid=1253495#commentwrap [soylentnews.org] and nobody else here on this site is even coming close to what seems like a logical solution from you in blocking sources of this attack in addition to the servers it uses which would stop it stealing information out of any system by stopping communication by black holing the rootkit c2 servers from doing so. You noted it does not attack hosts so you are correct I think https://soylentnews.org/comments.pl?noupdate=1&sid=49835&page=1&cid=1253466#commentwrap [soylentnews.org]

    • (Score: 0, Spam) by Anonymous Coward on Wednesday June 15, @09:16PM (2 children)

      by Anonymous Coward on Wednesday June 15, @09:16PM (#1253512)

      It's because I tell facts on things on this site. A lot of "dirty pool" goes on around here which I noted in the post you originally replied to.

      On a guess due to what I stated (just facts even the admins here admit, janrinok in particular noting he has equated a sockpuppet named unionrep to an AC poster - how would HE know that unless he logged IP addresses used by posters, especially registered ones? Ask yourself that).

      No, it's probably not the posters here replying (well, maybe maxwell demon per https://soylentnews.org/comments.pl?noupdate=1&sid=49835&page=1&cid=1253466#commentwrap [soylentnews.org] my putting him away with ease regarding this particular rootkit).

      I mean tangomargarine is solid so I replied in kind asking things as even I don't know it all.

      Again/However I think it is the owners &/or admins that can't stand what I wrote. Read my original post closely. It goes on everywhere online.

      * You can try to help out like I do but scumbags are scumbags. Their loss. Not mine. I did what I think and you too apparently, will work.

      APK

      P.S.=> Onwards & upwards @ this point - they won't stop but then, neither will I - IF I have to I will "fireup" another creation of mine called CYBERIAN TIGER & it will run them DRY of "downmodpoints" but it won't work (well, it will but they will just keep downmodding even IF/WHEN I have a good answer as I do per your statements even) vs. admins here (they have unlimited downmod)... apk

      • (Score: 3, Informative) by janrinok on Thursday June 16, @04:58AM

        by janrinok (52) Subscriber Badge on Thursday June 16, @04:58AM (#1253582) Journal

        On a guess due to what I stated (just facts even the admins here admit, janrinok in particular noting he has equated a sockpuppet named unionrep to an AC poster - how would HE know that unless he logged IP addresses used by posters, especially registered ones? Ask yourself that).

        You are not very bright, are you? It is how the internet works. We have to know the return IP address so that we can respond to your browser. But we don't store them. We store hashes of IP addresses. We have to store them because that is how we reconstruct pages showing the comments and moderations for all of our stories going back to 2014. Every story, comment, moderation, every password has a hash. (You wouldn't want us to know your password or to store them in clear in the database, would you?) It is how databases work. We could use table index numbers, hashes, the IP addresses themselves (which the very early slashdot code did!) or random strings - but they would still link data items together in relationships.

        Now it used to be that one could use a rainbow table to convert IP hashes back to IPs - have you tried doing that with IPv6? It would take billions of years to even create such a table assuming that you had enough computing power and storage space for the results.

        My internet provider's network is all IPv6 nowadays. How come your host file doesn't use them? How do you block IPv6 addresses? Ah, your solution was not even good a decade or so back but now it is almost a museum piece. Have you made sure that it can cope with stone tablets or cave drawings as well? It must be great living in a technologically advanced nation.

        Going back to 2015, where NCommander wrote:

        Rehash 15.05 - What's New

        • Rewrote large amounts of the site to migrate to Apache 2, mod_perl 2, and perl 5.20.
          This was a massive undertaking. I did a large part of the initial work, but paulej72, and TheMightyBuzzard did lots to help fix a lot of the lingering issues. Major props to Bytram for catching many of the bugs pre-release
        • Nexus Support (finally).
          Currently we have the Meta and Breaking News nexii, with the possibility of adding more in the future, such as a Freshmeat replacement.
          Nexii can be filtered in the user control panel under the Homepage tab. At the moment, this functionality is hosed due to unexpected breakage, but should be functional within the next 24-48 hours
        • IPv6 support - the AAAA record is live as we speak
        • Themes can be attached to a nexus independent of the "primary theme" setting; user choice overrides this [...]
      • (Score: 1, Insightful) by Anonymous Coward on Friday June 17, @05:41PM

        by Anonymous Coward on Friday June 17, @05:41PM (#1254036)

        It is because of your NEED to inject racism into every post along with your spammy self promotion stuff. Get fucked you hate filled bigot.