'FIRST ever' Linux, Mac OS X-only password sniffing Trojan spotted

Security researchers have discovered a potential dangerous Linux and Mac OS X cross-platform trojan. Once installed on a compromised machine, Wirenet-1 opens a backdoor to a remote command server, and logs key presses to capture passwords and sensitive information typed by victims. The program also grabs passwords submitted to …

COMMENTS

This topic is closed for new posts.


Bronze badge
Linux

Could THIS be the year of the Linux desktop?

Platform being targeted by trojans...

...time to check where the uploaded packets are going I think

3
2
Anonymous Coward

Re: Could THIS be the year of the Linux desktop?

https://en.wikipedia.org/wiki/Desktop_Linux#Year_of_Desktop_Linux

So no, not yet... but Win8 will help it along.

6
2
Bronze badge
Thumb Down

need to manually run it: proof of concept yet again

You have to manually run it (allowing it to run with chmod in the first place) or worse to knowingly install it. Both of these things are hard to implement on the up-to-date GNU/Linux and *BSD systems unless a 0-vulnerability is known. You can install and run xinput <key-board-id> to capture all key presses, BTW.

Don't take Dr.Web's FUD for a sure thing.

8
1

Re: need to manually run it: proof of concept yet again

All of us on here are less likely to get a virus than the average member of the public.

The average member of the public doesn't know how to secure their computer properly (probably have more of a chance with Windows going by the number of users on Linux forums who reply 'RTFM' to general questions.)

The average member of the public will click on any box that pops up when they think they are installing something fun, like a pink pony screensaver.

Factor in the recent Java vulnerability (others will follow covering your currently installed software) and you aren't looking as safe as you thought you used to be.

8
2

This post has been deleted by its author

This post has been deleted by its author

Anonymous Coward

@Wize - Re: need to manually run it: proof of concept yet again

Could you please care to tell us why we should RTFM to the lazy user who just wants us to fix his problem while he doesn't even bother to read and (that's a tough one!) understand the documentation? They should stay in Windows land where there are no manuals or documentation to be read. I don't want those users to come to Linux just for the sake of Linux desktop widespread adoption.

Just to make myself clearly understood, as a Linux user I had the opportunity to be RTFMd but I used it to learn and improve my skills, both in Linux and in how to ask questions on support forums, no matter if it's Linux, Windows, Cisco or any other technology vendor.

5
6
Bronze badge

RTFM?

To be honest, was not sure what that abbr. meant until googled it!

1) I have never seen RTFM on any Linux forums. There are tons of Linux forums where things are explained for dummies

2) GNU/Linux and *BSD systems are still more secure for those who do not know how to secure their computer properly. More precisely, there is absolutely no rocket science here to follow: update your system whenever the update is available (just press that button!) and do not install anything outside of the repositories. Both of these things, although very clear to us, should be crammed into users' heads when they come from the Windows (95%) and Mac OS X world. User unfriendliness (reboot after most updates on M$ systems) and lack of repos on both is the ultimate reason for such behavior.

As far as the Java or javascript vulns are concerned, just

a) don't use Java (easy)

b) use noscript, flash-killer, adblock across all platforms (easy)

c) use AppArmor enabling firefox profile (fairly easy)

6
1
Bronze badge
Mushroom

Re: Could THIS be the year of the Linux desktop?

I wouldn't expect too many malware authors will be bothered until Linux hits at least 1% market share no matter how easy the Swiss Cheese of OSs is to hack....

1
13
JDX
Gold badge

Re: @Wize - need to manually run it: proof of concept yet again

>>Could you please care to tell us why should we RTFM to the lazy user

And that sums up in a nutshell why Linux will never replace Windows; the users are dicks who shoot themselves collectively in the foot at every step.

4
4
Anonymous Coward

Re: @Wize - need to manually run it: proof of concept yet again

Windows users should be told to RTFM as well. Can you pass a driving test without knowing what, never mind where, a tyre/tire or accelerator/gas pedal is? That's the level of dumb we have to put up with.

1
3
Anonymous Coward

Re: need to manually run it: proof of concept yet again

I'm not convinced about your assertion of RTFMage. I have received friendly, courteous and above all helpful assistance from actual kernel hackers (the most friendly of whom is easily Jes Sorensen, who is a lovely chap). If you ask your question in a sensible way, include relevant information, and don't force people to real LOLcat or cross examine you to get the facts (i.e. exercise basic good manners), a lot of folks will be surprisingly helpful.

Contrast this with the FreeBSD lot, when I was installing it on my Alpha, and couldn't get any console output on my DEC TGA, which was listed as supported by the default kernel. I enquired politely and clearly, detailing what I had done, and what I was using, and was told to "RTFM" in broken English. It turned out that there was a small bug that prevented it from working, in the end (after a slightly more grown-up dev looked into my problem, after I grumbled in response).

(Oh, and don't even get me started on OBSD and Theo.. I thought my people skills were bad :D)

2
0
Anonymous Coward

Re: need to manually run it: proof of concept yet again

Should have read "to reaD" LOLcat, dang nabbit.. Wish there was an "edit" button :)

0
0
Anonymous Coward

Re: @Wize - need to manually run it: proof of concept yet again

come to linux - no support, but the community will embrace you - here's a fine example

1
1
Linux

Re: Could THIS be the year of the Linux desktop?

I wouldn't expect too many malware authors will be bothered until Linux hits at least 1% market share

How does >90% of web servers grab you? Or ~100% of web routers?

Clueless fanboi morons like you are welcome to their fundamentally insecure "operating systems" - the ones that are actually just silly computer games. Why don't you run off and let the grown-ups get on with real computing?

Unix and its siblings are (effectively) invulnerable to malware. Sure enough you could (possibly) fool someone into downloading something malicious, but they would have to give it permission to run. It would also not have access to the operating system, as the OS is entirely divorced from the user files that could possibly be compromised.

Go back to Windoze - you deserve it.

0
0
Linux

Had to happen

It had to happen sooner or later. I hope they find the details on this thing and publish them soon, I'd like to see what common components between Linux and Apple's BSD/Mach mashup they're using.

Of course, it could turn out that this thing must be manually installed or that it only runs in user space... in which case it's not a yawner but less unexpected.

And I do suppose the inevitable MS vs. the world flame war will erupt in 3.... 2.... 1....

6
0
Anonymous Coward

Re: Had to happen

"Of course, it could turn out that this thing must be manually installed or that it only runs in user space... in which case it's not a yawner but less unexpected."

Yeah, I reckon there's at least a chmod +x required somewhere to make it executable and even then I reckon it's still only user space - that is, until you enter your root password and then has it.

I wonder if that recently reported Java vuln could be used to do the chmod +x and spread it though.

Definitely need more info on this.

5
0

Re: Had to happen

According to the site at the end of the link in the article:

"It's not clear yet how the Trojan, which was added to the Dr.Web virus database as BackDoor.Wirenet.1, spreads. This malicious program is a backdoor that can work under Linux as well as under Mac OS X.

When launched, it creates its copy in the user's home directory. The program uses the Advanced Encryption Standard (AES) to communicate with its control server whose address is 212.7.208.65."

So no details as to how it gets installed and no details as to how it's spread. Does this really merit an article? Because anybody can write a Linux virus - a shell script will do. The trick is getting it installed, giving it execute permissions and permissions to do its stuff.

I'll start to worry when I find out it exploits a weakness in the OS that allows it to install itself by stealth and then escalate its privileges. Or when it somehow gets added to the Ubuntu repositories, of course.

22
0
Silver badge
Mushroom

Re: Had to happen

hang on... id didnt have to happen at all!!!1!!11!!

if i've read it once i've read it a thousand times, windoze boxes get virii cos they are crap, and the ppl who code for them smell of poo!

linuxexexe on osexexex dont never get virii on account of them being super and smashing and programmed by angels and intrinsically resistant to anything bad.

i thought it was bollocks then, glad to see you caught up at last.

now if only there was a mature AV sector to help you out... or even some kind of system of regularly eradicating vulnerabilities as they become exposed....

is that the sorta fing you are looking for :D?

7
36
Anonymous Coward

Re: Had to happen

> Does this really merit an article?

At least you can firewall off that IP address.

1
0
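The suggestion above, blocking the control-server address the quoted Dr.Web text gives, is the one concrete mitigation in this thread. As an added example (not code from the thread, Dr.Web or The Register), the script below hunts a connection log for flows to that address and prints the egress rules a responder would add. The log lines, host names and the `src=`/`dst=` record format are constructed for the example; only the 212.7.208.65 address comes from the page.

```shell
#!/bin/sh
# Added example: hunt outbound flows to a watch-listed control server and
# emit blocking rules. Nothing here touches the firewall; rules are printed.

# Control server named in the quoted Dr.Web write-up; extend as needed.
C2_WATCHLIST='212.7.208.65'

# Constructed connection log, one outbound flow per line. The record format
# is this example's own, not the output of a real tool.
CONN_LOG='2012-08-31T10:02:11Z host=ws01 src=10.0.0.12:51432 dst=198.51.100.7:443 proto=tcp
2012-08-31T10:02:14Z host=ws01 src=10.0.0.12:51433 dst=212.7.208.65:443 proto=tcp
2012-08-31T10:03:02Z host=ws07 src=10.0.0.19:40210 dst=10.0.0.1:53 proto=udp
2012-08-31T10:05:40Z host=ws07 src=10.0.0.19:40211 dst=212.7.208.65:80 proto=tcp'

# Read flow records on stdin and print "host dst" for every flow whose
# destination address is on the watch list. The port is stripped and the
# address compared whole, so 212.7.208.650 would not match.
flag_c2_flows() {
    awk -v list="$C2_WATCHLIST" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) bad[a[i]] = 1 }
        {
            host = ""; dst = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^host=/) host = substr($i, 6)
                if ($i ~ /^dst=/)  { dst = substr($i, 5); sub(/:[0-9]+$/, "", dst) }
            }
            if (dst in bad) print host, dst
        }'
}

# Number of distinct hosts that contacted a watch-listed address.
count_affected_hosts() {
    printf '%s\n' "$CONN_LOG" | flag_c2_flows | awk '{ print $1 }' | sort -u | wc -l | tr -d ' '
}

# Egress rules: log, then reject, traffic to each watch-listed address.
# Both rules are inserted at position 1, so the REJECT is printed first and
# the LOG second; applied in that order, LOG ends up ahead of REJECT.
c2_block_rules() {
    for ip in $C2_WATCHLIST; do
        printf 'iptables -I OUTPUT 1 -d %s -j REJECT\n' "$ip"
        printf 'iptables -I OUTPUT 1 -d %s -j LOG --log-prefix "c2-egress: "\n' "$ip"
    done
}
```

Run `printf '%s\n' "$CONN_LOG" | flag_c2_flows` to list the hosts worth pulling for triage; blocking the address stops the beacon but does not remove the copy the write-up says is dropped in the user's home directory, so the flagged hosts still need a look.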
Silver badge

Nothing new here

Linux distributions already have regular security updates. I have heard Windows users complain that AV software smells of pooh so often that I am glad there is very little for Linux (There is some for filtering Microsoft malware out of email). In the Microsoft world, malware is installed and executed so it can hide and do damage before AV software can hunt for it. The rest of us don't run malware in the first place unless it is to test security.

I have tried installing some but the install scripts got tripped up by little things like mounting /tmp and /var/tmp noexec. Trivial changes to the configuration like that make most Linux boxes more trouble than they are worth. There are plenty of more complex options available for high value targets to ensure that viruses have to be targeted to a specific organisation or machine.

X86 is getting rare these days as much has been moved to AMD64, but my home also has MIPS and two incompatible flavours of ARM. Multiply that by the number of distributions and the users' choices about what software to use and you can see why Linux malware is just not as profitable as stuff for Microsoft even though some of the machines are very high value targets and Unix malware has been around longer:

This is the Unix e-mail virus. It works on the honour system. Please send copies of this e-mail to your friends then delete a few files.

11
0
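The post above credits `noexec` on /tmp and /var/tmp with breaking install scripts. As an added example (not the poster's own configuration), here is a weak fstab beside a hardened one and a small audit that reports scratch mount points still mounted without `noexec`. The fstab text and the placeholder root UUID are constructed; nothing is mounted.

```shell
#!/bin/sh
# Added example: audit fstab-style entries for /tmp and /var/tmp that lack
# the noexec option. Both fstab texts below are constructed.

# Weak configuration: /tmp is a tmpfs with stock options, /var/tmp a plain
# bind mount. Scripts dropped there can be executed directly.
FSTAB_WEAK='# <fs>        <mountpoint> <type> <options>          <dump> <pass>
UUID=0000-ROOT /            ext4   errors=remount-ro  0      1
tmpfs          /tmp         tmpfs  defaults           0      0
/tmp           /var/tmp     none   bind               0      0'

# Hardened configuration: the same mounts with noexec, nosuid and nodev.
FSTAB_HARDENED='UUID=0000-ROOT /        ext4   errors=remount-ro            0 0
tmpfs          /tmp      tmpfs  defaults,noexec,nosuid,nodev 0 0
/tmp           /var/tmp  none   bind,noexec,nosuid,nodev     0 0'

# Read fstab text on stdin; print each scratch mount point (field 2) whose
# option list (field 4) does not contain noexec. Comments and blank lines
# are skipped.
find_exec_scratch_mounts() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        $2 == "/tmp" || $2 == "/var/tmp" {
            n = split($4, opts, ",")
            has = 0
            for (i = 1; i <= n; i++) if (opts[i] == "noexec") has = 1
            if (!has) print $2
        }'
}

# Return 0 when the given fstab text is clean; otherwise list the offending
# mount points on stdout and return 1.
audit_fstab() {
    out=$(printf '%s\n' "$1" | find_exec_scratch_mounts)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}
```

On a live box, `audit_fstab "$(cat /etc/fstab)"` checks what is configured, while `findmnt -o TARGET,OPTIONS /tmp` shows what is actually mounted; the two can differ after a manual remount. `noexec` raises the bar but is not a wall: a file can still be run by passing it to an interpreter, as the later `bash ~/virus` remark in this thread notes.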
FAIL

Re: Had to happen

"it's unclear how the trojan is designed to spread"

also unclear how this AV company got their hands on it. Just because someone made a keylogger, that doesn't make it the 'FIRST ever' Linux, Mac OS X-only password sniffing virus.

4
0
WTF?

Re: Had to happen

Hmmm... not sure if joking or just Ballmerizing.....

4
0
Anonymous Coward

@Naughtyhorse - Re: Had to happen

Frustrated Windows user, eh ? Chill out, there is life after Windows after all!

2
1

Re: Had to happen

"I'll start to worry when I find out it exploits a weakness in the OS that allows it to install itself by stealth and then escalate its privileges."

Agreed. Except you should add "compile itself" as well. Unless a binary compiled on MacOS X will run on a Linux box and vice-versa. I strongly doubt that's even possible.

Colin

5
0
Anonymous Coward

Re: Had to happen

The GNU base system and daemons probably.

0
1
Silver badge

Re: Had to happen

"I reckon there's at least a chmod +x required"

Almost certainly - which is why it is a trojan and not a virus or a worm. Clue is in the name.

0
0
Anonymous Coward

Re: Had to happen

It's not "virii". I would say "being pretentious and fucking up like that makes you look like a prat", but it's almost superfluous, looking at the rest of your execrable post.

0
0
Bronze badge
Meh

trojan

This article seems to be from a Dr Web press release:

http://news.drweb.com/show/?i=2679&lng=en&c=14

So far the only reported transmission method seems to be to get it from Dr Web and self-harm;

8
1
Alert

"Creating a strain of malware that infects Mac OS X and Linux machines but not Windows boxes seems, frankly, weird"

Not if you consider that those two user bases, although small, are likely to have a higher personal disposable income.

5
0
Anonymous Coward

Only Linux users have

a higher personal disposable income. Apple fans are wasting their money buying expensive iStuff from Apple, so they should be the poorest of all crowds (Windows fans included).

4
0
jai
Silver badge

key logger?

So does it pick up keystrokes from the keyboard interface? Or characters populating text fields on websites?

Just wondering if utils like 1Password can be seen as a protection against this kind of attack, since they drop your password directly into the password field, the data isn't coming via the keyboard interface.

0
0

an organisation that uses a mix of the two Unix flavours

I can think of one rather large organisation that only uses Linux and Mac OSX.

3
0
Trollface

Re: an organisation that uses a mix of the two Unix flavours

Yes, Microsoft....

2
1
Silver badge

Re: an organisation that uses a mix of the two Unix flavours

That would be Google, wouldn't it.

0
0
Silver badge
Joke

Simple explanation for non-windows focus:

The authors of this malware have all the complete set of passwords for windows boxes

7
0
Thumb Up

not Windows boxes seems, frankly, weird

not if the hack author is a typical Linux/Apple fanbois who won't touch Windows because it is unsafe. Oh, wait...

3
5
Anonymous Coward

It's probably "cross-platform" in the sense that it uses *nix sockets and not Windows ones. I wish people would use cross-platform properly, to describe something that'll run on multiple architectures and not merely different OSes on the same platform.

Writing a piece of Java code that runs on Linux and Windows is not exactly a challenge. *cough JVM cough*

0
1
Anonymous Coward

How it spreads...

"Dear friend

I hope you are well

Please to run "sudo dpkg -i install makemoneyandpenisfast" on attached.

For great money and health!

"

16
0
Vic
Silver badge

Re: How it spreads...

> Please to run "sudo dpkg -i install makemoneyandpenisfast" on attached.

[vic@fortyniner ~]$ sudo dpkg -i install makemoneyandpenisfast

[sudo] password for vic:

sudo: dpkg: command not found

Vic.

1
0
Linux

Linux trojan is not news

#!/bin/bash

sudo rm -rf /

#

# now all you need to do is get some idiot to run this and enter their password.

0
1
Silver badge

Re: Linux trojan is not news

Only if the idiot is authorized to do this in the sudo config. Unfortunately, many Linux distros automatically put the first user set up during the installation into whatever group the sudo config allows.

It doesn't have to be this way!

1
0

Re: Linux trojan is not news

Unfortunately, as the population of Linux and OSX users increases, the number of mouth-breathers who would blindly enter the root password will increase...

The vector of infection is usually those with the least technical ability. The only good thing is that in those OSes the need to enter that password cannot be overridden (as far as I know, please correct me otherwise), at least yet..

2
0

@ChrisM - Re: Linux trojan is not news

Sadly, the population of Linux users is still not increasing and I doubt it ever will. We're the same number we were a couple of years ago. Not that I feel bad about it or lonely. I guess we're becoming like those who prefer to build/drive custom cars in that only those who really want to be like us will join us, and there's nothing wrong or special about it.

And you're absolutely right about carelessly using the root password and let's pray Gnome and KDE and other WM devs will not goof for the sake of mimicking you all know who.

0
0
Bronze badge

sudo != su

Unfortunately, many Linux distros automatically put the first user set up during the installation into whatever group the sudo config.

And what is your problem with that? "sudo" is not "su"! Do you realize that?

Also, with that bash virus you need to get it chmod'ed (unless it is run with bash ~/virus) and provide the password:

<code>
#/bi/bash
echo "Please provide your password so we could erase your system. Thank you! "
sudo rm -fr /
echo "Now you can shut down this system for the last time ;( Bye now"
exit 0
</code>

0
0
Bronze badge

this won't even run with this shebang

Should have typed it in Emacs with shell-mode enabled:

#!/bin/bash

0
0
Bronze badge
Mushroom

Re: Linux trojan is not news

Well at least you can upgrade to Windows after it finishes cleaning your HDD....

0
7
Anonymous Coward

Re: sudo != su

Sudo may not be su, but the default behavior on many linux distros is as near as makes no odds. The problem is:

sudo su -

If you can su to root only using your own password, or even without a password it's game over for the security of your system.

0
0
Bronze badge

Re: sudo != su

sudo su -

Why not just "sudo -i"?

If you can su to root only using your own password, or even without a password it's game over for the security of your system.

Why without a password? What is the problem?

0
0
Vic
Silver badge

Re: Linux trojan is not news

> the need to enter that password cannot be overriden

That's trivially overridden.

But to do so, you need to understand the sudoers file. Which means understanding the ramifications of such a thing. And that's why, quite often, a sysad says "no" when asked to do something[1].

Vic.

[1] For example, I installed MediaWiki for a customer once. The first thing he tried to do was to write a load of PHP in the pages to run his advertising scripts. He was furious when that didn't work, and *demanded* that I make PHP work in wiki pages. I told him I'd need written instructions before I'd do that...

1
0
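The "sudo != su" exchange and Vic's reply both come down to what the sudoers file says. As an added example (not Vic's or any other poster's code), the script below audits sudoers-style text for the two settings that let a script like the one posted earlier run `sudo` without anyone typing a password: a `NOPASSWD:` grant, and the absence of `Defaults timestamp_timeout=0`, without which a recent interactive sudo leaves a ticket that a later command in the same session reuses silently. `timestamp_timeout` and `NOPASSWD` are real sudoers keywords; the two sudoers texts and the finding labels are constructed for the example.

```shell
#!/bin/sh
# Added example: flag sudoers settings that remove the password prompt.
# Both sudoers texts are constructed; the script never reads /etc/sudoers.

# Weak configuration: the admin group and a deploy account escalate with no
# password, and the default ticket lifetime is left in place.
SUDOERS_WEAK='Defaults env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) NOPASSWD: ALL
deploy  ALL=(root) NOPASSWD: /usr/bin/apt-get'

# Hardened configuration: every grant requires a password, and a zero
# ticket lifetime means every sudo invocation prompts.
SUDOERS_HARDENED='Defaults env_reset
Defaults timestamp_timeout=0
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
deploy  ALL=(root) /usr/bin/apt-get update'

# Read sudoers text on stdin and print one finding per line. Comment,
# blank and #include lines are skipped; included files are not followed.
sudoers_findings() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        /^Defaults/ && /timestamp_timeout[[:space:]]*=[[:space:]]*0([^0-9]|$)/ { ticket = 1; next }
        /NOPASSWD/ { print "NOPASSWD: " $0 }
        END {
            if (!ticket)
                print "TICKET: no Defaults timestamp_timeout=0; a recent interactive sudo leaves a ticket a later script can reuse without a prompt"
        }'
}

# Return 0 when the given sudoers text raises no finding; otherwise print
# the findings and return 1.
audit_sudoers() {
    findings=$(printf '%s\n' "$1" | sudoers_findings)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

On a real system, feed it `sudo cat /etc/sudoers` and each file under /etc/sudoers.d (the script does not follow `#include` lines). `sudo -i` versus `sudo su -` makes no difference to this audit: either one is gated by the same grant and the same ticket.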
