Linux software nasty slithers out of online watering holes

A malware instance built on the shoulders of a trojan so powerful it led to the creation of the US Cyber Command has been updated with Linux-popping capabilities, Kaspersky researcher Kurt Baumgartner says. The Turla advanced malware is thought to have employed its top-notch stealth capabilities to remain hidden on some …

  1. Anonymous Coward

    I wonder what attack vector they used. Is it a Linux version that hitches a ride on a Windows vulnerability then attacks the Linux host from the Windows box or is there some exploit in the Linux desktop they're targeting?

    Given the prevalence of Linux desktops, the former seems more likely. Guess we'll find out before long.

    1. Ole Juul

      What does this really mean?

      They do say that a regular user with limited privileges can launch it, and it can intercept traffic and run commands. However, to me that is meaningless when not accompanied by even a hint as to under what circumstances. The attackers can "run commands of their choice", but surely they cannot do that on all and sundry machines with any particular setup. Perhaps I'm missing some detail but surely the researchers are aware that not all Linux setups are the same. If all kernels, setups, and hardware configurations are indeed vulnerable, then they should say so. If not, then I feel that it is irresponsible of them to insinuate that to be the case.

      1. AlbertH

        Re: What does this really mean?

        This is the problem with journos that only deal with Windoze - they have no real understanding of *nix, and assume that proper operating systems are as trivially attacked as their system of choice. There's one variant of this "Snake" worm that piggy-backs on Windows documents and can (try to) attack VM-Ware. It doesn't work!

        1. TheVogon

          Re: What does this really mean?

          "they have no real understanding of *nix, and assume that proper operating systems are as trivially attacked as their system of choice"

          Welcome to the 21st century. Obviously you have been away from Planet Earth for some time, but since you have been gone it's now the other way round. Windows generally has far fewer vulnerabilities these days than most enterprise *nix versions that are also on average fixed faster. Internet facing *nix boxes are also several times more likely (as per web site hacking figures) to be remotely exploited than Windows Server based ones.

          1. Anonymous Coward

            @TheVogon re "Windows generally has far fewer vulnerabilities these days"

            Citation needed.

            Citation from individuals whose day job is "Director of Windows Security" or similar, which is the usual source for this kind of claim, not accepted. Sadly I can't remember the individual's name right now, suggestions/links welcome, I have posted it before...

            1. Anonymous Coward

              Re: @TheVogon re "Windows generally has far fewer vulnerabilities these days"

              "Citation needed."

              You mean like this sort of thing?

              http://www.cvedetails.com/vulnerability-list/vendor_id-33/product_id-47/Linux-Linux-Kernel.html

              And that's JUST the kernel not a distro - versus say:

              http://www.cvedetails.com/product/2594/Microsoft-Windows-2003-Server.html?vendor_id=26

              ?

              1. Anonymous Coward

                Re: @TheVogon re "Windows generally has far fewer vulnerabilities these days"

                I like these better:

                http://www.cvedetails.com/vendor/97/Openbsd.html (on Sparc would be better);

                http://www.cvedetails.com/product/20621/Oracle-Solaris-Sparc.html?vendor_id=93

              2. Anonymous Coward

                Re: @TheVogon re "Windows generally has far fewer vulnerabilities these days"

                Doesn't CVE have some small print somewhere (that I can't find right now) that says not to use their statistics for comparing the security of two different OSes?

                Do the Windows Server 2003 stats include stuff like hypervisor bugs? KVM bugs are included in the Linux stats. What else isn't directly comparable?

                Do the Windows Server 2003 stats split vulnerabilities by platform? No, 'cos it's x86 only. How much do the Linux stats decrease if you remove vulnerabilities specific to particular architectures (which mostly seem to be x86-specific)?

                The MS Director whose name I couldn't remember earlier was Jeff Jones, Director of Trustworthy Computing.

                The other likely source for some of these crazy security claims is zone-h's defacement stats from a year or three back, when a commonly used Linux webserver config managed to reintroduce an x86-specific vuln that had been fixed a couple of years previously, and which has now been fixed again.

                Keep up the good work.

              3. CaptainPiccard

                Re: @TheVogon re "Windows generally has far fewer vulnerabilities these days"

                Is that how you assess system security? A total count of old CVEs? That alone says a lot about how confused you are. I'm not even going to mention that "The linux kernel" predates "windows server 2003" by a decade. Oops, I mentioned it.

          2. Anonymous Coward

            Re: What does this really mean?

            "Internet facing *nix boxes are also several times more likely (as per web site hacking figures) to be remotely exploited than Windows Server based ones."

            WTF? What sort of numbskull would run Windows on anything directly facing the internet (other than a honey pot). The mind boggles!

      2. John Hughes

        Re: What does this really mean?

        They do say that a regular user with limited privileges can launch it, and it can intercept traffic and run commands.

        That's what they say, however the advisor says:

        The module statically links PCAP libraries, and uses this code to get a raw socket, applies a filter on it, and captures packets, checking for a specific condition

        And, as Alan Jenkins points out in a comment:

        my understanding was you can’t capture packets / open raw sockets without root. Surely that’s big news? Are you going to elaborate on it?

        Seems fishy.

    2. big_D Silver badge

      Or a vulnerability in one of the many services which are Internet facing. Don't forget a majority of Linux machines are running in the server area and probably don't have a GUI at all or are rarely logged into via the GUI. But most of them then have services running, either on the internal network or internet facing.

      Poorly configured or unpatched servers can be relatively easily attacked - there were a number of minor configuration changes needed on Apache, for example; including an Apache directory tree traversal exploit, which allowed the reading of /etc including the passwd! That is in the default configuration, which many non-security aware admins probably don't even know about, let alone configure Apache correctly to stop it.

      1. Vic

        allowed the reading of /etc including the passwd!

        Reading /etc/passwd is usually allowed - for local users, at least. It is not a vulnerability.

        It doesn't contain any passwords, and for an Internet-facing box, is unlikely to contain any account information at all that could not be presumed by anyone that hasn't even *seen* the box...

        Vic.

    3. ElReg!comments!Pierre

      It doesn't seem to exploit anything but user stupidity. What is described in the advisory is not a way to infect Linux machines, just an explanation of how it works when it's there. It's basically a user-level backdoor to /bin/sh, with network monitoring capabilities (statically linked to pcap) although from the write-up it only seems to use pcap to catch the TCP/UDP packets containing the remote commands.

      The way it works makes it invisible to the way most people use netstat; however by checking the traffic at the packet level it would be pretty obvious I expect (there's not much info on how it parses the command packets other than that it passes the payload to /bin/sh -c, that must surely make for quite visibly fishy packets, no?).

  2. Anonymous Coward

    > hardened against reverse-engineering through the use of stripped symbol information

    "That's it, man. Game over, man! Game over!"

    -- Anti-virus engineer Hudson

    If the terrorists have got access to our secret "strip" technology then our worst fears are realised and they may be on the cusp of compiling with "-g0 -O3"...

    (I know AV firms like to spice things up but that's a bit ripe. C'mon El Reg, peck back at them a bit and find the real meat behind the scare quotes)

    1. Anonymous Coward

      Re: "find the real meat behind the scare quotes"

      I wish.

      I'm thinking it'll be a long wait.

      Maybe the AV companies need a survival strategy to reflect the end of Windows dominance in the client market. But this certainly doesn't sound like a good start.

    2. Vociferous

      Re: > hardened against reverse-engineering through the use of stripped symbol information

      > peck back at them a bit and find the real meat behind the scare quotes

      State actor attacking strategic state targets in the military, research and energy sectors means you're unlikely to get the full details of the attacks anytime soon, if ever.

      1. Anonymous Coward

        Re: > hardened against reverse-engineering through the use of stripped symbol information

        yes, even Radio4 mentioned this morning that there were two types of company in the world of 'cyber-attacks': those companies that *know* they have lost all their confidential data via data-breach, and those that haven't yet discovered that they have also lost all their confidential data via data-breach...

  3. thames

    From the sounds of it, it's not a virus or anything like that. It's just a specialized user level (i.e. non-root) program. If the attacker can get a user's log-in and password, they can simply log in, upload this program (e.g. by wget or something like that), and then start this program and leave it running. The program then just sits there, waiting for commands to do things like monitor traffic or send files. The only thing really special about it is that it communicates in a way which is not likely to be noticed by standard network monitoring tools.

    So, it's not a one-stop shopping bit of malware. If however the attacker can get into your system by some other means, it's a nice little present they can leave behind and use it to keep an eye on you later.

    I guess this is why they were able to make a Linux version after having a Windows version for so many years. Since it doesn't on its own need to break into the system, it doesn't need to be designed to exploit any operating system vulnerabilities.

    1. Anonymous Coward

      Re: "I guess this is why they were able to make a Linux version"

      Don't guess.

      Use logic and real verifiable facts.

      Then you'll realise how much BS is in the article and the reported claims.

  4. RAMChYLD
    Boffin

    Well...

    Remember that Flash is available for Linux and is required to watch Youtube unless you grab the official Google Chrome. Additionally, so is Java, which is used by many, many corporate intranet webapps. So yeah. Drive-by downloads of userland apps are still a scary reality on Linux.

    Honestly, this is why I have ClamAV's daemon on all my *nix boxes (Linux, OpenBSD and Mac OS X), no exceptions, especially since the discovery of trojans disguised as Gnome themes back in 2011. I trust that Kaspersky has shared the sample with the ClamAV team?

    1. Anonymous Coward

      @RAMChYLD - Re: Well...

      Let's not get silly, shall we?

      Any decent company who cares about security blocks Youtube and if Java is used on their corporate intranet I strongly doubt they will allow Linux desktops on their network. And since you mention together Linux, OpenBSD and Mac OS X I'm having a hard time imagining you're working in a real, medium to large sized corporate environment.

      For your information, I'm working in a large enterprise having 1000+ Linux servers and a grand total of 0 (that's zero) *nix desktops, none of them running any form of anti-virus and they are being subjected to some important North-American industry regulations. Everybody here agrees it is plain silly to run antivirus on a Linux server.

      1. Wzrd1 Silver badge

        Re: @RAMChYLD - Well...

        Well, my company, a Fortune 200 company, uses antivirus on our *nix servers.

        As for Youtube, you do realize that watering holes are not only there, right?

        I've received notices for regional government sites serving up drive-by malware and even some BBC IP's as well.

        Add in malvertisement and you have quite the suite of threats out there.

        BTW, the threat that caused Cyber Command to be pushed to the forefront for bringing into operation was Agent.btz, which was PRC malware spread by USB drives via autorun. The idiot contractors for the DoD didn't follow best practices or even the DoD mandated baseline.

        I know, as I was there, running information assurance for the only installation that remained uninfected, for both incidents (they cleaned it up, then re-infected again a month later).

        The first incident cost one billion dollars to clean up, as they literally cleaned out the entire DoD of system administrators to help clean up the infection. The second incident cost still remains classified.

        Wouldn't want to get a large DoD contractor in hot water, they might not hire you when you retire from the military!

      2. Tom 38

        Re: @RAMChYLD - Well...

        Any decent company who cares about security blocks Youtube

        Generally it's about reducing the amount of time people spend looking at cat videos, but yeah ok…

        if Java is used on their corporate intranet I strongly doubt they will allow Linux desktops on their network.

        lolwut?

        Everybody here agrees it is plain silly to run antivirus on a Linux server.

        He's right, clients fucking love it when you serve them up virii. Of course they accept it completely when you explain that their users uploaded the virus to your server before they downloaded it, they don't blow their top and go to one of your competitors at all.

    2. Anthropornis
      Linux

      Re: Well...

      Flash is *required* ? For me, youtube videos *without adverts* have worked fine, for a long time, in both firefox and qt4 browsers (arora, qupzilla) on linux.

      1. Anonymous Coward

        Re: Well...

        Youtube works fine in HTML5 mode on Opera too. Not needed flash for a long time, personally.

    3. eulampios

      Re: Well...

      >>Remember that Flash is available for Linux and is required to watch Youtube unless you grab the official Google Chrome.

      May I recommend NoScript, FlashBlock, vlc/youtube-dl? Most other flash videos can be sourced via tcpdump /wireshark.

      >>Honestly, this is why I have ClamAV's daemon on all my *nix boxes (Linux, OpenBSD and Mac OS X)...

      No need for any *antivirus* software, an approach to security that is so prone to both type I and type II errors.

  5. T. F. M. Reader

    hardened against reverse-engineering ...

    ... through the use of stripped symbol information and hidden network communications, adding it could not be discovered using Netstat.

    Eh, so it was a stripped binary, which I expect it to be just to reduce its size. Looks like Mr Kaspersky Bod is waving his hands wildly around some nonsense.

    And undetectable with netstat? What exactly does this mean? Guessing wildly: it is detectable with netstat but doesn't advertise itself as a nasty but masquerades as something else, eh? Given the "hardened by stripping" bit in the same sentence, might it be an ssh tunnel? That would be similarly "undetectable" even if one is looking at the packets on the wire...

    1. Anonymous Coward

      Re: hardened against reverse-engineering ...

      Re netstat, it might just not keep a connection open for very long: UDP or ICMP to establish a session and return packets when required and libpcap the rest of the time to receive instructions. I doubt that would work behind a firewall of any sort though.

    2. ElReg!comments!Pierre

      Re: hardened against reverse-engineering ...

      And undetectable with netstat? What exactly does this mean? Guessing wildly: it is detectable with netstat but doesn't advertise itself as a nasty but masquerades as something else, eh?

      No, it only sends the one packet containing its contact info, then uses PCAP to catch the TCP and/or UDP packets containing remote instructions. No real connection here for netstat to sniff.

  6. AlbertH

    The anti-virus snake-oil salesmen are panicking - Windows is no longer viable in corporate environments (Windoze 8 is a telephone "operating system").... They're going to try to persuade Unix / Linux / BSD users that they "need" their (useless) products!

    1. Anonymous Coward

      "Windows is no longer viable in corporate environments"

      Strange that sales are steady then - still over 90% share of desktops.....

    2. Vociferous

      > Windows is no longer viable in corporate environments

      Tell me, did you ever visit the planet "Earth"?

  7. frank ly

    Fingerprinting/characterising?

    Right now, I have 35 processes running on my laptop (or so mate-system-monitor tells me). They all have a particular memory size and have other named characteristics. Could this list be regarded as 'normal' (assuming it is normal and my laptop is not infected in any way) and then any future changes be flagged as "alert - strange new process"?

    I realise that as a home user I'm likely to install all sorts of stuff to try it out but for a stable commercial or industrial system then the 'normal' process profile should be stable and their characteristics known.

    1. Fibbles

      Re: Fingerprinting/characterising?

      35 processes seems rather low for Mint. You're likely only looking at processes you have adequate permissions to tamper with.

      1. frank ly

        @Fibbles Re: Fingerprinting/characterising?

        You're quite right. 'ps -A' shows more like 135 processes though my point remains the same.

      2. ElReg!comments!Pierre
        Joke

        Re: Fingerprinting/characterising?

        35 processes seems rather low for Mint.

        It will come. With oncoming systemd domination and all the in-browser apps, it will eventually be down to 2:

        PID 1: systemd

        PID 2: firefox

        And that's it.
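One way to do what frank ly describes, as an added example that is not code from the article or any commenter: take a `ps -eo pid,ppid,user,rss,comm` listing as the baseline profile and report (user, command) pairs never seen before, extra instances, and processes whose memory use has grown well past their baseline. The two snapshots and the "helperd" entry are constructed; `ps -eo` lists every process regardless of ownership, which addresses Fibbles's point about only seeing your own.

```python
"""Added example (not from the article or any commenter): record a
baseline of running processes and flag what differs in a later snapshot.
Input is the text of `ps -eo pid,ppid,user,rss,comm`; samples constructed."""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple


class Proc(NamedTuple):
    pid: int
    ppid: int
    user: str
    rss_kb: int
    comm: str


def parse_ps(text: str) -> List[Proc]:
    """Parse `ps -eo pid,ppid,user,rss,comm` output (header row skipped).
    comm is the last column, so it may contain spaces."""
    procs = []
    for line in text.strip().splitlines()[1:]:
        pid, ppid, user, rss, comm = line.split(None, 4)
        procs.append(Proc(int(pid), int(ppid), user, int(rss), comm.strip()))
    return procs


# Baseline profile per (user, comm): [instance count, largest RSS in kB]
Baseline = Dict[Tuple[str, str], List[int]]


def build_baseline(procs: List[Proc]) -> Baseline:
    base: Baseline = defaultdict(lambda: [0, 0])
    for p in procs:
        entry = base[(p.user, p.comm)]
        entry[0] += 1
        entry[1] = max(entry[1], p.rss_kb)
    return dict(base)


def compare(baseline: Baseline, procs: List[Proc], rss_factor: float = 2.0) -> List[Tuple]:
    """Findings: ('new', comm, pid) for a (user, comm) pair never seen,
    ('grew', comm, pid) when RSS exceeds rss_factor x the baseline maximum,
    ('more', comm, count) when more instances run than the baseline had."""
    findings: List[Tuple] = []
    seen: Dict[Tuple[str, str], int] = defaultdict(int)
    for p in procs:
        key = (p.user, p.comm)
        seen[key] += 1
        if key not in baseline:
            findings.append(("new", p.comm, p.pid))
        elif p.rss_kb > baseline[key][1] * rss_factor:
            findings.append(("grew", p.comm, p.pid))
    for key, n in seen.items():
        if key in baseline and n > baseline[key][0]:
            findings.append(("more", key[1], n))
    return findings


# Constructed snapshots (the "helperd" entry and all numbers are made up).
BASELINE_PS = """\
  PID  PPID USER       RSS COMMAND
    1     0 root      4120 systemd
  612     1 root      2208 sshd
  880     1 frank    40312 mate-panel
  901     1 frank   181204 firefox
"""
LATER_PS = """\
  PID  PPID USER       RSS COMMAND
    1     0 root      4120 systemd
  612     1 root      2208 sshd
  880     1 frank    40312 mate-panel
  901     1 frank   410996 firefox
 4302   612 root      3004 sshd
 4417     1 frank     3120 helperd
"""

if __name__ == "__main__":
    base = build_baseline(parse_ps(BASELINE_PS))
    for finding in compare(base, parse_ps(LATER_PS)):
        print(finding)
```

In practice the baseline snapshot is saved to a file once the machine is known-good and compared against a fresh `ps` run from cron.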

  8. rtfazeberdee

    eh?

    So, nothing concrete, just some guesses without proof. Come back when you have definite proof.

    They must be trying hard to promote linux anti-virus software again.

  9. ElReg!comments!Pierre

    Agent.Biz, [...] the "worst breach of US military computers in history"

    Ah. A bit like McKinnon then. Or like that time when the general's dog pissed on a comms cabinet. Got to love the US and their tendency to have "the worst (biggest) X in human history" roughly every 2 months.

    Regarding the trojan "described" in the article, the details are a bit too thin on the ground to really get an idea of the threat.

  10. alain williams Silver badge

    So how does it work then?

    This Turla cd00r-based malware maintains stealth without requiring elevated privileges while running arbitrary remote commands. It can't be discovered via netstat, a commonly used administrative tool. It uses techniques that don't require root access, which allows it to be more freely run on more victim hosts. Even if a regular user with limited privileges launches it, it can continue to intercept incoming packets and run incoming commands on the system.

    If it does not use elevated privileges then, I assume, that it has not tampered with the kernel. So how does it hide from netstat?

    Ah, later he says: The module statically links PCAP libraries, and uses this code to get a raw socket, ..., but use of PCAP requires superuser privileges???

    I am not saying that this is not a threat ... but I would like to see something more plausible - if only so that we can protect ourselves -- without having to buy something from Kaspersky ... which is what I get the feeling this is all about - a marketing exercise.

    1. ElReg!comments!Pierre

      Re: So how does it work then ?

      The module statically links PCAP libraries, and uses this code to get a raw socket, ..., but use of PCAP requires superuser privileges???

      Statically linked. That doesn't fix the raw socket issue though; in the examples contained in the advisory they do run it as root...

      1. eulampios

        setcap

        I don't know what "statically linked" changes here. tcpdump can be statically linked as an option. Does it allow reading the raw and packet sockets and passing the corresponding capability checks? No, unless there is the CAP_NET_RAW capability pre-set (with setcap), which by itself requires root privileges.

        1. ElReg!comments!Pierre

          Re: setcap

          I don't know what "statically linked" changes here

          It changes that you can run it. As I said, it doesn't change the problem with the socket.

          1. eulampios

            @ ElReg!comments!Pierre

            >>It changes that you can run it.

            How so? I can run tcpdump too:

            ls -l /usr/sbin/tcpdump

            -rwxr-xr-x 1 root root 962544 May 25 2013 /usr/sbin/tcpdump

            Again, what difference would that make? I can pretty much run any executable in /sbin or /usr/sbin.

            AMOF, most executables in the /usr/sbin dir have 755 perms, including the files they link to. I think you and the Kaspersky people are confused by the fact that some distros exclude sbin dirs from the $PATH variable:

            echo $PATH

            /usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games

            Hence the file name of the executable won't be sourced to the shell and you'll get the "not found" error if the exact path is not supplied.

            BTW, the problems arise not from running it or even accessing specific files with insufficient credentials, but when the kernel sees that the uid != 0, so it won't allow reading the packets. The issue is insufficient capability, not insufficient file permissions.

            However: "Reading a saved packet file doesn't require special privileges"

            So yes, no problem running /usr/sbin/tcpdump with the "-r" option for any user.

    2. eulampios

      Re: So how does it work then ?

      >>but use of PCAP requires superuser privileges???

      Exactly, it's been the case for some time now. On my machine here:

      id -u; /usr/sbin/tcpdump -w $(date +%Y_%h_%d_%M).dump -s 0 -i eth1

      1000

      tcpdump: eth1: You don't have permission to capture on that device

      (socket: Operation not permitted)

      tcpdump's man also says:

      " Reading packets from a network interface may require that you have special privileges; see the pcap (3PCAP) man page for details. Reading a saved packet file doesn't require special privileges"

      The linked article's example shows a screenshot of the process running as root as well.

      1. Anonymous Coward

        Re: So how does it work then ?

        Maybe it's sudo?

        1. eulampios

          Re: Maybe it's sudo?

          That's the point. Either su, or sudo, or "sudo setcap cap_net_raw+eip /usr/sbin/tcpdump". What the Kaspersky "experts" are trying to tell us is that you can get a specially crafted binary capable of grabbing network packets when run with regular privileges. Sounds like a vulnerability, if it were true.

          Statically linking libpcap or even using raw sockets won't remove the kernel credentials checking when trying to eavesdrop on the sockets. Granting the CAP_NET_RAW capability to the binary is also done by root -- no luck here as well.
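The permission point eulampios makes in this thread (and in the tcpdump session above) can be checked directly on a box. This is an added example, not code from the article or any commenter: it decodes the CapEff mask from /proc/self/status, tries to open the AF_PACKET socket that libpcap uses for live capture on Linux, and parses `getcap -r` output (the sample lines are constructed) to list binaries that have been granted cap_net_raw with setcap, which is the one way a non-root user ends up able to capture.

```python
"""Added example (not from the article or any commenter): check whether
this process could capture packets on Linux, and list binaries that have
been granted cap_net_raw via setcap.  The getcap sample is constructed."""
import re
import socket
from typing import Dict, List, Optional, Set

# Capability bit numbers from <linux/capability.h>; only the ones that
# matter for packet capture and for granting capabilities are decoded.
CAP_BITS = {"cap_net_admin": 12, "cap_net_raw": 13, "cap_sys_admin": 21}


def caps_from_mask(hex_mask: str) -> Set[str]:
    """Decode a CapEff/CapPrm hex mask (format used in /proc/<pid>/status)
    into the subset of CAP_BITS names that are set."""
    mask = int(hex_mask, 16)
    return {name for name, bit in CAP_BITS.items() if mask & (1 << bit)}


def effective_caps(status_text: str) -> Set[str]:
    """Extract the effective capability set from /proc/<pid>/status text."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return caps_from_mask(line.split()[1])
    return set()


def raw_capture_allowed() -> Optional[bool]:
    """Try to open the AF_PACKET raw socket libpcap uses for live capture.
    True/False = allowed/denied by the kernel; None = cannot tell here
    (no AF_PACKET on this platform, or some other socket error)."""
    if not hasattr(socket, "AF_PACKET"):
        return None
    try:
        s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(3))  # 3 = ETH_P_ALL
    except PermissionError:          # EPERM: no CAP_NET_RAW in the effective set
        return False
    except OSError:
        return None
    s.close()
    return True


def parse_getcap(getcap_output: str) -> Dict[str, Set[str]]:
    """Parse `getcap -r <dir>` lines ('path caps=eip' or the older
    'path = caps+eip') into {path: {capability names}}."""
    result: Dict[str, Set[str]] = {}
    for line in getcap_output.splitlines():
        line = line.strip()
        if not line:
            continue
        path, _, capspec = line.replace(" = ", " ").rpartition(" ")
        result[path] = set(re.findall(r"cap_[a-z_]+", capspec))
    return result


def capture_capable_binaries(getcap_output: str) -> List[str]:
    """Paths any local user could run to open raw sockets (audit list)."""
    return sorted(path for path, caps in parse_getcap(getcap_output).items()
                  if "cap_net_raw" in caps)


# Constructed sample data, shaped like the real /proc and getcap output.
SAMPLE_STATUS = "Name:\tbash\nCapPrm:\t0000000000002000\nCapEff:\t0000000000002000\n"
SAMPLE_GETCAP = """\
/usr/bin/dumpcap cap_net_admin,cap_net_raw=eip
/usr/bin/ping cap_net_raw=ep
/usr/bin/gst-ptp-helper cap_net_bind_service,cap_sys_nice=ep
"""

if __name__ == "__main__":
    try:
        with open("/proc/self/status") as fh:
            print("effective caps of interest:", effective_caps(fh.read()) or "none")
    except OSError:
        print("no /proc/self/status on this platform")
    print("raw packet socket allowed:", raw_capture_allowed())
    print("cap_net_raw binaries in sample:", capture_capable_binaries(SAMPLE_GETCAP))
```

Run as an ordinary user the socket check reports False, which is the kernel check the commenters describe; feeding it real `getcap -r /usr /opt` output shows which binaries on the host would pass it anyway.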

  11. MyffyW Silver badge

    To be honest there's a lot of noise here but no perceptible signal.

    Beyond normal good systems hygiene (firewall, patching, no unnecessary services, not being an idiot etc etc) should I do anything different as a result of this news?

    1. ElReg!comments!Pierre

      should I do anything different as a result of this news?

      Well you should certainly stop downloading trojans, running them, and giving them correct ID and interface parameters when they ask. That should keep you safe.

      Oh, and don't give access to your system to someone who may install trojans, run them, and give them correct ID and interface parameters.

      1. MyffyW Silver badge

        Re: should I do anything different as a result of this news?

        Thanks hun. And that nice gentleman from Nigeria? I shouldn't let him fix my "Windows PC" over the phone (even though everything in my house has a penguin on it)?

  12. strings
    Childcatcher

    Fingerprint

    It would be interesting to see how this "new WINDOWS BASED malware" will fingerprint the *nix based system and decide "which" CVE to exploit, considering there are multiple *nix vendors?

    Sounds like another method/vector to attack the hypervisor host, not exactly new if you look at the large Citrix client base serving up web applications and the flow of CVEs for this area, although more ARM based issues than x86.

    It makes my heart bleed and I'm shell shocked by these new discoveries!

    Serve those patches up! With no dessert.

  13. Anonymous Coward

    If you think you have it you have, but you won't know

    @ MyffyW

    Bronze badge

    To be honest there's a lot of noise here but no perceptible signal.

    Beyond normal good systems hygiene (firewall, patching, no unnecessary services, not being an idiot etc etc) should I do anything different as a result of this news?

    In 2 years' time, when your AV picks it up, you will know!

  14. JamesTQuirk

    Or another thought is running an OS under virtualization, a cut down, built-for-the-job distro. DSL is @ 50 meg in the stock version, ready for the internet, BUT say, like an example the "Tiny Core Project" can produce, a 12MB FLTK/FLWM desktop.

    If you can cut that down further, and run bash scripts .... ON say an 8 core, 32gb, SATA SSD system, lucky to have a fibre 100MBsx40MBs internet, I think a sub 5-6 meg ISO style file, which would DOWNLOAD in milliseconds, could contain a whole other OS, running in a background VM process, before you could blink, it could be unpacking, & then be lying doggo, waiting .....

    (My choice would be a VM of a newer DOS based, BAT file driven monster, easier to hide in a Windows coop ..)

    Which is why I switch off virtualization in the BIOS on my online machines & have 2 networks, the TRUE home one, & the other internet capable, with things only moved between networks on USB drives after careful inspection, but the last virus that got me was on an Amiga, not letting my guard down now ....
