ACHTUNG! Scary Linux system backdoor turns boxes into DDoS droids

Cybercrooks have cooked up a backdoor for Linux-powered systems that boasts multiple malicious functions. The Swiss Army Knife-style malware – dubbed Xnote.1 by Russian anti-virus company Doctor Web – can be used as a platform to mount distributed denial-of-service attacks and other evil activities. To spread the software …

  1. Anonymous Coward

    Shittt!!!

    Wondered why my hard drive light was coming on for no reason!!!

  2. Jim 59

    It needs a cool name. Heartbleed, shellshock, err...

    1. dogged

      crapsticks?

    2. Dabooka

      FuckSOCKS?

      1. psychonaut

        name it after the traditional submariners' "device" for autopleasure. wankSOCKS

        1. Big Safari

          You Mean

          StorySucks ?

  3. sjs298

    Brute force of SSL not SSH

    I think something went wrong with the translator...

    The original Russian says that it brute-forces SSH (which isn't uncommon): http://vms.drweb.com/virus/?i=4323517

    1. diodesign (Written by Reg staff) Silver badge

      Re: Brute force of SSL not SSH

      Yup - just revised the copy. SSL didn't look right.

      C.

  4. Skymonrie

    Nothing to see, move on

    So, in order to get this backdoor on they must have to already have root access...really???

    Got bigger problems if that is what happens

  5. Jim 59

    @Reg The page says nothing about the attack vector except a vague "mounts a brute force attack to establish an SSL connection with a target machine.". What does that mean ? SSH ? https ? Not much use without details.

    1. Flocke Kroes Silver badge

      To catch this malware ...

      The original Russian disclosure says SSH, not SSL, so step one is to install and enable SSH, on a port where people can find it. This is a terrible idea on any machine visible on the internet because the machine will be found and hit with a continuous stream of login requests attempting to find an account by brute force. Although this stands no chance of success with even basic precautions, it does waste a little CPU time and lots of network bandwidth. (The most popular way to avoid the network traffic is to set up port knocking.)

      Next, you will have to make some changes to /etc/ssh/sshd_config. The one that is definitely required is 'PasswordAuthentication yes', otherwise all attempts to log in with a password will fail (sshd should be set up to require one type of public key authentication, and have all other methods disabled). You can save the crackers some time with 'PermitRootLogin yes'. Without that, the cracker will need to use some sort of privilege escalation - which a competent cracker probably knows. Next you need an account with a password that was not created with a random character generator. If you permitted people to log in as root, make sure you set root's password to a word or two out of the dictionary, swapping i to 1 and o to 0. You can save some network bandwidth by using the most popular password: 123456. (Logging in as root should require logging in as an ordinary user, then upgrading to root access).

      Next up, this malware requires a bash script in /etc/init.d/ to install itself. The vast majority of them are sh scripts, but I did find a couple of bash scripts. The malware is looking for '#!/bin/bash', which is the way to specify the bash interpreter in Linux. The BSDs require '#! /bin/bash', and Linux accepts that too for compatibility. You can trip up this version 1 installer by adding a space to bash scripts in /etc/init.d/ - if you have any.

      The translation of the incident page said something about using a virus scanner to detect infection. I stopped reading at that point because the advice is clearly bollocks. If you installed and configured sshd to use the ssh port and password authentication with a brute forceable root password then your computer will be infected with something that can hide from any virus scanner running on the computer. You might be able to find the malware by pulling out the hard disk, putting it in a USB enclosure, attaching it to a different computer and comparing it to your backup.

      I think the biggest barrier to catching this malware is that something more nasty will get in first and close up the configuration errors before everyone and his dog pwns the machine.
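The sshd_config settings and the /etc/init.d shebang check described in the comment above, turned into a small audit script. This is an added example, not the commenter's code nor anything from Doctor Web; the sample config and the init-script first lines are constructed, and on a real host you would feed it /etc/ssh/sshd_config and the first line of each file in /etc/init.d.

```python
import re

# Constructed sample sshd_config (not taken from any real host)
SAMPLE_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no   # ignored: sshd keeps the first occurrence
PubkeyAuthentication yes
"""

# Constructed first lines of some /etc/init.d scripts
SAMPLE_INIT_SHEBANGS = {"ssh": "#!/bin/sh", "firewall": "#!/bin/bash", "backup": "#! /bin/bash"}

def parse_sshd_config(text):
    """Map lowercased keyword -> value. sshd honours the first occurrence of a
    keyword; directives after a Match line are conditional and skipped here."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # "key value" or "key=value"
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) == 2:
            opts.setdefault(key, parts[1].strip().lower())
    return opts

def audit_sshd(opts):
    """Report the two weak settings the comment above describes."""
    findings = []
    if opts.get("permitrootlogin") == "yes":
        findings.append("PermitRootLogin yes: root can be brute-forced directly")
    if opts.get("passwordauthentication", "yes") == "yes":  # sshd's default is yes
        findings.append("PasswordAuthentication not disabled: password guessing possible")
    return findings

def bash_init_scripts(shebangs):
    """Names whose first line is the no-space '#!/bin/bash' form the comment says the installer wants."""
    return sorted(n for n, first in shebangs.items() if first.startswith("#!/bin/bash"))

if __name__ == "__main__":
    for finding in audit_sshd(parse_sshd_config(SAMPLE_SSHD_CONFIG)):
        print("WEAK:", finding)
    print("bash init scripts:", bash_init_scripts(SAMPLE_INIT_SHEBANGS))
```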

      1. Big Safari

        So ?

        "Bad passwords invite hackers "

        "Popes often catholic"

        "Bears..woods"

        As I said: Dollarsoft Info-Op.

        1. Anonymous Coward

          Re: So ?

          "Russians are in our Crimea"

      2. Colin Miller

        Re: To catch this malware ...

        You can also use fail2ban.

        This is a small script that monitors your logs, for N occurrences of regexp X in Y seconds, from the same IP number. If this is reached, then it carries out an action, and a second action after Z seconds.

        By default it monitors /var/log/auth.log, looking for ssh login failures (either wrong password, or non-existent/no-login user). If this occurs 5 times in 10 minutes, then it will invoke iptables to block all incoming traffic from that IP number to your ssh server, and then automatically unban it 10 minutes later. It can also be set to email you an alert.

        It is possible to have it monitor itself, so if the same IP address gets banned 5 times in a day, they get a week's ban (tweak to your inner BOFH's content).
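The N-failures-in-Y-seconds rule the comment above describes (5 ssh login failures from one IP in 10 minutes, ban for 10 minutes), run over a constructed auth.log excerpt. This is an added example, not fail2ban's own code: the log lines are made up, and the timestamps carry no year because syslog's don't.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed /var/log/auth.log excerpt (syslog timestamps carry no year); not from a real host
SAMPLE_AUTH_LOG = """\
Feb 10 03:14:01 host sshd[2201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Feb 10 03:14:03 host sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 51235 ssh2
Feb 10 03:14:05 host sshd[2205]: Invalid user oracle from 203.0.113.7 port 51236
Feb 10 03:14:08 host sshd[2207]: Failed password for root from 203.0.113.7 port 51237 ssh2
Feb 10 03:14:09 host sshd[2208]: Accepted publickey for alice from 198.51.100.4 port 40000 ssh2
Feb 10 03:14:11 host sshd[2209]: Failed password for root from 203.0.113.7 port 51238 ssh2
Feb 10 03:20:00 host sshd[2250]: Failed password for root from 203.0.113.7 port 51239 ssh2
Feb 10 03:40:00 host sshd[2300]: Failed password for root from 198.51.100.9 port 60000 ssh2
"""

# "Regexp X": a wrong password, or a login for a non-existent user, with the source IP
FAIL_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"(?:Failed password for|Invalid user) .*?from (?P<ip>\d+(?:\.\d+){3})")

def scan_auth_log(text, maxretry=5, findtime=600, bantime=600):
    """Return [(ip, banned_at, unban_at)]: maxretry failures within findtime seconds
    from one IP bans it for bantime seconds; lines from a banned IP are ignored."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # ip -> failure timestamps inside the window
    banned_until = {}
    bans = []
    for line in text.splitlines():
        m = FAIL_RE.search(line)
        if not m:
            continue
        ip = m.group("ip")
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        if ip in banned_until and ts < banned_until[ip]:
            continue              # the firewall rule would have dropped this
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # forget failures older than Y seconds
        if len(q) >= maxretry:
            until = ts + timedelta(seconds=bantime)
            banned_until[ip] = until
            bans.append((ip, ts, until))
            q.clear()
    return bans

if __name__ == "__main__":
    for ip, at, until in scan_auth_log(SAMPLE_AUTH_LOG):
        print(f"{at:%b %d %H:%M:%S} ban {ip} until {until:%H:%M:%S}")
```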

        1. Colin Miller

          Re: To catch this malware ...

          And in the name of everything that is sensible, turn off root ssh login — always login via a normal user and use su / sudo to become root.

  6. Craig 2

    Yes, the article doesn't really specify how you get infected and whether it needs human intervention.

    How are people supposed to effectively troll the security or lack thereof in their chosen favourite OSs without the full details!?

  7. CAPS LOCK

    This is a very poor article.

    Vague to the point of being misleading and really without substance. Why El Reg.? I think we should be told.

    1. Mark Allen

      Re: This is a very poor article.

      Why did El Reg post this? Because all the AV companies create these stories if you watch. An obscure virus will have been found by one of the anti-virus companies and they put out a "Security Warning" which should really just say "Press Release" or "Advert for our product".

      Almost every time the "answer" to the panic will be to buy protection from the company producing the advert press release.

      This is a classic example as it seems to imply that the hacker needs root access to install his code. Which kind of defeats the point as once you have root you can do what you like, and you certainly would not be copying in the same old code you have used elsewhere. If your hacker can get root, then you can't blame a "virus" for taking down the machine. You blame the sys admin for leaving the door open.

    2. BitDr

      Re: This is a very poor article.

      There seems to be a slight uptick in vague articles about scary exploits in Linux; enough so that I'm beginning to wonder how (or why) they get past the editors. These kinds of "stories" smack of scare tactics that would be more at home in a FUD marketing campaign than in an IT news publication read by professionals & enthusiasts.

  8. sisk

    Eh, no worries

    So, basically, this is either a trojan that has to be run as root (in which case, who in their right mind runs strange software as root) or spreads via SSH attacks by brute forcing their way into root (in which case who in their right mind runs SSH on the default port and doesn't prevent root logins).

    Nothing to see here. Move along.

  9. Valeyard

    self-pwning

    the malware has to be intentionally run with su privileges

    in other words, purely academic

    1. Big Safari

      Not Necessarily

      From a Propaganda point of view, "throw shit and assume some of it will stick", it makes sense.

      Seasoned politicos know and use this tactic.

      1. BitDr

        Re: Not Necessarily

        Or, "Tell a big enough lie and tell it frequently enough, it will be believed"... Hmmm he (who shall not be named) was a politician too.. so same difference I guess.

  10. Big Safari

    Dollarsoft Information Operation

    So it transpires:

    + Virus must run as root. Or "dangerous Bankrobber only needs all keys and access codes to get the job done"

    So Cui Bono ?

    + Those folks who sell competitors to Linux and Android systems.

    + Folks who want to sell craptastic anti-virus products

  11. Crazy Operations Guy

    What exactly is being exploited here?

    Is this a bug in sshd? In which case, what versions of sshd? What can be done to mitigate the threat?

    The Linux ecosystem is pretty large and there are many different ssh and ssl daemons out there. Hell, there are many different branches of the Linux Kernel itself out in the wild, the part that makes it Linux in the first place...

    1. WylieCoyoteUK

      Re: What exactly is being exploited here?

      If you are running an internet server, you should be taking basic precautions to reduce the attack surface.

      I know that default VPS setups are often pretty poor, so if you just set one up thinking "it's Linux, I'll be safe", your server was probably rooted a couple of months ago, right when you put it on the internet with no firewall settings, and a big sign saying " PLEASE ROOT ME".

      1. Big Safari

        @ WylieCoyoteUK: Linux Is Not Windows

        A proper Linux server just exposes ssh initially. Which must be secured by a good password - best use 10 auto-generated characters.

        E.g.

        $ md5sum 200randomhitkeys.txt

        Secondly, the apache (or other server) you chose to run normally has NO ROOT PRIVILEGES. That's a big difference to Windows, which exposes a ton of kernel-level services like SMB. And which need to be hidden behind a firewall. The equivalent Linux (Samba) service can surely be run w/o root privileges.

        Conclusion: Your post is F.U.D.

        1. Destroy All Monsters Silver badge

          Re: @ WylieCoyoteUK: Linux Is Not Windows

          Conclusion: Your post is F.U.D.

          Or it's a post of someone with MS mindset.

        2. jbuk1

          Re: @ WylieCoyoteUK: Linux Is Not Windows

          All correct apart from the fact that the default config on windows 2012 r2 has file sharing disabled by default and the firewall enabled. Hell it doesn't even come with a GUI by default.

          My conclusion is that your post is FUD or you're years behind on your Windows knowledge.

  12. Mikey

    And yet the best part is...

    ...that almost everyone so far has merely scoffed at the very idea of a threat to Linux, and not once suggested that users should go and double check their software to make sure it's all as secure as can be. It only takes one new or clueless user to leave something open by accident and then, whoops, you're now part of the problem.

    Of course, at that point no-one will offer any help or support, just merely scoff again and deride them for such a 'basic' mistake.

    So, to make up for this... any and all intelligent sys-admins and users, do yourselves a favour, and go review your security settings. You can't be too careful now, can you?

    1. Valeyard

      Re: And yet the best part is...

      I agree in principle, but from the information of this specific piece of malware from this article alone (I haven't read about it anywhere else) I don't think action is needed, it seems to take effort to infect yourself, rather than take effort to make yourself safe

    2. Big Safari

      Yeah Boy

      If I were a Windows user running stuff on Linux, I would do it using the root account. After all, that is what Dollarsoft conditioned me to do. "Convenience über alles" or so.

    3. Anonymous Coward

      @Mikey - Re: And yet the best part is...

      I'll give you half of a crumbled brownie for your post. At least you worked hard to present us the two main points Windows users raise when it comes to OS security: Linux users are always feeling smug about the security of their OS and the Linux community horribly abuses those innocents who are looking for support.

      I'll withhold the other half of the brownie because you failed to show us the threat in this particular case.

      1. Destroy All Monsters Silver badge

        Re: @Mikey - And yet the best part is...

        the Linux community horribly abuses those inocents who are looking for support

        And the cat torturing. He never mentioned the cat torturing.

    4. JEDIDIAH

      Re: And yet the best part is...

      > ...that almost everyone so far has merely scoffed at the very idea of a threat to Linux

      That's because there has been no real indication of what to check.

    5. JamesTQuirk

      Re: And yet the best part is...

      Blame Linux ? Even if the Virus was MSWindows based & they had your password or there was none, like a lot of new PC users, the same thing or worse could be done ... So it's a Set-Up issue when u build system, not something you can always do something about, when you look @ it's results later ..

  13. Dan 55 Silver badge

    In other words...

    Scary sounding malware which brute forces systems with administrators silly enough to set things up to allow root to log in remotely on ssh's standard port with only a password and without a certificate or port knocking has to wait in line while other malware does same.

  14. Anonymous Coward

    Should've gone with *BSD

    1. Anonymous Coward

      Nah, it wouldn't work!

      This beast is multiplatform :)

  15. FrankAlphaXII

    If it is some one/some bot brute forcing root using SSH, then the threat footprint has got to be pretty small. Isn't root disabled by default over SSH?

    It's been a while, about a year or so, since I switched from a Linux distribution to using FreeBSD and PC-BSD, but I'm pretty sure none of the major Linux distros will default to allowing something that stupid. So while it is a threat, it's apparently not the nuclear apocalypse that some of my more excitable colleagues told me about earlier because most distributions won't allow that kind of behavior without being configured to do so, unless I'm gravely mistaken.

  16. JoeF

    That explains the number of ssh login attempts

    Yesterday, I noticed an unusually high number of ssh login attempts. This explains it.

    And for the root access, what some commenters seem to miss is that it is much easier to do a brute force root login attack from a local account. A properly configured ssh doesn't allow remote root login.

    1. tom dial Silver badge

      Re: That explains the number of ssh login attempts

      And perhaps a properly configured ssh requires public key authentication for all users, reducing somewhat the brute-force exposure.

      1. P. Lee

        Re: That explains the number of ssh login attempts

        Also, not many places allow outbound SSH connections, so it's likely a VPN will be needed for remote access. That's going to hide the SSH server anyway. Otherwise, there's fail-2-ban, port knocking and other measures which can be used to mitigate brute-force password attacks.

        Perhaps the SSL/SSH confusion comes from people putting ssh on port 443 so that they can get to it by pretending to be HTTPS,

  17. Terry Cloth

    So, El Reg wants to redefine `backdoor'?

    This is the second article in a few weeks with `backdoor' in lights, when it's nothing of the sort---just another piece of malware wanting to get in.
