Inside Adwind: A DIY malware toolkit used by 1,800 crooks to spy on 443k victims

Security researchers have lifted the lid on Adwind – a malware-as-a-service platform which has hit more than 400,000 users and organisations across the globe. The Adwind RAT (remote access tool) is a cross-platform, multifunctional malware program also known as AlienSpy, Frutas, Unrecom, Sockrat, JSocket and jRat, which is …

  1. Rol

    Worryingly

    I have just searched for Adwind on several Linux discussion forums and found no mention.

    There was I, smugly about to pronounce Linux safe for all but the most idiotic of users and, ahem, the silence is deafeningly ominous.

    I know for a fact several Linux aficionados post on ElReg, could you please confirm my belief, that only an utter fool running Linux would be open to an Adwind derived attack.

    1. Electron Shepherd

      Re: Worryingly

      From the linked FAQ:

      "It relies on user interaction: double-clicking the .JAR attachment in the email"

      From many posts on El Reg

      "I set up my husband / wife / partner / S.O. with Ubuntu / Mint / Cinnamon"

      I think you can only be smug if you believe that none of that group of people would ever double-click an enticing attachment in an e-mail.

      1. Rol

        Re: Worryingly

        Yeah, I read the FAQ, but it didn't convince me that a drive-by attack was out of the question, as many people run Java in their browser and could easily click on a malicious app.

        I just assume, Linux is crafted to mitigate such privilege escalations and therefore the whole attack is moot, but I still know too little to be absolutely sure.

        1. edge_e
          Boffin

          Re: Worryingly

          I'm pretty sure that most recent Linux distributions don't install a Java browser plugin by default so the risk of drive-by to husband / wife / partner / S.O. who are unlikely to change this is non-existent.

          1. Wensleydale Cheese
            Stop

            Re: Worryingly

            "I'm pretty sure that most recent Linux distributions don't install a Java browser plugin by default..."

            That's something you should check. I know that a couple of my Linux instances have some kind of Java browser plugin because I installed a particular Java-based software package which uses the browser.

            I don't honestly know whether those plugins came with the Linux distro or the software package involved, so need to check that myself.

        2. Doctor Syntax Silver badge

          Re: Worryingly

          "I just assume, Linux is crafted to mitigate such privilege escalations."

          That would depend on whether anything involved in this runs with root setuid permissions. On a quick rootle round my jvm and browser files I can't see anything but (a) it was a quick look and (b) YMMV.

      2. edge_e
        Facepalm

        Re: Worryingly

        I've no doubt that there are people stupid enough to run an unexpected/unknown attachment despite the hoops that would be placed in their way though.

    2. Mark 85

      Re: Worryingly

      In some ways, you Linux types (and myself included) are like the Apple folks... "we can't get a virus". Once upon a time, that was very true since the malware writers were ignoring anything other than Windows. They've now set their sights on the non-Windows platforms and rely on social engineering. The key is going to be a change of mindset for both Apple and Linux users from "The OS won't let me get a nasty" to "the odds are in my favor but I shouldn't be stupid".

      So I think what the "worrying" part is, isn't the OS, but the person using the keyboard.

    3. Doctor Syntax Silver badge

      Re: Worryingly

      A quick look at my .mozilla/plugins (in Debian 7) revealed a number of links placed to a Java plugin by Crossover Office. Despite Crossover Office supposedly being removed long ago there was a .cxoffice directory containing the library. In addition there was a .netscape/plugins directory containing similar links; the dates suggest that Crossover Office created that entire path. Wine doesn't seem to have set such links.

      There was also a dead link to Java in a long removed LibreOffice 4.2 installation. Subsequent LibreOffice versions don't seem to have set a link.

      With those links removed the relevant Java plugin disappeared from the browser. There's still an Iced Tea plugin but that's set as ask to activate. Iced Tea Java is installed from the Debian repository.

      Of these I only expected Iced Tea. Clearly applications can casually install Java in the browser even if you don't expect it. Vigilance is needed.
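
The manual check described in the comment above, as an added shell example that is not part of the original thread: it scans the two plugin directories mentioned for symlinks and flags dead links and entries that look like a Java plugin. The function names, the filename patterns and the sample tree are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: list Java plugin links in per-user browser plugin directories.
PLUGIN_DIRS=".mozilla/plugins .netscape/plugins"   # the two paths from the comment

# audit_plugins HOME_DIR
# Prints "DANGLING <path> -> <target>" for links whose target is gone, and
# "JAVA <path> -> <target>" for entries whose name or target looks like Java.
audit_plugins() {
    home=$1
    for rel in $PLUGIN_DIRS; do
        dir="$home/$rel"
        [ -d "$dir" ] || continue
        for entry in "$dir"/*; do
            # -L is needed as well: -e is false for a dangling symlink
            [ -e "$entry" ] || [ -L "$entry" ] || continue
            target="-"
            [ -L "$entry" ] && target=$(readlink "$entry")
            if [ -L "$entry" ] && [ ! -e "$entry" ]; then
                echo "DANGLING $entry -> $target"
                continue
            fi
            # Name patterns are an assumption, not an exhaustive list
            case "$(basename "$entry") $target" in
                *libnpjp2*|*IcedTeaPlugin*|*[Jj]ava*)
                    echo "JAVA $entry -> $target" ;;
            esac
        done
    done
}

# Constructed sample tree (not from the thread): two live links into a
# leftover application directory, one dead link, one unrelated plugin file.
make_sample_home() {
    h=$(mktemp -d)
    mkdir -p "$h/.mozilla/plugins" "$h/.netscape/plugins" "$h/.cxoffice/lib"
    : > "$h/.cxoffice/lib/libnpjp2.so"
    ln -s "$h/.cxoffice/lib/libnpjp2.so" "$h/.mozilla/plugins/libnpjp2.so"
    ln -s "$h/.cxoffice/lib/libnpjp2.so" "$h/.netscape/plugins/libnpjp2.so"
    ln -s "$h/gone/libjavaplugin.so" "$h/.mozilla/plugins/libjavaplugin.so"
    : > "$h/.mozilla/plugins/libunrelated.so"
    echo "$h"
}

# With an argument, audit that home directory; without, run on the sample.
if [ $# -gt 0 ]; then
    audit_plugins "$1"
else
    sample=$(make_sample_home); audit_plugins "$sample"; rm -rf "$sample"
fi
```

Run it with a home directory as the only argument to audit a real profile; each reported link target shows which installed or leftover package put the plugin there.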
