Powerful, highly stealthy Linux trojan may have infected vic

For discussions about security.
James C
Posts: 6618
Joined: Thu 26 Mar 2009, 05:12
Location: Kentucky


#1 Post by James C »

Powerful, highly stealthy Linux trojan may have infected victims for years

http://arstechnica.com/security/2014/12 ... for-years/
Researchers have uncovered an extremely stealthy trojan for Linux systems that attackers have been using to siphon sensitive data from governments and pharmaceutical companies around the world.

The previously undiscovered malware represents a missing puzzle piece tied to "Turla," a so-called advanced persistent threat (APT) disclosed in August by Kaspersky Lab and Symantec. For at least four years, the campaign targeted government institutions, embassies, military, education, research, and pharmaceutical companies in more than 45 countries. The unknown attackers—who are probably backed by a nation-state, according to Symantec—were known to have infected several hundred Windows-based computers by exploiting a variety of vulnerabilities, at least two of which were zero-day bugs. The malware was notable for its use of a rootkit that made it extremely hard to detect.

battleshooter
Posts: 1378
Joined: Wed 14 May 2008, 05:10
Location: Australia

#2 Post by battleshooter »

Interesting. I wonder if it nests itself in an actual hard drive partition or Linux system? I've destroyed so many Pup saves even within a week I don't think it would have had much of a chance on my system unless it operated outside of the actual system.
LMMS 1.0.2 (http://www.murga-linux.com/puppy/viewtopic.php?t=94580), Ardour 3.5.389 (http://www.murga-linux.com/puppy/viewtopic.php?t=94593), Kdenlive 0.9.8 (http://www.murga-linux.com/puppy/viewtopic.php?t=94629)

mikeb
Posts: 11297
Joined: Thu 23 Nov 2006, 13:56

#3 Post by mikeb »

So it's a Linux trojan but came through Windows?????

A bit unclear... and using Windows as a gateway is standard procedure for any naughty stuff anyway...

Mike

Lobster
Official Crustacean
Posts: 15522
Joined: Wed 04 May 2005, 06:06
Location: Paradox Realm

#4 Post by Lobster »

Always glad to hear the international spies 'r us are doing their bit to make black hatting fashionable.

I would remind the terminally paranoid to run Puppy from CD, in a cage, for short periods, and not store the results (so a fresh set-up).

For those who do not care that much, run as root, Puppy style and have a good laugh . . .

. . . And yes, I did write the Growl Security program for Puppy and never use it . . . 8)
Puppy Raspup 8.2Final 8)
Puppy Links Page http://www.smokey01.com/bruceb/puppy.html :D

Lobster
Official Crustacean
Posts: 15522
Joined: Wed 04 May 2005, 06:06
Location: Paradox Realm

#5 Post by Lobster »

Yes, it really is me impersonating a crustacean . . . see below . . . I am back from the AI computer Paradox realm for a short visit, from where penguins and crustaceans are just part of the cloud . . . :roll:
Last edited by Lobster on Tue 09 Dec 2014, 13:11, edited 1 time in total.
Puppy Raspup 8.2Final 8)
Puppy Links Page http://www.smokey01.com/bruceb/puppy.html :D

battleshooter
Posts: 1378
Joined: Wed 14 May 2008, 05:10
Location: Australia

#6 Post by battleshooter »

Lobster! No way mate, haven't seen you in ages! Welcome back!
LMMS 1.0.2 (http://www.murga-linux.com/puppy/viewtopic.php?t=94580), Ardour 3.5.389 (http://www.murga-linux.com/puppy/viewtopic.php?t=94593), Kdenlive 0.9.8 (http://www.murga-linux.com/puppy/viewtopic.php?t=94629)

8Geee
Posts: 2181
Joined: Mon 12 May 2008, 11:29
Location: N.E. USA

#8 Post by 8Geee »

The Linux branch of the virus. Note the coding in C/C++, which is common.
Like its Windows counterparts, the Linux trojan is extremely stealthy. It can't be detected using the common netstat command. To conceal itself, the backdoor sits dormant until attackers send it unusually crafted packets that contain "magic numbers" in their sequence numbers. The malware may have sat unnoticed on at least one victim computer for years, although Kaspersky Lab researchers still have not confirmed that suspicion. The trojan is able to run arbitrary commands even though it requires no elevated system privileges.

"It's a very interesting piece of code," Baumgartner said. "Not only does it run on Linux, but you can't detect it in the usual ways."

Even a regular user with limited privileges can launch it, allowing it to intercept traffic and run commands on infected machines. Capabilities include the ability to communicate with servers under the control of attackers and functions allowing attackers to run commands of their choice and perform remote management.

Even after its discovery, the Linux component remains a mystery. The underlying executable file is written in the C and C++ languages and contains code from previously written libraries, a property that gives the malicious file self-reliance. The code is also stripped of symbol information, making it hard for researchers to reverse engineer or analyze. As a result, Baumgartner said the trojan may have capabilities that have not yet been uncovered.
Linux user #498913 "Some people need to reimagine their thinking."
"Zuckerberg: a large city inhabited by mentally challenged people."
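The quoted article says the backdoor "can't be detected using the common netstat command" and sits dormant until specially crafted packets arrive. The defender's takeaway is that netstat only lists TCP/UDP sockets, so a backdoor that never binds a port is invisible there. The script below is an added example, not code from the article, Kaspersky, or anyone in this thread; it assumes such a backdoor waits for its packets on a packet-capture (AF_PACKET) socket, which the kernel still exposes in /proc/net/packet, and it maps any raw "all frames" socket back to the process that holds it. The /proc/net/packet text embedded in it is a constructed sample.

```python
"""Added example: list packet-capture sockets that netstat's TCP/UDP views never
show, and resolve them to owning processes. Assumption (not stated by the
article): a port-less "wait for magic packets" backdoor holds an AF_PACKET
socket. The sample /proc text at the bottom is constructed for this demo."""
import os
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

ETH_P_ALL = 0x0003   # Proto column value meaning "every frame on the interface"
SOCK_RAW = 3         # Type column value for a raw packet socket


@dataclass
class PacketSocket:
    sock_type: int
    proto: int
    iface: int
    user: int
    inode: int
    pid: Optional[int] = None
    comm: Optional[str] = None

    @property
    def is_all_frames_sniffer(self) -> bool:
        # A raw socket on ETH_P_ALL sees every frame, which is what a passive
        # backdoor needs and exactly what netstat never lists.
        return self.sock_type == SOCK_RAW and self.proto == ETH_P_ALL


def parse_proc_net_packet(text: str) -> List[PacketSocket]:
    """Parse /proc/net/packet. Columns: sk RefCnt Type Proto Iface R Rmem User Inode."""
    sockets = []
    for line in text.splitlines()[1:]:          # first line is the header
        cols = line.split()
        if len(cols) < 9:
            continue
        sockets.append(PacketSocket(
            sock_type=int(cols[2]),
            proto=int(cols[3], 16),             # Proto is printed as 4 hex digits
            iface=int(cols[4]),
            user=int(cols[7]),
            inode=int(cols[8]),
        ))
    return sockets


def map_inodes_to_pids(sockets: Iterable[PacketSocket], proc_root: str = "/proc") -> None:
    """Resolve socket inodes to processes via /proc/<pid>/fd (root is needed to
    read other users' fd tables; unresolved entries keep pid=None)."""
    wanted = {s.inode: s for s in sockets}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if m and int(m.group(1)) in wanted:
                sock = wanted[int(m.group(1))]
                sock.pid = int(pid)
                try:
                    with open(os.path.join(proc_root, pid, "comm")) as f:
                        sock.comm = f.read().strip()
                except OSError:
                    sock.comm = None


def find_sniffers(text: str) -> List[PacketSocket]:
    """Return only the raw ETH_P_ALL sockets from a /proc/net/packet dump."""
    return [s for s in parse_proc_net_packet(text) if s.is_all_frames_sniffer]


# Constructed sample: a DGRAM socket (as a DHCP client might hold) and one raw
# ETH_P_ALL socket owned by uid 1000, the kind a dormant backdoor would keep open.
SAMPLE_PROC_NET_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff8800361e0000 3      2    0800   2     1 0        0      18211
ffff88003a5f0c00 3      3    0003   2     1 0        1000   24597
"""

if __name__ == "__main__":
    source = "/proc/net/packet"
    if os.path.exists(source):
        with open(source) as f:
            dump = f.read()        # live system
    else:
        dump = SAMPLE_PROC_NET_PACKET   # offline demo (inodes will not resolve)
    hits = find_sniffers(dump)
    map_inodes_to_pids(hits)
    for h in hits:
        print(f"raw ETH_P_ALL socket inode={h.inode} uid={h.user} "
              f"pid={h.pid} comm={h.comm}")
```

Run it as root on a live box to see real entries. Legitimate tools (tcpdump, some network managers) hold the same kind of socket, so the output is a triage list rather than a verdict: an entry whose inode resolves to no process you can see, or to an unexpected binary, is the one to look at more closely. `ss -0 -p` gives a similar view without the script.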

mikeb
Posts: 11297
Joined: Thu 23 Nov 2006, 13:56

#9 Post by mikeb »

OK, it's been used against Windows machines.

So how does it get into a Linux machine?

mike

bark_bark_bark
Posts: 1885
Joined: Tue 05 Jun 2012, 12:17
Location: Wisconsin USA

#10 Post by bark_bark_bark »

mikeb wrote: OK, it's been used against Windows machines.

So how does it get into a Linux machine?

mike
I don't know how it would get on a Linux computer.

BUT....

If it was from Linux to Windows, then the easy answer is the ntfs-3g driver.
....

mikeb
Posts: 11297
Joined: Thu 23 Nov 2006, 13:56

#11 Post by mikeb »

If it was from Linux to Windows, then the easy answer is the ntfs-3g driver.
In what way? I mean, apart from deliberate human action?

mike

bark_bark_bark
Posts: 1885
Joined: Tue 05 Jun 2012, 12:17
Location: Wisconsin USA

#12 Post by bark_bark_bark »

mikeb wrote:
If it was from Linux to Windows, then the easy answer is the ntfs-3g driver.
In what way? I mean, apart from deliberate human action?

mike
The ntfs-3g driver provides access to Windows file systems.

I am not saying the driver is the problem and that the malware is exploiting it. I am saying that the driver opens the gate to the file system of a vulnerable OS (Windows).
....

mikeb
Posts: 11297
Joined: Thu 23 Nov 2006, 13:56

#13 Post by mikeb »

But it's not going to leap out by itself.

All these threats, but no one mentions how exactly they get on yer system... or if they ever do. This one only mentions ACTUAL contamination of Windows operating systems.

The only caution in this case might be: don't run Wine as root and add IE to it, and that's a long shot.

A Windows executable written in C will still only affect Windows... why would there be an ELF (Linux) build present on Windows?

mike

Sky Aisling
Posts: 1368
Joined: Sat 27 Jun 2009, 23:02
Location: Port Townsend, WA. USA

#14 Post by Sky Aisling »

bark_bark_bark writes:
If it was from Linux to Windows, then the easy answer is the ntfs-3g driver.
Can you explain this a bit more?

Thank you.

8Geee
Posts: 2181
Joined: Mon 12 May 2008, 11:29
Location: N.E. USA

#15 Post by 8Geee »

I would also like to ask if WINE is susceptible, as it's a Linux<--->windoez bridge.
Linux user #498913 "Some people need to reimagine their thinking."
"Zuckerberg: a large city inhabited by mentally challenged people."

cthisbear
Posts: 4422
Joined: Sun 29 Jan 2006, 22:07
Location: Sydney Australia

#16 Post by cthisbear »

Talking about Trojans and El Lobster is back after years of neglect.

Coincidence???

Welcome back mate....Chris.

Burn_IT
Posts: 3650
Joined: Sat 12 Aug 2006, 19:25
Location: Tamworth UK

#17 Post by Burn_IT »

You completely misinterpreted that sentence about Windows.

It did NOT say it got in through Windows; it said it got in in a manner similar to the one used to infect Windows.
Like its Windows counterparts, the Linux trojan is extremely stealthy. It can't be detected using the common netstat command.
"Just think of it as leaving early to avoid the rush" - T Pratchett

mikeb
Posts: 11297
Joined: Thu 23 Nov 2006, 13:56

#18 Post by mikeb »

I am just trying to get concrete information.
It did NOT say it got in through Windows; it said it got in in a manner similar to the one used to infect Windows.
That in itself is so vague it's meaningless. And what about viral gateways in Windows that do not exist on Linux, for starters... I am very curious about what 'similar' method they are talking about.

'May have infected' means nothing... hence my assumption that there are only known Windows infections. That sounds like journalistic speculation.

I ask questions to get answers... still waiting for someone to decipher this into the real world and how it affects Linux, so we can defend against it IF it is a real threat.

mike

mikeb
Posts: 11297
Joined: Thu 23 Nov 2006, 13:56

#19 Post by mikeb »

The malware may have sat unnoticed on at least one victim computer for years, although Kaspersky Lab researchers still have not confirmed that suspicion.
Again, there is not even one definite in there.

It tells you it exists and what it can do, but no confirmation of its use and nothing about how it's supposed to get there.

mike

Burn_IT
Posts: 3650
Joined: Sat 12 Aug 2006, 19:25
Location: Tamworth UK

#20 Post by Burn_IT »

"And what about viral gateways in Windows that do not exist on Linux, for starters."

I'm curious as to what they mean by this as well. (Not taking sides here!)
"Just think of it as leaving early to avoid the rush" - T Pratchett
