Powerful, highly stealthy Linux trojan may have infected vic

mikeb
Posts: 11297
Joined: Thu 23 Nov 2006, 13:56

#31 Post by mikeb »

The ONLY reason I bought my first computer WAS because I was so bad with a typewriter and I needed to make a CV fast.....

Commodore Plus/4, by the way, and a dot matrix printer... was dirt cheap from Comet (they used to sell out returns and I seemed to get lucky :D )

I love the back space and spell checkers :)

mike

Sky Aisling
Posts: 1368
Joined: Sat 27 Jun 2009, 23:02
Location: Port Townsend, WA. USA

#32 Post by Sky Aisling »

If such a packet is received and the condition check is successful, execution jumps to the packet payload contents, and it creates a regular socket. The backdoor handles this socket as a file with read/write operations. It's not the typical recv/send used in this code. It uses this new socket to connect to the source address of the "magic packets". Then it reports its own PID and IP to the remote address, and starts an endless loop for receiving remote commands. When a command arrives, it is executed with a "/bin/sh -c " script.

Where would the "/bin/sh -c " script be housed?

A noob question. Would this script appear in a Puppy file system, like in startup or /bin?


:D smile, go Musher0, go!
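As the quoted description has it, the command arrives over the socket and is handed to `/bin/sh -c` as an argument, so there is no script file sitting in startup or /bin to look for. What a listener for "magic packets" does need is a way to see frames that no normal service is listening for; on Linux that usually means an AF_PACKET socket (the quoted text does not say how this sample receives the packets, so that is an assumption here). The Python below is an added example, not code from this thread or from the analysis being quoted: it parses /proc/net/packet, maps each packet socket to its owning process through /proc/<pid>/fd, and flags sockets bound to ETH_P_ALL, which see every frame on the interface. The sample /proc/net/packet table and the process names (including "kworker_helper", invented to look like a kernel thread) are constructed for the offline run.

```python
"""Inventory AF_PACKET sockets on a Linux host and map them to owning processes.

The kernel lists every packet socket in /proc/net/packet together with its inode;
the owner is whichever /proc/<pid>/fd entry links to "socket:[<inode>]".
"""
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ETH_P_ALL = 0x0003  # bound to every ethertype: sees all frames on the interface

# Constructed sample of /proc/net/packet; the live file has exactly these columns.
SAMPLE_PROC_NET_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff8a2b 3      3    0003   2     1 0      0      48211
ffff8a2c 3      2    0800   2     1 0      0      48390
"""

# Constructed inode -> (pid, comm) map standing in for a walk of /proc/<pid>/fd.
# "kworker_helper" is an invented process name chosen to look like a kernel thread.
SAMPLE_OWNERS: Dict[int, Tuple[int, str]] = {
    48211: (5150, "kworker_helper"),
    48390: (4242, "dhclient"),
}


@dataclass
class PacketSocket:
    inode: int
    sock_type: int      # 2 = SOCK_DGRAM (cooked), 3 = SOCK_RAW (link layer)
    proto: int          # ethertype: 0x0003 = ETH_P_ALL, 0x0800 = IPv4 only
    ifindex: int
    uid: int
    pid: Optional[int] = None
    comm: Optional[str] = None


def parse_proc_net_packet(text: str) -> List[PacketSocket]:
    """Parse the /proc/net/packet table: a header line, then one row per socket."""
    socks = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 9:
            continue
        socks.append(PacketSocket(inode=int(f[8]), sock_type=int(f[2]),
                                  proto=int(f[3], 16), ifindex=int(f[4]), uid=int(f[7])))
    return socks


def socket_owners_from_proc(proc_root: str = "/proc") -> Dict[int, Tuple[int, str]]:
    """Map socket inodes to (pid, comm) by reading /proc/<pid>/fd links.
    Run as root to see every process; otherwise only your own show up."""
    owners: Dict[int, Tuple[int, str]] = {}
    for pid in (p for p in os.listdir(proc_root) if p.isdigit()):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if not m:
                continue
            try:
                with open(os.path.join(proc_root, pid, "comm")) as fh:
                    comm = fh.read().strip()
            except OSError:
                comm = "?"
            owners[int(m.group(1))] = (int(pid), comm)
    return owners


def report(text: str, owners: Dict[int, Tuple[int, str]]):
    """Attach owners to each packet socket; return (all sockets, ETH_P_ALL sockets).
    ETH_P_ALL is what tcpdump uses and what a magic-packet listener needs, so any
    flagged socket whose owner is not a capture tool you know deserves a closer look."""
    socks = parse_proc_net_packet(text)
    for s in socks:
        s.pid, s.comm = owners.get(s.inode, (None, None))
    return socks, [s for s in socks if s.proto == ETH_P_ALL]


if __name__ == "__main__":
    if os.path.exists("/proc/net/packet"):   # live host
        with open("/proc/net/packet") as fh:
            text, owners = fh.read(), socket_owners_from_proc()
    else:                                    # offline demo on the constructed sample
        text, owners = SAMPLE_PROC_NET_PACKET, SAMPLE_OWNERS
    for s in report(text, owners)[0]:
        mark = "!!" if s.proto == ETH_P_ALL else "  "
        print(f"{mark} inode={s.inode} type={s.sock_type} proto=0x{s.proto:04x} "
              f"if={s.ifindex} uid={s.uid} pid={s.pid} comm={s.comm}")
```

On the constructed sample the dhclient socket is bound to IPv4 only and is ordinary, while the ETH_P_ALL socket owned by "kworker_helper" is the one an analyst would go and look at. On a live host run it as root, and compare what is flagged against the capture tools you expect to be running.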

greengeek
Posts: 5789
Joined: Tue 20 Jul 2010, 09:34
Location: Republic of Novo Zelande

#33 Post by greengeek »

I think it pays to remember that every network port using TCP/IP was designed according to a seven-layer OSI model using protocols designed for US military use. Allocation of MAC addresses unique to each interface is done for a reason.
Do we as individuals control TCP/IP protocols? No. Do we write and control Unix functionality? No. Do we control the actions of the BIOS? No. There are so many ways such a portal could become ingrained in our systems.

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#34 Post by rufwoof »

greengeek wrote:I think it pays to remember that every network port using TCP/IP was designed according to a seven-layer OSI model using protocols designed for US military use. Allocation of MAC addresses unique to each interface is done for a reason.
Do we as individuals control TCP/IP protocols? No. Do we write and control Unix functionality? No. Do we control the actions of the BIOS? No. There are so many ways such a portal could become ingrained in our systems.
One commercially available example being: https://www.realvnc.com/products/viewerplus/

Computers with particular Intel® Core™ vPro™ processors enjoy the benefit of a VNC-compatible Server embedded directly onto the chip, enabling permanent remote access and control. A RealVNC™ collaboration with Intel's ground-breaking hardware has produced VNC Viewer Plus, able to connect even if the computer is powered off, or has no functioning operating system.

mikeb
Posts: 11297
Joined: Thu 23 Nov 2006, 13:56

#35 Post by mikeb »

Hmm, could be, but is it? You are free to examine the software providing TCP/IP anytime.... one of the small joys of open source. It's not a huge piece of coding either. Funny, if you check out that bit of Windows code you will see some familiar chunks too .......

mike

8Geee
Posts: 2181
Joined: Mon 12 May 2008, 11:29
Location: N.E. USA

#36 Post by 8Geee »

So if I read this correctly, the malware is very small (650 KB), taps into EXISTING structure, and is a stripped binary. Good luck reverse-engineering this one. Chunks of this snake are in various parts of different files; only when the magic code appears does it reveal itself. If parts of this beast are in WINE, and WINE does not close fully or properly, I suspect the bridge to Linux is built. It might even figure out how to make a nano-drive out of itself disguised as management software in a USB stick, for example. I rule nothing out.

Edited: for those of us that glazed over rufwoof's last paragraph, this is taken directly from the link to Intel, owners of this unique ability.
Out-of-band KVM

Technicians no longer need rely on a functioning operating system and network drivers to take control of a computer. VNC Viewer Plus can connect to a supported computer with Intel® Core™ vPro™ technology out-of-band, so that more complex issues, such as OS failures and boot problems, can be diagnosed remotely. Without the need to take a desk-side trip, productivity increases and users experience less downtime.
Intel® Fast Call for Help

With appropriate infrastructure and configuration, VNC Viewer Plus can act as the management console in a Fast Call for Help session, automatically establishing a secure connection back out to a computer over the Internet, and enabling a technician to take control.
Remote reboot

Even if it is possible to obtain an out-of-band remote control session, a computer may not respond to keyboard or mouse input. VNC Viewer Plus can perform a hardware reset, allowing a technician to resume diagnosis without a desk-side visit.
Remote power on/off

With the increasing emphasis on energy saving, many users turn off their computers before leaving work for the day. This can make a technician's job difficult if out-of-hours maintenance is required. VNC Viewer Plus can power a machine up and down again as required, providing a simple solution to this common problem.
Linux user #498913 "Some people need to reimagine their thinking."
"Zuckerberg: a large city inhabited by mentally challenged people."

mikeb
Posts: 11297
Joined: Thu 23 Nov 2006, 13:56

#37 Post by mikeb »

Ok I understand some people need to have something to needlessly worry about .
That's ok just keep it to yourselves....

mike

greengeek
Posts: 5789
Joined: Tue 20 Jul 2010, 09:34
Location: Republic of Novo Zelande

#38 Post by greengeek »

mikeb wrote:Ok I understand some people need to have something to needlessly worry about .
The key word is 'worry'. There is no point in worrying. Just accept the fact that smart people and foreign governments can read our information. They've got plenty of opportunities to do it once we start sending data over the internet.

But why worry? Sure, take steps to minimise their opportunities, but unless we design the hardware, bios, firmware and kernel ourselves then there are plenty of things we have to take for granted...

It was always a joke to say that Open Source is bulletproof just because "many eyes look over the code". We know how powerful 'nix is and it is obviously possible for the code to have hidden unspotted bugs for years. Most of the hardware we use is proprietary and contains god-knows-what capabilities.

There's always backdoors. Most people don't worry. That's why they use Android so freely.

mikeb
Posts: 11297
Joined: Thu 23 Nov 2006, 13:56

#39 Post by mikeb »

If something has been looked over for years that would suggest little is hidden.

'Worry' would only be concerned with yer machine being messed up.... that's the sort of threat I am interested in.

If someone wants to know what I ate for breakfast and stores that amongst mega quads of data then they are sad gits and who cares :D

Now about censorship......

mike

Burn_IT
Posts: 3650
Joined: Sat 12 Aug 2006, 19:25
Location: Tamworth UK

#40 Post by Burn_IT »

The thing about the many looked over it is.....

chances are that half didn't understand so skipped checking it...

and the other half probably thought it was too trivial and skipped it.

and the other half thought the first halves had checked it for errors.
"Just think of it as leaving early to avoid the rush" - T Pratchett

greengeek
Posts: 5789
Joined: Tue 20 Jul 2010, 09:34
Location: Republic of Novo Zelande

#41 Post by greengeek »

Burn_IT wrote:chances are that half didn't understand so skipped checking it...
and the other half probably thought it was too trivial and skipped it.
and the other half thought the first halves had checked it for errors.
Three halfs = buffer overflow exploit.
:-)

Burn_IT
Posts: 3650
Joined: Sat 12 Aug 2006, 19:25
Location: Tamworth UK

#42 Post by Burn_IT »

Quicker than I expected.

I did think of an empty post, but that wasn't accepted.
"Just think of it as leaving early to avoid the rush" - T Pratchett

mikeb
Posts: 11297
Joined: Thu 23 Nov 2006, 13:56

#43 Post by mikeb »

You can sniff my connection for bad jokes and decipher me https activity for random info to login with if yer like.... once you get through that you are welcome to the 15 quid in my account :D

mike

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#44 Post by rufwoof »

greengeek wrote:There's always backdoors. Most people don't worry
Exactly. Unless you're a high profile individual - there ain't much point in worrying.

Thieves will likely target easier options. If they want your credit card/bank details they'd set up a web site selling a wanted item at a bargain price and collect card details that way. Or get a job in a petrol station and intercept the card reader. Or go for the banks server. [Financial]

If the intent is to cause damage, crash as many PC's as possible such that many have to reinstall their op system etc, then for puppy frugal users that's very low impact upon the user (provided data has been backed up, reinstalling a new puppy takes minutes (seconds)). [Damage]

If they want personal details they'll set up a bogus 'great job' and collect details that way (CVs). [Identity theft]

Those sorts of things will always go on - and providing you're aware of such risks you're less likely to fall foul of such attacks.

mikeb
Posts: 11297
Joined: Thu 23 Nov 2006, 13:56

#45 Post by mikeb »

Well my old soapbox...without the glaring windows gateways life on the net has been safe for 10 years now.... and linux does not have them anyway.
They bringeth the damage and mad popups mainly.

Anything beyond those is hard work, and who is going to bother for a pile of potentially useless info when, as mentioned, there are far more effective methods.... I did get one PayPal email that was waaay too convincing..... just stopped in time.

If the dodgy ones around were that smart they would be running some smart business or hacking Barclays Bank directly, wouldn't they :D
Those Windows gateways are so well known a 4-year-old that has been in suspended animation since 1998 could use them.

mike


Spammers do seem to get emails a bit too easily....via the likes of eBay and such.... once upon a time not having it all over yer webpage and giving it to dodgy geezers was enough. Don't get much junk mail ...one or 2 a day, but it used to be none.

gjuhasz
Posts: 422
Joined: Mon 29 Sep 2008, 14:28

Why to worry about

#46 Post by gjuhasz »

If someone wants to know what I ate for breakfast and stores that amongst mega quads of data then they are sad gits and who cares :D
Stands for: you are surely among the ducky preys in hackers' crosshairs.
"Distributed Denial of Service (DDoS) is a type of DoS attack where multiple compromised systems -- which are usually infected with a Trojan -- are used to target a single system (a high-profile web server such as bank, credit card payment gateway, and even root nameserver etc.), causing a Denial of Service (DoS) attack. Victims of a DDoS attack consist of both the end targeted system and all systems maliciously used and controlled by the hacker in the distributed attack.
In a DDoS attack, the incoming traffic flooding the victim originates from many different sources – potentially hundreds of thousands or more. This effectively makes it impossible to stop the attack simply by blocking a single IP address; plus, it is very difficult to distinguish legitimate user traffic from attack traffic when spread across so many points of origin."
Have fun!

Regards,

gjuhasz

mikeb
Posts: 11297
Joined: Thu 23 Nov 2006, 13:56

#47 Post by mikeb »

But this is not happening..... so perhaps not quite the easy target you would like us all to be...sorry to disappoint and all.
I have security measures... just not the ones most are hiding behind.

'I believe we are all infected' is just groundless scaremongering. Just one person's non-technical opinion based on reading too much web garbage.

Only data gathering I will be part of are those joyous cookies and associated websites who want to know where I have been and what I like to buy.......

Your attempts to make me as paranoid as you are not working.....
Especially on a linux forum...borders on the insulting...

mike

mikeb
Posts: 11297
Joined: Thu 23 Nov 2006, 13:56

#48 Post by mikeb »

I am also getting pretty bored of this thread and similar ones, since once again no one has given one tangible shred of evidence that this is happening on Linux and how exactly such contaminations can take place.

Mike

neerajkolte
Posts: 516
Joined: Mon 10 Feb 2014, 07:05
Location: Pune, India.

#49 Post by neerajkolte »

One thing I like about spammers though....

When I open my mail inbox, I find:

10 banks are giving me easy loans.

I have won GBP 10000000 and USD 500000 for unknown reasons.

10 Job companies have best jobs for me.

5 matrimonial sites have most suited matches for me.

Dr. XXX has claimed that he will cure my hair fall & greying.

3 universities are giving me degrees in random subjects.

Approx. 200 mails from Priya, Payal, & Neha who are feeling lonely and want to meet me.

All this kind of lifts my spirits when I am feeling down.

Thanks.

- Neeraj.
"One of my most productive days was throwing away 1000 lines of code."
- Ken Thompson

“We tend to overestimate the effect of a technology in the short run and underestimate the effect in the long run.”
- Amara’s Law.

rokytnji
Posts: 2262
Joined: Tue 20 Jan 2009, 15:54

#50 Post by rokytnji »

I don't g-a-s either but I did post a link on what door was open.
Nobody read it. As usual. :roll:

http://www.murga-linux.com/puppy/postin ... ESC#813980
