Gentoo Forums
A virus for Linux?
Forum: Networking & Security
The_Great_Sephiroth, Veteran
Posted: Tue Nov 27, 2018 12:06 am    Post subject: A virus for Linux?

Been a while since I read anything about Linux viruses, but I saw this today and thought I would share it. I have never, to my knowledge, had a virus bother me in Linux. This includes Redhat 7 (from 2001), Debian 2 through 7, Gentoo, and PCLinuxOS. How would this thing even get onto a system and execute itself?

Nasty new Linux virus
_________________
Ever picture systemd as what runs "The Borg"?
proteusx, Apprentice
Posted: Tue Nov 27, 2018 3:22 am

How does it get in your machine?
The article is probably native advertising for DrWeb.
CooSee, Guru
Posted: Tue Nov 27, 2018 3:32 am

proteusx wrote:
How does it get in your machine?
The article is probably native advertising for DrWeb.


agree - don't believe the hype.
_________________
beQuiet! Silent Base 800 Black - MSI C236A - Xeon E3-1245v5 - 32GB RAM Kingston - Sapphire Nitro+ Radeon RX590 8G - Samsung PM961 M.2 128GB - Samsung 840 EVO 120GB - Creative Sound Blaster RX PCIe - Logitech Z623 2.1 - G110 Keyboard - Mouse G400
pjp, Administrator
Posted: Tue Nov 27, 2018 3:39 am

Sounds nasty, but yeah, the article is pretty sketchy.

Based on other coin mining references, it probably arrives via javascript.
_________________
Those who know what's best for us must rise and save us from ourselves.
1clue, Advocate
Posted: Tue Nov 27, 2018 3:40 am

There's plenty of malware for Linux. Viruses, not so much. This seems aimed at Windows users and possibly uneducated Linux users. Real malware articles are less cute in their wording and more correct on exactly what type of malware is involved.
Ant P., Watchman
Posted: Tue Nov 27, 2018 4:03 am

“over 1000 lines of code” is meaningless buzzword-babble but does reveal that this isn't particularly competent malware, since it's not a binary payload.

Stripping the BS away, they're possibly referring to the cryptominer in the latest npm-js disaster which - surprise - would run just as well on Windows.
pjp, Administrator
Posted: Tue Nov 27, 2018 4:35 am

What's interesting are the claims about how it behaves on Linux outside of the mining.
mrbassie, Guru
Posted: Tue Nov 27, 2018 11:58 am

https://www.zdnet.com/article/new-linux-crypto-miner-steals-your-root-password-and-disables-your-antivirus/

Look up the CVEs.

Also

https://www.itwire.com/security/85406-linux-malware-of-no-use-unless-it-gains-access-through-ssh.html
bunder, Bodhisattva
Posted: Tue Nov 27, 2018 12:39 pm

mrbassie wrote:
https://www.zdnet.com/article/new-linux-crypto-miner-steals-your-root-password-and-disables-your-antivirus/

Look up the CVEs.

Also

https://www.itwire.com/security/85406-linux-malware-of-no-use-unless-it-gains-access-through-ssh.html


Yawn, SSH bots have been around forever. Overhyped for mass hysteria. :roll:

Also, what antivirus? I've never used one on Linux, except for amavis/clamav for email.

Edit: honestly this looks no worse than Mirai.
_________________
Neddyseagoon wrote:
The problem with leaving is that you can only do it once and it reduces your influence.

banned from #gentoo since sept 2017
mrbassie, Guru
Posted: Tue Nov 27, 2018 4:03 pm

Yep. proteusx called it, clickbait ad for Dr.Web.
Jaglover, Watchman
Posted: Tue Nov 27, 2018 5:55 pm

mrbassie wrote:
Yep. Proteusx called it, click bait ad for dr.web.


+1

Every serious virus description contains information about the vulnerability which is exploited. This one is for people who think a computer virus is like a flu virus that just comes and infects you.
_________________
Please learn how to denote units correctly!
The_Great_Sephiroth, Veteran
Posted: Wed Nov 28, 2018 12:20 am

I thought it was odd, but wanted to be sure. I've never had a problem with Linux outside of occasional portage issues which the members here can help with, and prior to that maybe some odd conflicts with drivers on Debian. I also don't install Java at all, but not sure about JS. I believe many sites still need it to function correctly.
Hu, Moderator
Posted: Wed Nov 28, 2018 2:42 am

The JavaScript infection is spreading, not retreating. Ever more websites use it when they should not, and fail horribly when script is not executed. Even worse, ever more sites are deliberately sourcing Javascript from third party servers, often without Subresource Integrity tags, making it ever more dangerous to allow scripts, and ever harder to block dangerous scripts without completely breaking the intended site.

Running Javascript is theoretically safe, if you trust your browser to implement the Javascript sandbox correctly, and you run a browser with all the latest workarounds for CPU vulnerabilities, and a kernel with all its latest workarounds for those vulnerabilities.
pjp, Administrator
Posted: Wed Nov 28, 2018 3:53 am

Hu wrote:
Running Javascript is theoretically safe, if you trust your browser to implement the Javascript sandbox correctly, and you run a browser with all the latest workarounds for CPU vulnerabilities, and a kernel with all its latest workarounds for those vulnerabilities.
On a related note, Google & Mozilla are apparently working on persistent access to local storage.
Muso, l33t
Posted: Wed Nov 28, 2018 4:47 am

The real security issues with Linux are not viruses, but exploitable programs. Dirty CoW (copy on write) is mostly an issue with older kernels. Shell Shock has been more or less mitigated. But there's always the dangers of XSS, SQLi, Sticky bits, and unpatched vulnerable applications. Staying updated keeps you rather secure, as the package maintainers (in general) pay attention to the security alerts.

Zero days are another matter.
_________________
Time is a great teacher, but unfortunately it kills all its pupils.
1clue, Advocate
Posted: Wed Nov 28, 2018 5:09 am

Hu wrote:
The JavaScript infection is spreading, not retreating. Ever more websites use it when they should not, and fail horribly when script is not executed. Even worse, ever more sites are deliberately sourcing Javascript from third party servers, often without Subresource Integrity tags, making it ever more dangerous to allow scripts, and ever harder to block dangerous scripts without completely breaking the intended site.

Running Javascript is theoretically safe, if you trust your browser to implement the Javascript sandbox correctly, and you run a browser with all the latest workarounds for CPU vulnerabilities, and a kernel with all its latest workarounds for those vulnerabilities.


Given that HTML5 has JavaScript in the spec, don't plan on this issue going away anytime soon.

There are 2 equally valid sides to the issue, and the "right" answer depends somewhat on who you ask, but in reality is a balance between having enough features to give a webapp a desktop feel, and having a web page be secure enough to keep your system and your data safe.
Yamakuzure, Advocate
Posted: Wed Nov 28, 2018 12:46 pm

https://www.itwire.com/security/85406-linux-malware-of-no-use-unless-it-gains-access-through-ssh.html wrote:
Asked about how the malware could gain access to systems, Vurasko responded, "In the first place it works like this: somebody searches for servers with [the] SSH port open; he is trying to brute [force] servers he found; if the brute force attack was successful, he connects to the compromised server using brute-forced credentials and starts the malware."
So key-auth only and fail2ban. Case closed. :lol:
_________________
Important German:
  1. "Aha" - German reaction to pretend that you are really interested while giving no f*ck.
  2. "Tja" - German reaction to the apocalypse, nuclear war, an alien invasion or no bread in the house.
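The attack path in the quoted itwire interview (scan for open SSH, brute-force passwords, log in, start the miner) and the fix in the reply ("key-auth only and fail2ban"), as an added example that is not part of the thread or of any product it mentions: a pass over sshd log lines that reports which sources brute-forced a password and whether they got in, plus a check of the sshd_config directives that "key-auth only" turns off. The log lines and config excerpts are constructed samples; the OpenSSH log phrasing and directive defaults are real, and the maxretry default of 5 is an assumption borrowed from fail2ban's usual sshd jail setting.

```python
"""Added example, not from the thread: the brute-force run the itwire quote
describes, as it shows up in sshd's log, and the sshd_config side of the
"key-auth only" fix. Log lines and config excerpts are constructed samples;
the OpenSSH log phrasing and directive defaults are real."""
import re
from collections import defaultdict

# Constructed auth.log excerpt: one source hammering root, then getting in
# with a password; one legitimate user who mistypes once and then uses a key.
SAMPLE_AUTH_LOG = """\
Nov 27 03:12:01 host sshd[2211]: Failed password for root from 203.0.113.7 port 51322 ssh2
Nov 27 03:12:02 host sshd[2213]: Failed password for root from 203.0.113.7 port 51330 ssh2
Nov 27 03:12:03 host sshd[2215]: Failed password for invalid user admin from 203.0.113.7 port 51341 ssh2
Nov 27 03:12:04 host sshd[2217]: Failed password for root from 203.0.113.7 port 51355 ssh2
Nov 27 03:12:05 host sshd[2219]: Failed password for root from 203.0.113.7 port 51360 ssh2
Nov 27 03:12:06 host sshd[2221]: Accepted password for root from 203.0.113.7 port 51366 ssh2
Nov 27 03:15:40 host sshd[2301]: Failed password for alice from 198.51.100.20 port 40012 ssh2
Nov 27 03:15:55 host sshd[2305]: Accepted publickey for alice from 198.51.100.20 port 40018 ssh2
"""

FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port")

def brute_force_report(log_text, maxretry=5):
    """Per source IP with >= maxretry failed password logins (maxretry=5 is an
    assumption taken from fail2ban's usual sshd jail): failure count, usernames
    tried, and whether a *password* login from that source later succeeded,
    which is the point at which the quoted scenario installs the miner."""
    failures, users, got_in = defaultdict(int), defaultdict(set), set()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            user, ip = m.groups()
            failures[ip] += 1
            users[ip].add(user)
            continue
        m = ACCEPTED.search(line)
        if m and m.group(1) == "password" and failures.get(m.group(3)):
            got_in.add(m.group(3))      # only a success after failures counts
    return {ip: {"failures": n, "users": sorted(users[ip]), "success": ip in got_in}
            for ip, n in failures.items() if n >= maxretry}

# Constructed sshd_config excerpts. OpenSSH defaults PasswordAuthentication to
# yes when the directive is absent; the hardened one is what "key-auth only" means.
DEFAULT_LIKE_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
# PasswordAuthentication not set, so the default (yes) applies
"""
HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin prohibit-password
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
"""

def password_auth_possible(config_text):
    """True if this sshd_config still lets a client authenticate with a
    password. Mirrors sshd's rules: the first occurrence of a keyword wins,
    keywords are case-insensitive, and both PasswordAuthentication and
    KbdInteractiveAuthentication (older name ChallengeResponseAuthentication)
    default to yes when absent. Match blocks are not handled here."""
    seen = {}
    for raw in config_text.splitlines():
        fields = raw.split("#", 1)[0].split(None, 1)
        if len(fields) == 2:
            seen.setdefault(fields[0].lower(), fields[1].strip().lower())
    password = seen.get("passwordauthentication", "yes") == "yes"
    kbd = seen.get("kbdinteractiveauthentication",
                   seen.get("challengeresponseauthentication", "yes")) == "yes"
    return password or kbd

if __name__ == "__main__":
    print(brute_force_report(SAMPLE_AUTH_LOG))
    print(password_auth_possible(DEFAULT_LIKE_SSHD_CONFIG), password_auth_possible(HARDENED_SSHD_CONFIG))
```

The report is what fail2ban's sshd jail computes over a sliding time window before banning the source; here it runs over the whole excerpt. The config check is the part fail2ban cannot do for you: a banned address only slows the guessing down, while `PasswordAuthentication no` (and `KbdInteractiveAuthentication no`, which is otherwise a second password prompt) removes the thing being guessed.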
1clue, Advocate
Posted: Wed Nov 28, 2018 3:00 pm

Yamakuzure wrote:
https://www.itwire.com/security/85406-linux-malware-of-no-use-unless-it-gains-access-through-ssh.html wrote:
Asked about how the malware could gain access to systems, Vurasko responded, "In the first place it works like this: somebody searches for servers with [the] SSH port open; he is trying to brute [force] servers he found; if the brute force attack was successful, he connects to the compromised server using brute-forced credentials and starts the malware."
So key-auth only and fail2ban. Case closed. :lol:


That's ridiculous.
krinn, Watchman
Posted: Thu Nov 29, 2018 1:16 am

So it's no more than just a script kiddy that brute-forces SSH passwords?
And once it has the password, it installs another piece of crap to mine bitcoin or whatever.
People would get more money by selling the root password instead.

Agree with mrbassie about clickbait; using the term virus for something that doesn't replicate itself was made for that. From what I know, it's called a virus when it replicates itself (to spread), a trojan when it shows itself as another "safe" program, malware when its task is to bug the user with publicity or whatever, ransomware when its task is to query money from the user.
And a script kiddy is a dumb brute-force task where no action or skill from its user is needed (hence the "kiddy" term, as even a kid could use it).
Hu, Moderator
Posted: Thu Nov 29, 2018 2:53 am

1clue wrote:
Given that html5 has javascript in the spec, don't plan on this issue going away anytime soon.
I fully recognize that the problem will get far worse before it gets any better. Developers who do not deserve that title have gotten a taste of power and will not soon yield it.
1clue wrote:
There are 2 equally valid sides to the issue, and the "right" answer depends somewhat on who you ask, but in reality is a balance between having enough features to give a webapp a desktop feel, and having a web page be secure enough to keep your system and your data safe.
I am specifically looking at sites that can serve their purpose perfectly well with no script, but are deliberately written to be broken with NoScript. For example, sites that use Javascript to implement their links to other internal pages, even though those pages have distinct URLs that could be bookmarked and loaded successfully; sites that use Javascript to drop open menus; sites that use Javascript to submit forms instead of using a dedicated submit element. I grant that there are some sites, sometimes even useful ones, which cannot reasonably be implemented without use of Javascript. I may not like some of them, but they are not the ones I consider to be an example of abuse. The abuse is in those sites that would work as well, if not better, if rewritten without mandatory Javascript.
1clue, Advocate
Posted: Thu Nov 29, 2018 3:08 pm

@Hu,

I understand and I know there are many sites like you describe.

I build apps for enterprise financial use. We use webapps, and we use JavaScript to give grids much of the spreadsheet feel, and context-sensitive menus and other things that make the users' lives easier.

All our apps are used internally, inside a firewall. They link internally or to one of our other apps, or perhaps to some middleware or a third-party app being designed into their work flow.

Without the exact functionality being discussed on this thread with such angst, our apps would be required to be Windows-only, baked into the Microsoft paradigm. Instead we can have Windows, Mac, Linux, Android and iOS.

That's another thing: Mobile devices rely much more heavily on JavaScript than PCs do. There are entire apps written in essentially JavaScript. Not Java. There are other apps written in Java, but that's not what we're talking about here.

I'd like discussion to be aimed at securing JavaScript in web applications rather than simple JavaScript hate.

FWIW I think there are many online sites which would not be nearly so easy to use if there were no JavaScript. It could be argued that any site could be made without any client-side scripting, but the truth is they'd be much more difficult and cumbersome to use.
Hu, Moderator
Posted: Fri Nov 30, 2018 2:45 am

I don't hate Javascript, and your internal use sounds like a decent one (though I dislike things which override context menus). I hate the design patterns that lead to a site which is completely unusable when the client does not implement and permit all the latest script toys. I further despise the design pattern that reloading the page can meaningfully change its state, since I often get stuck performing reloads while trying to figure out the minimal set of things to unblock to work around the previous design anti-pattern. In my opinion, the first step to securing Javascript is to mandate much of the currently optional security hygiene: require that cross-site <script> tags use SRI (by rejecting any that lack it); require TLS for active content (by refusing to fetch out-of-line scripts served over HTTP, and refusing to execute inline scripts served over HTTP); require sites to serve a Content Security Policy that describes the limitations on active content. At a social level, discourage using a Content Security Policy that permits anything not required for correct operation. (For example, if the site only sources Javascript from a.b.example.com, don't whitelist *.example.com.) Wherever possible, deprecate using inline active content in any page that also includes any user-controlled text. Such text can be handled safely, but is easy to handle unsafely, so except where a high quality framework is responsible for inserting the text with appropriate quoting, it's better just to avoid the problem entirely by saying either active content or user content, but not both.

Securing Javascript at the browser level is hard, in part because of the proliferation of outdated software that will be months, if not years, behind on getting improvements. Mozilla has greatly exacerbated this problem with their WebExtensions stunt. Look at how many people are deliberately using pre-Quantum Firefox (which is now unsupported, has known vulnerabilities, and definitely will not receive any further security improvements) because post-Quantum breaks all their extensions.

I recognize that some sites which use Javascript are more useful for it, and I have no problem with that. However, I believe that if the default install of NoScript makes your site unusable and the site could reasonably be written in a way where NoScript does not make the site completely unusable, then the site is abusing Javascript. Going to your example, I don't see how what you do could be reasonably done without Javascript (as you suggest, if the Javascript-free version worked at all, it would probably be much more cumbersome), so I don't consider that an abuse, even though it is probably totally broken under NoScript. Sites that use Javascript for predictive searching, but which still work under NoScript at the expense of no prediction, are not an abuse, because they are still functional, even if they are somewhat cumbersome. Sites which hide all their content in Javascript variables, then generate an essentially static page through dynamic DOM addition are an abuse. Sites that use <a href="javascript:window.open(...)"> are an abuse. (They should point the href to the document, then use a Javascript event handler to suppress the event and run the window.open if the user uses an unmodified left-click, so that the user can usefully use Open in New Tab or Copy Link Location.)
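The hygiene Hu's two posts argue should be mandatory (SRI on cross-site script tags, TLS for active content, a Content Security Policy no broader than the hosts actually used), as an added example that is not part of the thread: `sri_matches()` applies the Subresource Integrity rule a browser uses for `<script integrity="...">`, including the caveat that an attribute with no recognised algorithm is treated as empty; `lint_script_tags()` flags cross-site scripts with no SRI, SRI without a `crossorigin` attribute, and plain-HTTP sources; `csp_findings()` flags `script-src` entries broader than the hosts a page really loads from, such as `*.example.com` when only `a.b.example.com` is needed. The script body, HTML and policies are constructed samples, and same-origin is approximated by host name only.

```python
"""Added example, not from the thread: the hygiene Hu's posts argue should be
mandatory, as checks. sri_matches() applies the Subresource Integrity rule a
browser uses for <script integrity="...">; lint_script_tags() flags cross-site
scripts lacking SRI, SRI without a crossorigin attribute, and plain-HTTP
sources; csp_findings() flags script-src entries broader than the hosts a page
really loads from. The script body, HTML and policies are constructed samples."""
import base64
import hashlib
import re
from urllib.parse import urlparse

SRI_ALGOS = {"sha256": 1, "sha384": 2, "sha512": 3}   # higher = stronger

def sri_digest(body, algo="sha384"):
    """Value for the integrity attribute: '<algo>-<base64 of the raw digest>'."""
    if algo not in SRI_ALGOS:
        raise ValueError("SRI permits only sha256, sha384 and sha512")
    return algo + "-" + base64.b64encode(hashlib.new(algo, body).digest()).decode()

def sri_matches(body, integrity):
    """SRI matching as the spec defines it: tokens with unknown algorithms are
    ignored, only tokens using the strongest remaining algorithm are compared,
    and any one of them matching accepts the resource. Caveat: with no
    recognised token the attribute counts as empty and the script is allowed,
    so a typo such as integrity="sha-384-..." silently disables the check."""
    known = [(a, d) for a, _, d in (t.partition("-") for t in integrity.split())
             if a in SRI_ALGOS]
    if not known:
        return True
    strongest = max(SRI_ALGOS[a] for a, _ in known)
    return any(sri_digest(body, a) == a + "-" + d
               for a, d in known if SRI_ALGOS[a] == strongest)

SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.I)
ATTR = re.compile(r"""([\w-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?""")

def lint_script_tags(html, page_host):
    """(src, problem) for each <script src> that breaks one of the three rules.
    Same-origin is approximated by host only; scheme and port are ignored."""
    problems = []
    for tag in SCRIPT_TAG.finditer(html):
        attrs = {}
        for a in ATTR.finditer(tag.group(1)):
            attrs[a.group(1).lower()] = next((v for v in a.groups()[1:] if v is not None), "")
        src = attrs.get("src")
        if not src:
            continue                       # inline script: see csp_findings
        url = urlparse(src)
        if url.scheme == "http":
            problems.append((src, "active content fetched over plain HTTP"))
        if url.hostname and url.hostname != page_host:
            if "integrity" not in attrs:
                problems.append((src, "cross-site script without SRI"))
            elif "crossorigin" not in attrs:
                # Without CORS the response is opaque, SRI cannot be checked,
                # and the browser refuses to run the script at all.
                problems.append((src, "SRI on a no-CORS fetch: browser will block it"))
    return problems

def csp_findings(policy, needed_hosts):
    """Flag script-src sources that allow more than needed_hosts, e.g.
    *.example.com when scripts only ever come from a.b.example.com."""
    directives = {}
    for part in policy.split(";"):
        fields = part.split()
        if fields:
            directives.setdefault(fields[0].lower(), fields[1:])
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return ["no script-src or default-src: scripts may load from anywhere"]
    findings = []
    for src in sources:
        low = src.lower()
        if low in ("'unsafe-inline'", "'unsafe-eval'"):
            findings.append(src + " lets injected or eval'd script run")
        elif low in ("*", "http:", "https:", "http://*", "https://*"):
            findings.append(src + " allows scripts from any host")
        elif "*." in low:
            suffix = low.split("*.", 1)[1].split("/")[0].split(":")[0]
            exact = sorted(h for h in needed_hosts if h.endswith("." + suffix))
            findings.append(src + " is broader than needed; list "
                            + (", ".join(exact) or "the exact hosts") + " instead")
    return findings

# Constructed samples.
CDN_SCRIPT = b"window.addEventListener('load',function(){document.title='ok';});\n"
GOOD_INTEGRITY = sri_digest(CDN_SCRIPT)
SAMPLE_HTML = f"""
<script src="/static/app.js"></script>
<script src="https://a.b.example.com/lib.js" integrity="{GOOD_INTEGRITY}" crossorigin="anonymous"></script>
<script src="https://cdn.example.net/widget.js"></script>
<script src="https://cdn.example.net/tracker.js" integrity="{GOOD_INTEGRITY}"></script>
<script src="http://mirror.example.org/old.js" integrity="{GOOD_INTEGRITY}" crossorigin="anonymous"></script>
"""
LOOSE_CSP = "default-src 'self'; script-src 'self' *.example.com 'unsafe-inline'"
TIGHT_CSP = "default-src 'self'; script-src 'self' a.b.example.com"

if __name__ == "__main__":
    print(lint_script_tags(SAMPLE_HTML, "www.example.com"))
    print(csp_findings(LOOSE_CSP, {"a.b.example.com"}))
```

Of the five sample tags only the second passes: it is cross-site, carries a digest, and asks for CORS so the browser can actually compare the bytes. The fourth shows the trap a lot of copy-pasted snippets fall into, an `integrity` attribute without `crossorigin`, which does not weaken the check but makes the browser refuse the script outright. On the policy side, `TIGHT_CSP` is the "whitelist a.b.example.com, not *.example.com" advice from the post; `'unsafe-inline'` is flagged because it is exactly the mix of active content and user-controlled text the post says to avoid.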
Maitreya, Guru
Posted: Fri Nov 30, 2018 2:31 pm

Recently bought ESET for Linux.
The reason is not really protecting my own machine but maybe other Windows/Mac boxes on my network.
I was skeptical at first, so I downloaded the trial. Decent installer. Correct placement.
Overall I was surprised for a commercial product to behave so decently, so I bought it.
Neatly intercepts CARS downloads, so I'm pleasantly surprised.

Is this in any way a security enhancement? In my opinion not a very big one. I'd rather have proper design than hindsight fixing (which is what antivirus basically is).
1clue, Advocate
Posted: Fri Nov 30, 2018 3:14 pm

@Hu,

I'd have to think about those suggestions to work out how it would affect our app. Most of what you say wouldn't affect us because our apps generally only reference internally to the same web application, with possible configurations to reference some other web application. Certainly nothing the customer doesn't pay for.

The key issue I have is with your active content vs user content. If you mean that to be animations then we're OK, but if you mean it to be widgets like grid-cell-based context menus then we would be broken.

It occurs to me that the things you're talking about come down to a limited number of things.

  1. Bling.
  2. Money.
  3. Bad code practices in general.

Bling is just that. Animations or some sort of graphic art to make the page stand out.

It seems that most of the rest of what you're talking about are mechanisms by which sites make money. The idea that the app stays safe on one server and all the third-party banners are stored elsewhere. For us, the customer pays for an app which is used internally, so there are no ads because the only users are employees, and every bit of screen real estate is used for the task at hand.

The part where the entire site is generated inside a variable is just bad coding practices. It's not especially maintainable either.

All that said, in order for there to be true control of JavaScript one would need to ensure that the site designers are working ethically and carefully, and that both the site and the browser are using a "correct" implementation of JavaScript which works within the security framework. Without adding some sort of cryptographic signing of an app I'm not sure how you'd go about that. Even then, JavaScript is a dynamic language, which makes securing that type of code difficult.
pjp, Administrator
Posted: Fri Nov 30, 2018 6:45 pm

1clue wrote:
All that said, in order for there to be true control of JavaScript one would need to ensure that the site designers are working ethically and carefully, and that both the site and the browser are using a "correct" implementation of JavaScript which works within the security framework. Without adding some sort of cryptographic signing of an app I'm not sure how you'd go about that. Even then, JavaScript is a dynamic language, which makes securing that type of code difficult.

1clue wrote:
I'd like discussion to be aimed at securing JavaScript in web applications rather than simple JavaScript hate.
Given these comments, is it possible to secure JavaScript (or any dynamic language)?
Page 1 of 2

 