Ransomware Found Targeting Linux Servers, MySQL, Git, Other Development Files (drweb.com)

An anonymous reader writes: A new piece of ransomware has been discovered that targets Linux servers, looking to encrypt only files that are related to Web hosting, Web servers, MySQL, Subversion, Git, and other technologies used in Web development and HTTP servers. Weirdly, despite targeting business environments, the ransomware only asks for 1 Bitcoin, a fairly low amount compared to other ransomware.
  • Root (Score:5, Informative)

    by Anonymous Coward on Saturday November 07, 2015 @06:01PM (#50884995)

    "Once launched with administrator privileges..."

    Well, there's your problem.

    • "Once launched with administrator privileges..."

      Well, there's your problem.

      This rarely happens, as it seems. I hope, at least.

      However, once someone figures out that common PHP applications, which are currently mostly exploited for sending spam and distributing malware, can be abused in this crypto-ransom fashion, some "interesting" times will follow. Specially vulnerable deployments are those where the very same user that owns executable files is used for running that application too (I am looking at your defaults, cPanel), or, to a lesser extent, applications that permit executab
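The deployment weakness the comment above singles out (the application running as the very user that owns its executable files) can be checked for mechanically. The audit below is an added example, not code from the thread or from any product named in it; it walks a web root and reports code files the application identity could rewrite, using a constructed temporary tree with made-up file names and a made-up "other" uid.

```python
import os
import stat
import tempfile

CODE_EXTS = (".php", ".py", ".pl", ".cgi", ".sh")

def audit_webroot(root, app_uid, app_gid):
    """Return [(relative_path, reason)] for code files that the web
    application's own identity could rewrite: owned by its uid,
    group-writable by its gid, or writable by everyone."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # the link target is judged on its own
            mode = st.st_mode
            is_code = name.lower().endswith(CODE_EXTS) or bool(mode & stat.S_IXUSR)
            if not is_code:
                continue
            rel = os.path.relpath(path, root)
            if st.st_uid == app_uid:
                findings.append((rel, "owned by application uid"))
            elif st.st_gid == app_gid and mode & stat.S_IWGRP:
                findings.append((rel, "group-writable by application gid"))
            elif mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
    return sorted(findings)

def demo():
    """Constructed web root: a PHP file with sane perms, a world-writable
    PHP file, and a non-code text file. Audited under two deployment models."""
    root = tempfile.mkdtemp(prefix="webroot-")
    for name, mode in (("index.php", 0o644), ("upload.php", 0o666), ("notes.txt", 0o666)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("<?php echo 'hi';\n" if name.endswith(".php") else "notes\n")
        os.chmod(path, mode)
    me, my_group = os.getuid(), os.getgid()
    # Same-user model (the cPanel-style default the comment mentions):
    # the app runs as the user that owns the code, so every file is at risk.
    same_user = audit_webroot(root, me, my_group)
    # Separated model: a distinct, constructed uid/gid runs the app;
    # only files that are writable by others remain exposed.
    other = 65533 if me != 65533 else 65532
    split_user = audit_webroot(root, other, other)
    return same_user, split_user

if __name__ == "__main__":
    for label, result in zip(("same user", "split user"), demo()):
        print(label, result)
```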

  • Tape backups (Score:2, Interesting)

Unlike desktops, big iron uses tape and RAID backups

    • Re:Tape backups (Score:4, Informative)

      by Anonymous Coward on Saturday November 07, 2015 @06:09PM (#50885031)

Unlike desktops, big iron uses tape and RAID backups

      Raid is not a backup.

      • by Anonymous Coward

        RAID would simply increase the speed of encryption.

      • I would imagine that he meant that larger companies use virtual tape libraries (comprised of hard drives) or use backup systems which write to an array of hard drives instead of tape. These are great for fast backups and restoration of data. Pushing offsite via replication provides the offsite backups.

        • by Anonymous Coward

          They are not a "backup" unless there is something stopping them being overwritten when the main system gets fucked up. It is difficult to fuck up a tape that has been removed from a system when the shit hits. As a hosting provider near me found out in their last day of operation, an offsite mirror doesn't help when the shit hits if it just mirrors the shit and there is no offline copy of the data to restore from.
          Snapshots help but there are situations where they won't be available.
          Also tape is still cheap

          • by hawguy ( 1600213 )

            They are not a "backup" unless there is something stopping them being overwritten when the main system gets fucked up. It is difficult to fuck up a tape that has been removed from a system when the shit hits. As a hosting provider near me found out in their last day of operation, an offsite mirror doesn't help when the shit hits if it just mirrors the shit and there is no offline copy of the data to restore from.
            Snapshots help but there are situations where they won't be available.
            Also tape is still cheap at scale. Once you have the drive the media is less than $100 for 3TB (real size not compressed) so after a point it becomes cheaper to have a real backup on tape than buying drives that are likely to be online 100% of the time and fall victim to whatever they are supposed to be saving you from.

            Under what circumstances will snapshots not be available? We make snapshots every 4 hours and keep them for 3 days. Daily snaps are kept for 10 days, weekly snaps are kept for 6 weeks, and monthly snapshots are kept for 6 months. This is all done at the NAS level, application servers don't have access to the snapshots so can't modify or delete them. The primary NAS is replicated (including snapshots) to a secondary NAS (in a different building nearby), and that NAS makes weekly tape dumps that are shipped
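The retention schedule in the comment above (4-hourly snaps for 3 days, daily for 10 days, weekly for 6 weeks, monthly for 6 months) is exactly the kind of policy a NAS enforces outside the reach of the application servers. The following is an added example, not code from the thread or from any NAS vendor: it decides which snapshots of a constructed 4-hourly series survive under that policy, treating "6 months" as 183 days (an assumption) and letting each tier claim the earliest snapshot of its bucket that is still inside the tier's window.

```python
from datetime import datetime, timedelta

# Retention tiers from the comment: every 4-hourly snap for 3 days, one
# per day for 10 days, one per ISO week for 6 weeks, one per month for
# 6 months (approximated here as 183 days).
TIERS = (
    (lambda ts: ts,                   timedelta(days=3)),   # every snapshot
    (lambda ts: ts.date(),            timedelta(days=10)),  # earliest per day
    (lambda ts: ts.isocalendar()[:2], timedelta(weeks=6)),  # earliest per ISO week
    (lambda ts: (ts.year, ts.month),  timedelta(days=183)), # earliest per month
)

def plan_retention(snapshots, now):
    """Map each snapshot datetime to True (keep) or False (expire).
    A snapshot survives if any tier claims it; each tier claims the
    earliest snapshot of its bucket that is still inside its window.
    Future-dated snapshots (clock skew) are never claimed."""
    decision = {}
    claimed = [set() for _ in TIERS]
    for ts in sorted(snapshots):
        age = now - ts
        keep = False
        for (bucket_of, window), seen in zip(TIERS, claimed):
            key = bucket_of(ts)
            if key not in seen and timedelta(0) <= age <= window:
                seen.add(key)
                keep = True
        decision[ts] = keep
    return decision

def retention_report(now_iso, snapshot_isos):
    """String front end: ISO timestamps in, {iso: 'keep' | 'expire'} out."""
    now = datetime.fromisoformat(now_iso)
    snaps = {datetime.fromisoformat(s): s for s in snapshot_isos}
    plan = plan_retention(snaps, now)
    return {snaps[ts]: ("keep" if keep else "expire") for ts, keep in plan.items()}

def sample_series(now_iso, days):
    """Constructed input: a 4-hourly schedule (00,04,...,20h) reaching
    back `days` days from the last snapshot taken before `now`."""
    now = datetime.fromisoformat(now_iso)
    last = now.replace(hour=(now.hour // 4) * 4, minute=0, second=0, microsecond=0)
    return [(last - timedelta(hours=4 * i)).isoformat(sep=" ") for i in range(days * 6)]

if __name__ == "__main__":
    report = retention_report("2015-11-07 18:00", sample_series("2015-11-07 18:00", 200))
    kept = sorted(k for k, v in report.items() if v == "keep")
    print(f"{len(kept)} of {len(report)} snapshots retained; oldest kept: {kept[0]}")
```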

      • Backups suck! Tape sucks, RAID has "backed up data" but is not, in itself, a backup.

        The ONLY real and reliable backup is deduplicated off-site replication, ala something like "Actifio."

  • whatever the market will bear
  • by Anonymous Coward

    Sounds like they're trying to figure out how far their ransomware can get into various networks and environments. See who they hit and do a more invasive hack/extortion later for big money.

  • by sims 2 ( 994794 ) on Saturday November 07, 2015 @06:05PM (#50885013)

    However, 1 bitcoin is roughly $400. While still less than 10 bitcoins, it's not nothing either.

    • They could be betting that, at a lower price, more people will be willing to cough it up for the data. The first thing to consider is that real professionals won't be affected by this type of thing - they store separate backups on another server (or offline entirely) and so would just restore the data from the backup.

      Having worked for a web hosting company for a couple of years, I envision this being the scenario the ransomware makes the most money from:
      (1). Ransomware encrypts (say) the web site of a sma
      • If they don't notice for two weeks that their site is down, I'm not sure they should be wasting their money on either option.
      • ... The first thing to consider is that real professionals won't be affected by this type of thing - they ensure their filesystem is properly permissioned (as per reams of security best practices) to prevent this attack.

        FTFY

        The rest of your post is irrelevant if this. Because the site would not go down due to incompetence of the SA.

  • by CajunArson ( 465943 ) on Saturday November 07, 2015 @06:09PM (#50885037) Journal

    The relatively low price is designed to make it too much of a hassle for the victims to contact the police, lawyers, etc. etc. in an effort to track down and stop the perpetrators.

    They are probably hoping for higher volumes of payment from a lot of people instead of trying to go all Hollywood and ask for some insane amount of money that would make bringing in the cops worthwhile.

  • A nice low number (Score:5, Interesting)

    by mhkohne ( 3854 ) on Saturday November 07, 2015 @06:11PM (#50885043) Homepage

    That low ransom makes it REALLY easy for the business to justify just paying them off, instead of spending the time to deal with the problem in a different way. It's even small enough that a lower level manager who doesn't want to get fired for having screwed up and let this happen might pay it himself to keep from looking bad, which means that no one else in the organization might be informed.

    If the malware can get enough traction, it could still bring in the big bucks over time.

  • Consider yourself in a cyber-war... any line of program you run on your computer can be turned against you... why do you trust any of it with your full authority?

    Because you don't have a choice, your OS doesn't give you one. Read up on the principle of least privilege, and the ambient authority model we currently use.

    • You do have a choice though. You can use BSD.

      • This particular malware is a C program that must be run as root to do its damage. I'm sure porting it to BSD and running it as root would be just as bad there as on Linux.

  • Not long ago someone was trying to convince me that git is an acceptable backup for your code, because it's distributed, so you don't need any other backups.

    This story is another reminder that Git is not a backup. (As the older saying went, "RAID is not backup"). Mirroring is not a backup either, for similar reasons.
    • Re:Git's not backup. (Score:5, Interesting)

      by Anonymous Coward on Saturday November 07, 2015 @06:22PM (#50885089)

      Given git's model, every developer has a full copy of the entire history. Sounds like a great backup to me.

  • A single bitcoin is likely to be a very common kind of transaction.
    Remember the Ashley Madison blackmailers who were asking for very specific amounts, which allowed multiple transactions to multiple bitcoin addresses to be grouped together by those investigating?
    It would be much harder to associate all those wallets if they were for an amount that's commonly used.

    • Business environment is also kind of why the price is so low. Most of the time they are ransoming a little downtime while restoring a backup, not priceless data.

  • by Anonymous Coward on Saturday November 07, 2015 @06:26PM (#50885113)

    How does this malware spread? How does it get on the servers? How does it get executed?

    If it relies on some idiot to run it as root, I just can't see it as a real threat. If it's coming in via a distro's updates, well that would be... exciting.

    • by See Attached ( 1269764 ) on Saturday November 07, 2015 @06:48PM (#50885227)
      Is this a sales play from DrWeb? I can make a KSH called /tmp/ls that does the same thing....
      • Possibly, there is nothing on their site to say how it's "delivered", sounds like another proof of concept
    • As of a few days ago, Cryptowall 4.0 [threatpost.com] has been released. Version 3.0 caused over 320 million in damages so far. This thing infects via spammed e-mail attachments, Flash, JS exploits, and MS Word / Excel documents containing instructions on allowing an untrusted macro (virus). Aside from proper lock-down of a Windows network and blocking file attachments, I'm real curious as to how all these ad servers are getting infected? These drive-by-downloads are nasty. AKA "malvertisements".

      Cryptowall is perhaps the mo

      • None of these are things you can even do on a nix server. Also...js? You mean java?
        Cache poisoning itself doesn't infect you.

        • JS, as in JavaScript. Though I suppose technically this would be a browser vulnerability for allowing it to happen?

          • Javascript doesn't attack a browser in the classical sense. The way you cause damage with JS is poisoning the browser's cache. So you add something sketchy to the cached version of a given webpage.

            The classical route of this attack is a proxy that injects code to cache sketchy objects on top of the cache of any page visited. The cache expiration is set to something ridiculously high, so it's not removed without clearing the cache.

            So for example injecting an ad that wasn't there before into youtube, slashdot

    • That is the exposure to be concerned with.. how does it get a foot hold on a server? What it does, is after the FAIL.
  • a fairly low amount compared to other ransomware.

    It's Dr. Evil, from the 1960's.

  • "Once launched with administrator privileges, the Trojan loads into the memory of its process files containing cybercriminals' demands"
  • backup (Score:4, Insightful)

    by fluffernutter ( 1411889 ) on Saturday November 07, 2015 @07:38PM (#50885435)
    1. There is no reason to have anything rinning as root
    2. There is no reason to run any non-os command as root
    3. it takes 45 mins at most to reimage a server and redeploy from backup

    The people who get this are asking for it. It's like the internet startup darwin awards.
    • Re:backup (Score:5, Funny)

      by TeknoHog ( 164938 ) on Saturday November 07, 2015 @08:22PM (#50885619) Homepage Journal

      1. There is no reason to have anything rinning as root

      I'm afraid you just misspelled "rimming".

    • by jddj ( 1085169 )

      "1. There is no reason to have anything r[u]nning as root"

      Is that supposed to include the OS processes and services? 'cuz there's a ton of them on a server I work with.

      I can see how I'd (begin to) secure anything I'd installed from running on root - and probably differently for each app/service. But what am I to do about the OS itself?

      Or perhaps point 1 was stated with less precision than I'd imagine. (not being sarcastic - really wanna know).

  • Dummies. (Score:3, Interesting)

    by Anonymous Coward on Saturday November 07, 2015 @07:45PM (#50885475)

    eg. from this article...
    http://www.securityweek.com/file-encrypting-ransomware-targets-linux-users

    It’s unclear at this point how the malware is distributed and installed on victims’ computers

    eg. from this article...
    http://securityaffairs.co/wordpress/41787/cyber-crime/linux-ransomware.html

    Linux ransomware already infected at least tens of users

    So nobody knows how this mysterious trojan gets run as root on web servers. No mention of what distro is affected, if this story is legit. Realize there are actual proprietary OS companies who pay to shill. The fact that Linux is better and open source and free makes Windows and Apple look stupid. So does it make sense they want to discredit Linux? FUD about web servers?

    Wait for an actual legit demonstration of how this "ransomware trojan" infects a web server. I mean other than some tweak got paid a few bucks to write a script and give it to his gamer buddies in Russia to run as root @ localhost.

    Read even this.
    https://en.wikipedia.org/wiki/Linux_malware

    Worms and targeted attacks

    The classical threat to Unix-like systems is vulnerabilities in network daemons, such as SSH and web servers. These can be used by worms or for attacks against specific targets. As servers are patched quite quickly when a vulnerability is found, there have been only a few widespread worms of this kind. As specific targets can be attacked through a vulnerability that is not publicly known there is no guarantee that a certain installation is secure. Also servers without such vulnerabilities can be successfully attacked through weak passwords.

    Threats

    The following is a partial list of known Linux malware. However, few if any are in the wild, and most have been rendered obsolete by Linux updates or were never a threat. Known malware is not the only or even the most important threat: new malware or attacks directed to specific sites can use vulnerabilities previously unknown to the community or unused by malware.

    So don't believe the hype. If this story is legit at all, it will be scrutinized 100% and all possible methods of injection will be considered by one hell of a lot of smart people. The code is open source.

  • For Dr. Web anti virus crap.

    Once again, if you bypass all the security as only a complete idiot would do, Unix is vulnerable.
