Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security Bitcoin Crime Linux

New Linux Trojan Is A DDoS Tool, a Bitcoin Miner, and Web Ransomware (softpedia.com) 63

An anonymous reader writes: A trojan that targeted Drupal sites on Linux servers last May that was incredibly simplistic and laughable in its attempt to install (and fail) web ransomware on compromised websites, has now received a major update and has become a top threat on the malware scene. That trojan, named Rex, has evolved in only three months into an all-around threat that can: (1) compromise servers and devices running platforms like Drupal, WordPress, Magento, Jetspeed, Exarid, AirOS; (2) install cryptocurrency mining in the background; (3) send spam; (4) use a complex P2P structure to manage its botnet; and (5) install a DDoS agent which crooks use to launch DDoS attacks.

Worse is that they use their DDoS capabilities to extort companies. The crooks send emails to server owners announcing them of 15-minute DDoS tests, as a forewarning of future attacks unless they pay a ransom. To scare victims, they pose as a known hacking group named Armada Collective. Other groups have used the same tactic, posing as Armada Collective, and extorting companies, according to CloudFlare.

This discussion has been archived. No new comments can be posted.

New Linux Trojan Is A DDoS Tool, a Bitcoin Miner, and Web Ransomware

Comments Filter:
  • by Anonymous Coward on Sunday August 21, 2016 @02:54AM (#52741783)

    After all, you have millions of people looking over source code, so any bugs and vulnerabilities are guaranteed to be found and repaired quickly. This will be fixed quickly and only a few systems will be exploited. On Windows, however, this would be crippling, spreading to many millions of systems while Microsoft waited a month or two to issue a fix. This isn't a story because open source software is guaranteed to be fixed quickly.

    • by Aristos Mazer ( 181252 ) on Sunday August 21, 2016 @02:57AM (#52741787)
      Patches may be available quickly. Whether those get applied or not is a different story.
    • by Anonymous Coward
      only a tiny fraction of people patch correctly. Also the millions of eyes is all complete bullshit and I say that as one of those sets of eyes. only a very tiny fraction of a percent have the skills to review code for security and most of them are gainfully employed doing other stuff.
      • by gweihir ( 88907 ) on Sunday August 21, 2016 @05:30AM (#52742165)

        The finding is not the main thing. The main difference is that once you know you have a problem, with OSS you can do something about it, while with closed source you can only hope the vendor will.

      • only a tiny fraction of people patch correctly. Also the millions of eyes is all complete bullshit and I say that as one of those sets of eyes. only a very tiny fraction of a percent have the skills to review code for security and most of them are gainfully employed doing other stuff.

        Yep. The glaring security holes in OpenSSL prove all of your points.

  • by Anonymous Coward on Sunday August 21, 2016 @03:19AM (#52741841)

    If you're a Windows user, you have nothing to worry about. Only Linux is affected by this trojan.

  • by Rosco P. Coltrane ( 209368 ) on Sunday August 21, 2016 @03:33AM (#52741897)

    Linux has nothing to do with this. It's a Drupal security issue.

    I expected better reporting of an issue like this from Slashdot. Then again, maybe not...

    • by Anonymous Coward
      story seems accurate? what are you complaining about exactly. It is a Linux Trojan installed via drupal (exactly as the summary states), it doesn't say it was a Linux vulnerability.
      • Re: (Score:3, Informative)

        by Anonymous Coward

        To be fair, the cited (and likely incomplete) list from the summary is "compromise servers and devices running platforms like Drupal, WordPress, Magento, Jetspeed, Exarid, AirOS." The takeaway here is pretty much this: widespread deployment of shitty PHP and Java apps strikes again ... -PCP

        • by MisterSquid ( 231834 ) on Sunday August 21, 2016 @10:56AM (#52743051)

          To be fair, the cited (and likely incomplete) list from the summary is "compromise servers and devices running platforms like Drupal, WordPress, Magento, Jetspeed, Exarid, AirOS." The takeaway here is pretty much this: widespread deployment of shitty PHP and Java apps strikes again ... -PCP

          This isn't a problem of the "widespread deployment of shitty PHP and Java apps". The vulnerability which this Trojan exploits is CVE-2014-3704 [nist.gov] and was patched by Drupal Security Team on the 15th of October in 2014 [drupal.org]

          The circumstances and agents which have led to this Trojan exploiting Linux systems and Drupal frameworks in the wild is, as with many such things, are multiple and varied. They include installations that are underresourced, shops with critical dependencies that cannot easily upgrade, web apps that at first and second glance do not have interfaces outside an intranet, etc. etc. and so on and so forth

          The key is to stop pointing fingers and laying blame, unless the fingers point to the creators and distributors of the malware. The exploitation and abuse of computer infrastructure is part of territory. Blaming failures on the vulnerable is a sysadmin's version of victim-blaming and does little to mitigate the problem and much to generate community dysfunction.

          Instead of finger pointing, spread the word, inform your unknowing and unwitting colleagues, train junior developers about how to remain secure for multiple computing environments with complex layers of computing infrastructure.

          Our great-great-great-great grandchildren will thank you.

        • And what has Java to do with that?

          Considering that in Java you automatically use prepared statements 90% of the time ... and none of the softwares you mention are written in Java.

    • by Anonymous Coward

      It just shows that with the right malware, you can get the full Windows experience on Linux.

    • To be honest, anyone still using Drupal or Wordpress (or any other database-aware software that doesn't use prepared statements) has actively begged to be owned, and should probably just be placed in a job more appropriate to their skill sets (such as janitorial work).

      The term "SQL Injection" should have been relegated to the history books a decade ago, as avoiding it is easier than being subject to it.

    • Yes, security holes in WordPress, Magento, Jetspeed, Exarid, AirOS get the malware onto the system. But the malware is for Linux, and the subject and summary valid.

  • in its attempt to install (and fail) web ransomware

    It attempted to "fail" web ransomware? What does that mean?

    That trojan, named Rex, has evolved

    No, it's been reprogrammed.

  • A trojan that targeted Drupal sites on Linux servers last May that was incredibly simplistic and laughable in its attempt to install (and fail) web ransomware on compromised websites

    Let's go ahead and fix that:

    A trojan that targeted Drupal sites on Linux servers last May that was incredibly simplistic and laughable in its attempt (and failure) to install web ransomware on compromised websites

    Much better.

I had the rare misfortune of being one of the first people to try and implement a PL/1 compiler. -- T. Cheatham

Working...