New Linux Trojan Is A DDoS Tool, a Bitcoin Miner, and Web Ransomware (softpedia.com)
An anonymous reader writes: A trojan that targeted Drupal sites on Linux servers last May that was incredibly simplistic and laughable in its attempt to install (and fail) web ransomware on compromised websites, has now received a major update and has become a top threat on the malware scene. That trojan, named Rex, has evolved in only three months into an all-around threat that can: (1) compromise servers and devices running platforms like Drupal, WordPress, Magento, Jetspeed, Exarid, AirOS; (2) install cryptocurrency mining in the background; (3) send spam; (4) use a complex P2P structure to manage its botnet; and (5) install a DDoS agent which crooks use to launch DDoS attacks.
Worse is that they use their DDoS capabilities to extort companies. The crooks send emails to server owners notifying them of 15-minute DDoS tests, as a forewarning of future attacks unless they pay a ransom. To scare victims, they pose as a known hacking group named Armada Collective. Other groups have used the same tactic, posing as Armada Collective, and extorting companies, according to CloudFlare.
Re: (Score:1)
It will only affect Linux servers that are run by people who have a single-user OS mindset (AKA Windows). Anyone with a clue doesn't run Linux with full superuser permissions.
Re: (Score:2, Insightful)
Alert. Clueless Windows user thinks desktop Linux runs like desktop Windows.
Re:Head in the sand Linux security (Score:4, Insightful)
Quite a bit of the world's banking infrastructure, including customer-facing sites run on Linux. That alone shows the utter cluelessness of morons like you.
Of course, an incompetent Linux admin (for example a former incompetent Windows admin) can configure Linux to be insecure and install insecure versions of applications.
Re: (Score:3)
The claim is that a) it is significantly easier to lock Linux down and b) the result is far better. With an incompetent admin, Linux is not more secure. No argument there. But this is also not a surprise. In actual fact, a networked computing device will be insecure, unless competently configured and administered. Eventually, this may change, but not anytime soon.
The other thing is that admins that are actually competent often consider Windows to be an insult, because of how hard it makes good system admin
Open source is more secure (Score:4, Insightful)
After all, you have millions of people looking over source code, so any bugs and vulnerabilities are guaranteed to be found and repaired quickly. This will be fixed quickly and only a few systems will be exploited. On Windows, however, this would be crippling, spreading to many millions of systems while Microsoft waited a month or two to issue a fix. This isn't a story because open source software is guaranteed to be fixed quickly.
Re:Open source is more secure (Score:5, Insightful)
Re: (Score:1)
Windows updates will be issued in due time
Except that, no, they are not.
Our group still has 35 zero day exploits present in all versions of windows since XP, all still exploitable in Win 10 today. Another 25 present since Vista and still exploitable today.
You won't be finding these bugs by looking at any of the closed source software's source code, because you can't look at the source code.
And not a single one has a windows update available to fix them.
Re: (Score:1)
Re:Open source is more secure (Score:5, Interesting)
The finding is not the main thing. The main difference is that once you know you have a problem, with OSS you can do something about it, while with closed source you can only hope the vendor will.
Re: (Score:2)
The ignorant here is you and massively so. First, this is about what to do once a vulnerability is known. You, know, the time when it becomes really, really dangerous to leave it unfixed because all the script-kiddies start attacking it. And then, whoever said anything about you having to come up with patch yourself? That is the closed-source mind-set where every modification of software is almost a criminal act, to be committed in solitude and secrecy. Yes, somebody has to come up with a patch, and there a
Re: (Score:2)
Fascinating. A new level of ignorance and stupidity is reached. Ever heard about known vulnerabilities that get not fixed for a long, long time in closed-source software? And ever heard about the same thing in open source software? Well, with the fuzziness of your thinking, you probably have heard of the second and not the first, but that has not even a distant relation to actual reality.
Re: (Score:2)
Only a tiny fraction of people patch correctly. Also, the millions of eyes is all complete bullshit, and I say that as one of those sets of eyes. Only a very tiny fraction of a percent have the skills to review code for security, and most of them are gainfully employed doing other stuff.
Yep. The glaring security holes in OpenSSL prove all of your points.
Re: (Score:3)
...except this is NOTHING like Blaster.
This is a Trojan, which by definition requires a great deal of user intent in order to work.
No, this is much more like Microsoft Office.
PSA: This does not affect Windows (Score:4, Funny)
If you're a Windows user, you have nothing to worry about. Only Linux is affected by this trojan.
You gotta love yellow journalism (Score:5, Informative)
Linux has nothing to do with this. It's a Drupal security issue.
I expected better reporting of an issue like this from Slashdot. Then again, maybe not...
Re: (Score:1)
Re: (Score:3, Informative)
To be fair, the cited (and likely incomplete) list from the summary is "compromise servers and devices running platforms like Drupal, WordPress, Magento, Jetspeed, Exarid, AirOS." The takeaway here is pretty much this: widespread deployment of shitty PHP and Java apps strikes again ... -PCP
Re:You gotta love yellow journalism (Score:5, Insightful)
To be fair, the cited (and likely incomplete) list from the summary is "compromise servers and devices running platforms like Drupal, WordPress, Magento, Jetspeed, Exarid, AirOS." The takeaway here is pretty much this: widespread deployment of shitty PHP and Java apps strikes again ... -PCP
This isn't a problem of the "widespread deployment of shitty PHP and Java apps". The vulnerability which this Trojan exploits is CVE-2014-3704 [nist.gov] and was patched by Drupal Security Team on the 15th of October in 2014 [drupal.org]
The circumstances and agents which have led to this Trojan exploiting Linux systems and Drupal frameworks in the wild are, as with many such things, multiple and varied. They include installations that are under-resourced, shops with critical dependencies that cannot easily upgrade, web apps that at first and second glance do not have interfaces outside an intranet, etc. etc. and so on and so forth
The key is to stop pointing fingers and laying blame, unless the fingers point to the creators and distributors of the malware. The exploitation and abuse of computer infrastructure is part of the territory. Blaming failures on the vulnerable is a sysadmin's version of victim-blaming and does little to mitigate the problem and much to generate community dysfunction.
Instead of finger pointing, spread the word, inform your unknowing and unwitting colleagues, train junior developers about how to remain secure for multiple computing environments with complex layers of computing infrastructure.
Our great-great-great-great grandchildren will thank you.
Re: (Score:2)
And what has Java to do with that?
Considering that in Java you automatically use prepared statements 90% of the time ... and none of the software you mention is written in Java.
Re: (Score:1)
It just shows that with the right malware, you can get the full Windows experience on Linux.
Re: You gotta love yellow journalism (Score:5, Insightful)
I agree. Open source and Linux should never be criticized. Any criticism is false and, therefore, is yellow journalism. I find any criticism of Linux to be highly offensive and indicative of spamming from paid Microsoft trolls.
Way to mix issues here.
1/ Should open source or Linux be criticized? Hell yes, if there are reasons to.
2/ You conflate Linux and open-source. They aren't the same issues - they aren't even the same thing. Open-source is a development and business model and Linux is a fucking kernel.
3/ Drupal is to be criticized here. Not Linux. Linux as a kernel is doing what the flawed middleware on top of it tells it to. No more, no less. Show me a Linux kernel exploit and I'll be the first to criticize Linux. But in this case, it ain't the culprit.
I can sort of understand people mixing up GNU things and the Linux kernel, because it's been done for years, and people grew tired of hearing Stallman repeat "it's not Linux, it's GNU/Linux" a long time ago. But Drupal has never been remotely connected to Linux. What next? Run Drupal on FreeBSD and claim FreeBSD has been owned by a trojan?
Re: (Score:2)
Drupal is to be criticized here. Not Linux. Linux as a kernel is doing what the flawed middleware on top of it tells it to. No more, no less. Show me a Linux kernel exploit and I'll be the first to criticize Linux.
Never heard:
"People should call it a vulnerability in GNU/Linux, not just a vulnerability in Linux".
Re: (Score:2)
To be honest, anyone still using Drupal or Wordpress (or any other database-aware software that doesn't use prepared statements) has actively begged to be owned, and should probably just be placed in a job more appropriate to their skill sets (such as janitorial work).
The term "SQL Injection" should have been relegated to the history books a decade ago, as avoiding it is easier than being subject to it.
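An added example (not code from this thread or from Drupal) illustrating both the CVE-2014-3704 reference above and the prepared-statements point in this comment: Drupal 7's database layer already sat on PDO prepared statements, and the bug was in how it expanded an array bound to one named placeholder into `:ids_0, :ids_1, ...` using the array's keys. The model below is constructed to show that bug class beside the fix (take placeholder names from a counter, never from caller-supplied keys); the table, rows and the `expand_unsafe`/`expand_safe`/`lookup_names` names are assumptions, and the vulnerable expander is only inspected, not executed, on the hostile input.

```python
import sqlite3

# Constructed model of the CVE-2014-3704 bug class: an array argument bound to
# ":ids" is expanded into one placeholder per element. The placeholder names are
# built from the array's keys, so a caller-controlled key ends up in the SQL text.
def expand_unsafe(sql, args):
    """Expand array arguments, trusting the array's keys (the vulnerable pattern)."""
    bound = {}
    for name, value in args.items():
        if isinstance(value, dict):
            placeholders = []
            for key, item in value.items():
                new = f"{name}_{key}"           # untrusted key becomes part of the SQL
                placeholders.append(":" + new)
                bound[new] = item
            sql = sql.replace(":" + name, ", ".join(placeholders))
        else:
            bound[name] = value
    return sql, bound

def expand_safe(sql, args):
    """Same expansion, but placeholder names come from a counter; keys are discarded."""
    bound = {}
    for name, value in args.items():
        if isinstance(value, dict):
            placeholders = []
            for i, item in enumerate(value.values()):
                new = f"{name}_{i}"             # only 0, 1, 2, ... can reach the SQL
                placeholders.append(":" + new)
                bound[new] = item
            sql = sql.replace(":" + name, ", ".join(placeholders))
        else:
            bound[name] = value
    return sql, bound

QUERY = "SELECT name FROM users WHERE uid IN (:ids) ORDER BY uid"

def lookup_names(expander, ids):
    """Run the expanded query against a constructed in-memory table; return (sql, names)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (uid INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    sql, bound = expander(QUERY, {"ids": ids})
    return sql, [row[0] for row in conn.execute(sql, bound).fetchall()]

if __name__ == "__main__":
    print(lookup_names(expand_safe, {0: 1, 1: 3}))        # well-formed input works
    hostile = {"0 ) OR 1=1 --": 1}                          # attacker-shaped array key
    print(expand_unsafe(QUERY, {"ids": hostile})[0])       # key lands in the SQL text
    print(lookup_names(expand_safe, hostile))              # key ignored, value bound
```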
Year of the Linux Botnet (Score:1)
Yes, security holes in WordPress, Magento, Jetspeed, Exarid, AirOS get the malware onto the system. But the malware is for Linux, and the subject and summary valid.
Words (Score:2)
in its attempt to install (and fail) web ransomware
It attempted to "fail" web ransomware? What does that mean?
That trojan, named Rex, has evolved
No, it's been reprogrammed.
That's mildly infuriating (Score:2)
A trojan that targeted Drupal sites on Linux servers last May that was incredibly simplistic and laughable in its attempt to install (and fail) web ransomware on compromised websites
Let's go ahead and fix that:
A trojan that targeted Drupal sites on Linux servers last May that was incredibly simplistic and laughable in its attempt (and failure) to install web ransomware on compromised websites
Much better.