Advanced Linux Backdoor Found In the Wild Escaped AV Detection (arstechnica.com)
Researchers have discovered an advanced piece of Linux malware that has escaped detection by antivirus products and appears to be actively used in targeted attacks. Ars Technica reports: HiddenWasp, as the malware has been dubbed, is a fully developed suite of malware that includes a trojan, rootkit, and initial deployment script, researchers at security firm Intezer reported on Wednesday. At the time Intezer's post went live, the VirusTotal malware service indicated HiddenWasp wasn't detected by any of the 59 antivirus engines it tracks, although some have now begun to flag it. Time stamps in one of the 10 files Intezer analyzed indicated it was created last month. The command and control server that infected computers report to remained operational at the time this article was being prepared.
Some of the evidence analyzed -- including code showing that the computers it infects are already compromised by the same attackers -- indicated that HiddenWasp is likely a later stage of malware that gets served to targets of interest who have already been infected by an earlier stage. It's not clear how many computers have been infected or how any earlier related stages get installed. With the ability to download and execute code, upload files, and perform a variety of other commands, the purpose of the malware appears to be to remotely control the computers it infects. That's different from most Linux malware, which exists to perform denial of service attacks or mine cryptocurrencies. Some of the code appears to be borrowed from Mirai, while other code has similarities to other established projects or malware including the Azazel rootkit, the ChinaZ Elknot implant, and the recently discovered Linux variant of Winnti, a family of malware that previously had been seen targeting only Windows.
Linux finally has its "Year of the Desktop". (Score:5, Funny)
It did take a long time, but it did happen!
"Year of the Huawei Desktop". (Score:1)
It did take a long time, but it did happen!
That HiddenWasp malware is so well hidden, so well crafted to be a common hack.
In other words, the HiddenWasp malware must be from Huawei!
No wonder we ban Huawei.
By already having access (exploit of the week) (Score:3)
> they don't know where it comes from and how it gets onto the PC. These are the only questions that I have.
It appears to be a payload, meaning it gets there via whatever vulnerability the attacker has already exploited.
Re:By already having access (exploit of the week) (Score:4, Insightful)
Unlike on Microsoft Windows, where all you have to do is open an email or click on a weblink.
Whatever you do......... (Score:5, Insightful)
Whatever you do, don't tell us how to detect if our Linux box might be infected.
That would potentially be useful information and we don't have time for that here.
At least it's not systemd. (Score:4, Funny)
As malicious as this malware might be, at least it's not systemd.
Re:At least it's not systemd. (Score:5, Funny)
As malicious as this malware might be, at least it's not systemd.
The article doesn't actually state that. It's not beyond the realm of possibility that Poettering might rewrite some existing piece of Linux malware and call it malwared.
Re: Whatever you do......... (Score:1)
not much detail (Score:5, Informative)
Wonder if the article is being unclear on purpose. Looks like a root kit and someone has to download and install it, so did a search. And I found this
https://www.securityweek.com/s... [securityweek.com]
Re:not much detail (Score:5, Informative)
There is a much better write up available at https://www.intezer.com/blog-h... [intezer.com]
Re: (Score:3)
One way to detect it (possibly) (Score:5, Informative)
From the linked article:
Wednesday’s post lists indicators of compromise that people can use to tell if their computers have been infected.
One telltale sign: “ld.so” files that don’t contain the string “/etc/ld.so.preload.”
This is the result of the HiddenWasp trojan trying to patch instances of ld.so to enforce the LD_PRELOAD mechanism from arbitrary locations.
Re: (Score:2)
Time for a reinstall then!
Re:One way to detect it (possibly) (Score:5, Informative)
On a 64 bit system:
grep /etc/ld.so.preload /lib64/ld-linux-x86-64.so.2
Or for 32 bit:
grep /etc/ld.so.preload /lib/ld-linux.so.2
You should see a "binary file matches" message if the string exists.
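The loader check described in this comment, written up as a small script (an added example, not from the thread or from Intezer's post). It assumes a glibc-based system where the unpatched dynamic loader contains the literal string "/etc/ld.so.preload"; the loader paths in `scan_loaders` are assumed defaults for common layouts.

```shell
#!/bin/sh
# Added example: test whether a dynamic loader still contains the string
# "/etc/ld.so.preload". The Intezer indicator says a loader lacking it may
# have been patched by HiddenWasp to force LD_PRELOAD from other locations.
# Exit status of check_ldso: 0 = string present (looks unpatched),
#                            1 = string absent (suspect), 2 = file unreadable.
check_ldso() {
    f="$1"
    [ -r "$f" ] || return 2
    # -a treats the ELF binary as text, -F matches the literal path, -q is silent
    if grep -q -a -F '/etc/ld.so.preload' "$f"; then
        return 0
    fi
    return 1
}

# Walk the usual loader locations (assumed paths) and report each one.
# Returns 1 if any present loader lacks the string, else 0.
scan_loaders() {
    scan_status=0
    for ld in /lib64/ld-linux-x86-64.so.2 /lib/ld-linux.so.2 \
              /lib/ld-linux-aarch64.so.1 /lib/ld-linux-armhf.so.3; do
        [ -e "$ld" ] || continue
        rc=0
        check_ldso "$ld" || rc=$?
        case $rc in
            0) echo "ok:         $ld contains /etc/ld.so.preload" ;;
            1) echo "SUSPECT:    $ld lacks /etc/ld.so.preload (possibly patched)"
               scan_status=1 ;;
            2) echo "unreadable: $ld" ;;
        esac
    done
    return $scan_status
}

# Run the scan only when invoked with --scan, so the functions can be sourced.
if [ "${1:-}" = "--scan" ]; then
    scan_loaders
fi
```

A loader that was replaced outright (rather than patched in place) would still pass this check if the replacement keeps the string, so treat a clean result as one indicator, not proof of absence.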
Make your own malware (Score:1)
"linux malware evades AV detection" (Score:1)
Why could that possibly be? Oh right, because most "AV", even on linux, looks only for windows malware.
IMO, about time linux got hit. This even though it'll have lots of winderz fanbois go "ha ha every system can have malware (so our wading hip-deep through malware shit every day isn't so bad, see?)" which is ludicrous but to be expected anyway. But linux, despite working off a way better base than redmond can ever provide, doesn't need to get complacent, and that they do have a tendency to.
Common Practice (Score:3)
Not very interesting (Score:3)
A root-kit is the easy part. But how do they get in? That is the interesting part. A root-kit by itself is pretty harmless.
Re: (Score:2)
But then again how is slashdot going to inject 'Advanced Linux Backdoor' into the record. What a co-incidence this appears right under a story on Dell releasing a laptop pre-installed with Linux.
Re: (Score:2)
I had not noticed. Makes perfect sense.
Re: (Score:2)
I can see that. The thing is that a root-kit does not indicate any kind of weakness in the target. You can implement a root-kit on any OS, no matter how locked down. The interesting question is therefore whether attackers can get in, whether root-kits exist is completely immaterial.
Here is how to avoid infection... (Score:3, Insightful)
Re: (Score:1)
This is why I run Windows. I never got a virus yet.
Headline incorrect, not a "Linux Backdoor" (Score:1)
"Linux Backdoor" means code that is part of Linux that allows backdoor access. A virus, rootkit, or any other malware that is installed separately cannot be described correctly as a "Linux Backdoor". It is an important distinction, because if there really was a "Linux Backdoor" that would mean there was malicious code in the Linux repository, which would be an entirely different and much more serious issue.
Re: (Score:2)
Thanks Linus! By the way, I totally agree with you on that one.
Re: (Score:1)
If you look at the Linux kernel, its data starts from 1999 till now (so 20 years), and then you look at every other product M$ has and it's only a 10 year life span; if you're gonna play that game, add every Windows OS up, or we'll use 2 comparisons that have been out an equal amount of years...
Windows 7 vs Fedora
Windows 7 https://www.cvedetails.com/pro... [cvedetails.com]
Fedora https://www.cvedetails.com/pro... [cvedetails.com]
I'll take Fedora all day long forever over any M$ OS