
Thread: New Linux Rootkit Emerges

  1. #11
    Join Date
    Aug 2011
    Beans
    464
    Distro
    Ubuntu 16.04 Xenial Xerus

    Re: New Linux Rootkit Emerges

    Quote: Originally Posted by rai4shu2
    So:

    1. No way to detect it.
    2. No way to fix if you do detect it.

    Nice. Way to not solve anything. I guess this isn't a big concern, really. Except that this does poke a hole in the myth that Linux isn't a big target.
    No myth, it's the proven fact and do read up on the impact of this so-called rootkit which is a work in progress and doesn't affect Ubuntu as pointed out by previous posters.

  2. #12
    Join Date
    Jun 2008
    Location
    Tennessee
    Beans
    3,421

    Re: New Linux Rootkit Emerges

    Quote: Originally Posted by rai4shu2
    So:

    1. No way to detect it.
    2. No way to fix if you do detect it.

    Nice. Way to not solve anything. I guess this isn't a big concern, really. Except that this does poke a hole in the myth that Linux isn't a big target.
    If you've bothered to read the actual analysis of the rootkit, you'll note:

    - It's pretty simple to detect using ps, since the author botched process hiding.
    - It's pretty simple to fix, since it's a discrete set of files that is started off at every boot with a line in /etc/rc.local
    - It is nothing more or less than a rootkit. It's not a virus, a trojan, or a worm. It has no propagation method, exploits no security flaw, has no inherent means of elevating privilege. It is software that has to be placed on a compromised system by an intruder with root.
    - The execution of this rootkit is described in the analysis as amateur and mediocre.

    Anyone who's ever put an SSH server on a public IP and bothered to browse their auth logs can tell you that Linux servers are constantly being targeted for intrusion. Mostly what these intruders want to do is install rootkits and use what they presume is a web server to distribute malware and spam.

    So please, before everyone goes spreading FUD about how the Malware apocalypse has finally hit your Ubuntu desktop, educate yourself and stick with the facts.
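
The post above notes that this rootkit persists through a single line in /etc/rc.local. As an added example that is not part of the original post, the script below lists the commands a boot script would actually run and reports any that are missing from a reviewed baseline copy; the file paths and the injected command are constructed placeholders, not values from the rootkit analysis.

```shell
#!/bin/sh
# Added example (not from the thread): audit an rc.local-style boot script
# against a reviewed baseline. All sample paths below are constructed.

# Print the lines a shell would execute: trimmed, no blanks, no comments.
active_lines() {
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" |
        grep -v -e '^$' -e '^#' || true
}

# Print active lines of RCFILE that are missing from the reviewed BASELINE.
unexpected_lines() {
    rcfile=$1
    baseline=$2
    known=$(mktemp)
    active_lines "$baseline" > "$known"
    # An empty pattern file matches nothing, so every active line is reported.
    active_lines "$rcfile" | grep -v -x -F -f "$known" || true
    rm -f "$known"
}

# Build a constructed sample: a clean baseline and a copy with one extra line.
make_sample() {
    dir=$(mktemp -d)
    printf '%s\n' '#!/bin/sh -e' '# rc.local' '/usr/local/bin/site-init' \
        'exit 0' > "$dir/baseline"
    printf '%s\n' '#!/bin/sh -e' '# rc.local' '/usr/local/bin/site-init' \
        '  /opt/EXAMPLE/unknown-loader   ' 'exit 0' > "$dir/rc.local"
    echo "$dir"
}

sample=$(make_sample)
echo "Unexpected boot-time commands:"
unexpected_lines "$sample/rc.local" "$sample/baseline"
rm -rf "$sample"
```

On a real host the baseline should come from a known-good source such as a backup or configuration management, since a file read from a compromised system cannot be trusted on its own.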

  3. #13
    Join Date
    Mar 2011
    Beans
    701

    Re: New Linux Rootkit Emerges

    There is no myth about Linux being too little to attack. Linux dominates the server market - this is an attack against servers (hence why it's designed to inject iframes into websites to steer traffic). Linux users, however, are rarely attacked, due to tiny market share.

  4. #14
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 22.04 Jammy Jellyfish

    Re: New Linux Rootkit Emerges

    Quote: Originally Posted by lykwydchykyn
    If you've bothered to read the actual analysis of the rootkit, you'll note:

    - It's pretty simple to detect using ps, since the author botched process hiding.
    - It's pretty simple to fix, since it's a discrete set of files that is started off at every boot with a line in /etc/rc.local
    - It is nothing more or less than a rootkit. It's not a virus, a trojan, or a worm. It has no propagation method, exploits no security flaw, has no inherent means of elevating privilege. It is software that has to be placed on a compromised system by an intruder with root.
    - The execution of this rootkit is described in the analysis as amateur and mediocre.
    This x 9000. It sounds like a poor attempt to write malware for a *nix web server.

    Anyone who's ever put an SSH server on a public IP and bothered to browse their auth logs can tell you that Linux servers are constantly being targeted for intrusion. Mostly what these intruders want to do is install rootkits and use what they presume is a web server to distribute malware and spam.

    So please, before everyone goes spreading FUD about how the Malware apocalypse has finally hit your Ubuntu desktop, educate yourself and stick with the facts.
    Indeed. It also looks like the machine needs to be compromised first for this thing to be installed, and if that is the case, you are already owned.

    Quote: Originally Posted by Hungry Man
    There is no myth about Linux being too little to attack. Linux dominates the server market - this is an attack against servers (hence why it's designed to inject iframes into websites to steer traffic). Linux users, however, are rarely attacked, due to tiny market share.
    Yep. Servers are a huge market for *nix, which makes them a target.
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...

  5. #15
    Join Date
    Nov 2006
    Location
    Belgium
    Beans
    3,025
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: New Linux Rootkit Emerges

    Quote: Originally Posted by lykwydchykyn
    - It is nothing more or less than a rootkit. It's not a virus, a trojan, or a worm. It has no propagation method, exploits no security flaw, has no inherent means of elevating privilege. It is software that has to be placed on a compromised system by an intruder with root.
    Well, at least the author adheres to the unix philosophy of small tools that do one thing only. Maybe he's also hoping for some bazaar style distributed development where other people write the propagation system or extensions such as a delivery system of pluggable privilege elevation mechanisms.

    If you're writing malware, might as well do it in line with the established practices of the target system.

  6. #16
    rai4shu2 is offline Extra Foam Sugar Free Ubuntu
    Join Date
    Jun 2006
    Beans
    Hidden!
    Distro
    Xubuntu 12.04 Precise Pangolin

    Re: New Linux Rootkit Emerges

    Quote: Originally Posted by lykwydchykyn
    If you've bothered to read the actual analysis of the rootkit, you'll note:

    - It's pretty simple to detect using ps, since the author botched process hiding.
    - It's pretty simple to fix, since it's a discrete set of files that is started off at every boot with a line in /etc/rc.local
    - It is nothing more or less than a rootkit. It's not a virus, a trojan, or a worm. It has no propagation method, exploits no security flaw, has no inherent means of elevating privilege. It is software that has to be placed on a compromised system by an intruder with root.
    - The execution of this rootkit is described in the analysis as amateur and mediocre.

    Anyone who's ever put an SSH server on a public IP and bothered to browse their auth logs can tell you that Linux servers are constantly being targeted for intrusion. Mostly what these intruders want to do is install rootkits and use what they presume is a web server to distribute malware and spam.

    So please, before everyone goes spreading FUD about how the Malware apocalypse has finally hit your Ubuntu desktop, educate yourself and stick with the facts.
    Thanks for the information.

    Okay, what we need is better communication from these hacker guys. Sheesh. Those of us who aren't security pros don't know how to read between the lines and really need things like the above spelled out to us more plainly (preferably within the first three paragraphs of the article pointing out the threat).

  7. #17
    Join Date
    Jun 2008
    Location
    Tennessee
    Beans
    3,421

    Re: New Linux Rootkit Emerges

    Quote: Originally Posted by rai4shu2
    Thanks for the information.

    Okay, what we need is better communication from these hacker guys. Sheesh. Those of us who aren't security pros don't know how to read between the lines and really need things like the above spelled out to us more plainly (preferably within the first three paragraphs of the article pointing out the threat).
    Unfortunately, you can count on the tech press to blow everything out of proportion, especially when it comes to security issues. Take everything with a grain of salt.

    https://www.eviscerati.org/comics/co...ogy-journalism
    Last edited by lykwydchykyn; November 21st, 2012 at 09:40 PM.

  8. #18
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 22.04 Jammy Jellyfish

    Re: New Linux Rootkit Emerges

    Quote: Originally Posted by lykwydchykyn
    Unfortunately, you can count on the tech press to blow everything out of proportion, especially when it comes to security issues. Take everything with a grain of salt.

    https://www.eviscerati.org/comics/co...ogy-journalism
    That is a fact. They will do anything to get people's attention. Attention = hits.

    The same thing happens on other news sites too.

  9. #19
    Join Date
    Dec 2010
    Beans
    Hidden!

    Re: New Linux Rootkit Emerges

    Quote: Originally Posted by koenn
    well, at least the author adheres to the unix philosophy of small tools that do one thing only. Maybe he's also hoping for some bazaar style distributed development where other people write the propagation system or extensions such as a delivery system of pluggable privilege elevation mechanisms.

    If you're writing malware, might as well do it in line with the established practices of the target system.
    :D


    404

  10. #20
    Join Date
    Dec 2007
    Location
    Idaho
    Beans
    4,976
    Distro
    Ubuntu 20.04 Focal Fossa

    Re: New Linux Rootkit Emerges

    I heard it's easy to install a rootkit on a well secured server.

    Oh wait...

    Nothing that new here, rootkits have existed for how long?
    "You can't expect to hold supreme executive power just because some watery tart lobbed a sword at you"

    "Don't let your mind wander -- it's too little to be let out alone."
