Thread: Linux wiper malware used in S. Korean attacks

  1. #11
    prodigy_ is offline May the Ubuntu Be With You!
    Join Date
    Mar 2008
    Beans
    1,219

    Re: Linux wiper malware used in S. Korean attacks

    Quote Originally Posted by Yedrin View Post
    BASH shell script
    Quote Originally Posted by Primefalcon View Post
    it'd prompt for super user access and ask for your password
    ROFL. Well, then I can write "malware" too:
    Code:
    sudo bash -c 'for i in /dev/{h,s}d{a..z}; do (echo $i >/dev/null 2>&1 &) done'
    (This is, of course, harmless. But anyone can see where it's going.)
    Last edited by prodigy_; March 23rd, 2013 at 11:56 AM.

  2. #12
    Join Date
    Apr 2008
    Location
    Wisconsin
    Beans
    766
    Distro
    Ubuntu

    Re: Linux wiper malware used in S. Korean attacks

    swap that out with the dd command or rm from root.... and you'd have supposedly destructive malware according to those anti-virus companies

  3. #13
    prodigy_ is offline May the Ubuntu Be With You!
    Join Date
    Mar 2008
    Beans
    1,219

    Re: Linux wiper malware used in S. Korean attacks

    Quote Originally Posted by Jonor View Post
    I'd be highly suspicious if asked for a password out of the blue
    The problem is, more than enough harm can be done without asking for a password. In the context of this thread: imagine a script that recursively overwrites every file in your home directory with random data. It's stupid easy to write a one-liner that would do exactly that.

    Moral of the story: always have an external backup.

  4. #14
    Join Date
    Mar 2011
    Location
    19th Hole
    Beans
    Hidden!
    Distro
    Ubuntu 16.04 Xenial Xerus

    Re: Linux wiper malware used in S. Korean attacks

    Quote Originally Posted by SeijiSensei View Post
    Do we really think some functionary in a South Korean bank is running a dual-boot Windows/Linux machine? ...some guy sitting at home in Seoul playing on a dual-boot machine and being distracted while watching Girls Generation.

  5. #15
    Join Date
    Apr 2008
    Location
    Wisconsin
    Beans
    766
    Distro
    Ubuntu

    Re: Linux wiper malware used in S. Korean attacks

    I agree you should always have backups, you also should never enter your password if it jumps up unexpectedly... for example if the update window pops up... and you click install updates, you know it popped up for what you just did... but if it jumped up for no reason..... never enter the password...

  6. #16
    Join Date
    Jun 2006
    Location
    Caracas, Venezuela
    Beans
    418
    Distro
    Ubuntu 11.10 Oneiric Ocelot

    Re: Linux wiper malware used in S. Korean attacks

    I don't know much about networking and even less about cracking, but can't a cracker compromise a given system through the net by taking advantage of any vulnerability in a remote machine's services? In this case, I guess they wouldn't even need a root password to infect the machine with some kind of malicious program (or they could probably find the password once they compromise the system). Someone please correct me if I'm wrong.

  7. #17
    Join Date
    Jan 2006
    Location
    Vancouver, Canada
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: Linux wiper malware used in S. Korean attacks

    Quote Originally Posted by Primefalcon View Post
    no it'd prompt for super user access and ask for your password
    That's how nicely behaved software operates. Powerful malware, as a general rule, does not do that. Malware on Linux is not limited to asking for privilege escalation the nice way. System calls are very useful, here. When a program needs to allocate memory or open a file, that's a privileged operation so it asks the kernel to do it with a system call. Sometimes, a simple looking program might use an innocent, helpful system call like vmsplice, but twist its arm a little to create a buffer overflow in kernel space, which means arbitrary code execution, which means that simple little unprivileged program suddenly has Jedi powers. (The vmsplice vulnerability did happen. See here, if you're interested: http://lwn.net/Articles/268783/). This is why sandboxing in Chrome and newer Firefox, and stuff like Arkose, is a big deal. We already have a lot of functionality to limit a program to a specific section of the filesystem, but a significant part of this new stuff is to limit a program to a set of system calls, which reduces the attack surface for any malware. In the past we've had seccomp as a thin layer to provide that functionality, and seccomp-bpf does the same with a little more control. Chrome uses a broker process with a very strict policy for what system calls its children can run. When a browser process wants to run a fancier system call, it has to go through the broker.

    With that said, sounds like this runs on a Windows host, and I'll bet the goal is to slow down antivirus tools that run from Linux environments. I just felt like clearing up a common misconception :)
    Last edited by Mr. Picklesworth; March 24th, 2013 at 06:25 AM.
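
As an added example (not code from this thread, nor from Chrome's or Arkose's sandbox), here is a minimal seccomp-bpf policy of the kind described above: a forked child loads a filter that turns the file-deletion syscalls a wiper script depends on into EPERM, and the parent checks that the file survived. It assumes Linux on x86_64; the scratch path is constructed for the demo.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Deny unlinkat/renameat with EPERM and allow the rest; real sandboxes use an allow-list instead. */
static int install_no_delete_filter(void) {
    struct sock_filter filter[] = {
        /* Syscall numbers are per-architecture: kill the process if the arch is not x86_64. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_unlinkat, 1, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_renameat, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = (unsigned short)(sizeof filter / sizeof filter[0]), .filter = filter };
    /* NO_NEW_PRIVS lets an unprivileged process load a filter and rules out setuid escalation. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Create a scratch file and let a filtered child try to delete it. Returns 1 if the
 * child got EPERM and the file survived, 0 if it was deleted, -1 on setup failure. */
int deletion_blocked_demo(void) {
    char path[] = "/tmp/wiper-demo-XXXXXX";  /* constructed scratch path, not from the thread */
    if (close(mkstemp(path)) != 0) return -1;  /* close(-1) fails too, so this covers mkstemp errors */
    int status = 0;
    pid_t pid = fork();
    if (pid == 0) {
        if (install_no_delete_filter() != 0) _exit(2);
        int rc = unlinkat(AT_FDCWD, path, 0);  /* the wiper's core action, now under the policy */
        _exit(rc == -1 && errno == EPERM ? 0 : 1);
    }
    if (pid < 0 || waitpid(pid, &status, 0) < 0) return -1;
    int survived = access(path, F_OK) == 0;
    unlink(path);  /* the parent never loaded the filter, so cleanup works */
    if (!WIFEXITED(status) || WEXITSTATUS(status) == 2) return -1;
    return WEXITSTATUS(status) == 0 && survived;
}
```

Because the filter is loaded only in the child, the same process can still clean up afterwards; a real policy would also cover the legacy unlink/rmdir/rename numbers and truncation paths.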

  8. #18
    Join Date
    Nov 2006
    Location
    Belgium
    Beans
    3,025
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: Linux wiper malware used in S. Korean attacks

    Quote Originally Posted by VTPoet View Post
    Here's somewhat more of an explanation:

    http://www.itworld.com/data-protecti...korean-attacks

    It doesn't sound as though a password was necessary?
    If you click through on one of the links in the article, you get this:
    http://www.symantec.com/connect/blog...n-cyber-attack

    If I read that correctly (just skimmed through it), the malware runs on a Windows machine, looks for a program called 'mRemote' (a remote connections manager), and tries to extract hostnames and passwords stored by that program. It then uses these to try and ssh to remote hosts and (in the case of Linux/Unix machines) runs a script that deletes files.

  9. #19
    Join Date
    Nov 2008
    Location
    Metro Boston
    Beans
    12,067
    Distro
    Kubuntu 14.04 Trusty Tahr

    Re: Linux wiper malware used in S. Korean attacks

    Quote Originally Posted by koenn View Post
    If I read that correctly (just skimmed through it), the malware runs on a Windows machine, looks for a program called 'mRemote' (a remote connections manager), and tries to extract hostnames and passwords stored by that program. It then uses these to try and ssh to remote hosts and (in the case of Linux/Unix machines) runs a script that deletes files.
    Assuming that there are any logins on the Windows machines that match privileged logins on the Linux boxes. Again, as I said before, on any well-managed network, ordinary users, particularly ordinary Windows users, should have no such privileges on the remote Linux hosts.

    Servers running Samba or NFS that export directories mounted by the Windows clients might be vulnerable to this attack, but only in directories to which the local Windows user has privileges. So it might be possible to log into my server with my username and password and delete my files, except that my Samba passwords bear no resemblance to my Linux passwords.
    Last edited by SeijiSensei; March 24th, 2013 at 12:52 AM.

  10. #20
    Join Date
    May 2011
    Beans
    2

    Re: Linux wiper malware used in S. Korean attacks

    Quote Originally Posted by SeijiSensei View Post
    Assuming that there are any logins on the Windows machines that match privileged logins on the Linux boxes. Again, as I said before, on any well-managed network, ordinary users, particularly ordinary Windows users, should have no such privileges on the remote Linux hosts.

    Servers running Samba or NFS that export directories mounted by the Windows clients might be vulnerable to this attack, but only in directories to which the local Windows user has privileges. So it might be possible to log into my server with my username and password and delete my files, except that my Samba passwords bear no resemblance to my Linux passwords.
    I know of some "Lazy Admins" who have full control over their remote servers from their Windows machines. A Windows native malware can possibly sniff credentials sent to "mRemote" or other similar RDPs. Then do a false login, and you know the rest of the story.
