[opensuse] New Trojan Backdoor Malware Targets Mac OS X And Linux, Steals Passwords And Keystrokes - Forbes
http://www.forbes.com/sites/anthonykosner/2012/08/31/new-trojan-backdoor-mal...

Is openSUSE susceptible?

Greg
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
On 2012/09/01 00:03 (GMT-0400) Greg Freemyer composed:
http://www.forbes.com/sites/anthonykosner/2012/08/31/new-trojan-backdoor-mal...
Is openSUSE susceptible?
That page says to block IP 212.7.208.65. How does one "block" an IP? I tried adding a line '0.0.0.0 212.7.208.65' to /etc/hosts/, but it doesn't prevent a ping from getting out and back, and it seems more like it should have prevented me from reaching it (which it didn't) rather than vice versa.
--
"The wise are known for their understanding, and pleasant words are persuasive." Proverbs 16:21 (New Living Translation)
Team OS/2 ** Reg. Linux User #211409 ** a11y rocks!
Felix Miata *** http://fm.no-ip.com/
Felix Miata wrote:
On 2012/09/01 00:03 (GMT-0400) Greg Freemyer composed:
http://www.forbes.com/sites/anthonykosner/2012/08/31/new-trojan-backdoor-mal...
Is openSUSE susceptible?
That page says to block IP 212.7.208.65. How does one "block" an IP?
How about:

iptables -A INPUT -s 212.7.208.65 -j DROP
iptables -A INPUT -d 212.7.208.65 -j DROP

--
Per Jessen, Zürich (10.9°C)
Felix Miata wrote:
On 2012/09/01 00:03 (GMT-0400) Greg Freemyer composed:
http://www.forbes.com/sites/anthonykosner/2012/08/31/new-trojan-backdoor-mal...
Is openSUSE susceptible?
That page says to block IP 212.7.208.65. How does one "block" an IP? I tried adding a line '0.0.0.0 212.7.208.65' to /etc/hosts/, but it doesn't prevent a ping from getting out and back, and seems more like it should have prevented me from reaching it (which it didn't) rather than vice versa.
Any firewall should be able to do that. Or you could create a host route that sends it to a route that's not available. The hosts file won't do it, as it's only used to map a host name to an IP address.

"I miss the good old days when Mac users felt a smug superiority over Windows users who had to deal with this stuff…"

I remember the good old days, when Apple computers were the target, before DOS/Windows were.
Hello, On Sat, 01 Sep 2012, Greg Freemyer wrote:
http://www.forbes.com/sites/anthonykosner/2012/08/31/new-trojan-backdoor-mal...
Is openSUSE susceptible?
No idea. What I can find ATM is tons of blabbering (went as far as a page >20) citing _one_ source. And that smells a bit fishy[1] and is much lacking:

http://www.google.com/search?q=BackDoor.Wirenet.1
http://vms.drweb.com/virus/?i=1957835

The latter, fed through http://translate.google.de/ reads:

====
Added to Dr.Web virus database: 2012-08-21
Virus description was added: 2012-08-22
Trojan backdoor that can run on Linux and MacOS X. Has keylogger functionality, can steal passwords typed by the user in the browser Opera, Firefox, Chrome, Chromium, and passwords from applications such as Thunderbird, SeaMonkey, Pidgin. When executed, it copies itself to the user's home directory.
In MacOS: folder% home% / WIFIADAPT.app.app
In Linux: in ~ / WIFIADAPT
Establishes a connection to a remote command center at 212.7.208.65. Uses a check connections using encryption algorithm Advanced Encryption Standard (AES).
====

WTF? ONE specific IP in a virus? That resolves to a Polish operated host in the Netherlands attached to a router in the Netherlands? (c.f. 'whois 212.7.208.65' and 'traceroute 212.7.208.65' and a whois on the second to last hop).

And _NOTHING_ about method of attack / propagation??? Via Flash / JS^WECMA Script / Java / browser-specific bugs, or whatever???

Fishy!

I'd stay wary and follow this a bit, watch CERT announcements etc., but it has more than just a hint of a hoax / scareware ...

Oh, and of course, keep your browser updated. Just these days there was an update:

$ rpm -q --changelog seamonkey | head -50
* Mon Aug 27 2012 wr@rosenauer.org
- update to SeaMonkey 2.12 (bnc#777588)
[..]

Haven't looked yet for any connection, there's too many bnc#, bmo# and MFSA/CVE's involved for my time of day ;)

-dn'Guru Meditation'h

[1] I don't like fish BTW.

--
Seems you really are a social leper these days if you're not on FB. -- Julian Macassey
Farcebook is AOL with better graphics. -- Michel
And worse grammar. -- Roger Burton West
El 01/09/12 02:00, David Haller escribió:
WTF? ONE specific IP in a virus? That resolves to a Polish operated host in the Netherlands attached to a router in the Netherlands? (c.f. 'whois 212.7.208.65' and 'traceroute 212.7.208.65' and a whois on the second to last hop).
And _NOTHING_ about method of attack / propagation??? Via Flash / JS^WECMA Script / Java / browser-specific bugs, or whatever???
Fishy!
I'd stay wary and follow this a bit, watch CERT announcements etc., but it has more than just a hint of a hoax / scareware ...
Looks like a pretty amateurish thing to use one IP address... but there is not enough information to make a judgment; however, there is more than enough history on buggy plugins like flash or java to be at least cautious.
"Cristian Rodríguez" <crrodriguez@opensuse.org> wrote:
El 01/09/12 02:00, David Haller escribió:
WTF? ONE specific IP in a virus? That resolves to a Polish operated host in the Netherlands attached to a router in the Netherlands? (c.f. 'whois 212.7.208.65' and 'traceroute 212.7.208.65' and a whois on the second to last hop).
And _NOTHING_ about method of attack / propagation??? Via Flash / JS^WECMA Script / Java / browser-specific bugs, or whatever???
Fishy!
I'd stay wary and follow this a bit, watch CERT announcements etc., but it has more than just a hint of a hoax / scareware ...
Looks like a pretty amateurish thing to use one IP address
Most malware has a series of backup IPs. But modern malware uses internal encryption to hide its internal info such as backup command and control IPs. Static analysis/disassembly can be almost useless in trying to find the backup IPs. Better is to let it run, then get a memory dump. But the bad guys know this, so they only unencrypt functionality and data as they need it.

Malware analysts in turn use VMs to fake out the malware (using fake clocks etc.) and try to trigger the malware to use additional functionality/data. The malware writers work hard to detect the malware is being analysed and shut down. A friend of mine has estimated 80% of malware in 2011 looked to see if it was running in a VM and terminated itself if it was.

That only one IP is provided likely just means the virus writer was better than the analysis tools used to analyse it.

As to where the IP is, that means little. Bad guys typically hack systems around the world and then use them as command and control systems.

Greg
--
Sent from my Android phone with K-9 Mail. Please excuse my brevity.
On 2012/09/02 08:02 (GMT-0400) Greg Freemyer composed:
As to where the IP is, that means little. Bad guys typically hack systems around the world and then use them as command and control systems.
So maybe the best thing to do until someone comes up with a better idea is to create ~/WIFIADAPT and ~/ WIFIADAPT and make them inaccessible with chmod 000 and/or chattr +i?
--
"The wise are known for their understanding, and pleasant words are persuasive." Proverbs 16:21 (New Living Translation)
Team OS/2 ** Reg. Linux User #211409 ** a11y rocks!
Felix Miata *** http://fm.no-ip.com/
On 09/02/2012 08:17 AM, Felix Miata wrote:
On 2012/09/02 08:02 (GMT-0400) Greg Freemyer composed:
As to where the IP is, that means little. Bad guys typically hack systems around the world and then use them as command and control systems.
So maybe the best thing to do until someone comes up with a better idea is to create ~/WIFIADAPT and ~/ WIFIADAPT and make them inaccessible with chmod 000 and/or chattr +i?
Is there something I'm missing here? In order for this malware to work wouldn't the user have to enter the admin password? Surely even the greenest Linux user would know that if they aren't intentionally installing something they don't enter the admin password for something to install.
--
A veteran is someone who, at one point in their life, wrote a blank check made payable to 'The United States of America' for any amount, up to and including their life.
_ _... ..._ _ _._ ._ ..... ._.. ... .._
On Sun, 02 Sep 2012 08:48:23 -0500 Billie Walsh <bilwalsh@swbell.net> wrote: ...
Is there something I'm missing here? In order for this malware to work wouldn't the user have to enter the admin password?
Not for installation and run in ~/ directory because tilde represents /home/user or $HOME where one has all rights necessary.

Flash, Java and Javascript, used in web browsers, are vulnerable independent of underlying operating system. That is what openSUSE security guys told us long ago.
--
Regards, Rajko
Felix Miata wrote:
So maybe the best thing to do until someone comes up with a better idea is to create ~/WIFIADAPT and ~/ WIFIADAPT and make them inaccessible with chmod 000 and/or chattr +i?
Or perhaps link them to /dev/null.
On Sun, 02 Sep 2012 09:17:43 -0400 Felix Miata <mrmazda@earthlink.net> wrote:
So maybe the best thing to do until someone comes up with a better idea is to create ~/WIFIADAPT and ~/ WIFIADAPT and make them inaccessible with chmod 000 and/or chattr +i?
Names written in all CAPITALS and not even hidden from listing resemble something that one wants to be found. The claim that the 1st Linux virus was found is good for those that don't follow security very carefully, and that smells too.

Thanks to long standing propaganda that Linux is not vulnerable due to its architecture, there are a lot of users that are careless about user support to their computer security. It seems that the "1st Linux virus" is targeting them. They have no idea where to look for protection and can just download the offered solution.

It is either what Greg said, malware authors are smarter than discoverers, or it is a little ploy, well known from Windows: scare people and offer a "solution" that does exactly what the malware is accused of.

Software is not as vulnerable as its users. It is easier to trick users than to find an exploit, and that is what is happening in the majority of cases.
--
Regards, Rajko
On Sat, Sep 1, 2012 at 6:03 AM, Greg Freemyer <greg.freemyer@gmail.com> wrote:
http://www.forbes.com/sites/anthonykosner/2012/08/31/new-trojan-backdoor-mal...
Is openSUSE susceptible?
Hmmm how convenient that the Russian A/V company has the Linux A/V software to "solve" the problem... and.. the "first" virus... is, on first look, no different than any other social engineering "virus" for Linux... exploits at least similar to this have been around on Linux for ages.

I'd say - due to a rather convenient lack of information - that openSUSE is no more or less vulnerable to this than any other exploit on Linux. Basically... if you explicitly download something from an unknown source, and then explicitly execute it... you get what you deserve :-P

This whole thing stinks of self-promotion and FUD.

C.
--
openSUSE 12.1 x86_64, KDE 4.9.0
On Fri, Aug 31, 2012 at 11:03 PM, Greg Freemyer <greg.freemyer@gmail.com> wrote:
http://www.forbes.com/sites/anthonykosner/2012/08/31/new-trojan-backdoor-mal...
Is openSUSE susceptible?
In a nutshell, if you are using Oracle Java 7, then yes. If you are using any version of OpenJDK, or any other version of Oracle Java (other than 7), then no.

Good luck!

-- Chris
On Sat, Sep 1, 2012 at 3:15 AM, Christofer C. Bell <christofer.c.bell@gmail.com> wrote:
On Fri, Aug 31, 2012 at 11:03 PM, Greg Freemyer <greg.freemyer@gmail.com> wrote:
http://www.forbes.com/sites/anthonykosner/2012/08/31/new-trojan-backdoor-mal...
Is openSUSE susceptible?
In a nutshell, if you are using Oracle Java 7, then yes. If you are using any version of OpenJDK, or any other version of Oracle Java (other than 7), then no.
Good luck!
-- Chris
Guys,

A couple things. You can do the iptables as stated. Or you can use route:

route -v add -host 212.7.208.65 reject

inferno:~# route -v add -host 212.7.208.65 reject
inferno:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
212.7.208.65    -               255.255.255.255 !H    0      -        0 -

Here are some tips to search for it:

find / -name WIFIADAPT
netstat -tap | grep 212.7.208.65

But to be honest, the people that

--
Terror PUP a.k.a Chuck "PUP" Payne (678) 636-9678
-----------------------------------------
Discover it! Enjoy it! Share it! openSUSE Linux.
-----------------------------------------
openSUSE -- en.opensuse.org/User:Terrorpup
openSUSE Ambassador/openSUSE Member
Community Manager -- Southeast Linux Foundation (SELF)
skype,twiiter,identica,friendfeed -- terrorpup
freenode(irc) --terrorpup/lupinstein
Register Linux Userid: 155363
Have you tried SUSE Studio? Need to create a Live CD, an app you want to package and distribute, or create your own linux distro. Give SUSE Studio a try. www.susestudio.com.
See you at Southeast Linux Fest, June 8-10, 2012 in Charlotte, NC. www.southeastlinuxfest.org
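An added example, not code from the thread or from openSUSE: it packages the two indicators the thread quotes from Dr.Web (the 212.7.208.65 command-and-control address and the ~/WIFIADAPT drop path) into Per Jessen's iptables rules plus a route, and adds the checks Chuck's netstat/find tips point at. The netstat sample lines are constructed; the blocking commands are printed, not applied, so nothing here needs root.

```shell
#!/bin/sh
# Added example (not from the thread). Blocking rules and two defensive
# checks for the indicators quoted in the thread. Nothing needs root: the
# firewall/route commands are printed, not applied.

C2_IP="212.7.208.65"

# Blocking rules. A -d rule on INPUT never matches (INPUT only sees packets
# addressed to this host); outbound traffic to the C2 is dropped on OUTPUT.
# The blackhole route is the iproute2 form of "route add -host ... reject".
block_rules() {
    printf '%s\n' \
        "iptables -A INPUT  -s $C2_IP -j DROP" \
        "iptables -A OUTPUT -d $C2_IP -j DROP" \
        "ip route add blackhole $C2_IP/32"
}

# Read 'netstat -tanp' (or 'ss -tanp') output on stdin and print every socket
# whose foreign/peer address (5th column) is the C2. Exit 0 if any were found.
c2_connections() {
    awk -v ip="$C2_IP" 'index($5, ip ":") == 1 { found = 1; print }
                        END { exit !found }'
}

# Check one home directory for the ~/WIFIADAPT drop location reported by
# Dr.Web. Exit 0 (and print the entry) if anything exists there, 1 otherwise.
wifiadapt_present() {
    home="${1:-$HOME}"
    [ -e "$home/WIFIADAPT" ] || return 1
    ls -ld "$home/WIFIADAPT"
}

# Constructed sample of netstat -tanp output: one connection to the C2 from a
# process named WIFIADAPT, and one unrelated SSH session that must not match.
SAMPLE_NETSTAT='tcp  0  0 10.0.0.5:45678  212.7.208.65:443  ESTABLISHED  1234/WIFIADAPT
tcp  0  0 10.0.0.5:22     10.0.0.9:51234    ESTABLISHED  900/sshd'

echo "# rules to apply as root:"
block_rules
echo "# sockets talking to the C2 in the sample:"
printf '%s\n' "$SAMPLE_NETSTAT" | c2_connections || echo "(none)"
echo "# drop path check:"
wifiadapt_present || echo "no WIFIADAPT in ${HOME:-/}"
```

On a live host, pipe real output into the check instead of the sample: `netstat -tanp | c2_connections` (or `ss -tanp | c2_connections`).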