Researchers smell a cryptomining Chaos RAT targeting Linux systems
All,

Something I hadn't heard of, but worth keeping an eye on:

https://www.theregister.com/2022/12/13/cryptoming_chaos_rat_targets_linux/?utm_source=daily&utm_medium=newsletter&utm_content=article

Courtesy of El Reg -- again...

-- 
David C. Rankin, J.D., P.E.
David, et al --

...and then David C. Rankin said...
% ...
% https://www.theregister.com/2022/12/13/cryptoming_chaos_rat_targets_linux/
[trimmed and snipped]

Thanks for the pointer!

Speaking of which ... What are folks' favorite malware scanners? Do you favor anything other than (or in addition to) ClamAV? It's probably time I revisited the topic after having been conveniently comfortable for a long time ...

TIA & Happy Holidays to all

:-D

-- 
David T-G
See http://justpickone.org/davidtg/email/
See http://justpickone.org/davidtg/tofu.txt
On 15/12/2022 21.18, David T-G wrote:
David, et al --
...and then David C. Rankin said...
% ...
% https://www.theregister.com/2022/12/13/cryptoming_chaos_rat_targets_linux/
[trimmed and snipped]
Thanks for the pointer!
Speaking of which ... What are folks' favorite malware scanners? Do you favor anything other than (or in addition to) ClamAV? It's probably time I revisited the topic after having been conveniently comfortable for a long time ...
I don't have any.

-- 
Cheers / Saludos,
Carlos E. R.
(from openSUSE 15.4 (Legolas))
On 2022-12-15 14:18:41 David T-G wrote:
David, et al --
...and then David C. Rankin said...
% ...
% https://www.theregister.com/2022/12/13/cryptoming_chaos_rat_targets_linux/
[trimmed and snipped]
Thanks for the pointer!
Speaking of which ... What are folks' favorite malware scanners? Do you favor anything other than (or in addition to) ClamAV? It's probably time I revisited the topic after having been conveniently comfortable for a long time ...
TIA & Happy Holidays to all
:-D
A quick search on DuckDuckGo for "linux malware scanner" found a couple besides ClamAV (I didn't read the actual articles, just the synopses):

Malscan (malware scanner for web servers): malware protection, malware scanning. Malscan is a tool to scan for malicious software (malware) such as viruses, worms, and backdoors. Its goal is to extend ClamAV with more scanning modes and signatures. It targets web servers running Linux, but can also be used on mail servers and desktops.

Lynis - Security Auditing and Rootkit Scanner. Lynis is a free, open source, powerful and popular security auditing and scanning tool for Unix/Linux-like operating systems. It is a malware scanning and vulnerability detecting tool that scans systems for security information and issues, file integrity, configuration errors; performs...

Linux Malware Detect (LMD) is a tool that can be used on the Linux system to scan, detect, and remove malware from your system. The LMD can be used as a backdoor scanner on Linux.

Leslie

-- 
Platform: GNU/Linux
Hardware: x86_64
Distribution: openSUSE Leap 15.4
Desktop Environment: Trinity
Qt: 3.5.0
TDE: R14.0.13
tde-config: 1.0
Leslie, et al --

...and then J Leslie Turriff said...
% On 2022-12-15 14:18:41 David T-G wrote:
% >
% > Speaking of which ... What are folks' favorite malware scanners? Do ...
%
% A quick search on DuckDuckGo for "linux malware scanner" found a couple besides ClamAV (I
% didn't read the actual articles, just the synopses):
[snip]

Thanks. I saw the same [rather heartening, but only sorta compared to the Good Old Days when everyone was friendly] long list, which led to asking what folks smarter than I use.

HANN & HH

:-D

-- 
David T-G
See http://justpickone.org/davidtg/email/
See http://justpickone.org/davidtg/tofu.txt
On 12/15/22 14:18, David T-G wrote:
Speaking of which ... What are folks' favorite malware scanners? Do you favor anything other than (or in addition to) ClamAV? It's probably time I revisited the topic after having been conveniently comfortable for a long time ...
For my servers, since I do no business outside the US, the most effective defense I've found is just to block the RIPE, APNIC and AFRINIC IP blocks. (Cloud servers have made this more work -- I end up having to create exceptions -- but, on balance, it eliminates 90%+ of the intrusion attempts.) (Idiot engineers are using Proton Mail -- that routes mail through Chinese servers.)

Software-wise, just ensure you are up to date with your apps: apache, php, mariadb, postgres, postfix, dovecot, etc. Keep any public-facing web apps up to date as well (groupware, nextcloud, etc.), and make sure the configurations are no looser than needed for your use, require https-only connections, and keep your site certificates up to date. (No more self-signed certs allowed. "Let's Encrypt" certs are full-chain and free, certbot makes it simple to keep them up to date, and you can use the same certs for https and mail.)

Other than that, in the past, if you accept uploaded content, scanning with clamav and occasionally with rkhunter was about all that was available.

Knock on wood. Never infected -- yet...

-- 
David C. Rankin, J.D., P.E.
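A worked version of the registry-level blocking described in the post above, added here as an example (it is not code anyone in the thread posted). It parses the public RIR delegated-stats format (`registry|cc|type|start|value|date|status`), turns each record into CIDR blocks, and writes an nftables table in which an allow set is consulted before the drop set, so the cloud-provider exceptions the poster mentions stay separate from the large drop list. The sample records, the table name `geoblock`, the set names and the `185.0.8.0/24` exception are all made up for the example.

```python
#!/usr/bin/env python3
"""Build an nftables geo-blocklist from RIR delegated-stats records.

Added example for this thread, not code posted by any participant.  It
assumes the public RIR delegated-stats line format
(registry|cc|type|start|value|date|status) and emits an nftables table
whose allow set is matched before the drop set, so exceptions for cloud
ranges never require recomputing the drop set.
"""
import ipaddress

# Constructed sample records: the format is the real one, the addresses
# are made-up test data, not actual allocations.  Note the two meanings of
# the 'value' field: an address count for ipv4 (not always a power of
# two) and a prefix length for ipv6.
SAMPLE_DELEGATED = """\
2|apnic|20221215|9|19830101|20221214|+1000
apnic|*|ipv4|*|4|summary
apnic|CN|ipv4|1.0.1.0|256|20110414|allocated
apnic|AU|ipv4|1.0.0.0|256|20110811|assigned
ripencc|DE|ipv4|2.16.0.0|65536|20100910|allocated
ripencc|GB|ipv4|185.0.0.0|3072|20130101|allocated
afrinic|ZA|ipv4|41.0.0.0|2097152|20071001|allocated
arin|US|ipv4|3.0.0.0|16777216|19880101|assigned
lacnic|BR|ipv4|200.0.0.0|1024|19950101|allocated
apnic|JP|ipv6|2001:200::|35|19990813|allocated
"""

# Registries whose address space the server refuses (the poster's choice).
BLOCKED_REGISTRIES = frozenset({"ripencc", "apnic", "afrinic"})


def parse_records(text):
    """Yield (registry, cc, network) for each ipv4/ipv6 allocation record.

    Version, summary and comment lines are skipped.  An ipv4 count that is
    not a power of two expands to several CIDR blocks.
    """
    for line in text.splitlines():
        fields = line.split("|")
        if line.startswith("#") or len(fields) < 7:
            continue                      # comment, or 6-field summary line
        registry, cc, kind, start, value = fields[:5]
        if kind not in ("ipv4", "ipv6") or start == "*":
            continue                      # version header or summary
        if kind == "ipv6":
            yield registry, cc, ipaddress.ip_network("%s/%s" % (start, value))
            continue
        first = ipaddress.ip_address(start)
        last = first + (int(value) - 1)
        for net in ipaddress.summarize_address_range(first, last):
            yield registry, cc, net


def build_blocklist(text, blocked=BLOCKED_REGISTRIES):
    """Return (ipv4_cidrs, ipv6_cidrs) registered to *blocked* registries,
    merged where adjacent and sorted, as lists of strings."""
    nets = [net for reg, _cc, net in parse_records(text) if reg in blocked]
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return [str(n) for n in v4], [str(n) for n in v6]


def render_nft(v4, v6, allow_v4=(), allow_v6=(), table="geoblock"):
    """Render an nftables ruleset.  Allowed ranges are matched first; the
    'accept' ends evaluation only in this chain, so ordinary filtering in
    other tables on the input hook still sees the packet."""
    def nft_set(name, family, elems):
        body = ["  set %s {" % name, "    type %s" % family, "    flags interval"]
        if elems:                         # nft rejects an empty 'elements = { }'
            body.append("    elements = { %s }" % ", ".join(elems))
        body.append("  }")
        return body

    out = ["table inet %s {" % table]
    out += nft_set("allow4", "ipv4_addr", list(allow_v4))
    out += nft_set("allow6", "ipv6_addr", list(allow_v6))
    out += nft_set("block4", "ipv4_addr", v4)
    out += nft_set("block6", "ipv6_addr", v6)
    out += [
        "  chain input {",
        "    type filter hook input priority -10; policy accept;",
        "    ip saddr @allow4 accept",
        "    ip6 saddr @allow6 accept",
        "    ip saddr @block4 drop",
        "    ip6 saddr @block6 drop",
        "  }",
        "}",
    ]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    v4, v6 = build_blocklist(SAMPLE_DELEGATED)
    # Hypothetical exception: a /24 inside a blocked RIPE range that hosts a
    # cloud service this server must still reach.
    print(render_nft(v4, v6, allow_v4=["185.0.8.0/24"]), end="")
```

In practice the input is each RIR's `delegated-*-extended-latest` file rather than the embedded sample, and the output is loaded with `nft -f`. The `interval` flag is what lets an nftables set hold CIDR ranges; without it the elements would have to be single addresses. The two records for `1.0.0.0/24` and `1.0.1.0/24` in the sample collapse into `1.0.0.0/23`, and the 3072-address RIPE record becomes a /21 plus a /22, which is the case a prefix-length-only converter gets wrong.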
David, et al --

...and then David C. Rankin said...
% On 12/15/22 14:18, David T-G wrote:
% > Speaking of which ... What are folks' favorite malware scanners? Do
% > you favor anything other than (or in addition to) ClamAV? It's probably
% > time I revisited the topic after having been conveniently comfortable
% > for a long time ...
%
% For my servers, since I do no business outside the US, most effective
% defense I've found is just to block RIPE, APNIC and AFRINIC IP blocks.
...
% (Idiot engineers are using proton mail -- that routes mail through Chinese
% servers)

Oooh! Now that's a clever idea. I should look into that more.

%
% Software wise, just ensure you are up to date with your apps, apache, php,
% mariadb, postgres, postfix, dovecot, etc... Keep any public facing web-apps
% up to date as well, groupware, nextcloud, etc.. and make sure the

Yep and yep.

% configurations are no looser than needed for your use and require https-only
% connections and keep your site certificates up to date. (no more self-signed
% certs allowed. "Let's Encrypt" certs are full-chain and free, certbot makes
% it simple to keep them up to date, you can use the same certs for https and
% mail)

Agreed ... I know I need to catch up there :-/

%
% Other than that, in the past, if you accept uploaded content, scanning with
% clamav and occasionally with rkhunter was about all that was available.

Good to know.

%
% Knock on wood. Never infected -- yet...

:-)

%
% --
% David C. Rankin, J.D.,P.E.

Thanks & HANN & HH

:-D

-- 
David T-G
See http://justpickone.org/davidtg/email/
See http://justpickone.org/davidtg/tofu.txt
On 15/12/2022 09.52, David C. Rankin wrote:
All,
Something I hadn't heard of, but worth keeping an eye on:
Courtesy of El Reg -- again...
They don't clearly say how one can get infected.

-- 
Cheers / Saludos,
Carlos E. R.
(from openSUSE 15.4 (Legolas))
From: "Carlos E. R." <robin.listas@telefonica.net> Date: Thu, 15 Dec 2022 22:44:45 +0100 On 15/12/2022 09.52, David C. Rankin wrote:
All,
Something I hadn't heard of, but worth keeping an eye on:
Courtesy of El Reg -- again...
They don't clearly say how one can get infected.

-- 
Cheers / Saludos,
Carlos E. R.

This trendmicro.com article [1] says in the first paragraph:

. . . the routines and chain of events were fairly similar even if it involved different threat actors . . . For more sophisticated threats, we also observed capabilities that allowed it to spread to more devices.

This suggests there are a number of variations with different attack avenues. It also shows some of the code. Disabling curl ought to stop it from downloading its pieces.

-- 
Bob Rogers
http://www.rgrjr.com/

[1] https://www.trendmicro.com/en_us/research/22/l/linux-cryptomining-enhanced-v...
participants (5)
- Bob Rogers
- Carlos E. R.
- David C. Rankin
- David T-G
- J Leslie Turriff