Symbiote - Impossible-to-Detect Linux Threat
All (especially anyone running a server), There apparently is a nasty bit of Linux malware I hadn't been privy to until tonight. The report is: https://www.intezer.com/blog/research/new-linux-threat-symbiote/ The design is incredibly sophisticated, to the point of hooking execve for ldd and scrubbing its own name from the list of shared objects returned. The sticky-wicket is it is hard to discover even if you are looking for it. Worth passing along to put a few more openSUSE eyes smarter than mine on it. -- David C. Rankin, J.D.,P.E.
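A defender-side cross-check added here as an illustration (example code, not from the Intezer report or from anyone on the list): a userland hook that edits what ldd prints can drop a library from ldd's list, but the kernel-maintained /proc/<pid>/maps still enumerates every file mapped into a running process, so the two views can be compared. It assumes the hook does not also filter reads of /proc (the report is not quoted on that here); the ldd and maps samples are constructed and libhidden.so is a placeholder name.

```python
"""Compare the shared objects ldd reports with /proc/<pid>/maps.

Added example for this thread, not from the Intezer report. A hook that
rewrites ldd's output can hide a library, but the kernel still lists every
file mapped into a live process. Assumption: reads of /proc are not hooked.
"""
import os
import subprocess


def parse_ldd(text):
    """Absolute paths of the shared objects that ldd reported."""
    found = set()
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        # "libc.so.6 => /lib64/libc.so.6 (0x...)" or "/lib64/ld-linux... (0x...)"
        path = parts[2] if len(parts) > 2 and parts[1] == "=>" else parts[0]
        if path.startswith("/"):
            found.add(os.path.normpath(path))
    return found


def parse_maps(text):
    """Absolute paths of .so files mapped into the process, per the kernel."""
    found = set()
    for line in text.splitlines():
        parts = line.split(None, 5)
        if len(parts) < 6:
            continue  # anonymous mapping, no backing file
        path = parts[5]
        if path.startswith("/") and ".so" in os.path.basename(path):
            found.add(os.path.normpath(path))
    return found


def unreported_libraries(ldd_text, maps_text, resolve=False):
    """Mapped .so files that ldd did not mention.

    resolve=True compares realpath()s, so /lib64 vs /usr/lib64 symlink
    differences on merged-/usr systems do not produce noise. Legitimate
    dlopen()ed plugins also show up here: treat hits as leads to verify.
    """
    ldd_libs = parse_ldd(ldd_text)
    mapped = parse_maps(maps_text)
    if resolve:
        ldd_libs = {os.path.realpath(p) for p in ldd_libs}
        mapped = {os.path.realpath(p) for p in mapped}
    return mapped - ldd_libs


def check_live_process(pid):
    """Run the comparison against a live process (Linux only, needs privileges)."""
    exe = os.readlink(f"/proc/{pid}/exe")
    ldd = subprocess.run(["ldd", exe], capture_output=True, text=True, check=False)
    with open(f"/proc/{pid}/maps") as fh:
        maps = fh.read()
    return unreported_libraries(ldd.stdout, maps, resolve=True)


# Constructed samples (not real artefacts); libhidden.so is a placeholder.
SAMPLE_LDD = """\
\tlinux-vdso.so.1 (0x00007ffd1a3f0000)
\tlibc.so.6 => /lib64/libc.so.6 (0x00007f2b5e200000)
\t/lib64/ld-linux-x86-64.so.2 (0x00007f2b5e5c0000)
"""
SAMPLE_MAPS = """\
55d3c0a00000-55d3c0a10000 r--p 00000000 fd:01 1234 /usr/bin/example
7f2b5e000000-7f2b5e010000 r--p 00000000 fd:01 5678 /usr/lib64/libhidden.so
7f2b5e200000-7f2b5e220000 r--p 00000000 fd:01 9012 /lib64/libc.so.6
7f2b5e400000-7f2b5e401000 rw-p 00000000 00:00 0
7f2b5e5c0000-7f2b5e5c1000 r--p 00000000 fd:01 3456 /lib64/ld-linux-x86-64.so.2
7ffd1a3f0000-7ffd1a3f2000 r-xp 00000000 00:00 0 [vdso]
"""

if __name__ == "__main__":
    print(unreported_libraries(SAMPLE_LDD, SAMPLE_MAPS))
```

On a live host, run `check_live_process(pid)` against long-running daemons and compare the result with a known-clean machine of the same build, since a single unexplained library is a lead rather than proof.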
On 6/13/22 1:12 AM, David C. Rankin wrote:
All (especially anyone running a server),
There apparently is a nasty bit of Linux malware I hadn't been privy to until tonight. The report is:
https://www.intezer.com/blog/research/new-linux-threat-symbiote/
The design is incredibly sophisticated, to the point of hooking execve for ldd and scrubbing its own name from the list of shared objects returned.
The sticky-wicket is it is hard to discover even if you are looking for it. Worth passing along to put a few more openSUSE eyes smarter than mine on it.
Read the articles, the technical description, how it works, possible means of discovering its existence but nowhere in any of that is any info about how it would get into a machine to infect it in the first place. Any ideas?
On 6/14/22 10:15, Stevens wrote:
Read the articles, the technical description, how it works, possible means of discovering its existence but nowhere in any of that is any info about how it would get into a machine to infect it in the first place.
Any ideas?
Just judging from the masked files list, apache, apache-xyz, certbotX64, Java, etc.., etc.. those looked like likely target vectors, but there wasn't any one file targeted. There was a paragraph in the article talking about submissions to VirusTotal that discussed a list of files where payloads were found. But, unfortunately, that doesn't guarantee that file was the intrusion point. The bigger concern is the compromise of source repositories and packaging files as part of the software supply-chain (like the SolarWinds hack). It is unnerving as hell knowing there are nasties out there that are good enough at hiding you may not notice unless you are checking for DNS packets with encoded payloads. (there just are not a whole lot of orgs that can do security at that level) GitHub has been bit, etc... And I use a good portion of the server files identified (even down to certbot) What that means to me is the malware may get in from anywhere, even through a zypper up. SuSE/openSUSE have always been on top of everything that is detectable -- but this bit of malware sounded really pernicious and damn near undetectable. -- David C. Rankin, J.D.,P.E.
David, et al --

...and then David C. Rankin said...
% ...
%
% What that means to me is the malware may get in from anywhere, even through
% a zypper up. SuSE/openSUSE have always been on top of everything that is
% detectable -- but this bit of malware sounded really pernicious and damn
% near undetectable.

Indeed. Yikes!

Sooooo ... The closest I can think is booting from a known-clean (which is, admitted, perhaps tougher than it sounds!) thumb drive and scanning files. Anyone have any better ideas?

TIA & HAND

:-D

--
David T-G
See http://justpickone.org/davidtg/email/
See http://justpickone.org/davidtg/tofu.txt
On 2022-06-16 05:43, David T-G wrote:
David, et al --
...and then David C. Rankin said... % ... % % What that means to me is the malware may get in from anywhere, even through % a zypper up. SuSE/openSUSE have always been on top of everything that is % detectable -- but this bit of malware sounded really pernicious and damn % near undetectable.
Indeed. Yikes!
Sooooo ... The closest I can think is booting from a known-clean (which is, admitted, perhaps tougher than it sounds!) thumb drive and scanning files. Anyone have any better ideas?
From a CD :-D SCNR -- Cheers / Saludos, Carlos E. R. (from Elesar, using openSUSE Leap 15.3)
Carlos, et al --

...and then Carlos E. R. said...
%
% On 2022-06-16 05:43, David T-G wrote:
% >
% > Sooooo ... The closest I can think is booting from a known-clean (which
% > is, admitted, perhaps tougher than it sounds!) thumb drive and scanning
% > files. Anyone have any better ideas?
%
% From a CD :-D

Well, yes, but which one? How old do I need to go in the stack to ensure that the image didn't come out corrupted and happily hiding the damage?

:-D

--
David T-G
See http://justpickone.org/davidtg/email/
See http://justpickone.org/davidtg/tofu.txt
On Fri, 17 Jun 2022 06:30:01 -0400 David T-G <davidtg-robot@justpickone.org> wrote:
Carlos, et al --
...and then Carlos E. R. said... % % On 2022-06-16 05:43, David T-G wrote: % > % > Sooooo ... The closest I can think is booting from a known-clean (which % > is, admitted, perhaps tougher than it sounds!) thumb drive and scanning % > files. Anyone have any better ideas? % % From a CD :-D
Well, yes, but which one? How old do I need to go in the stack to ensure that the image didn't come out corrupted and happily hiding the damage?
Somewhat related: what do we call clean (I used to say sterile)? Around the turn of the millennium I considered dirty whatever had been in contact either with any network or as little as any device that had been in another machine. Any such exposure would mean that the goods were *infected instead of sterile*, I even thought that THE correct way would be for an OS to run only off a read-only medium with session data only in RAM and saved-out as-per-user needs. This would mean source-code examination, compiling on an unconnected machine, and similarly an entire protected chain.
On 6/17/22 05:58, bent fender wrote:
On Fri, 17 Jun 2022 06:30:01 -0400 David T-G <davidtg-robot@justpickone.org> wrote:
Carlos, et al --
...and then Carlos E. R. said... % % On 2022-06-16 05:43, David T-G wrote: % > % > Sooooo ... The closest I can think is booting from a known-clean (which % > is, admitted, perhaps tougher than it sounds!) thumb drive and scanning % > files. Anyone have any better ideas? % % From a CD :-D
Well, yes, but which one? How old do I need to go in the stack to ensure that the image didn't come out corrupted and happily hiding the damage? Somewhat related: what do we call clean (I used to say sterile)?
Around the turn of the millennium I considered dirty whatever had been in contact either with any network or as little as any device that had been in another machine. Any such exposure would mean that the goods were *infected instead of sterile*, I even thought that THE correct way would be for an OS to run only off a read-only medium with session data only in RAM and saved-out as-per-user needs. This would mean source-code examination, compiling on an unconnected machine, and similarly an entire protected chain.

OH. You mean back when computers didn't have hard drives and everything was on floppies. Boot the machine from a floppy. Run each program [ only one at a time ] from its own floppy and save any output to another floppy.

I remember my old Leading Edge 486 SX25 very fondly. Started out life with two five inch floppy drives which I soon upgraded to one five inch and one three point five. Mostly after I upgraded it to a 486DX75 and overclocked it to 100, added an ID card with the cable leading out the back to an old Apple SCSI box with a hard drive [ I think it was a 40 meg hard drive ] in it and a Rampat board with 100 meg memory. Onboard memory was maxed out at 64 meg. Had my BAT file set up to load anything I wanted to run off the hard drive onto the Rampat board and execute it from there using it as a "solid state hard drive" when closing it would save any "data" back to the hard drive and delete the program from the Rampat board and go back to waiting for my next instruction. Had a very large and intricate BAT file. Those were the "good ol' days of computing".

GAWD, I am so glad we don't have to go through that any more. And, yes, I had a solid state drive back in DOS days. Still got the board somewhere.

-- Women and cats will do just as they please. Men and dogs should just get used to the idea.
On Fri, 17 Jun 2022 06:51:15 -0500 Bill Walsh <Bill@kctu.com> wrote:
On 6/17/22 05:58, bent fender wrote:
On Fri, 17 Jun 2022 06:30:01 -0400 David T-G <davidtg-robot@justpickone.org> wrote:
Carlos, et al --
...and then Carlos E. R. said... % % On 2022-06-16 05:43, David T-G wrote: % > % > Sooooo ... The closest I can think is booting from a known-clean (which % > is, admitted, perhaps tougher than it sounds!) thumb drive and scanning % > files. Anyone have any better ideas? % % From a CD :-D
Well, yes, but which one? How old do I need to go in the stack to ensure that the image didn't come out corrupted and happily hiding the damage? Somewhat related: what do we call clean (I used to say sterile)?
Around the turn of the millennium I considered dirty whatever had been in contact either with any network or as little as any device that had been in another machine. Any such exposure would mean that the goods were *infected instead of sterile*, I even thought that THE correct way would be for an OS to run only off a read-only medium with session data only in RAM and saved-out as-per-user needs. This would mean source-code examination, compiling on an unconnected machine, and similarly an entire protected chain.

OH. You mean back when computers didn't have hard drives and everything was on floppies. Boot the machine from a floppy. Run each program [ only one at a time ] from its own floppy and save any output to another floppy.

I remember my old Leading Edge 486 SX25 very fondly. Started out life with two five inch floppy drives which I soon upgraded to one five inch and one three point five. Mostly after I upgraded it to a 486DX75 and overclocked it to 100, added an ID card with the cable leading out the back to an old Apple SCSI box with a hard drive [ I think it was a 40 meg hard drive ] in it and a Rampat board with 100 meg memory. Onboard memory was maxed out at 64 meg. Had my BAT file set up to load anything I wanted to run off the hard drive onto the Rampat board and execute it from there using it as a "solid state hard drive" when closing it would save any "data" back to the hard drive and delete the program from the Rampat board and go back to waiting for my next instruction. Had a very large and intricate BAT file. Those were the "good ol' days of computing".

GAWD, I am so glad we don't have to go through that any more. And, yes, I had a solid state drive back in DOS days. Still got the board somewhere.
-- Women and cats will do just as they please. Men and dogs should just get used to the idea.
My 1st Amiga had no HD either, I remember installing some WordPerfect suite from 46 floppies, couldn't feel my arm anymore! But I still think that a read-only OS is the way to go (IF you want security), acting somewhat like the window on a slide rule with the data moving through but the window being read-only.

-- Oh Lord of the Keyrings on high, have I got bad news for you: the word trust is nowhere to be found in my security dictionary.
On 6/17/22 06:51, Bill Walsh wrote:
I remember my old Leading Edge 486 SX25 very fondly. Started out life with two five inch floppy drives which I soon upgraded to one five inch and one three point five. Mostly after I upgraded it to a 486DX75 and overclocked it to 100, added an ID card with the cable leading out the back to an old Apple SCSI box with a hard drive [ I think it was a 40 meg hard drive ] in it and a Rampat board with 100 meg memory. Onboard memory was maxed out at 64 meg. Had my BAT file set up to load anything I wanted to run off the hard drive onto the Rampat board and execute it from there using it as a "solid state hard drive" when closing it would save any "data" back to the hard drive and delete the program from the Rampat board and go back to waiting for my next instruction. Had a very large and intricate BAT file. Those were the "good ol' days of computing".
GAWD, I am so glad we don't have to go through that any more. And, yes, I had a solid state drive back in DOS days. Still got the board somewhere.
In the late 80's when I started with NASA we still had old 8088s with no hard drives and dual 8" floppy drives. That worked well, your system disk in one floppy drive and your application/data disk in the other. But .... there were about 30% of them with only 1 floppy drive and hell has no torment like running a fairly large application in only one floppy drive:

a) boot with system disk
b) swap disks and launch application
c) a write or other I/O operation is requested that can only be filled by system disk
d) swap disks and wait for write to complete
e) swap disks and wait for application to continue

... repeat 100 times and pray an unreadable sector error didn't pop up on one of the floppy disks...

Nothing in my scrap pile older than a 386/33 with Math Coprocessor, a couple of 20M RLL/MFM hard drives - and even those were more challenging than productive -- but they sure were a lot of fun. 1200 baud modem and all!

-- David C. Rankin, J.D.,P.E.
David, et al --

...and then David C. Rankin said...
% ...
% Nothing in my scrap pile older than a 386/33 with Math Coprocessor, a couple
% of 20M RLL/MFM hard drives - and even those were more challenging than
% productive -- but they sure were a lot of fun. 1200 baud modem and all!

I remember when I finally hit "fast" (9600 or 19200, I think) and couldn't quite keep up with the text loading onto the screen any more. Wow! More data than I could read in real time on my Hercules monitor? I WAS FLYING! :-)

HANW

:-D

--
David T-G
See http://justpickone.org/davidtg/email/
See http://justpickone.org/davidtg/tofu.txt
On 2022-06-17 05:58:21 bent fender wrote:
|On Fri, 17 Jun 2022 06:30:01 -0400
|
|David T-G <davidtg-robot@justpickone.org> wrote:
|> Carlos, et al --
|>
|> ...and then Carlos E. R. said...
|> %
|> % On 2022-06-16 05:43, David T-G wrote:
|> % >
|> % > Sooooo ... The closest I can think is booting from a known-clean
|> (which % > is, admitted, perhaps tougher than it sounds!) thumb drive
|> and scanning % > files. Anyone have any better ideas?
|> %
|> % From a CD :-D
|>
|> Well, yes, but which one? How old do I need to go in the stack to
|> ensure that the image didn't come out corrupted and happily hiding the
|> damage?
|
|Somewhat related: what do we call clean (I used to say sterile)?
|
|Around the turn of the millennium I considered dirty whatever had been in
| contact either with any network or as little as any device that had been
| in another machine. Any such exposure would mean that the goods were
| *infected instead of sterile*, I even thought that THE correct way
| would be for an OS to run only off a read-only medium with session data
| only in RAM and saved-out as-per-user needs. This would mean source-code
| examination, compiling on an unconnected machine, and similarly an
| entire protected chain.

Once upon a time we could buy pre-burned installation CDs from openSUSE; that's how I installed my first three or four releases. One might think that they would be (at least relatively) 'sterile'. I don't suppose that option is still available.

Leslie

--
Operating System: Linux
Distribution: openSUSE Leap 15.4 x86_64
Desktop Environment: Trinity
Qt: 3.5.0
TDE: R14.0.12
tde-config: 1.0
On 2022-06-17 12:30, David T-G wrote:
Carlos, et al --
...and then Carlos E. R. said... % % On 2022-06-16 05:43, David T-G wrote: % > % > Sooooo ... The closest I can think is booting from a known-clean (which % > is, admitted, perhaps tougher than it sounds!) thumb drive and scanning % > files. Anyone have any better ideas? % % From a CD :-D
Well, yes, but which one? How old do I need to go in the stack to ensure that the image didn't come out corrupted and happily hiding the damage?
:-D
Well, the CD has a self-check feature that, IIRC, runs directly from the boot menu. I wonder if they can crack that too. Otherwise, you might perhaps boot a very old rescue system on CD, and from that, checksum a modern CD, if it can run with the first CD removed.

-- Cheers / Saludos, Carlos E. R. (from Elesar, using openSUSE Leap 15.3)
On Sat, 18 Jun 2022 17:40:16 +0200 "Carlos E. R." <robin.listas@telefonica.net> wrote:
On 2022-06-17 12:30, David T-G wrote:
Carlos, et al --
...and then Carlos E. R. said... % % On 2022-06-16 05:43, David T-G wrote: % > % > Sooooo ... The closest I can think is booting from a known-clean (which % > is, admitted, perhaps tougher than it sounds!) thumb drive and scanning % > files. Anyone have any better ideas? % % From a CD :-D
Well, yes, but which one? How old do I need to go in the stack to ensure that the image didn't come out corrupted and happily hiding the damage?
:-D
Well, the CD has a self-check feature that, IIRC, runs directly from the boot menu. I wonder if they can crack that too.
I think that David's point was that SUSE or openSUSE might already have been infected by Symbiote so everything it/they have been producing since Symbiote was first written might already include Symbiote if it was not detectable. Checksums etc would be correct including it.
Otherwise, you might perhaps boot a very old rescue system in CD, and from that, checksum a modern CD, if it can run with the first CD removed.
Again the checksum would be valid but Symbiote might be included. You need a known clean system (i.e. one supplied before Symbiote was written) to scan all the directories and files in any newer system.
On 2022-06-18 18:33, Dave Howorth wrote:
On Sat, 18 Jun 2022 17:40:16 +0200 "Carlos E. R." <> wrote:
On 2022-06-17 12:30, David T-G wrote:
Carlos, et al -- ...and then Carlos E. R. said... % On 2022-06-16 05:43, David T-G wrote:
...
Well, the CD has a self-check feature that, IIRC, runs directly from the boot menu. I wonder if they can crack that too.
I think that David's point was that SUSE or openSUSE might already have been infected by Symbiote so everything it/they have been producing since Symbiote was first written might already include Symbiote if it was not detectable. Checksums etc would be correct including it.
Ah, ok, I see. -- Cheers / Saludos, Carlos E. R. (from Elesar, using openSUSE Leap 15.3)
Dave, et al --

...and then Dave Howorth said...
%
% On Sat, 18 Jun 2022 17:40:16 +0200
% "Carlos E. R." <robin.listas@telefonica.net> wrote:
%
% > On 2022-06-17 12:30, David T-G wrote:
% > > Carlos, et al --
% > >
% > > Well, yes, but which one? How old do I need to go in the stack to
% > > ensure that the image didn't come out corrupted and happily hiding
% > > the damage?
% >
% > Well, the CD has a self-check feature that, IIRC, runs directly from
% > the boot menu. I wonder if they can crack that too.
%
% I think that David's point was that SUSE or openSUSE might already have
% been infected by Symbiote so everything it/they have been producing
% since Symbiote was first written might already include Symbiote if it
% was not detectable. Checksums etc would be correct including it.
[snip]

Exactly. Thanks, Dave. Yes, the questions are 1) how old is this thing and thus how far back do we suspect our media, and 2) how does one check for it anyway?

HANW

:-D

--
David T-G
See http://justpickone.org/davidtg/email/
See http://justpickone.org/davidtg/tofu.txt
On Thursday, 16 June 2022 1:13:37 PM ACST David T-G wrote:
David, et al --
...and then David C. Rankin said... % ... % % What that means to me is the malware may get in from anywhere, even through % a zypper up. SuSE/openSUSE have always been on top of everything that is % detectable -- but this bit of malware sounded really pernicious and damn % near undetectable.
Indeed. Yikes!
Sooooo ... The closest I can think is booting from a known-clean (which is, admitted, perhaps tougher than it sounds!) thumb drive and scanning files. Anyone have any better ideas?
TIA & HAND
:-D
I have the advantage that my home VDSL router is a Cisco device that supports netflow, and I have (or had, until the SD Card in the Rpi running it died) an ntopng instance capturing that netflow data (I need to get that setup again asap). That means I can capture and analyse all flows passing through the router without them being filtered by the malware (as long as the ntopng box itself remains clean, at least, and it can run with a read-only root filesystem).

If you don't have a network device (switch/router/firewall) that supports netflow, then it looks like it would be a lot harder, especially if trying to capture/monitor network traffic on an already-infected machine.

--
Rodney Baker
rodney.baker@iinet.net.au
On Fri, 17 Jun 2022 22:15:34 +0930 Rodney Baker <rodney.baker@iinet.net.au> wrote:
On Thursday, 16 June 2022 1:13:37 PM ACST David T-G wrote:
David, et al --
...and then David C. Rankin said... % ... % % What that means to me is the malware may get in from anywhere, even through % a zypper up. SuSE/openSUSE have always been on top of everything that is % detectable -- but this bit of malware sounded really pernicious and damn % near undetectable.
Indeed. Yikes!
Sooooo ... The closest I can think is booting from a known-clean (which is, admitted, perhaps tougher than it sounds!) thumb drive and scanning files. Anyone have any better ideas?
TIA & HAND
:-D
I have the advantage that my home VDSL router is a Cisco device that supports netflow, and I have (or had, until the SD Card in the Rpi running it died) an ntopng instance capturing that netflow data (I need to get that setup again asap). That means I can capture and analyse all flows passing through the router without them being filtered by the malware (as long as the ntopng box itself remains clean, at least, and it can run with a read-only root filesystem).
If you don't have a network device (switch/router/firewall) that supports netflow, then it looks like it would be a lot harder, especially if trying to capture/monitor network traffic on an already-infected machine.
Looks like BSD runs standards-based equivalent functionality (IPFIX) according to Wikipedia at least. Dunno about Linux.
Am Montag, 13. Juni 2022, 08:12:50 CEST schrieb David C. Rankin:
https://www.intezer.com/blog/research/new-linux-threat-symbiote/
That is so far the ONLY article talking about it - everything else you find with google is: 1. just quoting them 2. not on any news page that is actually known for having any kind of in-depth security and/or linux knowledge... Personally I'll start getting nervous about it once I get an actual CERT advisory, BSI advisory or an article on heise security that isn't just repeating the initial blogpost ... which after all was on a webpage of a company that sells software that claims to detect that kind of stuff. Cheers MH -- Mathias Homann Mathias.Homann@openSUSE.org Jabber (XMPP): lemmy@tuxonline.tech Matrix: @mathias:eregion.de IRC: [Lemmy] on freenode and ircnet (bouncer active) keybase: https://keybase.io/lemmy gpg key fingerprint: 8029 2240 F4DD 7776 E7D2 C042 6B8E 029E 13F2 C102