Stealthy 'sedexp' Linux malware evaded detection for two years https://www.bleepingcomputer.com/news/security/stealthy-sedexp-linux-malware...
On 8/24/24 10:55 PM, Fred via openSUSE Users wrote:
Stealthy 'sedexp' Linux malware evaded detection for two years
https://www.bleepingcomputer.com/news/security/stealthy-sedexp-linux-malware...
Interesting:
[Researchers] found it present in many online sandboxes and without being detected (on VirusTotal only two antivirus engines flag as malicious the three sedexp samples available in the report).
(shortened URL)
https://www.bleepingcomputer.com/news/security/stealthy-sedexp-linux-malware...

They would have to have compromised the individual machines, or supply-chain, to get the rules into /etc/udev or /lib/udev.

I'm always a bit skeptical about "security research groups" that publish findings without any actual hard information on the extent it is seen in the wild or without detection and mitigation instructions. Almost seems like an Ad for Aon security services, but then I'm just cynical...

--
David C. Rankin, J.D.,P.E.
On 2024-08-25 06:41, David C. Rankin wrote:
On 8/24/24 10:55 PM, Fred via openSUSE Users wrote:
Interesting:
[Researchers] found it present in many online sandboxes and without being detected (on VirusTotal only two antivirus engines flag as malicious the three sedexp samples available in the report).
(shortened URL)
https://www.bleepingcomputer.com/news/security/stealthy-sedexp-linux-malware...
Once known, this command should detect it:

grep asedexpb /etc/udev/rules.d/* ; grep asedexpb /usr/lib/udev/rules.d/*

--
Cheers / Saludos,
Carlos E. R.
(from 15.5 x86_64 at Telcontar)
On 8/25/24 7:55 AM, Carlos E. R. wrote:
Once known, this command should detect it:
grep asedexpb /etc/udev/rules.d/* ; grep asedexpb /usr/lib/udev/rules.d/*
I used:

grep sedexp /etc/udev/rules.d/* ; grep sedexp /usr/lib/udev/rules.d/*

Just to be sure :)

--
David C. Rankin, J.D.,P.E.
On Aug 25, 2024, at 8:20 PM, David C. Rankin <drankinatty@gmail.com> wrote:
On 8/25/24 7:55 AM, Carlos E. R. wrote:
Once known, this command should detect it:
grep asedexpb /etc/udev/rules.d/* ; grep asedexpb /usr/lib/udev/rules.d/*
I used:
grep sedexp /etc/udev/rules.d/* ; grep sedexp /usr/lib/udev/rules.d/*
Just to be sure :)
why not grep sedexp -r /{etc,usr/lib}/udev/rules.d
On 8/25/24 8:29 PM, tabris@tabris.net wrote:
Once known, this command should detect it:
grep asedexpb /etc/udev/rules.d/* ; grep asedexpb /usr/lib/udev/rules.d/*
I used:
grep sedexp /etc/udev/rules.d/* ; grep sedexp /usr/lib/udev/rules.d/*
Just to be sure :)
why not grep sedexp -r /{etc,usr/lib}/udev/rules.d
(because I was lazy and used the select-buffer to copy Carlos' suggestion :)

--
David C. Rankin, J.D.,P.E.
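A slightly more robust version of the checks traded in this sub-thread, added here as an example and not a command any of the posters ran: it walks every standard udev rules directory (including /run/udev/rules.d and /usr/local/lib/udev/rules.d, which the one-liners skip), recurses into subdirectories, skips directories that do not exist instead of spewing grep errors, and reports file:line for each hit. The rules tree it scans in demo_scan is constructed in a temporary directory; the indicator string is the one from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): scan udev rule directories for an
# indicator string such as "sedexp" and report FILE:LINENO:TEXT.

udev_rule_dirs() {
    # Standard udev rule locations; /etc overrides /run overrides /usr/lib.
    printf '%s\n' /etc/udev/rules.d /run/udev/rules.d \
        /usr/local/lib/udev/rules.d /usr/lib/udev/rules.d /lib/udev/rules.d
}

# scan_udev_rules PATTERN [DIR...]
# Returns 0 if at least one match was found, 1 if none (or no dirs exist).
scan_udev_rules() {
    pattern=$1; shift
    found=1
    if [ $# -eq 0 ]; then
        set -- $(udev_rule_dirs)     # no brace expansion needed: POSIX sh safe
    fi
    for d in "$@"; do
        [ -d "$d" ] || continue      # silently skip absent directories
        # -r recurse, -i case-insensitive, -n line numbers,
        # -s no "No such file"/"Permission denied" noise, -- ends options
        if grep -rins -- "$pattern" "$d"; then
            found=0
        fi
    done
    return $found
}

# Constructed demo: one benign rule plus one planted rule file that contains
# the "asedexpb" marker quoted in the thread. Prints the number of hits.
demo_scan() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/etc/udev/rules.d" "$tmp/usr/lib/udev/rules.d"
    printf 'SUBSYSTEM=="net", ACTION=="add", NAME="eth0"\n' \
        > "$tmp/usr/lib/udev/rules.d/70-persistent-net.rules"
    printf 'ACTION=="add", RUN+="/constructed/path/asedexpb"\n' \
        > "$tmp/etc/udev/rules.d/99-constructed-sample.rules"
    scan_udev_rules sedexp "$tmp/etc/udev/rules.d" "$tmp/usr/lib/udev/rules.d" \
        | wc -l | tr -d ' '
    rm -rf "$tmp"
}
```

Note that the brace form /{etc,usr/lib}/udev/rules.d suggested above relies on bash or zsh brace expansion and is passed through literally by a POSIX sh such as dash, so a cron job or script using it may silently search nothing.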
Hello,

In the Message;
Subject : sedexp linux malware
Message-ID : <222684713.642675.1724558114729@mail.yahoo.com>
Date & Time: Sun, 25 Aug 2024 03:55:14 +0000 (UTC)

Fred via openSUSE Users <users@lists.opensuse.org> has written:
Stealthy 'sedexp' Linux malware evaded detection for two years
https://www.bleepingcomputer.com/news/security/stealthy-sedexp-linux-malware...
In the Message;
Subject : Re: sedexp linux malware
Message-ID : <0863c819-0155-4d58-bf74-25ba5c792285@telefonica.net>
Date & Time: Sun, 25 Aug 2024 14:55:51 +0200

"Carlos E. R." <robin.listas@telefonica.net> has written:
[...]
Once known, this command should detect it:
grep asedexpb /etc/udev/rules.d/* ; grep asedexpb /usr/lib/udev/rules.d/*
In the Message;
Subject : Re: sedexp linux malware
Message-ID : <8956EE82-8E8D-4CE3-A8C0-2CC5A0994EA3@tabris.net>
Date & Time: Sun, 25 Aug 2024 21:29:30 -0400

tabris@tabris.net has written:
On Aug 25, 2024, at 8:20 PM, David C. Rankin <drankinatty@gmail.com> wrote:
[...]
why not grep sedexp -r /{etc,usr/lib}/udev/rules.d
Many thanks, all.

The point is to close the vulnerability, but there is also this scary news;
https://www.safebreach.com/blog/downgrade-attacks-using-windows-updates/

Best Regards.

---
┏━━┓彡 Masaru Nomiya mail-to: nomiya @ lake.dti.ne.jp
┃\/彡
┗━━┛ "To hire for skills, firms will need to implement robust and intentional changes in their hiring practices — and change is hard."
-- Employers don't practice what they preach on skills-based hiring --
On 8/25/24 11:38 PM, Masaru Nomiya wrote:
Many thanks, all.
The point is to close the vulnerability, but there is also this scary news;
https://www.safebreach.com/blog/downgrade-attacks-using-windows-updates/
Yep Masaru,

I read that in an article on The Register, and was very glad I wasn't using windows. That attack-vector (security nerd term -- I guess) is particularly severe. By using windows roll-back itself, apparently you evade all of the windows security by design. Roll-back essentially isn't checked and allows reset of the security info contained in the files. The nefarious earthworm installs malware that way and has windows essentially bless the file(s), deeming the files Okay.....

That will take some serious thought to fix. Glad it wasn't a btrfs roll-back attack!

--
David C. Rankin, J.D.,P.E.
Hello,

In the Message;
Subject : Re: sedexp linux malware
Message-ID : <a76308b8-e61e-4f98-84a0-264ce97f18ba@gmail.com>
Date & Time: Mon, 26 Aug 2024 01:00:34 -0500

[DCR] == "David C. Rankin" <drankinatty@gmail.com> has written:

DCR> On 8/25/24 11:38 PM, Masaru Nomiya wrote:
MN> > Many thanks, all.
MN> > The point is to close the vulnerability, but there is also this scary
MN> > news;
MN> > https://www.safebreach.com/blog/downgrade-attacks-using-windows-updates/
DCR> Yep Masaru,
DCR> I read that in an article on The Register, and was very glad I
DCR> wasn't using windows.
[...]
DCR> That will take some serious thought to fix. Glad it wasn't a
DCR> btrfs roll-back attack!

In Japan, there is a word of admonition: the same thing that happens to someone else can happen to you in the future.

Best Regards & Good Night.

---
┏━━┓彡 Masaru Nomiya mail-to: nomiya @ lake.dti.ne.jp
┃\/彡
┗━━┛ "Microsoft is overhauling its cybersecurity strategy, called the Secure Future Initiative, to incorporate key security features into its core set of technology platforms and cloud services."
-- Microsoft overhauls cyber strategy to finally embrace security by default --