  • New Linux crypto-miner steals root password, disables antivirus

    #235390

    New Linux crypto-miner steals your root password and disables your antivirus

    Trojan also installs a rootkit and another strain of malware that can execute DDoS attacks.

By Catalin Cimpanu | November 23, 2018

Malware targeting Linux users may not be as widespread as the strains targeting the Windows ecosystem, but Linux malware is becoming just as complex and multi-functional as time passes by.

    The latest example of this trend is a new trojan discovered this month by Russian antivirus maker Dr.Web. This new malware strain doesn’t have a distinctive name, yet, being only tracked under its generic detection name of Linux.BtcMine.174.

But despite the generic name, the trojan is a little bit more complex than most Linux malware, mainly because of the plethora of malicious features it includes.

Read the full article here

    6 users thanked author for this post.
    • #235539

      It should not be a big concern for people with even somewhat up-to-date systems.  I’d guess this one is a bigger threat to routers and IoT devices that run Linux but often do not get updated.

      For Ubuntu-based desktops:

      “Dirty Cow” vulnerability patched within hours in Ubuntu (in 2016)

CVE-2013-2094 applies to kernel versions prior to 3.8.9 (2013)

In order for this even to be an issue, it first has to be run on the system that is to be infected, and from there it will attempt to spread.  It looks like this is mainly done through SSH (secure shell) credentials that are stored on the “patient zero” infected PC, which can then execute code on the remote machine (by design; it’s one of the things SSH is meant to do).

      If no infected PC has the stored credentials to SSH into your PC, it looks like this SSH vector isn’t going to happen.  Given that no PC has credentials to SSH into my PC at all, I think I’m good here.  It seems like this is a malware that is rather self-limiting in that it cannot easily spread unless it is in an environment where SSHing into other PCs or devices and storing credentials is commonplace.

      Of course, there is always the possibility of a miscreant getting the victim to voluntarily run the malicious script on his own PC through social engineering. The usual precautions about software and knowing where it’s coming from apply just as they do in Windows.  Don’t run things sent to you in email or from sites whose origin can’t be validated.  (Not that there is any word yet of this malware being spread this way.)

The thing about it terminating known antimalware process names makes me wonder.  Back when I first got my Android tablet, I installed one of the antivirus programs on it, and it gave me the choice of a bunch of randomly chosen, often whimsical multi-word names for the antimalware process.  I’ve wondered why this practice isn’t commonly used otherwise.

      Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon
      Dell G3 15/3579, i7-8750H/16GB, KDE Neon
      Asus P8P67 Deluxe, i5-2500k/16GB, KDE Neon

      1 user thanked author for this post.
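The post above turns on one point: the trojan can only hop to another machine if the infected host already holds SSH credentials that reach it. The check a practitioner would want is therefore an audit of exactly that material on each host: private keys stored without a passphrase (usable by anything that can read the file) and unhashed known_hosts entries (which tell an intruder where those keys have been used). The script below is an added example written for this thread, not code from the article, Dr.Web or AskWoody; the key blobs and known_hosts lines it checks are constructed samples, and the file paths in the audit call are hypothetical.

```python
"""Audit stored SSH credentials that a compromised host could reuse to reach
other machines. Example code added to this thread; all sample data below is
constructed, not taken from the article or from any real host."""
import base64
import re
import struct
from typing import Dict, List, Tuple

OPENSSH_MAGIC = b"openssh-key-v1\x00"
OPENSSH_BLOCK = re.compile(
    r"-----BEGIN OPENSSH PRIVATE KEY-----(.*?)-----END OPENSSH PRIVATE KEY-----", re.S)


def openssh_key_cipher(pem_text: str) -> str:
    """Return the cipher name recorded in a private key file.

    In the openssh-key-v1 format the first field after the magic string is the
    cipher used to encrypt the key; "none" means no passphrase at all.
    Legacy PEM keys instead carry a 'Proc-Type: 4,ENCRYPTED' header when they
    are passphrase-protected.
    """
    if "Proc-Type: 4,ENCRYPTED" in pem_text:
        return "pem-encrypted"
    m = OPENSSH_BLOCK.search(pem_text)
    if not m:
        return "pem-unencrypted"  # legacy PEM key with no ENCRYPTED header
    blob = base64.b64decode("".join(m.group(1).split()))
    if not blob.startswith(OPENSSH_MAGIC):
        raise ValueError("not an openssh-key-v1 blob")
    off = len(OPENSSH_MAGIC)
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n].decode("ascii")


def key_is_protected(pem_text: str) -> bool:
    """True when the key cannot be used without a passphrase."""
    return openssh_key_cipher(pem_text) not in ("none", "pem-unencrypted")


def known_hosts_report(text: str) -> List[Tuple[str, bool]]:
    """Return (host field, hashed?) for each known_hosts entry.

    Hashed entries start with '|1|' (HashKnownHosts yes in ssh_config);
    plain entries name the host outright.
    """
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # '@cert-authority' / '@revoked' markers shift the host field by one
        host = fields[1] if fields[0].startswith("@") else fields[0]
        out.append((host, host.startswith("|1|")))
    return out


def audit(keys: Dict[str, str], known_hosts: str) -> List[str]:
    """Combine both checks into a list of findings for one host."""
    findings = []
    for path, text in keys.items():
        if not key_is_protected(text):
            findings.append(f"{path}: private key stored without a passphrase")
    for host, hashed in known_hosts_report(known_hosts):
        if not hashed:
            findings.append(f"known_hosts: plaintext host entry {host}")
    return findings


def _sample_openssh_key(cipher: bytes) -> str:
    """Constructed sample: only the header of an openssh-key-v1 blob, padded
    with zeros. It is enough for the cipher check and is not a usable key."""
    body = OPENSSH_MAGIC + struct.pack(">I", len(cipher)) + cipher + b"\x00" * 16
    b64 = base64.b64encode(body).decode("ascii")
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + b64 +
            "\n-----END OPENSSH PRIVATE KEY-----\n")


SAMPLE_UNPROTECTED_KEY = _sample_openssh_key(b"none")
SAMPLE_PROTECTED_KEY = _sample_openssh_key(b"aes256-ctr")
SAMPLE_KNOWN_HOSTS = """# constructed sample known_hosts
build01.example.internal ssh-ed25519 AAAAC3SAMPLEKEYDATA
|1|SAMPLESALT|SAMPLEHASH ssh-ed25519 AAAAC3SAMPLEKEYDATA
"""

if __name__ == "__main__":
    # Hypothetical paths; on a real host you would read ~/.ssh/* instead.
    for line in audit({"/home/user/.ssh/id_ed25519": SAMPLE_UNPROTECTED_KEY,
                       "/home/user/.ssh/id_backup": SAMPLE_PROTECTED_KEY},
                      SAMPLE_KNOWN_HOSTS):
        print(line)
```

Run against a real home directory, the two findings are the ones worth acting on: put a passphrase on the key (ssh-keygen -p) and use an agent, and set HashKnownHosts yes so new entries stop advertising where the key has been used. Neither stops a script the user runs by hand, which is the social-engineering path the post also mentions, but both take away the "stored credentials" this trojan relies on to spread.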
      • #235541

        I installed one of the antivirus programs on it, and it gave me the choice of a bunch of randomly chosen, often whimsical multi-word names for the antimalware process.  I’ve wondered why this practice isn’t commonly used otherwise.

If you were not able to reason that out or know it was normal program behavior, a user might get panicked about the strange process names.

        • #235547

          I’m not so sure.  Hopefully, the user would remember having selected the name in question.  It would be a simple thing to include a reminder on the antimalware UI to that effect, so that the person sees it every time he interacts with the antimalware product.

          Besides, there are already lots of processes running that don’t have names that immediately indicate what they do in a plain Windows or Linux installation (especially Linux, with its penchant for silly process names like “whoopsie”).  This list of unknown processes just gets larger as more and more stuff gets installed. I can’t even count the number of times I have seen things with strange names running in Windows over the years, and they’ve always proven to be something that belongs there, never malware.

          Is the risk of people wrongfully panicking really worth accepting the risk of malware knowing that there is antimalware software running, and also knowing which exact product it is?  It’s relatively simple to scan running processes for a handful of known filenames.  Blocking that by using a non-recognizable filename would require considerably more complex and costly (in terms of code size) methods to accomplish the same thing.

          Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon
          Dell G3 15/3579, i7-8750H/16GB, KDE Neon
          Asus P8P67 Deluxe, i5-2500k/16GB, KDE Neon

          • #235548

            That would be fine if users were told what they may see, like people that use GMER or other rootkit detection tools are sometimes told to rename the file before saving and using the tool.
