28 comments

[ 2.2 ms ] story [ 72.7 ms ] thread
Exactly how is this being executed on Linux systems?

Dr Web are selling anti-virus. I'd like more info on how it infects systems.

Edit: You know, this is really ONLY being reported by Dr Web. Funny that.

So nice that they fix this issue for all Linux users in the form of a 370 MB binary. Totally not suspicious.
We could try to get Linus to care more about the security of the kernel, but that's an impossible task, so I guess Linux users should soon start using anti-viruses, too.
I have to say, I'm surprised this didn't happen a lot sooner. While there aren't as many linux systems that won't have backups, there are a lot of very valuable systems out there, and some percentage of them must not have backups.
No information on how it spreads?

"Once launched with administrator privileges, the Trojan loads into the memory of its process files containing cybercriminals' demands"

This sounds like it needs to run as root, is there any vulnerability involved and do I need to patch things?

Is it just a particularly crazy spam campaign that would somehow trick "website administrators" into running malware as root on their servers?

I would guess it's privilege escalation (or that it logs in as a user and only affects that user's files)
According to Dr. Web, it spreads through USB disks and the internet, and Dr. Web has great solution to that problem:

"Dr.Web Office Control access restriction system: Restricts or completely prohibits access to Internet resources and removable devices, and therefore, excludes the possibility of a virus invading via those sources."

"Users should only have access to the local resources they require to perform their jobs. It's no use trying to convince staff that flash drives are dangerous. It is much easier to centrally disable access to such devices."

> No information on how it spreads?

If they are clever they would attack via wordpress and other systems that are unpatched and give shell access.

> No information on how it spreads?

If they are clever they would attack via wordpress and other systems that are unpatched and give shell access.

On one hand there are many open source software that are installed by piping a file into sudo; on the other the upside of open source is the ability to trace who tricked you into running that command.
"Once launched with administrator privileges" which is very difficult unless the soft goes out of its way to ask, and most open source software doesn't ask
It is somewhat suspicious that their screenshot of the alleged ransom file appears to be taken from Notepad++, a text editor available only on Windows.
This, combined with the fact that so far only Dr. Web is reporting on it, makes it appear suspect.

Besides, once someone has root access to your *nix server, or at least privilege escalation (either of which would be required for this exploit to work), they already own you and can do whatever they want anyway. If you have a good backup scheme in place this is little more than a headache and a few hours of work to recover from. The only way I see this being a catastrophic exploit is if you end up with it on your home box with no offsite or air gapped backup. This holds true for Windows based ransomware attacks that do actually exist; nothing about this is unique, if it's even real.

(comment deleted)
1) Flatten the server/VM/whatever 2) Load the last clean backup image 3) Apply updates made since the last backup 5) Carry on .... You do have back ups don't you? You do develop off-line and push deployments to servers don't you? No? Then remember to renew the notice in the front window of your house telling the potential burglars you didn't lock the place up and there all the valuable are stored.
Not sure why this made it on the HN frontpage.

It seems its lacking any relevant information and is mostly some marketing for an antivirus vendor that tries to tell Linux users they need antiviruses, too.

I just tried to look it up. Turns out the only announcements are from Dr. Web, a "famous" antivirus vendor, and techcrunch.com which quotes Dr. Web's announcement.

No word on how it spreads. Also, unsurprisingly:

> Once launched with administrator privileges, etc.

If you do that, you kind of deserve to get infected...

Exactly that.

> Doctor Web security researchers presume that at least tens of users have already fallen victim to this Trojan.

"presume" .. tens of users ..

Right, a bit more details on the infection vector would have helped to properly validate the concerns. But when you start presuming and pull numbers out of a high hat I'm almost ready to discard it.

The only thing we know now is that "something" needs to be run with admin privileges.

Just make sure your backups are OK.

Unlike a lot of other malware out there, crypto lockers don't require privlidge escalation to be effective.

Got to hand it to them, its actually a pretty cool attack vector.

A lot of attacks don't require root/admin to be effective. Some Key stroke loggers run entirely in user space.

    edit: https://github.com/w8rbt/keycap
Good point, you're right that gaining root/admin isn't the only way to ruin someone's day.
This reminds me of my first mention in a Linux kernel commit message: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.... It's the fix for a bug I found in the kernel. This sounds quite boring, but the fun part is the background story: Antivirus vendor X (actually forgot which one) bragged about a new, dangerous virus that can spread on Windows as well as Linux platforms. Joe Barr reported on that for NewsForge, claiming that the Virus didn't work at all (on Linux). I jumped in and tested too, and found that it wouldn't work (meaning: infect other binaries) on newer kernels since there was an actual bug in the kernel preventing it from doing so.

Why I'm reciting that story is this: It is perfectly fine for a binary to write executable code to other files. Your typical compiler does. The kernel isn't there to prevent that. The kernel is supposed to prevent it if you configure a security policy that forbids it - starting with things as simple as file ownership and permissions. This is pretty much clear for anyone who knows some things about what the computer does. For people who only have some fuzzy ideas, fixing the Linux kernel to make (in this case) a virus work again sounded a bit weird.

Well, ransomware is in the news these days because of the raid in the Netherlands, and here there's another "security specialist" trying to use this for its PR. But again there is nothing that indicates that this is all about standard functionality. Yes, you can encrypt all your own files on a typical machine. Yes, a piece of software can do it for you. Yes, you can run such software. And if you're careless and follow orders easily, someone else might give you the software to do it.