New Virus that targets *.nix
Valeri Galtsev
galtsev at kicp.uchicago.edu
Sat Nov 24 18:56:48 UTC 2018
On 11/24/18 11:58 AM, Dale Scott wrote:
> I don't know about everyone else, but considering my general lack of success running Linux shell scripts in general on FBSD, I don't think I'll panic just yet. ;-)
>
I fully agree with Dale. First of all, it cannot be called a virus (it
does not take over the system upon arrival); it cannot even be called a
worm, as it doesn't propagate itself unless it compromises the machine
at system level (a few words about that below) and has a sure way to
compromise the next-hop machine.
Well, the worst this thing can be called is a privilege-elevation
script (or scripts) based on a LOCAL (not remote) vulnerability, namely
Dirty COW.
Now, here are the questions:

1. Do you keep your system updated (and have implemented solutions
mitigating Dirty COW)? If yes, then you should not be expecting a
system-level compromise.
2. Do you run one or another system integrity check system? One example
could be from long ago, before they went commercial: tripwire. There are
a variety of others; do your research and choose what sounds appropriate
for you (not mentioning what I do: I do not want to help bad guys in the
first step of any attack: collection of information).
It is also interesting to note where this is coming from: DrWeb, based in
Russia (closed source commercial provider). I cannot comment on DrWeb
as I would comment on Kaspersky, likewise based in Russia. Kaspersky is KGB
(or whatever the current name of that powerful agency is), note: not "ex", as
there is no "ex" in these services. I can imagine that in countries with a
"strong" government, such as Russia (or the USA for that matter - continue
your own opinion list), "free" services or software (which are not open
source) offered by some companies may carry an additional load. And maybe
some commercial (closed source) ones too. So, use your own reasoning, people.
Incidentally, do you run antivirus software on your UNIX or Linux
servers for any purpose other than scanning emails that can be accessed
by clients running MS Windows or files shared to MS Windows machines
(via SAMBA)? If not, and if you feel anxious about DrWeb's piece, then
you become their potential user on machines that do not need their
software at all. Which may be one of the goals. Another: to create a
larger userbase among Windows people (maybe even making it look like
they are also helping poor UNIX and Linux people, which may look legit in
the eyes of the big majority of people who do not have expertise in computers).
If you need to run antivirus for the well-justified reasons I mentioned
above, use software from a trusted provider. My choice on UNIX(-like) and
Linux machines is the open-source ClamAV.

I hope this helps.
Valeri
>
> Original Message
> From: Carmel NY
> Sent: Saturday, November 24, 2018 7:14 AM
> To: FreeBSD
> Reply To: FreeBSD
> Subject: New Virus that targets *.nix
>
> This looks like a particularly nasty virus.
>
> https://www.zdnet.com/article/new-linux-crypto-miner-steals-your-root-password-and-disables-your-antivirus/
>
--
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
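As an added illustration of the "system integrity check" Valeri recommends in point 2 (example code, not from the thread and not tripwire's own): a minimal baseline-and-verify script that hashes every regular file under a directory and later reports what changed, disappeared or appeared. The function names and the baseline format are this example's own assumptions.

```shell
#!/bin/sh
# Minimal file-integrity check in the spirit of tripwire (added example).
# Keep the baseline outside the monitored tree, ideally on read-only media,
# so that an intruder who gains root cannot simply rewrite it.
# Limitation: file names containing newlines are not handled.

# fim_baseline DIR OUTFILE: write "sha256  path" lines for every regular file under DIR.
fim_baseline() {
    find "$1" -type f -exec sha256sum {} + | sort -k 2 > "$2"
}

# fim_verify DIR BASELINE: print CHANGED/MISSING/NEW lines for DIR against BASELINE;
# return 0 only when nothing differs.
fim_verify() {
    dir=$1
    base=$2
    cur=$(mktemp)
    find "$dir" -type f -exec sha256sum {} + | sort -k 2 > "$cur"
    rc=0
    awk '
        BEGIN { bad = 0 }
        # sha256sum separates hash and path with two spaces; keep the full path.
        { h = $1; p = $0; sub(/^[^ ]+  /, "", p) }
        FILENAME == ARGV[1] { base[p] = h; next }
        { now[p] = h }
        END {
            for (p in base) {
                if (!(p in now))            { print "MISSING " p; bad = 1 }
                else if (base[p] != now[p]) { print "CHANGED " p; bad = 1 }
            }
            for (p in now) if (!(p in base)) { print "NEW " p; bad = 1 }
            exit bad
        }' "$base" "$cur" || rc=$?
    rm -f "$cur"
    return "$rc"
}

# Constructed usage: take a baseline once, then verify periodically (e.g. from cron).
#   fim_baseline /usr/local/bin /root/baseline.txt
#   fim_verify   /usr/local/bin /root/baseline.txt
```

A real integrity checker also records ownership and permission bits (a dropped setuid binary would otherwise pass a pure hash comparison), and stores its database signed or off-host.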
More information about the freebsd-questions mailing list