Bitcoin Forum
Author Topic: Linux Security  (Read 693 times)
coinmaster222 (OP)
Hero Member
Offline
Activity: 756
Merit: 500
January 08, 2015, 04:18:07 PM
#1

A newly discovered trojan is infecting Linux systems and possibly building up an arsenal of devices to be used in distributed denial-of-service (DDoS) attacks, according to a blog post from Avast.

The new threat, XOR.DDoS, alters its installation depending on the victim's Linux environment and then later runs a rootkit to avoid detection. Although a similar trojan has been spotted in Windows systems, Peter Kálnai, malware analyst at Avast, said in a Wednesday interview that this trojan ventures into relatively untapped territory by targeting Linux systems.

“It's very hard to set a rootkit component within a Linux boundary because it needs to agree with the versions of the victims' operating systems,” Kálnai said.

Attackers using XOR.DDoS prey on users who haven't changed default logins for their devices through brute force tactics against various network IDs. If successful, the trojan will then determine whether it's compatible with the kernel headers installed on the victims' systems and install a rootkit, if so.

“The rootkit hides all the files that are indicators of compromise, so the victims could not see those indicators,” Kálnai explained. “It also hides processes and other indicators of compromise.”

Kálnai said that the rootkit aspect of the attack was first spotted around October 2014. The trojan itself was initially detailed on MalwareMustDie in September 2014.

The trojan and its variants can infect 32-bit and 64-bit Linux web servers and desktops, as well as ARM architecture, which could indicate that routers, Internet of Things (IoT) devices, NAS storages and 32-bit ARM servers could also be affected, the blog post said.

Not many infections have been detected yet, although those that have been do not follow a particular pattern. Both enterprises and individuals could be impacted, although Kálnai noted that individuals should be particularly aware of the threat, as enterprises typically have stronger security measures in place.

The Avast analyst also noted a small group is likely behind most infections because the trojan hasn't been spotted on any forums.


HeroCat
Hero Member
Offline
Activity: 658
Merit: 500
January 08, 2015, 04:30:33 PM
#2

Linux OS security depends on antivirus software - and there you do not have a wide choice. Grin

pedrog
Legendary
Offline
Activity: 2786
Merit: 1031
January 08, 2015, 04:43:57 PM
#3

How does it spread?

coinmaster222 (OP)
Hero Member
Offline
Activity: 756
Merit: 500
January 08, 2015, 04:50:18 PM
#4

How does it spread?
It can spread many ways. Remember, you have little protection on the Linux platform from malware, especially rootkits that mask themselves as part of the Linux OS.

shorena
Copper Member
Legendary
Offline
Activity: 1498
Merit: 1520
No I don't escrow anymore.
January 08, 2015, 04:55:11 PM
#5

How does it spread?

Brute-Force against SSH

Edit: link: http://blog.malwaremustdie.org/2014/09/mmd-0028-2014-fuzzy-reversing-new-china.html

I'm not really here, it's just your imagination.

panju1
Legendary
Offline
Activity: 1246
Merit: 1000
January 08, 2015, 04:56:14 PM
#6

I would be devastated if such malware also tried to steal bitcoins.

Stifler
Member
Offline
Activity: 66
Merit: 10
January 08, 2015, 05:10:11 PM
#7

Does this affect Ubuntu? I guess if you boot from a live CD you're still OK, which is the safest way for the security conscious.

Not to be confused with the user sifter Tongue.

activebiz
Hero Member
Offline
Activity: 518
Merit: 500
January 08, 2015, 05:38:59 PM
#8

How can we secure servers from this malware?

pedrog
Legendary
Offline
Activity: 2786
Merit: 1031
January 08, 2015, 07:48:31 PM
#9

How can we secure servers from this malware?

Keep your system up to date; with the latest sshd update you are given the choice to not allow root login, go with it. I think this is enough. And use strong passwords, that's always a good security policy. Smiley
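As an added example (not code from the thread or from OpenSSH), the two sshd_config settings behind this advice can be audited with a short POSIX shell script: root login, which is the option mentioned above, and password authentication, which is what an SSH dictionary attack actually guesses. The script assumes the sshd_config rule that the first occurrence of a keyword wins and ignores per-user Match blocks; the two sample config files it writes are constructed so it runs offline.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config for the two settings that
# matter most against SSH brute force, root login and password authentication.
# The sample configs written below are constructed; file paths are temporary.

# Print the effective value of a directive from the global section of an sshd_config.
# sshd uses the FIRST occurrence of a keyword, and we stop at the first Match block
# (per-user/host overrides are out of scope here). Output is lowercased; empty if unset.
sshd_directive() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        tolower($1) == "match" { exit }
        tolower($1) == key     { print tolower($2); exit }
    ' "$1"
}

# Report on a config file; returns 0 when both settings are hardened, 1 otherwise.
check_sshd_config() {
    cfg="$1"
    rc=0
    root=$(sshd_directive "$cfg" PermitRootLogin)
    pass=$(sshd_directive "$cfg" PasswordAuthentication)
    case "$root" in
        no) echo "OK:   PermitRootLogin no" ;;
        prohibit-password|without-password) echo "OK:   PermitRootLogin $root (root only with a key)" ;;
        *)  echo "WEAK: PermitRootLogin is '${root:-unset}' (the default varies by version; set it explicitly)"; rc=1 ;;
    esac
    case "$pass" in
        no) echo "OK:   PasswordAuthentication no" ;;
        *)  echo "WEAK: PasswordAuthentication is '${pass:-unset}' (passwords are what dictionary attacks guess)"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample configs so the script runs offline.
# Note the commented-out and duplicated lines: only the first active occurrence counts.
weak_cfg=$(mktemp)
hard_cfg=$(mktemp)
cat > "$weak_cfg" <<'EOF'
# PermitRootLogin no
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF
cat > "$hard_cfg" <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
# the next line is ignored by sshd: the first occurrence above wins
PermitRootLogin yes
Match User backup
    PasswordAuthentication yes
EOF

echo "== weak sample =="
check_sshd_config "$weak_cfg" || echo "-> needs hardening"
echo "== hardened sample =="
check_sshd_config "$hard_cfg" && echo "-> fine"
rm -f "$weak_cfg" "$hard_cfg"
```

On a real host, run `check_sshd_config /etc/ssh/sshd_config` and reload sshd after any change; keep an existing session open while you test the new settings so a typo cannot lock you out.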

elliwilli
Sr. Member
Offline
Activity: 307
Merit: 250
et rich or die tryi
January 08, 2015, 09:31:02 PM
#10

Damn, the problem with Linux adoption is the more people adopt it, the more of a target it becomes. At least the malware won't be targeting old grannies but instead tech literates, meaning that infections as a whole will probably be quite low, but damn, it's a shame.

pitham1
Legendary
Offline
Activity: 1232
Merit: 1000
January 09, 2015, 01:01:26 AM
#11

How do we detect if our systems have been compromised?

coinmaster222 (OP)
Hero Member
Offline
Activity: 756
Merit: 500
January 09, 2015, 01:34:12 AM
#12

It has to be compatible with the kernel headers installed on your systems and install a rootkit, if so.

coinmaster222 (OP)
Hero Member
Offline
Activity: 756
Merit: 500
January 09, 2015, 01:36:48 AM
#13

Damn, the problem with Linux adoption is the more people adopt it, the more of a target it becomes. At least the malware won't be targeting old grannies but instead tech literates, meaning that infections as a whole will probably be quite low, but damn, it's a shame.
Linux will never be fully adopted; it's great if you're tech savvy, but a newbie could blow the whole thing in 2 minutes not knowing what he is doing.

coinmaster222 (OP)
Hero Member
Offline
Activity: 756
Merit: 500
January 09, 2015, 01:38:39 AM
#14

Starting a new project tomorrow turning an old computer into a server; will keep you updated when it's complete.

bleeding2323
Full Member
Offline
Activity: 229
Merit: 100
https://forum.positroncrypto.com/
January 09, 2015, 02:30:11 AM
#15

I have a home web server; how would I secure it from this virus? I use System Mechanic as my antivirus and antimalware and have not had any trouble thus far.

rigel
Legendary
Offline
Activity: 1240
Merit: 1001
Thank God I'm an atheist
January 09, 2015, 04:33:57 AM
#16

I have a home web server; how would I secure it from this virus? I use System Mechanic as my antivirus and antimalware and have not had any trouble thus far.

keep updated

configure firewall

restrict file permissions

freedomno1
Legendary
Offline
Activity: 1806
Merit: 1090
Learning the troll avoidance button :)
January 09, 2015, 05:07:46 AM
#17

Sounds like an impressive little bugger, reading the description on it.
The best way to detect it would be to do an offline scan, I guess, and try to figure out if anything is trying to communicate with the internet; in other words, really really really annoyingly.
(Does make me curious, based on this description, what everyone could have hidden on their PC without their knowledge.)

Believing in Bitcoins and it's ability to change the world
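As an added example, not code from the thread, here are two POSIX shell checks for the two symptoms this thread keeps returning to: a rootkit hiding processes (the question a few posts up) and something quietly talking out to the internet (the suggestion just above). The comparison and decoding logic takes its input from arguments or stdin, so it runs on constructed data; passing `--live` runs the collectors against the real /proc on a Linux host. The /proc/net/tcp sample and the PID lists are constructed, and 203.0.113.5 is a documentation address, not an indicator of anything.

```shell
#!/bin/sh
# Added example, not from the thread: two checks for the symptoms discussed above, a rootkit
# hiding processes and something quietly talking out to the internet. The comparison and
# decoding logic takes its input from arguments or stdin so it runs on constructed data;
# pass --live to run the collectors against the real /proc on a Linux host.

# --- 1) hidden processes ---------------------------------------------------------------
# A process-hiding rootkit typically filters the directory listing of /proc that ps reads.
# Probing /proc/<pid> by name is an independent view: a PID that exists there but is
# absent from ps deserves a look.

# Collector: every PID reachable by a direct stat of /proc/<pid> (no readdir involved).
# pid_max can be large on modern kernels, so this can take a while in plain sh.
proc_pids_by_probe() {
    max=$(cat /proc/sys/kernel/pid_max 2>/dev/null || echo 32768)
    pid=1
    while [ "$pid" -le "$max" ]; do
        [ -d "/proc/$pid" ] && echo "$pid"
        pid=$((pid + 1))
    done
}

# Pure comparison: print every PID in list $1 that does not appear in list $2.
pids_missing_from() {
    for p in $1; do
        case " $2 " in *" $p "*) ;; *) echo "$p" ;; esac
    done
}

check_hidden_processes() {
    probed=$(proc_pids_by_probe | tr '\n' ' ')
    listed=$(ps -e -o pid= | tr -s ' \n' ' ')
    for p in $(pids_missing_from "$probed" "$listed"); do
        # re-check so a process that simply exited between the two snapshots is not reported
        if [ -d "/proc/$p" ] && ! ps -p "$p" >/dev/null 2>&1; then
            echo "possible hidden process: pid $p"
        fi
    done
}

# --- 2) who is talking to the internet --------------------------------------------------
# /proc/net/tcp is the kernel's own connection table. Reading it directly sidesteps a
# netstat/ss binary that a rootkit may have replaced. Addresses are hex, bytes little-endian.

hex_to_ip() {   # "0100007F" -> 127.0.0.1
    h=$1
    echo "$((0x${h#??????})).$((0x$(printf '%s' "$h" | cut -c5-6))).$((0x$(printf '%s' "$h" | cut -c3-4))).$((0x${h%??????}))"
}

decode_proc_net_tcp() {   # reads /proc/net/tcp format on stdin, prints "local -> remote STATE"
    tail -n +2 | while read -r sl local rem st rest; do
        case "$st" in 01) state=ESTABLISHED ;; 0A) state=LISTEN ;; *) state="state_$st" ;; esac
        echo "$(hex_to_ip "${local%%:*}"):$((0x${local##*:})) -> $(hex_to_ip "${rem%%:*}"):$((0x${rem##*:})) $state"
    done
}

# Constructed sample in /proc/net/tcp format: an sshd listener and one outbound HTTPS session
# from 10.0.2.15 to 203.0.113.5 (a documentation address, not a real indicator).
sample_tcp='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:8B2C 057100CB:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 23456 1 0000000000000000 20 4 30 10 -1'

if [ "${1:-}" = "--live" ]; then
    check_hidden_processes
    decode_proc_net_tcp < /proc/net/tcp
else
    echo "hidden-pid demo: $(pids_missing_from '1 2 3 4242' '1 2 3')"   # -> 4242
    printf '%s\n' "$sample_tcp" | decode_proc_net_tcp
fi
```

Neither check is conclusive on its own: a kernel rootkit that also hooks the lookup of /proc/<pid> will hide from the probe, and the connection table only shows what is talking right now. That is why the offline scan suggested above (booting clean media and inspecting the disk) remains the more trustworthy option; these checks are the quick first pass on a running box.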

Lauda
Legendary
Offline
Activity: 2674
Merit: 2965
Terminated.
January 09, 2015, 03:57:58 PM
#18

Why does a single piece of rootkit cause so much attention compared to thousands of them for Windows?
Linux is not the ultimate safe system, but rather just much safer than Windows.

"The Times 03/Jan/2009 Chancellor on brink of second bailout for banks"
😼 Bitcoin Core (onion)

coinmaster222 (OP)
Hero Member
Offline
Activity: 756
Merit: 500
January 09, 2015, 04:24:09 PM
#19

Believe it or not, there are antivirus programs available for various Linux desktop distributions, such as Ubuntu among others. What most people may not realize is that these programs are merely for scanning and containing Windows threats, usually on Windows partitions. This isn't to say that viruses don't exist for Linux, rather software designed to combat viruses isn't built to protect Linux installs in this way.
This brings up the next question -- do you need an antivirus program for your Linux installation? The short answer is no, unless you’re looking to protect Windows directories.

The key is that Linux isn’t susceptible to the same types of threats found pounding away on Windows. No, I’d say that at this point there isn’t a need for a Windows-like security suite for desktop Linux. There is however, a need for making sure certain security considerations are attended to.

While an antivirus might not be a requirement on your Linux distro, keeping it up to date is critical. Not only does updating your distribution keep things running securely, it can also protect against potential vulnerabilities yet to be discovered, by keeping the path to patches flowing freely.

At the end of the day, the single most important thing you can do to keep your Linux installation secure is to update frequently and to make sure you don’t put things off in this department.

Perhaps the biggest threat to understand with Linux isn't malware, but rather falling victim to having your account hacked. In recent years some web services have taken precautions to try and better protect user accounts, but despite these precautions, anything is possible.

Phishing attacks are most common among less experienced computer users. Still, using strong passwords and, going a step further, a good password manager can go a long way to protecting your important data.

Unfortunately a good password isn't going to protect you against a phishing attack, since you're volunteering to login from a fake website or otherwise giving up login details. This can happen on any operating system, even the most secure Linux distribution. Because this happens due to the end user choosing to give up their details, the only way to be sure to avoid a phishing scheme is to manually type in the address.

Email or social media links prompting for a login should be avoided if at all possible. Unless you're typing in the destination address, all hyperlinks should be considered potentially suspicious. A good rule of thumb: SSL first, or as a fall back try to stick to logging in from trusted networks only.

Another thing to remember is to make sure, when you're logging into a site, that it's SSL ready. While using https isn't always foolproof thanks to various security concerns, it's still safer than the alternative. Using a non SSL protected website is begging for trouble.

If logging into a site with SSL isn't possible, at the very least make sure you're logging into the target site from a trusted network, such as your home.

Disable unnecessary services

Another important consideration is to disable unused services. Not only do these services tie up system resources, but they can also create new targets from which malicious users can attack.

Bluetooth is one such example. All too often, Bluetooth is left on and in discoverable mode...which can lead to a potential attack should someone in your vicinity have hacking skills.

A much more commonly attacked service is SSH. Despite SSH being used as a means of securely connecting to remote machines, it is often a target of dictionary attacks run by those using port scans to look for easy targets.

What's really frightening is that some people use weak passwords to secure their SSH servers and as a result, these machines are easily broken into by random port scan users. In some instances, SSH was only used legitimately once, then promptly forgotten about. As a result, the SSH service is left running and the vulnerability of this service running rears its ugly head as the attacker easily compromises the target machine due to poor security practices. While there are ways of hardening SSH, running it when it's not being used is just using poor judgment.
Blocking ports with a firewall

Linux has benefited from a great firewall feature called IPTables. Using this tool, you can keep port sniffers from trampling through your computer and also make sure you're in full control of what accesses the Internet from your computer as well. Distributions such as Ubuntu have gone even further to make using this tool simpler.
With Ubuntu's Uncomplicated Firewall, using terms like allow or deny translates into an easy to follow method for blocking unwanted port access.

The biggest benefit in having a firewall on the Linux desktop comes down to controlling the data flowing back and forth. If there is random data flowing in and out of an insecure port, then it's reassuring to have the ability to easily block it. While it might not be an immediate threat, in the future, that same port could be used maliciously. So port control is a nice feature indeed.

Nothing is truly secure

As we've learned during the well documented Heartbleed incident, nothing that executes code is ever going to be 100% secure. Claiming otherwise is misleading and inherently false. To the casual end user, the only difference with regard to security is that installable malware isn't an issue. Phishing, hacking exploits, and issues of a compromised network are still things to remain vigilant about.

To further summarize and offer actionable tips to keep your Linux box secure, remember the following:

Don't execute random code. If you don't know what it does, don't run it.
Be wary of untrusted, non-distro official software repositories. It may be safe, but you should always be aware you're using these user repositories at your own peril.
Use strong passwords and a password manager. If your password is a word from the dictionary, you're playing with fire.
Don't run a web server on your home machine. Unless you know exactly what you're doing.
Don't run unnecessary services on your computer. If you're not needing a mail server with open ports on your home computer, disable and uninstall it. Same applies for other similar applications running on their own ports.
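As an added example, not code from the thread or from the ufw project, the "disable unnecessary services" and "block ports with a firewall" steps above can be turned into one POSIX shell audit: it reads `ss -tulpn` output, flags every listener that is reachable from outside the box and not on a short allowlist, and then prints (without running) the ufw ruleset for the allowlist. The ss sample is constructed so the script runs offline; `ufw limit` is a real ufw verb that rate-limits new connections to a port, which is the cheap counter to the SSH dictionary attacks mentioned above.

```shell
#!/bin/sh
# Added example, not from the thread: audit listening sockets against a short allowlist,
# the "disable unnecessary services" step turned into a check, then print the ufw rules
# (allow/deny/limit are real ufw verbs) that would fence off what remains.
# On a host, run:  ss -tulpn | audit_listeners "tcp/22 tcp/80"
# The sample below is constructed ss output so the script runs offline.

sample_ss='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      100        127.0.0.1:25         0.0.0.0:*     users:(("master",pid=1043,fd=13))
tcp   LISTEN 0      511          0.0.0.0:80         0.0.0.0:*     users:(("nginx",pid=1200,fd=6))
tcp   LISTEN 0      128             [::]:22            [::]:*     users:(("sshd",pid=812,fd=4))
udp   UNCONN 0      0            0.0.0.0:68         0.0.0.0:*     users:(("dhclient",pid=600,fd=6))'

# Read ss output on stdin; $1 is the allowlist as "proto/port" tokens.
# Loopback-only binds are reported but not flagged: nothing outside the box can reach them.
audit_listeners() {
    allowed=" $1 "
    tail -n +2 | while read -r proto state rq sq local peer proc; do
        port=${local##*:}
        addr=${local%:*}
        # pull the program name out of users:(("name",pid=...,fd=...)); empty without -p
        name=$(printf '%s' "$proc" | sed -n 's/.*(("\([^"]*\)".*/\1/p')
        case "$addr" in
            127.*|'[::1]')
                echo "local-only: $proto/$port (${name:-?}) bound to $addr" ;;
            *)
                case "$allowed" in
                    *" $proto/$port "*) echo "allowed:    $proto/$port (${name:-?}) bound to $addr" ;;
                    *) echo "UNEXPECTED: $proto/$port (${name:-?}) bound to $addr; stop and disable the service, or block the port" ;;
                esac ;;
        esac
    done
}

# Print (not execute) a ufw ruleset for the allowlist: deny everything inbound by default,
# open only the listed ports, and rate-limit SSH so dictionary attacks slow to a crawl.
ufw_plan() {
    echo "ufw default deny incoming"
    for svc in $1; do
        proto=${svc%/*}; port=${svc#*/}
        if [ "$svc" = "tcp/22" ]; then
            echo "ufw limit $port/$proto"
        else
            echo "ufw allow $port/$proto"
        fi
    done
    echo "ufw enable"
}

allow="tcp/22 tcp/80"
printf '%s\n' "$sample_ss" | audit_listeners "$allow"
echo "--- firewall plan (review, then run as root) ---"
ufw_plan "$allow"
```

An UNEXPECTED line is a prompt to ask whether the service needs to exist at all; removing or disabling it is the better fix, and the firewall rule is the backstop for the ports that must stay open. Run the audit again after the change to confirm the listener is gone.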
