Linux A Target Rich Environment for Malware after All, Wirenet Trojan in the Wild

This post has 17 Replies | 1 Follower

Top 10 Contributor
Posts 25,676
Points 1,155,745
Joined: Sep 2007
ForumsAdministrator
News Posted: Fri, Aug 31 2012 10:24 AM
No one is arguing that Windows isn’t the biggest target for malware writers, but it’s starting to look like Microsoft’s OS isn’t alone. Threats for the Mac have made the occasional headline, and a new Trojan is making the rounds on both Mac and Linux. That’s right: a cross-platform virus.

Wirenet, as it’s being called by Dr. Web (the Russian security company that discovered the malware), is designed to steal passwords. The bug goes after passwords stored in popular Internet browsers and sends them to a server, encrypted with AES.

According to Dr. Web, the Trojan can pull passwords from stored password lists and also function as a keylogger. Targeted applications include Chrome, Chromium, Firefox, Opera, Pidgin, SeaMonkey, and Thunderbird. Dr. Web hasn’t yet determined how Wirenet spreads, but it says that the Trojan has been seen in the wild. It installs to the user’s home directory.

Wirenet Mac and Linux Trojan

Image Credit: Dr. Web

Dr. Web says that Wirenet is the first virus to target both Mac and Linux. Although it’s disturbing to see virus writers attacking these operating systems, we suspect it’s going to take many more headlines before Linux and Mac users begin to look for malware protection on a large scale. If you have Wirenet on your system (or want to protect against it), you can pick up Dr. Web or block access to the server at 212.7.208.65.
  • | Post Points: 35
Top 200 Contributor
Posts 354
Points 3,075
Joined: Aug 2012
Location: Canada

NOOOOOO!

MY VIRUS FREE LINUX! D:

PC Specs:

  • AMD Athlon 64 x2 6400+  Cooled by a Cooler Master Hyper 212 Plus (push-pull)
  • 2GB DDR2
  • MSI Radeon HD 6450 2GB
  • Stock Dell motherboard
  • 250Gb HDD
  • XFX Pro Core edition 650W PSU
  • Stock Dell inspiron case

 

  • | Post Points: 20
Top 500 Contributor
Posts 290
Points 2,255
Joined: Aug 2012

No one is safe. Lol. Just don't go to porn sites, guys. Lol, and don't go downloading malicious stuff.

  • | Post Points: 35
Top 500 Contributor
Posts 309
Points 2,990
Joined: Mar 2011
JOMA replied on Fri, Aug 31 2012 4:47 PM
No system will be safe and it's only going to get worse. It's possible my digital watch is safe since it has no internet access and no usb ports.
  • | Post Points: 5
Top 500 Contributor
Posts 164
Points 1,630
Joined: Nov 2010
MCaddick replied on Fri, Aug 31 2012 7:49 PM

Actually nicoletoledo, it's not the porn sites that now pose the biggest threat/risk.

It's the religious sites where the operators have no real idea about security and use crappy WordPress and similar systems without a second thought to their users' security.

http://bit.ly/KULksc

  • | Post Points: 5
Top 10 Contributor
Posts 5,053
Points 60,700
Joined: May 2008
Location: U.S.
Moderator
3vi1 replied on Sat, Sep 1 2012 12:50 PM

Don't worry. It's not a virus; it's a trojan. So, if you don't run random bash scripts that people email you, you're safe.

I love how news sites are going crazy bashing how "insecure" Linux is given the existence of this thing, when there's not even a single detail about how this trojan is spread or a total infection rate (it very well could be one single machine)!

This trojan is a non-issue.  We haven't heard from one single infected user - just some Russian software company trying to sell you their product.

People that install their software from signed repos (i.e. almost every Linux user), are safe.

This "news" item looks like it's designed to spread the russian Dr. Web software (which is closed source and god only knows what's in the binary).  I would never install that, from a company that I've never heard of before.  Worst case, go download BitDefender, then follow their instructions and they'll send you a free key for personal use if you're running Linux.  I run it about once every 6 months, and in the last 7 years it has not found anything except for Windows viruses in my Thunderbird junk mail folder.

 

What part of "Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn" don't you understand?

++++++++++++[>++++>+++++++++>+++>+<<<<-]>+++.>++++++++++.-------------.+++.>---.>--.

Top 500 Contributor
Posts 309
Points 2,695
Joined: Aug 2010
JDiaz replied on Sat, Sep 1 2012 5:08 PM

Dr. Web has been around since 1992, and you can check the reviews to see how it stacks to the others.

While whether the trojan is an issue remains to be seen, all we know right now is that it's new and it can apparently infect both OSX and Linux systems.

You're probably right that it's not a serious threat but it could be the start of a bad precedent.

Cross-platform vulnerabilities should be a concern regardless, especially if it results in attracting more malware makers by increasing target potential. Besides, most malware infections are usually caused by user error, by a ratio of about 4 to 1 versus system vulnerability exploits. So it should be a concern even if the system is mostly secure otherwise.

Btw, signed repos aren't foolproof because malware can be self signed and depends on how well each repo is maintained.

  • | Post Points: 20
Top 10 Contributor
Posts 5,053
Points 60,700
Joined: May 2008
Location: U.S.
Moderator
3vi1 replied on Sat, Sep 1 2012 5:42 PM

>> Dr. Web has been around since 1992,

I've been around since 1970.  Trust me with your system.  :D

>> Cross platform vulnerabilities should be a concern regardless, 

I won't disagree there.  But... how is it cross-platform?  Early reports indicate it is *not* Java.  So what is it?  A shell script?  There's literally not enough info to go on to be scared.

>> "Btw, signed repos aren't foolproof because malware can be self signed and depends on how well each repo is maintained."

You're apparently unaware of how package signing works in Linux (which is okay, just follow me here).

Unless the user's machine has previously accepted the key of the signer, the package is the equivalent of unsigned. The user doesn't get prompted to "accept the key" or anything; it just fails (or at least warns them in no uncertain terms and asks for confirmation that they want to do something extremely unwise).

There's a particular set of Linux/Open-source dynamics that prevent all of this from ever being a serious issue of concern on Linux.  I wrote it up and sent it to Dave and Marco earlier, so it may be appearing here soon.  I know I'm looking at it from the less seen perspective, I'm just seriously tired of the alarmist reactions to any malware that attempts to support Linux - especially when most are laughable and can never spread beyond the LUG of the guy who wrote them.  It's been 21 years... let's see someone name 100 Linux viruses.  :)

What part of "Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn" don't you understand?

++++++++++++[>++++>+++++++++>+++>+<<<<-]>+++.>++++++++++.-------------.+++.>---.>--.

  • | Post Points: 20
Top 500 Contributor
Posts 309
Points 2,695
Joined: Aug 2010
JDiaz replied on Sat, Sep 1 2012 8:07 PM

"But... how is it cross-platform?"

Details are sketchy, but if it affects both Linux and OSX and they specifically mentioned web browsers ("including Chrome, Chromium, Firefox, Opera, Pidgin, SeaMonkey, and Thunderbird") then it's cross-platform.

"You're apparently unaware of how package signing works in Linux (which is okay, just follow me here)."

You're either trying to be condescending or naively believe it's as effective as you think it is, but fact is the system isn't foolproof and no system ever is!

First, previously accepted doesn't mean the package can't be later compromised. Each time a package is loaded there's a risk involved, as repositories are only as secure as the maintainers keep them, and even then only to the extent that security precautions make it harder to compromise; but harder never means impossible.

Second, previously accepted doesn't matter when people are trying new software. Therein is where self-signed packages pose the most threat, as they can pass as legit and they're harder to identify as malware. Never mind the threat of hackers getting their hands on authentic signing keys. Then all the trusted sources go out the window!

Third, I'll again point you to the fact infections are 4 to 1 more likely because of user error! Especially if they don't think they have anything to worry about!

Really, a clueless Linux user is just as insecure as a clueless Windows user.

Besides, not all Linux distros follow all security standards...

Ex: http://igurublog.wordpress.com/2011/02/19/archs-dirty-little-notso-secret/

Along with any possible vulnerabilities of package managers, or any other overlooked or undiscovered vulnerability.

Ultimately, it pays more to be paranoid than sorry later regardless of how good your system's security measures might be.

  • | Post Points: 20
Top 10 Contributor
Posts 5,053
Points 60,700
Joined: May 2008
Location: U.S.
Moderator
3vi1 replied on Sat, Sep 1 2012 8:32 PM

>> You're either trying to be condescending or naively believe it's as effective as you think it is,

I was being nice.

You're apparently mad. In multiple senses of the word. Point me to a repo that my system won't warn me isn't signed by an accepted sig, and we'll talk. And by "talk" I mean I'll submit a patch that fixes it for all unsigned repos.

>> Each time a package is loaded it's a risk involved as repositories are only as secure as the maintainers keep it and even then only to the extent that security precautions make it harder to compromise but harder never means impossible.

Wrong. I wasn't being mean before, but please learn how git repositories and upstream patches work before professing this stuff. You keep mentioning "self-signing" packages... but there's no trust for self-signed packages in Linux.

>> Never mind the threat of hackers getting their hands on authentic sign-ages.

You might as well say "Never mind people getting their hands on Microsoft keys". Though... the MS thing actually happened.. with keys they didn't think would be used for signing things other than terminal services.

>> infections are 4 to 1 more likely because of user error!

I don't know where you get your stats, but I'd guess, to err on your side, it's more like 10 to 1.

>> Really, a clueless Linux user is just as insecure as a clueless Windows user.

That's true! But, how many clueless Linux users are there, really? So.. for now, this is a non-issue.

What part of "Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn" don't you understand?

++++++++++++[>++++>+++++++++>+++>+<<<<-]>+++.>++++++++++.-------------.+++.>---.>--.

  • | Post Points: 20
Top 500 Contributor
Posts 309
Points 2,695
Joined: Aug 2010
JDiaz replied on Sat, Sep 1 2012 9:51 PM

"I was being nice.

You're apparently mad. In multiple senses of the word. Point me to a repo that my system won't warn me isn't signed by an accepted sig, and we'll talk. And by "talk" I mean I'll submit a patch that fixes it for all unsigned repos."

No, you were just thinking you were being nice (I accept that you were trying), but the problem is you're assuming too much. First, security in Linux depends on each distro's setup, so it's an assumption to believe this is automatic. Android is based on the Linux kernel too but has lousy security, for example, and has issues with self-signed packages.

Just because Linux has many inherent security options doesn't mean it's always setup to use them or always using them properly!

Even when properly done, some developers do sign all their releases, but the weak point is the signatures checked by the distribution packagers. All it takes is one weak point in the link between developers and end users!

Second, I already pointed out no repo is 100% secure even when properly set up and I already gave you a link showcasing of at least one distro, Arch Linux, that doesn't even use package signing and it has been that way for years!

While it's not just a matter of the repos but also the package managers, which, running as root, thus pose one of multiple ways malware makers may choose to attack a system.

Possible vulnerabilities of package managers fall into three main categories: replay and freeze attacks, metadata manipulation attacks and denial-of-service attacks.

A replay attack, for example, comes down to this: a package manager requests signed metadata, and a malicious party responds with an old signed file. This is possible without the need to compromise the signing key, because once a file is signed, it is always trusted by clients. This can work even after vulnerabilities are discovered in a package that was once considered safe, because the attacker just has to respond with old metadata that lists package versions the attacker knows how to exploit.

A freeze attack works in a similar way in that the attacker keeps giving the client the same version of the metadata, essentially "freezing" the metadata at one point in time to prevent updates to vulnerable packages.

If the package manager does not use signed metadata, like with Arch Linux repositories, an attacker doesn't have to even bother with a replay attack as the system is at risk because the attacker can just make up his own metadata.

While the last type is endless data attacks, which essentially are a form of denial-of-service. This attack is dead simple: the malicious party responds to a client request (metadata or a package) with an endless stream of data. Possible results are filling up the partition or exhausting memory.

Mind, I'm not saying Linux is inherently vulnerable or any such nonsense but neither is it automatically secure and definitely nothing is 100%. Even while many vulnerabilities get patched, there are always new ones to find.

Basically, like any other OS, security depends on both set up and how the end user handles the system. You may feel secure but you can never be certain of that security and it's as stated before better to be paranoid first than sorry later.

Vulnerabilities like this example, http://www.computerworld.com/s/article/9223675/Linux_vendors_rush_to_patch_privilege_escalation_flaw_after_root_exploits_emerge

pop up every now and then. It's fine when the security experts find it first and patches get made quickly, but the worst case is a vulnerability discovered by malware makers first, with no one catching on until too late.

Such a scenario may seem unlikely, but it can happen, especially if anywhere near as many malware makers as attack Windows turn their attentions elsewhere...

  • | Post Points: 20
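The three package-manager attacks listed above (replay, freeze, endless data) and the "previously accepted key" behaviour 3vi1 describes earlier in the thread both come down to checks a repository client must make before trusting metadata. The following is an added example, not code from this thread or from any real package manager: a small Python model of such a client with a pinned keyring, strictly increasing metadata versions, an expiry date, and a bounded download. HMAC-SHA256 with a pre-shared key stands in for the public-key signature a real distro would use, and the key ids, version numbers, package names and clock value are all constructed for the demonstration.

```python
import hashlib
import hmac
import itertools
import json
import time

# Constructed trusted keyring: only signing keys the client accepted beforehand
# (e.g. shipped with the distro) are trusted; anything else counts as unsigned.
# HMAC with a pre-shared key stands in for the real public-key signature so the
# example runs on the standard library alone.
TRUSTED_KEYS = {"distro-release-key-2012": b"constructed-secret-for-the-distro-key"}
MAX_METADATA_BYTES = 64 * 1024   # refuse to read more than this from a mirror


class MetadataRejected(Exception):
    """Raised when repository metadata fails a check; the client must not use it."""


def sign_metadata(key_id, key, metadata):
    """Build a signed metadata envelope the way a repository signer would."""
    body = json.dumps(metadata, sort_keys=True)
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"key_id": key_id, "sig": sig, "body": body}


def fetch_bounded(stream, limit=MAX_METADATA_BYTES):
    """Read a response chunk by chunk and abort once it exceeds `limit` bytes.
    This is the defence against an endless-data (denial-of-service) mirror."""
    received, total = [], 0
    for chunk in stream:
        total += len(chunk)
        if total > limit:
            raise MetadataRejected("response exceeded %d bytes; download aborted" % limit)
        received.append(chunk)
    return b"".join(received)


class RepoClient:
    def __init__(self, now=None):
        self.now = now if now is not None else time.time()
        self.last_version = 0          # highest metadata version accepted so far

    def verify_metadata(self, signed):
        key = TRUSTED_KEYS.get(signed["key_id"])
        if key is None:                # unknown or self-signed key: same as unsigned
            raise MetadataRejected("signing key %r is not trusted" % signed["key_id"])
        expected = hmac.new(key, signed["body"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signed["sig"]):
            raise MetadataRejected("signature does not verify")
        meta = json.loads(signed["body"])
        # Replay/freeze defence 1: versions must strictly increase per client.
        if meta["version"] <= self.last_version:
            raise MetadataRejected("stale metadata: version %d <= last seen %d"
                                   % (meta["version"], self.last_version))
        # Replay/freeze defence 2: signed metadata carries an expiry the signer set.
        if meta["expires"] <= self.now:
            raise MetadataRejected("metadata expired at %d" % meta["expires"])
        self.last_version = meta["version"]
        return meta


def _attempt(results, name, action):
    """Record whether a scenario was accepted or why it was rejected."""
    try:
        action()
        results[name] = "accepted"
    except MetadataRejected as err:
        results[name] = str(err)


def run_scenarios():
    """Exercise the client against honest and malicious mirrors; return outcomes."""
    key_id, key = "distro-release-key-2012", TRUSTED_KEYS["distro-release-key-2012"]
    now = 1_346_500_000                       # constructed clock: early Sep 2012
    client, results = RepoClient(now=now), {}
    old = sign_metadata(key_id, key, {"version": 7, "expires": now + 86_400,
                                      "packages": {"openssl": "1.0.0"}})
    new = sign_metadata(key_id, key, {"version": 8, "expires": now + 86_400,
                                      "packages": {"openssl": "1.0.1"}})
    forged = sign_metadata("attacker-key", b"attacker-secret",
                           {"version": 9, "expires": now + 86_400, "packages": {}})
    results["current"] = client.verify_metadata(new)["packages"]["openssl"]
    _attempt(results, "replay", lambda: client.verify_metadata(old))   # older signed file
    _attempt(results, "freeze", lambda: client.verify_metadata(new))   # same file again
    _attempt(results, "expired",                                       # fresh client, 2 days later
             lambda: RepoClient(now=now + 2 * 86_400).verify_metadata(new))
    _attempt(results, "self_signed", lambda: client.verify_metadata(forged))
    _attempt(results, "endless", lambda: fetch_bounded(itertools.repeat(b"A" * 1024)))
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print("%-12s %s" % (name, outcome))
```

Run as a script it prints one line per scenario: the current metadata is accepted and every malicious response is rejected with the reason. The version and expiry checks are what make a replayed or frozen file useless even though its signature is still perfectly valid, which is the point of the replay/freeze attacks above; the size cap is a separate defence and applies to package downloads as well as metadata.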
Top 10 Contributor
Posts 5,053
Points 60,700
Joined: May 2008
Location: U.S.
Moderator
3vi1 replied on Sat, Sep 1 2012 11:07 PM

All of your comments were cut off, to the right.

But, as far as I can tell, they were all based on completely incorrect assumptions.

You found one 8-month-old vulnerability... that was patched over a week before any exploits appeared. Show me real-world hurt. Show me something equivalent to the Windows exploits that went unpatched for two years.

Thanks.

What part of "Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn" don't you understand?

++++++++++++[>++++>+++++++++>+++>+<<<<-]>+++.>++++++++++.-------------.+++.>---.>--.

  • | Post Points: 20
Top 500 Contributor
Posts 309
Points 2,695
Joined: Aug 2010
JDiaz replied on Sun, Sep 2 2012 12:51 AM

"All of your comments were cut off, to the right."

You need a better browser then!  I'm not having that issue...

 

"But, as far as I can tell, they were all based on completely incorrect assumptions."

No, I'm pointing out the obvious flaws in the system that security experts have been pointing out for years.

Just because those vulnerabilities aren't constantly being exploited doesn't mean they never will be!

 

"You found one 8 month old vulnerability..."

If you actually kept track of security you would know that was just one of many that have been discovered over the years, and if you weren't so stubborn you'd realize it was obviously given as an example! I even stated "example" for the link!

I could post the hundreds that have been discovered over the years but that isn't necessary to prove the point!

Known vulnerabilities get patched, but there are always new ones! Security is a never-ending endeavor!

All it takes is for the malware makers to discover the vulnerability first and take advantage of it before it can be patched!

Never mind you should never underestimate how easy it is to trick people into bypassing security. Even those who know better can never say they never made a mistake.

 

"Show me real-world hurt. show me something equivalent to the windows exploits that went unpatched for two years.

Thanks."

This is like saying prove to you that you can be mugged if you've never been mugged before. OSX users believed the same thing before more and more attacks finally drove the point home that no OS is immune to malware.

There were times that there have been very serious security breaches discovered, fortunately those vulnerabilities were discovered before anyone could exploit them but even then it's a fact malware exists for Linux.

Just because it's not as constant or as massive a threat as on other platforms doesn't mean you should just ignore it.

And not all vulnerabilities have been dealt with quickly, an example, http://it.slashdot.org/story/11/06/20/2257229/13-year-old-password-security-bug-fixed

 

Along with other examples,

http://www.theregister.co.uk/2009/08/14/critical_linux_bug/

http://www.networkworld.com/community/blog/linux-finally-fixes-six-year-old-critical-bug

 

The point being to address your desire for examples, Linux may have had to deal with a lot less threats but it has never been perfect.

Like other platforms, things have improved over the years but progress isn't always linear!

Meanwhile, cross-platform threats are increasing, and that's a concern for users of all OS platforms.

 

Only thing we can be sure of is eventually everything changes.

Trust is fine to a point, but it's better to be careful regardless of how good security may or may not be.

  • | Post Points: 35
Top 10 Contributor
Posts 5,053
Points 60,700
Joined: May 2008
Location: U.S.
Moderator
3vi1 replied on Sun, Sep 2 2012 10:11 AM

>> "All of your comments were cut off, to the right."

>>You need a better browser then! I'm not having that issue...

Actually, you are. I just checked it with IE on Windows 8, and they're just as cut off as they were in Chrome on Linux: http://img145.imageshack.us/img145/1617/win8snapshot3runningora.png

Also, you have huge spacing issues in your latest reply, which I'll respond to as soon as I get a chance to read that tome.

What part of "Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn" don't you understand?

++++++++++++[>++++>+++++++++>+++>+<<<<-]>+++.>++++++++++.-------------.+++.>---.>--.

  • | Post Points: 20
Top 10 Contributor
Posts 5,053
Points 60,700
Joined: May 2008
Location: U.S.
Moderator
3vi1 replied on Sun, Sep 2 2012 10:50 AM

>> And not all vulnerabilities have been dealt with quickly, an example,

>> http://it.slashdot.org/story/11/06/20/2257229/13-year-old-password-security-bug-fixed

Okay, say you're in a foreign country with a weird keyboard and therefore you use 8-bit characters in your password, and apparently you have the one sysadmin in the world that's changed the default algorithm to blowfish. This issue would have... ignored a couple of characters in the password and made it therefore slightly less secure. If I were to bet my house on the number of exploits using this bug over the years, I'd go with zero.

The beauty of Linux is that this could be fixed the instant it was first found. There are a lot more white-hats like this guy finding the exploits and fixing them than there are black-hats looking for them.

>>http://www.theregister.co.uk/2009/08/14/critical_linux_bug/

That's actually a good example! And you only had to go back 3 years to find it. And, it was fixed the instant it was found - no known exploits ever appeared in the wild.

>> http://www.networkworld.com/community/blog/linux-finally-fixes-six-year-old-critical-bug

So you're telling me that if I run a particularly crafted GUI app, it could have done bad things? Why am I running this app again? If you tricked me into running it, why doesn't it just ask me for the root password? Again... fixed without any known exploits ever appearing in the wild.

These examples don't exactly make me fear for the security of my Linux systems.

What part of "Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn" don't you understand?

++++++++++++[>++++>+++++++++>+++>+<<<<-]>+++.>++++++++++.-------------.+++.>---.>--.

  • | Post Points: 20
Top 10 Contributor
Posts 5,053
Points 60,700
Joined: May 2008
Location: U.S.
Moderator
3vi1 replied on Sun, Sep 2 2012 10:53 AM

Wow... I just noticed something: ImageShack must OCR all their images (unless Shutter did it automagically when I uploaded it)... it put text from the titlebar in the image as the image name.

What part of "Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn" don't you understand?

++++++++++++[>++++>+++++++++>+++>+<<<<-]>+++.>++++++++++.-------------.+++.>---.>--.

  • | Post Points: 5
Top 500 Contributor
Posts 309
Points 2,695
Joined: Aug 2010
JDiaz replied on Sun, Sep 2 2012 4:32 PM

"Actually, you are. I just checked it with IE on Windows 8, and they're just as cut off as they were in Chrome on Linux"

Interesting but it's just you as I'm not having that issue with any of my computers and I tried Chrome, IE, and FF.

  • | Post Points: 5
Top 500 Contributor
Posts 309
Points 2,695
Joined: Aug 2010
JDiaz replied on Sun, Sep 2 2012 4:47 PM

"The beauty of Linux is that this could be fixed the instant it was first found. There are a lot more white-hats like this guy finding the exploits and fixing them than there are black-hats looking for them."

Yes, it can be fixed fast but don't say instantly and don't assume all bugs and vulnerabilities can be easily fixed. Some do take time, while again it only helps if they know about it!

If the malware makers find it first then it's a different story!

While it also wouldn't change the probability of user error!

"That's actually a good example! And you only had to go back 3 years to find it. And, it was fixed the instant it was found - no known exploits ever appeared in the wild."

Again, just one of many. Stop trying to play it down!

And no, it wasn't fixed instantly!

It was part of security research and they had to figure out the various ways it could be used first!

While it doesn't change that it took years to fix!

If they hadn't known about it then it could have taken more years to fix!

All of which could have given malware makers lots of time to exploit users!

"So you're telling me that if I run a particularly crafted GUI app, it could have done bad things? Why am I running this app again? If you tricked me into running it, why doesn't it just ask me for the root password? Again... fixed without any know exploits ever appearing in the wild."

Not all exploits need you to knowingly give up root; keyloggers and such can just steal it.

While if they did have an exploit then they can modify the trojan to act more like a virus.

That is what happened with the OSX botnet that infected over 600,000 Macs.

And that wasn't even that sophisticated of an attack.

Point is it's possible, I'm not saying you need to be in a panic just be careful.

Really, no system is impervious so being careful is just common sense!

What's safe one day might not be tomorrow.

So again, better to be a little paranoid than sorry later.

It's not about having to live in fear, it's about being sensibly cautious!

  • | Post Points: 20