Bot attacks Linux and Mac but can't lock down its booty

From the department of cosmic justice comes this gem, spotted by researchers from Symantec: a trojan that targets Windows, Mac, and Linux computers contains gaping security vulnerabilities that allow rival criminal gangs to commandeer the infected machines. Known as Trojan.Jnanabot, or alternately as OSX/Koobface.A or trojan. …

COMMENTS



    1. Chemist

      "..that Linux users never reboot their machines.."

      Oh really. I leave my ultra-low power fileserver on all the time. But if I left the other 6 on I'd pay a fortune for electricity. As someone said, it's hardly likely the fileserver is going to go off browsing on its own.

  1. twunt

    Percentages? What about the numbers

    According to the link below these figures are based on less than 50 known infections.

    http://www.symantec.com/security_response/writeup.jsp?docid=2010-102616-4246-99

    So we are looking at probably 9 or 10 known OSX infections at most.

  2. amanfromMars 1

    Shhh .... Not a Word to a Soul now. This is AI State Secret

    "Now, Symantec researchers have uncovered weaknesses in the bot's peer-to-peer functionality that allow rival criminals to remotely steal or plant files on the victim's hard drive. That means the unknown gang that took the trouble to spread the infection in the first place risks having their botnet stolen from under their noses."

    It is not a weakness, it is a SMARTer Network Facility and Virtual Utility. The status quo and establishment markets might think drivers are all about selfish, exclusive competition for advantageous leading position, whereas others may practise and provide selfless, stealthy cooperation for greater mutual benefit.

    And you do yourselves a grave disservice to not realise that what is being recoded/hacked and cracked wide open for new transparent servering of SMARTer IntelAIgent Services, are not just Open Source and proprietary Operating Systems, but rather more the Global Internetworking Grid with its Intranets and Extranets exchanging soft pawn information and hard core intelligence across World Wide Web Infrastructure Models.

    The Enemy of Ideas thinks Foe, whereas Masters of the Genre think Friends .... which is what Semantic Web dDevelopment in NEUKlearer HyperRadioProActive IT is into in the Bigger Picture Show which hosts Truly Great Game Players ..... which might be an Alien Concept to Many but Perfectly Normal to More than just a Few, and increasing in number with the betaTesting and Passing of every ZerodDay.

  3. Ole Juul
    FAIL

    Why is Linux mentioned?

    I must be blind, but I don't see Linux on the chart and it just seems to be added to the list of operating systems as an afterthought.

  4. N2

    Yet another reason

    To avoid Facefuck

  5. Sharpy86
    Stop

    Not surprised

    I am not surprised Mac users would get a higher infection rate. Mac users are told over and over that Macs CAN'T get a virus. Those of us in tech circles know this isn't true, but the average Joe has to go by what they are told. They are told Macs are safe, so they buy a Mac and are misled into believing they can click on anything and have no risk of getting infected, so they do. The same goes for a lot of Linux users, to be honest. That being said, Linux tends to be more robust and a lot harder to infect properly, but it is still possible. The rules of being careful what you click on still apply.

  6. LawLessLessLaw
    Boffin

    Lunix

    Getting Java running is hard enough!!

    1. Greg J Preece
      FAIL

      Are you high?

      Just picking a common distro - Ubuntu, for example - how the hell is it hard to run Java? The open JRE is installed by default, and getting the Oracle binaries running is as hard as enabling the partner repo and typing:

      sudo apt-get install sun-java6-jre

      Yet more anti-Tux FUD.

      1. Doug Glass
        Go

        Oh Yeah!

        You expect Grandma to do that?

        1. Greg J Preece

          OK, use KPackagekit

          That's got a GUI, you can just click on it, if it wasn't already installed by default. Or did you miss that bit?

          This is obviously so much harder than the Windows way - go to Oracle's site, find the right package for your operating system and architecture, download, install, put up with yet another update program.

  7. Anonymous Coward
    Anonymous Coward

    My Mac won't get a virus...

    Because it has anti-virus.

  8. Bear Features
    WTF?

    but... but

    I thought Macs just can't get a virus because they're magic?

  9. Citizen99
    Linux

    A Linux client viewpoint

    "But it's a well-known fact that Linux users never reboot their machines - which gives this crap a lot of time for acting out its nefarious duties."

    "fact" ? "never" ? ;-) I would have thought that this is more likely to apply to server type users, which according to some posts above are less susceptible targets. For what it's worth I always close down overnight.

    Lots of useful points in the thread anyway - I'm grateful for the pointer to NoScript :-) .

  10. Anonymous Coward
    Anonymous Coward

    I just have a simple question..

    I use all 3 main platforms (OSX 10.6 on Mac; Linux in whatever form: Debian, Ubuntu, CentOS; Windows, although less and less), and there is one little nagging question:

    How do I (or anyone else) know that OSX and Linux are infection free? With Windows you have an enormous collection of software that checks; for the other platforms there isn't that much (I think Kaspersky does something for Mac), so you can't actually base a "free from infection" statement on any proof other than 3rd party observation.

    1. copsewood
      Boffin

      On trusting trust

      You can't be sure any complex system built upon trust in multiple layers of previous systems is infection or malware free. The only way you could really guarantee this would be by not going beyond early 1950s technology, the point at which this ceased to be capable of being fully verified by a single engineer.

      All the antivirus programs tell you is that they don't detect anything they _currently know_ about. For an interesting and classic perspective on this, read Ken Thompson's paper, "On Trusting Trust": http://cm.bell-labs.com/who/ken/trust.html .

    2. Sharpy86
      Linux

      Eset have some offerings

      At the moment Eset are doing free Beta software for Linux. I believe it will be paid for after release, but it seems to work from the testing I did on an Ubuntu-based system. It can be downloaded from http://beta.eset.com/linux

      They also do Mac software which you could use a trial of to check, but after 30 days again it's paid-for software.

      I think a few other AV companies do Linux/Mac software but as much as I like the idea of ClamAV it isn't very effective according to reviews and AV tests.

    3. Graham Anderson
      Jobs Halo

      Clam X AV free anti-virus for Mac

      Clam AV has a version available for free for Mac OS X. As you mentioned, there are paid products such as Kaspersky out there if you don't trust the open source freebie. The core Clam software is used in a number of server based anti-virus solutions and usually holds its own against paid packages.

      Clam is included as standard in Mac OS X Server editions.

      http://www.clamxav.com/

    4. Ubuntu Is a Better Slide Rule
      Stop

      @Linux infection check

      As competent Linux admins never have to deal with rootkits, there are no ready-made tools. But a good Linux admin or security consultant would simply:

      1.) Mount a suspicious Linux disk in a diagnostic machine, but do not boot from it or run programs from the suspicious disk. That's what experts also do with Windows disks, btw.

      2.) Do md5 sums of all executables and executable library files. Maybe also standard config files.

      3.) Compare these md5s against a known good Linux disk of the same OS version and patch state.

      4.) Maybe write a script which will download RPMs from e.g. http://rhn.redhat.com/errata/RHBA-2002-055.html , unpack the RPMs and calculate md5s to compare with 2.)

      5.) write a tiny script to list all scripts on the system and look at them. If they have not been tweaked (only the case for complex servers), just compare md5 against the package source (as in 4.))

      The places where a virus could still, theoretically (!!) hide are

      A) application files of applications which have a zero-day hole (PDFs / Acrobat Reader for example). But these would be user-level only, no full pwning.

      B) in a file-system-based exploit directly hiding in file system structures. I have never heard of that kind of exploit on any operating system.

      I suggest everybody uses their brain and uninstalls Java, Acrobat Reader and Flash. And/or use a different, non-privileged user to view YouTube and the porn sites. That works for Windows, Linux and MacOS. NoScript does not hurt either.

      1. Anonymous Coward
        Anonymous Coward

        re: no ready-made tools

        Funny thing that, because when I type "rootkit" in Synaptic it offers three tools in the standard repositories: chkrootkit, rkhunter & unhide. Google/Wikipedia suggests that Zeppoo and OSSEC will do the job too, I expect there are others.

      2. Renato
        Big Brother

        @Ubuntu Is a Better Slide Rule

        and on

        C) on a hypervisor <http://theinvisiblethings.blogspot.com/2006/06/introducing-blue-pill.html>;

        D) on firmware <http://www.phrack.com/issues.html?issue=65&id=7> and <http://www.phrack.com/issues.html?issue=66&id=11> for starters;

        E) on CPU microcode.

        Anywhere else I forgot?

        Ahh, the low level stuff... Being wonderful as ever.

    5. Anonymous Coward
      Anonymous Coward

      Java-based malware is not the point of the story

      I would advise adding BetterPrivacy on top of NoScript. There are things such as tripwire for sanity checks on the system -- some OSes have signatures attached to all system binaries -- but that will not usually detect infected home accounts.

      The MyOS-versus-YourOS hysteria aside, Java-based malware is not new and not the point of the story.

    6. John I'm only dancing

      Also available for the Mac

      Sophos: http://www.sophos.com/products/free-tools/free-mac-anti-virus/

    7. kirovs
      Thumb Down

      Network activity

      One can see where DDOS attacks come from or what machine is "calling home". Duuh!

  11. Spicy McMarsbar
    Linux

    No need for AV on Linux

    AV software is *always* playing catchup with the bad guys, it just can't be trusted.

    Install AIDE or Tripwire. Set up a simple script to check for system changes before applying any updates; if any startup scripts have changed you can manually check them and remove any viral additions - seeeemplez.
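An added example (editor's, not from any poster in this thread) of the offline comparison described in comments 4 and 11 above: hash the executables and shared libraries under a mounted disk, then diff that manifest against one taken from a known-good install of the same version and patch level, reporting what changed, what appeared and what vanished. Assumed: the caller supplies the mount point of the suspect disk and the baseline tree; the two trees that demo() builds are constructed sample data, not real disks.

```python
import hashlib
import os
import stat
import tempfile

def is_candidate(path):
    """Regular file with an execute bit, or a shared library (a 'so' part in its name)."""
    st = os.lstat(path)
    exe = st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
    lib = "so" in os.path.basename(path).split(".")[1:]
    return stat.S_ISREG(st.st_mode) and bool(exe or lib)

def digest(path, algo="sha256"):
    """Chunked hash; sha256 by default, md5 as in the thread is accepted but collision-prone."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root, algo="sha256"):
    """Relative path -> digest for every candidate binary under root (symlinks skipped)."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):  # does not follow symlinked dirs
        for name in filenames:
            full = os.path.join(dirpath, name)
            if not os.path.islink(full) and is_candidate(full):
                manifest[os.path.relpath(full, root)] = digest(full, algo)
    return manifest

def compare(baseline, suspect):
    """Return (modified, added, missing) as sorted lists of relative paths."""
    modified = sorted(p for p in baseline if p in suspect and baseline[p] != suspect[p])
    added = sorted(p for p in suspect if p not in baseline)
    missing = sorted(p for p in baseline if p not in suspect)
    return modified, added, missing

def _write(root, rel, data, mode=0o755):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f: f.write(data)
    os.chmod(full, mode)

def demo():
    """Constructed sample trees (not real disks): a known-good tree and a tampered copy."""
    with tempfile.TemporaryDirectory() as tmp:
        good, bad = os.path.join(tmp, "good"), os.path.join(tmp, "suspect")
        for root in (good, bad):
            _write(root, "bin/ls", b"\x7fELF sample ls\n")
            _write(root, "lib/libc.so.6", b"\x7fELF sample libc\n", 0o644)  # Debian-style 644 lib
            _write(root, "etc/motd", b"welcome\n", 0o644)  # plain data: not hashed
        _write(bad, "bin/ls", b"\x7fELF tampered ls\n")             # modified
        _write(bad, "usr/local/bin/.extra", b"#!/bin/sh\n")         # added
        os.remove(os.path.join(bad, "lib/libc.so.6"))               # missing
        return compare(build_manifest(good), build_manifest(bad))
```

Run build_manifest() once on a clean install to save the baseline, and again on the read-only mounted suspect disk; anything in the "added" list that lives under a system path, or any "modified" entry, is what the manual review in comment 11 should start with.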

  12. Evil
    Thumb Down

    It asks you to install from the web browser.

    #1) If this is the boonana variant that I think it is (which seems to be the case from the name), this is old news. Seriously - this was reported elsewhere with a video in October of last year. Google it.

    #2) It asks you to install, and you have to click through multiple warnings/certs, FROM YOUR WEB BROWSER. Show me anyone on Linux that would fall for that, and I'll show you someone that's not been using Linux for more than a few days (hint to Win users: You don't install anything on Linux directly from within the web browser - excepting FF/chrome plugins which you specifically have to ask to install).

    1. Anonymous Coward
      Anonymous Coward

      re: This is old news

      Maybe you missed the bit that said "the bot made waves in October". The /news/ is that the trojan has a vulnerability.

  13. Ubuntu Is a Better Slide Rule
    Go

    The Big Linux Insecticide

    Are of course Linux Security Modules: SELinux and AppArmor.

    Even a completely broken browser would be contained by LSM. Windows only has Sandboxie, which is a strange, third-party tool.

  14. Neil Gardner
    FAIL

    Market Share

    If Mac and Linux viruses didn't exist, Symantec would have to invent them... If you don't pay your antivirus tax, Symantec et al. won't be able to invest in new security software... Never experienced a virus on Mac or Linux in 5 years of intensive Internet use...

    1. No, I will not fix your computer
      Thumb Up

      Gosh

      >>Never experienced a virus on Mac or Linux in 5 years of intensive Internet use

      Haven't had a virus since my Amiga, I've installed and used DOS/Win3.0/3.1/95/98/NT/XP/2K/2K3/2K8/Vista/7/Slackware/Debian/RedHat/Ubuntu/OSX/DRSNX SVR4/Solaris2.3/2.4/2.5/6/7/8/9/10/AIX5.2/5.3/6/HPUX10/11

      Good practices (using trusted sources, clean builds, firewalls, min privs etc.) mean you *shouldn't* need virus protection, but remember where words like "rootkit" come from - it didn't start as a Windows term; complacency is just as dangerous as ignorance.

      These days I have a VM for surfing and email; when I've finished using it I roll it back to the original state, apply patches and updates and do another clean snapshot. If I ever did get a virus, chances are I'd never know and it would evaporate in the rollback.

      1. Anonymous Coward
        Terminator

        Re: Gosh

        "These days I have a VM for surfing and email, when I've finished using it I roll it back to the original state, apply patches and updates and do another clean snapshot"

        That's a nice idea, but a massively over-engineered one I can't help but feel. Are you suggesting that you really need all those added layers of protection before you're comfortable to check your emails? You must never get any work done.

        Also kinda weird when you consider that emails get shat out onto the web pretty much unprotected. It's amazing that people trust them at all.

        1. No, I will not fix your computer
          Thumb Up

          Re: Re: Gosh

          >>That's a nice idea, but a massively over-engineered one I can't help but feel. Are you suggesting that you really need all those added layers of protection before you're comfortable to check your emails? You must never get any work done.

          It works for me. I have three icons: StartVM, SaveVM, RollbackVM. When I shut down the host PC the guest is automatically rolled back (unless I have done a SaveVM before shutdown); the VM starts nearly as quickly as IE used to; filesystem space is cheap. If you think of the guest OS as merely an application in a sandbox then it makes sense. Also, if you want to try out a new app/plugin/patch it's really easy to undo with a rollback (great when the uninstall doesn't).

          To be fair, my machine is dual quad 3.33 GHz with 24 GB so I can run a few VMs at the same time with no real problem, but the more procs and power we have, the more that this is practical.

  15. doperative
    Linux

    Java-based malware

    Point me to a link where my computer can get infected by this java-based malware, without any user action apart from clicking on a URL or opening an email attachment.

  16. Matthew Collier
    Linux

    AppAmour

    As has been said, but it's worth pointing out, anyone on a Debian-based Linux distro can use AppAmour. (K)Ubuntu comes out of the box with it installed, and profiles already created for the common Internet facing applications.

    You can lock these down further, which I would do for Firefox (or any other web browser you might be using).

    Of course, if you're this paranoid (nothing wrong with that! ;) ), then you'll probably be using NoScript, so the Java won't run yet anyway, and you'd also probably spot the oddity of why it wants to run a JAR in the first place...

    Simples.

    1. Ubuntu Is a Better Slide Rule
      Paris Hilton

      AppARmor

      Yeah, AppAmour would sound a bit more romantic :-)

      She knows a lot about romantic situations...

  17. Anonymous Coward
    WTF?

    An invisible folder?

    Oh, you mean it has a dot at the start of the filename. Wow, that's like totally l337 dude! That'll fool 'em!

    I remember that HP-UX 9 allowed actual invisible folders (chmod +H or something) but I think that functionality got dumped once they realised what a security risk it was. Linux certainly doesn't have that sort of functionality, or at least nothing that could be accessed from within a JRE running as a normal user.

  18. Anonymous Coward
    Happy

    Popping the last pill

    As you are on my Register comments list, I thought I would let you know I have decided to end my life.

    :D

    I don't mind them plastering my FB account with something like this. It would amuse all my friends.

  19. Rhod
    FAIL

    the botnet is itself vulnerable?

    So therefore why does it still exist? If the article is to be believed it should be relatively easy to install software remotely onto these machines. So why is the software being installed remotely not anti-virus and anti-spyware which should solve the problem for good, or at least a removal tool which patches the vulnerability and removes the virus/spyware once done?

    No, let's just study it and watch it continue to proliferate around the internet. That'll be far more rewarding.

  20. Rhod

    Thanks for the e-mail Dan...

    You provide me with a suitable salary, or point me at some reasonable form of research grant funding ending in a Ph.D. and I'll happily follow through and "do the above".

    Surely that's what Dan Turner should be funding or what Billy Rios should be aiming for as the result of his research. But no, actually it would do the likes of Symantec and McAfee the world of harm to actually take out the botnets as, your article proves, they are perfectly capable of doing. Clean up all the botnets, securing the machines behind them, and they could effectively reduce spam to close to nothing (compared to current levels). But that wouldn't be in their interests as it'd reduce the sales of their software, or in Billy Rios' case cut off the source of his funding.

    It's a case of don't kill the Goose that's laying the Golden Egg, isn't it?

  21. Anonymous Coward
    Stop

    JAVA from the web ?

    You have to be kidding me ?

    If I need to run a JAVA app, it's run in VBOX.
