Bot attacks Linux and Mac but can't lock down its booty

From the department of cosmic justice comes this gem, spotted by researchers from Symantec: a trojan that targets Windows, Mac, and Linux computers contains gaping security vulnerabilities that allow rival criminal gangs to commandeer the infected machines. Known as Trojan.Jnanabot, or alternately as OSX/Koobface.A or trojan. …

COMMENTS

  1. James 12
    Flame

    WOW

    That's more Mac OSX infections than Windows 7 infections

    1. Volker Hett

      Does Win7 come with a JRE by default?

      You have to have something to run the jar file.

    2. Mark 65

      @James 12

      But not more infections than Windows infections. I'm assuming OSX Other includes Snow Leopard - the latest 10.6 version. The versions shown are the previous two releases (much like XP and Vista).

      1. Anonymous Coward

        Sadly inevitable.

        Consider how many Windows versus Macs there are out there. This was always likely to be the case.

        The massive XP figures shouldn't be a surprise either.

        It's a ten year old OS that didn't have great security to begin with. Combine this with a massive footprint of home and small businesses who buy a PC and allow their free 3 months McAfee etc expire and think they're safe.

        Worryingly, a similar lax attitude to AV is very common amongst Mac users too. As virii on Mac get more common, many of the mac community really need to grow a little healthy cynicism.

    3. Anonymous Coward
      Pint

      The fanbois don't need this sort of stirring-up first thing in the morning!

      Technically yes, but if you compare OSX (16%) to Windows, as a whole, the ratio changes somewhat.

      If you'll pardon the expression, let's compare Apples to Apples, eh?

      After all the bluster about cross-platform infection, where's Linux in this little chart?

      1. Woodgar

        RE: The fanbois don't need this sort of stirring-up first thing in the morning!

        "After all the bluster about cross-platform infection, where's Linux in this little chart?"

        From the article...

        They didn't show any infections on Linux machines. Turner said that Jnanabot attacks on the open source platform weren't able to survive a reboot.

        1. A. Nervosa

          But...

          All the Linux fanbois I know continually bang on about never needing to reboot their Linux boxes, to the extent that most of them go out of their way to avoid doing so out of sheer bloody-mindedness.

          I'd say that makes the Linux infections a little more relevant.

          1. Greg J Preece

            As a Linux user...

            "All the Linux fanbois I know continually bang on about never needing to reboot their Linux boxes, to the extent that most of them go out of their way to avoid doing so out of sheer bloody-mindedness."

            We use Linux on the majority of our machines here, but we still turn them off when we go home at night. We're not thick - electricity costs money, and business like money.

            "I'd say that makes the Linux infections a little more relevant."

            And yet again you miss the point that they were unable to find any. Maybe Linux users were savvy enough not to get infected, maybe a reboot got rid of it, but either way there were no infections to display, so they can't display them.

            1. Evil

              We don't get bit because...

              Linux users don't get bit because we're not stupid enough to believe a "You must install this codec" message given to us by the web browser, nor click through the untrusted cert warnings that come after it.

              1. JEDIDIAH
                Linux

                Don't lick the sidewalks. Don't let your browser do it for you.

                > Linux users don't get bit because we're not stupid

                > enough to believe a "You must install this codec"

                > message given to us by the web browser

                Or perhaps we're all just terribly paranoid and prone to run things like no-script that may bypass stuff like this entirely.

                1. Anonymous Coward
                  Megaphone

                  And not daft enough...

                  to fall for that sort of blatantly bollocks Arsebook link anyway.

            2. A. Nervosa
              FAIL

              @GJP

              I didn't say "recorded" infections, although perhaps I should have said "potential infections" to help your brain process the possibility of future events. See, it's called irony. Irony is when, for example, a trojan has a major weakness such as not being able to survive a reboot, yet the impact of that potential weakness is reduced due to certain penguin-heads' propensity for continually demonstrating that their Linux boxes almost never need rebooting. Irony, the point you clearly missed in my post.

              Sheesh.

          2. jcipale
            Jobs Horns

            Steve! Leave!

            Dammit Ballmer, get out of here and go play with your broken windoze.

        2. The Commenter formally known as Matt
          Black Helicopters

          Linux reboot

          but surely you only reboot linux to install hardware? ::confused::

          1. vic 4
            Thumb Down

            or update the kernel or ...

            maybe just finished using the computer and don't like wasting money on electricity or using the world's resources needlessly.

    4. Ammaross Danan
      Paris Hilton

      Title

      One must remember, these figures are from Symantec, and thus, it means that this distribution is based on THEIR software DETECTING the infection on the computer. So, only people who have Symantec installed (and have their phone-home-stats bit being allowed...) are in the mashup. Now, considering the number of OSX users running Symantec AV, having 16% of infections is a VERY concerning thing. If the virus survived a Linux reboot, I'd express the same concerns with their (non-)figures. Not that they'd stray from their ClamAV or the like anyway...

      It is striking that only 7% of Vista/Win7 machines were infected though. I guess the numpties haven't bothered buying a new computer in a while. How many unwashed mass members do you know that would be bothered to buy Win7 and install it on their current computer anyway?

      /paris, because even for the elites, protection is needed

  2. Anonymous Coward
    Stop

    I love ...

    The reek of bullshit in the morning.

    1. Doug Glass
      Go

      Carry on ...

      ... Lieutenant Colonel Kilgore.

  3. Renato
    Gates Horns

    Windows XP other

    That means Windows Embedded Standard (aka XP Embedded) used on point-of-sale terminals and bank ATMs?

    Interesting...

    1. streaky

      Probably...

      MCE and shiz, just a guess, looking at the numbers. That and the Oyster Card top up jobs they have on the DLR. Way too easy to play with the OS on those.

    2. TeeCee Gold badge
      Stop

      Re: Windows XP other

      Enterprise edition? I'm guessing bent copies rather than actual corporate installations though.

      64-bit? Also quite likely.

      I think we can probably come up with enough others in the mystifying firmament of MS OS versions to account for the size of this group without having to resort to embedded. The missing bit of information is how they are identifying the version.

    3. Anonymous Coward

      Err...

      XPe isn't used on ATMs, not proper ones owned by banks, at least. Bank ATMs use XP pro or are starting to use Vista.

      1. Steve Foster

        @AC

        "Bank ATMs use NT4 or are starting to use Windows 2000."

        There, fixed it for you...

        <eg>

        1. Anonymous Coward

          @Steve Foster

          Ok, I'll rephrase that: The bank I work for, which has one of the largest ATM networks in Europe, no longer uses NT4 or W2K; instead they use XP Pro and are starting to move onto Vista.

          I'm not aware that any bank runs key, customer facing, systems on NT4 - MS won't even let you pay for support any more.

          1. YARR
            WTF?

            eComStation ?

            Guess I must be behind the times, as I thought most ATMs used eComStation. Why would a bank risk using the most hacked OS of them all for an application where security is paramount?

            1. Graham Dawson Silver badge

              @YARR

              Easy - they're stupid. No quibbling, banking corporations are thick as custard. You only have to look around the world today to see just how stupid banks can be.

    4. M man

      yeah

      cos i alway check my facebook on my ATM

  4. Quxy
    FAIL

    Bullshit?

    Nothing suspicious about the reported results. The Windows/OSX breakdown seems to roughly match the installed base of those machines; and I think that everybody would be surprised if Jnanabot was able to permanently install itself on a Linux machine via an ordinary user account.

    1. Anonymous Coward
      FAIL

      It's pretty easy

      Actually, if something is running within a user process, it would be pretty easy to put something in the .bashrc script. (And when's the last time you checked that?)

      Admittedly, this means it only starts when the user logs in, but as this obviously only affects desktop machines (you have to browse and run a JAR file), it's pretty much the equivalent.

      It won't affect server machines, unless you let your users browse on them, but it won't affect Windows server machines for the same reason either.

      1. Peter Gathercole Silver badge

        ...and more

        There are many more places than just the .bashrc (assuming you're using bash, of course; I prefer the AT&T software toolbox ksh myself). Both KDE and Gnome (and most other X11 window managers as well) have user startup directories and rc files to allow attacks on systems accessed with a GUI, and you would, of course, have the normal PATH and LD_LIBRARY_PATH attack vectors that could be used to subvert commands that people use all the time, and there are many more.

        Linux is not immune from attack, it's just that an attack needs to do more things to really pwn it. For instance, if a user has iptables configured to control inbound and outbound traffic on a Linux system (assuming that the user does not run everything as root), you would have to engage in tricking the user to sudo a command, or otherwise obtain escalated privileges to alter the configuration or turn it off, unlike most Windows systems.

        There is no such thing as a totally secure OS, it's just more difficult to mess with Linux.

        The OSX statistics in the article are a surprise, however.

        1. Robert E A Harvey

          re: The OSX statistics in the article are a surprise, however.

          I guess it's a more homogeneous ecosystem than linux

    2. Tim Bates

      Re: Bullplop?

      >and I think that everybody would be surprised

      >if Jnanabot was able to permanently install itself

      >on a Linux machine via an ordinary user account.

      You're assuming said user doesn't log on again after a reboot - nothing would stop malware from adding itself to the user account. It's what all the cool kids are doing to avoid UAC on Windows now anyway.

    3. Raumkraut
      Linux

      No one is safe

      Of course it could get permanent residence on a Linux box, you don't have to be root to install software to your home directory, for example. Granted though, it would be practically impossible to hide it, except in plain sight.

      I think the real reason that it doesn't survive a restart is that the writers really don't care about infecting Linux as a desktop platform, given the (lack of) market share.

  5. Tim99 Silver badge

    @WOW

    "That's more Mac OSX infections than Windows 7 infections"

    No, not really - OS X 10.4 was out at the same time as XP and 10.5 was out just before Vista. If you ratio them out they correspond roughly to their user bases. The user ratio of the current version of OS X (10.6) to previous versions is roughly 2:1 - So it would seem that the main lesson we learn is "Old versions of both OSs are more vulnerable than newer ones".

    As an aside, when I teach people to use OS X, I recommend that they turn Java off in Safari - They almost never seem to need it...

    1. Anonymous Coward
      Thumb Down

      @Tim99

      >No, not really - OS X 10.4 was out at the same time as XP and 10.5 was out just before Vista

      Really? XP was released in 2001, OSX 10.4 came out in 2005. Even the steaming turd that was OSX 10.0 didn't get released until several months after XP hit the streets....

      1. Tim99 Silver badge
        Stop

        @AC

        Sorry, I did not make myself clear to you. I wrote that OS X 10.4 was out at the same time as XP - I did not say when they came out, or which came out first. The timeline is:

        Mac OS X Server 1.0 in Jan 1999; 10.0 Desktop (not really usable) Mar 2001; OS X 10.1 (free upgrade from 10) Sept 2001; 10.2 (paid upgrade) Aug 2002; 10.3 (paid upgrade) Oct 2003; and, as you say, 10.4 April 2005; 10.5 came out in October 2007 and 10.6 in Aug 2009.

        Windows XP RTM - August 24, 2001; XP Retail: October 25, 2001 (I was a Microsoft DAAP and Developer, so I got mine early); XP SP1 (free upgrade) Sept 2002; XP SP2 (free upgrade) Aug 2004.

        Windows 2000 Retail: 17 February 2000 (Again I got mine early - We were shipping products that ran on NT 3.51 & NT 4.0).

        So we are talking about a few weeks difference between when a punter could buy usable versions of XP and OS X. Vista RTM November 8, 2006; Retail: January 30, 2007

      2. maclovinz
        Happy

        @AC: 10.0 vs XP release

        10.0 was released (retail) BEFORE XP.

        XP was MS's RESPONSE to OS X, since they found out about it while it was in development.

        Just an FYI.

        1. JEDIDIAH
          Linux

          Silly Apple Narcissism

          > XP was MS's RESPONSE to OS X

          Nonsense. Finally ditching the rotten undercarriage of MS-DOS made moving to an NT kernel for the "consumer" version of Windows PAINFULLY OBVIOUS. Serious power users had already ditched DOS based Windows for NT of some sort by that time already.

          NT was lingering around since before the transition from 16-bit Windows.

    2. John I'm only dancing

      What's Safari

      I have a Mac and I never use it.

  6. WonkoTheSane
    FAIL

    No Facebook, no infection.

    That is all.

    1. Anonymous Coward
      Paris Hilton

      Yep, agreed. Let's 'root' this problem

      ...if we can cast aside 'mine's tougher than yours' and any other technical squabbling for a moment here, let's look at the real cause of infection.

      People.

      Attention starved, 'think later', bang-on-the-nose DESPERATE herds that will every time, without fail, 100% guaranteed, in spite of all warning click on / install / allow anything if they think someone is giving them said attention.

      I'm sure we can all think of at least a few folk that we could make do ANYTHING online at the vaguest whiff of 'someone fancying them' etc. They simply cannot control their base urges and this cack will continue to happen, irrespective of technical origin / platform impact ad infinitum. It's comically easy to engineer people, it takes almost no savvy at all. People can and will abandon all common sense at the behest of their ego.

      Paris, because she never hides her directories.

      1. Doug Glass
        Go

        And ...

        .. they call privacy old fashioned. But once their checking account is cleaned out because they can't resist using their debit card ("it's so easy and convenient") they sing a different tune. And also ask for help. Pathetic. I have no sympathy for them and just give them my assembled list of sites to visit to learn about security and privacy. Doesn't take; they get cleaned out again and change banks because the bank let it happen. Typical, blame others and always expect someone else to watch out for you. Suits me, flaming crashes get to be quite interesting and spontaneous human combustion of the tantrum variety gets to be funny rather quickly.

      2. Anonymous Coward
        Dead Vulture

        Yeah! That's it!

        If we get rid of all the PEOPLE, we can get rid of all the computer viruses!

        Why didn't I think of that before?!

  7. xxlyyk

    @Tim99

    I think @wow is referring more to the absolute percentages, 16% is more than 9%.

    What strikes me more is that given market share I would expect OSX to be infected something like 5-10% instead of 16%. Maybe that's to do with the fact that it is Java based, which is one of the plugins, pieces of software that I try to avoid most on a Windows machine.

    1. Tim99 Silver badge

      @xxlyyk

      Possibly. I don't think we can project too much from the original stats other than we should suggest that home users consider updating to newer versions of their operating systems (or new machines for Windows XP Home users).

      If we look at market share by OS type/version:

      http://marketshare.hitslink.com/operating-system-market-share.aspx?qprid=10

      The numbers for Windows Vista and 7 show a 9% infection rate for 33% distribution (good @ ~1/3 of expected infection). XP has 75% infection for 57% distribution (~1.3 times infection rate).

      "OS X Other" (Presumably OS 10.6 plus all previous versions of OS X other than 10.58 and 10.11.4) has 3% for Infection for 3% distribution (corresponding infection?). OS 10.5.6 has 9% Infection for 1.5% distribution rate (6 times infection rate) - OS 10.4.11 has 4% infection for 0.4% distribution rate (10 times infection rate).

      What I do find surprising is the number of XP Professional infections. Generally, we could think that XP Professional is managed by "professionals" whilst the perception is that OS X is often managed by "users". If the Windows XP "professionals" were doing their job properly, the rate of infection should be lower.

      If we believe Symantec (and I personally haven't used any of their products for the last 6 years), the original Windows versions of the Trojan.Jnanabot infection had 0-49 infections on October 26, 2010. The article says that the number of infections is now "in the thousands" (maybe 10,000?) so we are looking at maybe a few hundred Windows 7/Vista infections with a few more hundred OS X infections of which the substantial majority are on old systems.

      I help run (as a volunteer) classes for retirees. We use Windows XP, Vista & 7, OS X and Linux. We get pupils to set up separate 'admin' accounts and 'user' accounts for their systems. The advice that we give is "Only use the 'user' account for normal tasks - If you get a message asking you to install something, be suspicious."

      I note that the MacBook Air no longer ships with Java and that it now can be downloaded from Oracle - I, like you, try to avoid Java on client machines.

      So in conclusion: Unless we know the breakdown of "OS X Other", I might suspect that Symantec are trying to whip up interest in their Apple products to a growing Apple "Home User" market as their Windows Home market share is threatened by the free Microsoft Security Essentials product.

      1. John I'm only dancing

        Use Sophos

        It's far better. Symantec, I wouldn't have any of their worthless pile of [insert expletive of choice here] anywhere near my dog, let alone on any computer of mine.

  8. ratfox

    Mac infections

    It might well be that Mac users are less careful about what they click on... With some reasons. Though we can see that they should be careful too.

  9. Chemist

    Even using Linux exclusively..

    .. I don't browse without NoScript

  10. elderlybloke
    Linux

    I feel left out

    Nothing showing in the graph about Linux.

    Even though some sites show that there are about twice as many Linux machines operating as Apple/Mac.

    It is a puzzlement .

  11. Pascal Monett Silver badge

    Not able to survive a reboot ?

    But it's a well-known fact that Linux users never reboot their machines - which gives this crap a lot of time for acting out its nefarious duties.

    1. Chemist

      "..that Linux users never reboot their machines.."

      Oh really. I leave my ultra-low power fileserver on all the time. But if I left the other 6 on I'd pay a fortune for electricity. As someone said, it's hardly likely the fileserver is going to go off browsing on its own.

  12. twunt

    Percentages? What about the numbers

    According to the link below these figures are based on less than 50 known infections.

    http://www.symantec.com/security_response/writeup.jsp?docid=2010-102616-4246-99

    So we are looking at probably 9 or 10 known OSX infections at most.

  13. amanfromMars 1 Silver badge

    Shhh .... Not a Word to a Soul now. This is AI State Secret

    "Now, Symantec researchers have uncovered weaknesses in the bot's peer-to-peer functionality that allow rival criminals to remotely steal or plant files on the victim's hard drive. That means the unknown gang that took the trouble to spread the infection in the first place risks having their botnet stolen from under their noses."

    It is not a weakness, it is a SMARTer Network Facility and Virtual Utility. The status quo and establishment markets might think drivers are all about selfish, exclusive competition for advantageous leading position, whereas other may practise and provide selfless, stealthy cooperation for greater mutual benefit.

    And you do yourselves a grave disservice to not realise that what is being recoded/hacked and cracked wide open for new transparent servering of SMARTer IntelAIgent Services, are not just Open Source and proprietary Operating Systems, but rather more the Global Internetworking Grid with its Intranets and Extranets exchanging soft pawn information and hard core intelligence across World Wide Web Infrastructure Models.

    The Enemy of Ideas thinks Foe, whereas Masters of the Genre think Friends .... which is what Semantic Web dDevelopment in NEUKlearer HyperRadioProActive IT is into in the Bigger Picture Show which hosts Truly Great Game Players ..... which might be an Alien Concept to Many but Perfectly Normal to More than just a Few, and increasing in number with the betaTesting and Passing of every ZerodDay.

  14. Ole Juul
    FAIL

    Why is Linux mentioned?

    I must be blind, but I don't see Linux on the chart and it just seems to be added to the list of operating systems as an afterthought.

  15. N2

    Yet another reason

    To avoid Facefuck

  16. Sharpy86
    Stop

    Not surprised

    I am not surprised Mac users would get a higher infection rate. Mac users are told over and over that macs CAN'T get a virus. Us in tech circles know this isn't true but the average Joe has to use what they are told. They are told Macs are safe so they buy a mac and are misled into believing they can click on anything and have no risk of getting infected so they do. The same goes for a lot of Linux users to be honest, that being said Linux tends to be more robust and a lot harder to infect properly but it is still possible. The rules of being careful what you click on still apply.

  17. LawLessLessLaw
    Boffin

    Lunix

    Getting Java running is hard enough!!

    1. Greg J Preece
      FAIL

      Are you high?

      Just picking a common distro - Ubuntu, for example - how the hell is it hard to run Java? The open JRE is installed by default, and getting the Oracle binaries running is as hard as enabling the partner repo and typing:

      sudo apt-get install sun-java6-jre

      Yet more anti-Tux FUD.

      1. Doug Glass
        Go

        Oh Yeah!

        You expect Grandma to do that?

        1. Greg J Preece

          OK, use KPackagekit

          That's got a GUI, you can just click on it, if it wasn't already installed by default. Or did you miss that bit?

          This is obviously so much harder than the Windows way - go to Oracle's site, find the right package for your operating system and architecture, download, install, put up with yet another update program.

  18. Anonymous Coward

    My Mac won't get a virus...

    Because it has anti-virus.

  19. Bear Features
    WTF?

    but... but

    I thought Macs just can't get a virus because they're magic?

  20. Citizen99
    Linux

    A Linux client viewpoint

    "But it's a well-known fact that Linux users never reboot their machines - which gives this crap a lot of time for acting out its nefarious duties."

    "fact" ? "never" ? ;-) I would have thought that this is more likely to apply to server type users, which according to some posts above are less susceptible targets. For what it's worth I always close down overnight.

    Lots of useful points in the thread anyway - I'm grateful for the pointer to NoScript :-) .

  21. Anonymous Coward

    I just have a simple question..

    I use all 3 main platforms (OSX 10.6 on Mac, Linux in whatever form, Debian, Ubuntu, CentOS, Windows although less and less), and there is one little nagging question:

    How do I know (and anyone else) that OSX and Linux are infection free? With Windows you have an enormous collection of software that checks, for the other platforms there isn't that much (I think Kaspersky does something for Mac) so you can't actually base a "free from infection" statement on any proof other than 3rd party observation..

    1. copsewood
      Boffin

      On trusting trust

      You can't be sure any complex system built upon trust in multiple layers of previous systems is infection or malware free. The only way you could really guarantee this would be by not going beyond early 1950s technology, at the point this ceased to be capable of being fully verified by a single engineer.

      All the antivirus programs tell you is that they don't detect anything they _currently know_ about. For an interesting and classic perspective on this, read Ken Thompson's paper, "On Trusting Trust": http://cm.bell-labs.com/who/ken/trust.html .

    2. Sharpy86
      Linux

      Eset have some offerings

      At the moment Eset are doing free Beta software for Linux. I believe it will be paid for after release but it seems to work from the testing I did on an Ubuntu-based system. It can be downloaded from http://beta.eset.com/linux

      They also do Mac software which you could use a trial to check, but after 30 days again it's paid for software.

      I think a few other AV companies do Linux/Mac software but as much as I like the idea of ClamAV it isn't very effective according to reviews and AV tests.

    3. Graham Anderson
      Jobs Halo

      Clam X AV free anti-virus for Mac

      Clam AV has a version available for free for Mac OS X. As you mentioned, there are paid products such as Kaspersky out there if you don't trust the open source freebie. The core Clam software is used in a number of server based anti-virus solutions and usually holds its own against paid packages.

      Clam is included as standard in Mac OS X Server editions.

      http://www.clamxav.com/

    4. Ubuntu Is a Better Slide Rule
      Stop

      @Linux infection check

      As competent Linux admins never have to deal with rootkits, there are no ready-made tools. But a good Linux admin or security consultant would simply:

      1.) Mount a suspicious Linux disk in a diagnostic machine, but do not boot from it or run programs from the suspicious disk. That's what experts also do with Windows disks, btw.

      2.) Do md5 sums of all executables and executable library files. Maybe also standard config files.

      3.) Compare these md5s against a known good Linux disk of the same OS version and patch state.

      4.) Maybe write a script which will download RPMs from e.g.

      http://rhn.redhat.com/errata/RHBA-2002-055.html

      unpack RPMs and calculate md5s to compare with 2.)

      5.) write a tiny script to list all scripts on the system and look at them. If they have not been tweaked (only the case for complex servers), just compare md5 against the package source (as in 4.))

      The places where a virus could still, theoretically (!!) hide are

      A) application files of applications which have a zero-day hole (PDFs / Acrobat Reader for example). But these would be user-level only, no full pwning.

      B) in a file-system-based exploit directly hiding in file system structures. I have never heard of that kind of exploit on any operating system.

      I suggest everybody uses the brain and deinstalls Java, Acrobat Reader and Flash. And/or use a different, non-privileged user to view YouTube and the porn sites. That works for Windows, Linux and MacOS. NoScript does not hurt either.

      1. Anonymous Coward

        re: no ready-made tools

        Funny thing that, because when I type "rootkit" in Synaptic it offers three tools in the standard repositories: chkrootkit, rkhunter & unhide. Google/Wikipedia suggests that Zeppoo and OSSEC will do the job too, I expect there are others.

      2. Renato
        Big Brother

        @Ubuntu Is a Better Slide Rule

        and on

        C) on a hypervisor <http://theinvisiblethings.blogspot.com/2006/06/introducing-blue-pill.html>;

        D) on firmware <http://www.phrack.com/issues.html?issue=65&id=7> and <http://www.phrack.com/issues.html?issue=66&id=11> for starters;

        E) on CPU microcode.

        Anywhere else I forgot?

        Ahh, the low level stuff... Being wonderful as ever.

    5. Anonymous Coward

      Java-based malware is not the point of the story

      I would advise adding BetterPrivacy on top of NoScript. There are things such as tripwire for sanity checks on the system -- some OSes have signatures attached to all system binaries -- but that will not usually detect infected home accounts.

      The MyOS-versus-YourOS hysteria aside, Java-based malware is not new and not the point of the story.

    6. John I'm only dancing

      Also available for the Mac

      Sophos: http://www.sophos.com/products/free-tools/free-mac-anti-virus/

    7. kirovs
      Thumb Down

      Network activity

      One can see where DDOS attacks come from or what machine is "calling home". Duuh!

  22. Spicy McMarsbar
    Linux

    No need for AV on Linux

    AV software is *always* playing catchup with the bad guys, it just can't be trusted.

    Install AIDE or Tripwire. Set up a simple script to check for system changes before applying any updates; if any startup scripts have changed you can manually check them and remove any viral additions - seeeemplez.
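    An added example, written for this page and not code from any of the posters, from AIDE or from Tripwire: a small baseline-and-compare integrity checker in Python that implements the procedure in "Ubuntu Is a Better Slide Rule"'s post above (steps 2 and 3: hash the executables and config files on a known-good disk, later re-hash and diff) and the "check for system changes before applying updates" script suggested in this post. Because the replies about .bashrc, PATH and LD_LIBRARY_PATH point at user startup files as the place an unprivileged persistence would land, the checker also tracks dotfiles under home directories, not only files with the execute bit. The directory layout, file contents and tampering in `demo()` are constructed for the demonstration; sha256 is used rather than the md5 the post names, since md5 collisions are cheap to produce and an integrity baseline should not rely on it.

```python
"""Baseline-and-compare file integrity check (added example, not from the page).

Build a manifest {relative path: digest} of the files worth watching under a
root (executables plus dotfiles such as .bashrc), store it from a known-good
state, and later diff a fresh manifest against it to list what was added,
removed or changed. Everything in demo() is constructed sample data.
"""
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def hash_file(path, algo="sha256"):
    """Stream a file through hashlib so large binaries don't go into memory at once."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def is_tracked(path, include_dotfiles=True):
    """Track regular files that are executable, or dotfiles (rc/startup files)."""
    st = path.lstat()
    if not stat.S_ISREG(st.st_mode):      # skip symlinks, devices, sockets
        return False
    if st.st_mode & 0o111:                # any execute bit set
        return True
    return include_dotfiles and path.name.startswith(".")


def build_manifest(root, algo="sha256", include_dotfiles=True):
    """Walk root and return {relative path: digest} for every tracked file."""
    root = Path(root)
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if is_tracked(p, include_dotfiles):
                manifest[str(p.relative_to(root))] = hash_file(p, algo)
    return manifest


def compare(baseline, current):
    """Diff two manifests; a non-empty result means the tree drifted from baseline."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "changed": sorted(k for k in common if baseline[k] != current[k]),
    }


def _write(path, data, exe=False):
    """Helper for the constructed demo tree."""
    path.write_bytes(data)
    if exe:
        path.chmod(path.stat().st_mode | 0o111)


def demo():
    """Constructed scenario: take a baseline, simulate drift, report the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "home" / "user").mkdir(parents=True)
        _write(root / "bin" / "ls", b"#!/bin/sh\necho ls\n", exe=True)
        _write(root / "bin" / "ps", b"#!/bin/sh\necho ps\n", exe=True)
        _write(root / "home" / "user" / ".bashrc", b"export PS1='$ '\n")
        _write(root / "home" / "user" / "notes.txt", b"not tracked: no exec bit, not a dotfile\n")
        baseline = build_manifest(root)          # the "known good" state

        # Constructed drift: one rc file edited, one binary replaced,
        # one binary removed, one new executable dropped in.
        _write(root / "home" / "user" / ".bashrc", b"export PS1='$ '\n# constructed extra line\n")
        _write(root / "bin" / "ps", b"#!/bin/sh\necho ps-modified\n", exe=True)
        (root / "bin" / "ls").unlink()
        _write(root / "bin" / "newtool", b"#!/bin/sh\n", exe=True)

        return compare(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

    For real use, run `build_manifest("/")` from the diagnostic machine against the mounted suspect disk (step 1 of the post), keep the baseline JSON somewhere the suspect system cannot write, and treat anything in `changed` or `added` under `bin`, `sbin`, `lib` or a user's dotfiles as something to inspect by hand before applying updates.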

  23. Evil
    Thumb Down

    It asks you to install from the web browser.

    #1) If this is the boonana variant that I think it is (which seems to be the case from the name), This is old news. Seriously - this was reported elsewhere with a video in October of last year. Google it.

    #2) It asks you to install, and you have to click through multiple warnings/certs, FROM YOUR WEB BROWSER. Show me anyone on Linux that would fall for that, and I'll show you someone that's not been using Linux for more than a few days (hint to Win users: You don't install anything on Linux directly from within the web browser - excepting FF/chrome plugins which you specifically have to ask to install).

    1. Anonymous Coward

      re: This is old news

      Maybe you missed the bit that said "the bot made waves in October". The /news/ is that the trojan has a vulnerability.

  24. Ubuntu Is a Better Slide Rule
    Go

    The Big Linux Insecticide

    Are of course

    Linux Security Modules

    SE Linux

    and

    AppArmor.

    Even a completely broken browser would be contained by LSM. Windows only has Sandboxie, which is a strange, third-party tool.

  25. Neil Gardner
    FAIL

    Market Share

    If Mac and Linux viruses didn't exist, Symantec would have to invent them.... If you don't pay your antivirus tax, Symantec et al. won't be able to invest in new security software...... Never experienced a virus on Mac or Linux in 5 years of intensive Internet use.....

    1. No, I will not fix your computer
      Thumb Up

      Gosh

      >>Never experienced a virus on Mac or Linux in 5 years of intensive Internet use

      Haven't had a virus since my Amiga, I've installed and used DOS/Win3.0/3.1/95/98/NT/XP/2K/2K3/2K8/Vista/7/Slackware/Debian/RedHat/Ubuntu/OSX/DRSNX SVR4/Solaris2.3/2.4/2.5/6/7/8/9/10/AIX5.2/5.3/6/HPUX10/11

      Good practices (using trusted sources, clean builds, firewalls, min privs etc.) mean you *shouldn't* need virus protection, but remember where words like "rootkit" come from - it didn't start as a Windows term. Complacency is just as dangerous as ignorance.

      These days I have a VM for surfing and email. When I've finished using it I roll it back to the original state, apply patches and updates and do another clean snapshot. If I ever did get a virus, chances are I'd never know and it would evaporate in the rollback.

      1. Anonymous Coward
        Terminator

        Re: Gosh

        "These days I have a VM for surfing and email, when I've finished using it I roll it back to the original state, apply patches and updates and do another clean snapshot"

        That's a nice idea, but a massively over-engineered one I can't help but feel. Are you suggesting that you really need all those added layers of protection before you're comfortable to check your emails? You must never get any work done.

        Also kinda weird when you consider that emails get shat out onto the web pretty much unprotected. It's amazing that people trust them at all.

        1. No, I will not fix your computer
          Thumb Up

          Re: Re: Gosh

          >>That's a nice idea, but a massively over-engineered one I can't help but feel. Are you suggesting that you really need all those added layers of protection before you're comfortable to check your emails? You must never get any work done.

          It works for me. I have three icons, StartVM, SaveVM and RollbackVM; when I shut down the host PC the guest is automatically rolled back (unless I have done a SaveVM before shutdown). The VM starts nearly as quickly as IE used to, filesystem space is cheap, and if you think of the guest OS as merely an application in a sandbox then it makes sense. Also, if you want to try out a new app/plugin/patch it's really easy to undo with a rollback (great when the uninstall doesn't).

          To be fair, my machine is dual quad 3.33GHz with 24GB so I can run a few VMs at the same time with no real problem, but the more procs and power we have, the more that this is practical.

  26. doperative
    Linux

    Java-based malware

    Point me to a link where my computer can get infected by this java-based malware, without any user action apart from clicking on a URL or opening an email attachment.

  27. Matthew Collier
    Linux

    AppAmour

    As has been said, but it's worth pointing out, anyone on a Debian-based Linux distro can use AppAmour. (K)Ubuntu comes out of the box with it installed, and profiles already created for the common Internet-facing applications.

    You can lock these down further, which I would do for Firefox (or any other web browser you might be using).

    Of course, if you're this paranoid (nothing wrong with that! ;) ), then you'll probably be using NoScript, so the Java won't run yet anyway, and you'd also probably spot the oddity of why it wants to run a JAR in the first place...

    Simples.

    1. Ubuntu Is a Better Slide Rule
      Paris Hilton

      AppARmor

      Yeah, AppAmour would sound a bit more romantic :-)

      She knows a lot about romantic situations...

  28. Anonymous Coward
    WTF?

    An invisible folder?

    Oh, you mean it has a dot at the start of the filename. Wow, that's like totally l337 dude! That'll fool 'em!

    I remember that HP-UX 9 allowed actual invisible folders (chmod +H or something) but I think that functionality got dumped once they realised what a security risk it was. Linux certainly doesn't have that sort of functionality, or at least nothing that could be accessed from within a JRE running as a normal user.
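    The "check for system changes before applying any updates" idea from comment 22 and the dot-prefixed "invisible folder" from comment 28, as one added shell example (not code from the article or from any commenter): a saved baseline of file hashes plus a list of hidden directories, diffed against a fresh snapshot. The watched tree is built with mktemp as a constructed stand-in for directories such as /etc/init.d or a home directory; the function names are this example's own.

```shell
# Added example (not from the article or any commenter): a minimal
# "check before you update" integrity script in the spirit of the AIDE /
# Tripwire advice above. Every file under the watched tree is hashed and
# every dot-prefixed ("invisible") directory is listed, so a tampered
# startup script or a new hidden folder shows up as a diff against a saved
# baseline. The watched tree is built with mktemp here as a stand-in for
# directories such as /etc/init.d or a home directory.

# Pick whichever SHA-256 tool this host has (GNU coreutils or perl shasum).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# snapshot ROOT: one sorted line per file ("HASH PATH") and one per hidden
# directory ("HIDDENDIR PATH"). Sorting makes two snapshots diff line by line.
snapshot() {
    sroot=$1
    {
        find "$sroot" -type f | while IFS= read -r f; do
            printf '%s %s\n' "$(hash_file "$f")" "$f"
        done
        # a leading dot hides a directory from a bare "ls", not from find
        find "$sroot" -type d -name '.*' | while IFS= read -r d; do
            printf 'HIDDENDIR %s\n' "$d"
        done
    } | LC_ALL=C sort
}

# baseline_create ROOT FILE: store the snapshot that later runs are compared to.
baseline_create() {
    snapshot "$1" > "$2"
}

# baseline_check ROOT FILE: exit 0 when nothing changed; otherwise print the
# added (">") and removed ("<") entries and exit 1, so a "set -e" update
# script stops before applying anything.
baseline_check() {
    current=$(mktemp)
    snapshot "$1" > "$current"
    if diff "$2" "$current" >/dev/null; then
        rm -f "$current"
        return 0
    fi
    echo "Integrity check FAILED; review these entries before updating:"
    diff "$2" "$current" | grep '^[<>]'
    rm -f "$current"
    return 1
}

# Demo on a constructed tree: a fake init script and a dotfile, baselined,
# then a line appended to the script and a new hidden directory created.
demo() {
    droot=$(mktemp -d)
    dbase=$(mktemp)
    mkdir -p "$droot/init.d" "$droot/home"
    printf '#!/bin/sh\nexit 0\n' > "$droot/init.d/rc.local"
    printf 'export EDITOR=vi\n' > "$droot/home/.profile"
    baseline_create "$droot" "$dbase"
    echo "clean run:"
    baseline_check "$droot" "$dbase" && echo "  baseline matches"
    printf 'echo tampered\n' >> "$droot/init.d/rc.local"   # constructed change
    mkdir "$droot/home/.cache-x"                            # constructed hidden dir
    echo "after changes:"
    baseline_check "$droot" "$dbase"
    rm -rf "$droot" "$dbase"
}
demo
```

    In real use the baseline file has to live somewhere the checked tree cannot write to (a read-only medium or another host), otherwise whatever altered the startup scripts can alter the baseline too; that is the gap AIDE and Tripwire close with signed or off-box databases.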

  29. Anonymous Coward
    Happy

    Popping the last pill

    As you are on my Register comments list, I thought I would let you know I have decided to end my life.

    :D

    I don't mind them plastering my FB account with something like this. It would amuse all my friends.

  30. Rhod
    FAIL

    the botnet is itself vulnerable?

    So therefore why does it still exist? If the article is to be believed it should be relatively easy to install software remotely onto these machines. So why is the software being installed remotely not anti-virus and anti-spyware which should solve the problem for good, or at least a removal tool which patches the vulnerability and removes the virus/spyware once done?

    No, let's just study it and watch it continue to proliferate around the internet. That'll be far more rewarding.

  31. Rhod

    Thanks for the e-mail Dan...

    You provide me with a suitable salary, or point me at some reasonable form of research grant funding ending in a Ph.D. and I'll happily follow through and "do the above".

    Surely that's what Dan Turner should be funding or what Billy Rios should be aiming for as the result of his research. But no, actually it would do the likes of Symantec and McAfee the world of harm to actually take out the botnets as, your article proves, they are perfectly capable of doing. Clean up all the botnets, securing the machines behind them, and they could effectively reduce spam to close to nothing (compared to current levels). But that wouldn't be in their interests as it'd reduce the sales of their software or, in Billy Rios' case, cut off the source of his funding.

    It's a case of don't kill the Goose that's laying the Golden Egg, isn't it?

  32. Anonymous Coward
    Stop

    JAVA from the web?

    You have to be kidding me?

    If I need to run a JAVA app, it's run in VBOX.
