back to article Inside Adwind: A DIY malware toolkit used by 1,800 crooks to spy on 443k victims

Security researchers have lifted the lid on Adwind – a malware-as-a-service platform which has hit more than 400,000 users and organisations across the globe. The Adwind RAT (remote access tool) is a cross-platform, multifunctional malware program also known as AlienSpy, Frutas, Unrecom, Sockrat, JSocket and jRat, which is …

  1. Rol Silver badge

    Worryingly

    I have just searched for Adwind on several Linux discussion forums and found no mention.

    There was I, smugly about to pronounce Linux safe for all but the most idiotic of users and, ahem, the silence is deatheningly ominous.

    I know for a fact several Linux aficionados post on ElReg, could you please confirm my belief, that only an utter fool running Linux would be open to an Adwind derived attack.

    1. Electron Shepherd

      Re: Worryingly

      From the linked FAQ:

      "It relies on user interaction: double-clicking the .JAR attachment in the email"

      From many posts on El Reg

      "I set up my husband / wife / partner / S.O. with Ubuntu / Mint / Cinnamon"

      I think you can only be smug if you believe that none of that group of people would ever double-click an enticing attachment in an e-mail.

      1. Rol Silver badge

        Re: Worryingly

        Yeah, I read the FAQ, but it didn't convince me that a drive by attack was out of the question, as many people run Java in their browser and could easily click on a malicious app.

        I just assume, Linux is crafted to mitigate such privilege escalations and therefore the whole attack is mute, but I still know too little to be absolutely sure.

        1. edge_e
          Boffin

          Re: Worryingly

          I'm pretty sure that most recent linux distributions don't install a java browser plugin by default so the risk of driveby to husband / wife / partner / S.O. who are unlikely to change this is non-existent.

          1. Wensleydale Cheese
            Stop

            Re: Worryingly

            "I'm pretty sure that most recent linux distributions don't install a java browser plugin by default..."

            That's something you should check. I know that a couple of my Linux instances have some kind of java browser plugin because I installed a particular Java based software package which uses the browser.

            I don't honestly know whether those plugins came with the linux distro or the software package involved, so need to check that myself.

        2. Doctor Syntax Silver badge

          Re: Worryingly

          "I just assume, Linux is crafted to mitigate such privilege escalations."

          That would depend on whether anything involved in this runs with root setuid permissions. On a quick rootle round my jvm and browser files I can't see anything but (a) it was a quick look and (b) YMMV.

      2. edge_e
        Facepalm

        Re: Worryingly

        I've no doubt that there are people stupid enough to run an unexpected/unknown attachment despite the hoops that would be placed in their way though

    2. Mark 85 Silver badge

      Re: Worryingly

      In some ways, you Linux types (and myself included) are like the Apple folks.. "we can't get a virus". Once upon a time, that was very true since the malware writers were ignoring anything other than Windows. They've now set their sights on the non-windows platforms and rely on social engineering. The key is going to be a change of mindset for both Apple and Linux users from "The OS won't let me get a nasty" to "the odds are in my favor but I shouldn't be stupid".

      So I think what the "worrying" part is, isn't the OS, but the person using the keyboard.

    3. Doctor Syntax Silver badge

      Re: Worryingly

      A quick look at my .mozilla/plugins (in Debian 7) revealed a number of links placed to a Java plugin by Crossover Office. Despite Crossover Office supposedly being removed long ago there was a .cxoffice directory containing the library. In addition there was a .netscape/plugins directory containing similar links; the dates suggest that Crossover Office created that entire path. Wine doesn't seem to have set such links.

      There was also a dead link to Java in a long removed LibreOffice 4.2 installation. Subsequent LibreOffice versions don't seem to have set a link.

      With those links removed the relevant Java plugin disappeared from the browser. There's still an Iced Tea plugin but that's set as ask to activate. Iced Tea Java in installed from the Debian repository.

      Of these I only expected Iced Tea. Clearly applications can casually install Java in the browser even if you don't expect it. Vigilance is needed.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021