back to article Microsoft uses its expertise in malware to help with fileless attack detection on Linux

Hey, Linux fans! Microsoft has got your back over fileless threats. Assuming you've bought into the whole Azure Security Center thing. Hot on the heels of a similar release for Windows (if by "hot" you mean "nearly 18 months after") comes a preview aimed at detecting that breed of malware that inserts itself into memory before …

  1. Warm Braw Silver badge

    Its expertise in malware

    It's not fair to shoot at an open goal...

    1. Blackjack Silver badge

      Re: Its expertise in malware

      Spyware is a type of malware and Windows is indeed malware because even editing the registry doesn't do much to stop the spying.

      1. MJB7
        FAIL

        Re: Its expertise in malware

        Yes, yes. We *all* know that argument. That is what the subhead was referring to, and the comment to which you replied. There was no need to spell it out in laborious detail.

      2. Captain Scarlet Silver badge
        Trollface

        Re: Its expertise in malware

        Pfft, I can easily edit the registry rendering the machine unbootable, try spying when it won't even load Windows!

      3. NoneSuch Silver badge
        Devil

        Re: Its expertise in malware

        Formatting the drive with your distro of choice is a great first step.

      4. Anonymous Coward
        Anonymous Coward

        Re: Its expertise in malware

        I noticed something strange while logged onto a user's computer today with my credentials .My account has no internet access so you can imagine my surprise when a test page search in IE brought back pages of results. The machine had defaulted to Bing Search in the browser and even though I have NO internet access, Bing was still able to search the internet and bring back results.

        So not only does Microsoft collect telemetry and all the rest, it ignores security settings when pushing its own products.

        1. Snake Silver badge
          Holmes

          Re: searching the internet

          Either your computer has internet access or it doesn't, it is rather binary. You may have told Windows to deactivate some user internet functionality but that doesn't mean that your computer had "NO internet access" - for, quite apparently, it did.

          1. Captain Scarlet Silver badge

            Re: searching the internet

            Sounds like the browser found an auto config file for your proxy

          2. Anonymous Coward
            Anonymous Coward

            Re: searching the internet

            No - I said I have no internet access. It is a secure network and only authorised users are allowed out to the internet.

            1. Snake Silver badge

              Re: "No internet"

              What you are, trying, to claim is completely impossible. If the box had "no internet" then Bing could not have returned a result.

              Period.

              It would be like disconnecting your Cat5 - no signal. That's not what happened.

              Bing, somehow, got a result. That means that, somehow, your box FOUND the internet. No other possibility even exists. Bing cannot create a search result from dead air.

              Like it or not, that box has HTTP access. Somehow. You may believe otherwise, but HTTP replies don't lie.

          3. ATraveller

            Re: searching the internet

            I had a similar experience, where a windows machine with no cable and wifi disabled still seemed to be happily chatting away with IP addresses registered to Microsoft and subsidiaries of Microsoft when you checked with netstat.

            Further digging showed that the machine was somehow tunneling out via virtualbox, although how on earth it could do that with no active internet connection is beyond me.

  2. sw guy

    detection feature scans the memory of all processes

    Once that said, I have enough for my answer.

    Which is : «No» (or, «No, thanks», let us be polite after all)

    1. iron Silver badge

      Re: detection feature scans the memory of all processes

      Go on then, explain how you detect fileless malware in memory without scanning memory?

      1. CrazyOldCatMan Silver badge

        Re: detection feature scans the memory of all processes

        how you detect fileless malware in memory without scanning memory

        You watch what processes are trying to do - most malware follows a similar pattern of actions so something trying to do the pattern (or smething close to it) might be malware. So, at the very least, you can pop up a prompt for the users saying that "process xxx is doing odd things, shall I terminate it?"

        I'm working here on the assumption that most linux users are vaguely tech-savvy..

    2. sw guy

      Re: detection feature scans the memory of all processes

      I cannot, but I do not want any not controlled by me program to perform such a scan

      1. IGotOut Silver badge

        Re: detection feature scans the memory of all processes

        You control EVERY process running on your system.

        Wow, you are talented.

        1. jake Silver badge

          Re: detection feature scans the memory of all processes

          Not talented so much as a good admin.

          It's not exactly rocket surgery.

      2. Becca

        Re: detection feature scans the memory of all processes

        Let's just say I don't want any program from Microsoft running on my Linux system. Their reputation for "embrace, enhance, extinguish" is far too well deserved.

  3. nagyeger

    Fixed it for them

    # strings < /proc/kcore | fgrep -f bad_strings.txt

  4. herman Silver badge

    I doubt whether all the false positives will be worth the tiny risk of an actual problem.

  5. Anonymous Coward
    Holmes

    I'd rather have Inspector Clouseau guarding my Linux servers.

    1. Robert Helpmann?? Silver badge
      Coat

      Peter Sellers Lives!

      I'd rather have Inspector Clouseau guarding my Linux servers.

      I can just hear his voice...

      Clouseau: Could you sudo and run these Microsoft tools on your server?

      PFY: Yes.

      Clouseau: Well then, what are you waiting for?

      PFY: This is not my server.

      Mine comes with a slightly foxed fedora.

      1. Dan 55 Silver badge

        Re: Peter Sellers Lives!

        I said ceaud yeau seaudeau.

        What?

        Ceaud... yeau... seau... deau...

        1. Woza
          Joke

          Re: Peter Sellers Lives!

          Do you have a licaunce for that minkey server?!

  6. Robert Carnegie Silver badge

    Didn't Microsoft SQL Server suffer one of these attacks about 20 years ago? Ah - 2003 - https://en.wikipedia.org/wiki/SQL_Slammer

    And if your system had current patching installed, you were OK.

  7. Dr. Vagmeister
    Linux

    Perhaps this is a silly question - do we get to see the source code for the Microsoft program running on a Linux system ?

    Isn't that the entire point of Linux and open source, the source code is open ?

    1. Pascal Monett Silver badge

      No. Linux is open source, yes, but there is no obligation to open source applications on Linux.

      If Adobe has a Linux version of PhotoShop, you can bet your last dollar that the code is not open source. Adobe can, however, sell a Linux version of its product. The fact that the OS is open source has nothing to do with that.

      Identically, Windows is not open source, but there is nothing to prevent you from creating open source software on Windows.

    2. Grogan

      Probably not, and the entire point is that you should not use it. (Because of the stated philosophy that we like)

      I take that one step further. If I can't compile it, I'm not using it. This includes software that is open source, but is just too onerous to build.

    3. Paul Stimpson

      "Perhaps this is a silly question - do we get to see the source code for the Microsoft program running on a Linux system ?"

      That all depends on where they got the source code from. Pascal is right.

      Example one: You write a piece of code that is all your own work on a Linux system - You are free to license that code under whatever license, open or closed source, you like.

      Example two: You write a piece of code that is all your own work but calls to one or more external programs (say the program "grep" to search a log file for lines containing the string "Error".) Now grep is open-source licensed under the GPL but you are just running it as an external program (AKA "running it at arms length") so you are still free to license your code under any open or closed source license you choose.

      Example three: You write a program and you incorporate code from a GPL-licensed program into your code. Say, you take part of the source code of grep and cut and paste it into your code or link to an open-source library and use its functions like they were your own. Now, you must open-source your code under the GPL as you're incorporating someone else's work that requires that into it. Note that compiler libraries are specifically exempt from this so using say the open source "gcc" C compiler doesn't automatically make anything you compile with it open source.

    4. CrazyOldCatMan Silver badge

      do we get to see the source code for the Microsoft program

      Given that a lot of their linux stuff is in Github/lab I suspect the answer is 'maybe'..

  8. This post has been deleted by a moderator

  9. JohnFen Silver badge

    Nope

    > Assuming you've bought into the whole Azure Security Center thing.

    Which I'm not going to do. I simply don't trust Microsoft.

  10. The Steven

    I can't believe they typed that with a straight face.

  11. Aussie Doc Bronze badge
    Paris Hilton

    Fileless?

    Clueless?

    I need a drink.

  12. jake Silver badge

    Since when was a running process ...

    ... not a file on a un*x system?

    "Fileless" ... They keep using that word. I don't think it means what they think it means.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020