This NSA, FBI security advisory has four words you never want to see together: Fancy Bear Linux rootkit The NSA and FBI are sounding the alarm over a dangerous new strain of Linux malware being employed by Russian government hackers often dubbed the Fancy Bear crew. Uncle Sam explicitly said on Thursday the miscreants – formally known as the 85th Main Special Service Center (GTsSS) – operate within the Russian intelligence …
"So Soup de Jure is a legally mandated starter?"
In much the same way that English-speakers steered clear of the poisson on the menu.
Then there is the Canadian beer which might not sell well in New Zealand.
Mars have announced a limited retro edition of their Snickers bar to be sold in the UK. It will carry the original UK-only bowdlerised name of Marathon.
the Proper pronunciation is 'Merican.
The A is Silent..
We used this knowledge when we were helping (pre 9/11 days) people across the US/Mexican border when they were not in possession of the appropriate travel documents.
We would shave their heads... put them in 'Merican civies... give them megaliters of tequila... Cross the border (we had a friendly marine as a driver from Camp Pendelton... ) At the border they used to ask your citizenship.. We simply taught out charges to spew the words 'MERICAN... "Semper Fi, Oorah..."
Never a problem.. Many successful customers...
Anonymous for a good reason.... ;)
In Russia, I think the they are known as "Military Unit 26165" and according to their Rusprofile listing, they are engaged in "military security activities" and "other unspecified activities". The address given is the HQ of the GRU.
https://www.rusprofile.ru/id/7337085
Except that they don't mention the most important thing, how the nastyware gets installed on the server. Yeah, spearfishing sure! I don't know many people who are checking their email on a Linux production server. Let me see if I get this. First they use spearfishing to infect a Windows PC, praying that the hapless user be a Linux admin who then will have to use SCP or something to get the malware on the server where they will have to execute it manually. God damn those Russians, they are so smart.
I've been reading this for decades now, it is called a rootkit so I don't see anything special about it. Also, it you're running Linux kernel v3 you clearly demonstrate you have no clue about IT.
Really, nothing new to see here and I don't know why those two TLAs are wasting their resources.
I would have liked to know how it gets installed as well. The article says "When deployed on a victim machine" and stops there.
How does the nasty get deployed ? Phishing ? Targeted email ? USB carried by a sleeper agent ?
Is this a plot of The Americans ?
I would have liked to know how it gets installed as well.
Hold on ... Let me check and see what today's party line is. ... Ah, yes ... It's either the Chinese. Or the Democrats. Or the fake news people. Or Iran. One thing is certain. Putin has nothing to do with it.
Seriously. If I were trying to root a Linux server and couldn't find open ports and externally accessible accounts with no/default/trivial passwords, I'd quite likely go after Windows or smartphone users on the same network with legitimate access, then try every privilege escalation exploit known to man. Keep in mind that Unix security was designed to keep users from screwing up each others' work (which it does quite well), not to provide ironclad protection against sophisticated attackers with massive resources. Someplace out in the garage I have a copy of a BTL paper by (as I recall) Ken Thompson explaining that Unix was not designed to be a perfectly secure system. I looked for a current web link to the paper, but couldn't find one.
Via a webserver running a fingerprintable CMS with unknown/unpatched vulnerabilities, and with known folders which are writable by the webserver (eg, for CMS users to use to upload images for the website) is sadly far too common a way for malware to be able to find its way aboard a server.
"Also, it you're running Linux kernel v3 you clearly demonstrate you have no clue about IT."
Slackware (14.0 & 14.1 have no EOL at the moment) and Debian (Wheezy) still have maintained 3.x kernels. There is a need for old code on old machines. People with a clue about IT understand the realities of working with an installed base and take steps to see that it is as safe and as secure as practical. Including maintaining old kernels.
HTH, HAND
This post has been deleted by its author
"What are these "high value" targets doing, using a Linux kernel with modules?"
My understanding -- which could be wrong -- is that a unix module is pretty much what we old time MSDOS folks used to call a "loadable device driver". All incorporating it into the kernel accomplishes is to make it a permanently loaded device driver. If it contains malicious/exploitable code before building into the kernel, it'll still contain malicious/exploitable code after incorporation?
Correct, but it is possible to turn off support for loadable modules entirely, if you have compiled everything you will ever need into the kernel executable image in the first place.
Distributions never do that, because either the kernel would be huge, or it would not work on most systems.
A module is a bit of code that hooks into the kernel to provide added functionality as needed. It can be hardware drivers, yes. Also support for file systems, extensions to the kernel API, and etc. They can mostly be loaded and unloaded on the fly, so no need for a reboot after some changes to the kernel in a running system (see "modular kernel" vs "static kernel"). Most modern OSes have support for this in one form or another.
As with most such thingies, there are advantages and disadvantages. I like the flexibility of modules on my working desktop machines, but prefer a static kernel in the servers (for example).
I haven't read all the document so it might be in there. Do the TLAs say exactly how this thing gains root access to be loading kernel modules and 'executing arbitrary commands'?
That is, of course, after a clueless luser has downloaded the 'implant', made it executable and run it!
Not that I can see, which makes this whole thing a panic over nothing. Yes, if you run malicious code as root it *can* persist itself. This is nothing new. Don't run malicious code as root. (And keep your machine as safe as possible from holes that allow unprivileged users or network daemons to escalate to root.)
(Secure Boot only saves the boot process and firmware, anyway -- it won't save you from things that persist in network card firmware, disk controller firmware etc. Like, oh, the NSA uses, and since they do I'm sure the Russians can deploy that real soon now as well. Again, just don't run it as root and you're safe.)
On page 35 of the report, after pages and pages and pages of stuff about Linux, we have this little, er, gem:
"Using a keyword list of the terms described in this advisory, a search can be conducted on the strings in the memory capture. Using the Sysinternals® “strings.exe” utility, a file can be created that contains all of the strings in the image:
Strings.exe –o –n 4 –nobanner mem.img > mem_strings.txt"
Whats this ".exe" thingy? :o
Doesn't matter what TLA they may or may not have, nor what country they come from. I try to keep them all out of my business equally. What is on my computers is none of their damn business until a Judge legally tells me otherwise. At which point, I'll happily let them bore themselves to death, looking for stuff that isn't there.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
