AT&T Alien Labs warns of 'zero or low detection' for TeamTNT's latest malware bundle

AT&T's Alien Labs security division has sounded the alarm on a malware campaign from TeamTNT which, it claims, has gone almost entirely undetected by anti-virus systems - and which is turning target devices into cryptocurrency miners. Described by Alien Labs researcher Ofer Caspi as "one of the most active threat groups since …

  1. Nate Amsden

    monitor CPU usage too

    Several years ago I was called in to help with another team's compromised WordPress website. At the time it was infected with a bitcoin mining thing. The only reason it was detected was because it shot CPU usage through the roof, which then tripped some alarms I think. Of course the system was lacking many updates which led to the compromise, but the point being, with crypto miners being installed I would expect CPU usage to go way up.

    On all of my ~800 VMs I have monitors that say if CPU usage (as measured by vCenter, monitored by LogicMonitor) is greater than 75% for an hour then send a WARNING alert, and if greater than 90% for an hour send a CRITICAL alert (neither alert goes to pagers, just to the PagerDuty alert dashboard and email). Not to track cryptocurrency miners of course, just general usage indicating something could be wrong with the software running on the system if it is using CPU for that long.

    It's pretty rare on my systems at least that the CPU would be pegged for more than an hour for a normally functioning application (I guess if that was normal then it would signal to me that the system needs more CPU resources), though it does happen from time to time.
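The sustained-threshold rule described in the comment above (WARNING above 75% for an hour, CRITICAL above 90% for an hour), written out as an added example; this is not the commenter's monitoring configuration. It assumes CPU samples arrive as timestamped percentages and that a single sample at or below the threshold resets the run, so a short spike never alerts; the sample series are constructed.

```python
"""Sustained-CPU alerting over timestamped samples (added example).

Thresholds and the one-hour window come from the comment; the Sample
format, helper names and the series below are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, Optional

WARN_PCT = 75.0          # WARNING when usage stays above this for WINDOW
CRIT_PCT = 90.0          # CRITICAL when usage stays above this for WINDOW
WINDOW = timedelta(hours=1)


@dataclass(frozen=True)
class Sample:
    ts: datetime
    cpu_pct: float


def sustained_above(samples: Iterable[Sample], threshold: float,
                    window: timedelta = WINDOW) -> Optional[datetime]:
    """Return the start time of the first run of samples that stayed
    strictly above `threshold` for at least `window`, or None.
    Any sample at or below the threshold ends the current run."""
    run_start = None
    for s in sorted(samples, key=lambda x: x.ts):
        if s.cpu_pct > threshold:
            if run_start is None:
                run_start = s.ts
            if s.ts - run_start >= window:
                return run_start
        else:
            run_start = None
    return None


def evaluate(samples: Iterable[Sample]) -> Optional[str]:
    """Severity for one host: 'CRITICAL', 'WARNING' or None.
    CRITICAL is checked first so it wins when both conditions hold."""
    samples = list(samples)
    if sustained_above(samples, CRIT_PCT) is not None:
        return "CRITICAL"
    if sustained_above(samples, WARN_PCT) is not None:
        return "WARNING"
    return None


def series(start: datetime, pcts: Iterable[float], step_min: int = 5):
    """Build a constructed sample series, one reading every step_min minutes."""
    return [Sample(start + timedelta(minutes=i * step_min), p)
            for i, p in enumerate(pcts)]


T0 = datetime(2021, 9, 8, 4, 0)
# Constructed hosts: a miner pegging CPU, a legitimate 20-minute spike,
# and a busy-but-healthy host sitting at ~82% for 100 minutes.
MINER = series(T0, [97.0] * 15)
SPIKE = series(T0, [99.0] * 4 + [10.0] * 12)
BUSY = series(T0, [82.0] * 20)

if __name__ == "__main__":
    for name, host in (("miner", MINER), ("spike", SPIKE), ("busy", BUSY)):
        print(f"{name}: {evaluate(host)}")
```

With five-minute samples, thirteen consecutive readings above a threshold span exactly one hour and trigger the alert; the spike host never accumulates a full hour and stays quiet, which is the behaviour the one-hour window is meant to give.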

  2. bombastic bob

    Do they have more details on Linux?

    if Linux is (or can be) affected, are there MORE DETAILS on this?

    I am mostly curious how it got there, but I suspect that my Fail2Ban logs would indicate a likely source.

    (since 4:00 AM this morning, i.e. about 5 hours, there were 11 attempts on ssh blocked by Fail2Ban)

    I will gladly forward this information someplace if it will help stop it. Unfortunately sending complaints takes time. If I could (easily) automate the complaint process I'd probably do that, too. I bet that most of the victims' IP addresses are infected Linux machines trying to crack in via ssh.

    (my 'root' mail gets redirected to an IMAP directory that I can view and clean up whenever I want/need, so it might be trivial to write a Perl script to deconstruct the reports and figure out who to complain and forward info to; however, deciphering the correct complaint mail address could be tricky)
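An added example of the first half of the automation the comment above describes: parsing Fail2Ban's own log to count bans per source address and jail since a cutoff time, so the report a complaint would be based on can be produced automatically. This is not the commenter's script. It assumes the default fail2ban.log line format (timestamp, logger, pid, level, `[jail] Action ip`); the log lines are constructed and use RFC 5737 documentation addresses, and working out the right abuse contact for each address is left out.

```python
"""Summarise Fail2Ban bans per source address (added example).

Assumes fail2ban.log's default layout; sample lines are constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ "
    r"fail2ban\.(?P<logger>\S+)\s+\[\d+\]: (?P<level>\w+)\s+"
    r"\[(?P<jail>[^\]]+)\] (?P<action>Ban|Unban|Found|Restore Ban) (?P<ip>\S+)$"
)

# Constructed sample log: one address banned, released and banned again,
# one ban before the 04:00 cutoff, one ban in a different jail.
SAMPLE_LOG = """\
2021-09-08 03:15:00,110 fail2ban.actions        [812]: NOTICE  [sshd] Ban 192.0.2.200
2021-09-08 04:05:11,201 fail2ban.filter         [812]: INFO    [sshd] Found 203.0.113.5
2021-09-08 04:05:14,880 fail2ban.filter         [812]: INFO    [sshd] Found 203.0.113.5
2021-09-08 04:05:18,002 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.5
2021-09-08 05:41:02,340 fail2ban.actions        [812]: NOTICE  [sshd] Ban 198.51.100.77
2021-09-08 06:12:55,019 fail2ban.actions        [812]: NOTICE  [sshd] Unban 203.0.113.5
2021-09-08 07:30:40,733 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.5
2021-09-08 07:58:13,420 fail2ban.actions        [812]: NOTICE  [recidive] Ban 203.0.113.5
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    jail: str
    action: str
    ip: str


def parse_fail2ban(text: str) -> List[Event]:
    """Turn log text into Event records; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append(Event(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                            m["jail"], m["action"], m["ip"]))
    return events


def bans_by_source(events: List[Event], since: Optional[datetime] = None,
                   jail: Optional[str] = None) -> Counter:
    """Count 'Ban' actions per source address, optionally limited to
    events at or after `since` and to one jail."""
    counts: Counter = Counter()
    for e in events:
        if e.action != "Ban":
            continue
        if since is not None and e.ts < since:
            continue
        if jail is not None and e.jail != jail:
            continue
        counts[e.ip] += 1
    return counts


def report(events: List[Event], since: Optional[datetime] = None,
           jail: Optional[str] = None) -> List[tuple]:
    """(ip, ban_count) pairs, most-banned first, for a complaint summary."""
    counts = bans_by_source(events, since, jail)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    cutoff = datetime(2021, 9, 8, 4, 0)
    for ip, n in report(parse_fail2ban(SAMPLE_LOG), since=cutoff, jail="sshd"):
        print(f"{ip}\t{n} ban(s) since {cutoff:%H:%M}")
```

Counting `Ban` actions rather than `Found` lines gives one entry per enforcement decision instead of one per failed login, which keeps the summary readable when a single source retries for hours; the `recidive` jail is filtered out so the same address is not double counted.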

    1. Anonymous Coward

      Re: Do they have more details on Linux?

      Not everyone's cup of tea... but my Linux sshd servers are all on non-standard port numbers higher than 10000. So far (!) no sign of Chinese login attempts!
