
Re: New Hand of Thief trojan does Linux but not windows!

  • LinuxDucks
    Aug 16, 2013
      One last security mention here and I will back off, as it does not seem to
      grab much interest or responses. Here is an example of what I was
      mentioning about the inaccessible Root of the Linux system by a user. .....

      Fw: US-CERT Current Activity - Linux Root Access Vulnerabilities
      IN FULL:
      http://linuxducks.free-forums.org/viewtopic.php?f=10&t=195

      JUMP TO:
      QUOTED
      The first of these vulnerabilities is due to a flaw in the
      implementation of the Reliable Datagram Sockets (RDS) protocol in Linux
      kernel versions 2.6.30 through 2.6.36-rc8. By sending a specially
      crafted socket function call, an attacker may be able to write
      arbitrary values into kernel memory and escalate privileges to
      root.
      UNQUOTE

      Now in Windows, several years ago, I did an Amateur Forensics write up
      of an actual Botnet Infection Payload executed on my Windows XP desktop.
      I dissected about all of it and had reported and kept logs at a forum etc.,
      to finally just leaving it as a webpage for posterity as a sort of
      Anatomy of a Botnet Infection.

      What I discovered in this massive, massive malware payload was several
      Windows media icon files. In actuality they were .DAT files, which is data
      being stored in media format files. Now this was in Date of Infection
      approx December 2008 - before today, when you see a movie file in, like,
      the Videos folder they have a thumbnail snapshot from the movie.

      So what I discovered were these several .DAT files that were not media
      (movies) at all but engineered apparently as Datagrams.....

      From http://bluecollarpc.us/forensics/ ......
      JUMP TO.....

      Below you will understand the importance. There is incidence of data
      files or .DAT translated into media image files to hide by crimeware.

      NON SAMPLE DAT file manipulation: Reading and writing Isis image
      buffers. The objects defined below may be used to read and write images
      to and from two-dimensional DAT files. …
      http://web.media.mit.edu/~stefan/isis/software/dat-files.html
      TWO high quality players were unaffected, which too legitimately guard
      particular .dat files.

      REFERENCE (Symantec above) "….Blubster is a peer-to-peer
      filesharing client which is based on MP2P – a proprietary UDP
      transport protocol…."

      User Datagram Protocol
      http://en.wikipedia.org/wiki/User_Datagram_Protocol
      User Datagram Protocol (UDP) is one of the core members of the Internet Protocol
      Suite, the set of network protocols used for the Internet. With UDP,
      computer applications can send messages, in this case referred to as
      datagrams, to other hosts on an Internet Protocol (IP) network without
      requiring prior communications to set up special transmission channels
      or data paths. UDP is sometimes called the Universal Datagram Protocol.
      [sidebar - IP Spoofing, piping and PS.. IRCChat Relay is Pergamos -
      busted ! See IRC in IRS]
      UDP uses a simple transmission model without implicit hand-shaking
      dialogues for guaranteeing reliability, ordering, or data integrity.
      Thus, UDP provides an unreliable service and datagrams may arrive out of
      order, appear duplicated, or go missing without notice. UDP assumes
      that error checking and correction is either not necessary or performed
      in the application, avoiding the overhead of such processing at the
      network interface level. Time-sensitive applications often use UDP
      because dropping packets is preferable to waiting for delayed packets,
      which may not be an option in a real-time system. If error correction
      facilities are needed at the network interface level, an application
      may use the Transmission Control Protocol (TCP) or Stream Control
      Transmission Protocol (SCTP) which are designed for this purpose.

      Now this deals a lot with the BOTNETS, and they hijack the computer,
      spoofing internet connectivity to fool ISP and Law, and use it for
      storage and sharing of illegal pirated copies of movies and software
      etc. You see they installed the P2P (peer to peer file swapping
      software) program called Blubster as part of this massive payload, and
      much more, including illicit malware transmission and the whole nine yards.
      (Of course they fell just short of re-connectivity and I had the entire
      machine diagnosed and cleaned and running about 58 minutes later!)

      INFO http://www.ehow.com/about_5031424_blubster.html
      Technology
      Blubster uses a protocol called MP2P, which stands for Manolito Peer to
      Peer. This is an offshoot of the P2P, or Peer to Peer protocol. MP2P is
      based on the User Datagram Protocol, or UDP. Basing MP2P on UDP allows
      the Blubster service to remain anonymous. This means that users can
      upload or download files anonymously and cannot be tracked down and
      prosecuted for copyright infringement.


      Now go back up top and see and understand the hole found in Linux, which
      apparently means that Linux was fully open to botnet infection, which
      would have been easily stopped by any real quality antimalware such as
      ESET NOD32 now.

      THIS is what I mentioned and meant about SECURITY in Linux: that there
      are parts of Linux the user can not access for inspection, as manually
      aiding antimalware in manual hunts for infections, and that really is
      disturbing to myself. Linux prides itself as Open Code and boos Windows
      for being Micro$oft Closed Code, but there is virtually nothing Closed in
      Windows except for some cryptographic stuff such as the Administrator
      Password etc etc etc. that you just can't walk up and read in the Windows
      Registry.

      Oh well, just wanted to clarify my comments with some intelligent
      dialogue so that no one walked away with the impression that I was
      simply ranting and raving mindlessly, or trolling, or Linux-Bashing at
      all. I hope this post hit the mark!

      gerald philly pa usa
      Owner/Webmaster proudly of the BlueCollarPC.US
      http://bluecollarpc.us/
      (Over 8.5 million Visitors/Users since 2005,
      Completely non-commercial Free Community Help Site)


      --- In LINUX_Newbies@yahoogroups.com, "LinuxDucks" wrote:
      >
      > Follow Up..... ( if bored with security just delete this)
      >
      > Questions Linger About New Linux 'Hand of Thief' Trojan
      > Threatpost
      >
      > http://threatpost.com/questions-linger-about-new-linux-hand-of-thief-trojan
      >
      > In reviewing this informative press release it is apparent or really
      > seems this piece of malware is actually checking security and
      > prosecution involved in Linux. I say that because being in Windows
      > security going back to the very first adware infections/infestations -
      > much of that was actually testing the system.
      >
      > Originally, a good portion of adware infection payloads actually
      > included Uninstall packages with it, whereby you could navigate to the
      > uninstallation of software (Add/Remove Programs - XP) and uninstall it
      > like other normal legit softwares. Some even went to court saying they
      > were not breaking laws, that the user gave permission and etc etc etc.
      > None of that held water.
      >
      > This was also the birth of spyware for Windows about year 2001 forward
      > with A LOT of adware packages preceding it. Once spyware and
      > antispyware companies (such as Webroot) and laws were being born, it
      > became quite apparent the adware was just the clever way of testing the
      > waters to now bombard with spyware - the actual real threats to personal
      > information (ID Thefts) and introducing brute force instability into the
      > system and even damage. Of course it really took a lot of persuading and
      > petitioning and complaints to get today's modern laws in effect against
      > spyware and in all states in the USA and most all of the world. One
      > place that sprung up and really evolved into otherwise was
      > https://www.stopbadware.org/ - originally helping to get laws passed
      > turned into clearing people's websites from bad reports in search engines
      > from Google blah blah blah.
      >
      > THIS looks so eerily familiar now with this first-days piece of Linux
      > malware. I will bet this is nothing more than cyber criminals testing
      > the waters in Linux, but nevertheless is apparently waiting to become
      > fully active.
      >
      > What I had also posted about Linux having inaccessible areas kind of
      > leaves a head scratch. With Windows some areas were restricted as Hidden
      > Files - the operating system files etc. However, a simple permissions
      > click allowed complete access, which was extremely necessary to access
      > \system32 in Windows and the Downloaded Program Files (ActiveX items)
      > to discover malware infestation. Linux has no access to Root and seems
      > some antivirus can not scan either.
      >
      > So like I said I am far from an Advanced User on Linux but not in
      > Windows malware. That's why I made this post and my opinion about this
      > particular piece of Linux malware. I think it's just an expendable
      > offered dummy load like a criminal stake out op. That was very prevalent
      > in numbers and growing numbers in the birth of adware/spyware days on
      > Windows. Perhaps towards the end of this decade will there be any real
      > concern by virtually all users of Linux over malware because it will be
      > there. Just opinions.
      >
      > Some pieces are like POST Data seems more the server side of things as
      > improper sanitation areas of data transferred from the desktop and as a
      > Data Scraping type area function. The absence apparent of their
      > Injection process claimed as not making it fully functional and more
      > dangerous may possibly be achieved at a bad infected website running a
      > buffer overflow attack perhaps to grab the private database contents and
      > even destroy the website application leaving it in a DOS denial of
      > service state? If they are toying with researchers.
      >
      > All just opinion.
      >
      >
      > gerald philly pa usa
      > http://bluecollarpc.us/
      >
      > --- In LINUX_Newbies@yahoogroups.com, "Joe PM" jpmcsale@ wrote:
      > >
      > > goto
      > >
      > > http://arstechnica.com/security/2013/08/hand-of-thief-banking-trojan-doesnt-do-windows-but-it-does-linux/?goback=%2Egde_65688_member_264365271
      > >
      >