Re: New Hand of Thief trojan does Linux but not windows!
- Aug 16, 2013
One last security mention here and I will back off, as it does not seem to
grab much interest or responses. Here is an example of what I was
mentioning about the inaccessible Root of the Linux system by a user. .....
Fw: US-CERT Current Activity - Linux Root Access Vulnerabilities
The first of these vulnerabilities is due to a flaw in the
implementation of the Reliable Datagram Sockets (RDS) protocol in Linux
kernel versions 2.6.30 through 2.6.36-rc8. By sending a specially
crafted socket function call, an attacker may be able to write
arbitrary values into kernel memory and escalate privileges to
Now in Windows, several years ago, I did an Amateur Forensics write-up
of an actual Botnet Infection Payload executed on my Windows XP desktop.
I dissected about all of it and had reported and kept logs at a forum etc.,
to finally just leaving it as a webpage for posterity as a sort of
Anatomy of a Botnet Infection.
What I discovered in this massive, massive malware payload was several
Windows media icon files. In actuality they were .DAT files, which is data
being stored in media-format files. Now this was at the Date of Infection,
approx. December 2008 - before today, when you see a movie file in, say, the
Videos folder and it has a thumbnail snapshot from the movie.
So what I discovered were these several .DAT files that were not media
(movies) at all but engineered apparently as Datagrams.....
From http://bluecollarpc.us/forensics/ ......
Below you will understand the importance. There is an incidence of data
files, or .DAT, translated into media image files to hide by crimeware.
"NON SAMPLE DAT file manipulation - Reading and writing Isis image
buffers. The objects defined below may be used to read and write images
to and from two-dimensional DAT files."
TWO high quality players were unaffected, which too legitimately guard
particular .dat files.
REFERENCE (Symantec above): "Blubster is a peer-to-peer
filesharing client which is based on MP2P, a proprietary UDP
transport protocol."
User Datagram Protocol
<http://en.wikipedia.org/wiki/User_Datagram_Protocol> User Datagram
Protocol (UDP) is one of the core members of the Internet Protocol
Suite, the set of network protocols used for the Internet. With UDP,
computer applications can send messages, in this case referred to as
datagrams, to other hosts on an Internet Protocol (IP) network without
requiring prior communications to set up special transmission channels
or data paths. UDP is sometimes called the Universal Datagram Protocol.
[sidebar - IP Spoofing, piping and PS.. IRCChat Relay is Pergamos -
busted ! See IRC in IRS]
UDP uses a simple transmission model without implicit hand-shaking
dialogues for guaranteeing reliability, ordering, or data integrity.
Thus, UDP provides an unreliable service and datagrams may arrive out of
order, appear duplicated, or go missing without notice. UDP assumes
that error checking and correction is either not necessary or performed
in the application, avoiding the overhead of such processing at the
network interface level. Time-sensitive applications often use UDP
because dropping packets is preferable to waiting for delayed packets,
which may not be an option in a real-time system. If error correction
facilities are needed at the network interface level, an application
may use the Transmission Control Protocol (TCP) or Stream Control
Transmission Protocol (SCTP) which are designed for this purpose.
Now this deals a lot with the BOTNETS: they hijack the computer,
spoofing internet connectivity to fool the ISP and Law, and use it for
storage and sharing of illegal pirated copies of movies and software
etc. You see, they installed the P2P (peer to peer file swapping
software) program called Blubster as part of this massive payload, and
much more, including illicit malware transmission and the whole nine yards.
(Of course they fell just short of re-connectivity and I had the entire
machine diagnosed and cleaned and running about 58 minutes later!)
Blubster uses a protocol called MP2P, which stands for Manolito Peer to
Peer. This is an offshoot of the P2P, or Peer to Peer protocol. MP2P is
based on the User Datagram Protocol, or UDP. Basing MP2P on UDP allows
the Blubster service to remain anonymous. This means that users can
upload or download files anonymously and cannot be tracked down and
prosecuted for copyright infringement.
Now go back up top and see and understand the hole found in Linux; it
apparently equals that Linux was fully open to botnet infection, which
would have been easily stopped by any real quality antimalware such as
ESET NOD32 now.
THIS is what I mentioned and meant about SECURITY in Linux: that there
are parts of Linux the user cannot access for inspection as a way of manually
aiding antimalware in manual hunts for infections, and that really is
disturbing to myself. Linux prides itself as Open Code and boos Windows
for being Micro$oft Closed Code, but there is virtually nothing Closed in
Windows except for some cryptographic stuff such as the Administrator
Password etc etc etc. You just can't walk up and read in the Windows
Oh well, just wanted to clarify my comments with some intelligent
dialogue so that no one walked away with the impression that I was
simply ranting and raving mindlessly, or trolling, or Linux-Bashing at
all. I hope this post hit the mark!
gerald philly pa usa
Owner/Webmaster proudly of the BlueCollarPC.US
(Over 8.5 million Visitors/Users since 2005,
Completely non-commercial Free Community Help Site)
--- In LINUX_Newbies@yahoogroups.com, "LinuxDucks" wrote:
> Follow Up..... ( if bored with security just delete this)
> Questions Linger About New Linux 'Hand of Thief' Trojan
> In reviewing this informative press release it is apparent or really
seems this piece of malware is actually checking security and
prosecution involved in Linux. I say that because being in Windows
security going back to the very first adware infections/infestations -
much of that was actually testing the system.
> Originally, a good portion of adware infection payloads actually
included Uninstall packages with it, whereby you could navigate to the
uninstallation of software (Add/Remove Programs - XP) and uninstall it
like other normal legit software. Some even went to court saying they
were not breaking laws, that the user gave permission and etc etc etc.
None of that held water.
> This was also the birth of spyware for Windows, about year 2001 forward,
with A LOT of adware packages preceding it. Once spyware and
antispyware companies (such as Webroot) and laws were being born, it
became quite apparent the adware was just the clever way of testing the
waters to now bombard with spyware - the actual real threats to personal
information (ID Thefts) - and introducing brute force instability into the
system and even damage. Of course it really took a lot of persuading and
petitioning and complaints to get today's modern laws in effect against
spyware, in all states in the USA and most all of the world. One
place that sprung up and really evolved into otherwise was
https://www.stopbadware.org/ - originally helping to get laws passed, it
turned into clearing people's websites from bad reports in search engines
from Google blah blah blah.
> THIS looks so eerily familiar now with this first-days piece of Linux
malware. I will bet this is nothing more than cyber criminals testing
the waters in Linux, but nevertheless is apparently waiting to become
> What I had also posted about Linux having inaccessible areas kind of
leaves a head scratch. With Windows some areas were restricted as Hidden
Files - the operating system files etc. However, a simple permissions
click allowed complete access, which was extremely necessary to access
\system32 in Windows and the Downloaded Program Files (ActiveX items)
to discover malware infestation. Linux has no access to Root and it seems
some antivirus cannot scan it either.
> So like I said, I am far from an Advanced User on Linux, but not in
Windows malware. That's why I made this post and my opinion about this
particular piece of Linux malware. I think it's just an expendable
offered dummy load, like a criminal stake-out op. THAT was very prevalent
in numbers, and growing numbers, in the birth of adware/spyware days on
Windows. Perhaps towards the end of this decade there will be real
concern by virtually all users of Linux over malware, because it will be
there. Just opinions.
> Some pieces, like the POST Data, seem more the server side of things, as
improper sanitation areas of data transferred from the desktop and as a
Data Scraping type area function. The apparent absence of their
Injection process, claimed as not making it fully functional and more
dangerous, may possibly be achieved at a bad infected website running a
buffer overflow attack, perhaps to grab the private database contents and
even destroy the website application, leaving it in a DOS (denial of
service) state? If they are toying with researchers.
> All just opinion.
> gerald philly pa usa
> --- In LINUX_Newbies@yahoogroups.com, "Joe PM" jpmcsale@ wrote:
> > goto