
Linux ransomware in the wild - beefhash
https://forums.gentoo.org/viewtopic-t-1060828.html
======
Sir_Cmpwn
It doesn't seem to have been mentioned on the forums, which is alarming, but
the correct response to finding out your machine has been owned is to _shut it
the fuck down_. Right away. Then boot up a rescue CD, which will have a known
working system (read: not compromised), from which you can do some forensic
work to find out how you were owned and what data is recoverable.

Take the data you can recover offline and then reinstall from scratch. Don't
try to fix it, just recover what you can and throw the rest away.

~~~
zokier
> from which you can do some forensic work to find out how you were owned

It's worth noting that if you are really serious about doing forensics and
investigating the attack, then shutting down can be pretty destructive.

> what data is recoverable.

Another point I'd make is that try to recover as little as possible from the
infected system and prefer using clean backups instead.

I agree on the overall sentiment though, attempting to recover an infected
system is unnecessarily risky. Nuke it from orbit, it is the only way to
be sure.

~~~
jorvi
I may be wrong, but these days doesn't malware have a loader (which has a hook
in the boot cycle at some point) and a payload (which usually poses as an
innocent file tucked away on your system somewhere). Even if you wholesale
recover your data and include the payload, there is no loader hooked into your
newly-installed system, rendering the payload a digital bullet without a
corresponding gun. As far as I'm aware, infecting your MP3s or JPEGs was more
something ye olde worms did, no?

~~~
tedunangst
The loader hook could well be in your .profile. Or the infection vector could
be a naughty PDF just waiting to be thumbnailed again after a reinstall.

~~~
bogomipz
Could you elaborate are you referring to a specific PDF vulnerability? Could
you share a link to it? Thanks.

~~~
therein
This should do:

> In the first demo, I just select the PDF document with one click. This is
> enough to exploit the vulnerability, because the PDF document is implicitly
> read to gather extra information.

> In the second demo, I change the view to Thumbnails view. In a thumbnail
> view, the first page of a PDF document is rendered to be displayed in a
> thumbnail. Rendering the first page implies reading the PDF document, and
> hence triggering the vulnerability.

> In the third demo, I use my special PDF document with the malformed stream
> object in the metadata. When I hover with the mouse cursor over the document
> (I don’t click), a tooltip will appear with the file properties and
> metadata. But with my specially crafted PDF document, the vulnerability is
> triggered because the metadata is read to display the tooltip…

[https://blog.didierstevens.com/2009/03/04/quickpost-jbig2dec...](https://blog.didierstevens.com/2009/03/04/quickpost-jbig2decode-trigger-trio/)

------
joecool1029
Nice read but nothing particularly special here and it happened months ago.
The title is alarmist.

TL;DR: The user ran firefox as root and the attack happened through adobe-
flash. Hardly a sophisticated attack.

~~~
avian
Why does it matter if Firefox ran as root or not? I agree it's terrible
practice in principle. But most people will run Firefox as their ordinary
user, which normally has full access to the files in their home directory.

If someone gets arbitrary code execution under your user, they can
erase/encrypt your files. Who cares if the OS files are safe. All the data you
really care about will be gone.

~~~
throwmenow_0140
agree. ordinary user is absolutely sufficient. I'll now present a
sophisticated privilege escalation method that most of us won't notice (me
included, sarcasm off):

    alias sudo='/usr/bin/sudo echo something evil && /usr/bin/sudo'

I don't think it matters that he used his root account.

Edit: Maybe I'm wrong with my opinion, you can disable ASLR using your root
rights... [https://askubuntu.com/a/318476](https://askubuntu.com/a/318476)

Edit: Last exploit for Linux remote exploitation with Flash is from 2015
[https://www.rapid7.com/db/modules/exploit/multi/browser/adob...](https://www.rapid7.com/db/modules/exploit/multi/browser/adobe_flash_hacking_team_uaf)
or did I miss something here?
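The two persistence spots raised in this sub-thread, a loader hooked into a shell startup file and a shadowed `sudo`, are both cheap to check for from a rescue system against the mounted home directory. The script below is an added example, not code from the thread or from any of the commenters; the file list, the set of shadowed commands and the "suspicious location" patterns are my own assumptions and only a starting point.

```shell
#!/bin/sh
# Added example, not from the thread: a read-only triage check for the two
# persistence spots mentioned above, a loader hooked into a shell startup
# file and a shadowed `sudo`. Meant to be run from a rescue system against
# the mounted home directory; it only reports, it changes nothing.

# Files an interactive or login shell sources (assumption: sh/bash/zsh users).
STARTUP_FILES=".profile .bash_profile .bash_login .bashrc .bash_aliases .zshrc .zprofile"

# Commands worth shadowing to capture a password or ride a privileged call.
SHADOW_TARGETS="sudo su ssh gpg"

# tag_lines PATH: prefix each stdin line (already "N:text" from grep -n) with PATH
tag_lines() {
    while IFS= read -r line; do
        printf '%s:%s\n' "$1" "$line"
    done
}

# scan_startup_hooks HOME_DIR
# Prints one finding per line as  <file>:<line>:<text>  and always exits 0,
# so callers count lines rather than test the status.
scan_startup_hooks() {
    home_dir=$1
    for f in $STARTUP_FILES; do
        path="$home_dir/$f"
        [ -f "$path" ] || continue
        for cmd in $SHADOW_TARGETS; do
            # alias sudo=..., function sudo() {...}, sudo() {...}
            grep -nE "^[[:space:]]*(alias[[:space:]]+$cmd=|(function[[:space:]]+)?$cmd[[:space:]]*\(\))" "$path" \
                | tag_lines "$path"
        done
        # Lines that source, evaluate, fetch or background something from a
        # world-writable or cache location at login: the classic loader hook.
        grep -nE "^[[:space:]]*(\.|source|eval|nohup|curl|wget)[[:space:]]" "$path" \
            | grep -E '/tmp/|/dev/shm/|/var/tmp/|\.cache/|curl|wget|\| *(sh|bash)' \
            | tag_lines "$path"
    done
    return 0
}

# Usage (only when invoked with an argument): ./scan-hooks.sh /mnt/rescue/home/alice
if [ -n "${1:-}" ]; then
    scan_startup_hooks "$1"
fi
```

Run it against the home directory as mounted under the rescue system, not from the suspect install, so the shell doing the grepping has not itself sourced the files it inspects. A hit is a lead to read by hand, not proof: legitimate dotfiles also source things, which is why the second pattern only fires when the sourced path points somewhere an attacker can write.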

~~~
JTechno
I'm going to make a separate account just to run the web browser, xhost
+localhost && su -c web-browser unprivileged-user

~~~
freeloop3
If you're using xwindows they can just install a keylogger

------
abrowne
Not trying to blame the user, just trying to understand: why would someone
ever run a web browser as root? A text editor to edit system files, ok, but a
browser?

~~~
CJefferson
Seeing as the user's main problem is their home directory was encrypted, the
root doesn't seem like it would make any difference...

Better would be easier ways to run browsers (and all applications) inside
protected systems of some kind, so even if they are hacked they can't touch
anything outside their own cache directory, and creating downloaded files.

~~~
482794793792894
You're describing a sandbox. You run the security-vulnerable routine inside a
separate process and give this process the most minimal read/write-permissions
that the routine can still work with.

Flash itself has been sandboxed inside Firefox's Plugin Container since
forever and Firefox is getting a sandbox around tabs as we speak.

But you can break out of sandboxes. By either exploiting a bug in the OS that
bypasses process permissions or by finding a hole in the sandbox that allows
you to do things.

I imagine, for example, if you want to upload a file, then the tab-process has
to talk to the less restricted main-Firefox-process, which has to then open up
a file-chooser dialog and give control to the user.

But it could for example be possible to somehow malform this request to the
main-Firefox-process, so that the file-chooser crashes and just hands over a
random file, before the user has even seen the dialog. (Obviously, I'm not
going to come up with an actual security vulnerability on the spot here.)

This kind of vulnerability can't be fixed with a sandbox. You need some way to
upload files, for which you'll need filesystem access in some way and to
pretty much the entire Home-directory.

Theoretically, you could require the user to copy the file into a separate
"Upload"-directory and then only have read-permissions to that directory, but
that's hardly user-friendly and would probably end up with some users keeping
their entire Home-directory underneath that Upload-directory.

------
jaclaz
It seems like some variant of the Linux.Encoder.1 (2015):

[http://www.zdnet.com/article/crypto-ransomware-strikes-linux...](http://www.zdnet.com/article/crypto-ransomware-strikes-linux-but-attackers-botch-private-key/)

[https://labs.bitdefender.com/2015/11/linux-ransomware-debut-...](https://labs.bitdefender.com/2015/11/linux-ransomware-debut-fails-on-predictable-encryption-key/)

probably "python based" and, as mentioned on the gentoo forums, the ransomware
message is very similar to the one in:
[https://github.com/jdsecurity/CryptoTrooper](https://github.com/jdsecurity/CryptoTrooper)

------
KGIII
Hmm... I half expected this to be a joke and the post about how they had to
compile it themselves and were trying to get the dependencies squared away.

Friends don't let friends run Flash. Does Gentoo have Firejail readily
available? That would have prevented this, I'm pretty sure.

------
segmondy
This is 7 months old. From March. Title makes it sound like breaking news.

------
pbhjpbhj
Hadn't thought of it before but it might be an idea to run my browser
(Firefox, Kubuntu 17.04) under a separate user that doesn't have access to my
main user files.

Might be simplest to just create a user through the DE, then "su -c" from my
main user to run the browser?

~~~
unkown-unknowns
Out of the box it'll probably tell you "Client is not authorized to connect to
server" if you try to run anything X11 as another user.

However it should be possible to configure your system such that it doesn't
like such:
[https://wiki.archlinux.org/index.php/xorg#X_clients_started_...](https://wiki.archlinux.org/index.php/xorg#X_clients_started_with_.22su.22_fail)

~~~
pbhjpbhj
I currently run my kids browsers under my user by doing "xhost +local:; su -l
-c /usr/bin/firefox $USERNAME" where USERNAME is the kids login. I may have
made changes to enable that, don't recall sorry.
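Both the `xhost +localhost` and the `xhost +local:` variants in this sub-thread grant the X server to every local account, not just the browser's. The wrapper below is an added example, not code from the thread or from any commenter: it uses xhost's server-interpreted `si:localuser:NAME` form to grant exactly one account, passes `DISPLAY` through `su -l` (which otherwise strips it), and revokes the grant when the browser exits. The account name `webuser` and the default browser path are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: launch a browser as a dedicated,
# unprivileged account without `xhost +local:`. That grant opens the X server
# to every local user; a server-interpreted grant limits it to one account.
# Assumptions: Xorg reachable over a local socket, a pre-created account
# (here "webuser") with no access to your own home, and su(1) available.

# x11_grant_spec USER -> prints "si:localuser:USER", or fails if USER is not
# a plain account name (keeps odd input out of the xhost and su arguments).
x11_grant_spec() {
    case $1 in
        ''|*[!A-Za-z0-9._-]*|-*) return 1 ;;
    esac
    printf 'si:localuser:%s\n' "$1"
}

# browser_cmd BROWSER -> the command run inside the other account's login
# shell. su -l resets the environment, so DISPLAY must be passed explicitly.
browser_cmd() {
    printf 'DISPLAY=%s exec %s\n' "${DISPLAY:-:0}" "$1"
}

# run_browser_as USER [BROWSER]
run_browser_as() {
    user=$1; browser=${2:-/usr/bin/firefox}
    spec=$(x11_grant_spec "$user") || { echo "bad user name: $user" >&2; return 2; }
    xhost "+$spec" >/dev/null || return 1
    # Revoke the grant again when the browser exits, even on error.
    trap 'xhost "-$spec" >/dev/null' EXIT
    su -l -c "$(browser_cmd "$browser")" "$user"
}

# Usage (only when invoked with arguments): ./browser-as.sh webuser /usr/bin/firefox
if [ -n "${1:-}" ]; then
    run_browser_as "$@"
fi
```

This narrows who may connect, nothing more: once connected, an X11 client shares the display with every other client, which is the keylogger point made earlier in the thread. Treat the separate account as protection for your files, not for your keystrokes.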

~~~
digi_owl
An extra layer of protection may be offered by using the likes of xpra.

[https://xpra.org/](https://xpra.org/)

------
binaryapparatus
There is trend of insecurity/vulnerabilities that seems to gain in speed in
recent months. Not trying to sound ominous and nothing to really point finger
to but it seems like a thing.

Since few months ago I do almost all browsing in carefully set w3m. No
javascript at all of course and certainly no flash. I am typing this in vim
which is set as default form editor in w3m for me.

Edit: if you are wondering if w3m can work well try looking at HN using w3m,
its a real beauty.

------
hawski
That is one of the reasons I am thinking about having /home on NILFS2 ([1] a
log-structured file system) in my dabbling with my own Linux distribution. When
you have constant snapshots then ransomware can't do much, can it?

[1] [https://en.wikipedia.org/wiki/NILFS](https://en.wikipedia.org/wiki/NILFS)

~~~
detaro
Depends on what permissions it has. If it runs as root, it probably could
delete/mess up snapshots. If it's going to do so, especially for non-
mainstream filesystems, is another question.

~~~
hawski
If it runs as root you have much more to worry about, but that's of course one
of the problems.

------
xpaulbettsx
Yes, I got hit by this on two separate machines in June or so, they'll break
into one, steal all the SSH keys and look through your history looking for
more machines to break into. It sucks ass. I suspect that my breakin was
because of an outdated Wordpress installation I kept around.

This malware is super thorough and super obnoxious. Keep your machines up-to-
date.

------
czep
> "Yeah, I'm guilty of running FireFox as root."

Noooooooooooooo!

------
cisanti
I don't understand from this post why run Firefox as root and why have in
addition flash enabled on Linux.

But it's still interesting that they bother with making ransomware in the first
place for Linux.

~~~
pritambaral
Lots of servers run Linux. Lots of data to hold ransom on lots of servers
running Linux.

~~~
cisanti
But who runs flash on server as root?! If this was the source..

~~~
yjftsjthsd-h
It's a multi-stage thing, first stage gets into a system by browser exploit,
then it uses SSH keys to get everywhere else

------
campuscodi
Linux ransomware has been around since the fall of 2015. Nothing special,
mate.

~~~
campuscodi
Wow...voted down for speaking the truth and bringing some actual knowledge to
this fear-mongering thread. HN is turning into Slashdot, I see.

