
Powerful, highly stealthy Linux trojan may have infected victims for years - SoapSeller
http://arstechnica.com/security/2014/12/powerful-highly-stealthy-linux-trojan-may-have-infected-victims-for-years/
======
click170
I concede that it's not a panacea, but I really do feel like filtering
outbound requests is going to be one of the best defences we have against
stuff like this going forward.

It protects you against:

- viruses / trojans that try to call out

- ad tracking (and ads in general, if you want)

- intrusive analytics

- suspect consumer devices (TVs that transmit live audio, network cameras
that connect to the cloud even though the cloud feature is disabled, content
players that try to report your activity)

Edit: formatting

~~~
acdha
That's been successful enough in the past that there's a strong selective
pressure for malware to look more like legitimate traffic. How much time are
you going to spend reviewing each HTTPS request made to an EC2 IP address?

Similarly, if that works, there's zero chance that a large vendor won't use
the same endpoint for software updates, advertising and activity tracking,
etc. to make filtering impossible.

~~~
click170
I don't dispute that malware is incentivised to look like legitimate traffic.

I wanted to respond to your comment about vendors using one endpoint to
inhibit filtering. They have as much freedom to do this as I do to deny them
any internet access if they do. If the product does not operate as advertised
in light of this, it will be promptly returned to the retailer.

Also, good filtering isn't based on an IP address alone but that's splitting
hairs. Yes it is time consuming but I argue privacy isn't free, it must be
protected and defended, we all have to find the medium we are happy with.

~~~
acdha
> If the product does not operate as advertised in light of this, it will be
> promptly returned to the retailer.

I support this in principle but it really needs regulatory reform: it's hard
or impossible to return opened software or a device when the manufacturer
changes their policies a year after you bought it. That latter point is becoming more
relevant as we increasingly see computers deeply integrated into expensive
devices with long service lifetimes. Just wait until a car manufacturer pushes
out one of those combined “security fixes and new terms of service / we
collect your personal data” patches and you're faced with living with
problems, suing, or clicking Accept and hoping you'll have better options in a
few years when you're looking for a new car.

> Also, good filtering isn't based on an IP address alone but that's splitting
> hairs. Yes it is time consuming but I argue privacy isn't free, it must be
> protected and defended, we all have to find the medium we are happy with.

That's a worthy sentiment but I think it's a losing game because at its root
it's a social problem. It's going to be a tough battle as long as companies
have very limited regulation for collecting personal information, the ability
to unilaterally change service terms after purchase with no right to
compensation, and – particularly critical – no penalty for security failures
except in rare cases where an expensive lawsuit succeeds.

(That wouldn't directly affect outright malware but corporate responsibility
would increase the incentives to take security more seriously than most
companies have in the past)

------
jrochkind1
> Even a regular user with limited privileges can launch it, allowing it to
> intercept traffic and run commands on infected machines.

Huh, how do they do that?

> The underlying executable file is written in the C and C++ languages and
> contains code from previously written libraries, a property that gives the
> malicious file self-reliance.

Does that mean something? I don't get it.

I thought arstechnica usually was written for a technical audience.

~~~
gizmo686
> The underlying executable file is written in the C and C++ languages and
> contains code from previously written libraries, a property that gives the
> malicious file self-reliance.

I think they mean that the executable is statically linked.

~~~
usefulcat
If they're going to use a description that probably sounds cryptic to average
readers, they should at least use a description that's meaningful for the more
technically knowledgeable.

------
semenko
Details via: https://securelist.com/blog/research/67962/the-penquin-turla-2/

Notably, the C&C domain has been sinkholed by Kaspersky.

This has been linked to the complex "Turla" industrial espionage malware, as
it shares a C&C server. (Turla:
http://securelist.com/analysis/publications/65545/the-epic-turla-operation/ )

~~~
dsl
The Turla malware sends data back using PHP proxies running on hacked servers.
The same PHP proxy script is used by MiniDuke.

MiniDuke in turn screams Russia in its target selection and spear phishing
related to the Ukrainian bid to join NATO.

~~~
orbifold
The Ukraine is trying to join NATO? That seems like a recipe for disaster, why
not let Russia have a buffer zone of countries it controls..

~~~
dsl
[http://en.wikipedia.org/wiki/Ukraine%E2%80%93NATO_relations](http://en.wikipedia.org/wiki/Ukraine%E2%80%93NATO_relations)

------
tptacek
It's a userland trojan and it's "one of the most complex APTs in the world"?

One wonders what these people would think if they found MosDef in the wild.

~~~
dmix
I believe they mentioned the fact it couldn't be detected by netstat as an
example of its sophistication.

idk how this got 127 upvotes.

~~~
acdha
I share your snarky reaction but a more depressing way of looking at it is to
remember that these are using ancient techniques and are still infecting large
numbers of systems. It's not true that the last couple decades have made _no_
progress but it's somewhat sobering that the bar for a successful attacker is
still set this low…

~~~
dmix
> last couple decades have made no progress

Who has made no progress?

Malware forensic experts are not using netcat to detect malware nor are
sysadmins. There are plenty of more modern techniques.

The problem is no one has cared about security (especially gov, many big
corps) until recently...not that the toolsets have been weak. Which is why all
the news this year is coming out because they decided to finally check if
they've been compromised for the first time.

~~~
acdha
Note that I actually said it's _not_ true that there's been no progress.

My point, rather, was that progress has been unevenly distributed so there's a
disturbingly large range in practice: it's certainly true that actual experts
are not using netstat to detect malware but it's also true that most system
administration is not performed by security experts. The same places which
waited until this spring to upgrade from Windows XP or where security updates
are blocked behind long review processes also tend to be the places where
someone learned how to use netstat 20 years ago and doesn't want to learn a
new skill.

------
annnnd
I can't shake the feeling that current security measures are designed in the
wrong way. Antiviruses are fundamentally flawed (blacklist instead of
whitelist; mostly curing instead of preventing). Filtering traffic is
difficult (it is relatively easy to hide information in heavy legitimate
traffic).

Maybe the way ahead is in ensuring that files (and images in memory,
flash,...) don't get changed. Maybe we should have some external device which
monitors computer components for change? It should have access to all the
computer parts and should be without any interfaces except for physical ones
(typing directly on its touch screen). Just an idea...

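The "make sure files don't change" idea from the comment above, as an added example that is not from the thread: a baseline manifest of file hashes and a check that reports what differs. It assumes GNU coreutils (sha256sum); the function names are my own. Its value depends entirely on where the manifest lives: a trojan running as the same user can rewrite a manifest kept on the same disk, so the baseline has to sit on read-only media or on another host, which is the role the comment gives to an external device.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal file-integrity baseline built
# from find and sha256sum (GNU coreutils assumed). The manifest must be stored
# somewhere the monitored system cannot write, or the check proves nothing.
set -eu

# make_manifest DIR: one "sha256  path" line per regular file under DIR,
# sorted by path so two manifests of the same tree compare line for line.
make_manifest() {
    find "$1" -type f -exec sha256sum {} + | sort -k2
}

# check_manifest DIR MANIFEST: recompute the hashes and print every manifest
# line that no longer matches (modified, added or removed files). Prints
# nothing and returns 0 when the tree is unchanged, returns 1 otherwise.
check_manifest() {
    current=$(make_manifest "$1")
    changed=$(printf '%s\n' "$current" | diff "$2" - | grep '^[<>]' || true)
    [ -z "$changed" ] && return 0
    printf '%s\n' "$changed"
    return 1
}

# Stand-alone usage (my own convention):
#   integrity.sh baseline DIR > manifest     # on a known-good system
#   integrity.sh check DIR manifest          # later, manifest from read-only media
case "${1:-}" in
    baseline) make_manifest "$2" ;;
    check)    check_manifest "$2" "$3" ;;
esac
```

Lines beginning with `<` are the baseline's view of a file and lines beginning with `>` the current one, so a modified file shows up as a pair, a newly dropped binary as a lone `>` and a deleted one as a lone `<`.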
~~~
ori_b
The problem is that we currently rely on user discretion. Users are really bad
at preventing malware from infecting their system.

We can do some things, sure -- sandboxing by default, etc. But when it comes
down to it, if the user is able to click an 'allow access to my banking
information' button, then that user will be getting screwed.

The only response I can think of is taking that power out of the hands of the
user, and putting everyone in a walled garden. That is something that I find
distasteful.

Is there a solution that leaves users in power over their own computers? I
don't know.

~~~
tim333
In practice I have power over my computer but there is no 'allow access to my
banking information' button for most of my bank stuff because the banks don't
allow it. The info is on their servers and in the most extreme case I have to
use a physical security device to generate a code to access it. Dunno if
that's the way forward?

------
codezero
Is there a quick and dirty script/one liner I can run to check my VPS right
now?

~~~
etcet
This may take a while depending on the amount of data you have and the speed
of your disk(s):

    grep -R -e 'TREX_PID=%u' -e 'Remote VS is empty !' /

Alternatively you could create ClamAV signatures based on those strings.

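A slightly more careful version of that one-liner, as an added example rather than anything from the thread or from Kaspersky: it prunes the pseudo-filesystems that make a bare `grep -R /` crawl or hang (`/proc/kcore` alone is effectively unbounded), matches the two strings as fixed strings inside binaries, and, as the last sentence suggests, turns the same two strings into a ClamAV `.ndb` signature file. Only the two indicator strings come from the thread; the signature names, function names and the `--run` flag are my own.

```shell
#!/bin/sh
# Added example, not from the thread: a more careful version of the grep
# one-liner above plus ClamAV .ndb signatures built from the same strings.
# Everything except the two indicator strings is an assumption of mine.
set -eu

# The two indicator strings quoted in the thread (from Kaspersky's report).
IOC1='TREX_PID=%u'
IOC2='Remote VS is empty !'

# scan_tree [DIR]: print every regular file under DIR (default /) containing
# either string. Differences from the bare "grep -R /":
#  - /proc, /sys and /dev are pruned: they are slow, noisy, can block on
#    device nodes, and /proc/kcore alone makes the scan take forever.
#  - -a searches binaries as text and -F disables regex, so the '%' and '!'
#    in the indicators are matched literally.
#  - -l lists matching paths only, which is what you actually want to review.
scan_tree() {
    root=${1:-/}
    base=${root%/}
    find "$root" \( -path "$base/proc" -o -path "$base/sys" -o -path "$base/dev" \) -prune \
        -o -type f -exec grep -laF -e "$IOC1" -e "$IOC2" {} + 2>/dev/null || true
}

# hex_of STR: the bytes of STR as a lowercase hex string, the form ClamAV
# expects in a signature body.
hex_of() {
    printf '%s' "$1" | od -An -tx1 -v | tr -d ' \n'
}

# ndb_sig NAME STR: one ClamAV .ndb line, "Name:TargetType:Offset:HexSig".
# Target type 0 = any file (6 would restrict it to ELF), offset * = anywhere.
ndb_sig() {
    printf '%s:0:*:%s\n' "$1" "$(hex_of "$2")"
}

# write_ndb FILE: emit both signatures to FILE, usable as "clamscan -d FILE".
# The signature names are made up here; use your own naming scheme.
write_ndb() {
    {
        ndb_sig 'PenquinTurla.TREX_PID' "$IOC1"
        ndb_sig 'PenquinTurla.RemoteVS' "$IOC2"
    } > "$1"
}

# Stand-alone usage: write the signature file and scan the whole filesystem.
if [ "${1:-}" = "--run" ]; then
    write_ndb ./penquin.ndb
    scan_tree /
fi
```

The scan still only finds an unpacked, unencrypted copy of the binary on disk, exactly like the original one-liner; a sample that keeps those strings obfuscated until runtime would need a memory scan instead.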
~~~
foxylad
Thanks.

Being able to provide a simple, easily verified command on a public forum to
detect the most stealthy malware is testament to the brilliant design of
unix-style systems. If someone offered a Windows utility to do the same thing
on a forum, only fools would run it.

~~~
tedunangst
Because you can't type a search string into the search box in explorer on
windows?

~~~
gaadd33
The search box in explorer searches binaries these days? Honest question, I
haven't used it in years.

That seems like it would be pretty counterintuitive for users though. Someone
tries to search for the string 'program' and it returns all binaries that have
'This program cannot be run in DOS mode' in them. (Which I think is pretty
much all PE binaries)

~~~
tedunangst
I recall "search all files" looking inside pretty much everything, including
exe and unknown file types. (it's been a while for me, too.)

~~~
gizmo686
I recall "search all files" only searching indexed folders, which by default
leaves a lot of room for the virus to install itself somewhere that is not
being searched without even trying.

~~~
tedunangst
And then you click "search all folders (may be slow)".

------
wjoe
"It can't be detected using the common netstat command."

How is this possible? I thought netstat would show any program which is
listening for connections on a port, regardless of whether it's actively doing
anything.

~~~
gizmo686
Assuming the trojan has a rootkit, it can patch the kernel so that netstat
does not report it.

~~~
tptacek
Is there any evidence that it patches the kernel? If it infiltrates the
kernel, you'd think that'd be the most important detail Kaspersky could
reveal; forget about whether the authors ran "strip" on the binary or not.

~~~
gizmo686
You're right. I misread the article where it said that the Windows malware had
a rootkit. Checking the linked technical description [0] it looks like the
Linux version does not require privilege escalation.

[0] https://securelist.com/blog/research/67962/the-penquin-turla-2/

------
0x0
How can it run packet dumping as a non-root user?

~~~
tedunangst
LD_PRELOAD? ptrace?

Updated: Actually, I have no idea. The securelist link says "It uses
techniques that don't require root access" but then later says "The module
statically links PCAP libraries, and uses this code to get a raw socket".

I have no idea how one gets a raw socket without root, but I'm not in the
business of creating raw sockets on linux...

~~~
0x0
Not sure I follow, can a non-root user observe raw packets (like SYN packets
and sequence numbers) through these facilities?

Edit: well, a statically linked pcap is still just a bunch of user-mode
assembly code. I didn't think linux kernel security hinged on keeping
libraries secret :P

~~~
tedunangst
I tried interpreting the ars article (rookie mistake) and assumed it was
stealing traffic from other programs running as the same user.

~~~
0x0
Aha, now I see why you brought up ptrace.

But they were talking about magic syn packets etc (in the securelist post
linked from another comment, I got the sources mixed up)

------
zvrba
Does there not yet exist a debugger which runs as a hypervisor?

------
touristtam
would the attacker not need to have access to the target machine to install
this?

------
icantthinkofone
"The malware may have sat unnoticed on at least one victim computer for years,
although Kaspersky Lab researchers still have not confirmed that suspicion."

So it might not have? And they're not sure? And "at least one" means it might
only be one.

All this makes me highly suspicious of the article.

------
iamleppert
What a worthless article.

~~~
vernie
With a comment to match

