
Pokemon themed umbreon rootkit targets Linux systems...

Discussion in 'Random Nonsense' started by cloasters, Sep 7, 2016.

  1. cloasters

  2. Gizmo

    I'm a little confused by the furor being created around this exploit.

    1. The system in question has to have already been compromised some other way in order to get this rootkit installed. You can't just e.g. point at port 80 and use it to compromise the web server; you have to have already compromised the web server and at least gained the ability to upload and run arbitrary scripts.
    2. In order to install this rootkit, you have to be able to create a file in the /etc directory. On every system I've looked at (I currently admin over 450 linux-based servers, ranging from kernel 2.6.32 up to 4.4.8, including a range of servers on varying versions of RHEL, Ubuntu, CentOS, and Gentoo), NOT ONE of them has the /etc directory writable by anyone other than root.
    In short, I'm mystified as to how this rootkit gets installed on a system that hasn't ALREADY been rooted by some other means, in which case, 'all your base are belong to us' ANYWAY.

    Now, I'll grant that there are a LOT of appliances out there running outdated and unmaintained Linux installations, provided by companies who barely understood their hardware, much less the Linux OS they were putting on them, and who have made no attempt to provide ANY updates since. However, those appliances are at risk from all MANNER of nasty compromises, not just this one. (Now THERE'S a comforting thought.)

    So, yeah, I'm a little confused, and can't help but feel that I'm missing something?
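    A defender-side check that follows from Gizmo's second point, as an added example that is not part of the thread: it lists every file or directory under /etc (or any directory you pass) that an account other than the expected owner could modify, which generalizes his observation about the /etc directory itself to the whole tree. The function names and the optional owner argument are my assumptions, not anything from the original posts.

```shell
# Added example, not code from the thread: audit a tree the way Gizmo's
# second point describes, listing every file or directory that an account
# other than the expected owner could modify. Such an entry under /etc is
# either a misconfiguration or a sign the host was already compromised.
#
# Usage: audit_writable_etc [DIR] [OWNER_UID]
#   DIR defaults to /etc, OWNER_UID to 0 (root). Both defaults are assumed.
audit_writable_etc() {
    dir="${1:-/etc}"
    owner="${2:-0}"
    # -perm /022 matches when the group-write OR the other-write bit is set;
    # ! -uid catches entries handed to some other owner. Symlinks are
    # skipped (their mode bits are meaningless) and errors on unreadable
    # paths are silenced so the report holds only offending paths.
    find "$dir" \( -type f -o -type d \) \
         \( -perm /022 -o ! -uid "$owner" \) -print 2>/dev/null
}

# Exit status 0 when nothing under DIR is writable by anyone except OWNER,
# 1 otherwise; suitable for a cron job or a configuration-management check.
etc_is_root_only() {
    [ -z "$(audit_writable_etc "$@")" ]
}
```

Run `etc_is_root_only && echo clean` as root on a host to reproduce the check Gizmo describes; on a clean system it prints nothing but "clean".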
  3. cloasters

    Thank you very much for your explanation, Gizmo! The article in Slashdot grabbed my attention. Tbh, I don't know what "appliances" means. Does it refer to the IoT, or other things as well?

    Sysadmin for more than 450 Linux Servers, wow!
  4. Gizmo

    There's a surprising amount of kit out there running an embedded Linux, and most of it is for stuff you wouldn't think of. Home routers and wifi access points are pretty obvious, but most computer monitors and TVs also, DVD/BluRay players, stereos, MP3 players, internet-enabled refrigerators, stoves, home power meters, programmable thermostats, network accessible cameras, security systems, the list goes on and on. If it has the ability to be accessed via a network connection (or even USB), then it has an operating system, and odds are that operating system is running some version of Linux.
  5. booman

    It's always good to hear that another threat in Linux is mostly targeted at WEB servers and not desktops. I know desktops are susceptible to these threats as well, but most of these seem to be looking for always-on, open-to-the-public servers.

    My desktops are only on a few hours a day and only connect to the internet during those times. The rest of the day they are off or in sleep mode. Nothing is broadcast to the internet... not even games.
    As Gizmo said... systems that are susceptible to these types of threats need to already be compromised in the first place.

    You can also protect yourself by keeping your distro updated, never logging in as root, and installing an anti-virus/anti-malware program.
  6. Gizmo

    Even devices that are asleep can be potentially hacked, if they have the 'wake on lan' feature enabled.
  7. booman

    Yes true, thank you Gizmo!
    I always turn off wake-on-LAN features in my BIOS/UEFI.
  8. cloasters

    So we really need to run anti-virus and anti-malware software? Is it the end of the good old days?
  9. cloasters

    Ouch, I didn't think about monitors, TVs, DVD and Blu-Ray players. Plus stereos and MP3 players. Ah for the "good ole' days" of crank-generator-powered short-wave sets.
  10. booman

    Probably not, but if you want the extra layer of security... you can.
    Other Linux gamers have used an anti-virus in Linux because they share files with Windows gamers. So you don't want to accidentally send them an infected file.
  11. Gizmo

    Linux isn't immune to virii, it's just more difficult to get them because we don't run day-to-day applications as the administrative ('root') user, the way many Windows systems do. In addition, painful as it is to admit, Linux just isn't a worthwhile target for virus writers; there are just WAY more stupid people out there running Windows than Linux, which makes Windows a 'target rich environment' compared to Linux.

    Once Linux becomes popular enough to start getting the attention of virus writers in a concerted way on the desktop, you'll start seeing more Linux attacks.
  12. booman

    This is what I'm afraid of. As Linux develops into a widely used gaming/home PC, more threats will head our way.
  13. cloasters

    Oh, the embarrassment. I was a more or less trusting MS user for too long. I always ran a good, paid-for AV prog and anti-rootkit software, but I bet I was virussed and hacked a lot more than I realized.

    Assuming that you have the knowledge and can afford the equipment, is it possible to monitor for virii and all other security attacks? In near real time?
    Or would you have to have far too much gear and too many people on the job all of the time?

    I guess I'm asking about just your own PC.
  14. Gizmo

    You can monitor, but the thing is, if you depend solely on reactive technologies then you are always behind the curve; threats are always evolving, and the ways of detecting them are always going to be playing catch up.

    The best way to prevent virii and account compromises is through good system security policy; don't share passwords between accounts, use complex passwords, use 2-factor authentication where possible, don't click on links that you don't know, don't open attachments that you aren't expecting, don't run programs from sources you don't trust, don't open e-mails from people you aren't expecting e-mail from, use encrypted connections wherever possible (HTTPS, IMAPS, POP3S, SMTPS, SSH, VPN), don't share sensitive data over unencrypted connections, don't run anything as administrator that you don't absolutely have to.

    That's a lot of rules, I know, but until we come up with a better way, it'll have to do.
  15. cloasters

    Thank you very much for your advice on these security how-to's, Gizmo!
  16. Daniel~

    I'm wondering...
    Given my on-line presence as an AOA admin and now in GOL, I expected my first virus a long, long time gone by!

    So my question is how many of you have been hit? Am I just lucky...or did Norton actually do something besides ask me to update Norton.
  17. Gizmo

    I have never been unexpectedly hit by a virus.

    What I mean by that is that I have had viri on my system, but only because I opened a file, attachment, or web site of which I was already suspicious, so made sure I had my defenses in place and then examined the suspicious content in a sandbox.

    I have over the years had numerous opportunities though. I get several zip files or PDFs every day. Of course, I also routinely receive over 1,000 spams a day.
