Tag: Linux

ESET discovers 21 new Linux malware families

Although Linux is generally regarded as more secure than the far more widely used Windows, it is not immune to misconfiguration or malware infection. Over the past decade the number of malware families targeting Linux has grown.

In a report published yesterday by cyber-security firm ESET, the company details 21 "new" Linux malware families. All operate in the same way, as trojanized versions of the OpenSSH client, and are built as second-stage tools deployed in larger botnet operations: attackers first compromise a Linux system, usually a server, and then replace the legitimate OpenSSH installation with one of the trojanized builds.

Read more about the newly discovered Linux malware families on ZDNet.

Samba Trojan becomes the bread and butter of fresh attack campaign

The Butter attack campaign has been bolstered by the deployment of the Samba Trojan, a recent change to the stealthy criminal operation.

Researchers from cybersecurity firm GuardiCore have been tracking the Butter campaign since 2015. While attacks from the criminals behind it have been fairly limited, coming from only four IP addresses, a new payload has now been added which "has gone undetected by many security products." The new payload is Samba, a remote access Trojan (RAT) that first appeared in 2018.

Read more about the evolution of the Butter attack campaign on ZDNet.

New Linux crypto-miner steals your root password and disables your antivirus

Malware targeting Linux users may not be as widespread as the strains targeting the Windows ecosystem, but Linux malware is becoming just as complex and multi-functional over time.

The latest example of this trend is a new trojan discovered this month by Russian antivirus maker Dr.Web. The strain does not have a distinctive name yet and is tracked only under its generic detection name, Linux.BtcMine.174. Despite the generic name, the trojan is more complex than most Linux malware because of the number of malicious features it packs in.

Read more about the sophisticated new Linux malware on ZDNet.

Mirai Evolves From IoT Devices to Linux Servers

Researchers from Netscout's ASERT team have discovered what they believe are the first non-IoT versions of the Mirai malware in the wild. The new versions behave much like the original Mirai written for Internet of Things devices, but are built to run on Linux servers instead. Unlike the original Mirai, they do not spread in a worm-like fashion; attackers deliver them through exploits in a more targeted manner.

Netscout researchers say they have observed what appears to be a relatively small number of threat actors attempting to deliver the malware on Linux servers by exploiting a recently disclosed vulnerability in Hadoop YARN.

Read more about the Mirai variants targeting Linux servers on DarkReading.

Linux CryptoMiners Are Now Using Rootkits to Stay Hidden

As the popularity of cryptocurrency rises, so does the number of cryptominer Trojans being created and distributed to unsuspecting victims. One problem for a cryptominer is that its process is easy to spot because of its heavy CPU utilization. To make the process that is consuming all of the CPU harder to find, a newly discovered Linux variant hides its presence with a rootkit.

According to a new report by Trend Micro, this cryptominer and rootkit combination still causes performance problems because of the high CPU utilization, but administrators cannot see which process is responsible.
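As an added check, not from the Trend Micro report or the BleepingComputer article: a POSIX shell script that looks for processes hidden from /proc enumeration. It assumes the common userland technique for this kind of rootkit, a shared library registered in /etc/ld.so.preload that hooks readdir() so that ps, top and ls never return the miner's PID; because such a hook only filters directory listings, probing /proc/<pid> directly still reveals the process. The function and file names are this example's own.

```shell
#!/bin/sh
# Added example: look for processes hidden from /proc directory listings.
# Assumption (not stated in the report): the rootkit is a userland library,
# registered in /etc/ld.so.preload, that hooks readdir() and filters the
# miner's PID out of every listing of /proc. Probing /proc/<pid> directly
# does not go through readdir(), so the hidden process still shows up there.
#
# Usage: sh hidden-procs.sh --scan     (run as root for a complete view)

# Print every entry of the second newline-separated list that is absent from
# the first. Pure text processing, so it can be tested on constructed input.
missing_from() {
    listed=$1
    probed=$2
    printf '%s\n' "$probed" | while IFS= read -r pid; do
        [ -n "$pid" ] || continue
        printf '%s\n' "$listed" | grep -qx -- "$pid" || printf '%s\n' "$pid"
    done
}

# Print the non-comment entries of an ld.so.preload-style file. Every library
# listed there is injected into each dynamically linked process on the host.
preload_entries() {
    [ -r "$1" ] || return 0
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' || true
}

# PIDs as readdir() reports them: the same view ps, top and ls /proc get.
pids_listed() {
    ls /proc | grep -E '^[0-9]+$' || true
}

# PIDs found by probing /proc/<pid> for every possible PID, bypassing readdir().
pids_probed() {
    max=$(cat /proc/sys/kernel/pid_max 2>/dev/null || echo 32768)
    pid=1
    while [ "$pid" -le "$max" ]; do
        [ -d "/proc/$pid" ] && printf '%s\n' "$pid"
        pid=$((pid + 1))
    done
    return 0
}

if [ "${1:-}" = "--scan" ]; then
    probed=$(pids_probed)
    listed=$(pids_listed)
    for pid in $(missing_from "$listed" "$probed"); do
        # A process that exited between the two passes is not a finding:
        # require that it still exists and is still missing from a fresh listing.
        [ -d "/proc/$pid" ] || continue
        pids_listed | grep -qx -- "$pid" && continue
        cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null || true)
        printf 'HIDDEN pid %s: %s\n' "$pid" "$cmd"
    done
    entries=$(preload_entries /etc/ld.so.preload)
    if [ -n "$entries" ]; then
        printf '/etc/ld.so.preload is not empty; these libraries are loaded into every process:\n%s\n' "$entries"
    fi
fi
```

Run `sh hidden-procs.sh --scan` as root. A kernel-mode rootkit that filters /proc inside the kernel would defeat this check; for that case, compare the host's own view against one taken from outside it (connections seen at the switch, CPU accounting from the hypervisor).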

Read more about the new cryptominer Trojan on BleepingComputer.

Linux kernel bug: TCP flaw lets remote attackers stall devices with tiny DoS attack

Security researchers are warning Linux users of a bug in Linux kernel versions 4.9 and later that can be used to mount a denial-of-service attack against networking equipment and other systems.

The warning comes from Carnegie Mellon University’s CERT/CC, which lists a number of network-equipment vendors, PC and server manufacturers, mobile vendors, and operating-system makers that may be affected. Given the widespread use of Linux, the bug could affect every vendor from Amazon and Apple through to Ubuntu and ZyXEL.

Read more about the Linux bug, dubbed 'SegmentSmack', which gives a remote attacker the means to stall a system with minimal traffic, on TechRepublic.

Why Linux is better than Windows 10 and Mac OS for security

Most devices you can think of, other than your laptop or PC, run some Linux distribution. Linux is an open-source, Unix-like operating system. Strictly speaking, Linux is the name of the kernel, first released in 1991; it is developed by a community of contributors, with Linus Torvalds overseeing the process. A distribution adds a graphical user interface comparable to that of Windows, a command-line interface and applications to make a complete operating system.

Linux therefore offers both a Graphical User Interface (GUI), typically KDE or GNOME, and a Command Line Interface (CLI). The GUI is the optional part: many Linux servers run with the command line only.

Linux can be freely downloaded and redistributed, including on media bundled with magazines and books. There are also commercially supported distributions such as Red Hat Enterprise Linux, which are normally still cheaper than Windows.

We often hear people around us claim that Linux is much more secure than Windows, or simply that Linux is very secure.

But what exactly in Linux makes it more secure than Windows or any other operating system?

1. ExecShield

ExecShield is a Red Hat kernel feature designed to stop the exploitation of common memory-corruption bugs, the kind that worms scanning the Internet for vulnerable systems rely on. It marks data regions such as the stack and heap non-executable (using the NX bit where the hardware supports it and emulating it otherwise) and randomizes the layout of a process's address space. It is enabled in the kernel and is transparent to users and applications.

Its primary goal is to defeat scripted attacks that exploit how a program running with root privileges handles memory. It cannot defend against an expert attacker who has already broken into your local network, or an insider who already has legitimate access to parts of it.


2. SELinux (Security-Enhanced Linux)

SELinux is an implementation of a flexible mandatory access control architecture in the Linux operating system. The SELinux architecture provides general support for the enforcement of many kinds of mandatory access control policies, including those based on the concepts of Type Enforcement, Role-Based Access Control and Multi-Level Security.

In practice SELinux is a policy engine that controls, with very precise rules, which operations the system allows each user, process and daemon to perform. It is mostly used to confine daemons such as database engines or web servers, whose data access and activity needs are clearly defined; if a confined daemon is compromised, the damage it can do is limited to what its domain permits. Ordinary user processes often run in the unconfined domain, so they are not restricted by SELinux, but they remain subject to the classic Linux permission checks. SELinux only adds restrictions: it never grants access that the standard discretionary checks would deny.

3. iptables

iptables gives you a much finer degree of control over which traffic reaches your Linux machine.

iptables is used to set up, maintain and inspect the tables of IP packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains. Each chain is a list of rules that can match a set of packets, and each rule specifies what to do with a packet that matches. A packet that reaches the end of a built-in chain without matching any rule is handled by the chain's policy, which is where a default-deny posture comes from.
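An added example, not from the article, of the chain-and-policy mechanics just described: a POSIX shell script that emits a default-deny INPUT chain in iptables-restore format, with connection tracking, a brute-force brake on SSH and a rate-limited logging rule before the policy drop, and loads it as one transaction. The port numbers and the "iptables-drop:" log prefix are this example's assumptions.

```shell
#!/bin/sh
# Added example: a default-deny host firewall in iptables-restore format.
# Assumptions (this example's own): SSH listens on the port given as the
# argument (default 22), HTTPS on 443/tcp, and nothing else is offered.
#
# Usage: sh firewall.sh [port]            # print the ruleset
#        sh firewall.sh --apply [port]    # validate, then load atomically (root)

# Emit the ruleset. Kept in a function so it can be inspected or tested
# without touching the running kernel.
firewall_rules() {
    ssh_port=${1:-22}
    cat <<EOF
*filter
# Chain policies: what happens to a packet no rule matched. INPUT and FORWARD
# default to DROP; OUTPUT stays open for this host's own connections.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback traffic is always allowed.
-A INPUT -i lo -j ACCEPT
# Packets belonging to flows already accepted, and replies to our own requests.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Packets the connection tracker cannot place in any flow.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ICMP is needed for path MTU discovery and basic diagnostics.
-A INPUT -p icmp -j ACCEPT
# SSH with a brute-force brake: the 5th new connection from one source
# within 60 seconds is dropped; earlier ones fall through to ACCEPT.
-A INPUT -p tcp --dport ${ssh_port} -m conntrack --ctstate NEW -m recent --name SSH --set
-A INPUT -p tcp --dport ${ssh_port} -m conntrack --ctstate NEW -m recent --name SSH --update --seconds 60 --hitcount 5 -j DROP
-A INPUT -p tcp --dport ${ssh_port} -m conntrack --ctstate NEW -j ACCEPT
# The public service.
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
# Log a rate-limited sample of what the DROP policy will discard.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# Write the ruleset to a temporary file, let iptables-restore parse it in
# --test mode, and only then load it. The load is one kernel transaction, so
# a rejected file leaves the previous rules in place.
apply_firewall() {
    tmp=$(mktemp)
    firewall_rules "$1" > "$tmp"
    if iptables-restore --test "$tmp"; then
        iptables-restore "$tmp"
    else
        echo "ruleset rejected, nothing changed" >&2
        rm -f "$tmp"
        return 1
    fi
    rm -f "$tmp"
}

case "${1:-}" in
    --apply) apply_firewall "${2:-22}" ;;
    *) firewall_rules "${1:-22}" ;;
esac
```

On a remote host, keep a second session open or schedule a restore of the previous rules before running `--apply`; the default-deny INPUT policy applies to your own SSH session too if the port argument is wrong.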

4. PAM (Pluggable Authentication Modules)

Linux-PAM is a system of libraries that handle the authentication tasks of applications (services) on the system. The principal feature of the PAM approach is that the nature of the authentication is dynamically configurable. In other words, the system administrator is free to choose how individual service-providing applications will authenticate users.

Linux-PAM separates the tasks of authentication into four independent management groups: account management; authentication management; password management; and session management.

account – provide account verification types of service: has the user’s password expired?; is this user permitted access to the requested service?

authentication – authenticate a user and set up user credentials. Typically this is via some challenge-response request that the user must satisfy: if you are who you claim to be please enter your password.

password – this group’s responsibility is the task of updating authentication mechanisms. Typically, such services are strongly coupled to those of the auth group. Some authentication mechanisms lend themselves well to being updated with such a function. Standard UN*X password-based access is the obvious example: please enter a replacement password.

session – this group of tasks covers things that should be done before a service is given and after it is withdrawn. Such tasks include the maintenance of audit trails and the mounting of the user's home directory. The session management group is important because it provides both an opening and a closing hook for modules to affect the services available to a user.
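An added example, not from the article, that reads a PAM service file the way the four management groups above are laid out: a POSIX shell linter that normalizes each line to "type control module args", counts the entries per group and flags two classic mistakes (a "sufficient" pam_permit.so in the auth group, which lets anyone in, and nullok on pam_unix.so, which accepts empty passwords) plus a missing account group. The sample stack is constructed for this demonstration and is deliberately weak.

```shell
#!/bin/sh
# Added example: a small linter for a PAM service file, organised around the
# four management groups (account, auth, password, session). The sample stack
# at the bottom is constructed for this demonstration and deliberately weak.

# Normalise a PAM file to one "type control module args" line per entry:
# comments and blank lines go, the optional leading "-" on the type is
# stripped, and a bracketed control such as "[success=1 default=ignore]" is
# joined into a single token so the module is always the third field.
pam_lines() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" | awk '{
        sub(/^-/, "", $1)
        ctl = $2; i = 2
        if (ctl ~ /^\[/) { while (ctl !~ /]$/ && i < NF) { i++; ctl = ctl "," $i } }
        out = $1 " " ctl
        for (i++; i <= NF; i++) out = out " " $i
        print out
    }'
}

# Number of entries in each management group, e.g. "account 0".
pam_group_counts() {
    for g in account auth password session; do
        n=$(pam_lines "$1" | awk -v g="$g" '$1 == g { c++ } END { print c + 0 }')
        printf '%s %s\n' "$g" "$n"
    done
}

# Weaknesses a reviewer looks for first:
#  - pam_permit.so marked "sufficient" in auth: the stack succeeds for anyone;
#  - nullok/nullok_secure on pam_unix.so in auth: empty passwords are accepted;
#  - no account entries at all: expiry and lock-out checks are never run.
pam_findings() {
    pam_lines "$1" | awk '
        $1 == "auth" && $2 == "sufficient" && $3 ~ /pam_permit\.so$/ {
            print "auth: pam_permit.so is sufficient, authentication can be bypassed"
        }
        $1 == "auth" && $3 ~ /pam_unix\.so$/ {
            for (i = 4; i <= NF; i++)
                if ($i ~ /^nullok/) print "auth: pam_unix.so accepts empty passwords (" $i ")"
        }
        $1 == "account" { seen_account = 1 }
        END {
            if (!seen_account) print "account: no account checks, expired or locked accounts are not enforced"
        }
    '
}

# Constructed sample stack (not copied from any distribution), written to a
# temporary file whose name is printed.
sample_pam_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sshd-like stack for the example
auth      sufficient  pam_permit.so
auth      [success=1 default=ignore] pam_unix.so nullok
auth      requisite   pam_deny.so
-auth     optional    pam_cap.so
password  required    pam_unix.so sha512 shadow
session   required    pam_limits.so
session   optional    pam_systemd.so
EOF
    printf '%s\n' "$f"
}

f=$(sample_pam_file)
pam_group_counts "$f"
pam_findings "$f"
rm -f "$f"
```

Point the functions at a real file, for example `pam_findings /etc/pam.d/sshd`; on Debian-style systems remember that most of the stack lives behind `@include common-auth` and friends, so each included file needs the same review.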

5. Audit

Since the 2.6 series the Linux kernel has included a logging facility, the Linux Auditing System, that records events such as system calls and file accesses. These logs can then be reviewed to spot possible security breaches, such as failed login attempts or a user trying to read system files they are not allowed to access.

The auditd daemon is responsible for writing the audit records to disk. The records are queried with ausearch and summarized with aureport, and the audit rules are configured with auditctl.

During boot, the rules in /etc/audit/audit.rules are read and loaded by auditctl (on newer systems, augenrules assembles that file from the fragments in /etc/audit/rules.d/).
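An added example, not from the article, covering both the SELinux and the Audit items above: a POSIX shell script with a small audit rules file (watches on the identity files and the dynamic loader's preload list, plus privileged execve and kernel-module calls, each tagged with a key for ausearch -k) and two triage functions run over constructed audit.log lines, one counting failed logins per source address and one summarizing SELinux AVC denials by process, permission and context. The rule keys, paths and log lines are this example's own constructions.

```shell
#!/bin/sh
# Added example: a small audit rule set plus two triage functions run over
# constructed audit.log lines. Rule keys, paths and the log content are this
# example's own; load the rules with: auditctl -R rules.file (as root), or
# drop the file into /etc/audit/rules.d/ for augenrules.

# Rules: watch files that grant or change identity and the loader's preload
# list; record every execve by root that came from a real login (auid set),
# and every kernel module load/unload. -k tags records for ausearch -k.
audit_rules() {
    cat <<'EOF'
-D
-b 8192
-f 1
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/sudoers -p wa -k sudoers
-w /etc/ld.so.preload -p wa -k preload
-a always,exit -F arch=b64 -S execve -F euid=0 -F auid>=1000 -F auid!=4294967295 -k priv_exec
-a always,exit -F arch=b64 -S init_module,finit_module,delete_module -k modules
EOF
}

# Failed logins per source address from USER_LOGIN records, most frequent first.
failed_logins() {
    grep 'type=USER_LOGIN' "$1" | grep 'res=failed' |
        sed -n 's/.*addr=\([^ ]*\).*/\1/p' | sort | uniq -c | sort -rn
}

# SELinux AVC denials summarised as: comm permission scontext -> tcontext tclass.
# Each line is a policy decision to review, not necessarily an attack.
avc_denials() {
    grep 'type=AVC' "$1" | grep ' denied ' | awk '{
        perm = ""; comm = ""; src = ""; tgt = ""; cls = ""
        if (match($0, /\{ [^}]* \}/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     comm = substr($i, 6)
            if ($i ~ /^scontext=/) src  = substr($i, 10)
            if ($i ~ /^tcontext=/) tgt  = substr($i, 10)
            if ($i ~ /^tclass=/)   cls  = substr($i, 8)
        }
        gsub(/"/, "", comm)
        print comm, perm, src, "->", tgt, cls
    }' | sort | uniq -c | sort -rn
}

# Constructed log lines in audit.log syntax, written to a temporary file whose
# name is printed. Addresses are taken from documentation ranges.
sample_audit_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
type=USER_LOGIN msg=audit(1542882000.101:4711): pid=1337 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.7 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1542882003.222:4712): pid=1339 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.7 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1542882005.333:4713): pid=1341 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="admin" exe="/usr/sbin/sshd" hostname=? addr=198.51.100.9 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1542882009.444:4714): pid=1343 uid=0 auid=1000 ses=12 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=? addr=198.51.100.9 terminal=ssh res=success'
type=AVC msg=audit(1542882010.555:4720): avc:  denied  { write } for  pid=2210 comm="httpd" name="index.html" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1542882011.666:4721): avc:  denied  { write } for  pid=2210 comm="httpd" name="index.html" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1542882012.777:4722): avc:  denied  { name_connect } for  pid=2210 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
EOF
    printf '%s\n' "$f"
}

log=$(sample_audit_log)
echo "== failed logins by address"; failed_logins "$log"
echo "== AVC denials"; avc_denials "$log"
rm -f "$log"
```

Against a live system the same functions take /var/log/audit/audit.log, or the output of `ausearch -k priv_exec --raw`; the AVC summary is the input you would hand to audit2allow only after deciding that the denied access is actually legitimate, since the denial may be SELinux doing its job against a compromised daemon.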

Privilege Escalation Vulnerability Found in Linux Kernel

A researcher has identified a serious vulnerability in the Linux kernel that can be exploited by a local attacker to escalate privileges on affected systems. The issue, discovered by AMA Capital Management co-founder Andrew Lutomirski, is related to CVE-2014-9090, a Linux kernel denial-of-service (DoS) vulnerability reported recently by Lutomirski.

CVE-2014-9090 is caused by the improper handling of faults associated with the Stack Segment (SS) register on the x86 architecture. Lutomirski discovered the new kernel vulnerability, CVE-2014-9322, after Borislav Petkov asked some questions about CVE-2014-9090.

Read more about the privilege escalation vulnerability found in Linux kernel on Security Week.

Grinch Bug Could Be Worse than Shellshock, Say Experts

Researchers have discovered a vulnerability in Linux operating systems, dubbed the Grinch bug, which can be exploited to give attackers root access to a system. The flaw lies in Linux's authorization system, which allows privilege escalation through the wheel group.

A new privilege escalation bug similar to Shellshock is giving Linux administrators sleepless nights, just days after POODLE, another serious bug of 2014, resurfaced. The Grinch vulnerability, which affects all Linux-based operating systems, potentially gives an attacker root access to a system, according to Alert Logic, who announced the bug on Tuesday.

Read more about the vulnerability that affects almost all platforms running on Linux including Android devices on Security Affairs.

Impact of Linux bug ‘grinch’ spans servers, workstations, Android devices and more

A security firm has disclosed details of a serious bug, called "grinch," which affects all Linux platforms and potentially gives an attacker administrative access to systems, from where they can remotely install malicious applications, steal data, or perform other malicious acts of their choosing.

Disclosed by Alert Logic the week before Christmas, grinch has apparently earned its name, as approximately 65 percent of all web servers on the internet use a Unix/Linux based operating system,

Read more about the Linux bug ‘grinch’ on SC Magazine.