LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - News (http://www.linuxquestions.org/questions/linux-news-59/)
-   -   new malware that targets Linux (http://www.linuxquestions.org/questions/linux-news-59/new-malware-that-targets-linux-4175425165/)

newbiesforever 09-01-2012 03:47 PM

new malware that targets Linux
 
http://www.forbes.com/sites/anthonyk...nd-keystrokes/

I guess I have not been infected with this malware: my home directory does not contain the offending file. I was just wondering: since we apparently know what server the malware file communicates with, will someone trace the geographical location of that server and arrest the owner?

273 09-01-2012 03:59 PM

Wow. Is it me or is that a Phishing scam on Forbes?

newbiesforever 09-01-2012 04:01 PM

Quote:

Originally Posted by 273 (Post 4770129)
Wow. Is it me or is that a Phishing scam on Forbes?

I assume a reputable business magazine wouldn't publish a phishing scam.

273 09-01-2012 04:05 PM

It has all the hallmarks of it. The file you're supposed to look for isn't even a hidden file, and the steps to "remove the trojan" are "delete the file" and "download this software". Sounds like a phishing scam to me.
If there is a real trojan out there I would expect a respected source to tell me which files to remove, not whose "free trial" software to download.
The article writer does add some scepticism at the start but seems to just pass the rest on unchanged.

newbiesforever 09-01-2012 04:17 PM

So he got suckered?

273 09-01-2012 04:27 PM

Quote:

Originally Posted by newbiesforever (Post 4770144)
So he got suckered?

I honestly do not know.
It looks like a "security firm" pushing product -- whether or not the threat is real I wouldn't like to guess.

sycamorex 09-01-2012 04:28 PM

It does look like a scam. All the urls point to that website selling the sofware (and bob knows what kind of malicious software it can be)

dugan 09-01-2012 06:47 PM

I commented.

Quote:

Your only source is a company that I’ve never heard of? The last step is to go to their website and download their “free trial”? Why does am I just not feeling the credibility here?
And yes, I also expected better from Forbes.

John VV 09-01-2012 10:25 PM

I thought i read that forbes was among the sites HACKED ad serving up software for the java crack that oracle just pushed a BROKEN patch out for

rokytnji 09-02-2012 01:15 AM

BackDoor.Wirenet.1 Keylogger is a backdoor trojan that can run on Linux and MacOSX, stealing personal information, passwords, and banking credentials! It copies itself to the user's home directory at /home/WIFIADAPT

It then creates a connection to a remote IP, currently 212.7.208.65

Defence and Removal:

Block that IP with your router / firewall.
Delete the above directory/files.

and




My understanding is the wirenet-1 has to create a file in the directory ~/ WIFIADAPT Since Linux sees directories and files as the same (you can't have a file and directory by the same name) I believe that creating an empty file by the name of WIFIADAPT in your home directory would keep your from getting the Trojan since It would not be able to create the Directory WIFIADAPT the location it stores the infection. Just for extra measures I would set the permissions on the created file read only. This is just my suggestion but I believe this would work. It also wold be a good idea to block the above mentioned IP address.

from

http://askubuntu.com/questions/18193...door-wirenet-1

and also

http://www.linuxforums.org/forum/cof...tml#post903002

sounds like a viable solution also.

Quote:

I thought i read that forbes was among the sites HACKED ad serving up software for the java crack that oracle just pushed a BROKEN patch out for
lol

Code:

$ java -version
java version "1.7.0_07"
Java(TM) SE Runtime Environment (build 1.7.0_07-b10)
Java HotSpot(TM) Client VM (build 23.3-b01, mixed mode)

:doh: suckered again. http://isc.sans.edu/diary.html?storyid=14017&rss

So java is disabled in addons till itis needed or fixed again (I bet nothing on that)

John VV 09-02-2012 01:31 AM

the reporting on that has been all over /. and ars tech and wired

but that is the Oracle java , not OpenJDK .

aus9 09-02-2012 01:49 AM

rokytnji

good tip on blocking site. 212.7.208.65

my router now blocks incoming and outgoing

dugan 09-03-2012 05:31 PM

Another thread has been started on this:

http://www.linuxquestions.org/questi...an-4175425425/

SemiBeard 09-08-2012 11:14 AM

My guess is that since it creates a directory called WIFIADAPT to be inconspicuous to the regular user, this trojan might have originally come in the form of some WIFI or some other network utility program (APP).

frieza 09-08-2012 11:47 AM

meh, the lesson here is Linux isn't invulnerable to malware (especially those written in Java), however assuming the user doesn't go out of their way to go against the Linux security model, then it should be much easier to detect and clean up after a malware infection (because said malware can't spread beyond said user's home directory, or install itself in a way that the user can't simply rm -rf.


All times are GMT -5. The time now is 04:53 PM.