Old 09-01-2012, 02:47 PM   #1
newbiesforever
Senior Member
 
Registered: Apr 2006
Location: Glendale, AZ
Distribution: Distro-homeless. Lost.
Posts: 1,875

Rep: Reputation: 62
new malware that targets Linux


http://www.forbes.com/sites/anthonyk...nd-keystrokes/

I guess I have not been infected with this malware: my home directory does not contain the offending file. I was just wondering: since we apparently know what server the malware file communicates with, will someone trace the geographical location of that server and arrest the owner?
 
Old 09-01-2012, 02:59 PM   #2
273
Senior Member
 
Registered: Dec 2011
Location: UK
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 3,432

Rep: Reputation: 796
Wow. Is it me or is that a Phishing scam on Forbes?
 
Old 09-01-2012, 03:01 PM   #3
newbiesforever
Senior Member
 
Registered: Apr 2006
Location: Glendale, AZ
Distribution: Distro-homeless. Lost.
Posts: 1,875

Original Poster
Rep: Reputation: 62
Quote:
Originally Posted by 273 View Post
Wow. Is it me or is that a Phishing scam on Forbes?
I assume a reputable business magazine wouldn't publish a phishing scam.
 
Old 09-01-2012, 03:05 PM   #4
273
Senior Member
 
Registered: Dec 2011
Location: UK
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 3,432

Rep: Reputation: 796
It has all the hallmarks of it. The file you're supposed to look for isn't even a hidden file, and the steps to "remove the trojan" are "delete the file" and "download this software". Sounds like a phishing scam to me.
If there is a real trojan out there I would expect a respected source to tell me which files to remove, not whose "free trial" software to download.
The article writer does add some scepticism at the start but seems to just pass the rest on unchanged.
 
Old 09-01-2012, 03:17 PM   #5
newbiesforever
Senior Member
 
Registered: Apr 2006
Location: Glendale, AZ
Distribution: Distro-homeless. Lost.
Posts: 1,875

Original Poster
Rep: Reputation: 62
So he got suckered?
 
Old 09-01-2012, 03:27 PM   #6
273
Senior Member
 
Registered: Dec 2011
Location: UK
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 3,432

Rep: Reputation: 796
Quote:
Originally Posted by newbiesforever View Post
So he got suckered?
I honestly do not know.
It looks like a "security firm" pushing product -- whether or not the threat is real I wouldn't like to guess.
 
Old 09-01-2012, 03:28 PM   #7
sycamorex
LQ Veteran
 
Registered: Nov 2005
Location: London
Distribution: Slackware64-current
Posts: 5,572
Blog Entries: 1

Rep: Reputation: 1027
It does look like a scam. All the URLs point to that website selling the software (and bob knows what kind of malicious software it can be).
 
Old 09-01-2012, 05:47 PM   #8
dugan
Senior Member
 
Registered: Nov 2003
Location: Canada
Distribution: distro hopper
Posts: 4,790

Rep: Reputation: 1486
I commented.

Quote:
Your only source is a company that I've never heard of? The last step is to go to their website and download their "free trial"? Why am I just not feeling the credibility here?
And yes, I also expected better from Forbes.

Last edited by dugan; 09-01-2012 at 05:48 PM.
 
Old 09-01-2012, 09:25 PM   #9
John VV
Guru
 
Registered: Aug 2005
Posts: 13,083

Rep: Reputation: 1747
I thought I read that Forbes was among the sites HACKED and serving up software for the Java crack that Oracle just pushed a BROKEN patch out for.
 
Old 09-02-2012, 12:15 AM   #10
rokytnji
Senior Member
 
Registered: Mar 2008
Location: Waaaaay out West Texas
Distribution: AntiX 13 , MacPup,Linux-Lite 2.0, SaliX
Posts: 2,750
Blog Entries: 18

Rep: Reputation: 875
BackDoor.Wirenet.1 Keylogger is a backdoor trojan that can run on Linux and MacOSX, stealing personal information, passwords, and banking credentials! It copies itself to the user's home directory at /home/WIFIADAPT

It then creates a connection to a remote IP, currently 212.7.208.65

Defence and Removal:

Block that IP with your router / firewall.
Delete the above directory/files.

and




My understanding is the wirenet-1 has to create a file in the directory ~/WIFIADAPT. Since Linux sees directories and files as the same (you can't have a file and directory by the same name), I believe that creating an empty file by the name of WIFIADAPT in your home directory would keep you from getting the Trojan, since it would not be able to create the directory WIFIADAPT, the location where it stores the infection. Just for extra measures I would set the permissions on the created file to read only. This is just my suggestion, but I believe this would work. It also would be a good idea to block the above mentioned IP address.

from

http://askubuntu.com/questions/18193...door-wirenet-1

and also

http://www.linuxforums.org/forum/cof...tml#post903002

sounds like a viable solution also.

Quote:
I thought I read that Forbes was among the sites HACKED and serving up software for the Java crack that Oracle just pushed a BROKEN patch out for.
lol

Code:
$ java -version
java version "1.7.0_07"
Java(TM) SE Runtime Environment (build 1.7.0_07-b10)
Java HotSpot(TM) Client VM (build 23.3-b01, mixed mode)
suckered again. http://isc.sans.edu/diary.html?storyid=14017&rss

So Java is disabled in addons till it is needed or fixed again (I bet nothing on that).

Last edited by rokytnji; 09-02-2012 at 12:25 AM.
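The placeholder-file and IP-blocking steps quoted above, as an added example that is not code from the thread or from the linked posts: it assumes a POSIX shell, uses the WIFIADAPT name and 212.7.208.65 address quoted in the post, and WIRENET_APPLY is a switch I made up so the file can be sourced without changing anything.

```shell
#!/bin/sh
# Added example, not from the thread: the "placeholder file" and "check for
# the indicator" steps quoted above for BackDoor.Wirenet.1. The path name and
# the remote IP are the ones quoted; WIRENET_APPLY=1 is an assumed switch.

WIRENET_NAME="WIFIADAPT"
WIRENET_IP="212.7.208.65"

# Print what sits at $1/WIFIADAPT: "directory" is the indicator the quoted
# write-up describes, "placeholder" is our read-only guard file, "absent"
# means neither exists. Always exits 0; callers read the word.
wirenet_status() {
    target="$1/$WIRENET_NAME"
    if [ -d "$target" ]; then
        echo "directory"
    elif [ -e "$target" ]; then
        echo "placeholder"
    else
        echo "absent"
    fi
}

# Create the empty placeholder so a directory of the same name cannot be
# created at that path, then make it read-only as the post suggests. An
# existing directory is evidence to inspect, so that case returns 1 untouched.
wirenet_place_guard() {
    target="$1/$WIRENET_NAME"
    case "$(wirenet_status "$1")" in
        directory)
            echo "$target is a directory: inspect it before removing" >&2
            return 1 ;;
        placeholder)
            chmod 444 "$target" ;;
        absent)
            : > "$target" && chmod 444 "$target" ;;
    esac
}

# Print (rather than run) the iptables rules that would drop traffic to and
# from the quoted address; they need root, so apply them deliberately.
wirenet_block_rules() {
    echo "iptables -A OUTPUT -d $WIRENET_IP -j DROP"
    echo "iptables -A INPUT  -s $WIRENET_IP -j DROP"
}

if [ "${WIRENET_APPLY:-0}" = 1 ]; then
    wirenet_place_guard "$HOME" && echo "guard in place: $HOME/$WIRENET_NAME"
    wirenet_block_rules
fi
```

A process running as the same user can still delete the read-only placeholder, because write permission on the home directory is what governs that, so wirenet_status is the part worth running regularly.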
 
Old 09-02-2012, 12:31 AM   #11
John VV
Guru
 
Registered: Aug 2005
Posts: 13,083

Rep: Reputation: 1747
the reporting on that has been all over /. and ars tech and wired

but that is the Oracle Java, not OpenJDK.
 
Old 09-02-2012, 12:49 AM   #12
aus9
Guru
 
Registered: Oct 2003
Posts: 5,060

Rep: Reputation: Disabled
rokytnji

good tip on blocking site. 212.7.208.65

my router now blocks incoming and outgoing
 
Old 09-03-2012, 04:31 PM   #13
dugan
Senior Member
 
Registered: Nov 2003
Location: Canada
Distribution: distro hopper
Posts: 4,790

Rep: Reputation: 1486
Another thread has been started on this:

http://www.linuxquestions.org/questi...an-4175425425/
 
Old 09-08-2012, 10:14 AM   #14
SemiBeard
LQ Newbie
 
Registered: Mar 2010
Location: Miami
Distribution: Slackware
Posts: 24

Rep: Reputation: 2
My guess is that since it creates a directory called WIFIADAPT to be inconspicuous to the regular user, this trojan might have originally come in the form of some WIFI or some other network utility program (APP).
 
Old 09-08-2012, 10:47 AM   #15
frieza
Senior Member
 
Registered: Feb 2002
Location: harvard, il
Distribution: Ubuntu 11.4,DD-WRT micro plus ssh,lfs-6.6,Fedora 15,Fedora 16
Posts: 3,104

Rep: Reputation: 369
meh, the lesson here is Linux isn't invulnerable to malware (especially those written in Java); however, assuming the user doesn't go out of their way to go against the Linux security model, then it should be much easier to detect and clean up after a malware infection (because said malware can't spread beyond said user's home directory, or install itself in a way that the user can't simply rm -rf).
 