new malware that targets Linux

newbiesforever · 09-01-2012, 02:47 PM

http://www.forbes.com/sites/anthonyk...nd-keystrokes/

I guess I have not been infected with this malware: my home directory does not contain the offending file. I was just wondering: since we apparently know what server the malware file communicates with, will someone trace the geographical location of that server and arrest the owner?

273 · 09-01-2012, 02:59 PM

Wow. Is it me or is that a Phishing scam on Forbes?

newbiesforever · 09-01-2012, 03:01 PM

Quote:

Originally Posted by 273

Wow. Is it me or is that a Phishing scam on Forbes?

I assume a reputable business magazine wouldn't publish a phishing scam.

273 · 09-01-2012, 03:05 PM

It has all the hallmarks of it. The file you're supposed to look for isn't even a hidden file, and the steps to "remove the trojan" are "delete the file" and "download this software". Sounds like a phishing scam to me.
If there is a real trojan out there I would expect a respected source to tell me which files to remove, not whose "free trial" software to download.
The article writer does add some scepticism at the start but seems to just pass the rest on unchanged.

newbiesforever · 09-01-2012, 03:17 PM

So he got suckered?

273 · 09-01-2012, 03:27 PM

Quote:

Originally Posted by newbiesforever

So he got suckered?

I honestly do not know.
It looks like a "security firm" pushing product -- whether or not the threat is real I wouldn't like to guess.

sycamorex · 09-01-2012, 03:28 PM

It does look like a scam. All the urls point to that website selling the sofware (and bob knows what kind of malicious software it can be)

dugan · 09-01-2012, 05:47 PM

I commented.

Quote:

Your only source is a company that I’ve never heard of? The last step is to go to their website and download their “free trial”? Why does am I just not feeling the credibility here?

And yes, I also expected better from Forbes.

John VV · 09-01-2012, 09:25 PM

I thought i read that forbes was among the sites HACKED ad serving up software for the java crack that oracle just pushed a BROKEN patch out for

rokytnji · 09-02-2012, 12:15 AM

BackDoor.Wirenet.1 Keylogger is a backdoor trojan that can run on Linux and MacOSX, stealing personal information, passwords, and banking credentials! It copies itself to the user's home directory at /home/WIFIADAPT

It then creates a connection to a remote IP, currently 212.7.208.65

Defence and Removal:

Block that IP with your router / firewall.
Delete the above directory/files.

and

My understanding is the wirenet-1 has to create a file in the directory ~/ WIFIADAPT Since Linux sees directories and files as the same (you can't have a file and directory by the same name) I believe that creating an empty file by the name of WIFIADAPT in your home directory would keep your from getting the Trojan since It would not be able to create the Directory WIFIADAPT the location it stores the infection. Just for extra measures I would set the permissions on the created file read only. This is just my suggestion but I believe this would work. It also wold be a good idea to block the above mentioned IP address.

from

http://askubuntu.com/questions/18193...door-wirenet-1

and also

http://www.linuxforums.org/forum/cof...tml#post903002

sounds like a viable solution also.

Quote:

I thought i read that forbes was among the sites HACKED ad serving up software for the java crack that oracle just pushed a BROKEN patch out for

lol

Code:

$ java -version
java version "1.7.0_07"
Java(TM) SE Runtime Environment (build 1.7.0_07-b10)
Java HotSpot(TM) Client VM (build 23.3-b01, mixed mode)

suckered again. http://isc.sans.edu/diary.html?storyid=14017&rss

So java is disabled in addons till itis needed or fixed again (I bet nothing on that)

John VV · 09-02-2012, 12:31 AM

Quote:

suckered again. http://isc.sans.edu/diary.html?storyid=14017&rss

the reporting on that has been all over /. and ars tech and wired

but that is the Oracle java , not OpenJDK .

aus9 · 09-02-2012, 12:49 AM

rokytnji

good tip on blocking site. 212.7.208.65

my router now blocks incoming and outgoing

dugan · 09-03-2012, 04:31 PM

Another thread has been started on this:

http://www.linuxquestions.org/questi...an-4175425425/

SemiBeard · 09-08-2012, 10:14 AM

My guess is that since it creates a directory called WIFIADAPT to be inconspicuous to the regular user, this trojan might have originally come in the form of some WIFI or some other network utility program (APP).

frieza · 09-08-2012, 10:47 AM

meh, the lesson here is Linux isn't invulnerable to malware (especially those written in Java), however assuming the user doesn't go out of their way to go against the Linux security model, then it should be much easier to detect and clean up after a malware infection (because said malware can't spread beyond said user's home directory, or install itself in a way that the user can't simply rm -rf.