Malware Authors Switch Focus from Windows to Linux, Thousands of PCs Infected

Exterminator (Thread author)
Linux has always been considered a more secure operating system, but malware writers are now trying to take advantage of this premise with new forms of infections spreading across the web as we speak.

Security firm Dr. Web warns that it has already discovered thousands of Linux computers infected with a malware called Linux.Proxy.10, which is used by cybercriminals to remain anonymous online.

What this malware does is run a SOCKS5 proxy server on the infected device allowing attackers to connect to the machine to hide their identity while performing other illegal activities on the Internet.

According to researchers, this infection is specifically targeting computers with the default settings or machines that have already been compromised by other forms of malware. This way, attackers can easily obtain access to the target computer and install Linux.Proxy.10.

“To distribute Linux.Proxy.10, cybercriminals log in to the vulnerable devices via the SSH protocol, and at the same time the list of devices, as well as the logins and passwords that go with them, are stored on their server. The list looks like this: «IP address:login:password»,” the security firm explains.

Change your passwords
Once a system is infected with Linux.Proxy.10, the cybercriminal can easily connect using just its IP address, plus the port that they originally configured when they started spreading the malware.

During the investigation, Dr. Web also discovered other infections on cybercriminals’ servers, including a piece of malware that was developed for Windows computers.

“The server belonging to the cybercriminals who distribute Linux.Proxy.10 has been found to contain not only the lists of vulnerable devices. Doctor Web security researchers also detected a Spy-Agent administrator panel and a build of Windows malware from a known family of Trojan spyware, BackDoor.TeamViewer,” the firm says.

The best way to remain secure is to change the default settings and use passwords that are more complex and harder to decrypt. In this new wave of attacks, the cybercriminals do not attempt to brute force the systems, but to break in using the default passwords and the typical credentials that some people might still be using.

Myriad
And here comes yet another one!

Every time I read this type of FUD news item it makes me feel tired, all over.

No disrespect to Dr Web, but it is vital to distinguish between a "proof-of-concept" and a real-world threat.
Brute forcing of pitifully weak passwords, or attacks on unchanged default logins, do not count in my book.

What makes Linux inherently more secure than other operating systems is the near impossibility of any would-be attacker gaining root privileges.

..... just my 2 Escudos worth :)
uncle bill

What makes Linux inherently more secure than other operating systems is the near impossibility of any would-be attacker gaining root privileges.

...unless someone forgot about old APIs or doesn't check what happens if someone presses the return key and keeps it pressed (as recent history shows).

Like a Western!
Doctor Web detects Trojan for Windows that infects Linux devices

Linux.Mirai is currently the most widespread Trojan for Linux. The first version of this malware was added to the Dr.Web virus databases under the name Linux.DDoS.87 back in May 2016. Since then, it has become very popular among virus makers as its source codes have been made public. Moreover, in February 2017 Doctor Web security researchers examined the Trojan for Windows that contributed to the distribution of Linux.Mirai.

The new malicious program was dubbed Trojan.Mirai.1. When launched, the Trojan connects to its command and control server, downloads the configuration file, and extracts the list of IP addresses. Then Trojan.Mirai.1 launches a scanner that addresses the network nodes listed in the configuration file and attempts to log in using the login and password combination indicated in the same file. Trojan.Mirai.1’s scanner can check several TCP ports simultaneously.

If the Trojan successfully connects to the attacked node via any of the available protocols, it executes the indicated sequence of commands. The only exception is a connection via RDP protocol: in this case, none of the instructions are executed. Besides that, while connecting to the Linux device via Telnet protocol, it downloads a binary file on the compromised device, and this file subsequently downloads and launches Linux.Mirai.

In addition, Trojan.Mirai.1 can execute on remote machines commands that rely on inter-process communication (IPC) technology. The Trojan can launch new processes and create different files, e.g., Windows package files containing a certain set of instructions. If the attacked remote computer has Microsoft SQL Server, a management system for relational databases, working on it, Trojan.Mirai.1 creates within it the user Mssqla with the password Bus3456#qwein and sysadmin privileges. Acting under the name of this user and with the help of the SQL server event service, the Trojan executes various malicious tasks. Thus, the Trojan, for example, launches executable files with administrator privileges, deletes files, or plants icons in the system folder for automatic launch (or creates the corresponding logs in the Windows registry). After connecting to a remote MySQL server, the Trojan creates the user MySQL with the login phpminds and the password phpgod, for the purpose of achieving the same goals.

Trojan.Mirai.1 has been added to the Dr.Web virus databases and therefore poses no threat to our users.

More about this Trojan
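The common thread between the Linux.Proxy.10 report that opened this thread and the Trojan.Mirai.1 write-up above is a successful password login, over SSH or Telnet, to an account that still carries a default or reused credential. As an added example (not from Dr. Web or the article), this Python script parses constructed sshd and login(1) records in the auth.log format and flags password logins to accounts that commonly ship with default passwords; the sample lines and the account list are assumptions to be tuned per fleet.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the page): sshd and login(1) records in the
# format written to /var/log/auth.log on a Debian-style host.
SAMPLE_LOG = """\
Feb  3 10:01:12 host sshd[2101]: Accepted password for pi from 203.0.113.7 port 51022 ssh2
Feb  3 10:01:40 host sshd[2109]: Accepted publickey for deploy from 198.51.100.4 port 40110 ssh2
Feb  3 10:02:05 host login[2200]: LOGIN ON pts/1 BY root FROM 203.0.113.7
Feb  3 10:02:30 host sshd[2215]: Accepted password for admin from 203.0.113.7 port 51090 ssh2
Feb  3 10:03:00 host sshd[2230]: Failed password for root from 192.0.2.9 port 33000 ssh2
"""

# Accounts that commonly ship with vendor-default passwords (assumption: adjust per fleet).
DEFAULT_ACCOUNTS = {"root", "admin", "pi", "user", "ubnt", "guest", "support"}

# Only *successful* logins are of interest: a credential list that works needs no brute force.
SSHD_RE = re.compile(r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+)")
LOGIN_RE = re.compile(r"login\[\d+\]: LOGIN ON \S+ BY (?P<user>\S+) FROM (?P<ip>\S+)")


def parse_logins(log_text):
    """Yield (service, method, user, ip) for every successful interactive login."""
    for line in log_text.splitlines():
        m = SSHD_RE.search(line)
        if m:
            yield "sshd", m["method"], m["user"], m["ip"]
            continue
        m = LOGIN_RE.search(line)
        if m:
            # login(1) is what a telnetd session goes through; it is always password-based.
            yield "login", "password", m["user"], m["ip"]


def find_suspect_logins(log_text, default_accounts=DEFAULT_ACCOUNTS):
    """Return password logins to default-style accounts, grouped by source IP.

    Key-based SSH logins are ignored: the SSH/Telnet logins with vendor or reused
    passwords described in the reports only ever appear as password authentication.
    """
    by_ip = defaultdict(list)
    for service, method, user, ip in parse_logins(log_text):
        if method == "password" and user in default_accounts:
            by_ip[ip].append((service, user))
    return dict(by_ip)


if __name__ == "__main__":
    for ip, hits in find_suspect_logins(SAMPLE_LOG).items():
        print(f"{ip}: {len(hits)} password login(s) to default account(s): {hits}")
```

A single source address logging into several default accounts within minutes, as in the sample, is the footprint of a harvested «IP address:login:password» list being replayed rather than of a legitimate administrator.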

Aleeyen
I think universal malware is the future. A malware will be designed in such a way that it will be able to work on all types of OSes just by doing little tweaks. Malware creators are some of the most intelligent coders in the world and they will surely try to go this way.

Like a Western!
The future, IMO, is the malware created by governments' hands! We have seen such malware before. It would be much more dangerous than these malwares; that's why I note this in most of my topics :)) You need to go with an anti-virus/cybersecurity solution which has your back if that time comes.

I saw a topic about this subject in some forums, like Wilders Security, or another one whose name I can't remember at the moment.
It would be great if someone opened a topic like that on MT too! Research those times when Flame, Stuxnet, Flask.. were seen for the first time: how long later did AV vendors and cybersecurity companies detect them? How long later were those governmental malwares added to their databases?

I really hope someone does that.
Wave

I think universal malware is the future. A malware will be designed in such a way that it will be able to work on all types of OSes just by doing little tweaks. Malware creators are some of the most intelligent coders in the world and they will surely try to go this way.
No, because each OS has different OS APIs and therefore they won't be compatible with "little tweaks". You cannot write malware for Win32 in C++ and just port it over to Linux, because on Linux there is no NT API, unless you were working with WINE, but even then it probably won't work right.

It's more complicated than that.

JM Safe
Interesting thread. So, I think in the near future an AV, also on Linux OS, is really recommended.

Malware creators are some of the most intelligent coders in the world and they will surely try to go this way.
It is not always true. I analyzed a Jigsaw Ransomware sample and it was very, very easy to decompile it and analyze its source code deeply. Sometimes malcoders are very good at programming, also because they manage to evade AV detection, but it depends on several factors: the programming language used to develop the malware sample, the type of attack of the malware, the ability of the malware to damage your files, sensitive data and so on.
Instead, sometimes, malcoders are not very good at programming and they make samples easily detected by almost all AVs or anti-malware software, and they leave the source code open and easy to decompile and analyze.

Wave

Malware creators are some of the most intelligent coders in the world and they will surely try to go this way.
Well, the majority of malicious software in the wild says different... More often than not for ransomware you'll find crappy samples which can be reversed (not done properly), or just basic .NET apps based on copy-pasted code. Most of the intelligent people move to the good side to help improve security, and the ones who don't often end up in prison for attacks; you'll find people selling RAT source codes and such on the dark web, but they'll just be crappy, expensive sources based in C#.NET a lot of the time.

9/10 the process hollowing was based on copy-paste code, for example.

Whereas, 7 years ago, you'd find many bootkits, rootkits and PE infection - not common anymore.

bluemind7x
All I know about malware is that it attacks Windows more than other OSes because it is more used than the other OSes. I used Ubuntu months ago on a Windows machine, dual-booting just out of curiosity, and I really liked that OS.

ForgottenSeer 55778

Is Linux less vulnerable than Windows or was the false sense of security just that it was less common than Windows and therefore a less likely target?