Powerful, highly stealthy Linux trojan may have infected victims for years

Discussion in 'malware problems & news' started by Minimalist, Dec 8, 2014.

  1. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,087
  2. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    3,872
  3. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    8,030
    Location:
    Lloegyr
  4. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    This is disturbing news. It's a wakeup call. Workable defense against unknown and potentially devastating attacks requires a layered, multifactor approach for security and privacy. Professionals know that. And we can all implement at least the basics. System hardening is important, of course. But it's also essential to compartmentalize and isolate workspaces, both machines and their network access, and to segregate activity to avoid cross contamination and progressive compromise. VMs isolate somewhat, and multiple host machines isolate more effectively, but only if there's network isolation with firewalled LANs, and prudent sharing of removable media. It's also crucial to compartmentalize and isolate Internet access, using nested chains of VPNs, JonDonym and Tor as ad hoc anonymity mixes. That limits damage from compromise, as well as protecting privacy and anonymity. Indeed, firewalling potential damage from compromise is a key aspect of protecting security, privacy and anonymity.

    That could have been an article. For now it's a dense (run on) paragraph. Son las cosas de la vida ;)
     
  5. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,599
    Mirimir, your post is almost like an echo from inside my thoughts before I even read to the bottom of the thread/your post!! That should scare you. LOL!!
     
  6. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,150
    Location:
    UK
    In a strange way, I think this is good news from a number of perspectives:
    • it will encourage more attention on security in Linux, and less complacency
    • it will uncover more of the real situation we are facing - I'd rather know my threats better than not
     
  7. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    Well, it is dogma, no?

    And yes, there are several of us here who say similar things :)
     
  8. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
  9. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    So that Turla campaign has infected more machines than analysts initially thought.
    I think security and privacy/anonymity is different thing and sometimes they conflicts, though still drawing clear line btwn them is difficult.

    Also, surely what you described is near bullet-proof for common attacks, however never sufficient for APT like this, or more advanced one.
    Just take an example of Hidden Lynx, they failed to attack a military industry first time due to Bit9's protection. Then they targeted Bit9, infiltrated their certificate infrastructure and abused it to 'properly' sign many of their malware. Now security software is cyberweapon.
    Another way they used is to infect the PC which is to be supplied to targeted company, i.e. infect new PCs just before the victim buy & put them.
    So company have to care about not only their security but all their connection! This is part of reason why fairly fighting against state-sponsored attack is almost impossible for individual person or company.
    Also those APT often bypass strict firewalling and log analysis by e.g. embed C&C communication into necessary browser web traffic (of course by invisible way). I thought Windows version of Turla used similar technique and MRG effitas' test malware BABO too.
    If you really want to protect against such attack, you have to direct your eyes on beyond computer and network.
    But practical answer is, just giving up 100% protection and spend fair resource to post-infection detection, and carry insurance.

    I'm not saying you're wrong, actually that is very good to limit potential damage, but am just poiting out that's not enough against APT.
     
    Last edited: Dec 10, 2014
  10. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
  11. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    3,872
  12. Veeshush

    Veeshush Registered Member

    Joined:
    Mar 16, 2014
    Posts:
    643
    That Schneier quote is interesting:
    By the time any gov-grade stuff gets added to the virus definitions of all the major vendors, it's already a dead piece of malware or exploit. A part of me wants to believe that justifies having some form of AV, Linux or Windows, to at least hope that if you are infected by whatever that it'll send the sample to the AV provider (as opposed to having no AV, and it staying active for years). Reality though, is that's such an imperfect system for even everyday malware. There's just too many things to watch, even by automation, to keep up.

    Mirimir could run the security grid of any first world country. :thumb: "The people love 'em, those in power fear him!" "We hold these security truths to be self-evident!"

    If I can keep the 5 some computers at my place running- I consider it a good day.
     
  13. tlu

    tlu Guest

    I think we should not get too panicky yet. Many details of that malware are still unknown. And we should also differentiate between Linux servers and desktop systems. Vulnerabilities in Linux servers are often caused by lousy configuration (loose permissions, bad passwords etc.) and by systems not updated in months, sometimes even years ("never touch a running system"). Granted - that's bad enough. But it doesn't necessarily mean that Linux desktop systems are in immediate danger.
     
Loading...