A few inconsistencies in the threat analysis

Story: Powerful, highly stealthy Linux trojan may have infected victims for years
Total Replies: 4
mrider

Dec 09, 2014
3:10 PM EDT
Quoting: Like its Windows counterparts, the Linux trojan is extremely stealthy. It can't be detected using the common netstat command.


Unless I'm wrong, that means the software can listen to raw packets, which requires root on *nix systems.



Quoting: To conceal itself, the backdoor sits dormant until attackers send it unusually crafted packets that contain "magic numbers" in their sequence numbers. The malware may have sat unnoticed on at least one victim computer for years, although Kaspersky Lab researchers still have not confirmed that suspicion. The trojan is able to run arbitrary commands even though it requires no elevated system privileges.


According to this, root isn't required for this to be a problem.



So basically on the left hand side, they tell us that it can run arbitrary commands without elevated privileges, and on the right hand side they tell us that it (presumably) listens in a way that does require elevated privileges.

So what am I missing?
gus3

Dec 09, 2014
5:42 PM EDT
Capabilities CAP_NET_RAW (for capture) and CAP_NET_ADMIN (for interface enumeration) are all that's needed. Of course, root has that by default, but others can have that as well, and a program can be marked to grant them automatically. Once the initial infection is completed, using elevated privileges, that elevation would no longer be necessary.
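As an added illustration of gus3's point (not code from the thread or from the article), the script below checks a system the way a defender would: it walks getcap(8) output and flags any executable that has been "marked" with CAP_NET_RAW or CAP_NET_ADMIN as a file capability, since those are the entries that let a non-root process capture packets. The sample getcap lines and the `/usr/sbin/suspicious_helper` path are constructed for the demo; only the `--live` mode touches the real filesystem.

```shell
#!/bin/sh
# Audit helper: find executables whose file capabilities include the two
# capabilities gus3 mentions, CAP_NET_RAW (raw-socket capture) and
# CAP_NET_ADMIN (interface administration). A binary carrying either can
# sniff traffic without running as root, so unexpected entries deserve review.
#
# Input is getcap(8)-style output, one file per line. Both the newer form
#   /usr/bin/ping cap_net_raw=ep
# and the older form
#   /usr/bin/ping = cap_net_raw+ep
# are accepted. Paths containing spaces are not handled.

# Print "path caps" for every line carrying cap_net_raw or cap_net_admin.
flag_net_caps() {
    sed 's/ = / /' | awk '$2 ~ /cap_net_raw|cap_net_admin/ { print $1, $2 }'
}

# Scan the running system: recursive getcap over /, then filter.
# Needs the libcap tools (getcap) installed; errors for unreadable paths are dropped.
audit_live() {
    getcap -r / 2>/dev/null | flag_net_caps
}

# Constructed sample output (not captured from a real host) for demonstration.
# The third line is the kind of entry the audit should surface.
SAMPLE='/usr/bin/ping cap_net_raw=ep
/usr/bin/gnome-keyring-daemon cap_ipc_lock=ep
/usr/sbin/suspicious_helper cap_net_admin,cap_net_raw=eip
/usr/bin/mtr-packet = cap_net_raw+ep'

if [ "${1:-}" = "--live" ]; then
    audit_live
else
    printf '%s\n' "$SAMPLE" | flag_net_caps
fi
```

Run with `--live` on a host to audit it; entries for ping or mtr-packet are expected on many distributions, anything else should be explained by a package you recognise.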
seatex

Dec 09, 2014
6:14 PM EDT
Didn't the NSA develop SELinux? And wouldn't the NSA have motive to spy on the same targets this "virus" seemed to have targeted?
number6x

Dec 09, 2014
6:21 PM EDT
Nasty thing about trojans ...

Like most trojans, this software will be installed when the package carrying it is installed. That installation will happen with root privileges.

The root privileges at install time can grant authority to the evil parts of malware at install time.

mrider

Dec 09, 2014
6:45 PM EDT
Thanks gus3 for the clarification!
