Posted on 02/25/2020 8:32:01 AM PST by dayglored
Aw, how generous
Hey, Linux fans! Microsoft has got your back over fileless threats. Assuming you've bought into the whole Azure Security Center thing.
Hot on the heels of a similar release for Windows (if by "hot" you mean "nearly 18 months after") comes a preview aimed at detecting that breed of malware that inserts itself into memory before attempting to hide its tracks.
A fileless attack tends to hit via a software vulnerability, inject a stinky payload into an otherwise fragrant system process and then lurk in memory. The malware also attempts to remove any trace of itself on disk, which makes disk-based detection tricky.
Since the malware hides in RAM, a reboot generally gets rid of the thing. However, Linux servers tend not to be rebooted as frequently as certain other operating systems and so, once infected, the malware can linger in memory, performing its nefarious activities.
An example of such an infection would be an attacker spotting a vulnerable service on an exposed port, copying a malware package and executing it. A few hops, skips and jumps later, and the malware could be listening for TCP instructions, having ensured any trace of itself in the file system has been removed.
A properly locked-down server would, of course, also mitigate things somewhat.
Microsoft's detection feature scans the memory of all processes for the tell-tale footprint of a fileless toolkit, shrieking a warning in the Azure Security Center along with some details of the nasty. An admin can then decide what action to take (and what further investigation is needed).
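One cheap host-side heuristic for the kind of lead the article describes (code that runs from memory after its file on disk is gone), as an added example that is not Microsoft's scanner or The Register's code: it parses the /proc/&lt;pid&gt;/maps format for executable regions backed by a deleted file or a memfd. The sample maps text is constructed here; `scan_proc` only works on a Linux host with /proc.

```python
import os
import re

# Constructed sample of /proc/<pid>/maps output (not captured from a real host):
# an executable region backed by a deleted file, one backed by a memfd, one normal
# shared library, and a non-executable stack region.
SAMPLE_MAPS = """\
55d0c1a00000-55d0c1a21000 r-xp 00000000 fd:01 1234567 /tmp/.x/payload (deleted)
7f3a12000000-7f3a12005000 rwxp 00000000 00:05 98765 /memfd:stage2 (deleted)
7f3a12200000-7f3a123c0000 r-xp 00000000 fd:01 262145 /usr/lib/x86_64-linux-gnu/libc.so.6
7ffd4a000000-7ffd4a021000 rw-p 00000000 00:00 0 [stack]
"""

# address perms offset dev inode [pathname]
MAPS_RE = re.compile(r"^(\S+) (\S{4}) \S+ \S+ \S+\s*(.*)$")

def suspicious_mappings(maps_text):
    """Return (addr_range, perms, path) for executable mappings whose backing
    file has been unlinked or never existed on disk (memfd). Libraries replaced
    by a package upgrade also show '(deleted)', so treat hits as leads to
    investigate, not verdicts."""
    hits = []
    for line in maps_text.splitlines():
        m = MAPS_RE.match(line)
        if not m:
            continue
        addr, perms, path = m.groups()
        if "x" not in perms:
            continue  # only executable regions matter for this heuristic
        if path.endswith("(deleted)") or path.startswith("/memfd:"):
            hits.append((addr, perms, path))
    return hits

def scan_proc(proc_root="/proc"):
    """Walk every pid under proc_root and collect suspicious executable
    mappings as {pid: [mappings]}. Reading other users' maps needs root."""
    findings = {}
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, pid, "maps")) as fh:
                hits = suspicious_mappings(fh.read())
        except OSError:
            continue  # process exited or maps not readable
        if hits:
            findings[pid] = hits
    return findings

if __name__ == "__main__":
    for pid, hits in scan_proc().items():
        for addr, perms, path in hits:
            print(f"pid {pid}: {addr} {perms} {path}")
```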
The scan, according to the Windows giant, is not invasive and the "vast majority" take less than five seconds to run. More importantly for those fearful of slurpage, memory analysis is performed on the host itself and the results only contain "security-relevant metadata and details of suspicious payloads".
Unsurprisingly, once signed up for the preview, you'll need the Log Analytics Agent for Linux installed, along with a supported distribution (the usual suspects: Red Hat Enterprise Server, SUSE, Ubuntu and Debian are all included in the list). You will also need to be in Standard or Standard Trial Pricing tier to play.
Microsoft isn't the only outfit squaring up to fileless threats. Kaspersky has been quick to trumpet its effectiveness and Trend Micro points to some alarming statistics concerning the surge in threats as criminals seek different means to compromise systems.
However, as its continued love-in with Linux continues (heck, a large chunk of Azure is running the OS), Microsoft has decided that maybe, just maybe, the lessons learned monitoring its proprietary OS could be extended elsewhere. ®
I’m sure it’s probably ok- but I just feel a bit funny about going that route- I downloaded the file from sourceforge, and checked the checksum # which proved to be the right one, then installed it from there by right-clicking and choosing the gdebi package installer from the list- I also installed firetools, which is the graphical interface for firejail, and it’s all working now-
At least I think so- I run the command firejail --list - and it shows firefox running in the list, so I assume my firefox is now running in firejail-
[[I know just enough about linux to get into trouble,]]
Yup me too- Do you use “TimeShift” (it’s installed automatically i think if you run linux mint) to back up your system before you try stuff? It’s a pretty good safety measure- if everything works fine for a week or so, I’ll go and delete the backup file because they are quite large- around 12 gig-
I love timeshift. It’s saved me a few times!
Nowadays we have evil programs that get in and wait, some that quietly eat away programs meant to fight them and now crap like this bastard. Why these people don't use their talent to write better software than what's currently available mystifies me. It has to be as Alfred told Bruce: "Some men just want to see the world burn".
Thought about your tagline.
The policy set under the SHODDY MASTER Bill Gates had Microsoft have product security which was terrible — FOR DECADES and used their monopoly status to be able to ignore any significant correction — a truly disgraceful business practice.
If the software was done correctly, from the start, there would be no such vulnerabilities. Bad practices up and down the levels of employees/management.
SO MicroShoddy is NOT the one who should be touting their ‘security’ accomplishments, nor helping anyone else.
Might want to do a little research. Azure is not platformed on Linux.
I was going by the final sentence in the Register article:
"However, as its continued love-in with Linux continues (heck, a large chunk of Azure is running the OS),..."
Are you saying El Reg needs to do some research?
The only for-sure knowledge I have is a few years old, when the Windows Update server network overloaded, went down in flames, and was switched over to Akamai's CDN, which was understood at that time to be Linux-based -- that irony generated a lot of snickering from the Linux folks here and elsewhere.
Microsoft still offers Akamai as one of its Azure CDN options, AFAIK. I rather doubt that it's being done with Windows Server instances, but whether it's Linux per-se, or some *IX variant that Akamai has developed and customized, I don't know.
The large multi-national bank I work for has a substantial footprint on Azure now, RedHat Linux being the predominant OS we deploy there. Personally, I have two Ubuntu Linux Servers running on Azure. This is the first I'm reading of this capability, thank you so much for posting about it. I'm curious to know from our Cloud Engineering Team today if they've enabled this capability in our environment on Azure. :-)
I don't know of a single Linux Admin who'd deploy a browser or email package on a Linux Server. (At least not a single Linux Admin who's worth their salt.)
I just installed Timeshift, created a new external file system for backups and ran Timeshift on my Ubuntu 19.10 desktop ... wow! That was so much easier than anything I used to do under Windows.
I just installed Timeshift, created a new external file system for backups and ran Timeshift on my Ubuntu 19.10 desktop ... wow! That was so much easier than anything I used to do under Windows.
ROFL! I just timeshifted a post, hahahahahha! (bad joke, sorry!)
Azure hosts a LOT of Linux. Not as much as AWS, but Linux runs exceptionally well. The article wasn't referring to the hypervisor.
I went back and re-parsed the Reg sentence, and indeed, that probably does refer to the client, not the hypervisor.
Enlighten me -- what hypervisor is Azure using, standalone Windows Hyper-V Server I'd guess?
Microsoft's data center platform is based around SCVMM (System Center Virtual Machine Manager). It's a specialized hypervisor for cloud that manages Hyper-V as the host hypervisor.