Posted on 04/30/2021 8:55:20 AM PDT by ShadowAce
Chinese security outfit Qihoo 360 Netlab on Wednesday said it has identified Linux backdoor malware that has remained undetected for a number of years.
The firm said its bot monitoring system spotted on March 25 a suspicious ELF program that interacted with four command-and-control (C2) domains over TCP port 443, the HTTPS port, even though the protocol used isn't actually TLS/SSL.
"A close look at the sample revealed it to be a backdoor targeting Linux X64 systems, a family that has been around for at least three years," Netlab researchers Alex Turing and Hui Wang said in an advisory.
An MD5 signature for the file systemd-daemon first showed up in VirusTotal back on May 16, 2018 without the detection of any known malware. Two other files named systemd-daemon and gvfsd-helper were spotted over the next three years.
The association with systemd, the widely used system and service manager for Linux, may have been chosen by the malware authors to make the malicious code less likely to be noticed by administrators reviewing logs and process lists.
Netlab has dubbed the malware family RotaJakiro because it uses encryption with a rotate function and has different behavior depending on whether it's running on a root or non-root account. Jakiro is a reference to a character from the game Dota 2.
The malware makes an effort to conceal itself by using multiple encryption algorithms. It relies on AES to protect its own resources and a combination of AES, XOR, and rotate encryption alongside ZLIB compression to obscure its server communication.
The C2 domains with which the malware communicates were registered through Web4Africa in December 2015 and rely on hosting provided by Deltahost PTR, in Kiev, Ukraine.
The malware is not an exploit; rather it's a payload that opens a backdoor on the targeted machine. It might be installed by an unsuspecting user, an intruder, or through a dropper Trojan. How RotaJakiro has been distributed remains unanswered.
According to Netlab, RotaJakiro supports 12 commands, including "Steal Sensitive Info," "Upload Device Info," "Deliver File/Plugin," and three "Run Plugin" variants. The security firm is presently unaware of what the malware's plugins do.
The security firm sees some similarities between RotaJakiro and the Torii botnet spotted by Avast, another security company, in September 2018. The two have some similar commands and traffic patterns, as well as functional similarities.
At least the malware is starting to get noticed by antivirus software. ®
Thanks to dayglored for the article!
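Two quick triage checks for the hiding tricks the article describes, a system-looking process name backed by a binary outside the system directories, and a client talking on tcp/443 without actually speaking TLS. This is an added example in Python, not code from The Register, Netlab, or the poster; the sample payloads, the process table (every path, and every name other than systemd-daemon and gvfsd-helper), and the list of trusted binary directories are constructed assumptions, not Netlab indicators.

```python
# Added example (not from the article or Netlab): two triage checks for the
# hiding tricks described above, a system-looking process name backed by a
# binary outside system directories, and traffic on tcp/443 that is not TLS.
import os
import re

# ---------------------------------------------------------------------------
# Check 1: does a client's first-flight payload on tcp/443 actually look like
# TLS? A TLS handshake record opens with content type 0x16, record version
# 0x03 0x0N (0x0300 SSL 3.0 .. 0x0304; TLS 1.3 ClientHellos still send 0x0301
# or 0x0303 here), a 2-byte length, then handshake type 0x01 for ClientHello.
# ---------------------------------------------------------------------------
TLS_CONTENT_HANDSHAKE = 0x16
TLS_HANDSHAKE_CLIENT_HELLO = 0x01
MAX_RECORD_LEN = 2**14  # a plaintext handshake record is at most 16384 bytes

def looks_like_tls_client_hello(payload: bytes) -> bool:
    """Header-only heuristic: True if the bytes open like a TLS ClientHello."""
    if len(payload) < 6:
        return False
    content_type, major, minor = payload[0], payload[1], payload[2]
    record_len = int.from_bytes(payload[3:5], "big")
    return (
        content_type == TLS_CONTENT_HANDSHAKE
        and major == 0x03
        and minor <= 0x04
        and 0 < record_len <= MAX_RECORD_LEN
        and payload[5] == TLS_HANDSHAKE_CLIENT_HELLO
    )

def classify_port443_payload(payload: bytes) -> str:
    """Label a client's first bytes on tcp/443 for a hunting query."""
    if looks_like_tls_client_hello(payload):
        return "tls"
    if payload[:4] in (b"GET ", b"POST", b"HEAD", b"PUT "):
        return "plaintext-http"
    return "not-tls"  # what a fake-HTTPS C2 channel would show up as

# Constructed sample payloads (not captures of RotaJakiro traffic).
SAMPLE_PAYLOADS = {
    "client_hello": bytes.fromhex("16030100c5010000c10303") + bytes(32),
    "plain_http": b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    "opaque_blob": bytes.fromhex("0000002a7fb1c34d") + b"\x9a" * 40,
}

# ---------------------------------------------------------------------------
# Check 2: a process named like a system component whose executable does not
# live where that component is installed. Stock systemd helpers sit under
# /usr/lib/systemd or /lib/systemd (a few CLI tools under /usr/bin); gvfs
# daemons under /usr/libexec or /usr/lib/gvfs. The directory list below is an
# assumption about a stock distro; adjust it for yours.
# ---------------------------------------------------------------------------
SYSTEM_LOOKING_NAME = re.compile(r"^(systemd|gvfsd)(-[\w.]+)?$")
TRUSTED_BIN_DIRS = (
    "/usr/lib/systemd/", "/lib/systemd/", "/usr/libexec/", "/usr/lib/gvfs/",
    "/usr/bin/", "/bin/", "/usr/sbin/", "/sbin/",
)

def suspicious_processes(procs):
    """procs: iterable of (pid, comm, exe_path). Returns pids worth a look."""
    flagged = []
    for pid, comm, exe in procs:
        if not SYSTEM_LOOKING_NAME.match(comm):
            continue
        if exe.endswith(" (deleted)"):  # /proc marks unlinked binaries this way
            exe = exe[: -len(" (deleted)")]
        if not exe.startswith(TRUSTED_BIN_DIRS):
            flagged.append(pid)
    return flagged

def read_proc():
    """Live input for suspicious_processes() from /proc (Linux only)."""
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/comm") as fh:
                comm = fh.read().strip()
            exe = os.readlink(f"/proc/{entry}/exe")
        except OSError:  # process exited, or not ours to inspect
            continue
        yield int(entry), comm, exe

# Constructed process table (paths invented for illustration, not Netlab IOCs).
SAMPLE_PROCS = [
    (1, "systemd", "/usr/lib/systemd/systemd"),
    (812, "systemd-logind", "/usr/lib/systemd/systemd-logind"),
    (2210, "gvfsd", "/usr/libexec/gvfsd"),
    (4711, "systemd-daemon", "/home/alice/.cache/systemd-daemon"),
    (4712, "gvfsd-helper", "/tmp/.x/gvfsd-helper (deleted)"),
]

if __name__ == "__main__":
    for name, payload in SAMPLE_PAYLOADS.items():
        print(f"{name:13s} -> {classify_port443_payload(payload)}")
    print("suspicious pids (sample):", suspicious_processes(SAMPLE_PROCS))
    if os.path.isdir("/proc"):
        print("suspicious pids (live):", suspicious_processes(read_proc()))
```

The network check is deliberately a header heuristic: it will not tell you what a non-TLS channel carries, only that a flow on 443 deserves a closer look, which is the observation that led Netlab to the sample. The process check keys on location rather than on the two file names alone, since a copy of the same backdoor under a new system-looking name would still be caught when its binary lives under a home directory or /tmp. Run it as root for a complete view of /proc/*/exe.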
I studied Oracle 9 for a year. Its platform is a form of Linux
Was written by a Chinese “Backdoor man”?...
“Chinese security outfit”
Isn’t that an oxymoron?
Something keeps sneaking in and stealing my desktop icons on Linux Mint Cinnamon 18.3. I have to reboot to get them back.
[That seems to be a persistent problem with several versions of Linux.]
Isn’t “A Chinese security outfit” an oxymoron?
Ha! Beat me by 2 minutes!
“a suspicious ELF program that interacted with four command-and-control (C2) domains over the TCP HTTPS port 443 even though the protocol used isn’t actually TLS/SSL.”
Anyone could’ve told them that.
Oh, yeah, everybody knows that!?!
A dude named “Mr. Wu”.... he was a window cleaner and then an air raid warden back in WWII. Just kidding- first came to mind.
George Formby (the Queen’s favourite morale booster in the Blitz):...”... if there’s a chink in your window, you’ll have another one at the door....” “ the girls all cover their laundry mark...” risque stuff for WWII.
https://www.youtube.com/watch?v=vnvgpeGxzak
Is the “backdoor” risk now closed by Linux updates since this came out? That is, what is to be done? I read the details and can’t figure out what a rotating trapdoor drop functionality is. Well, what is it? It says it is used for targeting individual machines.
Linux experts on FR— any suggestions?
Yup. Oracle is based on Red Hat.
I’ve never seen that happen before.
bookmark
According to Netlab, RotaJakiro supports 12 commands, including “Steal Sensitive Info,” “Upload Device Info,” “Deliver File/Plugin,” and three “Run Plugin” variants.
—
This article sounds like FUD designed to pitch security software.
For one, I seriously doubt any malware is going to have a function so obviously labeled “Steal Sensitive Info”. Secondly, what would constitute “sensitive info”?
I believe that your chosen distro maintainer(s) should be able to filter it out.
Just so long as you don’t get a chink in your armor...
Or your window manager is crashing for some reason.
But it's probably definitely the first one.
OK- thanks will check it out on their boards, maintenance etc.