Re: [DNG] ..are we|Devuan safe from this systemd backdoor malware, taking our kernels from Debian?

2021-05-01 Thread Florian Zieboll via Dng
On Sat, 1 May 2021 17:11:48 +0200
Didier Kryn  wrote:

> On 30/04/2021 at 15:05, Arnt Karlsen wrote:
> > On Fri, 30 Apr 2021 14:37:20 +0200, Arnt wrote in message 
> > <20210430143720.7311bc82@d44>:
> >
> >
> >> https://www.theregister.com/2021/04/29/stealthy_linux_backdoor_malware_spotted/
> >>  
> > ..how it works:
> > https://blog.netlab.360.com/stealth_rotajakiro_backdoor_en/
> 
> 
>     This backdoor is targeting systemd and gvfs.
> 
>     It is not very surprising that systemd is targeted, since it is
> present (by force) in most installed Linux systems.
> 
>     Gvfs is not expected to be installed on servers, but is required
> by some desktop goodies - even in Xfce4, for example if you install
> the tool to mount/unmount hotplug disks; it is primarily to avoid it
> that I developed hopman.


Hello Didier,

why do you think it's targeting only systems with systemd or gvfs
installed? At a first glance, I don't see any hints towards this
conclusion besides the fact that the installer / dropper of this very
sample did name the executables accordingly and provides a systemd
"service" file. It should be easily realizable to automatically choose
other names, depending on the targeted environment.

The Netlab blog post even states:

||  Depending on the Linux distribution, create the corresponding
||  self-starting script /etc/init/systemd-agent.conf
||  or /lib/systemd/system/sys-temd-agent.service.

AFAIK, the directory '/etc/init/' is only created/used by, respectively
for, the 'upstart' init system, thus I assume that (at least) those
systems are covered as well.


libre greetings,
Florian

___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
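The point above is that the dropper persists through whichever init system it finds, using a file name that imitates "systemd" ("sys-temd-agent.service") or a systemd-named job in the upstart directory. The following is an added example, not code from the thread or from the Netlab write-up: it checks the two persistence paths quoted above and, more generally, flags startup jobs whose name is a near-miss of "systemd" or that carry a systemd name inside the upstart directory /etc/init. The scan directories and the "near-miss" heuristic are my assumptions, not something the thread states.

```python
#!/usr/bin/env python3
"""Flag init/systemd startup files that mimic the naming used by the
RotaJakiro dropper, as quoted in the thread from the Netlab analysis.
Added example; the heuristics below are assumptions, not from the post."""
import os
import re
from typing import List, Optional, Tuple

# Persistence paths quoted in the thread from the Netlab analysis.
KNOWN_PATHS = {
    "/etc/init/systemd-agent.conf",
    "/lib/systemd/system/sys-temd-agent.service",
}

# Assumed directories where upstart and systemd pick up startup jobs.
SCAN_DIRS = ["/etc/init", "/etc/systemd/system",
             "/lib/systemd/system", "/usr/lib/systemd/system"]


def looks_like_systemd(name: str) -> bool:
    """True when a file name imitates 'systemd' with separators inserted
    (e.g. 'sys-temd-agent'), but does not contain the real token."""
    stripped = re.sub(r"[-_.\s]", "", name.lower())
    return stripped.startswith("systemd") and "systemd" not in name.lower()


def classify(path: str) -> Optional[str]:
    """Return a reason string if the path is suspicious, else None."""
    directory, name = os.path.split(path)
    if path in KNOWN_PATHS:
        return "matches persistence path quoted from the Netlab analysis"
    if looks_like_systemd(name):
        return "file name imitates 'systemd' with inserted separators"
    if directory == "/etc/init" and "systemd" in name.lower():
        return "systemd-named job in the upstart directory /etc/init"
    return None


def scan(paths: List[str]) -> List[Tuple[str, str]]:
    """Classify a list of paths; returns (path, reason) for suspicious ones."""
    results = []
    for p in paths:
        reason = classify(p)
        if reason:
            results.append((p, reason))
    return results


def scan_host() -> List[Tuple[str, str]]:
    """Walk SCAN_DIRS on the running host and report suspicious entries."""
    found = []
    for d in SCAN_DIRS:
        if os.path.isdir(d):
            found.extend(os.path.join(d, e) for e in sorted(os.listdir(d)))
    return scan(found)


if __name__ == "__main__":
    for path, reason in scan_host():
        print(f"{path}: {reason}")
```

A hit is a reason to inspect the file and the process it starts, not proof of compromise; legitimate units never insert separators into the "systemd" prefix, so the near-miss rule is cheap to run on every host.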


Re: [DNG] ..are we|Devuan safe from this systemd backdoor malware, taking our kernels from Debian?

2021-05-01 Thread Didier Kryn
On 01/05/2021 at 17:38, Tomasz Torcz wrote:
> On Sat, May 01, 2021 at 05:11:48PM +0200, Didier Kryn wrote:
>> On 30/04/2021 at 15:05, Arnt Karlsen wrote:
>>> On Fri, 30 Apr 2021 14:37:20 +0200, Arnt wrote in message 
>>> <20210430143720.7311bc82@d44>:
>>>
>>>
>>>> https://www.theregister.com/2021/04/29/stealthy_linux_backdoor_malware_spotted/
>>>>  
>>> ..how it works:
>>> https://blog.netlab.360.com/stealth_rotajakiro_backdoor_en/
>>
>>     This backdoor is targeting systemd and gvfs.
>   Can you prove that?  The analysis you linked shows nothing like that:
> - gvfsd is only used as a part of name of backdoor binary, there seem to be no
>   interaction with real gvfsd at all
> - first file described in analysis is an _upstart_ configuration file
>
    Then I misread. Or overlooked. Not my mother tongue (~:

--     Didier




Re: [DNG] ..are we|Devuan safe from this systemd backdoor malware, taking our kernels from Debian?

2021-05-01 Thread Tomasz Torcz
On Sat, May 01, 2021 at 05:11:48PM +0200, Didier Kryn wrote:
> On 30/04/2021 at 15:05, Arnt Karlsen wrote:
> > On Fri, 30 Apr 2021 14:37:20 +0200, Arnt wrote in message 
> > <20210430143720.7311bc82@d44>:
> >
> >
> >> https://www.theregister.com/2021/04/29/stealthy_linux_backdoor_malware_spotted/
> >>  
> > ..how it works:
> > https://blog.netlab.360.com/stealth_rotajakiro_backdoor_en/
> 
> 
>     This backdoor is targeting systemd and gvfs.

  Can you prove that?  The analysis you linked shows nothing like that:
- gvfsd is only used as a part of name of backdoor binary, there seem to be no
  interaction with real gvfsd at all
- first file described in analysis is an _upstart_ configuration file

-- 
Tomasz Torcz   “(…) today's high-end is tomorrow's embedded processor.”
to...@pipebreaker.pl  — Mitchell Blank on LKML



Re: [DNG] ..are we|Devuan safe from this systemd backdoor malware, taking our kernels from Debian?

2021-05-01 Thread Didier Kryn
On 30/04/2021 at 15:05, Arnt Karlsen wrote:
> On Fri, 30 Apr 2021 14:37:20 +0200, Arnt wrote in message 
> <20210430143720.7311bc82@d44>:
>
>
>> https://www.theregister.com/2021/04/29/stealthy_linux_backdoor_malware_spotted/
>>  
> ..how it works:
> https://blog.netlab.360.com/stealth_rotajakiro_backdoor_en/


    This backdoor is targeting systemd and gvfs.

    It is not very surprising that systemd is targeted, since it is
present (by force) in most installed Linux systems.

    Gvfs is not expected to be installed on servers, but is required by
some desktop goodies - even in Xfce4, for example if you install the
tool to mount/unmount hotplug disks; it is primarily to avoid it that I
developed hopman.

--     Didier

