Linux users targeted by password-stealing 'Wirenet' Trojan
Open source gets some attention
By John E Dunn | Techworld | Published: 12:58, 31 August 2012
Malware writers are interested in Linux after all. Russian security firm Dr Web has reported finding a shadowy Trojan that sets out to steal passwords on the open source platform as well as OS X.
Technical details of Wirenet.1’s operation and technique for spreading are sparse for now, but the company reports that the backdoor program targets browser passwords for Opera, Firefox, Chrome and Chromium, as well as those of applications such as Thunderbird, SeaMonkey and Pidgin.
Under Linux it copies itself to the ~/WIFIADAPT directory before attempting to connect to a command and control server hosted at 212.7.208.65 over an AES-encrypted channel. That at least offers a simple way of blocking its communication and any further payloads.
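A host-side check for the two indicators the article names (the ~/WIFIADAPT drop directory and the hard-coded C2 address), added here as an example rather than code from Dr Web or Techworld. It assumes a Linux host whose /proc/net/tcp prints addresses as little-endian hex; the /proc/net/tcp sample embedded below is constructed.

```python
"""Check a Linux host for the Wirenet.1 indicators reported in the article:
the ~/WIFIADAPT directory and outbound connections to 212.7.208.65.
Added example, not code from Dr Web or Techworld."""
import socket
import struct
from pathlib import Path

C2_ADDRESS = "212.7.208.65"  # C2 address as reported in the article


def _decode(hexaddr):
    """Turn a /proc/net/tcp 'HEXIP:HEXPORT' field into (dotted_ip, port).
    On little-endian hosts the kernel prints the IPv4 address byte-reversed."""
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Parse /proc/net/tcp-style text into (local, remote, state) tuples."""
    conns = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        conns.append((_decode(fields[1]), _decode(fields[2]), fields[3]))
    return conns


def c2_connections(text, c2=C2_ADDRESS):
    """Return the remote (ip, port) pairs that match the C2 address."""
    return [remote for _, remote, _ in parse_proc_net_tcp(text) if remote[0] == c2]


def wirenet_drop_dirs(home_root="/home"):
    """List home directories under home_root that contain a WIFIADAPT directory."""
    return [str(home / "WIFIADAPT") for home in Path(home_root).glob("*")
            if (home / "WIFIADAPT").is_dir()]


# Constructed sample in /proc/net/tcp layout: a listening sshd socket and one
# established connection from uid 1000 to the C2 on port 443.
SAMPLE_PROC_NET_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0A00020F:A1B2 41D007D4:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 23456 1 0000000000000000 20 4 30 10 -1
"""

if __name__ == "__main__":
    print("C2 connections in sample:", c2_connections(SAMPLE_PROC_NET_TCP))
    print("Live C2 connections:", c2_connections(Path("/proc/net/tcp").read_text()))
    print("Drop directories:", wirenet_drop_dirs())
```

Run as root so every home directory is readable; a non-empty result from either check is the host-level signal that complements blocking the address at the perimeter.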
Dr Web made a name for itself earlier this year reporting on the infamous Flashback Trojan that hit Mac users on an unprecedented scale.
It’s not clear whether Wirenet’s cross-platform capabilities extend to targeting Windows systems but it is possible that avoiding Microsoft’s OS is a way of keeping off the radar of security firms.
Cross platform malware is rare but not unheard of, the usual technique being to hook into Java in search of victims using OS X.
Malware specifically designed to steal credentials from Linux systems is almost unheard of but might, on the basis of this new discovery, become a little less so in future.
Should Linux users be worried? Probably not. The details of how this malware might gain root on a Linux system are unknown. Attacking Linux users would also be a pretty rarefied activity unless it was part of a highly targeted attack.
"We do not have explicit evidence that it uses Java. To my knowledge it does not. This file was received from Virustotal," Dr Web analyst Igor Zdobnov told Techworld.
Comments
YetAnotherBob said: You may not be able to attack the kernel space, but the user is still at risk. The sad fact is that anything that will run a script from the web and that can save content is a potential liability. That includes Java and JavaScript. It also includes Python, Perl and all the other scripting languages. If it runs locally it can be a problem. The problem isn't Linux. It's what Linux can run. I don't see that going away.
deep_dish said: Had to laugh at your last line ("When our distro tells us 'Only use repositories you trust' WE LISTEN" looks like what a newbie would write). Implying that you're a Linux user who doesn't bother to listen to sound advice? For you anti-virus is probably a good idea, seeing as how you can't take basic security advice.
deep_dish said: Every few weeks/months along comes a "Linux isn't immune to viruses" story. These stories never contain any kind of explanation about the security or stability of Linux; they just trot out the same "probably OK but you never know" type remarks. These are always followed by people explaining how they know that Linux is weak and vulnerable and how it's only a matter of time. FUD. Only one company benefits from this, and that's the company that's spent the last 17 years releasing insecure dross after insecure dross - loaded with cash and developers, they still will NOT make their product genuinely secure and robust. In order to infect a Linux system (provided the user has used a default setup) you would need to hack into and change the code in the source repos (a lot harder than you might think) and have it go unnoticed, and then have it installed widely and it still go unnoticed. This chain relies on too many things going unnoticed, and given that the average Linux user is miles ahead of Windows and OSX users, such behaviour would almost certainly be noticed within hours.
okubax said: Typical Linux know-it-all user. I'm a linux user for 7 years now and this article's not condescending to Linux users. Had to laugh at your last line: "When our distro tells us 'Only use repositories you trust' WE LISTEN" looks like what a newbie would write.
Mike_Acker said: you cannot attack a properly constructed system through a user application program. The concern we should examine is this, however: if you receive a malicious document via your browser -- in a restricted user account -- the script running from the document cannot modify anything other than the restricted user account's home directory files. But if you share one of those directories out -- and then extract an infected document into another account that has higher privilege -- you could create a risk. But why would you do that? Anything sensitive, you are going to verify where it is coming from -- using a VPN or PGP.
dourscot said: The story's significance is that someone is targeting Linux, not that the attack is likely to succeed. I agree it's unlikely, but going into denial mode, especially when the full details of this attack are unknown, strikes me as the mentality of the Mac user.
Mike_Acker said: My U-box is built on an old Dell and doesn't have WiFi. But the WiFi directory will be owned by root if it contains the drivers for the wifi card. As such a scriptkiddie running in a user logon can't touch it. If it's just a user file then it doesn't matter. We use a separate logon for general browsing and another for sensitive stuff so as to prevent scripts from getting across.
jose said: the malware creator clearly doesn't know about dot files and folders.
Guest said: Do you know anything about linux? Never mind the fact that almost NOBODY strays from official repos that are trusted, and the fact that EVERYTHING needs root to run and programs that aren't installing themselves need to be chmod xd to run. Never mind that fact, could you possibly give more information? Just because some script kiddie wrote a bit of malware doesn't mean anyone is just going to be infected automatically. We linux users aren't idiots like on other platforms. When our distro tells us "Only use repositories you trust" WE LISTEN. Wow.
Jym said: I have said for years Linux needs better virus protection. It is not Linux itself but, as the article points out, third party software. Browsers, plug-ins and social networking sites across platforms are all threats that really have nothing to do with Linux itself but still leave you vulnerable.