[conspire] (forw) Re: [Hangout-NYLXS] ransomware - attacking [sic] apache

Rick Moen rick at linuxmafia.com
Sun Nov 8 08:30:39 PST 2015


[sic] added to Subject header, to avoid wasting readers' time
if they expect _real_ Apache vulnerabilities, which this isn't.

----- Forwarded message from Rick Moen <rick at linuxmafia.com> -----

Date: Sun, 8 Nov 2015 08:25:03 -0800
From: Rick Moen <rick at linuxmafia.com>
To: hangout at nylxs.com
Subject: Re: [Hangout-NYLXS] ransomware - attacking apache
Organization: If you lived here, you'd be $HOME already.

Quoting Ruben Safir (mrbrklyn at panix.com):

> http://techcrunch.com/2015/11/06/linux-ransomware-is-now-attacking-webmasters/
> 
> Linux Ransomware Is Now Attacking Webmasters
                          ^^^^^^^^^
> Posted yesterday by John Biggs (@johnbiggs)
> Next Story
> 
> A new bit of ransomware is now attacking Linux-based machines,
                                 ^^^^^^^^^

And the hook is set with a deliberately false statement and false
headline.  Let's see how many paragraphs before it unravels.

> specifically the folders associated with serving web pages. Called
> Linux.Encoder.1 the ransomware will encrypt your MySQL, Apache, and
> home/root folders. The system then asks for a single bitcoin to decrypt
> the files.
> 
> From Dr.Web Antivirus:
> 
> Once launched with administrator privileges, the Trojan dubbed
                                                   ^^^^^^
> Linux.Encoder.1 downloads files containing cybercriminals’ demands and a
> file with the path to a public RSA key. After that, the malicious
> program starts as a daemon and deletes the original files. Subsequently,
> the RSA key is used to store AES keys which will be employed by the
> Trojan to encrypt files on the infected computer.

_One_ paragraph to the Great Unraveling.  In the next one, author Biggs
drops this being a trojan; a bit of monkeyshines performed on a system
after it has been exploited through other means entirely.  The problem
the system administrator must be concerned about is not Linux.Encoder.1
but rather the vulnerability that gives the intruder access, after which
trojans are the least of the sysadmin's problems.

So, basically this is yet another stupid, badly written security article
targeted at gullible readers who don't understand much -- and doesn't
actually say anything of interest.

I have duly added Linux.Encoder.1 to category 'IV. The Ringers.
Post-Compromise Rootkits (Trojan, Worm) and Attack Tools (not malware at
all)' on http://linuxmafia.com/~rick/faq/#virus4 .  To quote the comment
paragraphs I wrote immediately after the long alphabetical list of
'ringer' codebases (invariably promoted by antimalware companies to line
their pocketbooks):

  Every one of those is some sort of _post-attack_ tool; all are
  erroneously claimed on sundry anti-virus companies' sites (and
  consequently in various news articles) to be "Linux viruses".  Some are
  actually "rootkits", which are kits of software to hide the intruder's
  presence from the system's owner and install "backdoor" re-entry
  mechanisms, after the intruder's broken in through other means entirely.
  Some are "worms"/"trojans" of the sort that get launched locally on the
  invaded system, by the intruder, to probe it and remote systems for
  further vulnerabilities.  Some are outright attack tools of the "DDoS"
  (distributed denial of service) variety, which overwhelm a remote target
  with garbage network traffic from all directions, to render it
  temporarily non-functional or incommunicado.

  The news reporters and anti-virus companies in question should be
  ashamed of themselves: None of the above, in itself, can break into any
  remote Linux system.  All must be imported manually and installed by an
  intruder who has cracked your system by other means.

One notes that John Biggs at least is good enough to credit 'Dr.Web
anti-virus' -- a 'Russian IT-security solutions vendor developing Dr.Web
anti-virus for businesses and personal use, as well as anti-virus as a
service since 1992' (ta-dah!) as his source for this so-called news
story.

Also, Mr. Biggs _does_ also lamely throw this in at the end:

> The malware requires administrator privileges to run and, presumably,
> a sysadmin who would allow for such a program to run unbridled.

Two things, Mr. Biggs:  (1) Did you notice that this means
Linux.Encoder.1 is not 'attacking' Linux machines and webmasters as
claimed in your headline and lead sentence?  Or were you too busy
copying and pasting from Dr.Web?  (2) No, Mr. Biggs, typically the
sysadmin would not wake up one morning and decide 'Today I want to allow
post-attack tools to run.'  Instead, the sysadmin would leave open some
unrelated security weakness permitting intrusion and escalation of
privilege to root, and _that_ is the 'attack'.

Rubbish, dimwitted story, as per usual.  Practically all IT journalism
stories about Linux security are just ill-concealed PR material from
antivirus firms (Dr.Web, Avira, F-Secure, Kaspersky Lab, McAfee, Panda
Security, Sophos, and Symantec, among others) republished by tech
journalists with low standards desperate to achieve line-inches with low
effort under deadline pressure, and this was no exception.

> The team recommends backing up all data and keeping all files in place
> if you’re attacked until researchers create a decryption system.

The 'team' are a bunch of idiots.  What readers _should_ be doing is
systematic periodic backups and meaningful system security.

Ruben, why did you copy and paste this idiocy that Biggs copied and
pasted from an antivirus firm?  Do you need a hobby?

http://techcrunch.com/author/john-biggs/ says 'Biggs is the East Coast
Editor of TechCrunch. [...]  He is the former editor-in-chief of
Gizmodo.com and lives in Bay Ridge, Brooklyn.'

I'm sorry for Brooklyn.  I _like_ Brooklyn.

-- 
Cheers,                                  "If you see a snake, just kill it. 
Rick Moen                                Don't appoint a committee on snakes."
rick at linuxmafia.com                                         -- H. Ross Perot
McQ! (4x80)

----- End forwarded message -----
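The Dr.Web paragraph quoted above describes a two-level key scheme: each file is encrypted under its own symmetric key, and that key is then "stored" under an RSA public key, so the infected host never holds anything that can unwrap it. The following is an added illustration of that hybrid scheme, written for this page; it is not code from Linux.Encoder.1, from Dr.Web, or from the article. Assumptions made for the sake of running on a stock Python install: textbook (unpadded) RSA with 96-bit primes stands in for a real RSA key, and a SHA-256 counter-mode keystream stands in for AES; the "file" content is constructed sample data.

```python
"""Hybrid key-wrapping scheme of the kind the quoted Dr.Web paragraph
describes.  Added illustration, not code from Linux.Encoder.1 or Dr.Web.

Assumptions (stand-ins so this runs with no third-party libraries):
  - textbook RSA, no OAEP padding, 96-bit primes (n > 2**128);
  - a SHA-256 counter-mode keystream in place of AES."""
import hashlib
import math
import os
import random


def is_probable_prime(n, rounds=20):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    """Random prime with the top bit set, so it really has `bits` bits."""
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def rsa_keygen(bits=96):
    """Return ((e, n), (d, n)).  Two 96-bit primes give n > 2**128, enough
    to wrap a 16-byte file key as one integer (assumption: toy key size)."""
    e = 65537
    while True:
        p, q = random_prime(bits), random_prime(bits)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            break
    d = pow(e, -1, phi)
    return (e, n), (d, n)


def keystream_xor(key, nonce, data):
    """Symmetric stand-in for AES: XOR with SHA-256(key||nonce||counter)
    blocks.  XOR is its own inverse, so one function encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        block = hashlib.sha256(key + nonce + counter).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def encrypt_file(plaintext, public_key):
    """What runs on the victim host: a fresh per-file key encrypts the file,
    then the public key wraps that file key.  Only (e, n) is ever present."""
    e, n = public_key
    file_key = os.urandom(16)
    nonce = os.urandom(16)
    ciphertext = keystream_xor(file_key, nonce, plaintext)
    wrapped_key = pow(int.from_bytes(file_key, "big"), e, n)
    return {"nonce": nonce, "ciphertext": ciphertext, "wrapped_key": wrapped_key}


def decrypt_file(blob, private_key):
    """What only the private-key holder can do: unwrap with d, then decrypt."""
    d, n = private_key
    file_key = pow(blob["wrapped_key"], d, n).to_bytes(16, "big")
    return keystream_xor(file_key, blob["nonce"], blob["ciphertext"])


def demo():
    """Round trip over constructed sample content; returns the three parts."""
    public_key, private_key = rsa_keygen()
    original = b"<html><body>index.html of some webmaster's site</body></html>"
    blob = encrypt_file(original, public_key)
    return original, blob, decrypt_file(blob, private_key)


if __name__ == "__main__":
    orig, blob, back = demo()
    print("wrapped key:", hex(blob["wrapped_key"])[:20], "...")
    print("round trip ok:", orig == back)
```

The point the scheme makes concrete: everything left on the disk (ciphertext, nonce, wrapped key) is useless without d, which never touches the host. That is why a post-compromise encryptor needs no cleverness of its own, and why the sysadmin's real concern, as the message above says, is the intrusion that let it run as root in the first place, plus backups taken before that happened.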
