[sf-lug] Linux attacked by root kit!

Rick Moen rick at linuxmafia.com
Mon Nov 26 09:26:35 PST 2012

Quoting Bobbie Sellers (bliss-sf4ever at dslextreme.com):

> On 11/22/2012 08:37 PM, Rick Moen wrote:
> >Quoting Bobbie Sellers (bliss-sf4ever at dslextreme.com):
> >
> >> From BitTwister on Usenet.
> >>
> >>Linux malware is getting better
> >>
> >>Evildoers can now turn all sites on a Linux server into silent hell-pits
> >>http://www.theregister.co.uk/2012/11/21/powerful_linux_rootkit/
> >Bobbie, I have two immediate recommendations.
> >
> >1.  Please look up what a 'rootkit' is, so you can understand why
> >inherently such a thing cannot attack anything or anyone.
>     Sorry I should have said that some one with root access however
> gained is attacking Linux servers using a root-kit.

Just to clarify for readers:  A rootkit is a set of substitutes for
common administrative utilities that can be installed on a system _if_
you can (through other means entirely) enter the system and gain root
authority.  Metaphorically speaking, it's a camouflage cloak.  You
cannot attack anything with a camouflage cloak, and are not rendered
vulnerable or threatened by its existence.

One of the sure signs of either incompetent or dishonest IT reporting is
to claim software useless for such purposes is being used to 'attack'
or 'threaten' or 'break into' Linux systems -- e.g., rootkits, ELF
infectors, locally installed worms that an intruder who's stolen root
through other means uses for further operations.

As I've pointed out on
http://linuxmafia.com/~rick/faq/?page=virus#virus5 for decades, such
things are _after-effects_ of real security problems.

Remember the Monty Python self-defense skit that featured the immortal
line 'Come at me with that banana'?  Ah, here:
Well, rootkits are about as useful as bananas for attacking anything.

Saying (as the nitwit _Register_ reporter did) that 'Evildoers can now
turn all sites on a Linux server into silent hell-pits' just because
someone using _other means entirely_ might break into a supposedly
secure Web server and install a rootkit is like finding a burglar in the
middle of Fort Knox clutching a banana and saying 'Well, of course he
was able to threaten the nation's gold supply.  He had a banana!'

> >2.  Please don't be so quick to take seriously what trolling yoyos
> >at _The Register_ write (nor what antimalware firms' spokescritters
> >say to drum up business, either).
>     I don't know if those groups are involved in these reports.

Um, they were _quoted_, Bobbie.

>     Here is another reference to the same topic,
> Linux News
> Linux attacked by malware Root Kit
> You may have heard of this already but a neat
> summary of the story can be found at:
> <http://www.h-online.com/open/news/item/Rootkit-infects-Linux-web-servers-1753969.html>

Same error.  Same bad reporting.

The rootkit (as always) cannot be installed without using other means
entirely to break into a Web server.  If random strangers have the
ability to break into your Web server and steal root-user authority,
then you have _much_ bigger problems than rootkits.

Article notes that any Web server broken into by such criminals --
through means other than the rootkit -- tend to install Web pages that 
probe visiting Web-browsing users' Web browsers for the usual grab-bag
of canned exploits against notoriously buggy helper apps (Adobe Flash
and Oracle Java being listed).

If in 2012 you are still running a Web browser willing to run arbitrary
Javascript, Java applets, and Flash animations off the Internet,
especially using the aforementioned bugware helper apps, you have huge
problems and ought to stop doing that.

I covered such matters in my Feb. 2011 lecture 'The Wild, Wild Web: Web
Browser Security, Performance, and Privacy', whose lecture notes and
slides you'll find linked from http://www.svlug.org/ .  About the only 
thing that's happened since then is that Adobe Flash, Adobe Acroread,
and Sun/Oracle Java have been even more clearly exposed as unsafe to 
handle general Internet content, and NoScript has become even more

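Rick's point that a rootkit is a set of substituted administrative utilities, installed only after root has been obtained by other means, implies the defender's check: compare the installed utilities against a trusted baseline. The Python below is an added example, not part of this thread or of any tool mentioned in it; the utility names and the files it hashes are constructed, and it assumes the baseline is stored and the check is run from somewhere the intruder cannot alter.

```python
import hashlib
import os
import tempfile

# Assumed names of utilities a classic rootkit substitutes (constructed list).
WATCHED = ["ps", "ls", "netstat", "login"]


def sha256_of(path):
    """Hash a file in chunks so large binaries are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(bindir, names=WATCHED):
    """Record hashes of the trusted utilities. Keep the result off-host:
    an intruder who already has root can rewrite a baseline on the same disk."""
    return {n: sha256_of(os.path.join(bindir, n)) for n in names}


def check_baseline(bindir, baseline):
    """Return names whose on-disk content no longer matches the baseline.
    Run this from rescue media or an unaffected host: a rootkit's substituted
    tools can lie to a check performed on the live, compromised system."""
    changed = []
    for name, expected in baseline.items():
        path = os.path.join(bindir, name)
        if not os.path.exists(path) or sha256_of(path) != expected:
            changed.append(name)
    return changed


def demo():
    """Constructed scenario: a fake bin directory, then one utility replaced."""
    with tempfile.TemporaryDirectory() as bindir:
        for n in WATCHED:
            with open(os.path.join(bindir, n), "wb") as f:
                f.write(b"#!/bin/sh\necho genuine " + n.encode() + b"\n")
        baseline = build_baseline(bindir)
        # The after-effect Rick describes: root was obtained by other means,
        # and 'ps' is swapped for a version that hides the intruder's processes.
        with open(os.path.join(bindir, "ps"), "wb") as f:
            f.write(b"#!/bin/sh\necho trojaned ps\n")
        return check_baseline(bindir, baseline)


if __name__ == "__main__":
    print(demo())  # ['ps']
```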