[sf-lug] Linux malware bushwah from ARRL

Rick Moen rick at linuxmafia.com
Sat Sep 14 14:25:40 PDT 2019


I made a couple of points about prevalent malware bushwah.  

1.  It's pretty much always copied/pasted from an antivirus/security
firm's press release / white paper.  Those firms' entire business 
model relied on training people to -not- think clearly about security, 
and instead be easily spooked and pay money to outsource to them.

2.  The only truly interesting questions about malware are 'How does it
get run?' and (if applicable) 'How does it escalate authority to take
over systems?'


Bruce Perens on his blog
(https://www.bbc.com/news/uk-england-oxfordshire-49700620) called
attention to the American Radio Relay League (ARRL) the American ham
radio league, putting their foot in it, which they do here:
http://www.arrl.org/news/new-campaign-exploiting-linux-servers-to-insert-backdoor-speakup-trojan

  New Campaign Exploiting Linux Servers to Insert Backdoor “SpeakUp” Trojan

  A new backdoor Linux-based operating system trojan dubbed “SpeakUp”
  is on the loose, although so far it does not appear to have propagated
  to North America or Europe.  Research team Check Point Research recently
  reported the discovery and said SpeakUp exploits known vulnerabilities
  in six separate Linux distributions and is able to evade all security
  vendors. [...]

Perens makes one obvious point:

  ARRL should not be publishing this sort of notice,  because ARRL does
  not have the expertise to determine its legitimacy or correctness. 

And _boy_ do they not.

  [...] The company that published the virus warning has a commercial
  interest, in that it produces commercial virus and security programs
  and services, and these notices have the purpose of promoting their
  expertise (if they are right) and thus selling their products and
  services.  The Open Source developer community provides these products
  and services at no cost, and the providers of your Linux distribution
  generally use the Open Source ones.  They will update their systems as
  necessary to remove the threat, and will publish their own warnings as
  appropriate.

Exactly.  Companies like Check Point Research are lastingly annoyed at
entire software communities (e.g., the Linux and *BSD) world deciding
'Hey, we don't have any use for you.'


But on the theme of 'ARRL does not have the expertise', ask yourself: 
_What is a trojan_?

A trojan is any kind of software routine whose thrust is to trick users
about its intent, and con them into running it against their interests.
A classic example would be an attachment to an e-mail trying to pretend
to be something harmless and hoping the (almost invariably MS-Windows)
user will double-click it and run a deeply ill-advised program whereby
the user does himself/herself harm -- or a bit of Javascript the user is
conned into running on a Web site that then queries the user's computer
using the user's own credentials to abuse Javascript's infamously
excessive capabilities and do mischief or, e.g., continually pop up more
and more windows with sirens running in background saying 'Your system
is infected!' and conning the user into buying someiuseless or actively
harmful 'antivirus software'.  We've all seen this.

The main point to note, in the above, is that a trojan does not (by
itself) 'attack' or 'infect' anything.

A trojan is merely a fast-talking come-on that, if run, attempts to
manipulate the user into doing something dumb and self-destructive.


Looking up the particulars of the SpeakUp trojan reveals that it is not
just a pure trojan, however, but a trojan fastened to a canned
PHP vulnerability exploit that launches a PHP shell on vulnerable
servers and then causes that to run the trojan Perl script.  This
vulnerability:

https://www.cvedetails.com/cve/CVE-2018-20062/

  An issue was discovered in NoneCms V1.3.
  thinkphp/library/think/App.php allows remote attackers to execute
  arbitrary PHP code via crafted use of the filter parameter, as
  demonstrated by the s=index/\think\Request/input&filter=phpinfo&data=1
  query string.    

Right.  So, for this to happen, you must be running publicly exposed PHP 
(which has infamously bad security generally) and be running a very old,
particularly buggy version of an obscure Chinese Content Management
System, NomeCms.

I cannot find even a single distro that packages NomeCms, so an admin
running it would have to be taking the dangerous step of instaling it
locally from a tarball.  (This is danagerous specifically because 
all of the security maintenance is then on you, and you could rather too
easily forget to do it.)

I don't read Mandarin, so I can't tell even whether the NomeCms devs
ever fixed their gaffe or not -- but my best surmise (from the parts
that aren't just in Mandarin)  is that they just created a GitHub 'bug'
issue and haven't yet taken action.


Anyway, in the incredibly far-fetched scenario where you have gone far
out of your way to locally install a dreadful and poorly maintained,
buggy PHP app, and then left it sitting with a known-exploitable remote
vulnerability nine months after the CVE publication date, you could see
someone leverage that vulnerability to upload the SpeakUp Perl trojan
code onto your server and run it.

So, now you have a Perl daemon waking up from time to time on your
server, apparently running with the user authority of your PHP
interpreter (_not_ root authority), and carrying out sundry mischief.

Shock!  Horror!  Perl scripts running amok!  Mass hysteria!

Antivirus/security outfits like Check Point Research (and knuckleheads
like ARRL that quote them) would like us to recoil in fear about how
potentially horrific the aftereffects of letting such things loose on
our servers would be (and buy contracts with them to 'protect' us), and
not stop to think 'Hey, how does this alleged thing work, anyhow?'  If
you do the latter, you realise that SpeakUp is not the problem, but
rather a minor consequence of a _real_ problem, which in its case would
be extremely carelessness with Web apps, i.e., handing the keys to your
house to arsonists and making sure they have an adequate supply of
matches.





More information about the sf-lug mailing list