
Thread: What sort of risks are involved in this linux rootkit attack? How can I protect my opensuse install?

  1. #1

    What sort of risks are involved in this linux rootkit attack? How can I protect my opensuse install?


  2. #2
    Join Date: Mar 2009 | Location: United States | Posts: 612

    Re: What sort of risks are involved in this linux rootkit attack? How can I protect my opensuse inst

    We would need more information before any specific advice could be given. Though this might be a good place to start: openSUSE 12.2: Security Guide

    The best advice I can give is do not run software you do not trust. Also keep an eye on any network facing services. You might be interested in this approach to security, it is what I keep in mind when I am configuring security: https://en.wikipedia.org/wiki/Princi...east_privilege

  3. #3
    Join Date: Jun 2008 | Location: Groningen, Netherlands | Posts: 19,855 | Blog Entries: 14

    Re: What sort of risks are involved in this linux rootkit attack? How can I protect my opensuse inst

    I'm not saying it will never happen, but I'd have rather seen some comments from a linux kernel developer than another somebody from Kaspersky Labs. I still remember their message about a working linux virus: to be downloaded first, to be installed as root, started as root, ineffective at next boot.

    Perfect security doesn't exist. On a linux machine with defaults installed, you're pretty secure.

  4. #4

    Re: What sort of risks are involved in this linux rootkit attack? How can I protect my opensuse install?

    6tr6tr wrote:

    > What sort of risks are involved in this linux rootkit attack? How can
    > I protect my opensuse install?
    >
    > https://threatpost.com/en_us/blogs/n...emerges-112012


    Good to know about this threat. Thanks for posting the link. If you look
    at the links contained within the article, you will find that the threat
    is to a specific version of debian, via a corrupt kernel module.

    So the answer to your question is that you don't need to do anything to
    protect your openSUSE.

    In general though, only download software from sources that you trust!


  5. #5

    Re: What sort of risks are involved in this linux rootkit attack? How can I protect my opensuse insta

    Hmmm. I'd already read the 'Crowd Strike' post, and

    • this looks like an early stage in a rootkit development; if whoever did this didn't just do this for fun, it would be reasonable to expect a more sophisticated version to come out at some time
    • it seems that some of the programming is, at least, clumsy; maybe a later version cleans that up, maybe it doesn't
    • it is significant that this is new and not a variant of some existing rootkit; it probably wouldn't show that evidence of clumsy programming if it were a derivative, but, potentially, it is something completely new to worry about


    djh-novell wrote:
    > 6tr6tr wrote:
    >
    > > What sort of risks are involved in this linux rootkit attack? How can
    > > I protect my opensuse install?
    > >
    > > https://threatpost.com/en_us/blogs/n...emerges-112012
    >
    > Good to know about this threat. Thanks for posting the link. If you look
    > at the links contained within the article, you will find that the threat
    > is to a specific version of debian, via a corrupt kernel module.
    >
    > So the answer to your question is that you don't need to do anything to
    > protect your openSUSE.
    >
    > In general though, only download software from sources that you trust!

    The current version is coded around a specific kernel version; in general, this would be a fairly odd restriction to have in place. It would have to have been coded by someone with very little knowledge indeed if they didn't know that requiring this specific kernel version would severely restrict the threat value of this piece of malware (you'd have to wonder if someone with that little knowledge could achieve this!) or maybe they have a very specific target (just to come up with a random example, they could be at a college where this kernel version is very common in machines that they would like to exploit).

    Possibly they have a plan, possibly it was always intended to be some kind of 'proof of concept' just out of intellectual curiosity. Possibly, it was never really intended that this should escape in this form, but this is a development version that has escaped accidentally.

    Today, it seems as if this thing is little more than a curiosity to most of us, but that isn't to say that it couldn't be developed in to something really worrying. Another reason to follow good security practices!

  6. #6

    Re: What sort of risks are involved in this linux rootkit attack? How can I protect my opensuse install?

    Obscurant wrote:
    > Hmmm. I'd already read the 'Crowd Strike' post, and
    >
    > - this looks like an early stage in a rootkit development; if whoever
    > did this didn't just do this for fun, it would be reasonable to expect
    > a more sophisticated version to come out at some time
    > - it seems that some of the programming is, at least, clumsy; maybe a
    > later version cleans that up, maybe it doesn't
    > - it is significant that this is new and not a variant of some
    > existing rootkit; it probably wouldn't show that evidence of clumsy
    > programming if it were a derivative, but, potentially, it is something
    > completely new to worry about


    I don't see what there is new to worry about.

    If you install somebody's corrupt kernel module on your machine, you are
    owned. The details of what it does once it's been installed are pretty
    much irrelevant. And we haven't been told anything at all about how the
    kernel module was installed, AFAIK. So there's nothing new to worry
    about. If it turns out to have some new means to be installed, then we
    need to worry.

    Sure the rootkit detectors need upgrading to find it (at least one of
    the links said they already had) and sure either the original author or
    somebody else could improve its details, but the point is that what
    matters about an exploit is how it is installed, not what it does.
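Posts #2 and #6 above come down to the same defensive point: what matters is whether an untrusted module gets installed, so keep an eye on what is actually loaded. The POSIX shell script below is an added example, not code from this thread, from openSUSE or from the analysed rootkit. It records a baseline of loaded kernel modules while the machine is known-good, reports any module that later appears, and decodes the kernel taint bits that an out-of-tree or forced module load leaves behind. It assumes the six-column format of /proc/modules and the taint bit positions proprietary=0, forced=1, out-of-tree=12, unsigned=13 (the last only on newer kernels); the file names and the sample module listings are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread or from openSUSE): baseline check for
# loaded kernel modules plus a taint-flag decoder. Input files use the
# /proc/modules format: "name size refcount deps state address".

# Module names from a /proc/modules-style listing, sorted and deduplicated.
module_names() {
    awk '{ print $1 }' "$1" | sort -u
}

# Names present in CURRENT but absent from BASELINE, one per line.
# Usage: unexpected_modules BASELINE CURRENT
unexpected_modules() {
    base="${TMPDIR:-/tmp}/modbase.$$"
    module_names "$1" > "$base"
    module_names "$2" | comm -13 "$base" -
    rm -f "$base"
}

# Decode the module-related taint bits of the integer found in
# /proc/sys/kernel/tainted. Prints the matching flag names, space separated.
# Usage: taint_flags NUMBER
taint_flags() {
    n="$1"; out=""
    [ $(( (n >> 0) & 1 )) -eq 1 ]  && out="$out proprietary_module"
    [ $(( (n >> 1) & 1 )) -eq 1 ]  && out="$out forced_module"
    [ $(( (n >> 12) & 1 )) -eq 1 ] && out="$out out_of_tree_module"
    [ $(( (n >> 13) & 1 )) -eq 1 ] && out="$out unsigned_module"   # newer kernels only
    printf '%s\n' "${out# }"
}

# Demo on constructed data: a known-good baseline and a later snapshot in
# which one module (placeholder name "unknown_mod") has appeared. Prints the
# names that were not in the baseline.
demo() {
    dir="${TMPDIR:-/tmp}/moddemo.$$"
    mkdir -p "$dir"
cat > "$dir/baseline" <<'EOF'
ext4 512000 1 - Live 0xffffffffa0000000
xfs 820000 0 - Live 0xffffffffa0100000
e1000e 210000 0 - Live 0xffffffffa0200000
EOF
cat > "$dir/current" <<'EOF'
ext4 512000 1 - Live 0xffffffffa0000000
e1000e 210000 0 - Live 0xffffffffa0200000
unknown_mod 12288 0 - Live 0xffffffffa0300000
EOF
    unexpected_modules "$dir/baseline" "$dir/current"
    rm -rf "$dir"
}

# On a real Linux host the same functions are used like this (paths assumed):
#   module_names /proc/modules > /var/lib/modbase.txt        # once, when known-good
#   unexpected_modules /var/lib/modbase.txt /proc/modules    # later, from cron or by hand
#   taint_flags "$(cat /proc/sys/kernel/tainted)"
```

A module that shows up in the report is not automatically malicious (a newly plugged-in device loads its driver too), but it is exactly the event post #6 says you should care about: something got installed. Keep the baseline file somewhere the machine's root account cannot quietly rewrite, such as a read-only mount or a separate host, or a rootkit that already has root will simply update it.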
