
It's Time to begin taking Security seriously, even Linux users!


24 replies to this topic

#1 cat1092


Posted 13 January 2016 - 03:33 AM

As an Emsisoft Blog subscriber & user of the software on my Windows systems, which are about half of that of a year ago, today I ran across an article that raised my eyebrows & should do the same for all computer owners, regardless of the OS run. Including Linux users.

 

The threat at large here uses Javascript, which we all use & is named 'Ransom32', using NW.js, a framework to create software & desktop applications for Windows, Mac & Linux systems. It's based on the very popular Node.js & Chromium projects, which include the very popular alternative Google Chrome browser, among others. The thing of it is, it only needs to be activated one time on the system; should it slip by any protection on the system, it's on. All of one's documents, downloads, videos, whatever is on the drive can (& eventually will) be encrypted.

 

More about this seriously emerging threat here:

 

http://blog.emsisoft.com/2016/01/11/ransomware-for-hire-3-steps-to-keeping-your-data-safe/?ref=newsbox_ticker160111&utm_source=software&utm_medium=newsbox&utm_content=ticker160111&utm_campaign=newsbox_ticker160111

 

And more, the First Javascript Ransomware:

 

http://blog.emsisoft.com/2016/01/01/meet-ransom32-the-first-javascript-ransomware/?ref=ticker160111&utm_source=newsletter&utm_medium=newsletter&utm_content=blog&utm_campaign=ticker160111

 

This is a serious threat to all computer users. The days of opening 'untrusted' emails on Linux & feeling safe are gone, unless booting from Live finalized media (a CD or DVD). Not CD/DVD RW media, as this type of media can still be written to, even after the ISO is burned. This means that booting from a USB stick may infect it & it will need to be securely erased with a partition tool before inserting it in another computer, followed by a reset of the MBR to clear the hidden boot code that even DBAN misses on HDDs, even if 'autonuke' is run twice. Don't believe that? Try it on an old, spare drive that had a Linux install, insert it in a PC & boot, and a 'grub rescue' error may be displayed. This means that the MBR wasn't erased or reset, a commonly found option on a Windows partition tool or bootable CD. Or maybe GParted has the same capability, I'm not sure.

 

Regardless, we have a threat on our hands to contend with & need to create a plan of action. 

 

It's my hope that as Linux users, we can discuss security plans that may divert these attacks; obviously the first may be doing away with not only Google Chrome, yet all browsers that are Chromium based, especially the betas like Vivaldi, and any older Opera browsers no longer supported which use Chromium as a base, much like Linux Mint & many other distros use Ubuntu to build their OS's on. It appears that in the long haul, Google Chrome may need to revert to another source other than Chromium to build their browser on; after all, it's just a skin with their customizations, which can be transferred to another base, or modified to fit another.

 

I'm asking members to be constructive here, and read the above articles closely to understand the nature of the attack. Without Javascript, which is totally different from any installed Java software for certain software, we'd have no modern browsers as we do today, and would still be in the dark ages of doing everything by Terminal (cmd for Windows users).

 

Chances are, someone has already posted this in the Windows sections of the forum, as Emsisoft offers no security for Linux, yet if there's demand, may in the future. 

 

Good Luck & Stay Safe! :)

 

Cat

 

 


Performing full disc images weekly and keeping important data off of the 'C' drive as generated can be the best defence against Malware/Ransomware attacks, as well as a wide range of other issues. 



 


#2 mremski


Posted 13 January 2016 - 04:56 AM

"Start"?  I beg to differ. If you haven't been taking security seriously for at least the past 15 years, regardless of platform, you haven't been paying attention.   :)

 

They've had something up on the front page for a little while about that now, haven't they?  Odd how the first thing people are told to do is disable Java/Javascript, but then trying to do anything with it disabled you run into:  Please enable it for this page messages on almost everything you visit.  Turn off JS and then go visit your bank :) and see how well things work.

 

Untrusted emails:  phishing.  User training.  Don't know this person?  Don't click.  Don't let attachments auto-open, don't blindly click on embedded links.  Heck, I was able to get my wife to understand this.

My theory on why this works is Windows.  Windows has done Pavlov training on users to blindly click OK on any dialog box that shows up, because it displays way too many.  I'm waiting for the "Windows has detected you moved your mouse, click ok to continue" dialog.

 

Let me jump up on my "old dog curmudgeon" soap box for a moment or two:

Email is text, not HTML.  Set your mail reader up to display things that way.  Ignore all the embedded html links, don't load images from 3rd party sites.

 

If more folks remembered the days of fast internet access being a 57Kbps dialup modem, they'd do this naturally.

 

Ok, I'm getting off the box now.


Edited by mremski, 13 January 2016 - 04:56 AM.

FreeBSD since 3.3, only time I touch Windows is to fix my wife's computer


#3 NickAu


Posted 13 January 2016 - 05:49 AM

But But I wanna see the photo of my house in Nigeria, A Nigerian princess sent it to me so it must be safe because the minister of finance said she was nice, Please let me download that attachment, Oh go on say yes.



#4 cat1092


Posted 13 January 2016 - 05:52 AM

 

 

Untrusted emails:  phishing.  User training.  Don't know this person?  Don't click.  Don't let attachments autoopen, don't blindly click on embedded links.  Heck I was able to get my wife to understand this.

 

mremski, you're one of the few who follows these rules & am glad that you got your wife to understand way. :)

 

The problem for many Linux users is that way too many think that just because they're running those OS's, they're safe from anything, based on the myth that all emails have only embedded .exe Malware files. I've seen this personally, and installed Linux Mint on 30+ systems for others whose Windows OS's were constantly getting infected, despite having quality security backed by either the Pro version of Malwarebytes, or the 14 day Trial with the features. Most all ran P2P software (uTorrent or other such client), and these same users started where they left off with the Transmission app that's included with Linux Mint & many other Ubuntu based OS's. The infections stopped in their tracks, and that ended most all of the calls to me in this regard; the OS would be steadily seeding or leeching 24/7 (usually on another's network).

 

One can still use a bootable Linux DVD & do the same; not even the Javascript would infect the computer, because by default there's no access to other drives on the system, the session is running in RAM only, and a reboot flushes everything away. This is the most secure way to run a Linux OS, from the install media, and no, a USB stick doesn't cut it, as the system booted from that stick leaves it open for Malware to sneak through. How effective it may be depends on what was transferred to the bootable USB stick.

 

Fortunately, there are several no-cost options for securing one's Linux

 

Cat




#5 cat1092


Posted 13 January 2016 - 05:57 AM

But But I wanna see the photo of my house in Nigeria, A Nigerian princess sent it to me so it must be safe because the minister of finance said she was nice, Please let me download that attachment, Oh go on say yes.

 

I've seen that junk years ago, while running XP secured by Avast Free back when it had the auto CD player interface & had a Yahoo email account, is this the type of stuff this author is speaking of, scams that are 10 years old? And didn't include a real threat of any type?

 

From what I've seen, there was no mention of these in the articles.

 

Cat




#6 myrti


Posted 13 January 2016 - 06:33 AM

The ransomware uses javascript which is platform independent, but it is a self-extracting archive that is unpacked into %appdata% and uses javascript to add its encryption routine (chrome.exe) as a startup entry in the run-key in the registry. This malware is exclusively Windows for now.

regards
myrti

is that a bird?  a plane? nooo it's the flying blueberry!


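A defender-side check for the persistence mechanism myrti describes (an NW.js runtime named chrome.exe dropped into %appdata% and registered under the registry Run key). This is an added example, not code from the thread or from Emsisoft; the environment variables, Run-key entries and verdict labels are constructed samples and assumptions of my own, so on a real host you would feed it the actual Run-key values and os.environ.

```python
"""Flag Run-key autostart entries whose executable lives inside the user profile.

Added example (not from the forum thread). Ransom32 unpacks into %APPDATA% and
registers its NW.js runtime, named chrome.exe, under the Run key; the legitimate
Chrome lives under Program Files. An autostart whose target resolves inside
%APPDATA% or %LOCALAPPDATA% is therefore worth a closer look.
"""
import ntpath
import re
from typing import Dict, List, Tuple

# Constructed environment for offline use; on a real host read os.environ.
SAMPLE_ENV = {
    "APPDATA": r"C:\Users\alice\AppData\Roaming",
    "LOCALAPPDATA": r"C:\Users\alice\AppData\Local",
    "ProgramFiles": r"C:\Program Files",
}

# Constructed Run-key values: (value name, command line). Not real registry data.
SAMPLE_RUN_ENTRIES = [
    ("GoogleChromeAutoLaunch", r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --no-startup-window'),
    ("ChromeService", r'"%APPDATA%\Chrome Browser\chrome.exe" --type=renderer'),
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("Updater", r"C:\Users\alice\AppData\Roaming\svc\update.bat"),
]


def expand_env(cmd: str, env: Dict[str, str]) -> str:
    """Expand %VAR% references using the supplied environment (case-insensitive)."""
    lower = {k.lower(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%", lambda m: lower.get(m.group(1).lower(), m.group(0)), cmd)


def executable_path(cmd: str) -> str:
    """Return the program path from a Run-key command line (quoted path or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def is_under(path: str, root: str) -> bool:
    """True if path lies inside root (Windows paths, case-insensitive)."""
    p = ntpath.normpath(path).lower()
    r = ntpath.normpath(root).lower()
    return p == r or p.startswith(r + "\\")


def classify_entry(name: str, cmd: str, env: Dict[str, str]) -> Tuple[str, str]:
    """Return (verdict, reason) for one Run-key entry; verdict labels are my own."""
    exe = executable_path(expand_env(cmd, env))
    base = ntpath.basename(exe).lower()
    for var in ("APPDATA", "LOCALAPPDATA"):
        if var in env and is_under(exe, env[var]):
            if base == "chrome.exe":
                return ("suspicious", f"chrome.exe launched from %{var}%: matches the Ransom32 pattern")
            if base.endswith((".bat", ".cmd", ".js", ".vbs")):
                return ("suspicious", f"script autostart from %{var}%")
            return ("review", f"autostart from %{var}%")  # legitimate apps do this too
    return ("ok", "outside the user profile")


def scan_run_entries(entries: List[Tuple[str, str]], env: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Classify every entry and return (name, verdict, reason) for each non-ok one."""
    findings = []
    for name, cmd in entries:
        verdict, reason = classify_entry(name, cmd, env)
        if verdict != "ok":
            findings.append((name, verdict, reason))
    return findings


if __name__ == "__main__":
    for name, verdict, reason in scan_run_entries(SAMPLE_RUN_ENTRIES, SAMPLE_ENV):
        print(f"{verdict:10} {name}: {reason}")
```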

#7 Guest_GNULINUX_*


Posted 13 January 2016 - 06:42 AM

Related thread:wink:
 
ATM Windows only!
If I look at it, a simple repack will not do the trick on Linux...
 
- the browser sandbox is different on Linux
- extracting without user input on Linux is difficult
- executable bit has to be set
- no two Linux distros and installs are the same
 
That being said, nothing is impossible... theoretically!
 
BTW: I saw some updates on Linux about removing the "executable bit", so the devs are already on it before it is even happening! As always, open source has many advantages!  :thumbup2:
 
Greets!



#8 mremski


Posted 13 January 2016 - 07:29 AM


My wife thought it was a bit overkill until she started seeing stuff on the news about it.  Then I got the wide eyed "I guess you were right".  At that point I just said "Yes dear, I'm sorry for being right" and had a beer.  Another of my "wins" was going out to eat.  I always use cash, because I don't like my CC going out of sight and too many stories about double swiping, etc.  She thought I was crazy, until again, news had a story about a local restaurant that had a server doing just what I said could happen.

 

I agree that the primary issue is "user training".  Very hard to write billions of lines of code (think os and applications) correctly (know how easy it is to find string overflows that lead to stack corruption in just about any code?) so the end user must always think.  Open Source has the advantage here because anyone can look at the source (if they want).  Heck OpenBSD makes it a point to go through periodic scrubs of the base and important apps to try and make sure no new holes opened up (that's why they are very picky about accepting patches, don't submit anything using strlen).

Standard Unix permissions and the fact that most Linux logins are not root or wheel go a long way towards limiting damage.

 

Nick is referring to the old Nigerian 419 scams.  To the best of my knowledge they did not include malicious stuff in any attachments, they were primarily concerned with getting you to send them money.  Doesn't mean that it never happened, just that I don't recall it happening.

 

@myrti/@GNULinux:  good points, both.  At the moment it may be targeted at Windows, but the folks writing this stuff don't often stay still, so it could be retargeted.  Good practices with file permissions and ACLs (SELinux) could likely mitigate a large portion of the potential damage.

 

Computers and the Internet have made it easy for the old time con-men to find a victim.  They used to have to work at it, now they almost sit back and let the victims come to them.

 

Topics like this are good to bring up and discuss.  If it saves "even one person" from losing data (even if it is pictures of Grandma, the Nigerian Princess) we've done a good thing.




#9 JohnC_21


Posted 13 January 2016 - 03:30 PM

I have not installed this yet but Bitdefender offers an on-demand only AV for linux. You can request a free license for non-commercial use.

 

http://www.bitdefender.com/business/antivirus-for-unices.html



#10 cat1092


Posted 14 January 2016 - 01:17 AM

I have not installed this yet but Bitdefender offers an on-demand only AV for linux. You can request a free license for non-commercial use.

 

http://www.bitdefender.com/business/antivirus-for-unices.html

 

This one I've tried 3-4 times with no success, maybe it's best suited for 32 bit versions, as I didn't try the Linux version of Bitdefender on my last one of these. Though it would seem that since Bitdefender is still issuing the keys to the software, it should run on some type of Linux OS. 

 

Just not Linux Mint 17 MATE x64. :)

 

Cat




#11 cat1092


Posted 14 January 2016 - 02:25 AM

The ransomware uses javascript which is platform independent, but it is a self-extracting archive that is unpacked into %appdata% and uses javascript to add its encryption routine (chrome.exe) as a startup entry in the run-key in the registry. This malware is exclusively Windows for now.

regards
myrti

 

myrti, Thanks for reassuring us that for now, this Malware is confined to Windows. :)

 

Had I not read the article, of which I take the source (the Emsisoft team) seriously, I would never have brought this up. Yet I felt that I had to, since Mac & Linux users were included in the list of systems that could be targeted for infection, plus it's still a good thing to backup one's data at a minimum. Or transfer data to an external drive, USB stick, optical media, whatever's available as generated. It's best practice to keep important data off of the OS drive anyway, or at least anything that cannot be replaced.

 

The cool thing with Linux is that with install media, one can be up & running, having a fully configured system within 2-3 hours, even if we were to get such an infection. Though the drive should be sanitized with a bootable utility such as Darik's Boot and Nuke, often called DBAN (be sure to also reset the MBR of the HDD with GParted or other bootable partition tool afterwards, making sure to click 'Apply'), or if SSD, use a secure erase tool, such as Parted Magic. Though this is now a paid for offering, there's an older version that's as effective on the Major Geeks website that I've had since new & still use to this day. It's also a bootable Linux OS, though by now, the browser is quite old & I suspect that most who uses the tool doesn't care to browse. 

 

http://www.majorgeeks.com/files/details/parted_magic.html

 

Some SSD OEMs also have their own secure erase utility, which may require creating a bootable CD. It's also best to retrieve & save the ISO when possible, though on a Linux OS, I'm not sure where this file would be located. And at any rate, most of this software won't install on a Linux OS, making Parted Magic perhaps the best option. One will often be given the option of an 'enhanced secure erase', which zips the files to a place on the drive; it's best to skip this & perform the Full secure erase, which takes less than a minute normally. In fact, it refreshes the Flash cells, many times restoring lost performance, though it shouldn't be overused. I normally create a drive image & perform this action once per year, not to overwrite data (unless infected), rather to restore any loss of performance.

 

We've also discussed backup of Linux OS's elsewhere on the forum, and for those who keep only their root partition on the SSD, there's Timeshift, which produces a restorable & bootable clone of the partition. This doesn't backup the /home partition; while some Linux experts say having a separate partition for this is unneeded, that depends on the situation, there's no 'one size fits all' here. Neither does it image the Swap partition.

 

While none of this may be a valid threat to Linux/Mac users for now, always keep in mind that criminals are forward minded; professional ones refuse to give up. This is why we should still remain on our toes & stay alert; even if the threat doesn't apply today, there's no guarantee this will always be the case. This is precisely why the corporations that defend against Malware are 24/7 operations, they have to be, just as the criminals are. Otherwise the 'Am I Infected' line would be a much larger one. What may not be a threat as of this minute may become one 5 minutes from now & security providers have to keep up.

 

Thanks to everyone for your interest in reading this Topic. :)

 

Cat




#12 Gary R


Posted 14 January 2016 - 06:11 PM

To minimise potential javascript attacks.

 

If you're using Firefox for your Linux browser, then install NoScript ... https://addons.mozilla.org/en-US/firefox/addon/noscript/ ... which will allow you to set scripting permissions on a site by site basis.

 

If you're using Thunderbird as your Linux e-mail client, then set the following ... View > Message body as > Simple HTML

 

 

Simple HTML

If you choose View – Message Body As – Simple HTML, then you see HTML messages in a simplified form. Thunderbird does not run JavaScript code, and does not download remote images. Simple HTML preserves basic HTML formatting.

 

It's a reasonable compromise between HTML and its consequent risks, and plain text only, which means you lose all formatting.


Edited by Gary R, 14 January 2016 - 06:13 PM.


#13 Al1000


Posted 14 January 2016 - 07:26 PM

Thanks for the advice Gary. I've been using NoScript for some time now, but never heard of this:

If you're using Thunderbird as your Linux e-mail client, then set the following ... View > Message body as > Simple HTML


Now done. :)

#14 Gary R


Posted 15 January 2016 - 01:26 AM

You're welcome. :)

 

Of course the number of infections that a Linux user is likely to contract is pretty insignificant, especially when compared to the range of things that are lining up to cause havoc on a computer running Windows, but that doesn't mean that you shouldn't follow good safe browsing habits.

 

As a helper in the Malware sections of various forums for the last 10 years or so, I've been asked many times what Anti-Virus and/or Anti-Malware products I recommend, and my answer is always the same .....

 

It's not the products you install that will keep you safe from infection, it's your browsing habits. You can install all the products you want (or use the safest OS you know) but if you don't pay attention to what you click on, if you carelessly open e-mail attachments from people you don't know, and/or install software from uncertain sources, then somewhere along the way, you're going to run into trouble. Good browsing habits will protect you much more than anything else will.



#15 cat1092


Posted 15 January 2016 - 01:40 AM

Gary, great advice about NoScript, for the first year that I ran Firefox as my only browser, the only two add-ons I had were NoScript & AdBlock Plus. :)

 

Then I added Down Them All when as a TechNet member it became necessary; the Microsoft download manager couldn't keep a steady download going for a minute. DTA runs wide open unless configured not to (best when others use the network). Being that I'm usually the only one on the network, I leave it at the 100% default, and the speed surpasses the ISP plan that I pay for by 20-25%, milking every drop of possible speed during the entire download, plus it has a built in hash checker to ensure the download matches the MD5, SHA1, SHA256, whatever. Better than the Trial versions of other D/L Managers I've tried out, and I make a donation once per year.

 

Used Firefox solo for almost 4 years, then after a couple of buggy releases, which included several sub-releases, made the switch to Google Chrome for the sheer browsing speed, and kept Firefox as my workhorse downloading browser. Now am having second thoughts & am considering going back to Firefox for the NoScript feature alone. Plus the bugs that caused me to leave are gone, if only Mozilla hadn't taken a year to fix minor issues, I'd likely never had left. Today, a year is just too long to deal with a buggy browser, and the lack of the latest Flash Player is a non-issue today (known trick since mid-2014). 

 

It's simply adding a PPA, which will be kept updated, as long as that maintainer is up & running. If not, one will get an error during updating (this also happened when the Medibuntu PPA went down). 

 

http://www.makeuseof.com/tag/how-to-get-chromes-latest-flash-player-to-work-in-firefox-on-linux/

 

My Flash Player install for Firefox on Linux Mint 17. 

 


 

Cat






