Linux Backdoor Called Fysbis Used by Russian Hackers


33 replies to this topic

#1 NickAu

Posted 14 February 2016 - 04:09 PM

 

> The Sofacy group, also known as APT28 and Sednit, is a fairly well known cyber espionage group believed to have ties to Russia. Their targets have spanned all across the world, with a focus on government, defense organizations and various Eastern European governments. There have been numerous reports on their activities, to the extent that a Wikipedia entry has even been created for them.
>
> From these reports, we know that the group uses an abundance of tools and tactics, ranging across zero-day exploits targeting common applications such as Java or Microsoft Office, heavy use of spear-phishing attacks, compromising legitimate websites to stage watering-hole attacks, and targeting over a variety of operating systems – Windows, OSX, Linux, even mobile iOS.
>
> The Linux malware Fysbis is a preferred tool of Sofacy, and though it is not particularly sophisticated, Linux security in general is still a maturing area, especially in regards to malware. In short, it is entirely plausible that this tool has contributed to the success of associated attacks by this group. This blog post focuses specifically on this Linux tool preferred by Sofacy and describes considerations and implications when it comes to Linux malware.

Palo Alto Networks


Arch Linux .
 




#2 Naught McNoone


Posted 14 February 2016 - 04:27 PM

All the more reason to stop being complacent about Linux malware and viruses. As Linux gains in popularity, so will its risk.

 

As of now, Windows is the prime target of viruses, trojans, malware, ransomware, &c. But that will change, as more people start to use Linux, thinking that it is virus free. Remember when everyone thought that the Mac could never be infected?

 

I run ClamAV and ClamAV-Daemon as a matter of course. Not because I worry about picking up an infection, but because I never know what my children and grandchildren have left on my file server!

 

Tuppence,

 

Naught



#3 Ravenbar


Posted 14 February 2016 - 05:09 PM

This reminded me to install ClamAV on my new system.


Desktops: "John2" Custom, Gigabyte F2A88Xm-D3H, AMD 6A-5400K Trinity 3.6Ghz Dual-Core APU, 16Gb DDR3 HyperX Fury 1866Mhz RAM, 120Gb Crucial Force LS SSD (OS) Linux Mint 17.3, 320Gb Raid1 array consisting of (1) Seagate ST320LT020-9YG14 & (1) Fujitsu MZH2320B

Francisco: HP pavilion p7-1080t upgraded with 16Gb ram. Windows 7. Used only for Gaming

Server.GaltsGulch: HP Elite 8300 Small Form Factor, i7-3770, 16Gb ram, Kingston SSDNow 120Gb SSD, 3Tb storage HDD, Fedora Linux/Avahi, Headless

 


#4 SuperSapien64


Posted 14 February 2016 - 05:42 PM

> All the more reason to stop being complacent about Linux malware and viruses. As Linux gains in popularity, so will its risk.
>
> As of now, Windows is the prime target of viruses, trojans, malware, ransomware, &c. But that will change, as more people start to use Linux, thinking that it is virus free. Remember when everyone thought that the Mac could never be infected?
>
> I run ClamAV and ClamAV-Daemon as a matter of course. Not because I worry about picking up an infection, but because I never know what my children and grandchildren have left on my file server!
>
> Tuppence,
>
> Naught

I wonder how effective a sandbox like Firejail would be against Fysbis?

 

AVs are only about 20% effective, Ravenbar.


Edited by SuperSapien64, 14 February 2016 - 05:53 PM.


#5 Ravenbar


Posted 14 February 2016 - 06:19 PM

 

>> All the more reason to stop being complacent about Linux malware and viruses. As Linux gains in popularity, so will its risk.
>>
>> As of now, Windows is the prime target of viruses, trojans, malware, ransomware, &c. But that will change, as more people start to use Linux, thinking that it is virus free. Remember when everyone thought that the Mac could never be infected?
>>
>> I run ClamAV and ClamAV-Daemon as a matter of course. Not because I worry about picking up an infection, but because I never know what my children and grandchildren have left on my file server!
>>
>> Tuppence,
>>
>> Naught
>
> I wonder how effective a sandbox like Firejail would be against Fysbis?
>
> AVs are only about 20% effective, Ravenbar.

 

Yeah, but they're 20% more effective than nothing.



 


#6 Chris Cosgrove


Posted 14 February 2016 - 06:33 PM

'Backdoors' are not a major concern for most private users. The purpose of a backdoor is to gain information or control of a computer or network and few private users are of sufficient interest or value to make this sort of individual attack profitable.

 

That is not to say that security is neither needed nor useful. As Ravenbar said, 20% is better than nothing. The most important aspect is to practice 'safe surfing'. All the usuals - don't click links in e-mails willy-nilly, don't download from potentially dodgy sites, etcetera, etcetera . . .

 

This can be summed up - 'Engage brain before clicking mouse!'

 

Chris Cosgrove



#7 MadmanRB


Posted 14 February 2016 - 09:20 PM

What baffles me is that some have insisted on installing ClamAV, which will do nothing against this sort of thing. ClamAV is targeted at Windows viruses and does nothing to cover Linux vulnerabilities.

It's those bad Windows user habits of "I must install an antivirus to be secure!"

While it's nice to have an AV client (I run Avast personally right now), it's only for me to prevent sending bad files to others more than anything else.

The best security is the person in front of the computer in the end.

No OS is bulletproof, but at the same time resist those old traps if you run an alternate OS like Linux.

Vulnerabilities will be patched ASAP depending on your distro.


Edited by MadmanRB, 14 February 2016 - 09:21 PM.

You know you want me baby!

Proud Linux user and dual booter.

Proud Vivaldi user.

 



#8 Ravenbar


Posted 14 February 2016 - 09:28 PM

> What baffles me is that some have insisted on installing ClamAV, which will do nothing against this sort of thing. ClamAV is targeted at Windows viruses and does nothing to cover Linux vulnerabilities.
>
> It's those bad Windows user habits of "I must install an antivirus to be secure!"
>
> While it's nice to have an AV client (I run Avast personally right now), it's only for me to prevent sending bad files to others more than anything else.
>
> The best security is the person in front of the computer in the end.
>
> No OS is bulletproof, but at the same time resist those old traps if you run an alternate OS like Linux.
>
> Vulnerabilities will be patched ASAP depending on your distro.

A lot of people are running dual boot systems, which means if a file gets infected while they're in Linux, it can infect their Windows install. I've never gotten a virus in my decades of using a computer; however, a little added protection, even if it's only .0001% more, could be what saves a system from being infected.



 


#9 MadmanRB


Posted 14 February 2016 - 09:34 PM

Even on a dual boot setup it's still rather silly. After all, Windows can't read Linux file systems on its own. Now yes, you can transfer Linux files over to Windows, but it's far more effective scanning for viruses in Windows.




#10 NickAu


Posted 14 February 2016 - 09:39 PM

 

> A lot of people are running dual boot systems, which means if a file gets infected while they're in Linux, it can infect their Windows install

 

It's possible, although highly unlikely.


Edited by NickAu, 14 February 2016 - 09:44 PM.



#11 TsVk!


Posted 14 February 2016 - 10:15 PM

 

> The Sofacy group, also known as APT28 and Sednit, is a fairly well known cyber espionage group believed to have ties to Russia. Their targets have spanned all across the world, with a focus on government, defense organizations and various Eastern European governments. There have been numerous reports on their activities, to the extent that a Wikipedia entry has even been created for them.

I don't think I have to worry too much about them pwning my music collection and forum passwords tbh. 

 

Linux is still not yet a worthwhile target for profit driven cyber-crims.



#12 TsVk!


Posted 14 February 2016 - 11:03 PM

> AVs are only about 20% effective.

20% effective at letting you know you are infected, maybe. I'd say much less than that at actually preventing infection.

 

The only effective protection I've found against infection (besides common sense) is policy objects that prevent running of code in unauthorised locations... Even then there's Poweliks and the like, which there is currently no protection against.

 

 

>> A lot of people are running dual boot systems, which means if a file gets infected while they're in Linux, it can infect their Windows install
>
> It's possible, although highly unlikely.

High in the sky, like being hit by lightning, highly unlikely... Anything's possible though, who knows? APT28 and Sednit might decide they do actually want your Steam password and personal photos.

 

Unless of course you download your favourite malware with Linux and then when you next run your Windows install go and find the file and open it.



#13 NickAu


Posted 14 February 2016 - 11:42 PM

 

> Unless of course you download your favourite malware with Linux and then when you next run your Windows install go and find the file and open it.

You would have to download and save it to the Windows partition and run the exe in Windows? No good saving it to home/downloads and trying to find it while in Windows, unless Windows can now read ext partitions without 3rd party software.

 

 

> who knows? APT28 and Sednit might decide they do actually want your personal photos.

All they got to do is ask, I don't mind sharing photos of me at the beach in budgie smugglers.




#14 SuperSapien64


Posted 15 February 2016 - 12:47 AM

 

 

>> The Sofacy group, also known as APT28 and Sednit, is a fairly well known cyber espionage group believed to have ties to Russia. Their targets have spanned all across the world, with a focus on government, defense organizations and various Eastern European governments. There have been numerous reports on their activities, to the extent that a Wikipedia entry has even been created for them.
>
> I don't think I have to worry too much about them pwning my music collection and forum passwords tbh.
>
> Linux is still not yet a worthwhile target for profit driven cyber-crims.

 

Yeah Linux is still pretty niche. :thumbup2:

 

 

>> AVs are only about 20% effective.
>
> 20% effective at letting you know you are infected, maybe. I'd say much less than that at actually preventing infection.
>
> The only effective protection I've found against infection (besides common sense) is policy objects that prevent running of code in unauthorised locations... Even then there's Poweliks and the like, which there is currently no protection against.

 

You mean like Application White Listing?

 

>>> A lot of people are running dual boot systems, which means if a file gets infected while they're in Linux, it can infect their Windows install
>>
>> It's possible, although highly unlikely.
>
> High in the sky, like being hit by lightning, highly unlikely... Anything's possible though, who knows? APT28 and Sednit might decide they do actually want your Steam password and personal photos.

Or your home banking password. :wink:

 

Eventually, once Linux becomes more popular (technically it already is, with Android) thanks to Steam OS and Windows 10, such threats will become more prevalent, like they are on Android OS. But because Android is open source, most threats are patched fairly quickly, and compared to Windows, Android is by far more secure and harder to infect, and the same would be true of desktop Linux OS.

 

BTW, speaking of safe web surfing habits, there's a great Firefox extension called Fox Web Security that can block bad domains and adult sites from four DNS servers. It's very effective and supports password protection to keep children from bypassing it. I use it to help protect me from bad domains.



#15 TsVk!


Posted 15 February 2016 - 02:59 AM

No I don't mean application whitelisting, I mean literally what I said... creating local/group policy objects that restrict execution by location. Whitelisting will still easily allow malware to piggyback if vulnerabilities exist.

 

And I do my banking on a persistent usb drive... only ever visit the 2 banking sites. So no threat there either. (unless of course my router gets pwned)

 

Android is a malware writer's wet dream. So many leaky apps and the insatiable desire of people to download crap for free... That said, it doesn't have a registry and can't be fooled with in the same way as Windows, and the Google Play Store is doing a pretty good job of protecting the world en masse.





