# New Virus that targets Linux



## fernandel (Nov 24, 2018)

From FreeBSD-Questions mailing list:

https://www.zdnet.com/article/new-l...ur-root-password-and-disables-your-antivirus/


----------



## ShelLuser (Nov 24, 2018)

I'm not worried. Please take note of this small detail (I quote): "_The trojan itself is a giant shell script of over 1,000 lines of code. *This script is the first file executed on an infected Linux system.*_". Ergo: the system had to be infected before this becomes active, which defies the purpose of a virus.

Also note that it doesn't spread through exploitation, merely by using SSH to try and log onto a remote server and then trying to infect it. This depends on being able to log onto a remote server "just like that", which of course can't normally happen. Even if you use key-based authentication (~/.ssh/id_rsa.pub) you'd still protect the private key through means of a password.

But definitely an interesting find!


----------



## drhowarddrfine (Nov 25, 2018)

Title is wrong. It targets Linux so has nothing to do with FreeBSD.


----------



## _martin (Nov 25, 2018)

Basically it's a wrapper script around two older Linux kernel bugs. The only *nix related thing is the shell script itself. There are way more sophisticated malware/RATs out there.


----------



## kpa (Nov 25, 2018)

Please take this type of news with a large grain of salt. UNIX/Linux/*BSD has always done the separation of concerns and interests the right way, and in almost every case a potential exploit first requires access to a local account that can freely run programs.

And please don't use that argument that it doesn't have anything to do with FreeBSD. If you're stupid enough to expose your system to such a virus, FreeBSD isn't anything special; it will get infected just the same, because if this virus is a reasonably well-written shell script it will be portable to an extent that the virus will run on FreeBSD and will do the damage.


----------



## _martin (Nov 25, 2018)

kpa This malware in question abuses CVEs 2016-5195 and 2013-2094. So this particular malware has nothing to do with FreeBSD. 

OP's title of this thread is not correct. This particular malware is not targeting *nix systems. It's malware spreading on Linux, exploiting two well-known oldish kernel vulnerabilities.

But, using this example, there is a way to use a similar vector on other vulnerable systems (FreeBSD included) should there be a known vulnerability. Good examples are web browsers, torrent clients, ... clients where a user program is interacting with the world.


----------



## Phishfry (Nov 26, 2018)

The good thing about these false alarms is that it causes me to run a virus scan after manually checking my files and running services.

It is also a learning experience.
I ran `service -e` and had savecore running and thought 'what the heck is that'.
Looking at /etc/rc.d/savecore I determined it was legitimate.
I then studied the files sorted by date and did the same for /usr/local/etc/rc.d

I also like to check out the root user's .history file for unfamiliar commands.


----------
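Added example, not part of the thread: the manual checks described in the post above (rc.d scripts sorted by date, a look through root's .history) written as a small POSIX shell helper. The function names and the 30-day window are assumptions; the `#+` lines skipped in the history file are the timestamps tcsh writes between saved entries.

```shell
#!/bin/sh
# Added example (not from the thread). Function names and the 30-day
# window are assumptions chosen for illustration.

# List regular files under the given directories that were modified in
# the last DAYS days, newest first. Missing directories are skipped.
recent_files() {
    days=$1; shift
    for d in "$@"; do
        shift                                   # drop the entry being examined
        if [ -d "$d" ]; then set -- "$@" "$d"; fi   # re-append it only if it exists
    done
    [ "$#" -gt 0 ] || return 0
    find "$@" -type f -mtime "-$days" -exec ls -dt {} +
}

# Count commands (first word of each line) in a csh/tcsh history file,
# rarest first, so one-off commands stand out for review.
# Lines beginning with "#+" are tcsh timestamps and are ignored.
history_command_counts() {
    awk '!/^#\+/ && NF { print $1 }' "$1" | sort | uniq -c | sort -n |
        awk '{ print $1, $2 }'
}

# Paths named in the post; absent or unreadable paths are skipped.
recent_files 30 /etc/rc.d /usr/local/etc/rc.d || :
[ ! -r /root/.history ] || history_command_counts /root/.history
```

A rare command is only a prompt to look closer, and a clean history proves little once an intruder has root, since the file can be edited.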



## Phishfry (Nov 26, 2018)

The problem with virus scanners is they are not very accurate.
Scanning with ClamAV, it showed 126 "Possible Threats".
Digging in, 100 are OpenLibre tutorial files with a macro inside. So waste of time unless macro is malicious.
The other 25 are various BIOS files 'packed' with something clam finds offensive (Win.Packer).
But I will give it credit. I had 1 PDF file with a JavaScript inside. 
I didn't even investigate if malicious. Not important so deleted it.
So not a complete waste of time.
Reminds me of AVG though. Same kind of false positives. Packers and Macros.
Too much noise can really make A/V software useless.


----------



## Deleted member 30996 (Nov 26, 2018)

I use security/rkhunter but don't bother with an AV program anymore as I don't run an email server or see much point. OpenBSD doesn't even have rkhunter in their repository.

I don't allow SSH to run so this doesn't worry me much.


----------



## ronaldlees (Nov 30, 2018)

Phishfry said:


> The good thing about these false alarms is that it causes me to run a virus scan after manually checking my files and running services.
> 
> It is also a learning experience
> I ran `service -e` and had savecore running and thought 'what the heck is that'.
> ...



I like the bit about checking the root .history file: a little old-school but might be beneficial where a full-blown rootkit hasn't been installed. Just took a peek, and it's A-OK ATM.

@fernandel: Thanks for the info. I have one 2016-ish Linux setup that hasn't been cared for. I probably need to update it, except that means more "infected" drivers LOL. Which is worse?


----------

