HN Reader

If I am skimming this correctly, this is a C&C client allowing remote control over the network, and uses "a rootkit" for further compromise once it somehow gets installed?

I understand the value of in-depth security reports, but the 5th time they told me "WolfsBane is the Linux counterpart of Gelsevirine, while FireWood is connected to Project Wood." I was wondering when I'd get to the meat and potatoes.

So, an aplication started as root it does a lot, if started as a normal user, does less. Sure, any first year CS student can write something like that. Or you can.. well.. install an ssh server or a vnc server or whatever.

How it gets onto the system in the first place is the interesting (and dangerous) part, that sadly gets skimmed over here.

For signs of the analyzed version, there's this file:

/lib/systemd/system/display-managerd.service

And a process called "kde".

What's the point of these kinds of articles? Most Linux malware (including this one) are not sophisticated at all, built off of pre-existing rootkit code samples off Github and quite sloppy with leaving files and traces (".Xl1", modifying bashrc, really?). And there's a weird fixation on China here, is it just more anti-China propaganda?

> The FireWood backdoor, in a file named dbus, is the Linux OS continuation of the Project Wood malware... > The analyzed code suggests that the file usbdev.ko is a kernel driver module working as a rootkit to hide processes.

Where is the backdoor coming from? If there's a backdoor, something is backdoored. An unknown exploit installing a rootkit and using a modified file, like usbdev.ko, is not a backdoor.

Which pakage / OS ships with the backdoor?

Or doesn't the author of TFA know the definition of a backdoor? Or is it me? I mean, to me the XZ utils exploit attempt was a backdoor (for example). But I see nothing here indicating the exploit they're talking about is a backdoor.

It reads like they classify anything opening ports and trying to evade detection as "backdoors".

Am I going nuts?