HN Reader

These things always get really cool names, like "Wolfsbane" and "firewood". makes me want to make some malware to see what cool name security researchers give it lol

The use of LD_PRELOAD as part of the attack surface makes me think that a statically-linked binary has some value. Not a maximalist approach like some experimental distros, but I think there's clearly some value in your standard userland utilities always performing "as you expect," which LD_PRELOAD subverts. Plenty of Linux installs around the world get on fine using BusyBox as the main (only?) userland utility package.

What AV (if any?) would people recommend for linux? I feel that clamav is more for incoming files than something which would or could catch this?

So, an aplication started as root it does a lot, if started as a normal user, does less. Sure, any first year CS student can write something like that. Or you can.. well.. install an ssh server or a vnc server or whatever.

How it gets onto the system in the first place is the interesting (and dangerous) part, that sadly gets skimmed over here.

If I am skimming this correctly, this is a C&C client allowing remote control over the network, and uses "a rootkit" for further compromise once it somehow gets installed?

I understand the value of in-depth security reports, but the 5th time they told me "WolfsBane is the Linux counterpart of Gelsevirine, while FireWood is connected to Project Wood." I was wondering when I'd get to the meat and potatoes.

Seems like their malware relies on a couple of things:

- intended target is KDE and GNOME

- privilege escalation through LD_PRELOAD hooking from userland via open, stat, readdir access (of any other program that the user executes, see down below)

- persistence through display manager config for KDE

- persistence through desktop autostart files for GNOME

- fallback persistence through .bashrc, profile or profile.sh in /etc

- installs trojanized ssh client version

- installs a JSP webshell

- sideloads kernel module as libselinux.so and .ko module. Probably the rootkit helpers to access them from userland

Despite the snarky comments in here, this malware is actually quite sophisticated.

If you don't agree, I challenge you now to measure the time it takes for you to find all .so files on your system that are loaded right now, and have been modified since your package manager installed them.

My point being that there is no EDR on Linux that catches this (apart from ours that's WIP), because all existing tools are just checking for windows malware hashes (not even symbols) as they're intended for linux fileservers.

For signs of the analyzed version, there's this file:

/lib/systemd/system/display-managerd.service

And a process called "kde".

> The FireWood backdoor, in a file named dbus, is the Linux OS continuation of the Project Wood malware... > The analyzed code suggests that the file usbdev.ko is a kernel driver module working as a rootkit to hide processes.

Where is the backdoor coming from? If there's a backdoor, something is backdoored. An unknown exploit installing a rootkit and using a modified file, like usbdev.ko, is not a backdoor.

Which pakage / OS ships with the backdoor?

Or doesn't the author of TFA know the definition of a backdoor? Or is it me? I mean, to me the XZ utils exploit attempt was a backdoor (for example). But I see nothing here indicating the exploit they're talking about is a backdoor.

It reads like they classify anything opening ports and trying to evade detection as "backdoors".

Am I going nuts?

What's the point of these kinds of articles? Most Linux malware (including this one) are not sophisticated at all, built off of pre-existing rootkit code samples off Github and quite sloppy with leaving files and traces (".Xl1", modifying bashrc, really?). And there's a weird fixation on China here, is it just more anti-China propaganda?