this post was submitted on 19 Sep 2023

221 points (94.0% liked)

Technology

77954 readers

1885 users here now

This is a most excellent place for technology news and articles.

Our Rules

Follow the lemmy.world rules.
Only tech related news or articles.
Be excellent to each other!
Mod approved content bots can post up to 10 articles per day.
Threads asking for personal tech support may be deleted.
Politics threads may be removed.
No memes allowed as posts, OK to post as comments.
Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
Check for duplicates before posting, duplicates may be removed
Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago

MODERATORS

L3s@lemmy.world

enu@lemmy.world

technopagan@lemmy.world

L4s@lemmy.world

L3s@hackingne.ws

L4s@hackingne.ws

221

Chinese hackers have unleashed a never-before-seen Linux backdoor (arstechnica.com)

submitted 2 years ago by ZeroCool@feddit.ch to c/technology@lemmy.world

15 comments fedilink hide all child comments

all 18 comments

sorted by: hot top controversial new old

[–] danielfgom@lemmy.world 44 points 2 years ago (2 children)

On the upside they are helping secure Linux because now the the appropriate action can be taken to prevent this in future.

I'm sure a security patch has already been released. The Linux community normally addresses these things very quickly.

[–] Lmaydev@programming.dev 17 points 2 years ago

I'm all for looking on the bright side but this is a bit much lol

Linux users online tend to get very high and mighty every time another OS has a sucurity bug. But it's a good thing for Linux hehe

[–] Shadow@lemmy.ca 12 points 2 years ago

There's no actual vuln here is there? It's just a persistent backdoor that hides with some elf and kernel tricks.

[–] Lmaydev@programming.dev 32 points 2 years ago

Their search turned up a version of the malware with the release number 1.1. The version Trend Micro found was 1.3.6. The multiple versions suggest that the backdoor is currently under development.

They version better than I do at work.

[+] mmababes@lemmy.world 23 points 2 years ago* (last edited 2 years ago) (3 children)

[removed by mod]

[–] Qvest@lemmy.world 48 points 2 years ago (3 children)

No.

By installing software only from trusted sources (default repositories from your distribution are the safest software you will ever install on linux)

[–] learningduck@programming.dev 16 points 2 years ago (1 children)

But you can still be infected by virus by other means like opening PDFs or accessing a malicious link, no?

[–] Qvest@lemmy.world 19 points 2 years ago

Yes. Opening PDFs might be safer on Linux, but general internet security and practice goes a long way, too. Using a content-blocker like uBlock Origin on Firefox can greatly reduce attack surface on both Linux and Windows as well

[–] AceFuzzLord@lemm.ee 3 points 2 years ago

For the average person like me, having something like an antivirus is better than not on Linux. Especially since I tend to download various things outside of the default repository (i.e. Ankama Launcher which I've only ever seen as a appimage).

Though your advice is good, I couldn't go through with it without wanting to rip my hair out.

[–] BeigeAgenda@lemmy.ca 14 points 2 years ago

In general the users should not worry about kernel vulnerabilites because of the built in security in Linux and because the desktop is a much smaller target.

As other people write: Keep to trusted sources (like your distributions own repo) and you should be all right.

It's the Linux servers that should take note and apply patches.

[–] rastilin@kbin.social 12 points 2 years ago (1 children)

I think the fundamental protection is always going to be the firewall that blocks all incoming connections unless you explicitly open a port for a running server.

It's frustrating that the article doesn't have much information about the delivery method for this attack. Is it a remote connection, or you have to run it locally and it escalates privileges?

[–] Qvest@lemmy.world 9 points 2 years ago

researchers from security firm Trend Micro found an encrypted binary file on a server known to be used by a group they had been tracking since 2021

Sounds like it targets servers specifically, so desktop users should be safe

[–] autotldr@lemmings.world 11 points 2 years ago

This is the best summary I could come up with:

Researchers from NHS Digital in the UK have said Trochilus was developed by APT10, an advanced persistent threat group linked to the Chinese government that also goes by the names Stone Panda and MenuPass.

In June, researchers from security firm Trend Micro found an encrypted binary file on a server known to be used by a group they had been tracking since 2021.

The Linux malware ported several functions found in Trochilus and combined them with a new Socket Secure (SOCKS) implementation.

The Trend Micro researchers eventually named their discovery SprySOCKS, with “spry” denoting its swift behavior and the added SOCKS component.

Besides showing interest in espionage activities, Earth Lusca seems financially motivated, with sights set on gambling and cryptocurrency companies.

Monday’s Trend Micro report provides IP addresses, file hashes, and other evidence that people can use to determine if they've been compromised.

The original article contains 537 words, the summary contains 143 words. Saved 73%. I'm a bot and I'm open source!

[–] Destraight@lemm.ee -3 points 2 years ago

Great.. guess I'll install windows 10 again