From: Valeri Galtsev
To: freebsd-questions@freebsd.org
Subject: Re: New Virus that targets *.nix
Date: Sat, 24 Nov 2018 12:56:40 -0600
In-Reply-To: <20181124175844.6115411.91608.68576@shaw.ca>
On 11/24/18 11:58 AM, Dale Scott wrote:
> I don't know about everyone else, but considering my general lack of success running Linux shell scripts in general on FBSD, I don't think I'll panic just yet. ;-)
>

I fully agree with Dale.

First of all, it cannot be called a virus (it does not take over the system upon arrival); it cannot even be called a worm, as it doesn't propagate itself unless it compromises a machine at the system level (a few words about that below) and has a sure way to compromise the next-hop machine. Well, the worst this thing can be called is an elevation-of-privileges script(s) based on a LOCAL (not remote) vulnerability, namely Dirty COW.

Now, here are the questions:

1. Do you keep your system updated (and have implemented solutions mitigating Dirty COW)? If yes, then you should not be expecting a system-level compromise.

2. Do you run one or another system integrity check system? One example could be from long ago, before they went commercial: tripwire. There are a variety of others; do your research and choose what sounds appropriate for you (not mentioning what I do: I do not want to help bad guys in the first step of any attack: collection of information).

It is also interesting to note where this is coming from: DrWeb, based in Russia (closed source commercial provider). I cannot comment on DrWeb as I would comment on Kaspersky, also based in Russia. Kaspersky is KGB (or whatever the current name of that powerful agency is); note: not "ex", as there is no "ex" in these services.

I can imagine that in countries with "strong" government, such as Russia (or USA for that matter - continue your own opinion list), "free" services or software (which are not open source) offered by some companies may carry an additional load. And maybe some commercial (closed source) too. So, use your own reasoning, people.

Incidentally, do you run antivirus software on your UNIX or Linux servers for any purpose other than scanning emails that can be accessed by clients running MS Windows or files shared to MS Windows machines (via SAMBA)? If not, and if you feel anxious about DrWeb's piece, then you become their potential user on machines that do not need their software at all. Which may be one of the goals. Another: to create a larger userbase among Windows people (maybe even making it look like they are also helping poor UNIX and Linux people, which may look legit in the eyes of the big majority of people who do not have expertise in computers).

If you need to run antivirus for the well-justified reasons I mentioned above, use software from a trusted provider. My choice on UNIX(-like) and Linux machines is open source clamav.

I hope this helps.

Valeri

>
>   Original Message
> From: Carmel NY
> Sent: Saturday, November 24, 2018 7:14 AM
> To: FreeBSD
> Reply To: FreeBSD
> Subject: New Virus that targets *.nix
>
> This looks like a particularly nasty virus.
>
> https://www.zdnet.com/article/new-linux-crypto-miner-steals-your-root-password-and-disables-your-antivirus/
>

--
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++