[vox-tech] Linux Computer Infected

Rick Moen rick at linuxmafia.com
Sat Jun 2 23:48:10 PDT 2018


Quoting Timothy D Thatcher (daniel.thatcher at gmail.com):

> Hah, I'm glad it was nothing as nefarious as some weird malware or
> rootkit, or as irritating/potentially expensive as an actual hardware
> failure. Great work, and thanks, Rick.

One more comment (and yes, as can be seen on
http://linuxmafia.com/~rick/faq/ and
http://linuxmafia.com/~rick/lexicon.html#moenslaw-security3, this _is_
something of a hobbyhorse of mine):


_Rootkits_ are by definition NOT attack tools.  Period.


Yes, the contrary is widely believed, and I know exactly which
commercial interest promotes that and many similar misunderstandings:
It's the security / antimalware industry, which has absolutely no
interest in a well-informed computer user community who understand
security threats.  They want a spooked community willing to outsource 
and open wallets.

This essay ended up being long, and isn't yet in proper presentation
format, but I think it bountifully illustrates my point about that industry:
http://linuxmafia.com/kb/Essays/security-snake-oil.html


Back to rootkits:  A rootkit is a set of replacements for regular
administrative monitoring tools (ps, netstat, top, ls, etc.) that have
been gimmicked to ignore the files and processes of an intruder.
The intruder enters a system and escalates to root authority via
OTHER MEANS ENTIRELY, and only then, armed with stolen root authority, 
replaces normal system tools with rootkit replacements in order to hide
himself/herself.

Quoting (myself) from http://linuxmafia.com/~rick/faq/#virus5:


   [omitting here a very long alphabetical list of 'ringers'; things often
   claimed in error to be 'viruses' that simply aren't]

   Every one of those is some sort of _post-attack_ tool; all are
   erroneously claimed on sundry anti-virus companies' sites (and
   consequently in various news articles) to be "Linux viruses". Some
   are actually "rootkits", which are kits of software to hide the
   intruder's presence from the system's owner and install "backdoor"
   re-entry mechanisms, after the intruder's broken in through other
   means entirely.  Some are "worms"/"trojans" of the sort that get
   launched locally on the invaded system, by the intruder, to probe it
   and remote systems for further vulnerabilities. Some are outright
   attack tools of the "DDoS" (distributed denial of service) variety,
   which overwhelm a remote target with garbage network traffic from all
   directions, to render it temporarily non-functional or incommunicado.

   The news reporters and anti-virus companies in question should be
   ashamed of themselves: None of the above, in itself, can break into any
   remote Linux system. All must be imported manually (or equivalently by
   script) and installed by an intruder who has cracked your system by
   other means.

   That incompetent reporting sometimes has extremely damaging
   consequences: In 2002, British authorities arrested
   (https://www.nytimes.com/2002/09/20/world/computer-virus-author-arrested.html)
   the alleged author of the T0rn rootkit, based on their mistaken notion
   that it's a "Linux virus". (My efforts to get the Reuters / NY Times
   story corrected were ignored, except by cited anti-virus consultant
   Graham Cluley, who told me he'd been misquoted.)

   I should mention in passing that feeble albeit genuine malware like the
   RST and OSF ELF-infectors are often downloaded and manually installed,
   locally, by attackers AFTER THEY'VE ENTERED AND CRACKED ROOT VIA OTHER
   MEANS ENTIRELY, often as part of their "rootkits". Some of these help
   keep alive UDP-based backdoors to preserve their ongoing access. The
   point, again, is that they're an _after-effect_ of break-in, not a
   method of attack in themselves. It's like a burglar disabling your
   back-porch door lock from inside your kitchen; it's damage, but not the
   guy's means of entry.
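A defender-side check that follows from the rootkit definition in the post above, added here as an example and not part of the original message: it compares the kernel's process list under /proc with what the ps binary reports, since a rootkit of the kind described swaps in a ps that omits the intruder's processes. It assumes a Linux host with /proc mounted and a ps in PATH, and it catches only this replaced-tool kind of hiding, not a kernel-level rootkit that filters /proc as well.

```python
"""Cross-check the kernel's view of processes (/proc) against ps output.

A userland rootkit replaces ps with one that skips the intruder's
processes; /proc is a separate source of truth, so a PID visible there
but absent from ps output deserves a closer look.
"""
import os
import subprocess


def proc_pids():
    """PIDs the kernel currently exposes as numeric entries under /proc."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def ps_pids():
    """PIDs reported by the ps binary in PATH (the tool a rootkit would replace)."""
    out = subprocess.run(["ps", "-e", "-o", "pid="],
                         capture_output=True, text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def hidden_pids(before, reported, after):
    """PIDs present in /proc both before and after ps ran, yet missing from ps.

    Requiring presence in both snapshots drops processes that merely started
    or exited while ps was running; those would otherwise be false positives.
    """
    stable = before & after
    return sorted(stable - reported)


def process_name(pid):
    """Best-effort name from /proc/<pid>/comm; None if the process is gone."""
    try:
        with open(f"/proc/{pid}/comm") as f:
            return f.read().strip()
    except OSError:
        return None


def scan():
    """Return {pid: name} for processes ps failed to report."""
    before = proc_pids()
    reported = ps_pids()
    after = proc_pids()
    return {pid: process_name(pid) for pid in hidden_pids(before, reported, after)}


if __name__ == "__main__":
    suspects = scan()
    for pid, name in suspects.items():
        print(f"PID {pid} ({name}) is in /proc but not in ps output")
    print("ps output matches /proc" if not suspects else f"{len(suspects)} suspect(s)")
```

A hit is a lead, not a verdict: confirm it by inspecting /proc/<pid> directly and by comparing the ps binary's hash against the distribution package before drawing conclusions.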


