[vox-tech] (forw) Re: Linux Computer Infected
Rick Moen
rick at linuxmafia.com
Sun Jun 3 16:57:30 PDT 2018
Seems to have been intended to be posted, rather than sent just to me in
private mail.
----- Forwarded message from Bob Scofield <scofield at omsoft.com> -----
Date: Sun, 3 Jun 2018 09:23:47 -0700
From: Bob Scofield <scofield at omsoft.com>
To: Rick Moen <rick at linuxmafia.com>
Subject: Re: [vox-tech] Linux Computer Infected
Since Rick expresses skepticism about antivirus companies in this post,
I'll use this one to report on my latest discovery.
The problem with my computer started after I updated to the latest
version of ESET antivirus for Linux. The only thing I had not done
to get my re-install finished was to re-install ESET. So this
morning I did. And after the install the problem reappeared.
Cinnamon and Thunderbird would crash. Firefox was completely
unusable. So I uninstalled ESET and now everything is back to
normal.
Bob
On 06/02/2018 11:48 PM, Rick Moen wrote:
> Quoting Timothy D Thatcher (daniel.thatcher at gmail.com):
>
>> Hah, I'm glad it was nothing as nefarious as some weird malware or
>> rootkit, or as irritating/potentially expensive as an actual hardware
>> failure. Great work, and thanks, Rick.
> One more comment (and yes, as can be seen on
> http://linuxmafia.com/~rick/faq/ and
> http://linuxmafia.com/~rick/lexicon.html#moenslaw-security3, this _is_
> something of a hobbyhorse of mine):
>
>
> _Rootkits_ are by definition NOT attack tools. Period.
>
>
> Yes, the contrary is widely believed, and I know exactly which
> commercial interest promotes that and many similar misunderstandings:
> It's the security / antimalware industry, which has absolutely no
> interest in a well-informed computer user community who understand
> security threats. They want a spooked community willing to outsource
> and open wallets.
>
> This essay ended up being long, and isn't yet in proper presentation
> format, but I think it bountifully illustrates my point about that industry:
> http://linuxmafia.com/kb/Essays/security-snake-oil.html
>
>
> Back to rootkits: A rootkit is a set of replacements for regular
> administrative monitoring tools (ps, netstat, top, ls, etc.) that have
> been gimmicked to ignore the files and processes of an intruder.
> The intruder enters a system and escalates to root authority via
> OTHER MEANS ENTIRELY, and only then, armed with stolen root authority,
> replaces normal system tools with rootkit replacements in order to hide
> himself/herself.
>
> Quoting (myself) from http://linuxmafia.com/~rick/faq/#virus5:
>
>
> [omitting here a very long alphabetical list of 'ringers'; things often
> claimed in error to be 'viruses' that simply aren't]
>
> Every one of those is some sort of _post-attack_ tool; all are
> erroneously claimed on sundry anti-virus companies' sites (and
> consequently in various news articles) to be "Linux viruses". Some
> are actually "rootkits", which are kits of software to hide the
> intruder's presence from the system's owner and install "backdoor"
> re-entry mechanisms, after the intruder's broken in through other
> means entirely. Some are "worms"/"trojans" of the sort that get
> launched locally on the invaded system, by the intruder, to probe it
> and remote systems for further vulnerabilities. Some are outright
> attack tools of the "DDoS" (distributed denial of service) variety,
> which overwhelm a remote target with garbage network traffic from all
> directions, to render it temporarily non-functional or incommunicado.
>
> The news reporters and anti-virus companies in question should be
> ashamed of themselves: None of the above, in itself, can break into any
> remote Linux system. All must be imported manually (or equivalently by
> script) and installed by an intruder who has cracked your system by
> other means.
>
> That incompetent reporting sometimes has extremely damaging
> consequences: In 2002, British authorities arrested
> (https://www.nytimes.com/2002/09/20/world/computer-virus-author-arrested.html)
> the alleged author of the T0rn rootkit, based on their mistaken notion
> that it's a "Linux virus". (My efforts to get the Reuters / NY Times
> story corrected were ignored, except by cited anti-virus consultant
> Graham Cluley, who told me he'd been misquoted.)
>
> I should mention in passing that feeble albeit genuine malware like the
> RST and OSF ELF-infectors are often downloaded and manually installed,
> locally, by attackers AFTER THEY'VE ENTERED AND CRACKED ROOT VIA OTHER
> MEANS ENTIRELY, often as part of their "rootkits". Some of these help
> keep alive UDP-based backdoors to preserve their ongoing access. The
> point, again, is that they're an _after-effect_ of break-in, not a
> method of attack in themselves. It's like a burglar disabling your
> back-porch door lock from inside your kitchen; it's damage, but not the
> guy's means of entry.
>
> _______________________________________________
> vox-tech mailing list
> vox-tech at lists.lugod.org
> http://lists.lugod.org/mailman/listinfo/vox-tech
----- End forwarded message -----
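The rootkit definition in Rick's quoted reply (gimmicked replacements for ps, netstat, ls and friends that hide an intruder's processes and files) suggests a straightforward check an administrator can run from the defending side: read the process list straight out of procfs, which the kernel maintains, and compare it with what the ps binary reports. A user-land rootkit that has replaced ps can filter its output but cannot remove entries from /proc. The script below is an added example, not code from the mailing-list post or from any project mentioned in it; it assumes a Linux system with procfs mounted at /proc and a procps-style ps that accepts `-e -o pid=`. The sample snapshots at the bottom are constructed so the comparison logic can be exercised without a live system.

```python
"""Cross-check the kernel's process table (/proc) against ps output.

Added example: a user-land rootkit that replaces /bin/ps can hide its
processes from ps, but not from procfs. Any PID that is present in /proc
both before and after ps ran, yet absent from ps output, deserves a look.
"""
import os
import re
import subprocess

PID_TOKEN = re.compile(r"^\d+$")


def parse_pid_list(text: str) -> set[int]:
    """Parse whitespace-separated PIDs, e.g. the output of `ps -e -o pid=`."""
    return {int(tok) for tok in text.split() if PID_TOKEN.match(tok)}


def list_proc_pids(proc_root: str = "/proc") -> set[int]:
    """Enumerate PIDs directly from procfs, bypassing the ps binary entirely."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def list_ps_pids() -> set[int]:
    """Ask the (possibly replaced) ps binary for its view of the process table."""
    out = subprocess.run(
        ["ps", "-e", "-o", "pid="], capture_output=True, text=True, check=True
    ).stdout
    return parse_pid_list(out)


def find_hidden_pids(proc_before: set[int], ps_pids: set[int],
                     proc_after: set[int]) -> list[int]:
    """Return PIDs that procfs saw both before and after ps ran, but ps omitted.

    Requiring a PID in both procfs snapshots filters out processes that
    simply exited while ps was running, which would otherwise look hidden.
    """
    stable = proc_before & proc_after
    return sorted(stable - ps_pids)


def run_live_check() -> list[int]:
    """Take the two procfs snapshots around a ps run and report discrepancies."""
    before = list_proc_pids()
    ps_view = list_ps_pids()
    after = list_proc_pids()
    return find_hidden_pids(before, ps_view, after)


# Constructed sample data (not from a real system): PID 4242 is alive in both
# procfs snapshots but missing from ps output; PID 5000 exited between the
# two snapshots and must not be reported.
SAMPLE_PROC_BEFORE = {1, 2, 100, 4242, 5000}
SAMPLE_PS_OUTPUT = "    1\n    2\n  100\n 5000\n"
SAMPLE_PROC_AFTER = {1, 2, 100, 4242}


if __name__ == "__main__":
    suspicious = find_hidden_pids(
        SAMPLE_PROC_BEFORE, parse_pid_list(SAMPLE_PS_OUTPUT), SAMPLE_PROC_AFTER
    )
    print("constructed sample, PIDs hidden from ps:", suspicious)  # [4242]
    if os.path.isdir("/proc"):
        print("live check, PIDs hidden from ps:", run_live_check())
```

A clean result from this check only says that ps agrees with procfs; it does not prove the system is intact. A kernel-resident rootkit (a loaded module patching the syscall table or procfs handlers) can hide entries from /proc as well, and nothing here inspects the ps binary itself. A companion step on a package-managed system is to verify the installed tools against the package database (`dpkg -V procps` on Debian-derived systems, `rpm -V procps-ng` on RPM-based ones), ideally from rescue media rather than from the possibly compromised host.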