• girsaysdoom@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    62
    ·
    edit-2
    1 year ago

    Here’s a link to the actual Trendmicro article: https://www.trendmicro.com/en_us/research/23/i/earth-lusca-employs-new-linux-backdoor.html.

    Not sure why OP’s article linked the version from 2 years ago.

    Also an article with more info: https://www.bleepingcomputer.com/news/security/new-sprysocks-linux-malware-used-in-cyber-espionage-attacks/.

    Edit:

    My understanding of these articles is that there is a hacking group that is targeting public facing servers that are exploitable using other methods and utilizing this sprysocks software to create an opening for them to remotely access the server. If that’s the case then this shouldn’t affect most Linux desktops or isolated systems. Let me know if anyone has more info.

      • girsaysdoom@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        5
        ·
        1 year ago

        The originally posted article looks like it linked to the older version of this malware. I just linked the newer version of the report from yesterday that I found through a different article.

  • danielfgom@lemmy.world
    link
    fedilink
    English
    arrow-up
    58
    arrow-down
    6
    ·
    1 year ago

    On the upside they are helping secure Linux because now the the appropriate action can be taken to prevent this in future.

    I’m sure a security patch has already been released. The Linux community normally addresses these things very quickly.

    • Lmaydev@programming.dev
      link
      fedilink
      English
      arrow-up
      29
      arrow-down
      7
      ·
      1 year ago

      I’m all for looking on the bright side but this is a bit much lol

      Linux users online tend to get very high and mighty every time another OS has a sucurity bug. But it’s a good thing for Linux hehe

      • ElderWendigo@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        26
        arrow-down
        2
        ·
        1 year ago

        Linux users online tend to get very high and mighty every time another OS has a sucurity bug. But it’s a good thing for Linux hehe

        That’s because illuminating security vulnerabilities is VERY GENERALLY a good thing for an open source community driven software that can be more agile than closed and private code bases that are GENERALLY entrenched in a corporate structure slowed by all of the inertia inherent in those systems.

        • Lmaydev@programming.dev
          link
          fedilink
          English
          arrow-up
          4
          arrow-down
          14
          ·
          1 year ago

          Don’t like all Linux patches have to be emailed directly to chappy for him to personally check?

            • Lmaydev@programming.dev
              link
              fedilink
              English
              arrow-up
              4
              arrow-down
              1
              ·
              1 year ago

              This process initiates with Linus Torvalds, wherein, he releases a new kernel and then opens a 2-week merge window. During this merge window, he pulls the code for the next release from subsystem maintainers. Subsystem maintainers send signed git pull requests to Linus either during the merge window or before

              • SuddenlyBlowGreen@lemmy.world
                link
                fedilink
                English
                arrow-up
                3
                ·
                1 year ago

                No, that’s just for development discussion and code versioning. Nothing the end-user needs to touch or see.

                End users update their system with commands/through interfaces or they receive automatic updates, depending on their system.

    • Shadow@lemmy.ca
      link
      fedilink
      English
      arrow-up
      15
      ·
      1 year ago

      There’s no actual vuln here is there? It’s just a persistent backdoor that hides with some elf and kernel tricks.

      • danielfgom@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        Sure. I’m not excusing it, just saying now they we know about it, at least it can get patched. Nothing worse than having a security hole going unpatched for years.

  • Lmaydev@programming.dev
    link
    fedilink
    English
    arrow-up
    35
    ·
    1 year ago

    Their search turned up a version of the malware with the release number 1.1. The version Trend Micro found was 1.3.6. The multiple versions suggest that the backdoor is currently under development.

    They version better than I do at work.

  • mmababes@lemmy.world
    link
    fedilink
    English
    arrow-up
    28
    arrow-down
    1
    ·
    edit-2
    1 year ago

    Should linux users install antivirus/anti-malware software like Windows users?

    How should Linux users protect themselves from threats like this?

    • Qvest@lemmy.world
      link
      fedilink
      English
      arrow-up
      59
      arrow-down
      4
      ·
      1 year ago

      No.

      By installing software only from trusted sources (default repositories from your distribution are the safest software you will ever install on linux)

        • Qvest@lemmy.world
          link
          fedilink
          English
          arrow-up
          21
          ·
          1 year ago

          Yes. Opening PDFs might be safer on Linux, but general internet security and practice goes a long way, too. Using a content-blocker like uBlock Origin on Firefox can greatly reduce attack surface on both Linux and Windows as well

      • mmababes@lemmy.world
        link
        fedilink
        English
        arrow-up
        11
        ·
        1 year ago

        Ok, what if you’ve downloaded and installed a compromised application without knowing it was compromised?

        For example, I have installed some software from SourceForge and Fosshub without reading the source code so I don’t know if I have compromised my system unwittingly.

        • NateNate60@lemmy.ml
          link
          fedilink
          English
          arrow-up
          12
          arrow-down
          1
          ·
          1 year ago

          You can try some free Linux antivirus software programs like ClamAV but realistically, as long as you mainly install software through your distro’s package management software or graphical app store, you’re probably fine.

          Although not all open-source software is safe, it’s a hundred times less likely to be malicious for the sole reason that it’s out in the open for someone to verify, and they’d get busted immediately if they tried something untoward.

      • Dizzy Devil Ducky@lemm.ee
        link
        fedilink
        English
        arrow-up
        4
        arrow-down
        1
        ·
        1 year ago

        For the average person like me, having something like an antivirus is better than not on Linux. Especially since I tend to download various things outside of the default repository (i.e. Ankama Launcher which I’ve only ever seen as a appimage).

        Though your advice is good, I couldn’t go through with it without wanting to rip my hair out.

    • rastilin@kbin.social
      link
      fedilink
      arrow-up
      17
      arrow-down
      1
      ·
      1 year ago

      I think the fundamental protection is always going to be the firewall that blocks all incoming connections unless you explicitly open a port for a running server.

      It’s frustrating that the article doesn’t have much information about the delivery method for this attack. Is it a remote connection, or you have to run it locally and it escalates privileges?

      • Qvest@lemmy.world
        link
        fedilink
        English
        arrow-up
        12
        arrow-down
        2
        ·
        1 year ago

        researchers from security firm Trend Micro found an encrypted binary file on a server known to be used by a group they had been tracking since 2021

        Sounds like it targets servers specifically, so desktop users should be safe

    • BeigeAgenda@lemmy.ca
      link
      fedilink
      English
      arrow-up
      18
      arrow-down
      2
      ·
      1 year ago

      In general the users should not worry about kernel vulnerabilites because of the built in security in Linux and because the desktop is a much smaller target.

      As other people write: Keep to trusted sources (like your distributions own repo) and you should be all right.

      It’s the Linux servers that should take note and apply patches.

  • AutoTL;DR@lemmings.worldB
    link
    fedilink
    English
    arrow-up
    13
    arrow-down
    1
    ·
    1 year ago

    This is the best summary I could come up with:


    Researchers from NHS Digital in the UK have said Trochilus was developed by APT10, an advanced persistent threat group linked to the Chinese government that also goes by the names Stone Panda and MenuPass.

    In June, researchers from security firm Trend Micro found an encrypted binary file on a server known to be used by a group they had been tracking since 2021.

    The Linux malware ported several functions found in Trochilus and combined them with a new Socket Secure (SOCKS) implementation.

    The Trend Micro researchers eventually named their discovery SprySOCKS, with “spry” denoting its swift behavior and the added SOCKS component.

    Besides showing interest in espionage activities, Earth Lusca seems financially motivated, with sights set on gambling and cryptocurrency companies.

    Monday’s Trend Micro report provides IP addresses, file hashes, and other evidence that people can use to determine if they’ve been compromised.


    The original article contains 537 words, the summary contains 143 words. Saved 73%. I’m a bot and I’m open source!

  • Lucidlethargy@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    1
    arrow-down
    1
    ·
    1 year ago

    Thank goodness I’m on windows.

    Just kidding, I know that triggers Lemmy, lol. I actually like Linux a lot, even though I only use it in docker right now.

  • gmtom@lemmy.world
    link
    fedilink
    English
    arrow-up
    3
    arrow-down
    16
    ·
    1 year ago

    Even after blocking the Linux community I still get these random irrelevant Linux articles.

    • ZeroCool@feddit.chOP
      link
      fedilink
      English
      arrow-up
      11
      arrow-down
      1
      ·
      1 year ago

      Where do you think you are? You’re in a technology community. Just because you aren’t interested in linux doesn’t mean articles about linux are somehow “irrelevant” to the community.