submitted 11 months ago by L4s@lemmy.world to c/technology@lemmy.world

Stealthy Linux rootkit found in the wild after going undetected for 2 years::Krasue infects telecom firms in Thailand using techniques for staying under the radar.

[-] raspberriesareyummy@lemmy.world 91 points 11 months ago* (last edited 11 months ago)

Zero useful info: what is the attack vector / vulnerability exploited? Without that info, this is useless

[-] anamethatisnt@lemmy.world 60 points 11 months ago* (last edited 11 months ago)
[-] KSPAtlas@sopuli.xyz 29 points 11 months ago

The only thing I know runs that kernel version is my Wii because it needs an old kernel for ppc32 support

[-] registrert@lemmy.sambands.net 41 points 11 months ago

Be careful, one day you'll boot it up only to find some hacker has set new and impossible-to-beat high scores.

[-] raspberriesareyummy@lemmy.world 1 points 11 months ago

Now that is helpful information - current distros being on 6.x and whatnot... Thanks!

[-] randy@lemmy.ca 30 points 11 months ago

From the article:

The researchers have so far been unable to determine precisely how Krasue gets installed.

So no one knows yet. But I feel that the existence of malware in the wild is newsworthy, even if we don't know how it got there. Regardless, you and I probably don't have to worry about it unless you're a Thai telecom.

[-] raspberriesareyummy@lemmy.world 1 points 11 months ago

And unless we run a 3.x kernel as another commenter pointed out...

[-] Kodemystic@lemmy.kodemystic.dev 9 points 11 months ago

How to combat stuff like this?

[-] d3Xt3r@lemmy.nz 24 points 11 months ago

SELinux, grsecurity, containers, keep your system updated and don't run random untrustworthy code.

[-] TrickDacy@lemmy.world 16 points 11 months ago

random untrustworthy code.

Honestly, is there much code in the world which doesn't meet this description? How do you propose we decide what is trustworthy? Every time I update my packages I'm getting possibly millions of new lines of code that I can't possibly personally vet

[-] PlatinumSf@pawb.social 8 points 11 months ago

Keyword "Random". The code for the packages that shipped with your OS and for your user-installed utilities is generally 'trusted' code, since you sought out the install. It's not bulletproof, but it's a good start vs running any package that happens to land in your downloads folder.

[-] TrickDacy@lemmy.world 0 points 11 months ago* (last edited 11 months ago)

Well, it's not always so cut and dried. For example, do I need to research the maker of an app that looks useful? I don't think most people on lemmy are the types to literally not care at all where software comes from, so I'm just trying to understand better how we can properly draw that line

[-] pete_the_cat@lemmy.world 2 points 11 months ago

Those packages are vetted by multiple maintainers from different places, they'd all have to be in on it.

[-] autotldr@lemmings.world 7 points 11 months ago

This is the best summary I could come up with:


Stealthy and multifunctional Linux malware that has been infecting telecommunications companies went largely unnoticed for two years until being documented for the first time by researchers on Thursday.

Researchers from security firm Group-IB have named the remote access trojan “Krasue,” after a nocturnal spirit depicted in Southeast Asian folklore “floating in mid-air, with no torso, just her intestines hanging from below her chin.” The researchers chose the name because evidence to date shows it almost exclusively targets victims in Thailand and “poses a severe risk to critical systems and sensitive data given that it is able to grant attackers remote access to the targeted network.”

It then proceeds to hook the syscall, network-related functions, and file listing operations, thereby obscuring its activities and evading detection.

Rootkits are a type of malware that hides directories, files, processes, and other evidence of its presence to the operating system it’s installed on.

By hooking legitimate Linux processes, the malware is able to suspend them at select points and interject functions that conceal its presence.

Intercepting the kill() syscall also allows the trojan to survive Linux commands attempting to abort the program and shut it down.


The original article contains 288 words, the summary contains 192 words. Saved 33%. I'm a bot and I'm open source!
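The summary above describes a rootkit that hooks file-listing operations to hide its processes. A defender's cross-view check for that class of hiding, added here as an example (not code from the article, Group-IB, or anyone in this thread), compares the PIDs visible in the /proc directory listing against PIDs the kernel confirms exist via kill(pid, 0). It assumes a Linux host with procfs mounted at /proc.

```python
"""Cross-view check for processes hidden from the /proc listing.

A hooked readdir can filter PIDs out of the /proc directory listing while the
processes still exist in the kernel. Two independent views expose the gap:
  1. the /proc directory listing (the view a hooked file-listing call filters)
  2. a probe of every PID with kill(pid, 0), which only asks the kernel whether
     the process exists; no signal is delivered.
Assumption (not from the article): Linux with procfs mounted at /proc.
"""
import os
from typing import Set

PROC_ROOT = "/proc"


def listed_pids(proc_root: str = PROC_ROOT) -> Set[int]:
    """PIDs as they appear in the /proc directory listing."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def probed_pids(max_pid: int) -> Set[int]:
    """PIDs the kernel confirms exist when asked directly via kill(pid, 0).

    EPERM means the process exists but belongs to another user, so it still
    counts as present; ESRCH means there is no such process.
    """
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        found.add(pid)
    return found


def read_pid_max(proc_root: str = PROC_ROOT) -> int:
    """Upper bound of the PID space, so the probe covers every possible PID."""
    with open(os.path.join(proc_root, "sys/kernel/pid_max")) as f:
        return int(f.read().strip())


def hidden_pids(listed: Set[int], probed: Set[int]) -> Set[int]:
    """PIDs that answer the kernel probe but are absent from the listing."""
    return probed - listed


def find_hidden(max_pid: int, proc_root: str = PROC_ROOT) -> Set[int]:
    """Take the listing before and after the probe; a PID that merely started
    or exited mid-scan shows up in at most one view, so requiring absence from
    both listings trims that noise."""
    before = listed_pids(proc_root)
    probed = probed_pids(max_pid)
    after = listed_pids(proc_root)
    return hidden_pids(before | after, probed)


if __name__ == "__main__":
    suspects = find_hidden(read_pid_max())
    print("PIDs hidden from /proc listing:", sorted(suspects) or "none")
```

A non-empty result is a lead, not proof: confirm each suspect with a second independent view (for example its entry in /proc/<pid>/status read directly by path) before treating it as a rootkit indicator.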

this post was submitted on 11 Dec 2023