:: Re: [DNG] ..are we|Devuan safe from…
Top Page
Delete this message
Reply to this message
Author: Tomasz Torcz
Date:  
To: dng
Subject: Re: [DNG] ..are we|Devuan safe from this systemd backdoor malware, taking our kernels from Debian?
Dnia Sat, May 01, 2021 at 05:11:48PM +0200, Didier Kryn napisał(a):
> Le 30/04/2021 à 15:05, Arnt Karlsen a écrit :
> > On Fri, 30 Apr 2021 14:37:20 +0200, Arnt wrote in message
> > <20210430143720.7311bc82@d44>:
> >
> >
> >> https://www.theregister.com/2021/04/29/stealthy_linux_backdoor_malware_spotted/
> > ..how it works:
> > https://blog.netlab.360.com/stealth_rotajakiro_backdoor_en/
>
>
>     This backdoor is targetting systemd and gvfs.


Can you prove that? The analysis you linked shows nothing like that:
- gvfsd is only used as a part of name of backdoor binary, there seem to be no
interaction with real gvfsd at all
- first file described in analysis is an _upstart_ configuration file

-- 
Tomasz Torcz           “(…) today's high-end is tomorrow's embedded processor.”
tomek@???                      — Mitchell Blank on LKML