Author: Florian Zieboll
Date:  
To: dng
Subject: Re: [DNG] ..are we|Devuan safe from this systemd backdoor malware, taking our kernels from Debian?
On Sat, 1 May 2021 17:11:48 +0200
Didier Kryn <kryn@???> wrote:

> On 30/04/2021 at 15:05, Arnt Karlsen wrote:
> > On Fri, 30 Apr 2021 14:37:20 +0200, Arnt wrote in message
> > <20210430143720.7311bc82@d44>:
> >
> >
> >> https://www.theregister.com/2021/04/29/stealthy_linux_backdoor_malware_spotted/
> > ..how it works:
> > https://blog.netlab.360.com/stealth_rotajakiro_backdoor_en/
>
>
>     This backdoor is targeting systemd and gvfs.
>
>     It is not very surprising that systemd is targeted, since it is
> present (by force) in most installed Linux systems.
>
>     Gvfs is not expected to be installed on servers, but is required
> by some desktop goodies - even in Xfce4, for example if you install
> the tool to mount/unmount hotplug disks; it is primarily to avoid it
> that I developed hopman.



Hello Didier,

why do you think it's targeting only systems with systemd or gvfs
installed? At a first glance, I don't see any hints towards this
conclusion besides the fact that the installer / dropper of this very
sample did name the executables accordingly and provides a systemd
"service" file. It should be easily realizable to automatically choose
other names, depending on the targeted environment.

The Netlab blog post even states:

|| Depending on the Linux distribution, create the corresponding
|| self-starting script /etc/init/systemd-agent.conf
|| or /lib/systemd/system/sys-temd-agent.service.


AFAIK, the directory '/etc/init/' is only created by, or used for, the
'upstart' init system, thus I assume that (at least) those systems are
covered as well.


libre greetings,
Florian
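As an added illustration (not part of the thread, and not Netlab's or Florian's code), the two persistence paths quoted above can be turned into a local check: it flags those exact files and, more generally, any unit file or upstart job whose name normalises to "systemd..." without literally being spelled that way, which is how the "sys-temd-agent" naming would slip past a casual `ls`. The directory list and the normalisation rule are my own assumptions.

```python
"""Flag init/systemd persistence entries whose names mimic systemd.

Added example, not from the original thread. The two literal paths come
from the Netlab text quoted in the mail; the search directories and the
name-normalisation heuristic are assumptions of this example.
"""
import os
import re

# Persistence files named in the quoted Netlab write-up.
KNOWN_PERSISTENCE = {
    "/etc/init/systemd-agent.conf",
    "/lib/systemd/system/sys-temd-agent.service",
}

# Assumed locations of upstart jobs and systemd units to inspect.
SEARCH_DIRS = [
    "/etc/init",
    "/lib/systemd/system",
    "/usr/lib/systemd/system",
    "/etc/systemd/system",
]


def normalise(name):
    """Drop the unit/job extension and every non-alphanumeric character,
    so that 'sys-temd-agent.service' and 'Sys_temd.conf' both collapse
    to a plain 'systemd...' stem."""
    stem = re.sub(r"\.(service|conf|timer|socket)$", "", name)
    return re.sub(r"[^a-z0-9]", "", stem.lower())


def classify(path):
    """Return a reason string if the path looks suspicious, else None."""
    if path in KNOWN_PERSISTENCE:
        return "matches a persistence path quoted from the Netlab write-up"
    name = os.path.basename(path)
    if normalise(name).startswith("systemd") and not name.startswith("systemd"):
        return "name normalises to 'systemd...' but is spelled differently"
    return None


def scan(paths):
    """Map each suspicious path in `paths` to the reason it was flagged."""
    results = {}
    for path in paths:
        reason = classify(path)
        if reason is not None:
            results[path] = reason
    return results


def scan_system(dirs=SEARCH_DIRS):
    """Collect entries from the directories that exist locally and scan them."""
    paths = []
    for d in dirs:
        if os.path.isdir(d):
            paths.extend(os.path.join(d, f) for f in os.listdir(d))
    return scan(paths)


if __name__ == "__main__":
    for path, reason in scan_system().items():
        print(f"{path}: {reason}")
```

Legitimate units such as systemd-journald.service are not flagged, because they are spelled exactly "systemd-..." rather than only normalising to it.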