Author: Didier Kryn  Date:  To: dng  Subject: Re: [DNG] ..are we|Devuan safe from this systemd backdoor malware, taking our kernels from Debian?
On 01/05/2021 at 17:50, Florian Zieboll via Dng wrote:
> Hello Didier,
>
> why do you think it's targeting only systems with systemd or gvfs
> installed? At a first glance, I don't see any hints towards this
> conclusion besides the fact that the installer / dropper of this very
> sample did name the executables accordingly and provides a systemd
> "service" file. It should be easily realizable to automatically choose
> other names, depending on the targeted environment.
>
> The Netlab blog post even states:
>
> || Depending on the Linux distribution, create the corresponding
> || self-starting script /etc/init/systemd-agent.conf
> || or /lib/systemd/system/sys-temd-agent.service.
>
> AFAIK, the directory '/etc/init/' is only created/used by (or for) the
> 'upstart' init system, thus I assume that (at least) those systems
> are covered as well.
Apparently I overlooked it a bit; however, if neither systemd nor
gvfs is explicitly targeted, systems running this software are. If
the executables are named systemd-daemon and gvfsd, it's for the process
names to be the same and not alarm the admin.

If I discovered on one of my Devuan machines a process named
systemd-what-the-f or gvfs-something, I would immediately kill it and
try to find where it comes from. But if I was running Gnome on Debian, I
certainly wouldn't.
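The check Didier describes (spot a process wearing a systemd or gvfs name on a host that should have neither, then find out where its binary came from), written up as an added example that is not code from the thread or from Netlab. Function names are my own; the name prefixes and the two persistence paths are the ones quoted from the Netlab post above.

```shell
#!/bin/sh
# Added example: audit a Devuan host for processes named like systemd/gvfs
# and for the dropper's persistence files named in the Netlab post.

# Print "PID COMM EXE" for every running process. EXE is '?' when
# /proc/PID/exe cannot be read (another user's process, or already gone).
# /proc/PID/comm is truncated to 15 characters, hence the prefix match below.
list_procs() {
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        comm=$(cat "$d/comm" 2>/dev/null) || continue
        exe=$(readlink "$d/exe" 2>/dev/null) || exe='?'
        printf '%s %s %s\n' "$pid" "$comm" "$exe"
    done
}

# Keep only lines whose command name starts with systemd or gvfs.
flag_suspect_names() {
    awk '$2 ~ /^(systemd|gvfs)/'
}

# "Where does it come from": is the binary owned by an installed package?
owner_of() {
    if command -v dpkg >/dev/null 2>&1 && dpkg -S "$1" >/dev/null 2>&1; then
        echo "packaged"
    else
        echo "NOT-PACKAGED"
    fi
}

# Print whichever of the dropper's persistence files exist under root
# prefix $1 (pass "" for the live system; a prefix lets a mounted image be checked).
check_dropper_files() {
    for f in "$1/etc/init/systemd-agent.conf" \
             "$1/lib/systemd/system/sys-temd-agent.service"; do
        [ -e "$f" ] && echo "$f"
    done
    return 0
}

# Live scan: one line per suspect process, then any persistence files found.
scan_live() {
    list_procs | flag_suspect_names | while read -r pid comm exe; do
        printf 'suspect pid=%s name=%s exe=%s owner=%s\n' \
            "$pid" "$comm" "$exe" "$(owner_of "$exe")"
    done
    check_dropper_files ""
}

scan_live
```

On a Devuan box the process list should be empty of such names; on Debian with Gnome, the `owner=packaged` column is what separates the genuine gvfsd from an impostor.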