:: Re: [DNG] ..are we|Devuan safe from…
Página Principal
Delete this message
Reply to this message
Autor: Didier Kryn
Data:  
Para: dng
Assunto: Re: [DNG] ..are we|Devuan safe from this systemd backdoor malware, taking our kernels from Debian?
Le 01/05/2021 à 17:50, Florian Zieboll via Dng a écrit :
> Hallo Didier,
>
> why do you think it's targeting only systems with systemd or gvfs
> installed? At a first glance, I don't see any hints towards this
> conclusion besides the fact that the installer / dropper of this very
> sample did name the executables accordingly and provides a systemd
> "service" file. It should be easily realizable to automatically choose
> other names, depending on the targeted environment.
>
> The Netlab blog post even states:
>
> || Depending on the Linux distribution, create the corresponding
> || self-starting script /etc/init/systemd-agent.conf
> || or /lib/systemd/system/sys-temd-agent.service.
>
> AFAIK, the directory '/etc/init/' is only created/used by resp. for the
> 'upstart' init system, thus I assume that also (at least) those systems
> are covered as well.


    Apparently I overlooked it a bit, however, if neither systemd nor
gvfs are explicitely targetted, systems running these softwares are. If
the executables are named systemd-daemon and gvfsd, it's for the process
names to be the same and not alarm the admin.

    If I discovered on one of  my Devuan machines a process named
systemd-what-the-f or gvfs-something, I would immediately kill it and
try to find where it comes from. But if I was running Gnome on Debian, I
certainly wouldn't.

--     Didier