

[Safety Knowledge] Security experts have discovered the Linux version of the "Turla" Trojan

Posted on 12/20/2014 12:17:04 AM
Recently, security experts from Kaspersky and Symantec discovered an extremely stealthy Linux spy Trojan that specializes in stealing sensitive data from government departments and important industries around the world.

The latest Linux spy Trojan discovery is another piece of the puzzle of Turla, the advanced persistent attack discovered by Kaspersky and Symantec in August this year. The main targets of "Turla" attacks are government departments, embassies and consulates in 45 countries around the world, as well as military, educational and scientific research institutions and pharmaceutical companies. It is the top APT (advanced persistent threat) activity today, on the same level as the recently discovered Regin, and very similar to the state-level malware discovered in recent years, such as Flame, Stuxnet and Duqu; it is highly technically sophisticated.
According to Kaspersky Lab, the security community had previously only found the "Turla" spy Trojan on Windows systems. And because "Turla" uses rootkit technology, it is extremely difficult to detect.
The exposure of the Linux spy Trojan shows that the attack surface of "Turla" also covers Linux systems. Like the Windows version, the Linux version of the "Turla" Trojan is highly stealthy and cannot be detected by conventional methods such as the netstat command. The Trojan enters the system and remains silent, sometimes even lurking in the target's computer for years, until the attacker sends an IP packet containing a specific sequence of numbers.
After activation, the Linux version of the Trojan can execute arbitrary commands even without elevating system privileges, and any user with ordinary privileges can start it for monitoring.
The security community currently has very limited knowledge of the Linux version of the Trojan and its potential capabilities. What is known is that the Trojan is developed in C and C++, contains the necessary code libraries, and is able to operate independently. The Turla Trojan's code has had its symbol information stripped, making it difficult for researchers to reverse engineer it and conduct in-depth research.
Security Niu recommends that Linux system administrators of important departments and enterprises check as soon as possible whether they are infected with the Linux version of the Trojan. The method is very simple: check whether outbound traffic contains the following link or address: news-bbc.podzone[.]org or 80.248.65.183, which is the command-and-control server address hard-coded in the Linux version of the Trojan that has been discovered. System administrators can also use YARA, an open-source malware research tool, to write signatures that detect whether files contain the two strings "TREX_PID=%u" and "Remote VS is empty!".
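A defender-side check for the indicators named in the post, added here as an example and not part of the original article: it flags outbound-traffic log lines that reference the hard-coded C2 host or IP, and tests a file image for the two strings the post suggests hunting with YARA. The log line format, the rule name linux_turla_strings, and the sample records are constructed assumptions.

```python
import re
from typing import List

# Indicators the post reports for the Linux Turla sample: the hard-coded C2 host and IP,
# and the two strings it suggests hunting for with YARA.
C2_DOMAIN = "news-bbc.podzone.org"
C2_IP = "80.248.65.183"
TURLA_STRINGS = [b"TREX_PID=%u", b"Remote VS is empty!"]


def find_c2_connections(log_lines: List[str]) -> List[str]:
    """Return the outbound-traffic log lines that reference the known C2 host or IP."""
    # Anchor the IP so that e.g. 180.248.65.183 or 80.248.65.18 is not a false hit.
    ip_pattern = re.compile(r"(?<![\d.])" + re.escape(C2_IP) + r"(?![\d.])")
    return [line for line in log_lines
            if ip_pattern.search(line) or C2_DOMAIN in line.lower()]


def has_turla_strings(data: bytes) -> List[str]:
    """Return which of the two indicator strings occur in a file image."""
    return [s.decode() for s in TURLA_STRINGS if s in data]


def yara_rule() -> str:
    """The same string check expressed as a YARA rule (rule name is an assumption)."""
    return (
        "rule linux_turla_strings {\n"
        "  strings:\n"
        '    $a = "TREX_PID=%u"\n'
        '    $b = "Remote VS is empty!"\n'
        "  condition:\n"
        "    $a and $b\n"
        "}\n"
    )


# Constructed sample log: four outbound-connection records; the third is a near-miss IP.
SAMPLE_LOG = [
    "2014-12-19T22:10:01 src=10.0.0.7:51222 dst=80.248.65.183:80 proto=tcp",
    "2014-12-19T22:10:05 src=10.0.0.7:51223 dst=93.184.216.34:443 proto=tcp",
    "2014-12-19T22:11:40 src=10.0.0.9:51300 dst=180.248.65.183:80 proto=tcp",
    "2014-12-19T22:12:00 dns query news-bbc.podzone.org from 10.0.0.7",
]

if __name__ == "__main__":
    for hit in find_c2_connections(SAMPLE_LOG):
        print("C2 traffic:", hit)
    # Constructed file image containing both strings, as a positive control.
    print(has_turla_strings(b"\x00TREX_PID=%u\x00Remote VS is empty!\x00"))
    print(yara_rule())
```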
Posted on 12/20/2014 8:04:26 PM
I feel like people are amazing now