Should a home user worry about this? (malware)

MikeNovember
Level 7
Posts: 1856
Joined: Fri Feb 28, 2020 7:37 am
Location: Nice, Paris, France

Re: Should a home user worry about this? (malware)

Post by MikeNovember »

Marie SWE wrote: Mon May 16, 2022 1:04 pm [...]
I do follow MikeNovember's post but with a few additions. One, I do want to be able to detect suspicious activities on all of my computers, not only in the network traffic. Two, I also have outbound firewall rules on every computer, as spyware sends data out in the background, often from its own processes/programs. Also, remote access is often created through a tunnel from the inside out, to bypass firewalls, as they are often set by default to allow all outbound traffic.
[...]
Hi,

Unfortunately, outbound rules are essentially useless:
- you have seen in the quoted analysis that, once installed, the BPFdoor malware is able to make "low level" outbound connections, bypassing firewalls.
- moreover, malware programs have long used a trick: they "attach" themselves in memory to legitimate applications, such as browsers, to make authorized outbound connections.

Regards,

MN
_____________________________
Linux Mint 21.3 Mate host with Ubuntu Pro enabled, VMware Workstation Player with Windows 10 Pro guest, ASUS G74SX (i7-2670QM, 16 GB RAM, GTX560M with 3GB RAM, 1TB SSD).
Moem
Level 22
Posts: 16229
Joined: Tue Nov 17, 2015 9:14 am
Location: The Netherlands

Re: Should a home user worry about this? (malware)

Post by Moem »

rene wrote: Mon May 16, 2022 6:42 pm Thing is that local attack is by and large always required; untrusted local user or malware.
Quoting this just to make it easier to spot, for those of us whose eyes glaze over when reading longer postings.

If your issue is solved, kindly indicate that by editing the first post in the topic, and adding [SOLVED] to the title. Thanks!
t42
Level 11
Posts: 3733
Joined: Mon Jan 20, 2014 6:48 pm

Re: Should a home user worry about this? (malware)

Post by t42 »

After reading all this
...
And that worries me
So FUD influencers were successful?

There is nothing to worry about as it's not your job to detect industrial strength malware...
-=t42=-
t42
Level 11
Posts: 3733
Joined: Mon Jan 20, 2014 6:48 pm

Re: Should a home user worry about this? (malware)

Post by t42 »

MikeNovember wrote: Mon May 16, 2022 9:04 am
Detection:
- A rootkit checker such as rkhunter checks for the presence of rootkits (with a low detection rate, since it is outdated), but also makes hashes of your system files during the 1st use; during following uses, it will compare the hash with the stored 1st one, and will detect if a file has changed; the user will have to decide whether the change is normal (in case of a file update; Synaptic will help with its history) or not. Of course, the 1st use of rkhunter should be done on a freshly installed secure system.

- The use of an antivirus, such as ClamAV, might help to detect installed malware when doing a complete system scan; however:
* ClamAV's detection rate is low; it should be complemented by ClamAV unofficial signatures,
* using an antivirus program from an infected computer might result in non-detection (the virus/malware could use "countermeasures"), so ClamAV should be installed and used from an external boot disk,
The usefulness of the recommended rootkit checker and ClamAV in the context of this post, on a scale from 1 to 10, is:

[1]
-=t42=-
rene
Level 20
Posts: 12212
Joined: Sun Mar 27, 2016 6:58 pm

Re: Should a home user worry about this? (malware)

Post by rene »

t42 wrote: Tue May 17, 2022 1:26 pm So FUD influencers were successful?
They always are because, yes, again, "better safe than sorry", right.

Well, as to someone at least. I will admit that Schultz' recent poll viewtopic.php?f=61&t=372761 sitting at ninety-five percent was sort of heart-warming; I guess the five percent will just have to fend for themselves: generally (democratic) societies have about fifteen percent unsalvageables so I'm calling it a success.
iliketrains
Level 4
Posts: 241
Joined: Wed Aug 26, 2020 6:32 pm

Re: Should a home user worry about this? (malware)

Post by iliketrains »

Malware method #4: manipulated ISO?
Mint nipped that in the bud, but what floats around in torrents etc.?
Stay vigilant; just because you're paranoid doesn't mean they're not after you. But don't overdo the paranoia, it's not healthy.
Last edited by iliketrains on Tue May 17, 2022 2:30 pm, edited 1 time in total.
Termy
Level 12
Posts: 4248
Joined: Mon Sep 04, 2017 8:49 pm
Location: UK

Re: Should a home user worry about this? (malware)

Post by Termy »

Marie SWE wrote: Sun May 15, 2022 9:25 pm Linux isn't immune
It never was; please don't listen to anyone who tells you otherwise. We are extraordinarily well protected, but we're certainly not immune.
I'm also Terminalforlife on GitHub.
RollyShed
Level 8
Posts: 2436
Joined: Sat Jan 12, 2019 8:58 pm
Location: South Island, New Zealand

Re: Should a home user worry about this? (malware)

Post by RollyShed »

PCDoctor wrote: Tue May 17, 2022 3:46 pm If nobody's software is checking my system, then it kinda is my job
I don't want that job and I'm not qualified
OK, go back to Windows, no one stopping you, and get wiped out by Microsoft doing something stupid. It happens time after time and no virus checker will stop it.
MikeNovember
Level 7
Posts: 1856
Joined: Fri Feb 28, 2020 7:37 am
Location: Nice, Paris, France

Re: Should a home user worry about this? (malware)

Post by MikeNovember »

t42 wrote: Tue May 17, 2022 1:40 pm The usefulness of the recommended rootkit checker and ClamAV in the context of this post, on a scale from 1 to 10, is:

[1]
Sorry, but you are wrong:

- Among the names used by BPFDoor, there is "avahi-daemon", a legit file present on Ubuntu / Linux Mint. The use of cryptographic hashes, such as done by rkhunter or by tripwire, would identify that "avahi-daemon" has changed. [I did not recommend any rootkit checker but rkhunter, writing "A rootkit checker such as rkhunter checks for rootkits presence (with low detection rate, since it is outdated), but also makes hashes of your system files, during the 1st use; during following uses, it will compare the hash with the 1st one, stored, and will detect if file has changed"]

- As per the quoted web page, 21 of the several tens of virus scanners used by VirusTotal can now detect BPFDoor; so the use of a virus scanner is now appropriate (after four years!) to detect this malware.

So, had you taken the time to read and let your brain function, you would not have written this answer.

Regards,

MN
_____________________________
Linux Mint 21.3 Mate host with Ubuntu Pro enabled, VMware Workstation Player with Windows 10 Pro guest, ASUS G74SX (i7-2670QM, 16 GB RAM, GTX560M with 3GB RAM, 1TB SSD).
t42
Level 11
Posts: 3733
Joined: Mon Jan 20, 2014 6:48 pm

Re: Should a home user worry about this? (malware)

Post by t42 »

Sorry, but you are wrong:

- Among the names used by BPFDoor, there is "avahi-daemon", a legit file present on Ubuntu / Linux Mint. The use of cryptographic hashes, such as done by rkhunter or by tripwire, would identify that "avahi-daemon" has changed. [I did not recommend any rootkit checker but rkhunter, writing "A rootkit checker such as rkhunter checks for rootkits presence (with low detection rate, since it is outdated), but also makes hashes of your system files, during the 1st use; during following uses, it will compare the hash with the 1st one, stored, and will detect if file has changed"]

- As per the quoted web page, 21 of the several tens of virus scanners used by VirusTotal can now detect BPFDoor; so the use of a virus scanner is now appropriate (after four years!) to detect this malware.

So, had you taken the time to read and let your brain function, you would not have written such a nonsensical and condescending answer.
For the benefit of anyone who happens to read the above false information:
The implant overwrites argv[0] to fool /proc, and hence whatever determines the command line and command name from it. So an investigator running ps will see the bogus name. No legitimate files are overwritten; also, rkhunter does not run in real time, but usually on a cron.daily basis. BPFDoor runs leaving no obvious traces.
-=t42=-
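The argv[0] point made in this post, as an added example that is not code from any poster: a process that rewrites its own argv[0] controls what ps prints, but /proc/<pid>/exe is the kernel's record of the file it actually executed, and a file-hash baseline sees neither. The script below compares the two and also notices executables unlinked after start. It assumes the standard Linux /proc layout; the SAMPLE snapshot, the pids in it and the /dev/shm and /tmp paths are constructed for the demonstration, not captured from any real machine.

```python
"""Flag processes whose name under `ps` does not match the binary they run.

Added example for this thread (not code from any poster). A process may
rewrite its own argv[0], so `ps` shows whatever name it chose, while
/proc/<pid>/exe is the kernel's record of the file actually executed.
"""
import os
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ProcInfo:
    pid: int
    cmdline: str          # argv as `ps` shows it; argv[0] is under the process's control
    exe: str              # readlink(/proc/<pid>/exe); ends with " (deleted)" if unlinked
    argv0_real: str = ""  # realpath of argv[0] when it is an existing absolute path, else ""


def argv0_name(cmdline: str) -> str:
    """Name a process advertises via argv[0]: 'avahi-daemon' from
    'avahi-daemon: chroot helper', 'udevd' from '/sbin/udevd -d',
    'bash' from the login-shell form '-bash'."""
    parts = cmdline.split()
    if not parts:
        return ""
    return os.path.basename(parts[0].rstrip(":").lstrip("-"))


def flag(p: ProcInfo) -> Optional[str]:
    """Return a finding for a suspicious process, or None when it looks consistent."""
    if not p.cmdline:
        return None  # kernel threads and zombies have an empty cmdline
    if p.exe.endswith(" (deleted)"):
        return f"pid {p.pid}: running a binary deleted after start ({p.exe})"
    claimed = argv0_name(p.cmdline)
    actual = os.path.basename(p.exe)
    # A symlinked argv[0] (e.g. /bin/sh -> dash) is fine when its resolved
    # target is the executable the kernel loaded.
    resolved = os.path.basename(p.argv0_real) if p.argv0_real else None
    if claimed == actual or resolved == actual:
        return None
    return f"pid {p.pid}: ps shows '{claimed}' but /proc/{p.pid}/exe is {p.exe}"


def scan(procs: List[ProcInfo]) -> List[str]:
    """All findings for a snapshot, in pid order of the input."""
    return [f for f in (flag(p) for p in procs) if f]


def collect_live() -> List[ProcInfo]:
    """Snapshot /proc on a Linux host (processes you may not inspect are skipped)."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode("utf-8", "replace").strip()
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            continue  # vanished, kernel thread, or not ours to read
        first = cmdline.split()[0] if cmdline else ""
        real = os.path.realpath(first) if first.startswith("/") and os.path.exists(first) else ""
        procs.append(ProcInfo(pid, cmdline, exe, real))
    return procs


# Constructed snapshot (not captured from a real machine): a legit daemon,
# a legit symlinked shell, a login shell, and two processes using names
# from the list quoted in this thread while running something else.
SAMPLE = [
    ProcInfo(611, "avahi-daemon: chroot helper", "/usr/sbin/avahi-daemon"),
    ProcInfo(812, "/bin/sh -c /usr/bin/true", "/usr/bin/dash", "/usr/bin/dash"),
    ProcInfo(2201, "-bash", "/usr/bin/bash"),
    ProcInfo(20417, "avahi-daemon: chroot helper", "/dev/shm/constructed-implant"),
    ProcInfo(20418, "/sbin/udevd -d", "/tmp/constructed-implant (deleted)"),
]

if __name__ == "__main__":
    snapshot = collect_live() if os.path.isdir("/proc") else SAMPLE
    for finding in scan(snapshot):
        print(finding)
```

Expect some noise on a real host: interpreters and wrappers whose argv[0] is a bare name (resolved only when argv[0] is an absolute path here), and daemons that set their own process title on purpose. Treat a clean result as evidence rather than proof, since an implant running as root can interfere with /proc itself; the check is a complement to a file-hash baseline, not a replacement for it.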
MurphCID
Level 15
Posts: 5908
Joined: Fri Sep 25, 2015 10:29 pm
Location: Near San Antonio, Texas

Re: Should a home user worry about this? (malware)

Post by MurphCID »

t42 wrote: Wed May 18, 2022 6:56 am
Sorry, but you are wrong:

- Among the names used by BPFDoor, there is "avahi-daemon", a legit file present on Ubuntu / Linux Mint. The use of cryptographic hashes, such as done by rkhunter or by tripwire, would identify that "avahi-daemon" has changed. [I did not recommend any rootkit checker but rkhunter, writing "A rootkit checker such as rkhunter checks for rootkits presence (with low detection rate, since it is outdated), but also makes hashes of your system files, during the 1st use; during following uses, it will compare the hash with the 1st one, stored, and will detect if file has changed"]

- As per the quoted web page, 21 of the several tens of virus scanners used by VirusTotal can now detect BPFDoor; so the use of a virus scanner is now appropriate (after four years!) to detect this malware.

So, had you taken the time to read and let your brain function, you would not have written such a nonsensical and condescending answer.
For the benefit of anyone who happens to read the above false information:
The implant overwrites argv[0] to fool /proc, and hence whatever determines the command line and command name from it. So an investigator running ps will see the bogus name. No legitimate files are overwritten; also, rkhunter does not run in real time, but usually on a cron.daily basis. BPFDoor runs leaving no obvious traces.
OK, for normies: how easy is it to get this, and should we as "normal users" be worried? So for me, going to a coffee shop, surfing the net, and not clicking on any phishing emails, how likely am I to get this malware? Again, is it the Black Death of malware, infecting millions of systems and wreaking havoc, or is it just a minor outbreak of the flu?
Moem
Level 22
Posts: 16229
Joined: Tue Nov 17, 2015 9:14 am
Location: The Netherlands

Re: Should a home user worry about this? (malware)

Post by Moem »

MurphCID wrote: Wed May 18, 2022 7:23 am OK, for normies: how easy is it to get this, and should we as "normal users" be worried? So for me, going to a coffee shop, surfing the net, and not clicking on any phishing emails, how likely am I to get this malware?
I believe Rene has answered that question several times in this very topic. This was the first time:
viewtopic.php?p=2176467#p2176467
Surely it's easier to read it again, as often as needed, instead of asking people to repeat themselves or others?

If your issue is solved, kindly indicate that by editing the first post in the topic, and adding [SOLVED] to the title. Thanks!
MikeNovember
Level 7
Posts: 1856
Joined: Fri Feb 28, 2020 7:37 am
Location: Nice, Paris, France

Re: Should a home user worry about this? (malware)

Post by MikeNovember »

t42 wrote: Wed May 18, 2022 6:56 am For the benefit of anyone who happens to read the above false information:
The implant overwrites argv[0] to fool /proc, and hence whatever determines the command line and command name from it. So an investigator running ps will see the bogus name. No legitimate files are overwritten; also, rkhunter does not run in real time, but usually on a cron.daily basis. BPFDoor runs leaving no obvious traces.
Once more wrong, once more you don't know how rkhunter works and what BPFDoor does.
From https://www.bleepingcomputer.com/news/s ... te-access/:
Part of BPFdoor's techniques to evade detection is to rename the binary to appear as a normal Linux daemon using the choices below:

/sbin/udevd -d
/sbin/mingetty /dev/tty7
/usr/sbin/console-kit-daemon --no-daemon
hald-addon-acpi: listening on acpi kernel interface /proc/acpi/event
dbus-daemon --system
hald-runner
pickup -l -t fifo -u
avahi-daemon: chroot helper
/sbin/auditd -n
/usr/lib/systemd/systemd-journald

Pourcelot says that the threat actor updated BPFdoor regularly, improving each release with different names for commands, processes, or files.
Among the names mentioned, "avahi-daemon" is the name of an existing legit file.

Once rkhunter is installed, you run a:

sudo rkhunter --propupd
Rkhunter will create the system file properties database with file hashes.
If, after this creation, a file is altered (updated, or overwritten by malware), an rkhunter check will mention this change, and the user will be warned that something has changed.
A BPFDoor installation, or any malware installation that overwrites a system file, will be detected.
Of course, rkhunter is not a real-time scanner, and needs to be launched manually or using cron.

For better detection (covering more system file changes, as well as system file additions), see the following tutorial about Tripwire: viewtopic.php?f=42&t=374056

Regards,

MN
_____________________________
Linux Mint 21.3 Mate host with Ubuntu Pro enabled, VMware Workstation Player with Windows 10 Pro guest, ASUS G74SX (i7-2670QM, 16 GB RAM, GTX560M with 3GB RAM, 1TB SSD).
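What the --propupd step above builds, and what the earlier quoted description of rkhunter's hashing calls the "stored 1st" hash, is a file-integrity baseline. The script below is an added example and not rkhunter's or Tripwire's code: it hashes and stats every regular file under a root, stores the result, and later reports files whose content or metadata changed, plus files added or removed. The "system tree" it walks is a constructed temporary directory with made-up file contents, so it runs offline; the path names inside it only mirror the daemon names quoted in this thread.

```python
"""File-integrity baseline and check, modelled on `rkhunter --propupd`
followed later by `rkhunter --check` (added example; not rkhunter's code)."""
import hashlib
import json
import os
import shutil
import tempfile
from typing import Dict, List

Record = Dict[str, object]


def hash_file(path: str, chunk: int = 1 << 16) -> str:
    """SHA-256 of a file's content, read in chunks so large binaries fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: str) -> Dict[str, Record]:
    """Hash and stat every regular file below `root`. Symlinks are skipped;
    their targets are recorded in their own right. Mode and owner are kept
    so a flipped setuid bit is caught even when the content is unchanged."""
    baseline: Dict[str, Record] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            st = os.lstat(path)
            baseline[os.path.relpath(path, root)] = {
                "sha256": hash_file(path),
                "size": st.st_size,
                "mode": st.st_mode,
                "uid": st.st_uid,
            }
    return baseline


def save_baseline(baseline: Dict[str, Record], path: str) -> None:
    """Persist the properties database (keep the real thing off-box or read-only)."""
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path: str) -> Dict[str, Record]:
    with open(path) as f:
        return json.load(f)


def compare(old: Dict[str, Record], new: Dict[str, Record]) -> Dict[str, List[str]]:
    """What differs between a stored baseline and a fresh scan."""
    return {
        "changed": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
    }


def demo() -> Dict[str, List[str]]:
    """Construct a tiny fake system tree, baseline it, then simulate an
    overwritten daemon, a setuid bit added to a library, a dropped file
    and a removed file. Returns the comparison report."""
    root = tempfile.mkdtemp(prefix="fake-system-")
    state = tempfile.mkdtemp(prefix="baseline-db-")
    try:
        os.makedirs(os.path.join(root, "usr/sbin"))
        os.makedirs(os.path.join(root, "usr/lib"))
        files = {  # constructed contents, not real binaries
            "usr/sbin/avahi-daemon": b"legit avahi binary (constructed)\n",
            "usr/sbin/auditd": b"legit auditd binary (constructed)\n",
            "usr/lib/libexample.so": b"legit library (constructed)\n",
        }
        for rel, content in files.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(content)
        db = os.path.join(state, "properties.json")  # stand-in for rkhunter's database
        save_baseline(build_baseline(root), db)

        # Events after the baseline was taken:
        with open(os.path.join(root, "usr/sbin/avahi-daemon"), "wb") as f:
            f.write(b"overwritten by a constructed implant\n")          # content changed
        os.chmod(os.path.join(root, "usr/lib/libexample.so"), 0o4755)  # mode changed only
        with open(os.path.join(root, "usr/sbin/dropped-helper"), "wb") as f:
            f.write(b"new file (constructed)\n")                        # file added
        os.remove(os.path.join(root, "usr/sbin/auditd"))                 # file removed

        return compare(load_baseline(db), build_baseline(root))
    finally:
        shutil.rmtree(root)
        shutil.rmtree(state)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Two caveats a practitioner would add: the baseline is only as trustworthy as the system it was taken on and the place it is stored, since anything that can overwrite /usr/sbin can also rewrite a database kept on the same disk; and, as the post above this one points out, a process that merely rewrites its argv[0] changes no file, so this kind of check catches overwritten or added files, not a faked process name. Legitimate package updates will show up as "changed" too, which is why the earlier post suggests checking Synaptic's history before deciding a change is hostile.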
t42
Level 11
Posts: 3733
Joined: Mon Jan 20, 2014 6:48 pm

Re: Should a home user worry about this? (malware)

Post by t42 »

MikeNovember wrote: Wed May 18, 2022 8:26 am Among the names mentioned, "avahi-daemon" is the name of an existing legit file.
.....
Of course, rkhunter is not a real-time scanner, and needs to be launched manually or using cron.
Even after it was hinted that the implant overwrites argv[0] to fool /proc, and hence whatever determines the command line and command name from it, still nothing is understood. It seems that the words "avahi-daemon" affect someone like a red flag affects a bull.

And what does all this have to do with how rkhunter works? rkhunter is not running in real time, though such a tool would make no difference for BPFdoor detection even if it were.
-=t42=-
Termy
Level 12
Posts: 4248
Joined: Mon Sep 04, 2017 8:49 pm
Location: UK

Re: Should a home user worry about this? (malware)

Post by Termy »

Regarding rkhunter(8): it uses a database ('/var/lib/rkhunter/db') to store information on the nasties, so while the program itself will be out of date, the database will not, allowing it to still detect newer rootkits, hence the --update flag.
I'm also Terminalforlife on GitHub.
MurphCID
Level 15
Posts: 5908
Joined: Fri Sep 25, 2015 10:29 pm
Location: Near San Antonio, Texas

Re: Should a home user worry about this? (malware)

Post by MurphCID »

Moem wrote: Wed May 18, 2022 7:31 am
MurphCID wrote: Wed May 18, 2022 7:23 am OK, for normies: how easy is it to get this, and should we as "normal users" be worried? So for me, going to a coffee shop, surfing the net, and not clicking on any phishing emails, how likely am I to get this malware?
I believe Rene has answered that question several times in this very topic. This was the first time:
viewtopic.php?p=2176467#p2176467
Surely it's easier to read it again, as often as needed, instead of asking people to repeat themselves or others?
Perhaps I am dense, but I did read his post, and I am still somewhat confused. Sorry. Never mind, DUH! I was having a senior moment! I re-read his second post and it is all there. Sorry about that; there is so much going on in my life right now that I am a bit scatterbrained.
Moem
Level 22
Posts: 16229
Joined: Tue Nov 17, 2015 9:14 am
Location: The Netherlands

Re: Should a home user worry about this? (malware)

Post by Moem »

MurphCID wrote: Wed May 18, 2022 5:33 pm Perhaps I am dense but I did read his post, and I am still somewhat confused. Sorry.
Well, let me summarize it (emphasis is mine):
rene wrote: Sun May 15, 2022 4:55 pm No, not worrisome for desktop Linux users. (...)
Getting infected with this or any other malware in the first place is what you on desktop Linux have to go far out of your way for (...)
It's getting it on your system that's on desktop Linux and in practice a very close to zero chance, what with e.g. the repository model; users very much not being in the habit of downloading and running random executables from the web.
If it's still not clear whether or not Rene considers it something you should worry about, then I guess I can't make it clear.

If your issue is solved, kindly indicate that by editing the first post in the topic, and adding [SOLVED] to the title. Thanks!
rene
Level 20
Posts: 12212
Joined: Sun Mar 27, 2016 6:58 pm

Re: Should a home user worry about this? (malware)

Post by rene »

Thanks much. I'm getting terribly burned out from these threads...
rickNS
Level 9
Posts: 2968
Joined: Tue Jan 25, 2011 11:59 pm

Re: Should a home user worry about this? (malware)

Post by rickNS »

rene wrote: Wed May 18, 2022 5:44 pm Thanks much. I'm getting terribly burned out from these threads...
And those who propagate them; but even worse are those defending / trying to justify them.
Mint 20.0, and 21.0 MATE on Thinkpads, 3 X T420, T450, T470, and X200
Termy
Level 12
Posts: 4248
Joined: Mon Sep 04, 2017 8:49 pm
Location: UK

Re: Should a home user worry about this? (malware)

Post by Termy »

TBF, I don't blame ex-Windows users struggling with this stuff. It's the norm in Windows, which they seem sort of brainwashed to accept. I know it gets frustrating to answer the same stuff over and over, but if you're getting burned out or something, take a break! ;) I get drained too, but that's when I tend to leave it alone for a while.
I'm also Terminalforlife on GitHub.