Quoting goli...@devuan.org (goli...@devuan.org):

> EvilGnome: A New Backdoor Implant Spies On Linux Desktop Users
> https://thehackernews.com/2019/07/linux-gnome-spyware.html
My view: The only _actually interesting question_ in any report about malware is how the code gets executed. The cited story says exactly zero about that -- leaving the natural suspicion that this codebase has no means of entry whatsoever, but rather would be installed by certain script kiddies after user-level compromise by other means entirely.

I checked the referenced 'new report Intezer Labs shared with The Hacker News' to see if it were any better. Paul Litvak, writing for Intezer Labs, is perfectly honest and straightforward about this: He doesn't know, since this codebase was discovered as 'a test version that was uploaded to VirusTotal, perhaps by mistake'. Fair enough.

The author semi-almost-implies one speculation:

> Gamaredon Group is an alleged Russian threat group. It has been active since at least 2013, and has targeted individuals likely involved with the Ukrainian government. Gamaredon Group infects victims using malicious attachments, delivered via spear phishing techniques.
> [...]
> Our investigation into EvilGnome yielded several similarities between the threat actors behind EvilGnome and Gamaredon Group:
> [...]

'Phishing' means sending users deceptive simulated requests for the user's login credentials, e.g., to webmail. 'Spear phishing' is a gimmicky bit of AV-biz marketing jargon, where the meaning is just phishing but sent to key individuals whom the criminals particularly would find useful to fool in that way.

But Litvak doesn't otherwise say anything about a means of execution on the target user's machine. My surmise is that it's just another trojan, which is to say it's something that would be installed after entry and compromise through other means entirely. Litvak referring to it as a 'Linux backdoor implant' supports this surmise.
It's common for computer crackers (or their scripted tools) to install backdoor processes so that the criminal can have a means of re-entry if the user or the user's admin starts killing malware processes (or they die, etc.).

Basically, this doesn't strike me as even a tiny bit interesting. The template of '$EVILCODE does $STUFF to your system if you run it' raises the obvious question of 'What about _not_ running it?' By and large, code doesn't run itself, so failure to answer that 'one interesting question' means the interesting bit got omitted.

Of possible interest: http://linuxmafia.com/faq/Essays/security-snake-oil.html

It's poor form to be amused at my own writing, but I rather like where I said to the AV-biz guy:

> Hey, am I being trolled? Posting references to "Hey, download me and I'll mail you a lollipop" trojans isn't new. Throwing in two local privilege-escalation attacks to silently gain root on unpatched systems, _if_ the user is dumb enough to download and run untrustworthy code from nobody in particular, isn't new either. So, wow: A user acting in an extremely stupid manner is likely to hurt his/her system. News at 11.

Also of possible interest: http://linuxmafia.com/~rick/faq/

_______________________________________________
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng