On Sat, 1 May 2021 17:11:48 +0200 Didier Kryn <k...@in2p3.fr> wrote:

> On 30/04/2021 at 15:05, Arnt Karlsen wrote:
> > On Fri, 30 Apr 2021 14:37:20 +0200, Arnt wrote in message
> > <20210430143720.7311bc82@d44>:
> >
> >> https://www.theregister.com/2021/04/29/stealthy_linux_backdoor_malware_spotted/
> >
> > ..how it works:
> > https://blog.netlab.360.com/stealth_rotajakiro_backdoor_en/
>
> This backdoor is targeting systemd and gvfs.
>
> It is not very surprising that systemd is targeted, since it is present (by force) in most installed Linux systems.
>
> Gvfs is not expected to be installed on servers, but is required by some desktop goodies - even in Xfce4, for example if you install the tool to mount/unmount hotplug disks; it is primarily to avoid it that I developed hopman.
Hello Didier,

why do you think it's targeting only systems with systemd or gvfs installed? At a first glance, I don't see any hints towards this conclusion besides the fact that the installer / dropper of this very sample did name the executables accordingly and provides a systemd "service" file. It should be easily realizable to automatically choose other names, depending on the targeted environment. The Netlab blog post even states:

|| Depending on the Linux distribution, create the corresponding
|| self-starting script /etc/init/systemd-agent.conf
|| or /lib/systemd/system/sys-temd-agent.service.

AFAIK, the directory '/etc/init/' is only created/used by, respectively for, the 'upstart' init system, thus I assume that (at least) those systems are covered as well.

libre greetings,
Florian

_______________________________________________
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
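As an added example (not code from the thread, the Netlab write-up, or any of the posters), here is a small checker for the two persistence locations quoted above: the upstart job directory /etc/init and the systemd unit directories. It flags the two basenames quoted from the Netlab post, unit names in which the word "systemd" is split by a separator (sys-temd), and upstart jobs whose names invoke systemd. The list of sample paths in the test is constructed; the directory names and the heuristics are this example's own assumptions, not indicators the thread asserts beyond the two quoted paths.

```python
"""Look for init/systemd autostart entries whose names mimic systemd.

Constructed example for the DNG thread on the RotaJakiro write-up; the two
IOC basenames come from the Netlab quote in the thread, everything else
(directory list, lookalike heuristics) is an assumption of this example.
"""
import os
import re
from dataclasses import dataclass
from typing import Iterable, List

# Directories where upstart and systemd pick up autostart entries (assumed).
UPSTART_DIR = "/etc/init"
SYSTEMD_DIRS = (
    "/lib/systemd/system",
    "/usr/lib/systemd/system",
    "/etc/systemd/system",
)

# Persistence file names quoted in the thread from the Netlab post.
KNOWN_IOC_BASENAMES = {"systemd-agent.conf", "sys-temd-agent.service"}


@dataclass
class Finding:
    path: str
    reason: str


def _normalize(name: str) -> str:
    """Collapse separators: 'sys-temd-agent.service' -> 'systemdagentservice'."""
    return re.sub(r"[-_.]", "", name.lower())


def classify(path: str) -> List[str]:
    """Return the reasons a path looks suspicious; an empty list means clean."""
    base = os.path.basename(path)
    norm = _normalize(base)
    reasons: List[str] = []

    if base in KNOWN_IOC_BASENAMES:
        reasons.append("basename matches an IOC quoted from the Netlab post")

    # Genuine units start with the literal 'systemd' (systemd-networkd.service).
    # If the name only spells 'systemd' once separators are removed, a
    # separator was inserted inside the word, e.g. 'sys-temd' or 'sys_temd'.
    if norm.startswith("systemd") and not base.lower().startswith("systemd"):
        reasons.append("'systemd' spelled with an inserted separator")

    # An upstart job (/etc/init/*.conf) named after systemd is worth a look:
    # upstart is the alternative to systemd as PID 1, so the name serves
    # mainly to look familiar to an admin listing the directory.
    if path.startswith(UPSTART_DIR + "/") and "systemd" in norm:
        reasons.append("upstart job in /etc/init named after systemd")

    return reasons


def scan(paths: Iterable[str]) -> List[Finding]:
    """Classify every path and keep only those with at least one reason."""
    findings: List[Finding] = []
    for p in paths:
        reasons = classify(p)
        if reasons:
            findings.append(Finding(p, "; ".join(reasons)))
    return findings


def list_autostart_entries() -> List[str]:
    """Enumerate entries in the real directories that exist on this host."""
    found: List[str] = []
    for d in (UPSTART_DIR, *SYSTEMD_DIRS):
        if os.path.isdir(d):
            found.extend(os.path.join(d, n) for n in sorted(os.listdir(d)))
    return found


if __name__ == "__main__":
    for f in scan(list_autostart_entries()):
        print(f"{f.path}: {f.reason}")
```

Run it as root on a host to list the directories directly; a hit is a starting point, not a verdict, so follow up by checking whether a package owns the file (for example with dpkg -S on Debian-derived systems) and by reading the unit or job to see what it executes.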