Alien Spy Rat Drops Banking Malware in Linux, Firefox, VM, Android, OSX, Windows

[wa_desert_rat]

Derek... you seem to be doing pretty well with the accusations and name-calling, yourself. Fine. Provide one single bit of evidence that RAT, in any incarnation, can be invoked by an email Phish, can download a malware payload, and can execute that payload in Linux and I will agree that it is "cross platform". Simply including references to Linux in the source code are not enough to convince me.

 

So far I have not seen any evidence that it works in Linux and at least one piece of evidence (the contagio report which looks very much like the other two versions of the RAT) that it does not. Contagio does provide a snippet of code that shows it seems to work in XP and in one version of OSX (Lion). The Fidelis report only shows executables in Windows despite mentioning Linux.

 

Just one bit of evidence that it actually performs as malware on Linux. That's all I ask.

 

WDR

[skp51443]

Here is a FUD for you. Only highly qualified techs can run unix properly.

 

Mom at 90 isn't able to run her OpenSuse Linux, hasn't been able to forever... Nope!

 

Actually she has been running her own system for several years, she hated Vista enough to make the move. The only thing I'm doing for her is installing a new version every 18-24 months and she could actually do that herself too but she is on a really slow and limited net connection so it is faster for me to do it.

 

 

I guess mom could run her Linux box as root but it would be a pain since the root user's home directory is not under /home where everything else ends up by default but Linux is pretty flexible so you could do a bunch of links to make using root almost as simple as using a normal user. Same goes for us here, running as root is possible but it is an aggravation in day to day use, a lot of our programs pop warnings up saying "don't run me as root" since they don't need the elevated permissions.

 

As an aside I do not know of any Linux or Unix systems that got compromised by someone running as root, a couple got bit by programs running with root permissions but that is a bit different issue. I do know of a fair number of systems where someone was running as the root user and did something dumb and destroyed the system. That is all too easy to do with a simple typo if you are root, pretty harmless if you aren't.

 

Someday the threat level for Linux will be high enough I'll turn on more of the built in but optional additional security stuff, well if I don't get buried first.

 

Not too bad for an operating system you can download, run and update for free, install anywhere and as often as you like, even give all your friends copies when their Windows boxes are borked.

[RV_]

Well said Duke, Thanks. That's all it was, and is. There is a confirmed new variant of malware that is part of a new phishing campaign seen in the wild by security firms known worldwide who regularly write about malware in Windows and we read it, take appropriate measures or not. No one starts quibbling with the report because they believe their OS is invulnerable today. Or nearly.

 

I got the same kind of denials here from the Mac crowd prior to them getting hammered a few times 2003-2007, and the folks denying were so out of date they still think Windows has primarily virus attacks instead of phishing attacks, hacks of third party software like Adobe and Oracle software, just like any OS can be compromised by fooling the operator into doing something some who name call, call stupid, with a lot of the same kinds of quibbling and always implying or outright saying that there is a conspiracy to keep Linux or OSX down or smear them or some such. Those folks have a need to feel superior in the tech world. They are the folks who try to appear caring in public but call everyone "Lusers" in private. Sorry but I just don't need to be superior, or be "king of the hill" here. And if any of my post threatens anyone with new facts, or feel they are frustrated because I will neither join a gang or feel threatened, nor attack others, well, get used to it. I have no hidden agenda, and I certainly won't apologize for any intellect I might have because someone feels intimidated.

 

I look at it this way. Kaspersky, an acknowledged world leader in security for all OS', and Fidelis another well known security firm say that there is a new threat and they say it is cross platform, and is being spread by email phishing. All people really care about, even if the chance is remote, is what can they do? The answer is not to open any attachments that threaten or tantalize with something you did not ask for.

 

Then you jump in and try to discredit the message. So I have to decide, which is more likely to be right, our own WDR jumping all over me and calling me the King of FUD, or the acknowledged leader in security worldwide, and another one of the security firms doing biz worldwide.

 

I think that decision was easy for all.

 

So folks, whether you believe it or not, there is a new proven cross platform phishing campaign going on that will try to fool you into clicking on an email attachment. So regardless of whether you think your OS can be infected or not, it might be wise to consider some extra caution. I have no problem with you WDR clicking on any and all even when you see it is a phishing attempt because you don't believe Kaspersky and Fidelio and your OS is invulnerable, and major labs know less than you or are in on my conspiracy to make Linux look bad every chance I can.

 

I will still post what the world leaders in Security believe, if I think it might adversely affect my friends here using Windows, OSX, or Linux. No matter how much of a ruckus you try to raise. I just don't understand why they aren't consulting with you first before releasing security threat assessments.

 

For the record I am assertive not aggressive. I taught communications and assertiveness. The first thing folks had to learn was that there s no such thing as an attitude because you can't see it, touch it etc. What people call good or bad attitudes are actually a set of behaviors they find good or bad, and that is also setting dependent.

 

When one calls me a name in aggression because that has worked for them before, they are actually looking for an equal or opposite role or their name calling/ threats/bad behaviors won't work. They need either an aggressor to get mad back and bump heads and then their lack of substance in a conflict is lost as both have behaved badly so the aggressor can point to the other and say they did the same. Or they need an opposite, a victim to dominate and let them have their way. The Assertive person does not play either role, and assertiveness is not a role to avoid conflict or engage it. We don't get mad, manipulative, or "even" in return.

 

We don't call names we object to actual behaviors and ask them to stop politely. Most passive aggressive in conflicts mistake assertive for aggressive. They invent bad behaviors where none existed. See assertive folks like me deal in behaviors not labels or threats. Saying someone has a bad attitude for example, is a passive aggressive ploy that is countered by taking an equal and or opposite role and saying no I don't.

 

The assertive person name behaviors that make up what the uninformed or bullies only view through a conflict escalation role, they need to be right, rather than do right. So when someone is rude to me or starts the bully victim juvenile conflict escalations, I just name the behavior, in this case calling me pretty silly names, and asking you not to be rude or to stop being rude with you name calling. Some folks online have only claptrap as their method to be a successful bully. They can't fight their own battles so they call in reinforcements or like minded folks jump in to beat up the person who dares to not be intimidated by aggression.

 

WDR, when you jump into a quibble defending something that needs no defending, and as a result distract from the message I m trying to post, that folks need to be extra careful, all OS', as the top guys say there is a threat and all you have to do is not click on attachments in fishy, suspicious, threatening, or enticing emails you did not expect. When you do that WDR, I feel surprised because you are nowhere near as well informed or leader in the field of security worldwide as my sources are in every case. I would like you to stop your name calling and other rude behaviors when I'm trying to post a new security threat.

 

If you go back over the posts, you'll see nowhere did I call you names. I described your actual behaviors. For example, I did not fall for your ploy in saying I could not prove it worked on Linux then mistakenly used a 7 month old article to try and prove your point that no one knew what WA in it and the new links showed them clearly.

 

People who can't handle conflict often go from aggressor when that doesn't work to being a victim hoping I'll then toke the dual or opposite role o their game of lose-lose can work. Sorry, I don't need victims either, nor create them.

 

Nor did I take an equal aggressive role to say that you certainly have not proven it can't. I don't do your research for you on demand, nor tried to. You aren't seriously trying to give me assignments are you? See, it doesn't work.

 

I would like you to stop hijacking my threads, telling me how I must post, or what I must post. If you feel I broke a forum rule, like attacking another member as you have with your silly name calling, then report my post. Oh, and no, I did not report your post/s. Nor encourage anyone else to. That would validate your hijack intent and would be the opposite role to make your game work, being a victim. Something I am not to my soul, any more than I am an aggressor.

 

I'm fine. If you aren't that is your responsibility. I can't be your victim for you, no needs there. Again, if don't like the hole you're in, you can stop digging any time. Next time you might even show you care about the folks here and chime in with how to be careful, for them if not for yourself, then you can, in private, click on all the attachments you want.

 

To wrap up, be extra careful out there with attachments folks! Most are anyway. Like security briefings though, we don't lose a thing being reminded.

 

And as always:

 

Safe computing!

[wa_desert_rat]

RV's title to this thread, "Alien Spy Drops Banking Malware in Linux, Firefox, VM, Android, OSX, and Windows" links to a blog on Kaspersky Labs' threatpost blog. As of now even Derek admits that the RAT does not operate in a VM environment. I contend that by listing all the other Unix and Linux environments first and Windows (the only functioning example in the report he linked to) last he was spreading FUD because there is no evidence that this agent actually works in a Unix/Linux/OSX environment. Plus his lead-in would give the impression, as always, that Linux security was no better than that of Microsoft's Windows.

 

I also argued that Phishing attacks seldom succeed against *nix users because is it much more difficult to spoof malware file names in that environment. I've posted another thread that explains that more clearly.

 

I should say here that I have tried to execute a .jar file dropped into my own Linux system and could not; even though I have a perfectly good, functioning Java runtime environment. This is because a .jar file on Linux is not automatically executed; it must have the executable attribute set and on Linux a downloaded file never gets its executable attribute set. The user must go in and do that himself.

 

Here is a discussion among Java experts about how a Java .jar could create a temporary file/folder under the control of a user at the machine: http://stackoverflow.com/questions/617414/create-a-temporary-directory-in-java but it doesn't address a .jar file creating subdirectories in Linux from a downloaded file.

 

MY REQUESTS FOR CLARIFICATION

 

I could not post a comment to the Fidelis .pdf but since threatpost is mentioned as more-or-less a co-author I posted on their blog (despite Derek's insistence that I failed to "school" them in a somewhat whiny post on threatpost) on April 22, 2015 in which I mentioned that the report illustrated an attack that was only aimed at Windows and that the malware dropper they showed would not work if installed on a Linux host. Today I asked them for any evidence that this malware would work as described on a Linux/Unix/OSX host. No response yet although my comments are published. You can see them at https://threatpost.com/new-evasion-techniques-help-alienspy-rat-spread-citadel-malware/112064#comment-501922.

 

The Fidelis Report, in their final report on this (April 8, 2015) Fidelis lists only files that could be executed on a Windows OS (created using MS Visual C) as being dropped into the infected system. This example is clearly out of the running because it could not execute on Linux even if there were a functional Java runtime environment on the machine and even if that runtime could do the same things on Linux that it can do In Windows.

 

Idion.ca's Binary Forest blog (March 2015) has disassembled source code (by the way, this is not code that is running, but simply analysis of the source code) that uses a Java runtime to create Linux and Mac OS subdirectories but the writer of the blog says that, as of March 23, 2015 he is still trying to understand how the dropper works. My comment asking him "Has anyone actually managed to get this to work on Linux" has not been answered. You can see my comment on their blog here: http://blog.idiom.ca/2015/03/alienspy-java-rat-overview.html?showComment=1429973262031#c7503887980042551221

 

Contagio, in a blog report on the RAT agent dated November, 2014, apparently got enough RAT working to see that it did not drop malware into OSX or Linux machines. But it does appear the blog's author did manage to get the Java .jar files to work but since Derek insists that this is an old version and therefore not worth consideration we'll ignore that bit too. But, for the record, I've asked him how he managed to get the exploit to work on Linux. I suspect he set the .jar files to executable and ran them. Even then that apparently did not work to access the C&C server and download the malware package.

 

So there we have it. Derek's arguments have been "the experts are right". My argument is "no one has demonstrated anything other than RAT works on Windows and if it only works on Windows it's not cross-platform". Derek has not chosen not to respond to my request that he find just one example of it working on a Linux platform.

 

I have described, in my own words, my problems with RAT being "cross-platform". Derek has described why the experts have to be right.

 

Derek could, of course, go get the RAT creation applet and make one for Linux and test it. I'd like to see that, actually.

 

 

WDR

[wa_desert_rat]

One is left to wonder why, if SPY is not really cross-platform, it contains so much material referencing Linux and OSX. I can think of two reasons. One is that the originators of the create-an-exploit kit that is the SPY are still trying to work that bit out. The second is that they might like to pull the chain a bit.

 

I'd also like to add that the "old" version of the SPY *I* link to and that Derek insists is too old and not the same thing as the much more virulent versions he linked to at binaryforest is the first link in the REFERENCES listed at the bottom of their report. Apparently Derek hasn't noticed this. Shhhh... don't tell him.

 

References

• http://contagiodump.blogspot.ca/2014/11/alienspy-java-rat-samples-and-traffic.html
• https://developer.gnome.org/autostart-spec/
• https://developer.apple.com/library/mac/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html
• https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man5/launchd.plist.5.html#//apple_ref/doc/man/5/launchd.plist

 

WDR

[TheDuke]

First, it was stated as a FUD.But so those little old ladies found, downloaded, installed, set up, found software, downloaded free software fron an authorized site, without any intervention from anyone especially either of you?

I know plenty of elderly people who have done exactly that with windows machines.

[wa_desert_rat]

First, it was stated as a FUD.But so those little old ladies found, downloaded, installed, set up, found software, downloaded free software fron an authorized site, without any intervention from anyone especially either of you?

I know plenty of elderly people who have done exactly that with windows machines.

You must have forgotten what it was you said. Let me remind you: "Only highly qualified techs can run unix properly" Changing the details of the argument is a common trait...

 

 

WDR

[skp51443]

First, it was stated as a FUD.But so those little old ladies found, downloaded, installed, set up, found software, downloaded free software fron an authorized site, without any intervention from anyone especially either of you?

I know plenty of elderly people who have done exactly that with windows machines.

 

Mom has never downloaded a copy of Windows, she isn't into stealing software.

 

I did the install on her machine, burned the DVD here too since I have a much better net connection than she does. However she did download a Linux for her older sister and get it going it pretty much on her own, I did give her a few tips on where to get it and how to burn a DVD under Windows. She has passed out the DoD Linux to several family members, she uses it when visiting them since their Windows machines are in bad shape and she doesn't want to enter any of her user info or passwords on a suspect system.

 

If you have never installed Linux it is pretty simple and takes about 20 minutes for OpenSuse. Buy or download/burn a DVD or USB stick, put the DVD/USB in the computer and reboot from it. Follow the instructions on screen, go with the default choices offered and you'll be walked through the process. Reboot and download the latest updates for all the software you just loaded and you are done.

 

Here is the getting started page for OpenSuse 13.2: https://en.opensuse.org/Portal:13.2

 

DoD Linux is even simpler, download, burn boot and you are running, no install needed. http://www.spi.dod.mil/lipose.htm

 

Not rocket science, just a few clicks in most cases. There are some computers that aren't well supported due to manufacturers refusing to release hardware details so drivers can be built (see hardware list at the Suse link) but for the most part they will work quite well.

[RV_]

So are you Linux guys saying the security firms are wrong? And recommend that those who run OSX and Linux, be they old ladies, family, strangers, or just end users, don't need to be more cautious about clicking on attachments now?

[wa_desert_rat]

So are you Linux guys saying the security firms are wrong? And recommend that those who run OSX and Linux, be they old ladies, family, strangers, or just end users, don't need to be more cautious about clicking on attachments now?

Are you saying that those security firms cannot make a mistake? Or that they might focus on Windows if they couldn't get an exploit to work on Linux? Or that they even tried to get it to work on Linux but, instead, simply assumed it would based on references to other operating systems in the source code?

 

In general, I have found that people who begin a post with the phrase, "Are you saying..." and then continue to add their own interpretation of what you said are working on what is widely known as the "straw man" method of debating. Rephrase what they said and then argue that for the win.

 

You'd be better off trying to find out whether they did all that rather than spend a few pages whining about what a terrible person I am. If you publish a link to a report that claims to illustrate a cross-platform exploit and I discover that none of their references shows any evidence of that AT ALL and I find a link that actually indicates that it isn't maybe you should try to find out if I'm right before you try to convince people that I'm not.

 

WDR

[RV_]

Get over yourself. You're right, Kaspersky is wrong. Sure. What are the chances?

 

[wa_desert_rat]

People who have to post cute little cartoons and videos to make their point aren't capable of making a point. Get a grip.

 

WDR

[skp51443]

There are real threats out there regardless of your operating system and folks do need to be aware of them. However crying wolf does no good and can actually as in the old parable lead to harm when folks get desensitized to security issues by all the false alarms and ignore real threats.

So if someone has a real Linux, Mac, BSD or Windows security issue I'm glad to see it mentioned. Fear-mongering by folks hoping to sell a product to the clueless isn't so useful to me. Like WDR I wasted some time better spent looking at cat pictures or something on this only to once again come up empty on the Linux front. And that last sentence has been my first and only comment on the RAT issue here.

-------

Microsoft as a company seems to be moving away from their past history of FUD, Astroturfing and other less than legitimate practices and attempting to restore their reputation so badly tarnished in the past. I'd hope to see others following that path but so far it doesn't look like that is all too common yet.

FUD: http://en.wikipedia.org/wiki/Fear,_uncertainty_and_doubt

From 2011, and the author saw no hope for MS reform: http://www.junauza.com/2011/07/microsoft-fud-campaigns-against-linux.html

Astroturfing: http://en.wikipedia.org/wiki/Astroturfing

Microsoft campaigns: http://techrights.org/wiki/index.php/AstroTurfing

 

Bad information, click bait headlines, FUD and similar tactics still work on the uneducated consumer but more and more folks are beginning to see that the wool is being pulled over their eyes and not responding to the tactics.

 

If you have some free time google up Microsoft FUD, Microsoft Astroturfing or Microsoft illegal actions for some interesting reading. Join me in hoping that is now in the past and MS will continue to improve.

 

-----------

 

If you want to see how easy a Linux install is try here: (many choices)

 

https://www.youtube.com/results?search_query=opensuse+13.2+installation+

 

I just installed OpenSuse 13.2 on an old laptop, less than 30 minutes (DVD install, not faster USB one) to finish it and another 30 (fast network though) and two reboots to update every component and program to the latest version and confirm all was working. My last Windows 7 Install took many hours and many, many reboots to just update the OS, adding my programs and updating them took even more time.

 

I don't really care what you run or what you buy, I just found a fun toy that works for me and my friends and family and like to share it. Sadly Suse, OpenSuse, Novell or Attachmate have never offered me anything for promoting it. I did much better promoting Windows which scored me a lot of great stuff over the years. No biggie, I'm retired my roof and beans are covered so I no longer have a financial incentive to promote Windows. Actually kinda funny as Microsoft put a lot of that money in my savings account!

[RV_]

Great info Stan. I've tried Linux but prefer another. I'm not defending Windows nor offending Linux. Nor trying in any way to harm Linux, despite harm being to affect market share negatively (according to the definition of FUD,) which they are struggling to have on desktops and laptops, which is the topic as this is a Personal Computer malware variant.

 

You guys need to realize not every mention of real or newly found vulnerabilities is an attack on Linux. I did not think they were attacking Windows. Never mind personal attacks on you.

 

Thanks for reminding folks about the definition of FUD:

 

"FUD is generally a strategic attempt to influence perception by disseminating negative and dubious or false information. An individual firm, for example, might use FUD to invite unfavorable opinions and speculation about a competitor's product; to increase the general estimation of switching costs among current customers; or to maintain leverage over a current business partner who could potentially become a rival."

 

The article and my post was about it affecting, or possibly affecting, Windows, Linux, OSX, and Android. There was no attempt to hurt Linux's sterling reputation that is demonstrated by some of its users. I have no strategy against Linux, as in the definition of FUD. Do either of you see one where there is none? Linux and the users of Linux here are not my personal competitors, in fact most are not even on my radar screen except when they jump up for attention, or to pull out their laundry list of the horrible egregious things Microsoft has done. When someone with XP can't afford another computer, I always recommend Linux. But tell them it's up to them to learn it, as I am way out of date for setting anything but a Raspberry Pi up with a version of Linux.

 

In the article, or my posts here,there is no conspiracy, strategic, competitive, or otherwise, directed at Linux, or their users, as mentioned in the definition of FUD. (or Apple)

 

I don't like to use Linux, except for one Linux based Windows rescue disk, so what?

 

What was missing in all of my posts was the fact that it was not FUD about anything because it was about all the OS' and wasn't sky is falling, just a new phishing campaign, which if one was interested could follow the links to examples of attachment titles seen in the wild.

 

So since it is not about Linux, but also Windows and Apple, and Android, where are all those folks?

 

I am glad you are doing such due diligence.

 

I still remind folks using all OS' mentioned to remember not to treat attachments you didn't expect too casually. It's for all, not against one.

 

But I like your side step with a definition of FUD Stan. And that you don't eliminate the possibility that there is malware that affects Linux.

 

Lots of Linux folks act and say that the architecture of Linux prevents malware from being a self-propagating problem.

 

That's not exactly a flame, but it's certainly a grandstanding position. And it would be lovely if it were true. But it's not. The architectures of Windows and Linux are surprisingly similar - they're much more alike than they are different - and although Linux malware is, happily, very rare, there is nothing about the architecture of the operating system which prevents it.

 

(Be careful of claiming that something is impossible in computer security. A single counter-example will knock you off your pedestal. And 12,238 counter-examples will leave you reeling. That's the number of unique IP numbers SophosLabs enumerated, between May and July 2008, which were infected with the Linux/Rst-B virus. In 2008, this virus was already more than six years old. And they only counted computers on which the virus was running as root. It doesn't call home if it's not running as root, so the total number of active infections was probably significantly higher.)

 

Linux malware exists. It's not a huge problem. It's easily avoided. But don't be in denial. There's no "magic smoke" inside your operating system which renders you automatically immune to a determined cybercrook.

 

Windows systems aren't invariably less secure than those running Linux. You may know how to secure a Linux system more tightly and more easily than a Windows one. But other Linux admins might not. And accept that at least some Windows admins will know how to secure their systems to a standard as high as yours.

 

An injury to one is an injury to all. Stopping malware and spam even though it won't harm you directly is just the sort of altruism which the internet needs. Please don't be aloof about the problems which affect everyone.

[wa_desert_rat]

Neither Stan nor I have ever said Linux is "immune" to malware. What both of us have said is that Linux is far more secure against malware (and other) attacks. And I've explained exactly why.

 

You can go on about how there are exploits and malware for Linux all you like but the fact still stands that THIS exploit has only been demonstrated to work on Windows. All you have to do, Derek, is find one bit of evidence that the RAT has actually done on Linux or Unix or OSX exactly what it has been demonstrated to be able to do on Windows. As long as you can't then it's not cross-platform and does not invade Linux.

 

So far your experts haven't demonstrated that. I haven't said that they can't... but so far they haven't. So far they've only demonstrated that the RAT works as advertised when presented to a Windows user as a phishing attack.

 

And I've asked them. You might try asking them, too.

 

 

WDR

[RV_]

Last word!

[wa_desert_rat]

Oh, don't worry... I'll keep you updated.

 

WDR

[RV_]