Virus on Linux

[viking60]

The trojan worm BackDoor.Wirenet.1 is the first worm in history that can work on Linux and Mac OS X. When launched, it creates its copy in the user's home directory. The program uses the Advanced Encryption Standard (AES) to communicate with its control server whose address is 212.7.208.65. It also works as a keylogger - so it is set out to steal your passwords and financial information. Now the anti virus industry is rejoycing and want to sell solutions for Mac and Linux - but is this really neccessary? When we look at the description of the virus we find that it "installs" it self in the directory ~/WIFIADAPT Well - not too hard to find and remove that. They could at least have spent an "." to make it hidden This is probaly a targeted trojan and you are probably not the target: A cross platform virus that is targeted on Mac and Linux and leaves Windows out (where 90% of the potential really lies) must have been made for a particular reason.

In any case you do not need AV software. If you find WIFIADAPT in your home directory - just delete it.
Then you would have done the almost historical action of removing the very first Trojan to steal Linux and Mac passwords.
The next thing to do is visit here! We will be commenting every one of them and it probably will not make us overworked.
More here

In general you will not get this from the repositories of any distro! You will need to download unofficial (and unreviewed) stuff like PPA's in Ubuntu/Mint.
You will need to install it directly or as part of another package - it is not very likly that it will install itself.

Regarding rootkits; Installing chkrootkitand rkhunter should be the first thing you do on every distro - it will be in your repoositories

[rolf]

This has got me thinking.
I have installed rkhunter, run it a couple of times, then forgot about it. chkrootkit is also there and, at least, I see rkhunter in /etc/cron.daily/. Now, I used to be sure anacron is installed at every installation of Mandrake but it is now part of the default package set, afaik, so it is there, important for my machines that are not on all the time. So, I look in /etc/rkhunter.conf and I see MAIL-ON-WARNING= is not configured, so that is not so good That reminds me that I seldom see the "you have mail" message at login and I never figured out how to set it up to mail me at my isp, which is something I would not miss.....

I now must surrender my Guru badge and sidearm

[viking60]

Shame on you (By the way I have not configured any mail either...)
I forgot to mention that since the virus-server that receives the data is known 212.7.208.65 it should be blocked for traffic in your firewall/iptables. I use Firestarter as the front end and there it is real easy. (Not sure how that is done in Mandrivas MCC ?)
Even if you are not infected; just block it anyway (I also block Facebook since there was a lot of activity there even without an active account).
And if you are really paranoid you could create ~/ WIFIADAPT and put a file in there that has the same name and then set the both to read only. That would stop the virus from creating it I guess.

(And remember there are quite some false positives in rkhunter so no reason to panic.....)

[R_Head]

Anti-Virus software is a huge business so I would not be surprised the very same people are making crap.

Think of it as a Pharmaceutical company.
They develop crap to make people sic or addicted so they can depend on them.

[viking60]

Apple has a problem with a Trojan that disguises itself as cupsd processes and uses RSA keys to encrypt the traffic via OpenSSH 6.0p1 which is a modified spy tool placed by the Trojan.. So the Trojan will make a "secure" connection to the spy.
These are the bad files that you need to remove:
com.apple.cocoa.plist
cupsd (Mach-O binary)
com.apple.cupsd.plist
com.apple.cups.plist
com.apple.env.plist

More here

Just to make it clear; Cups is not infected - it is only used to camouflage the Trojan trafic.

It is still a mystery how this could get around the Apple Firewall -Gatekeeper.
I have not seen that Linux is affected by this - but it is kind of related so it cannot hurt to mention it. But Apple, Facebook, Twitter and Microsoft have been targeted and infected.

[dedanna1029]

rolf & viking, re: setting up to be mailed:
MCC-->Security-->Configure system security, permissions, and audit-->click "Configure" (to the right of "Security")-->At the bottom, "Send alerts by email to:" - fill in email addy.

Now that, is the first thing I do. It will send an email to warn, and to send results of security checks to your ISP email, or whatever email you want to use. You can also play with /etc/hosts.deny.

[rolf]

Thanks for the Security tips.