
[solved] *Hidden Wasp* trojan attack in Linux OS

security
#1

A video from the “Switched To Linux” YouTube channel, posted about 6 days ago, describes the ‘Hidden Wasp’ trojan on Linux systems.

Refer to the description under the video for details.

As no information on this can be found on this forum, if anyone knows of any occurrences, please post.

0 Likes

#2

Thanks, I would like to know more about security issues on Linux.

1 Like

#3

https://www.intezer.com/blog-hiddenwasp-malware-targeting-linux-systems/

This is the link from the video itself, which gives a better overview.

The first part of the malware seems to be a bash script that creates a user and then proceeds to download the trojan and rootkit.

But the following must be given:

  • the initial “malware” bash script needs to exist on the machine
  • the user has to execute it
  • it was tested on (I guess) Ubuntu LTS

Countermeasures:

  • don't execute random bash scripts you download
  • check for newly added users

Also:

I'm not sure if distros with SELinux enabled by default are as vulnerable as distros without.

So if your machine is not compromised already:

DONT EXECUTE RANDOM CODE FROM THE INTERNET

11 Likes
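The “check for newly added users” countermeasure above, as an added example that is not part of the original post or of the Intezer write-up: a small POSIX shell audit that compares an /etc/passwd-style file against a baseline taken while the machine was still trusted, and separately flags any non-root UID 0 account and any account with an interactive shell. Only the passwd line format is assumed; the two sample files are constructed here so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the thread: audit an /etc/passwd-style file against
# a baseline taken while the machine was trusted, to catch an account that a
# dropped "create a user, then fetch the payload" script may have added.
# Only the passwd line format (name:pw:uid:gid:gecos:home:shell) is assumed;
# the sample files below are constructed, not real system data.

# new_accounts BASELINE CURRENT: accounts in CURRENT whose name is absent from
# BASELINE, printed as name:uid:shell (in CURRENT's order).
new_accounts() {
    awk -F: 'NR == FNR { seen[$1] = 1; next }
             !($1 in seen) { print $1 ":" $3 ":" $7 }' "$1" "$2"
}

# rogue_uid0 PASSWD: any account with UID 0 that is not root (a backdoor
# pattern a plain "new user name" check misses if an existing name is reused).
rogue_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# interactive_accounts PASSWD: accounts whose shell is not nologin/false;
# a planted user normally needs an interactive shell to be useful.
interactive_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# audit_passwd BASELINE CURRENT: print findings; returns 1 if anything was
# found, 0 if CURRENT adds nothing to the baseline.
audit_passwd() {
    findings=0
    new=$(new_accounts "$1" "$2")
    if [ -n "$new" ]; then
        printf 'accounts not in baseline (name:uid:shell):\n%s\n' "$new"
        findings=1
    fi
    rogue=$(rogue_uid0 "$2")
    if [ -n "$rogue" ]; then
        printf 'non-root UID 0 accounts: %s\n' "$rogue"
        findings=1
    fi
    return $findings
}

# write_samples DIR: constructed baseline and "after the script ran" files.
write_samples() {
    cat > "$1/passwd.baseline" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
    # Same file plus two constructed additions: a plausible-looking service
    # user that nevertheless has a real shell, and a second UID 0 account.
    cat > "$1/passwd.current" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
sftp:x:1001:1001::/home/sftp:/bin/bash
toor:x:0:0::/root:/bin/sh
EOF
}

SAMPLE_DIR=$(mktemp -d)
write_samples "$SAMPLE_DIR"
# On a real host: audit_passwd /path/to/offline-copy/passwd /etc/passwd
audit_passwd "$SAMPLE_DIR/passwd.baseline" "$SAMPLE_DIR/passwd.current" \
    || echo "audit flagged changes"
```

Take the baseline right after install and keep it off the box (or at least somewhere the box cannot write to), otherwise a script that adds a user can refresh the baseline too. Reading the file directly rather than going through `getent` or `id` also sidesteps a userland rootkit that hooks the libc lookups, though a kernel-level rootkit can still lie about the file's contents, so treat a clean result as one signal rather than proof.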

#4

The primary blog/article is, I believe, this one…

https://www.intezer.com/blog-hiddenwasp-malware-targeting-linux-systems/

Unsure as of right now what exactly the impact is, as I just found out about this about 45 minutes ago, or about 11:45 MDT.

0 Likes

#5

Superior!! Was bouncing around the net for other info when you posted.

This was a surprise, but from the Linux community storm and countermeasures, it appears the quickness of response may have contained/caught it??

0 Likes

#6

This was (smugly hehe) reported on Level1News more than a week ago: https://youtu.be/TqCB4Wg1GSI?t=1864

0 Likes

#7

Thanks for that. Unfortunately I missed that podcast …

Perhaps next time something like this comes up, a note would be put up by concerned people in the forum for others who also missed the podcast.

Cheers

1 Like

#8

Thanks for the post, I must have missed this on the news too.

1 Like

#9

Also AppArmor.

0 Likes

#10

And this, kids, is why PowerShell scripts support code-signing, and system policy can be defined to check that the script signature matches a valid code-signing cert. Whilst it's not a 100% every-case defence, it does definitely help control whether or not you want specific scripts to execute, and also helps track/prevent some muppet/malware modification of your script outside of the change management process.

Linux/bash/zsh/etc. needs to get code-signing support yesterday.

So that

  • if you want to do so, you can code-sign your scripts so you know if they have changed or are what you actually wrote and signed off on.
  • distros can code-sign important system files so you can verify they are what you originally deployed (I guess you can already do that by manually verifying the SHA hash, but that doesn't prevent execution). Or rather, if they aren't explicitly re-signed by the user and approved, they won't run if modified.

Linux users tend to shit on Windows for a lot of the insecurity in that platform, but Linux lags way behind both macOS and Windows in the capability of verifying scripts, etc. at the moment.

9 Likes

#11

Yeah, I saw Tom's video about this.
I double-checked whether the said user account existed on my system,
or whether the said file existed on my system.
But none of them exist on my system.
So I'm basically good so far, I guess.

0 Likes

#12

So you're telling me I shouldn't curl | sh

2 Likes
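The point made in #10 (verify a script is what you signed off on before it runs, and refuse it if it changed) and the `curl | sh` habit joked about in #12, as an added example that is neither from the thread nor from any project's install docs: download to a file, pin the digest of the copy you actually read, and only ever execute a file whose digest still matches. The pinned value would normally come from a release manifest you verified with `gpg --verify` or similar; here the installer is a constructed stand-in written locally so the script runs offline, and the URL in `fetch_installer` is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread or from any project's docs: the
# "download to a file, verify, then run" pattern that replaces `curl | sh`.
# The digest is pinned by hand here; in practice it would come from a
# signed release manifest you verified (for example with `gpg --verify`).
# The installer below is a constructed stand-in written locally so this runs
# offline; the URL passed to fetch_installer is a placeholder, never fetched.

# fetch_installer URL OUT: fetch to a file, never to a pipe. -f fails on HTTP
# errors, --proto '=https' refuses plain http, -o keeps it reviewable on disk.
fetch_installer() {
    curl -fsSL --proto '=https' --tlsv1.2 -o "$2" "$1"
}

# sha256_of FILE: hex digest, the value you pin after reading the script.
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# run_pinned SCRIPT EXPECTED: run SCRIPT only if its digest equals EXPECTED.
# Returns 2 without executing anything on mismatch; otherwise the script's
# own exit status. A modified or swapped file therefore fails closed.
run_pinned() {
    actual=$(sha256_of "$1")
    if [ "$actual" != "$2" ]; then
        printf 'refusing to run %s: sha256 %s does not match pinned %s\n' \
            "$1" "$actual" "$2" >&2
        return 2
    fi
    sh "$1"
}

# make_sample DIR: constructed installer standing in for the downloaded file
# (in real use: fetch_installer https://example.invalid/install.sh DIR/install.sh).
make_sample() {
    cat > "$1/install.sh" <<'EOF'
#!/bin/sh
echo "installing the tool"
EOF
}

WORK=$(mktemp -d)
make_sample "$WORK"
# Step 1: read the script, then pin the digest of what you approved.
PIN=$(sha256_of "$WORK/install.sh")
# Step 2: every later run (or re-download) is checked against that pin.
run_pinned "$WORK/install.sh" "$PIN"
# Step 3: a tampered copy is refused. Constructed tamper: one appended line,
# which is all a "create a user, then fetch the payload" addition needs.
printf 'echo "now also adding an account"\n' >> "$WORK/install.sh"
run_pinned "$WORK/install.sh" "$PIN" || echo "blocked (exit $?)"
```

The pin only helps if it is stored somewhere the downloaded file cannot overwrite and if you obtained it independently of the download, which is where a signed manifest (or distribution-level package signing) comes in; pinning a digest you copied from the same page you fetched the script from just moves the trust, it does not add any.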

#13

TFW official docs encourage this lmao.

1 Like

#14

Only as root, since it's only code and Windows is the superior platform; it definitely is Linux's fault if something breaks.

0 Likes

#15

I cringe every time I see it.

2 Likes

#16

I just found an example.

2 Likes

#17

Security issues arise from not auditing the software you download. They also come from improper enforcement of SELinux … Fedora and SUSE come with it by default; they put security first.

2 Likes

#18

I'm pretty sure Docker tells you to do it, too.

0 Likes

#19

Very astute matter you raised, good man.

As one can see, and as someone who has used Windows and Mac, pouring close to a few tens of thousands of $$$ into these platforms, and is now really digging into Linux, I wish I could give you some answers.

The posse that rode in and unloaded their guns here have more knowledge than I, and like you, I would just like some reassurance from them as to the matter, as a few have given with their knowledge.

Others, though, have taken to shooting the wrong people or anything moving that is not the OS or platform THEY use. How ridiculous and sandbox childish.

Chevy? Ford? Mercedes Benz? Toyota? I DON’T CARE!
I just need to get from A to B without highway robbery happening.

0 Likes

#20

I'm a bit worried about how a compromised Docker container could be used to gain root access to the host :no_mouth:

1 Like