[kwlug-disc] Ransomware in Gentoo

CrankyOldBugger crankyoldbugger at gmail.com
Fri Mar 31 13:01:56 EDT 2017


To add to B.S.'s comment, when he said "Backups", he meant "offsite" or
"not on the network".  While this is more for Windows users than us Linux
folks, I have heard that these ransomware viruses (virii?) do run around
the local network pretty quickly, so if you're backing up to just another
PC or NAS, then the infection will spread.  I know a guy who had a customer
fall prey to one of these.  They're nasty things.

Do regular backups, but do them to something that you can easily unplug,
like a USB stick.  Plug the stick in, do your backups, pull the stick out,
label it and put it somewhere safe.  You could even buy a bunch of USB
sticks and rotate them for even more protection.

A/V is not "necessary" in the Linux world like it is on Windows or Macs,
but it doesn't hurt to be extra paranoid from time to time.  I've heard
good things about ClamAV, and I've used it myself, but if you want to do
some reading you could try:
http://www.makeuseof.com/tag/free-linux-antivirus-programs/




On Fri, 31 Mar 2017 at 11:50 Khalid Baheyeldin <kb at 2bits.com> wrote:

> A possible program that was used is this one (last comment in the thread).
> Initially a proof of concept, but now some actors are using it for real.
>
> The key is gaining root access. If you prevent that, then you are safe.
>
> https://github.com/jdsecurity/CryptoTrooper
>
> Since it has a similar /etc/motd.
>
> On Fri, Mar 31, 2017 at 11:45 AM, Khalid Baheyeldin <kb at 2bits.com> wrote:
>
> Scrolling down a bit in the comments.
>
> He used Firefox as root, then probably clicked on a link or ad that had
> malware in it. That replaced his Python executable with the ransomware
> thing.
>
> I never ran antivirus on Linux either.
>
> On Fri, Mar 31, 2017 at 11:10 AM, Joe Wennechuk <
> youcanreachmehere at hotmail.com> wrote:
>
> I saw this link on reddit.
> https://forums.gentoo.org/viewtopic-t-1060828.html
>
>
> I have never run any antivirus or anything on my linux box. Does anyone
> know how this got into this users machine, and/or how I should be
> protecting my home, and work environments using Linux?
>
>
>
>
> Joseph Wennechuk
> Phone: (226) 505-4812
> https://www.linkedin.com/pub/joseph-wennechuk/4/b59/382
>
>
> _______________________________________________
> kwlug-disc mailing list
> kwlug-disc at kwlug.org
> http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
>
>
>
>
> --
> Khalid M. Baheyeldin
> 2bits.com, Inc.
> Fast Reliable Drupal
> Drupal optimization, development, customization and consulting.
> Simplicity is prerequisite for reliability. --  Edsger W.Dijkstra
> Simplicity is the ultimate sophistication. --   Leonardo da Vinci
> "For every complex problem, there is an answer that is clear, simple, and
> wrong." -- H.L. Mencken
>
>
>
>
>
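The unplug-and-label backup routine described at the top of this message, as an added example script that is not code from the thread or from any project it links: it archives a directory onto a USB stick that is already mounted, appends a SHA-256 line to a manifest so that a later verify_backups run can show the copy is intact before anyone relies on it for a restore, then syncs and unmounts so the stick can be pulled. The mount path, the function names and the mount-by-path check are assumptions of this example; umount needs whatever privilege was used to mount the stick in the first place.

```sh
#!/bin/sh
# offline_backup.sh: back up a directory to a USB stick that is already mounted,
# record a checksum so the copy can be verified later, flush, and unmount so the
# stick can be pulled and labelled. Added example, not code from the thread.
# Assumed: the stick is mounted (e.g. at /media/backup-1), tar is present, and
# one of sha256sum / shasum / openssl is installed. Unmounting needs the same
# privilege that mounting did (root, or a user mount).
#
#   ./offline_backup.sh /home/me /media/backup-1
set -eu

# SHA-256 of one file, using whichever tool the system has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# True when the path is a mount point, i.e. a plugged-in stick rather than an
# ordinary directory on the internal disk (which would defeat the purpose).
is_mountpoint() {
    mount 2>/dev/null | grep -qF " on ${1%/} "
}

# backup_to_removable SRC DEST
# Writes DEST/<host>/<utc-timestamp>.tar, appends its digest to MANIFEST.sha256
# (relative names, so the manifest stays valid wherever the stick is mounted
# next time), then syncs and unmounts DEST if it is a mount point.
# Prints the archive path.
backup_to_removable() {
    src=$1
    dest=${2%/}
    outdir="$dest/$(uname -n)"
    mkdir -p "$outdir"
    archive="$outdir/$(date -u +%Y%m%dT%H%M%SZ).tar"
    # -C makes the archive hold paths relative to SRC's parent directory.
    tar -cf "$archive" -C "$(dirname "$src")" "$(basename "$src")"
    printf '%s  %s\n' "$(sha256_of "$archive")" "$(basename "$archive")" \
        >> "$outdir/MANIFEST.sha256"
    sync
    if is_mountpoint "$dest"; then
        umount "$dest"   # once this returns the stick is safe to pull
    fi
    printf '%s\n' "$archive"
}

# verify_backups HOSTDIR
# Re-hashes every archive listed in HOSTDIR/MANIFEST.sha256. Returns non-zero
# if any archive is missing or has changed since it was written; run this when
# the stick is plugged back in, before trusting it for a restore.
verify_backups() {
    dir=${1%/}
    rc=0
    while read -r sum name; do
        [ -n "$name" ] || continue
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING $name" >&2; rc=1
        elif [ "$(sha256_of "$dir/$name")" != "$sum" ]; then
            echo "CORRUPT $name" >&2; rc=1
        else
            echo "OK      $name"
        fi
    done < "$dir/MANIFEST.sha256"
    return $rc
}

# Command-line use: offline_backup.sh SRC DEST
if [ $# -eq 2 ]; then
    backup_to_removable "$1" "$2"
fi
```

Rotation falls out of the manifest holding only relative names: each labelled stick carries its own MANIFEST.sha256 under the host name, so whichever stick is plugged in next can be verified and extended without knowing where it was mounted last time. The verify step on a stick that has been plugged back in is the check that matters; a backup that has never been re-hashed or restored from is an assumption, not a backup.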