[kwlug-disc] Ransomware in Gentoo

Mark Steffen rmarksteffen at gmail.com
Fri Mar 31 13:54:51 EDT 2017


Updates/patching and common sense are more necessary in Linux. On Windows you
probably want an AV, ideally something that can block shellcode/memory
injection attacks and sandbox zero-day/unknown executions.

Backups that are originated from the device you want to backup have an
inherent security flaw that they typically have access to the backup
storage repository, and can therefore delete or encrypt the backups if the
malware author makes his cryptoware "aware" of the backup technology you
are using.

Backup systems that "pull" data from the computer that is being backed up
are better (for example BareOS) but this often isn't practical when doing
offsite-type backups.

An alternative mitigation if, for example, you are backing up a Linux box
with Duplicity to a remote rsync host (so your Linux box obviously has the
credentials, which puts your backup data at risk), would be to have the
backup server use ZFS and have a good snapshot policy in place (7 days, 4
weeks, 3 months, 1 year, or something). This way, if you discover you've
been crypto'd (they usually want money, so they tend to make sure you are
aware) AND they take out your backup, the server admin can recover your
previous data from yesterday's or last week's snapshot.

But as Cranky said, rotating some offline storage devices like USB
sticks/drives for your critical data is a great idea; the problem with
manual methods is they often don't get done after a while.

*Mark Steffen*
Office Direct: +1.226.476.1240 | Mobile/WhatsApp: +1.226.600.0464
*"Don't believe everything you read on the Internet." -Abraham Lincoln*
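As an added illustration of the server-side snapshot policy Mark describes above (not code from the thread), here is the retention logic for 7 daily, 4 weekly, 3 monthly and 1 yearly snapshots, plus the restore-point lookup an admin would do after a client's push credentials were abused; the dataset name and the `backup-YYYY-MM-DD` snapshot naming are assumptions of this example.

```python
from datetime import date, timedelta

# Retention policy from the thread: 7 daily, 4 weekly, 3 monthly, 1 yearly
# (tier name -> number of most recent calendar buckets to keep one snapshot in).
POLICY = {"daily": 7, "weekly": 4, "monthly": 3, "yearly": 1}

def bucket_key(d, tier):
    """Map a snapshot date to the calendar bucket it represents in a tier."""
    if tier == "daily":
        return d.isoformat()
    if tier == "weekly":
        year, week, _ = d.isocalendar()
        return f"{year}-W{week:02d}"
    if tier == "monthly":
        return f"{d.year}-{d.month:02d}"
    return str(d.year)  # yearly

def snapshots_to_keep(snapshot_dates, policy=POLICY):
    """Grandfather-father-son retention: per tier, keep the newest snapshot in
    each of the N most recent buckets; a date kept by any tier survives."""
    keep = set()
    for tier, count in policy.items():
        buckets = []
        for d in sorted(set(snapshot_dates), reverse=True):
            key = bucket_key(d, tier)
            if key in buckets:
                continue  # bucket already represented by a newer snapshot
            if len(buckets) == count:
                break  # enough buckets for this tier
            buckets.append(key)
            keep.add(d)
    return keep

def prune_commands(dataset, snapshot_dates, policy=POLICY):
    """'zfs destroy' lines the server admin would run for out-of-policy snapshots.
    Snapshot name <dataset>@backup-YYYY-MM-DD is a convention assumed here."""
    keep = snapshots_to_keep(snapshot_dates, policy)
    return [f"zfs destroy {dataset}@backup-{d.isoformat()}"
            for d in sorted(set(snapshot_dates) - keep)]

def latest_restore_point(snapshot_dates, discovered_on, policy=POLICY):
    """Newest retained snapshot from before the day the encryption was noticed.
    Snapshots live on the server, beyond the reach of the client's credentials."""
    kept = snapshots_to_keep(snapshot_dates, policy)
    earlier = [d for d in kept if d < discovered_on]
    return max(earlier) if earlier else None

# Constructed sample: one snapshot per day for 400 days ending 2017-03-31.
SAMPLE = [date(2017, 3, 31) - timedelta(days=i) for i in range(400)]

if __name__ == "__main__":
    print(sorted(snapshots_to_keep(SAMPLE)), len(prune_commands("tank/backups", SAMPLE)))
```

Because the pruning runs on the backup server and the client only ever pushes data, a client that deletes or encrypts the live copy cannot touch the snapshots that `latest_restore_point` returns.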



On Fri, Mar 31, 2017 at 1:01 PM, CrankyOldBugger <crankyoldbugger at gmail.com>
wrote:

> To add to B.S.'s comment, when he said "Backups", he meant "offsite" or
> "not on the network".  While this is more for Windows users than us Linux
> folks, I have heard that these ransomware viruses (virii?) do run around
> the local network pretty quickly, so if you're backing up to just another
> PC or NAS, then the infection will spread.  I know a guy who had a customer
> fall prey to one of these.  They're nasty things.
>
> Do regular backups, but do them to something that you can easily unplug,
> like a USB stick.  Plug the stick in, do your backups, pull the stick out,
> label it and put it somewhere safe.  You could even buy a bunch of USB
> sticks and rotate them for even more protection.
>
> A/V is not "necessary" in the Linux world like it is in Windows or Macs,
> but it doesn't hurt to be extra paranoid from time to time.  I've heard
> good things about ClamAV, and I've used it myself, but if you want to do
> some reading you could try:
> http://www.makeuseof.com/tag/free-linux-antivirus-programs/
>
>
>
>
> On Fri, 31 Mar 2017 at 11:50 Khalid Baheyeldin <kb at 2bits.com> wrote:
>
>> A possible program that was used is this one (last comment in the
>> thread). Initially a proof of concept, but now some actors are using it for
>> real.
>>
>> The key is gaining root access. If you prevent that, then you are safe.
>>
>> https://github.com/jdsecurity/CryptoTrooper
>>
>> Since it has a similar /etc/motd.
>>
>> On Fri, Mar 31, 2017 at 11:45 AM, Khalid Baheyeldin <kb at 2bits.com> wrote:
>>
>> Scrolling down a bit in the comments.
>>
>> He used Firefox as root, then probably clicked on a link or ad that had
>> malware in it. That replaced his Python executable with the ransomware
>> thing.
>>
>> I never ran antivirus on Linux either.
>>
>> On Fri, Mar 31, 2017 at 11:10 AM, Joe Wennechuk <youcanreachmehere at hotmail.com> wrote:
>>
>> I saw this link on reddit. https://forums.gentoo.org/viewtopic-t-1060828.html
>>
>>
>> I have never run any antivirus or anything on my linux box. Does anyone
>> know how this got into this users machine, and/or how I should be
>> protecting my home, and work environments using Linux?
>>
>>
>>
>>
>> Joseph Wennechuk
>> Phone: (226) 505-4812
>> https://www.linkedin.com/pub/joseph-wennechuk/4/b59/382
>>
>>
>> _______________________________________________
>> kwlug-disc mailing list
>> kwlug-disc at kwlug.org
>> http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
>>
>>
>>
>>
>> --
>> Khalid M. Baheyeldin
>> 2bits.com, Inc.
>> Fast Reliable Drupal
>> Drupal optimization, development, customization and consulting.
>> Simplicity is prerequisite for reliability. --  Edsger W.Dijkstra
>> Simplicity is the ultimate sophistication. --   Leonardo da Vinci
>> "For every complex problem, there is an answer that is clear, simple, and
>> wrong." -- H.L. Mencken
>>
>>
>>
>>
>>
>
>
>