4llan | 4 years ago
> The CronRAT adds a number of tasks to crontab with a curious date specification: 52 23 31 2 3. These lines are syntactically valid, but would generate a run time error when executed. However, this will never happen as they are scheduled to run on February 31st. Instead, the actual malware code is hidden in the task names and is constructed using several layers of compression and base64 decoding.
The actual malware uses the task names from these "never occurring" crontab entries. The invalid date is just a kind of signature.
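A small triage script for the pattern described above, added here as an example and not code from the article, from Sansec or from any commenter. It expands the day-of-month and month fields of each crontab entry and flags schedules that can never occur (31 February and the like), and separately flags entries whose command field is a bare base64-alphabet token rather than a program path, since the two signals are independent. The crontab it scans is constructed; the long token on the flagged line is made-up filler, not the malware's data.

```python
import calendar
import re

# Month abbreviations cron accepts in the month field (jan..dec -> 1..12).
MONTH_NAMES = {m.lower(): i for i, m in enumerate(calendar.month_abbr) if m}
# Longest a month can ever be; February is 29 so leap days are not flagged.
MAX_DAYS = {m: 29 if m == 2 else calendar.monthrange(2001, m)[1] for m in range(1, 13)}
# A single long run of base64-alphabet characters and nothing else.
B64_RUN = re.compile(r"^[A-Za-z0-9+/=]{24,}$")

# Constructed sample crontab (not a real capture): one ordinary job, one entry
# with an impossible date carrying a filler blob, one valid half-hourly job,
# and one 30-Feb entry with a normal-looking command.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
SHELL=/bin/sh
0 3 * * * /usr/bin/certbot renew --quiet
52 23 31 2 3 H4sIAAAAAAAAA0vOzy9JTVEoyy/KSQEAGgsEXQAAAA
*/30 * * * * /var/tmp/.cache/update
31 4 30 feb * /usr/local/bin/backup.sh
"""


def expand_field(field, lo, hi, names=None):
    """Expand one cron field (*, lists, ranges, steps, month names) to a set of ints."""
    names = names or {}
    values = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_s = part.split("/", 1)
            step = int(step_s)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = int(names.get(a.lower(), a)), int(names.get(b.lower(), b))
        else:
            start = end = int(names.get(part.lower(), part))
        values.update(range(start, end + 1, step))
    return values


def is_impossible_schedule(dom_field, mon_field):
    """True when no (day-of-month, month) combination can ever occur, e.g. 31 Feb."""
    days = expand_field(dom_field, 1, 31)
    months = expand_field(mon_field, 1, 12, MONTH_NAMES)
    return not any(d <= MAX_DAYS[m] for d in days for m in months)


def looks_like_blob(command):
    """Command field is one long base64-alphabet token instead of a program and args."""
    return bool(B64_RUN.match(command.strip()))


def audit_crontab(text):
    """Return (line_no, reason, line) findings for suspicious entries in crontab text."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split(None, 1)[0]:
            continue  # blank line, comment, or VAR=value assignment
        parts = line.split(None, 5)
        if len(parts) < 6 or parts[0].startswith("@"):
            continue  # @reboot-style or malformed entries are out of scope here
        minute, hour, dom, mon, dow, command = parts
        reasons = []
        try:
            if is_impossible_schedule(dom, mon):
                reasons.append("impossible date (entry can never run; storage slot?)")
        except ValueError:
            reasons.append("unparseable day-of-month/month field")
        if looks_like_blob(command):
            reasons.append("command is a bare base64-like blob")
        for reason in reasons:
            findings.append((no, reason, line))
    return findings


if __name__ == "__main__":
    for no, reason, line in audit_crontab(SAMPLE_CRONTAB):
        print(f"line {no}: {reason}: {line}")
```

Two caveats for anyone turning this into a real check. Vixie cron runs an entry when either a restricted day-of-month or a restricted day-of-week matches, so an impossible day/month pair next to a non-`*` day-of-week is a triage signal rather than proof that the entry never fires. And the blob check only catches the crude case of a command field that is nothing but base64 alphabet; a payload wrapped in `echo ... | base64 -d` would need a looser pattern.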
vmoore | 4 years ago
> Most online stores have only implemented browser-based defenses, and criminals capitalize on the unprotected back-end. Security professionals should really consider the full attack surface
What's the entry point for such a RAT? Does it scan for vulns in the server and plant itself there, or what? The article is lacking an explanation of how a Linux e-commerce backend actually gets comp'd.
marcodiego | 4 years ago
> In the run-up to Black Friday, Sansec discovered a sophisticated threat that is packed with never-seen stealth techniques. This malware, dubbed “CronRAT”, hides in the Linux calendar system on February 31st. It is not recognized by other security vendors and is likely to stay undetected on critical infrastructure for the coming months.
For years I've heard people saying: "Linux is not as used as Windows, that's why nobody is interested in writing viruses for Linux." Turns out that, considering the number of "embedded" Linux systems these days, Linux is probably much more popular than any other OS. Consider Android devices, smart TVs, routers... all these are devices that are directly in touch with the end users. The fact that these have been nowhere near as annoying as Windows devices is a testament to how seriously developers and vendors have been taking security, and also a bit of luck and the heritage of some Unix ideas.
Of course, most high-profile Linux use is on servers, so it is expected that these systems are preferred targets. But considering all that, if you look closely at how some Linux users, distributors and vendors behave, it seems like they are in another world. Security is mostly ignored, as if Linux were somehow magically free from vulnerabilities simply because you're using a package manager, and mostly no extra security action is taken.
Maybe Linux users and sysadmins became lazy or lax during the long years of perceived security calm. They will probably need a few incidents before learning some lessons from the Windows crowd.
marcosdumay | 4 years ago
> They will probably need a few incidents before learning some lessons from the windows crowd.
Hmm, thank you, but no. The lessons the Windows crowd learned are mostly bullshit, officialized due to people's helplessness and a total lack of any reasonable alternative.
Linux people are very serious about things like supply-chain verification, auditable software, and machine activity monitoring. All are actions with viable engineering principles and real impact, unlike the "you need to install an antivirus" insanity.
You seem to misunderstand the threat model of the average Linux device. Linux only becomes as vulnerable as Windows when you use it like Windows, and for the vast majority of use cases that is certainly not how it's treated. The average Linux device is either an Android phone with a completely different, sandbox- and permission-based threat model, or a purpose-built machine that runs a handful of off-the-shelf software that can be assumed to be reasonably secure. As such, the majority of exploits on Linux simply stem from misconfiguration. Luckily for attackers, the learning curve of a modern Unix machine is fairly steep, so they can count on a reasonable degree of oblivious behavior, such as not locking down your crontab to specific users/cgroups.
smoldesu | 4 years ago
Windows is insecure because its "shopping spree" method of software management is inherently unsafe. At least desktop Linux enforces integrity protection when you're downloading software from your package manager, and gives you sandboxing options (albeit not very good ones) to further mitigate security concerns. Failing that, it gives people the option of using ludicrously secure systems like Tails, Whonix and Qubes, which would really be impossible with how Windows is set up.
rzzzt | 4 years ago
...after reading: but also because one entry has a valid "every 30 minutes" specification :) and the rest are only used for storage.
kingcharles | 4 years ago
It looks like there has never been a real 31 February.