[HN Gopher] OrBit: New Undetected Linux Threat Uses Unique Hijac...
___________________________________________________________________
OrBit: New Undetected Linux Threat Uses Unique Hijack of Execution
Flow
Author : afrcnc
Score : 33 points
Date : 2022-07-07 19:09 UTC (3 hours ago)
(HTM) web link (www.intezer.com)
(TXT) w3m dump (www.intezer.com)
| pdonis wrote:
| How is this thing supposed to get installed on a Linux machine?
| smspf wrote:
| Nice read, I wonder how this was detected though. Did it trigger
| any alarms on the infected machine? Was a firewall or specialized
| traffic inspection involved?
| hoppla wrote:
| Enjoyable article.
|
| I am fairly confident that this rootkit would be detected by
| rkhunter, but possibly only when the adversary is logged into the
| machine, as the malware hides the pids and network ports
| associated with their ssh connection.
| netsec_burn wrote:
| This is the same company that wasn't aware that LD_PRELOAD has
| been in use since the 90's in their last post. Here is that
| unique method of hijacking execution flow using
| /etc/ld.so.preload, 20 years ago:
| https://seclists.org/incidents/2002/Jan/86. None of this is
| unique or novel, including replacing the loader. LD_PRELOAD
| rootkits have severe drawbacks (which are not an issue for eBPF
| rootkits).
| rhexs wrote:
| It's weird how there's been a massive uptick in security
| "threat researchers" blogging about hello world style malware
| in the past few years. On the plus side, malware reverse
| engineering is a tough job that traditionally didn't pay that
| well, so hopefully they're doing better now with the rise of
| all these startups doing blog posts about LD_PRELOAD.
| TechBro8615 wrote:
| There's a wide gap between the majority of infosec bloggers
| and the top echelon of experts. I don't see a problem with
| that, personally, and it's not much different than the
| distribution of expertise in most other software domains.
| Surely the more the merrier, since at least some of those new
| entrants will grow into experts.
|
| Also, there's a reason the "hello world" malware posts are
| popular - the techniques they're describing might have been
| known for years, but they're practical and they work. Often
| their longevity is only due to their unfixable nature in
| exploiting a design flaw. So they're useful not only from a
| practical standpoint but also an academic one of
| demonstrating a class of attack so pernicious that it can
| only be eliminated with a ground up redesign.
| ewuhic wrote:
| To me all of the sec research still seems like some kind of
| secret wisdom bound only to the best hackers out there, am I
| wrong here?
| rhexs wrote:
| That's just the culture of defcon/blackhat/"if you get any
| certs you're dumb".
|
| If you can program, you can learn almost any concept in
| security with self study and a handful of good books.
| Marketing posts, such as these, often aren't very useful
| but sure look neat with all the basic blocks...
| AlexSW wrote:
| It seems to me hard sometimes to know what all of the 'state-
| of-the-art' and historic techniques are; in practice there'll
| likely be far too many to enumerate on a variety of platforms.
| But I do wonder if there are good lists or compilations
| anywhere that would include these.
| netsec_burn wrote:
| That is the purpose of resources like MITRE's ATT&CK. Here is
| the ATT&CK page on the technique which is portrayed to be
| novel in this post:
| https://attack.mitre.org/techniques/T1574/006/
| [deleted]
___________________________________________________________________
(page generated 2022-07-07 23:01 UTC)