
What do you make of this reported Linux back door?

Started by: Hank <hankrobins@notspam.uk>
First post: 2025-02-28 08:45 +0100
Last post: 2025-03-05 00:05 +0100
Articles: 8 — 6 participants



Contents

  What do you make of this reported Linux back door? Hank <hankrobins@notspam.uk> - 2025-02-28 08:45 +0100
    Re: What do you make of this reported Linux back door? "Carlos E.R." <robin_listas@es.invalid> - 2025-02-28 13:06 +0100
      Re: What do you make of this reported Linux back door? Lawrence D'Oliveiro <ldo@nz.invalid> - 2025-03-02 00:38 +0000
    Re: What do you make of this reported Linux back door? John Hasler <john@sugarbit.com> - 2025-02-28 08:09 -0600
    Re: What do you make of this reported Linux back door? "J.O. Aho" <user@example.net> - 2025-02-28 18:00 +0100
      Re: What do you make of this reported Linux back door? Adrian Caspersz <email@here.invalid> - 2025-03-04 18:29 +0000
        Re: What do you make of this reported Linux back door? "J.O. Aho" <user@example.net> - 2025-03-04 22:51 +0100
          Re: What do you make of this reported Linux back door? "Carlos E.R." <robin_listas@es.invalid> - 2025-03-05 00:05 +0100

#81065 — What do you make of this reported Linux back door?

From: Hank <hankrobins@notspam.uk>
Date: 2025-02-28 08:45 +0100
Subject: What do you make of this reported Linux back door?
Message-ID: <vprpii$1qo1r$1@news.usenet.ovh>
https://unit42.paloaltonetworks.com/new-linux-backdoor-auto-color/

Between early November and December 2024, Palo Alto Networks researchers
discovered new Linux malware called Auto-color. We chose this name based on
the file name the initial payload renames itself after installation.

The malware employs several methods to avoid detection, such as:

- Using benign-looking file names for operating
- Hiding remote command and control (C2) connections using an advanced
  technique similar to the one used by the Symbiote malware family
- Deploying proprietary encryption algorithms to hide communication and
  configuration information

Once installed, Auto-color allows threat actors full remote access to
compromised machines, making it very difficult to remove without
specialized software.



#81070

From: "Carlos E.R." <robin_listas@es.invalid>
Date: 2025-02-28 13:06 +0100
Message-ID: <ifl89lxv1v.ln2@Telcontar.valinor>
In reply to: #81065
On 2025-02-28 08:45, Hank wrote:
> https://unit42.paloaltonetworks.com/new-linux-backdoor-auto-color/
> 
> Between early November and December 2024, Palo Alto Networks researchers
> discovered new Linux malware called Auto-color. We chose this name based on
> the file name the initial payload renames itself after installation.
> 
> The malware employs several methods to avoid detection, such as:
> 
> Using benign-looking file names for operating
> Hiding remote command and control (C2) connections using an advanced
> technique similar to the one used by the Symbiote malware family
> Deploying proprietary encryption algorithms to hide communication and
> configuration information
> Once installed, Auto-color allows threat actors full remote access to
> compromised machines, making it very difficult to remove without
> specialized software.


The important information, which is how it initially enters a machine,
is missing. It seems to be root running an infected executable.

-- 
Cheers, Carlos.



#81077

From: Lawrence D'Oliveiro <ldo@nz.invalid>
Date: 2025-03-02 00:38 +0000
Message-ID: <vq09au$f3au$2@dont-email.me>
In reply to: #81070
On Fri, 28 Feb 2025 13:06:42 +0100, Carlos E.R. wrote:

> The important information, which is how it enters initially a machine,
> is missing. It seems to be root running an infected executable.

There are lots of these toolkits around. They sound very scary, but they
all assume that you have some vulnerability, which you can take advantage
of via a separate exploit, to get them installed in the first place.



#81071

From: John Hasler <john@sugarbit.com>
Date: 2025-02-28 08:09 -0600
Message-ID: <87jz9ama8l.fsf@sugarbit.com>
In reply to: #81065
From the link:

"the file is intended to run explicitly by the victim on their Linux
machine."

It must also be run as root. Therefore this malware is not by itself a
vulnerability: obviously any program you run as root can do anything.
This thing is just a payload for an attack. The actual vulnerability,
if any, is the method by which the user is induced to run the thing as
root.
-- 
John Hasler 
john@sugarbit.com
Dancing Horse Hill
Elmwood, WI USA



#81072

From: "J.O. Aho" <user@example.net>
Date: 2025-02-28 18:00 +0100
Message-ID: <m2e8dcFsotdU1@mid.individual.net>
In reply to: #81065
On 28/02/2025 08.45, Hank wrote:
> https://unit42.paloaltonetworks.com/new-linux-backdoor-auto-color/
> 
> Between early November and December 2024, Palo Alto Networks researchers
> discovered new Linux malware called Auto-color. We chose this name based on
> the file name the initial payload renames itself after installation.
> 
> The malware employs several methods to avoid detection, such as:
> 
> Using benign-looking file names for operating
> Hiding remote command and control (C2) connections using an advanced
> technique similar to the one used by the Symbiote malware family
> Deploying proprietary encryption algorithms to hide communication and
> configuration information
> Once installed, Auto-color allows threat actors full remote access to
> compromised machines, making it very difficult to remove without
> specialized software.

As Carlos and John have already pointed out, you need to execute a binary
(or script), and it's self-inflicted: don't install anything you can't
install from your distro's repository unless you really know what you are
doing.

-- 
  //Aho



#81087

From: Adrian Caspersz <email@here.invalid>
Date: 2025-03-04 18:29 +0000
Message-ID: <m2ov4vFghknU2@mid.individual.net>
In reply to: #81072
On 28/02/2025 17:00, J.O. Aho wrote:
> 
> As Carlos and John has already pointed out, you need to execute a binary 
> (or script) and it's self inflicted, don't install anything you can't 
> install from your distros repository unless you really know what you are 
> doing.
> 

So many users are tempted to install software using the wget workflow
that directly pipes a script hosted on a website into a command prompt.

It is so risky....

-- 
Adrian C



#81088

From: "J.O. Aho" <user@example.net>
Date: 2025-03-04 22:51 +0100
Message-ID: <m2pav5Fipj2U1@mid.individual.net>
In reply to: #81087
On 04/03/2025 19.29, Adrian Caspersz wrote:
> On 28/02/2025 17:00, J.O. Aho wrote:
>>
>> As Carlos and John has already pointed out, you need to execute a 
>> binary (or script) and it's self inflicted, don't install anything you 
>> can't install from your distros repository unless you really know what 
>> you are doing.
>>
> 
> So many users are tempted to install software, using the wget workflow 
> that directly pipes script hosted on website into a command prompt.
> 
> It is so risky....

Yes, it's risky. I always use a distribution that has a good
ecosystem, so you don't have to run some script to install stuff but
can just use the standard package manager with the default repositories.

-- 
  //Aho



#81089

From: "Carlos E.R." <robin_listas@es.invalid>
Date: 2025-03-05 00:05 +0100
Message-ID: <2jdk9lxr0g.ln2@Telcontar.valinor>
In reply to: #81088
On 2025-03-04 22:51, J.O. Aho wrote:
> On 04/03/2025 19.29, Adrian Caspersz wrote:
>> On 28/02/2025 17:00, J.O. Aho wrote:
>>>
>>> As Carlos and John has already pointed out, you need to execute a 
>>> binary (or script) and it's self inflicted, don't install anything 
>>> you can't install from your distros repository unless you really know 
>>> what you are doing.
>>>
>>
>> So many users are tempted to install software, using the wget workflow 
>> that directly pipes script hosted on website into a command prompt.
>>
>> It is so risky....
> 
> yes, it's risky, I do always use a distribution that has a good 
> ecosystem, so you don't have to run some script to install stuff, but 
> just use the standard package manager using the default repositories.

rpm packages contain pre/post install scripts, too. Not all packages
use this facility, but some have to. For example, the kernel itself
has to run dracut and grub something, among others.

-- 
Cheers, Carlos.

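The two practical points in this thread, Adrian's warning about piping a remote installer straight into a shell and Carlos's reminder that rpm packages carry their own pre/post scriptlets that run as root, share one defensive answer: get the code onto disk and read it before anything executes it. The script below is an added example written for this thread, not code from any of the posters or from the Unit 42 article. It assumes POSIX sh with coreutils (`sha256sum`, with a `shasum -a 256` fallback), `curl` for the download step, and, only for the last function, the `rpm` binary; the URL, file names and hash in the usage comment are placeholders, and the grep pattern is a review aid rather than a complete detector.

```shell
#!/bin/sh
# Added example for this thread (not the posters' code): replace
# "curl URL | sh" with download-to-file, checksum verification and a
# quick scan for lines a human should read before running the script.
# rpm_scriptlets applies the same idea to the %pre/%post scripts inside
# an rpm. Placeholders: example.invalid URLs, file names, hashes.

# Lines worth a reviewer's attention: privilege escalation, fetching
# more code, writes to system paths, persistence, encoded blobs.
RISKY_RE='sudo|su -|curl|wget|/etc/|/usr/|crontab|systemctl|chmod \+s|base64'

# sha256_of FILE: print the hex SHA-256 digest (coreutils or BSD tool).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED_HEX: succeed only when the digest matches
# the value obtained out-of-band (project page, signed release notes).
verify_sha256() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# count_risky_lines FILE: print how many lines match RISKY_RE
# (grep -c prints 0 and exits 1 when nothing matches, hence "|| true").
count_risky_lines() {
    grep -cE "$RISKY_RE" "$1" || true
}

# fetch_and_check URL DEST EXPECTED_HEX: download to a file, never to a
# pipe; refuse on checksum mismatch; otherwise list the lines to review.
# DEST is left in place on failure so it can still be inspected.
fetch_and_check() {
    url="$1"; dest="$2"; expected="$3"
    curl -fsSL -o "$dest" "$url" || { echo "download failed: $url" >&2; return 1; }
    if ! verify_sha256 "$dest" "$expected"; then
        echo "checksum mismatch for $dest: got $(sha256_of "$dest")" >&2
        return 1
    fi
    echo "$(count_risky_lines "$dest") line(s) to review in $dest:"
    grep -nE "$RISKY_RE" "$dest" || true
}

# rpm_scriptlets PKG: show the scriptlets rpm will run as root.
# PKG ending in .rpm is read from the file (-p); otherwise it is
# treated as the name of an already installed package.
rpm_scriptlets() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not installed" >&2; return 2; }
    case "$1" in
        *.rpm) rpm -qp --scripts "$1" ;;
        *)     rpm -q --scripts "$1" ;;
    esac
}

# Usage (placeholder values):
#   fetch_and_check https://example.invalid/install.sh ./install.sh <published-sha256>
#   rpm_scriptlets ./some-package.rpm      # before: rpm -i ./some-package.rpm
#   rpm_scriptlets kernel-core             # what an installed package ran
```

The checksum only helps when the expected value comes from somewhere other than the page serving the script; a hash published next to the download proves nothing if that site is the thing you distrust. Reading the flagged lines is the step Adrian's pipe skips, and `rpm -qp --scripts` is the equivalent step for Carlos's point: the package manager does not make scriptlets safe, it only makes them visible if you ask.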

