Announcement

Collapse
No announcement yet.

FontOnLake, a new Linux malware

Collapse
This topic is closed.
X
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

    FontOnLake, a new Linux malware

    However, it currently is found in only SE Asia. About 15 years ago, when Kapersky and other AV makers were trying to convince Linux users that they needed proprietary, costly AV protection, I examined many of the 425 supposed Linux viruses listed in their various databases. Without exception they all were of "low risk", and even more revealing, were found on 3 or less computers. That low of an exposure is the same as saying "we made this in our lab and it is not out in the wild." This malware has the same smell. But, I'll leave that for you to decide for yourself.
    Here's the video:

    and here is a white paper describing what is known about the malware:
    https://www.welivesecurity.com/wp-co...fontonlake.pdf

    They do not know how this malware infects Linux machines. One test to determine if you've been infected is:
    Code:
    lsof -U | grep -F @/tmp/dbus- | grep -v ^dbus
    If that command returns nothing then you are not infected. If it returns your dbus port you are.

    Know you know all I know about it.



    Last edited by Snowhog; Oct 18, 2021, 09:21 PM. Reason: Remove formatting code tags from quoted command
    "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people.”
    – John F. Kennedy, February 26, 1962.

    #2
    GreyGeek I get this return on that command...

    [FONT=monospace][COLOR=#000000]lsof: command not found
    Kubuntu 24.11 64bit under Kernel 6.11.4, Hp Pavilion, 6MB ram. Stay away from all things Google...

    Comment


      #3
      Originally posted by TWPonKubuntu View Post
      GreyGeek I get this return on that command...
      Looks like you need to install lsof. It lists open files. As you know, since everything in Linux is a file, including dbus sockets, if the dbus socket is in use ("open") it will be listed by lsof. If your dbus socket is not in use it won't be listed and you don't have FontOnLake.
      Last edited by GreyGeek; Oct 19, 2021, 11:09 AM.
      "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people.”
      – John F. Kennedy, February 26, 1962.

      Comment


        #4
        Thanks
        Checked and lsof IS installed. Ran the command in your OP and response was blank. I assume that means I'm good.
        My error, I did not use the correct command in my first attempt.
        Kubuntu 24.11 64bit under Kernel 6.11.4, Hp Pavilion, 6MB ram. Stay away from all things Google...

        Comment


          #5
          All samples we have seen target kernel versions 2.6.32-696.el6.x86_64 and 3.10.0-229.el7.x86_64
          according to vermagic. There are two known versions of the rootkit with significant differences, but
          certain overlap. They are based on an open-source project Suterusu
          Seems to need to built for the kernel on the system being targeted, I think?
          Note the specific distribution targeted above, as well.
          Also, no mention of how it gets on the system to begin with, other than the above rootkit (as seems to be the norm for these reports, it seems), so an already-compromised system is needed.

          Comment

          Working...
          X