I think I caught Widigo

Geshmy
Offline
Joined: 04/23/2015

I installed Trisquel 8 on 01/12/2017.

Soon, I think it was the first day but am not sure, I had a problem with Abrowser and the Trisquel site which I posted here - https://trisquel.info/en/forum/flidas-and-abrowser

I ended up without Abrowser and was pretty happy using dooble except I didn't figure out how to download with it. I think it might be a 'save link' function but that didn't occur to me.

Yesterday,
I downloaded, unpacked and did a dd to thumbdrive of GuixSD.

Later I installed bleachbit - http://archive.trisquel.info/trisquel/pool/main/b/bleachbit/bleachbit_1.0-1_all.deb

but also tried to install the latest version - https://www.bleachbit.org/download/file/t?file=bleachbit_1.12_all_ubuntu1604.deb

I was using the terminal due to the browser issue (wget and maybe ftp, the terminal's history function and copying and pasting). I screwed up and got my commands mixed up at some point during the bleachbit story and suddenly the terminal filled up with a bunch of binary looking stuff. It might have happened when I ran something like this command: 'sudo dpkg -i bleachbit_1.0-1_all.deb'. I mean I screwed up and maybe entered 'wget sudo dpkg -i bleachbit_1.0-1_all.deb' in the terminal.

Anyway, I don't know what happened but it was unsettling so a little while later I downloaded chkrootkit and ran it. Got the result below.

Searching for Linux/Ebury - Operation Windigo ssh... Possible Linux/Ebury - Operation Windigo installetd

Looking up further info I saw the possibility of a false positive but follow up tests didn't turn out well.

I think I flunked every test listed here:
https://www.cert-bund.de/ebury-faq

# ipcs -m
------ Shared Memory Segments --------
key shmid owner perms bytes nattch
0x000006e0 65538 root 666 3283128 0
(that is an exact match to the example on the cert-bund website; the good news was this, "Please note that the SHMs are only created on the first event of data exfiltration – so immediately after a reboot of the system, the malicious SHMs will probably not show up in the output of 'ipcs -m'." So maybe I caught it before it got to do its dastardly deeds.)

Cert-bund says, "On Linux-based systems, an additional shared library file 'libns2.so' is installed and the existing libkeyutils file is patched to link against this library instead of libc6. The malicious 'libns2.so' file can be located by running the following command, which should not return any results on clean systems. "

I had it:
# find /lib* -type f -name libns2.so
/lib64/libns2.so

I think this is like a backdoor waiting to be knocked on
netstat -nap | grep "@/proc/udevd"
george@Trisquel:~/myScripts$ unix 2 [ ACC ] STREAM LISTENING 5597 2529/atd @/proc/udevd

Based on the results of 'ipcs -m', 'find /lib* -type f -name libns2.so' and 'netstat -nap | grep "@/proc/udevd"' I figured there was a high probability I was infected and trying to clean wasn't an option.

So I reformatted and reinstalled.
Currently Abrowser works like it should and I haven't had any problem with Trisquel's certificate.

chkrootkit still comes back with:
Searching for Linux/Ebury - Operation Windigo ssh... Possible Linux/Ebury - Operation Windigo installetd

This file is mentioned (I'm not sure what I saw yesterday before reformatting):
find /lib* -type f -name libkeyutils.so* -exec ls -la {} \;
-rw-r--r-- 1 root root 14256 Dec 10 2015 /lib/x86_64-linux-gnu/libkeyutils.so.1.5

but according to the cert-bund, "If any file is larger than 25 kilobytes in size, it is most probably a malicious version of the library," and mine is only around 14 kb.

ls -als | grep libkeyutils*
Binary file libkeyutils.so.1.5 matches
and a simple 'ls -als' shows:
0 lrwxrwxrwx 1 root root 18 Jan 17 21:56 libkeyutils.so.1 -> libkeyutils.so.1.5
16 -rw-r--r-- 1 root root 14256 Dec 10 2015 libkeyutils.so.1.5
in the list.

but this comes up clean:
find /lib* -type f -name libns2.so

and this comes back empty as well:
sudo netstat -nap | grep "@/proc/udevd"

So now I think there is a good chance I am not infected, but still am wary.
From what I've read this 'libkeyutils.so.1 -> libkeyutils.so.1.5' is really important. How does one verify they have a good version? Any other recommendations? Maybe I am just paranoid?

I skimmed through a 69 page pdf called Operation Windigo yesterday and this is a serious threat. People often say Linux is secure but reading this document would have made my hair curl if I had any. That's here if anyone is interested:
http://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf

But even so I am really liking Flidas.
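The indicator checks run by hand in the post above (ipcs -m, the @/proc/udevd listener, the libns2.so helper and the 25 KB rule for libkeyutils) can be wrapped so that captured output is examined the same way every time. The script below is an added example, not code from the thread, cert-bund or chkrootkit; each check is a function that prints "indicator" or "clean", the sample outputs are constructed to mirror what the post quotes, and the 3 MB shared-memory threshold is an assumption taken from the quoted example rather than a published rule.

```shell
#!/bin/sh
# Added example, not from the thread: the Ebury/Windigo indicator checks the
# post runs by hand, each as a function printing "indicator" or "clean". The
# functions take captured output or directories as arguments, so they run
# offline against the constructed samples below as well as on a live system.

# ipcs -m: a root-owned segment with mode 666, several megabytes large and
# attached to no process, as in the cert-bund example quoted in the post.
# The 3 MB threshold is an assumption matching that example.
check_shm() {
  printf '%s\n' "$1" | awk '
    $3 == "root" && $4 == "666" && $5 + 0 >= 3000000 && $6 == 0 { hit = 1 }
    END { print (hit ? "indicator" : "clean") }'
}

# netstat -nap (or ss -xlp): a listener on the abstract UNIX socket
# "@/proc/udevd" is the backdoor endpoint the thread looks for.
check_udevd_socket() {
  if printf '%s\n' "$1" | grep -q '@/proc/udevd'; then echo indicator; else echo clean; fi
}

# find /lib* -type f -name libns2.so: the helper library should not exist.
# Arguments are the directories to search (e.g. /lib /lib64 /usr/lib).
check_libns2() {
  if [ -n "$(find "$@" -type f -name libns2.so 2>/dev/null)" ]; then echo indicator; else echo clean; fi
}

# libkeyutils: the cert-bund rule quoted in the post is that a copy larger
# than 25 kilobytes is most probably the patched library. $1 is the path.
check_libkeyutils_size() {
  size=$(wc -c < "$1" | tr -d ' ')
  if [ "$size" -gt 25600 ]; then echo indicator; else echo clean; fi
}

# Constructed samples; the "infected" ones mirror the outputs quoted above.
SHM_INFECTED='------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch
0x000006e0 65538      root       666        3283128    0'
SHM_CLEAN='------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch
0x00000000 32768      george     600        524288     2'
NETSTAT_INFECTED='unix  2      [ ACC ]     STREAM     LISTENING     5597     2529/atd            @/proc/udevd'
NETSTAT_CLEAN='unix  2      [ ACC ]     STREAM     LISTENING     1234     1/systemd           /run/dbus/system_bus_socket'

# Run every check against the live machine (netstat -p needs root).
run_live() {
  echo "shm:         $(check_shm "$(ipcs -m)")"
  echo "udevd sock:  $(check_udevd_socket "$(netstat -nap 2>/dev/null)")"
  echo "libns2.so:   $(check_libns2 /lib /lib64 /usr/lib)"
  echo "libkeyutils: $(check_libkeyutils_size /lib/x86_64-linux-gnu/libkeyutils.so.1.5)"
}

# Demonstration on the constructed samples.
echo "sample shm (infected):     $(check_shm "$SHM_INFECTED")"
echo "sample shm (clean):        $(check_shm "$SHM_CLEAN")"
echo "sample netstat (infected): $(check_udevd_socket "$NETSTAT_INFECTED")"
echo "sample netstat (clean):    $(check_udevd_socket "$NETSTAT_CLEAN")"
```

Call run_live as root to check the machine itself. A "clean" result from all four checks only says that these particular Ebury artifacts are absent; as the post notes from cert-bund, the shared-memory segment does not exist until the first exfiltration, so a freshly rebooted host can pass check_shm while still being infected, and a verdict of "indicator" on a host you cannot trust should lead to the reinstall the post chose rather than an attempt to clean.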

Legimet
Offline
Joined: 12/10/2013

The ssh -G test no longer works since -G is a legitimate option since OpenSSH 6.8. See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=796599, https://www.openssh.com/txt/release-6.8, and https://github.com/eset/malware-ioc/tree/master/windigo.

Meanwhile, I highly recommend using key-based authentication for ssh (and disabling password authentication), as well as a firewall.

Magic Banana

I am a member!

I am a translator!

Offline
Joined: 07/24/2010

Try to execute this command:
$ md5sum /lib/x86_64-linux-gnu/libkeyutils.so.1.5
If Trisquel 8's version of libkeyutils1 is 1.5.9-8ubuntu1 (I am still on Trisquel 7), you should get this output:
f1b8d7d79b596bd7b333ec8cd6b0b6115dda670a /lib/x86_64-linux-gnu/libkeyutils.so.1.5
I indeed got this checksum from Ubuntu 16.04's file, which I downloaded from http://packages.ubuntu.com/xenial/amd64/libkeyutils1/download.

Geshmy
Offline
Joined: 04/23/2015

sudo md5sum /lib/x86_64-linux-gnu/libkeyutils.so.1.5
45598330193c7f910453f603b358edd4 /lib/x86_64-linux-gnu/libkeyutils.so.1.5

That doesn't look right, eh?

This is the one I have:
/lib/x86_64-linux-gnu/libkeyutils.so.1.5
vs
libkeyutils1_1.5.9-8ubuntu1_amd64.deb
Does that make a difference?

Legimet
Offline
Joined: 12/10/2013

45598330193c7f910453f603b358edd4 is right. I just downloaded the package and that is what I get. You should be fine.

Magic Banana

I am a member!

I am a translator!

Offline
Joined: 07/24/2010

Is Trisquel's version of the libkeyutils1 package not 1.5.9-8ubuntu1? If it is, isn't its build "reproducible" ( as in https://wiki.debian.org/ReproducibleBuilds )? If both answers are "yes", isn't it possible that Trisquel's infrastructure was compromised?

Legimet
Offline
Joined: 12/10/2013

No, I downloaded the Ubuntu package (1.5.9-8ubuntu1), and that is the checksum that I got.

Magic Banana

I am a member!

I am a translator!

Offline
Joined: 07/24/2010

I do not know what I did wrong the first time but I tried again and indeed got 45598330193c7f910453f603b358edd4. Sorry for the mistake.
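The exchange above compares the md5sum of the installed libkeyutils.so.1.5 with the checksum of the same file in the distribution's package. On a dpkg-based system such as Trisquel the package manager already records one "md5  path" line per installed file in /var/lib/dpkg/info/<package>.md5sums, so the comparison can be scripted. The function below is an added example, not code from the thread or from dpkg; it takes the md5sums list as an argument (the real file, or one saved from a package downloaded from the mirror as Legimet did), and the sample list and file in the demonstration are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: compare a file's md5sum with the
# checksum recorded for it in a dpkg-style md5sums list. Each line of such a
# list is "<md5>  <path without leading slash>".

# verify_against_md5sums <md5sums-file> <absolute path of file> [root]
# Prints "ok", "mismatch" or "not-listed". The optional root lets a saved
# list be checked against a mounted or extracted tree instead of /.
verify_against_md5sums() {
  list=$1
  path=$2
  root=${3:-/}
  rel=${path#/}
  expected=$(awk -v p="$rel" '$2 == p { print $1; exit }' "$list")
  if [ -z "$expected" ]; then
    echo not-listed
    return 0
  fi
  actual=$(md5sum "$root/$rel" | awk '{ print $1 }')
  if [ "$actual" = "$expected" ]; then
    echo ok
  else
    echo mismatch
  fi
}

# Demonstration on a constructed tree: a stand-in library file and a one-line
# md5sums list computed from it, so the script runs offline.
demo() {
  d=$(mktemp -d)
  mkdir -p "$d/lib/x86_64-linux-gnu"
  printf 'constructed stand-in for libkeyutils.so.1.5\n' \
    > "$d/lib/x86_64-linux-gnu/libkeyutils.so.1.5"
  h=$(md5sum "$d/lib/x86_64-linux-gnu/libkeyutils.so.1.5" | awk '{ print $1 }')
  printf '%s  lib/x86_64-linux-gnu/libkeyutils.so.1.5\n' "$h" > "$d/libkeyutils1.md5sums"
  echo "untouched file: $(verify_against_md5sums "$d/libkeyutils1.md5sums" /lib/x86_64-linux-gnu/libkeyutils.so.1.5 "$d")"
  printf 'patched\n' >> "$d/lib/x86_64-linux-gnu/libkeyutils.so.1.5"
  echo "modified file:  $(verify_against_md5sums "$d/libkeyutils1.md5sums" /lib/x86_64-linux-gnu/libkeyutils.so.1.5 "$d")"
  echo "unknown file:   $(verify_against_md5sums "$d/libkeyutils1.md5sums" /lib64/libns2.so "$d")"
  rm -rf "$d"
}

demo
```

On a live system the call is verify_against_md5sums /var/lib/dpkg/info/libkeyutils1:amd64.md5sums /lib/x86_64-linux-gnu/libkeyutils.so.1.5 (the debsums package does the same for every installed package). The caveat is the one the thread itself illustrates: whoever replaced the library on a compromised host can also edit the md5sums file, so the list worth trusting is the one taken from a package fetched from the mirror, which is what Legimet did to settle the question.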

Geshmy
Offline
Joined: 04/23/2015

O.K, that's reassuring, thanks guys. Also I haven't had a reason to use ssh for a while but I'll remember to set up the key-based authentication when I do. Thanks again.

Legimet
Offline
Joined: 12/10/2013

If you don't use it, then disable it:
systemctl disable ssh

Geshmy
Offline
Joined: 04/23/2015

This is a little more info.
1. Yes - it does have a different name.

locate libkeyutils.so
/lib/x86_64-linux-gnu/libkeyutils.so.1
/lib/x86_64-linux-gnu/libkeyutils.so.1.5

sudo md5sum /lib/x86_64-linux-gnu/libkeyutils.so.1.5
45598330193c7f910453f603b358edd4 /lib/x86_64-linux-gnu/libkeyutils.so.1.5

file /lib/x86_64-linux-gnu/libkeyutils.so.1
/lib/x86_64-linux-gnu/libkeyutils.so.1: symbolic link to libkeyutils.so.1.5

It's still not bloated to above 25 kb:
ls -als /lib/x86_64-linux-gnu | grep libkeyutils.so.1.5
0 lrwxrwxrwx 1 root root 18 Jan 17 21:56 libkeyutils.so.1 -> libkeyutils.so.1.5
16 -rw-r--r-- 1 root root 14256 Dec 10 2015 libkeyutils.so.1.5

The netstat test is clean and the helper file 'libns2.so' is not found so this reinstall seems ok.

2nd Question: I will look at that Debian page you cited. It's not something I've ever done so it may take a while to process.

Trisquel 8 is here:
http://jenkins.trisquel.info/makeiso/iso/

repository info
sudo apt-get update
Hit:1 http://es.archive.trisquel.info/trisquel flidas InRelease
Hit:2 http://es.archive.trisquel.info/trisquel flidas-security InRelease
Get:3 http://es.archive.trisquel.info/trisquel flidas-updates InRelease [6,082 B]
Hit:4 http://es.archive.trisquel.info/trisquel flidas-backports InRelease
Get:5 http://es.archive.trisquel.info/trisquel flidas-updates/main Sources [310 kB]
Get:6 http://es.archive.trisquel.info/trisquel flidas-updates/main amd64 Packages [765 kB]
Get:7 http://es.archive.trisquel.info/trisquel flidas-updates/main i386 Packages [756 kB]
Fetched 1,837 kB in 2s (654 kB/s)
Reading package lists... Done

Geshmy
Offline
Joined: 04/23/2015

Uruk eh? I'll have to check it out.

If you can't get to the forum with Abrowser you would be the fourth person I know of having had that issue recently. 2 with Midori and 2 with Abrowser. brashley46 posted screenshots at https://trisquel.info/en/forum/flidas-and-abrowser of midori trouble and dany4president opened up a similar post.

Browsers having trouble going where they are trying to could certainly be a sign of our web server being compromised. DNS misdirection is the first step in getting victims to land at a site that installs malware on their computers before it finally serves up the web page requested like a proxy server. My experience was after accepting the certificate overriding what Abrowser wanted me to do, trisquel.info took minutes to finally load up using all available cpu cycles while waiting. The initial web server wouldn't be serving malware but rather a very limited (to avoid detection) number of redirections to vulnerable clients (come to think of it, I remember seeing a trisquel cookie that simply said, "has_javascript" or something to that order). I do not have much expertise in all this but the scary thing is that a compromised server starts with a back door that is very hard to find and get rid of. And that might come about if say the web master used ssh from another server already compromised thereby having his credentials stolen. But all the information I can find on the Windigo family of malware is at least a year old and most two years or more. Throughout all that time the gang behind was continually changing components and how it worked. Every time a study was released on it, they would change it so that the known info no longer applied.

After a new install, I am having no problem accessing the forum with Abrowser, now. Trisquel 8 with Mate Desktop looks really cool and I guess it's an early alpha or whatever so some hiccups are to be expected. I was just having problems installing brasero and gave up for now. Last night I tried banshee and was surprised by a hook download of 172 new CA-certs. After my recent experience that made me nervous. I just uninstalled it.

Looking at Uruk web page, is that xfce desktop? Oh, says mate. Is that with Docker? What kind of browser do you get? I see they have done a lot of work in the package management area.

Well, we all got to be on our toes :) cause something may be afoot. Heh,he.

Pyraman
Offline
Joined: 06/05/2014

WTF Trisquel infrastructure is backdoored now?

Magic Banana

I am a member!

I am a translator!

Offline
Joined: 07/24/2010

No, it is not. It was my mistake. I apologized in https://trisquel.info/forum/i-think-i-caught-widigo#comment-109359

Geshmy
Offline
Joined: 04/23/2015

Re Trisquel infrastructure: I sure hope not. I'm loving Trisquel 8 so far.

I definitely got a root kit though so I am reformatting my whole system. And it really lit a fire under my fanny to figure out much more about how to protect myself. The internet is one scary monster these days. I don't know where it came from.

Just reinstalled Trisquel 8 and ran all the tests listed in my opening and seem clean. I had already reinstalled once but I decided to do a complete reformat of a multiboot system. Honestly, I don't know if that will be enough. I had tails on a stick but now my PC doesn't seem to want to acknowledge the possibility of booting to a usb device. Maybe firmware was altered. I'd hate to think it but...

I installed noscript right away because I've read that javascript presents one vulnerability to the dns redirect. And I learned that noscript's ABE functionality is no joke. It has the intention of stopping malware from learning about your LAN and passing exploits to your routers etc.

re our server, there was a test I read about to try and it came out ok:

Test to see if a server is compromised with Linux/Cdorked (part of the Windigo operation family)
Command and result on infected:
$ curl -i http://myserver/favicon.iso | grep "Location:"
Location: http://google.com/

My Trisquel.info test:
curl -i https://trisquel.info/favicon.iso | grep "Location:"
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- 0:00:01 --:--:-- 0
Location: https://trisquel.info/en/favicon.iso

But if Abrowser complains about a cert, I'll be getting out of there from now on!

Maintain a huge hosts file.

Another up and coming attack vector is trusted apps. I'm not sure I want to easily trust Firefox plugins.

re hash sums:
Some hash sum and other info is at https://github.com/eset/malware-ioc/tree/master/windigo/
there is a list of md5hash sums on infected sshd, ssh, ssh-add and target of the libkeyutils.so.1 symbolic link, also httpd, nginx, lighttpd and bind. I only have ssh, ssh-add and libkeyutils.so.1.5. and my hash sums of those don't fit the Windigo profile.

Well, I'm off to adjust my about:config (just found out about about:about, kind of cool.)
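The Linux/Cdorked check in the post above fetches /favicon.iso with curl and looks for a Location header pointing off the site. The script below is an added example, not code from the thread or from the ESET report, that does the same comparison on captured response headers: it extracts the host from the Location header and reports whether the redirect leaves the expected host, which is what distinguishes the google.com redirect quoted above from trisquel.info's own redirect to /en/favicon.iso. The two header samples are constructed from the outputs quoted in the post.

```shell
#!/bin/sh
# Added example, not from the thread: the Cdorked favicon.iso redirect check
# as a function over captured HTTP response headers. Prints "offsite-redirect"
# when Location points to another host, "same-host" when it stays on the
# expected host, and "no-redirect" when there is no Location header.

# location_host <headers>: print the host part of the first Location header.
location_host() {
  printf '%s\n' "$1" | tr -d '\r' | awk '
    tolower($1) == "location:" {
      url = $2
      sub("^[a-z]+://", "", url)   # strip the scheme
      sub("[/:?].*$", "", url)     # keep only the host name
      print url
      exit
    }'
}

# check_redirect <expected host> <headers>
check_redirect() {
  host=$(location_host "$2")
  if [ -z "$host" ]; then
    echo no-redirect
  elif [ "$host" = "$1" ]; then
    echo same-host
  else
    echo offsite-redirect
  fi
}

# check_server <host>: fetch the probe URL from a live server and classify it.
# curl -s is silent, -i includes the response headers in the output.
check_server() {
  check_redirect "$1" "$(curl -si "https://$1/favicon.iso")"
}

# Constructed header samples mirroring the two outputs quoted in the post.
INFECTED_HEADERS='HTTP/1.1 302 Found
Server: Apache
Location: http://google.com/
Content-Length: 0'
CLEAN_HEADERS='HTTP/1.1 301 Moved Permanently
Server: nginx
Location: https://trisquel.info/en/favicon.iso
Content-Length: 0'

echo "infected sample: $(check_redirect myserver "$INFECTED_HEADERS")"
echo "clean sample:    $(check_redirect trisquel.info "$CLEAN_HEADERS")"
```

Run check_server trisquel.info to repeat the post's live test. The check covers only the behaviour the thread quotes, a redirect of a probe URL to an unrelated host; a same-host redirect such as the /en/ localization above is normal, and a server that passes this probe can still be compromised in ways this check does not see.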

SuperTramp83

I am a translator!

Offline
Joined: 10/31/2014

>Maybe firmware was altered. I'd hate to think it but...

That is possible, but it requires a powerful attacker. Script kiddo can't do that AFAIK.

>And I learned that noscript's ABE functionality is no joke. It has the intention of stopping malware from learning about your LAN and passing exploits to your routers etc.

Indeed. Noscript is mandatory. Even with "allow script globally" it will still make your browser much more secure.

Geshmy
Offline
Joined: 04/23/2015

Operation Windigo is a highly sophisticated attack, ever changing, linked to command and control centers and compromising web servers serving up malicious dns answers so that the victim is relayed through chains of compromised servers, installing back doors (accessible through ssh and through http headers) and spam bots. Because my case was evidenced in the same ways that were reported back in 2014 or earlier, it may be that it was someone not associated with the 'gang' that started it. I say that because it's reported that every time an analysis about their operation was released, they quickly altered their code to hide it from the testing tools that security professionals had developed.

I mentioned a pdf at the end of my opening post. It is 69 pages and really goes into detail. Anyone who thinks Linux is very secure ought to read it. I don't think it is secure enough by default. Below is an opening summary from that document to whet your appetite.
(It appears that this statement was made around February, 2014)

'• The Windigo operation has been ongoing since at least 2011
• More than 25,000 unique servers have been compromised in the last two years
• A wide range of operating systems have been compromised by the attackers; Apple OS X,
OpenBSD, FreeBSD, Microsoft Windows (through Cygwin) and Linux, including Linux
on the ARM architecture
• Malicious modules used in Operation Windigo are designed to be portable. The spam-sending
module has been seen running on all kinds of operating systems while the SSH backdoor has been
witnessed both on Linux and FreeBSD servers
• Well known organizations including cPanel and Linux Foundation (kernel.org) fell victim of this operation
• Windigo is responsible for sending an average of 35 million spam messages on a daily basis
• More than 700 web servers are currently redirecting visitors to malicious content
• Over half a million visitors to legitimate websites hosted on servers compromised by Windigo
are being redirected to an exploit kit every day
• The success rate of exploitation of visiting computers is approximately 1%
• The malicious group favors stopping malicious activity over being detected
• The quality of the various malware pieces is high: stealthy, portable, sound cryptography
(session keys and nonces) and shows a deep knowledge of the Linux ecosystem
• The HTTP backdoor is portable to Apache’s httpd, Nginx and lighttpd
• The gang maximizes available server resources by running different malware and activities
depending on the level of access they have
• No vulnerabilities were exploited on the Linux servers; only stolen credentials were leveraged.
We conclude that password-authentication on servers should be a thing of the past.'

The latest reporting I've been able to find about Windigo is from 2015 but in my searching I've seen that there is an ever growing listing of exploits that attack GNU/Linux. One reason is the popularity of Android. These days people, including hackers, can do almost all their computing on their phone.

Also, Jodiendo's post here fits right in:
https://trisquel.info/en/forum/hacker-news-twitter-dnschanger-malware-back. I disabled the dns server on my routers which though commercial run some form of linux I am sure.

Here's a quote from an interview with Linus Torvalds in the November, 2016 issue of Linux Pro Magazine:

"But, I have to say, some of those attack people are pretty smart people, and clearly they are not all criminals; some of them work for the government."

Re the firmware issue, I need to install tails to fresh thumb drive and try that.

Anonymous (not verified)
Anonymous

Could you give me a link to the pdf file?

SuperTramp83

I am a translator!

Offline
Joined: 10/31/2014

He already provided the link at the end of the initial post.
Here.
http://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf

>clearly they are not all criminals; some of them work for the government.

lulz

Anonymous (not verified)
Anonymous

Oh, I didn't see that. Thanks!