
Killdisk Malware Targets Linux


V.T. Eric Layton


securitybreach

That sounds good and all, but how are they escalating the privileges? The article mentions that they are encrypting various folders under / but that cannot be done, for a couple of reasons. To begin with, I do not think you can encrypt a mounted volume, and even if you could, I know for a fact you cannot encrypt or modify a folder outside of /home without root access. You also cannot write to the boot sector without root privileges either. There have to be more details for me to take this as a threat.


That, and I highly doubt they are targeting home users, as no one would be able to pay what they are asking.


securitybreach

Too bad that they didn't bother to quote the most important part of the source article:

ESET researchers have discovered a Linux variant of the KillDisk malware that was used in Ukraine in attacks against the country’s critical infrastructure in late 2015 and against a number of targets within its financial sector in December 2016.


http://www.welivesec...m-cant-decrypt/


This was a targeted attack back in 2015.


I don't know near enough about this stuff, but if you could "gain access" to someone's remote machine, why couldn't you mount the remote drive and chroot into the entire / directory to wreak havoc? On the flip side, if it was that easy, I'm sure someone would've done it before...or someone would've already come up with a "block" for that. Theoretically, why isn't that a practical attack vector?


securitybreach

why couldn't you mount the remote drive and chroot into the entire / directory to wreak havoc? On the flip side, if it was that easy, I'm sure someone would've done it before...or someone would've already come up with a "block" for that. Theoretically, why isn't that a practical attack vector?


Because of the separation of root and user. You could chroot into an install with a live CD because of the way you mount the partitions. You could also use a kernel line on your bootloader to boot single mode, which would log you in as root, but you cannot do that remotely.


You cannot already be booted into Linux and then chroot into it. It doesn't work like that.

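The "separation of root and user" that securitybreach relies on in the posts above (and the earlier claim that nothing outside /home can be modified without root) comes down to the POSIX discretionary access check the kernel runs on every write. The script below is an added illustration, not code from this thread or from ESET's analysis: it models that check over a constructed snapshot of a typical install and reports which system paths a given account could write to. The inodes, uids and group ids are invented sample values; the one real nuance it shows is that membership in the disk group (gid 6 on Debian-style systems, assumed here) grants write access to the raw block device, which is effectively root-equivalent for the boot-sector concern raised in the first post.

```python
"""POSIX DAC write-permission model: who can write where on a Linux box.

Added example for the forum thread on KillDisk/Linux; not part of the
original discussion.  The filesystem snapshot below is constructed.
"""
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Inode:
    path: str
    mode: int   # permission bits as in st_mode & 0o7777, e.g. 0o755
    uid: int
    gid: int


@dataclass(frozen=True)
class Subject:
    uid: int
    gids: frozenset  # primary + supplementary groups


def can_write(subject: Subject, inode: Inode) -> bool:
    """Mirror the kernel's owner/group/other write check.

    uid 0 carries CAP_DAC_OVERRIDE, so root bypasses the bits entirely;
    everyone else is matched against exactly one class of bits, in order.
    """
    if subject.uid == 0:
        return True
    if subject.uid == inode.uid:
        return bool(inode.mode & stat.S_IWUSR)
    if inode.gid in subject.gids:
        return bool(inode.mode & stat.S_IWGRP)
    return bool(inode.mode & stat.S_IWOTH)


# Constructed snapshot of a typical install (uids/gids are sample values).
SAMPLE_FS = [
    Inode("/", 0o755, 0, 0),
    Inode("/boot", 0o755, 0, 0),
    Inode("/etc", 0o755, 0, 0),
    Inode("/dev/sda", 0o660, 0, 6),            # group 'disk' (assumed gid 6)
    Inode("/home/alice", 0o750, 1000, 1000),
    Inode("/home/alice/Documents", 0o755, 1000, 1000),
    Inode("/tmp", 0o1777, 0, 0),               # world-writable but sticky
    Inode("/var/www/html", 0o777, 33, 33),     # misconfiguration: world-writable
]


def writable_paths(subject: Subject, fs=SAMPLE_FS) -> list:
    """Every path in the snapshot the subject could open for writing."""
    return [i.path for i in fs if can_write(subject, i)]


def audit(subject: Subject, fs=SAMPLE_FS, home_prefix="/home/") -> list:
    """Paths outside the user's home that the subject can write to.

    Sticky shared directories such as /tmp are expected to be writable and
    are skipped.  A non-empty result for an unprivileged account means the
    root/user separation assumed in the thread does not hold on this host.
    """
    flagged = []
    for inode in fs:
        if inode.path.startswith(home_prefix):
            continue
        if inode.mode & stat.S_ISVTX:
            continue
        if can_write(subject, inode):
            flagged.append(inode.path)
    return flagged


if __name__ == "__main__":
    alice = Subject(uid=1000, gids=frozenset({1000}))
    disk_member = Subject(uid=1001, gids=frozenset({1001, 6}))
    root = Subject(uid=0, gids=frozenset({0}))
    for name, subj in (("alice", alice), ("disk member", disk_member), ("root", root)):
        print(f"{name:12s} can write outside home: {audit(subj)}")
```

For an ordinary account the only finding is the world-writable web root; the disk-group member additionally gets the raw device, which is exactly the boot-sector write path that the first post says requires root. Swapping the constructed snapshot for real `os.stat` results (and `os.getuid()`/`os.getgroups()` for the subject) turns this into a quick host audit of whether the assumption in the thread actually holds.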

why couldn't you mount the remote drive and chroot into the entire / directory to wreak havoc? On the flip side, if it was that easy, I'm sure someone would've done it before...or someone would've already come up with a "block" for that. Theoretically, why isn't that a practical attack vector?


Because of the separation of root and user. You could chroot into an install with a live CD because of the way you mount the partitions. You could also use a kernel line on your bootloader to boot single mode, which would log you in as root, but you cannot do that remotely.


You cannot already be booted into Linux and then chroot into it. It doesn't work like that.


That answers it. Wasn't aware that you couldn't mount a remote directory as root. Wouldn't know how to do it if you could, but didn't know that you couldn't... Thanks SB!


securitybreach

That answers it. Wasn't aware that you couldn't mount a remote directory as root. Wouldn't know how to do it if you could, but didn't know that you couldn't... Thanks SB!


Well, if a directory/partition is already mounted, you cannot mount it again without unmounting it first, and you cannot unmount a running file system.

