
Firewall question


Wamukota


I run a Linux Mint MATE 17.3 workstation behind a router from my ISP and I have UFW enabled with the default settings.

Suppose I downloaded and installed the tampered Linux Mint 17.3 ISO with the Tsunami backdoor.

In this case the malware could be installed on the servers due to a security breach in a WordPress plugin, but I suppose a tampered ODT or PDF file could be used just as well to install malware on my laptop.

Would the default firewall settings be enough to prevent my system from being used by the Linux Mint downloader/IRC bot backdoor?

If not, what settings must I apply to iptables to allow normal desktop use of my laptop and prevent unwanted/malware services from generating incoming/outgoing traffic?

If there are no settings that prevent any incoming/outgoing malware-generated traffic, what is the use of a firewall then?


The better malware will piggyback on common ports and protocols, but if you do not use IRC you could block them. But IRC does not *have* to use the standard port range (I think 6660-6669), and IRC clients can be set up to work through firewalls.

This page might help you set up your system: http://www.irchelp.org/irchelp/security/

 

Also, check out www.glasswire.com


securitybreach

It also depends on whether the malware uses a random port or just the standard IRC port. From what I have seen over the years, most C&C bots do not use standard ports and the control channels are hidden, so unless you know both the port and the channel, you're not going to know what to block.

Basically, unless you set up your firewall to only allow certain ports to send information from your machine, there is not much you can do to stop it. Even if you only have the ports required by the browser (80, 8080 or 443) enabled, they can just as easily use the same ports for the C&C bot.

Like most things in security, it's a game of cat and mouse. You either have to fix it after the fact, or stay off the radar by either using obscure ports or completely locking down your machine to the point of it not being usable.

The problem with the Linux Mint ISO issue was that the developers didn't bother to configure it correctly.

 

http://blog.linuxmint.com/?p=2994

https://blogs.forcepoint.com/security-labs/mint-linux-website-breach-lead-trojanised-iso-and-data-theft

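Worked example added by the editor, not code from either reply above: the egress policy the two replies describe (block the standard IRC port range, and otherwise let only the ports a desktop actually needs open new outbound connections, which UFW's default "allow outgoing" does not do) written out as an iptables-restore ruleset produced by a small shell function. The allowed port lists, the IRC port set (6660-6669 from the first reply, plus 6697 and 7000, which are common IRC and IRC-over-TLS ports) and the log prefixes are assumptions chosen for illustration, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the original thread): generate a default-deny egress
# policy for a single desktop in iptables-restore format.
# Assumptions (hypothetical, adjust to taste): which ports are "normal desktop
# use", the IRC port set, the log prefixes and the 5/min log rate limit.

ALLOWED_TCP_OUT="${ALLOWED_TCP_OUT:-80 443}"   # web and apt over HTTP/HTTPS
ALLOWED_UDP_OUT="${ALLOWED_UDP_OUT:-53 123}"   # DNS and NTP
IRC_PORTS="6660:6669,6697,7000"                # standard IRC range + common TLS/alt ports

# Emits a complete *filter table. Load with: sudo iptables-restore < egress.rules
egress_ruleset() {
    echo '*filter'
    echo ':INPUT DROP [0:0]'                 # same as UFW's default "deny incoming"
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT DROP [0:0]'                # the part UFW's defaults lack: deny outgoing
    echo ':LOG_DROP - [0:0]'                 # custom chain: log (rate-limited) then drop

    # loopback and replies to connections we already allowed
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A OUTPUT -o lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'

    # IRC first, with its own log prefix, so a bot dialling the standard range
    # shows up by name in the kernel log rather than as a generic egress drop.
    echo "-A OUTPUT -p tcp -m multiport --dports $IRC_PORTS -m limit --limit 5/min -j LOG --log-prefix \"IRC-OUT: \""
    echo "-A OUTPUT -p tcp -m multiport --dports $IRC_PORTS -j REJECT --reject-with tcp-reset"

    # only NEW connections to the listed ports may leave the machine
    for p in $ALLOWED_TCP_OUT; do
        echo "-A OUTPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    for p in $ALLOWED_UDP_OUT; do
        echo "-A OUTPUT -p udp --dport $p -j ACCEPT"
    done

    # everything else outbound is logged (rate-limited) and dropped
    echo '-A OUTPUT -j LOG_DROP'
    echo '-A LOG_DROP -m limit --limit 5/min -j LOG --log-prefix "EGRESS-DROP: "'
    echo '-A LOG_DROP -j DROP'
    echo 'COMMIT'
}

# Stand-alone use: print the ruleset so it can be reviewed before loading.
egress_ruleset
```

Review the output, then `sudo iptables-restore < egress.rules`; dropped attempts appear in `journalctl -k` with the `EGRESS-DROP:` or `IRC-OUT:` prefix, which is how you discover the ports your own desktop programs still need. The UFW equivalent is `sudo ufw default deny outgoing` followed by one `sudo ufw allow out <port>/<proto>` per allowed port. The caveat from the second reply still holds: a bot that talks to its C&C over 443 passes this policy unchanged. The one further lever iptables offers on a desktop is the `owner` match (`-m owner --uid-owner`), which ties an allowed port to the account that should be using it; that helps only if the browser and the compromised process run as different users.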
