V.T. Eric Layton (Posted January 5, 2017)
Check out Corrine's posting here --> http://forums.scotsnewsletter.com/index.php?showtopic=91664&hl=
securitybreach (Posted January 5, 2017)
That sounds good and all, but how are they escalating the privileges? The article mentions that they are encrypting various folders under / but that cannot be done for a couple of reasons. To begin with, I do not think you can encrypt a mounted volume, and even if you could, I know for a fact you cannot encrypt or modify a folder outside of /home without root access. You also cannot write to the boot sector without root privileges either. There have to be more details for me to take this as a threat. That, and I highly doubt they are targeting home users, as no one would be able to pay what they are asking.
securitybreach (Posted January 5, 2017)
Too bad that they didn't bother to quote the most important part of the source article:

> ESET researchers have discovered a Linux variant of the KillDisk malware that was used in Ukraine in attacks against the country's critical infrastructure in late 2015 and against a number of targets within its financial sector in December 2016.

http://www.welivesec...m-cant-decrypt/

This was a targeted attack back in 2015.
Hedon James (Posted January 5, 2017)
I don't know near enough about this stuff, but if you could "gain access" to someone's remote machine, why couldn't you mount the remote drive and chroot into the entire / directory to wreak havoc? On the flip side, if it was that easy, I'm sure someone would've done it before... or someone would've already come up with a "block" for that. Theoretically, why isn't that a practical attack vector?
securitybreach (Posted January 5, 2017)
> why couldn't you mount the remote drive and chroot into the entire / directory to wreak havoc? On the flip side, if it was that easy, I'm sure someone would've done it before... or someone would've already come up with a "block" for that. Theoretically, why isn't that a practical attack vector?

Because of the separation of root and user. You could chroot into an install with a livecd because of the way you mount the partitions. You could also use a kernel line on your bootloader to boot single mode, which would log you in as root, but you cannot do that remotely. You cannot already be booted into Linux and then chroot into it. It doesn't work like that.
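The root/user separation securitybreach relies on in the two answers above is the kernel's discretionary access control check: owner, group and other permission bits decide whether a process may write a file, and only uid 0 bypasses them. The following is an added example (not code from the thread or from ESET) that models that check and runs it over a constructed table of the paths discussed; the owners, groups and modes in the table are assumptions about a typical distro, not readings from any real system.

```python
# Added example: Unix DAC write check, showing why a non-root process can
# encrypt files under its own home but cannot modify /boot, /etc or a raw disk.
import os
import stat


def can_write(st_uid: int, st_gid: int, st_mode: int, uid: int, gids: set) -> bool:
    """Classic mode-bit check. Ignores POSIX ACLs, capabilities other than
    root's implicit override, and mount options such as read-only."""
    if uid == 0:                      # root bypasses the permission bits
        return True
    if uid == st_uid:                 # owner class
        return bool(st_mode & stat.S_IWUSR)
    if st_gid in gids:                # group class
        return bool(st_mode & stat.S_IWGRP)
    return bool(st_mode & stat.S_IWOTH)  # others


# Constructed stat-like records (uid, gid, mode) for the paths in the thread.
# Assumption: gid 6 is the "disk" group, as on Debian-like systems.
SAMPLE_FS = {
    "/boot":            (0, 0, 0o40755),
    "/etc/fstab":       (0, 0, 0o100644),
    "/dev/sda":         (0, 6, 0o60660),
    "/home/user/notes": (1000, 1000, 0o100644),
}


def audit(fs: dict, uid: int, gids: set) -> dict:
    """Return, for each path in a stat table, whether `uid` could modify it."""
    return {p: can_write(u, g, m, uid, gids) for p, (u, g, m) in fs.items()}


def audit_live(paths, uid=None, gids=None) -> dict:
    """Same check against the running host via os.stat; missing paths are
    skipped. Defaults to the identity of the current process."""
    uid = os.geteuid() if uid is None else uid
    gids = (set(os.getgroups()) | {os.getegid()}) if gids is None else gids
    out = {}
    for p in paths:
        try:
            st = os.stat(p)
        except FileNotFoundError:
            continue
        out[p] = can_write(st.st_uid, st.st_gid, st.st_mode, uid, gids)
    return out


if __name__ == "__main__":
    print("as uid 1000:", audit(SAMPLE_FS, 1000, {1000}))
    print("as root:    ", audit(SAMPLE_FS, 0, {0}))
```

Running the live audit as an unprivileged account is a quick way to confirm on a real box which of these targets that account could actually touch.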
Hedon James (Posted January 6, 2017)
> Because of the separation of root and user. You could chroot into an install with a livecd because of the way you mount the partitions. You could also use a kernel line on your bootloader to boot single mode, which would log you in as root, but you cannot do that remotely. You cannot already be booted into Linux and then chroot into it. It doesn't work like that.

That answers it. Wasn't aware that you couldn't mount a remote directory as root. Wouldn't know how to do it if you could, but didn't know that you couldn't... Thanks SB!
securitybreach (Posted January 6, 2017)
> That answers it. Wasn't aware that you couldn't mount a remote directory as root. Wouldn't know how to do it if you could, but didn't know that you couldn't... Thanks SB!

Well, if a directory/partition is already mounted, you cannot mount it again without unmounting it first, and you cannot unmount a running file-system.