Linux malware based on publicly available cd00r.c

mike acker

Linux malware based on publicly available cd00r.c

Post by mike acker »

Reference to an article on ZDNet

Excerpt
However, the Linux malware is based on an old and publicly available proof-of-concept backdoor known as 'cd00r.c', developed by hackers at phenoelit.org to solve the visibility 'problem' of standard backdoors. As phenoelit.org noted at the time, cd00r.c could be used for attack or defence.

"Standard backdoors and remote access services have one major problem: The ports they are listening on are visible on the system console as well as from outside (by port scanning)," phenoelit.org explains.

"The approach of cd00r.c is to provide remote access to the system without showing an open port all the time. This is done by using a sniffer on the specified interface to capture all kinds of packets. The sniffer is not running in promiscuous mode to prevent a kernel message in syslog and detection by programs like AntiSniff."

"Sniffer", eh? My question then is: how would such a sniffer get into the system?
¡Viva la Resistencia!
Habitual

Re: Linux malware based on publicly available cd00r.c

Post by Habitual »

"This Turla cd00r-based malware maintains stealth without requiring elevated privileges while running arbitrary remote commands. It can't be discovered via netstat, a commonly used administrative tool. It uses techniques that don't require root access, which allows it to be more freely run on more victim hosts. Even if a regular user with limited privileges launches it, it can continue to intercept incoming packets and run incoming commands on the system," researchers noted.
http://www.securityweek.com/newly-disco ... ux-systems
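The netstat point in the quote above is the defender-relevant one: a libpcap-style sniffer like cd00r's opens an AF_PACKET socket, which netstat does not list but which the kernel does expose in /proc/net/packet, promiscuous mode or not. Added example, not code from the thread, the article or the malware: a Python script that parses that table, flags running sockets bound to ETH_P_ALL that are not owned by an allow-listed uid, and maps their inodes to pids through /proc/<pid>/fd. The sample table is constructed, and the root-only allow-list is an assumption.

```python
import os

# Constructed sample of /proc/net/packet; columns follow the kernel's table header.
SAMPLE_PROC_NET_PACKET = """\
sk               RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a2b1c3d4e50 3      3    0003   2     1 0      1000   38211
ffff9a2b1c3d4e60 3      3    0800   2     1 0      0      2044
"""

def parse_packet_sockets(text):
    """Parse the /proc/net/packet table into one dict per AF_PACKET socket."""
    rows = []
    for line in text.strip().splitlines()[1:]:  # skip the header row
        f = line.split()
        if len(f) < 9:
            continue
        rows.append({
            "proto": int(f[3], 16),  # 0x0003 = ETH_P_ALL, i.e. the socket sees every frame
            "ifindex": int(f[4]),
            "running": f[5] == "1",
            "uid": int(f[7]),
            "inode": int(f[8]),
        })
    return rows

def suspicious_sockets(rows, allowed_uids=(0,)):
    """Flag running sockets that capture every protocol and are not owned by an allow-listed uid."""
    return [r for r in rows
            if r["running"] and r["proto"] == 0x0003 and r["uid"] not in allowed_uids]

def owners_of_inodes(inodes, proc="/proc"):
    """Map socket inodes to pids by reading /proc/<pid>/fd links of the form 'socket:[inode]'."""
    wanted = {f"socket:[{i}]": i for i in inodes}
    found = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            links = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
        except OSError:  # process exited, or fd dir of another user's process (needs root)
            continue
        for link in links:
            if link in wanted:
                found.setdefault(wanted[link], []).append(int(pid))
    return found

if __name__ == "__main__":
    path = "/proc/net/packet"
    text = open(path).read() if os.path.exists(path) else SAMPLE_PROC_NET_PACKET  # sample off-Linux
    for r in suspicious_sockets(parse_packet_sockets(text)):
        pids = owners_of_inodes([r["inode"]]).get(r["inode"], [])
        print(f"packet socket inode={r['inode']} uid={r['uid']} ifindex={r['ifindex']} pids={pids}")
```

Legitimate capture tools (tcpdump, some DHCP clients) show up in the same table, so treat the output as a triage list rather than a verdict; resolving fds of other users' processes requires root.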
BigEasy

Re: Linux malware based on publicly available cd00r.c

Post by BigEasy »

SSH3? :roll:
Windows assumes I'm stupid but Linux demands proof of it
shengchieh

Re: Linux malware based on publicly available cd00r.c

Post by shengchieh »

Am I correct that this applies more to servers than desktops?

Personally, I like upgrading with a fresh installation instead of an update, rolling release or not. I like to make sure everything naughty gets wiped every now and then.

Sheng-Chieh