Mirai malware infects Linux with Busybox
Hi, guys.
I don't understand much about these DoS attacks and the Mirai malware, but Wikipedia says that Mirai is Linux malware. Does this mean that my computer, which is running Carolite-1.2, could be infected? If so, how do I check for Mirai, and what do I do about it if I am infected?
Cheers.
Mike7
Carolite-1.2 w/FF38 on bootable 16G flash drive; Asus eeePC 1000HA, Atom CPU, 2G RAM, 160G HDD.
Quote:
Mirai is malware that turns computer systems running Linux into remotely controlled botnets that can be used in large-scale network attacks. It primarily targets online consumer devices such as remote cameras and home routers.

I don't know how to answer the questions you have posed, but I found one quote interesting from the link you gave:

How long before Linux powered devices become illegal to use in certain jurisdictions? I think it's heading that way.

And also a quote from wikipedia:

The Department of Homeland Security said Monday that it's been working on security practices for internet-connected gadgets and will release them in the coming weeks.

If home routers are potentially involved I suspect this could give enormous power to "Homeland Security" and all the powers that be who like to exert control.
Not all are infected. However, the Mirai malware apparently targets machines running busybox so that means Puppy is a potential host.
See this article:
http://securityaffairs.co/wordpress/509 ... i-elf.html
It says:

The ELF Linux/Mirai is very insidious; it is still undetected by many antivirus solutions as confirmed by the very low detection ratio in the VirusTotal online scanning service.
"The reason for the lack of detection is because of the lack of samples, which are difficult to fetch from the infected IoT devices, routers, DVR or WebIP Camera, the Linux with Busybox binary in embedded platform, which is what this threat is aiming at."
greengeek wrote:
the Mirai malware apparently targets machines running busybox so that means Puppy is a potential host.

Do all Puppies, including Carolite, use Busybox?

greengeek wrote:
"The reason for the lack of detection is because of the lack of samples, which are difficult to fetch from the infected IoT devices, routers, DVR or WebIP Camera, the Linux with Busybox binary in embedded platform,"

My computer uses a local wi-fi Internet connection. I don't know what the router is, but is it likely that it's using Linux software or another susceptible system?
A computer is not actually an IoT device, is it? Wouldn't the wi-fi router have to be infectable?

greengeek wrote:
detection is difficult at this point in time.

Bad news.

greengeek wrote:
This other article:
https://nakedsecurity.sophos.com/2016/1 ... en-source/
highlights the method Mirai uses to breach easy passwords to get control of the device and lists a bunch of username/password combos that are breachable. Sure enough root/root is one of them.

Wouldn't you know it. Is there any way around this problem? Can Puppy be re-worked so that root is no longer named root?

greengeek wrote:
you should have your machine set up so that you can drop its power immediately if you experience weird symptoms.

I'd have to remove the battery to do that, which presents other problems which may not be solvable (the EeePC was not designed to run without a battery). If you just mean powering off or shutting down, the usual Ctrl>Alt>Del works, but I still have to wait for the shutdown routine to finish.

greengeek wrote:
this can have a bad effect on savefiles which is why I don't use them anymore.

How do you get around using save files? Don't you ever make changes to system files? How about bookmarks? Please explain.

greengeek wrote:
Until the detection of Mirai improves I don't think there is much we can do.

Uy.
Mike7
Mike7 wrote:
Do all Puppies, including Carolite, use Busybox?

I believe so. Hopefully someone else can chime in and confirm if that's true.

Mike7 wrote:
My computer uses a local wi-fi Internet connection. I don't know what the router is, but is it likely that it's using Linux software or another susceptible system?

Impossible to say without knowing the brand and model. How do you connect to the router if you don't know what/where it is? Is it using encryption?

Mike7 wrote:
A computer is not actually an IoT device, is it?

That depends on your definition - for example things like Raspberry Pi, Banana Pi and Odroid etc are physically small enough to be installed inside a fridge, router or TV as an embedded Linux device yet they are really a PC. If a PC connects to the internet and runs busybox then it certainly qualifies as an IoT device potentially affected by the malware you have highlighted.

Mike7 wrote:
Wouldn't the wi-fi router have to be infectable?

Yes if you are talking about Mirai - but I was referring to the overall security weakness inherent in routers (which is where your passwords pass through). What stops your router responding to hacking attempts? What stops it transferring your passwords back to its factory of origin (as some IP cameras do)? Some routers are able to be remotely reprogrammed and who knows what kind of person programmed the code in your router or where their loyalties lie? Who writes the code in any router? How secure is that code? The NSA grafted password traps into some laptops - I am sure they can graft backdoors into router code just the same way they require ISPs and companies like HP to install backdoors and monitoring software for the purposes of compliance.
But - if you do not know what your router is then the question is - how do you know that it is not just a wifi hotspot set up as a dupe ("evil twin AP")? It is easy for a hacker to set up a spoof hotspot and capture the data streams. And in any case even a home router is a common target for hackers to crack. See this:
http://null-byte.wonderhowto.com/how-to ... r-0165154/
(ok I'm sounding paranoid but all I'm saying is that there are many ways your online banking session can be compromised).

Mike7 wrote:
Can Puppy be re-worked so that root is no longer named root?

Sorry I really don't know how easy or how big a job that might be. I'm sure I have seen some Puppians playing with the passwording. I know it is hard to set up a true non-root environment in Puppy but maybe changing the root pw might be easier than that.

Mike7 wrote:
I'd have to remove the battery to do that, which presents other problems which may not be solvable (the EeePC was not designed to run without a battery). If you just mean powering off or shutting down, the usual Ctrl>Alt>Del works, but I still have to wait for the shutdown routine to finish.

I found a script that shuts the machine down within a second or two. Doing this is risky if you have drives mounted or savefiles in use but you should not have those for an online banking session anyway. I have never had any problems as a result of the immediate powerdown. As an alternative method I press the powerbutton for about 8 seconds and just let the power drop. It is slower than the script method but I had to do it once when the website I was viewing locked my machine and told me it was encrypting my hard drive. Mouse and keyboard wouldn't work so the power button method was all I had. I was very glad I was not running a save file at that time.
EDIT : Despite the PC lockup and evil message on screen my hard drives were untouched - for which I credit the structure of Puppy and the use of RAM-based activity only, with no drives mounted. That and the hasty power down.

Mike7 wrote:
How do you get around using save files? Don't you ever make changes to system files? How about bookmarks? Please explain.

After I have set up my system the way I want it (including bookmarks and new software etc) I make a "personal sfs" which contains the updates the same way that a savefile normally would. Being an sfs the contents are not changeable while the system is running so the system boots with the same code each time (whereas a savefile will contain whatever has changed during the last session - which could include malware). As an alternative method some people just remaster the main puppy.sfs and then turn off the savefile feature. That way their puppy contains their necessary changes but doesn't get progressively updated during each session.
Another method is to stick with the original main puppy.sfs (not remastered) and add scripts into /root/Startup which personalise the system straight after each boot.
.
Hi Greengeek,
Curious as to what your thoughts on practicing 'digital entropy' with the systems that you own (at least, all that are in your realm of ownership). The hardware side of this is still formidable (and expensive), but the software side is becoming increasingly within reach of all of us (the wild proliferation of puppies and pup-related distros being one example).
Reading about online hackers, even some of the notorious ones who've turned to lucrative bounty programs and white-hat hacking, one of the things they keep repeating (and what they say they themselves practice) is this 'entropy' (or randomness) along with that old adage: it is hard as he## to hit a moving target.
belham2 wrote:
online hackers......keep repeating (and what they say they themselves practice) is this 'entropy' (or randomness) along with that old adage: it is hard as he## to hit a moving target.

I think there is probably some truth in that. In particular some of the malware utilities are marketed and sold as "ready made" turnkey attack vectors and I would guess that such things are more likely to be focused towards specific software profiles in the targeted devices.
If we run a system that is "unusual" in its software construction we must surely be making it harder to hijack - especially if we don't retain cookies, browsing history, or any other data fragments from session to session. As far as I can tell some malware gets inserted in one session, reports back to its 'command and control' server next session, then potentially transmits data each session thereafter - or else can sit quietly for some future session where the cnc server wakes it up. If your software is "non-standard" it is harder for the attack vector to "stick" in the first place - and if the software is loaded into a pristine state each boot then anything that did "stick" in the first session is lost anyway.
However - let's assume that an online session lasts long enough for a script kiddie working at your ISP to identify an attack vector suitable to infiltrate your system - and let's say they manage to set up an ssh link - they could take control of your system during that session - despite the fact that any code they add, modify or take control of will be returned to pristine at next boot.
During that session they could use your device/PC as a DDos vector against someone else - and you may not even know about it. On the other hand I suppose they could make alterations to things like bootloader config etc, or even destroy data on a drive if it is mounted. None of this is "likely" but we know it is "possible". We know some people get their hard drives encrypted, DDos attacks do occur etc etc.
One of the things we must remember though is that whatever version of Linux we run - there are multiple files that could harbour security holes. These include libs, browsers, wget and other download utilities, ssh, ssl, etc etc. So many code fragments that could have been insecure since they were first written. And what goes on inside the kernel? I think I read somewhere recently about a kernel security issue.
In light of that collection of potential security holes I do see some value in running a "mix 'n' match" system that has unusual combinations of utilities and code. Why not run a new glibc in an old system? Why use the latest syslinux if an old one works well in your system? etc. Maybe it will be harder to penetrate if it looks like a patchwork quilt
I like the term "digital entropy" - did you coin that yourself?
.
greengeek wrote:
I like the term "digital entropy" - did you coin that yourself?
.
Well, it's hard to claim any fame with a phrase since both words are so pervasive in the world, in many languages (not just English). But, yes, I thought of the term about a year ago and have been thinking about it ever since. This was happening at the same time I have also been trying to dig into what the next logical direction for software AI(s) is. I honestly believe their (software AI) great awakening (or, I mean, awareness) for humans will be in this realm. I still don't consider iPhone/Android personal digital assistants as anything more than jelly without the toast. But if they (AIs) start following us across our device-ownership realm, then that is another thing entirely. AI is perfectly suited to perform 'digital entropy' on the fly, and with the widespread acceptance of running things virtually (VMWare, VirtualBox, etc, etc), the two together seem like they would be a natural fit.
But, alas, until then I pretty much tax my own over-matched, aging synapses with as much randomness as I can when it comes to having an online presence------even to the point I get lost in remembering what's what a few times....haha
Thanks for answering.
belham2 wrote:
I have also been trying to dig into what the next logical direction for software AI(s) is. I honestly believe their (software AI) great awakening (or, I mean, awareness) for humans will be in this realm.

To be honest AI scares me. I guess it would potentially be a huge productivity boost - but only if it remains within the parameters we would set for our own behaviour. What use is AI without morality or ethics?

belham2 wrote:
I pretty much tax my own over-matched, aging synapses with as much randomness as I can when it comes to having an online presence

Ha, me too. I sometimes wonder if my own 'analogue entropy' is actually the onset of dementia.
greengeek wrote:
To be honest AI scares me. I guess it would potentially be a huge productivity boost - but only if it remains within the parameters we would set for our own behaviour. What use is AI without morality or ethics?

I can agree, but AI would make a great alternative to human companionship here in the dystopia created by feminists. An AI can't hit you and spew misandry.
....
Mike7 wrote:
Do all Puppies, including Carolite, use Busybox?

As far as I can see busybox is a central part of all puppies. Here are some comments about modifying/replacing it:
http://www.murga-linux.com/puppy/viewtopic.php?t=76882
http://barryk.org/blog/?viewDetailed=01368
I will post more links if I find them but it doesn't look promising to try to replace busybox. It seems to have been an integral part of puppy in an effort to save space.

bark_bark_bark wrote:
An AI can't hit you and spew misandry.

Or can it? Imagine how bad we would feel if an AI judged we males even more harshly than our female counterparts already do...
Greengeek-
greengeek wrote:
Mike7 wrote:
Do all Puppies, including Carolite, use Busybox?
I believe so.

I did a thorough check and, yes, Carolite is running Busybox. It boots with it and uses it continually. No way, really, to eliminate it.

greengeek wrote:
How do you connect to the router if you don't know what/where it is? Is it using encryption?

I piggy-back on a non-encrypted strong local wi-fi signal.

greengeek wrote:
If a PC connects to the internet and runs busybox then it certainly qualifies as an IoT device potentially affected by the malware you have highlighted.

That's what I was afraid of {sigh}.

greengeek wrote:
Mike7 wrote:
Wouldn't the wi-fi router have to be infectable?
Yes if you are talking about Mirai

I am talking just about the present case, Mirai. My query was purely practical: could my computer be infected with this malware, and what should I do about it, if anything?

So, if I understand you, my computer doesn't have to be infected in order for my data to be hacked; it can be got at through the wi-fi router. Is that right?

greengeek wrote:
What stops your router responding to hacking attempts? What stops it transferring your passwords back to its factory of origin (as some IP cameras do)?

I am not running a router. As I said before, I am using a wi-fi signal.

greengeek wrote:
if you do not know what your router is then the question is - how do you know that it is not just a wifi hotspot set up as a dupe ("evil twin AP")?

I don't. It could be anything. Yes, what I am doing is very dangerous (using an unknown wi-fi signal coming from an unknown router). But life is fraught with danger where I am (Buenos Aires, Argentina), so trusting to an unknown wi-fi and router is just a drop in the bucket (albeit a particularly scary one).

greengeek wrote:
It is easy for a hacker to set up a spoof hotspot and capture the data streams. And in any case even a home router is a common target for hackers to crack.

Using the Internet at all is a dangerous thing. But I am stuck with it, especially for online banking when I am away from the U.S. I know I should have my own internet connection and not use strange wi-fi signals, but even the local ISPs here are untrustworthy.

greengeek wrote:
I'm sure I have seen some Puppians playing with the passwording. I know it is hard to set up a true non-root environment in Puppy but maybe changing the root pw might be easier than that.

Where in this forum can I get that information?

greengeek wrote:
I found a script that shuts the machine down within a second or two. Doing this is risky if you have drives mounted or savefiles in use

I have Carolite set up so that there is never a "save" until shutdown, and then only as an option. I realize that using savefiles is risky, but the alternatives are simply too complicated for me. As to mounted drives, my only one is the bootable USB pendrive that Carolite is on. I don't even mount my computer's HDD.

greengeek wrote:
As an alternative method I press the powerbutton for about 8 seconds

I have had to do that, too, when it seemed that there was some intrusion into my operating system. But there is some safety in using Puppy-on-a-stick, working in RAM, and not using the HDD.

greengeek wrote:
After I have set up my system the way I want it (including bookmarks and new software etc) I make a "personal sfs" which contains the updates the same way that a savefile normally would. Being an sfs the contents are not changeable while the system is running so the system boots with the same code each time.

Sounds good, although kind of time-consuming if you are making changes every session. Actually, most of the time the only changes I make are to bookmarks, and the whole browser could be kept separately from the puppy files. There's a lot I still need to do to increase security.

greengeek wrote:
Another method is to stick with the original main puppy.sfs (not remastered) and add scripts into /root/Startup which personalise the system straight after each boot.

I've thought about that. There could be a startup script telling puppy where to look for certain files that get changed a lot, for example in another partition of the pendrive.
Anyway, to get back to the subject, I haven't noticed any strange activity on my computer, so I am assuming it has not been infected by Mirai. That situation could change, though, so if you happen to run across a way to detect this malware, I'd appreciate a heads up.
Thanks and cheers!
Mike7
Just a point of note. If you run Debian you can install debsums
apt-get update
apt-get install debsums
and then validate all installed programs and/or configuration files (includes an option to automatically reinstall changed programs if that takes your fancy) ... see https://blog.sleeplessbeastie.eu/2015/0 ... -packages/
I personally try to run a pristine system - apply changes/updates and save immediately after booting ... otherwise not saving. But I have more recently switched over to not using sfs's (but instead have all files fully extracted into the save space and an empty main sfs). That's just so I can boot either frugally (changes not saved, unless I run a script to save things), or boot like a full install (all changes immediately stored, i.e. that I use to apply certain Debian updates that otherwise won't install under a frugal boot). Running debsums periodically helps ensure that the system still has its integrity. debsums runs to completion pretty quickly; I haven't actually timed it but it is of the order of less than 5 minutes.
If a virus/malware changed busybox then debsums would most likely spot that change as it uses MD5 validation.
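Added example (not rufwoof's, Debian's or Puppy's own code): a debsums-style MD5 check written in POSIX sh for a system that has no dpkg database, such as a Puppy. It records sums of a chosen list of binaries while the system is believed clean and re-checks them later; the watched paths are assumptions and the demo uses constructed stand-in files in a temporary directory rather than the real /bin/busybox.

```shell
#!/bin/sh
# debsums-style integrity check without dpkg: baseline a list of files,
# then report any file whose MD5 no longer matches the recorded one.
# Works with both GNU coreutils and busybox md5sum.

# make_baseline LISTFILE OUTFILE
# LISTFILE holds one absolute path per line (e.g. /bin/busybox, /usr/bin/wget;
# assumed paths). Writes "md5sum  path" lines to OUTFILE, skipping paths that
# do not exist so the list can be shared between Puppies with different layouts.
make_baseline() {
    list="$1"; out="$2"
    : > "$out"
    while IFS= read -r f; do
        [ -f "$f" ] || continue
        md5sum "$f" >> "$out"
    done < "$list"
}

# verify_baseline BASELINE
# Recomputes every sum recorded in BASELINE. Prints a CHANGED or MISSING line
# for each mismatch; returns 1 if anything differed, 0 if all files are intact.
verify_baseline() {
    base="$1"; bad=0
    while read -r sum path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"; bad=1; continue
        fi
        now=$(md5sum "$path" | cut -d' ' -f1)
        if [ "$now" != "$sum" ]; then
            echo "CHANGED $path"; bad=1
        fi
    done < "$base"
    return "$bad"
}

# demo: constructed stand-ins for busybox and wget in a temp dir. Baseline them,
# verify (expect intact), modify one file, verify again (expect CHANGED).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/bin"
    printf 'constructed stand-in for /bin/busybox\n' > "$tmp/bin/busybox"
    printf 'constructed stand-in for /usr/bin/wget\n' > "$tmp/bin/wget"
    printf '%s\n' "$tmp/bin/busybox" "$tmp/bin/wget" > "$tmp/watch.list"

    make_baseline "$tmp/watch.list" "$tmp/baseline.md5"
    if verify_baseline "$tmp/baseline.md5"; then clean=0; else clean=1; fi

    # Simulate an unexpected modification of the busybox binary
    printf 'extra bytes\n' >> "$tmp/bin/busybox"
    if verify_baseline "$tmp/baseline.md5"; then dirty=0; else dirty=1; fi

    rm -rf "$tmp"
    echo "first check: $clean (0 = intact), after modification: $dirty (1 = change detected)"
    [ "$clean" -eq 0 ] && [ "$dirty" -eq 1 ]
}

demo
```

Take the baseline right after booting the pristine sfs, and keep the baseline file somewhere the running system (and a savefile) cannot silently rewrite, otherwise a change could be recorded as the new "good" state.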
Mike7 wrote:
I piggy-back on a non-encrypted strong local wi-fi signal.

I would probably not worry about the risk from Mirai as much as I would worry about the risks from using unencrypted wifi.

Mike7 wrote:
I am talking just about the present case, Mirai. My query was purely practical: could my computer be infected with this malware, and what should I do about it, if anything.

I could be wrong but my guess is - yes a puppy PC could be infected especially if it was online quite a bit, and also if it used a savefile that would retain the cnc interface code across boots. What should you do about it? - there is probably nothing you can do at present.

Mike7 wrote:
So, if I understand you, my computer doesn't have to be infected in order for my data to be hacked; it can be got at through the wi-fi router. Is that right?

Yes. In fact Mirai doesn't seem to go looking for the data on your machine - it seems to hijack a machine just to piggyback off its internet connection and cause havoc to someone else via a DDoS attack. The risks to your data can occur anywhere along the data path between you and the bank. In my opinion an insecure wifi connection would be by far the weakest part of that chain.

Mike7 wrote:
I am not running a router. As I said before, I am using a wi-fi signal.

But that wifi signal is still running through a router - even though it is not your router it is still a router. The fact that its brand, model, and ownership is unknown to you does put your data at risk.

Mike7 wrote:
Yes, what I am doing is very dangerous (using an unknown wi-fi signal coming from an unknown router). But life is fraught with danger where I am (Buenos Aires, Argentina), so trusting to an unknown wi-fi and router is just a drop in the bucket (albeit a particularly scary one)

To be honest I really feel that none of us really have as much security as we believe. I know people who maintain the Southern Cross internet data cable that runs from New Zealand to the U.S via Hawaii and based on their comments I am sure every data packet is transparent to a number of individuals and agencies along the way.

Mike7 wrote:
I know I should have my own internet connection and not use strange wi-fi signals, but even the local ISPs here are untrustworthy.

I suppose the best advice comes back to regular changing of banking passwords in that case. At least any data that gets trapped on one day can be made irrelevant the next.

Mike7 wrote:
Where in this forum can I get that [puppy root password change] information?

I will post back if I can find it but it can be hard to find information sometimes. Have to get the keywords right.

Mike7 wrote:
I have Carolite set up so that there is never a "save" until shutdown, and then only as an option. I realize that using savefiles is risky, but the alternatives are simply too complicated for me. As to mounted drives, my only one is the bootable USB pendrive that Carolite is on. I don't even mount my computer's HDD.

That's handy having the save option then. That lets you shutdown without saving. If you wanted greater safety you could always temporarily hide the savefile and run without it, or even make another new one that you could use only for banking sessions (ie only containing the minimal changes required to get online quickly).

Mike7 wrote:
there is some safety in using Puppy-on-a-stick, working in RAM, and not using the HDD.

Agreed.

Mike7 wrote:
Actually, most of the time the only changes I make are to bookmarks, and the whole browser could be kept separately from the puppy files.

Maybe you could look at using "portable" versions of your preferred browser. That way you could even have two setups - one browser used solely for banking sessions (with tighter security settings, minimal bookmarks and no browser history or cookies) and another browser setup for general internet surfing and bookmark/cookie retention.

Mike7 wrote:
Anyway, to get back to the subject, I haven't noticed any strange activity on my computer, so I am assuming it has not been infected by Mirai.

I doubt you would notice it unless you were comparing router statistics between infected and non-infected sessions. And of course you don't have access to the router anyway. If your Puppy was infected with Mirai all you might see is more network icon activity.

Mike7 wrote:
if you happen to run across a way to detect this malware, I'd appreciate a heads up.

Sure, I will post back if I see anything. I quite like the Sophos "Naked Security" website for that sort of info:
https://nakedsecurity.sophos.com/2016/1 ... ck-on-dyn/
I have not reviewed these threads properly but here are some links regarding the option of changing the root/root uname/password defaults in Puppy Linux:
http://www.murga-linux.com/puppy/viewto ... 3f789d0a19
http://www.murga-linux.com/puppy/viewto ... 60840a8eae
http://www.murga-linux.com/puppy/viewtopic.php?p=228821
http://www.murga-linux.com/puppy/viewto ... 8dabb6b89d
http://murga-linux.com/puppy/viewtopic.php?t=97769
EDIT : This post by Galbi appears to offer the method by which the root password can be changed:
http://www.murga-linux.com/puppy/viewto ... 300#790300
How much that actually increases security I cannot say....
EDIT : Anyone who likes the idea of a Puppy that does not have root access may be interested in this post from the beloved and well missed "nooby":
http://puppylinux.info/topic/making-a-f ... an-be-root
Quote from one of the contributors:
Nothing is more disgusting than not being able to kill the Xorg server by C+A+BS

It's an emotive discussion.
Hi, rufwoof.
rufwoof wrote:
If you run Debian you can install debsums. . .and then validate all installed programs

Coupla questions here:
- What do you mean by "If you run Debian"? Is Carolite (and Puppy in general) related to Debian?
- Can debsums be made to validate just a specific file or program or environment like Busybox, so that it doesn't have to check the whole system?
Mike7