Mirai malware infects Linux with Busybox

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#16 Post by rufwoof »

Just a point of note. If you run Debian you can install debsums

apt-get update
apt-get install debsums

and then validate all installed programs and/or configuration files (includes an option to automatically reinstall changed programs if that takes your fancy) ... see https://blog.sleeplessbeastie.eu/2015/0 ... -packages/

I personally try to run a pristine system - apply changes/updates and save immediately after booting ... otherwise not saving. But have more recently switched over to not using sfs's (but instead have all files fully extracted into the save space and an empty main sfs). That's just so I can boot either frugally (changes not saved, unless I run a script to save things), or boot like a full install (all changes immediately stored, i.e. that I use to apply certain Debian updates that otherwise won't install under a frugal boot). Running debsums periodically helps ensure that the system still has its integrity. debsums runs to completion pretty quickly, haven't actually timed it but of the order of less than 5 minutes.

If a virus/malware changed busybox then debsums would most likely spot that change as it uses MD5 validation.

greengeek
Posts: 5789
Joined: Tue 20 Jul 2010, 09:34
Location: Republic of Novo Zelande

#17 Post by greengeek »

Mike7 wrote: I piggy-back on a non-encrypted strong local wi-fi signal.
I would probably not worry about the risk from Mirai as much as I would worry about the risks from using unencrypted wifi.
I am talking just about the present case, Mirai. My query was purely practical: could my computer be infected with this malware, and what should I do about it, if anything.
I could be wrong but my guess is - yes a puppy PC could be infected especially if it was online quite a bit, and also if it used a savefile that would retain the cnc interface code across boots. What should you do about it? - there is probably nothing you can do at present.
So, if I understand you, my computer doesn't have to be infected in order for my data to be hacked; it can be got at through the wi-fi router. Is that right?
Yes. In fact Mirai doesn't seem to go looking for the data on your machine - it seems to hijack a machine just to piggyback off its internet connection and cause havoc to someone else via a DDoS attack. The risks to your data can occur anywhere along the data path between you and the bank. In my opinion an insecure wifi connection would be by far the weakest part of that chain.
I am not running a router. As I said before, I am using a wi-fi signal.
But that wifi signal is still running through a router - even though it is not your router it is still a router. The fact that its brand, model, and ownership are unknown to you does put your data at risk.
Yes, what I am doing is very dangerous (using an unknown wi-fi signal coming from an unknown router). But life is fraught with danger where I am (Buenos Aires, Argentina), so trusting to an unknown wi-fi and router is just a drop in the bucket (albeit a particularly scary one)
To be honest I really feel that none of us really have as much security as we believe. I know people who maintain the Southern Cross internet data cable that runs from New Zealand to the U.S via Hawaii and based on their comments I am sure every data packet is transparent to a number of individuals and agencies along the way.
I know I should have my own internet connection and not use strange wi-fi signals, but even the local ISPs here are untrustworthy.
I suppose the best advice comes back to regular changing of banking passwords in that case. At least any data that gets trapped on one day can be made irrelevant the next.
Where in this forum can I get that [puppy root password change] information?
I will post back if I can find it but it can be hard to find information sometimes. Have to get the keywords right.
I have Carolite set up so that there is never a "save" until shutdown, and then only as an option. I realize that using savefiles is risky, but the alternatives are simply too complicated for me. As to mounted drives, my only one is the bootable USB pendrive that Carolite is on. I don't even mount my computer's HDD.
That's handy having the save option then. That lets you shutdown without saving. If you wanted greater safety you could always temporarily hide the savefile and run without it, or even make another new one that you could use only for banking sessions (ie only containing the minimal changes required to get online quickly).
there is some safety in using Puppy-on-a-stick, working in RAM, and not using the HDD.
Agreed.
Actually, most of the time the only changes I make are to bookmarks, and the whole browser could be kept separately from the puppy files.
Maybe you could look at using "portable" versions of your preferred browser. That way you could even have two setups - one browser used solely for banking sessions (with tighter security settings, minimal bookmarks and no browser history or cookies) and another browser setup for general internet surfing and bookmark/cookie retention.
Anyway, to get back to the subject, I haven't noticed any strange activity on my computer, so I am assuming it has not been infected by Mirai.
I doubt you would notice it unless you were comparing router statistics between infected and non-infected sessions. And of course you don't have access to the router anyway. If your Puppy was infected with Mirai all you might see is more network icon activity.
if you happen to run across a way to detect this malware, I'd appreciate a heads up.
Sure, I will post back if I see anything. I quite like the Sophos "Naked Security" website for that sort of info:
https://nakedsecurity.sophos.com/2016/1 ... ck-on-dyn/

greengeek
Posts: 5789
Joined: Tue 20 Jul 2010, 09:34
Location: Republic of Novo Zelande

#18 Post by greengeek »

I have not reviewed these threads properly but here are some links regarding the option of changing the root/root uname/password defaults in Puppy Linux:

http://www.murga-linux.com/puppy/viewto ... 3f789d0a19
http://www.murga-linux.com/puppy/viewto ... 60840a8eae
http://www.murga-linux.com/puppy/viewtopic.php?p=228821
http://www.murga-linux.com/puppy/viewto ... 8dabb6b89d
http://murga-linux.com/puppy/viewtopic.php?t=97769

EDIT : This post by Galbi appears to offer the method by which the root password can be changed:
http://www.murga-linux.com/puppy/viewto ... 300#790300
How much that actually increases security I cannot say....

EDIT : Anyone who likes the idea of a Puppy that does not have root access may be interested in this post from the beloved and well missed "nooby":
http://puppylinux.info/topic/making-a-f ... an-be-root
Quote from one of the contributors:
Nothing is more disgusting than not being able to kill the Xorg server by C+A+BS
It's an emotive discussion.

8Geee
Posts: 2181
Joined: Mon 12 May 2008, 11:29
Location: N.E. USA

#19 Post by 8Geee »

Greengeek:

the 4th link is the one for the delta root pswd.

Regards
8Geee
Linux user #498913 "Some people need to reimagine their thinking."
"Zuckerberg: a large city inhabited by mentally challenged people."

Mike7
Posts: 400
Joined: Tue 19 Feb 2013, 00:31

#20 Post by Mike7 »

Hi, rufwoof.
If you run Debian you can install debsums. . .and then validate all installed programs
Coupla questions here:
- What do you mean by "If you run Debian"? Is Carolite (and Puppy in general) related to Debian?
- Can debsums be made to validate just a specific file or program or environment like Busybox, so that it doesn't have to check the whole system?

Mike7
Carolite-1.2 w/FF38 on bootable 16G flash drive; Asus eeePC 1000HA, Atom CPU, 2G RAM, 160G HDD.

Mike7
Posts: 400
Joined: Tue 19 Feb 2013, 00:31

#21 Post by Mike7 »

greengeek-
I would probably not worry about the risk from Mirai as much as I would worry about the risks from using unencrypted wifi
It worries me, believe me. But I've been using the signal for five years and so far nothing too bad has happened, just some browser redirections and Youtube hijacks (knock wood).
my guess is - yes a puppy PC could be infected especially if it was online quite a bit, and also if it used a savefile that would retain the cnc interface code across boots.
What is a cnc interface code and how is it stored?
there is probably nothing you can do at present.
Figures.
Mirai doesn't seem to go looking for the data on your machine - it seems to hijack a machine just to piggyback off its internet connection and cause havoc to someone else via a DDoS attack.
Yes, hijacking IoT devices is a nasty trick. But it was bound to happen.
In my opinion an insecure wifi connection would be by far the weakest part of that chain.
The solutions for me are not good and all are expensive. Plus, like I said, the usual Internet connections here are just as bad as the unencrypted wifi signal, maybe worse in some ways (like banner and popup ads from the ISP, and even worse abuse). Satellite is the best solution here, and a friend in my building has it. But it costs a fortune.
But that wifi signal is still running through a router - even though it is not your router it is still a router. The fact that its brand, model, and ownership are unknown to you does put your data at risk.
True. It's certainly nowhere near as secure as my Verizon fiber optic+router in New York. Not secure at all, really. Highly dangerous, even. But life is dangerous. However, I don't think any of my financial institutions would accept a large transaction from the website. Heck, I even have trouble using my debit cards <grin>. And just the fact that my computer, and this unencrypted wifi signal, are in Argentina is some sort of security, because no one trusts anything coming from this country.
I know people who maintain the Southern Cross internet data cable that runs from New Zealand to the U.S via Hawaii and based on their comments I am sure every data packet is transparent to a number of individuals and agencies along the way.
A rather frightening thought, for sure. And with the U.S. Gov hacking the whole world through ISPs (PRISM, etc.), there's no way to be secure. I mean, do you trust all the employees of the NSA who have access to everything not to use the data to steal?
I will post back if I can find it but it can be hard to find information sometimes. Have to get the keywords right.
Thanks. I wouldn't know how to look.
If you wanted greater safety you could always temporarily hide the savefile and run without it, or even make another new one that you could use only for banking sessions (ie only containing the minimal changes required to get online quickly).
Yes, there are a number of options. I was in the middle of working through them not long ago, when there was some tragedy and I got sidetracked. I seem to recall that the best idea appeared to be to password-protect the pendrive partition where the changesfile is kept. And really the only changes I am making now are to bookmarks as I have Carolite pretty well configured the way I want it. Sometimes I just copy the new bookmarks to a text file and do a no-save at shutdown. That's probably the safest procedure of all. But I'm going to password-protect the 2nd, vfat partition on the pendrive and maybe keep the whole .mozilla folder there.
Maybe you could look at using "portable" versions of your preferred browser.
Yes, I am looking into shinobar's portables.
you could even have two setups - one browser used solely for banking sessions (with tighter security settings, minimal bookmarks and no browser history or cookies) and another browser setup for general internet surfing and bookmark/cookie retention.
I presently do not save any browser history, cookies, or cache when I exit Firefox, which I do frequently during the day to renew the IP address. And only bookmarks are saved when I shut down the computer. But, as you say, a separate browser for sensitive transactions would be best. Maybe even a separate pendrive with a virgin Carolite and a more secure browser than Firefox, which has become too bulky and complicated to be made secure.
you don't have access to the router anyway. If your Puppy was infected with Mirai all you might see is more network icon activity.
Sad but true. That unencrypted wifi signal is a grave danger. I have no way of even knowing if I'm being hacked. Terrible.
I quite like the Sophos "Naked Security" website for that sort of info:
Thanks for that URL.

Cheers.

Mike7
Carolite-1.2 w/FF38 on bootable 16G flash drive; Asus eeePC 1000HA, Atom CPU, 2G RAM, 160G HDD.

Robert123
Posts: 362
Joined: Fri 20 May 2016, 05:22
Location: Pacific

#22 Post by Robert123 »

Mike,

Have a look at Palemoon, which I use in older puppies - it is faster than FF.

Also 8Geee has a very secure FF27 he has configured and uses in his updated slacko 570


https://archive.org/details/firefox2701
Devuan Linux, Stardust 013 (4.31) updated https://archive.org/details/Stardustpup013glibc2.10
s57(2018)barebone https://sourceforge.net/projects/puppy-linux-minimal-builds/files/s57%282018%29barebones.iso/download

Mike7
Posts: 400
Joined: Tue 19 Feb 2013, 00:31

#23 Post by Mike7 »

greengeek-

Thanks for the links to changing of the root pswd. I will review all this, although from a first look it seems that only the command for changing the user's password is given (code: passwd) and not a command for changing the name of a user. I guess that as things stand that cannot be done (which I suppose is what all the nooby discussion was about, although I didn't really understand it all).

As an aside, before settling on Puppy and Carolite I tried out Slitaz (among other distros). Slitaz is not set up so that the user is root, and you have to sudo everything. It really is a pain in the butt and is what turned me off to Slitaz, which in other respects is a very fine OpSys. The fact is that doing sudo all the time isn't so terrible. It's the implied insult (that one is too incompetent to be root) that is so annoying. After all, if one is installing Linux it must be assumed that one has some brains and a little knowledge, no? And forcing the use of sudo is no protection from screwing things up.
Quote from one of the contributors:
Nothing is more disgusting than not being able to kill the Xorg server by C+A+BS
It's an emotive discussion.
Nothing wrong with a little emotion <grin>.

M7
Carolite-1.2 w/FF38 on bootable 16G flash drive; Asus eeePC 1000HA, Atom CPU, 2G RAM, 160G HDD.

musher0
Posts: 14629
Joined: Mon 05 Jan 2009, 00:54
Location: Gatineau (Qc), Canada

#24 Post by musher0 »

Hi guys.

FWIW, if there seems to be fishy behavior on your Internet line, your connection icon in the tray of all Puppies has a "disconnect" option (see attached picture) that you can click.

As well, there is also the manual solution of physically disconnecting the ethernet cable or turning off the router. You can turn off the machine, of course, but it's not absolutely necessary for this purpose. To state the obvious, a non-connected computer cannot connect to anything, thus a non-connected computer cannot infect anything.

Besides, if you want to conduct some forensic work, you may want to keep the machine on. If you turn the machine off, the virus might disappear from RAM with the electrical current.

When the Mirai description says it's "using busybox" to propagate that virus, that's pretty vague, because busybox is a compact rewrite of about one hundred GNU utilities. It would be not only interesting but essential to know which one of those is the actual culprit.

AFAIK there are two "busyboxes": a minimal one included in the initrd used during the kernel boot process and the one used once the "shift root" (chroot) has occurred.

If we know which of the busybox sub-utilities is to blame, it should be simple enough to substitute it with the real and complete GNU utility it's intended to replace. PuppyLinux, BTW, already does that for a number of them.

Finally, there is no mention of the Mirai infection on the Busybox site https://busybox.net/news.html. If it was as dramatic as it sounds, the developers there would have already provided a corrective, or be working on one, no?

In the meantime, rufwoof's debsums solution seems like a good idea to tone down the paranoia! ;)

In short, let's keep our heads and we'll see this through.

BFN.
Attachments
disconnect_option_2016-10-30(1).jpg
musher0
~~~~~~~~~~
"You want it darker? We kill the flame." (L. Cohen)

Mike7
Posts: 400
Joined: Tue 19 Feb 2013, 00:31

#25 Post by Mike7 »

Robert123-
Have a look at Palemoon, which I use in older puppies - it is faster than FF.
Thanks for reminding me about Palemoon. Actually, I have a list of alternative browsers that I have been intending to try. It's just a matter of finding the time (grrr).

Questions: Is Palemoon as secure as an updated and reconfigured Firefox? Can it resolve these new-thing websites that are written for mobile devices? Will ublock work with it?
Also 8Geee has a very secure FF27 he has configured and uses in his updated slacko 570
Interesting. My Carolite came with FF26, but it automatically updated to FF38 when I clicked on Help>AboutFirefox to check on the exact version number. Now I have spent maybe 100 hours reconfiguring FF38, and the thought of changing versions yet again, either updating or returning to an earlier one, makes me shrivel up inside and think about going to live with the Inuit in Greenland.

Question: Do you think 8Geee's reconfigured firefox2701 would work in Carolite-1.2?

M7
Carolite-1.2 w/FF38 on bootable 16G flash drive; Asus eeePC 1000HA, Atom CPU, 2G RAM, 160G HDD.

musher0
Posts: 14629
Joined: Mon 05 Jan 2009, 00:54
Location: Gatineau (Qc), Canada

#26 Post by musher0 »

Hello again guys.

If you read the last part of the article mentioned by greengeek, you'll find that Mirai uses:
telnet
ssh and
busybox tftp

To play it safe you could install the inetutils from the GNU foundation, https://lists.gnu.org/archive/html/info ... 00004.html (5th paragraph on that page), to replace the busybox tftp and telnet. As to ssh, Puppy is offering the full ssh, not the busybox one.

As well, the article says that Mirai can leave traces detectable by lsof, the source of which is available here: https://people.freebsd.org/~abe/.

There is already an older version of lsof available on this forum: search for "lsof" as the first search parameter and "musher0" as the second search parameter. Here: http://murga-linux.com/puppy/viewtopic. ... 682#844819

For your convenience, the latest version of lsof (lsof-4.89) is attached. Please install the libtirpc-1.0.1 first, then the lsof-4.89 utility.

This complete lsof will replace the existing busybox lsof symlink that may exist on some newer Puppies. (Older Puppies do not have lsof at all.)

To see all running connections on your Puppy, open a terminal and type

lsof -i

(see attached pic).

So, sorry to go against the paranoid instinct, but instead of panicking one could try to see if lsof shows traces of Mirai residues on your machine.

BFN.
Attachments
lsof_with_-i_parameter_2016-10-30.jpg
What you should normally see through lsof with an active ethernet connection: only the cups port plus the browser port are open.
libtirpc-1.0.1.pet
needed by lsof-4.89
lsof-4.89.pet
The "LiSt Open Files" utility for a given running application or process.
Last edited by musher0 on Sun 30 Oct 2016, 20:53, edited 3 times in total.
musher0
~~~~~~~~~~
"You want it darker? We kill the flame." (L. Cohen)

Mike7
Posts: 400
Joined: Tue 19 Feb 2013, 00:31

#27 Post by Mike7 »

musher0-
if there seems to be fishy behavior on your Internet line, your connection icon in the tray of all Puppies has a "disconnect" option (see attached picture) that you can click.
Right you are. And I have had occasion to do that (although on my Frisbee tray icon it's "disable" and "enable").

I wonder where you found the jpg image for the icon popup.
there is also the manual solution of physically disconnecting the ethernet cable or turning off the router.
Not for me, unfortunately, as I am wireless to someone else's router.
You can turn off the machine, of course, but it's not absolutely necessary for this purpose.
Yes, and it's slower than disconnecting from the wireless network.
Besides, if you want to conduct some forensic work, you may want to keep the machine on. If you turn the machine off, the virus might disappear from RAM with the electrical current.
A good thought. I never liked shutting down when a computer I was using became infected. It leaves you in the dark. You never know what's going to happen when you boot back up (some malware only corrupts system files when booting). Better to disconnect from the Internet and track down the malware.
When the Mirai description says it's "using busybox" to propagate that virus, that's pretty vague, because busybox is a compact rewrite of about one hundred GNU utilities. It would be not only interesting but essential to know which one of those is the actual culprit.
Yes.
If we know which of the busybox sub-utilities is to blame, it should be simple enough to substitute it with the real and complete GNU utility it's intended to replace.
This occurred to me, but greengeek says that there is as yet no exact information on how Mirai uses busybox.
there is no mention of the Mirai infection on the Busybox site
I find that very strange, to say the least.
If it was as dramatic as it sounds, the developers there would have already provided a corrective, or be working on one, no?
There's something fishy about all this, that's for sure. Could it be that the busybox people are so flummoxed that they won't say anything, or simply too embarrassed that a massive DoS went through their program?
In the meantime, rufwoof's debsums solution seems like a good idea to tone down the paranoia! ;)
I'm waiting for an answer to whether a Debian utility like debsums will work in Carolite. And frankly I don't know how to install it. It's not listed in Carolite's package manager.
In short, let's keep our heads and we'll see this through.
As greengeek says, there's precious little we can do about it anyway. It's too bad that the hackers chose a Linux program for their dirty work, but that was inevitable. The features of Linux that make it right for IoT are just what the hackers were looking for. And what could be better, within Linux, than exploiting busybox? These hackers are fiendishly clever.

M7
Carolite-1.2 w/FF38 on bootable 16G flash drive; Asus eeePC 1000HA, Atom CPU, 2G RAM, 160G HDD.

musher0
Posts: 14629
Joined: Mon 05 Jan 2009, 00:54
Location: Gatineau (Qc), Canada

#28 Post by musher0 »

Hi Mike7.

My reasoning is as follows: assuming that these sons-of-a-gun are specifically using busybox as their vector, if we provide the real inet utilities instead, they're cooked.

If their code is, for example

busybox telnet

and that command does not exist, only

telnet

then they'd be getting nowhere.

That still needs to be proven, of course -- they could as well use the "name" of the utility, regardless of whether it's busybox or not, but you can't go wrong installing the real lsof for starters.

The real lsof is a very rich application for all sorts of uses. Type

lsof -h | more

and you'll see!

Maybe rufwoof can provide us with more info about debsums.

~~~~~~~~~~~
(Thinking out loud here!)
In the meantime, if it's only to check if checksums of the executables have changed, we could probably come up with a script saving the results using cksum or md5sum and then use the diff compare utility on two columns.

The first run would create a first column for reference on Puppy install. Subsequent runs would appear in the second column, say a few hours later or the next day, or whenever you like.

The parameter is not fresh in my memory, but you can ask diff to show only the differences between two texts or tables. So if you had differences, you'd know your system integrity has been compromised.

And even with what little we know about the Mirai parasite, we know it targets certain executables, so we could do a speed check on those. It certainly wouldn't take five minutes if we target only those, maybe 20 seconds.

That list, coupled with results from lsof, would give a pretty good idea of the integrity of the Puppy at any given time during our computing session.

BFN.
Last edited by musher0 on Sun 30 Oct 2016, 13:27, edited 2 times in total.
musher0
~~~~~~~~~~
"You want it darker? We kill the flame." (L. Cohen)

Mike7
Posts: 400
Joined: Tue 19 Feb 2013, 00:31

#29 Post by Mike7 »

musher0-
If you read the last part of the article mentioned by greengeek, you'll find that Mirai uses:
telnet
ssh and
busybox tftp
Sorry, but what article is that? (I couldn't find anything about busybox in the Sophos article.)
To play it safe you could install the inetutils from the GNU foundation. . .to replace the busybox tftp and telnet.
Will that run on Carolite (Carolina), do you think?
As to ssh, Puppy is offering the full ssh, not the busybox one.
I'm a little confused. Are you suggesting disabling the busybox ssh somehow and installing an ssh pet from a repository?
For your convenience, the latest version of lsof (lsof-4.89) is attached. Please install the libtirpc-1.0.1 first, then the lsof-4.89 utility.
Will these both run in Carolite-1.2 (Carolina)?
This complete lsof will replace the existing busybox lsof symlink you probably have on your Puppy.
My Carolite-1.2's busybox doesn't contain lsof. In any case, why would there be a symlink?
instead of panicking one could try to see if lsof shows traces of Mirai residues on your machine.
Good idea.

M7
Carolite-1.2 w/FF38 on bootable 16G flash drive; Asus eeePC 1000HA, Atom CPU, 2G RAM, 160G HDD.

musher0
Posts: 14629
Joined: Mon 05 Jan 2009, 00:54
Location: Gatineau (Qc), Canada

#30 Post by musher0 »

Hello again, Mike7.

Well, I have an lsof on this Puduan-6 Puppy, but it's a symlink to some busybox code. Back in the day, no Puppies at all had lsof. So this is sort of an improvement!

Busybox works like that: it recognizes the symlink and executes the corresponding part in its code. It's sort of like when you add parameters to a script. Busybox is a meta-application with various parts: only the lsof-specific part of busybox is used (to keep the lsof example).

For more examples, open your /bin directory, hover the cursor over the symlinked files, and you'll see lots of names of utilities that are symlinked to busybox.

About the article, I mean this one:
http://securityaffairs.co/wordpress/509 ... i-elf.html

BFN.
musher0
~~~~~~~~~~
"You want it darker? We kill the flame." (L. Cohen)

Robert123
Posts: 362
Joined: Fri 20 May 2016, 05:22
Location: Pacific

#31 Post by Robert123 »

@MusherO works in slacko 5.31
Devuan Linux, Stardust 013 (4.31) updated https://archive.org/details/Stardustpup013glibc2.10
s57(2018)barebone https://sourceforge.net/projects/puppy-linux-minimal-builds/files/s57%282018%29barebones.iso/download

musher0
Posts: 14629
Joined: Mon 05 Jan 2009, 00:54
Location: Gatineau (Qc), Canada

#32 Post by musher0 »

Robert123 wrote: @MusherO works in slacko 5.31
Thanks, Robert123.
musher0
~~~~~~~~~~
"You want it darker? We kill the flame." (L. Cohen)

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#33 Post by rufwoof »

Mike7 wrote: Hi, rufwoof.
If you run Debian you can install debsums. . .and then validate all installed programs
Coupla questions here:
- What do you mean by "If you run Debian"? Is Carolite (and Puppy in general) related to Debian?
- Can debsums be made to validate just a specific file or program or environment like Busybox, so that it doesn't have to check the whole system?
With Debian Stable the idea is that there's a central repository that you solely use. Where all programs/packages are individually stable and work well with the other packages. That means you run older versions of programs, but that work ok and (maybe) have had patches applied. If that central repository is sound, then any system using some/part of that (selected programs) is also sound. It also means that every package has its md5 checksum stored in a central repository so you can validate that what you actually have installed compares to what should be installed.

DebianDog puppy and/or any other pup that installs using the debian repository can use debsums, as all it's basically doing is checking that a package md5 matches. debsums can check individual packages, or the complete system including configuration files; however my guess is that complete system checks wouldn't work for systems that used some packages/programs from here and there (elsewhere), like typical puppies do.

Like for scanning for rootkits, I tend to just boot frugally, install debsums or the rootkit scanner, run/scan and then reboot without saving afterwards. I do that pretty infrequently and as a comfort thing whenever the fancy takes. Personally I try and take the opposite view to most and consider all systems to be weak/breached, for instance as though my home desktop pc was a local public library pc. Most of the stuff I do I couldn't care less if anyone else saw/had access to that, for things that I want to keep secure such as online banking connections/passwords I boot/use a more secure setup. But obviously whilst blasé about general use I'm not totally casual and wouldn't want for instance something like Mirai to be installed/running.

Typically there are two busyboxes, one inside initrd that you need to uncompress and run through cpio to see the content of, and the main busybox (some pups might use the same busybox for both). Running the 'busybox' command alone will show all of the commands that have been compiled into that busybox. Your /bin files may be symlinks to the busybox version, or might be separate stand-alone programs. Even if there is no symlink for a program to busybox you can still run a busybox program ... for instance my system doesn't have lzop installed (a compression/decompression program similar to gzip) as a separate program nor does it have a symlink to it within busybox, but it is in busybox, so I can run busybox lzop .... to run that. One way to validate the integrity of the busybox would be to check its md5sum against the original version, i.e. if the local version had been hacked/breached then that md5sum would differ from the original.
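As an added illustration of the symlink mechanism rufwoof and musher0 describe (example code, not from either post), these functions resolve a command name through its whole link chain and report whether it is provided by busybox, by a stand-alone binary, or not at all. The assumptions are that the multi-call binary is a file literally named "busybox" (as on Puppy) and that the tool names checked are the ones named in the thread; the directory list is whatever you pass in.

```shell
#!/bin/sh
# Added example (not from the thread): classify who provides a command name.
# Assumed: the multi-call binary is a file literally named "busybox", as on Puppy.

# provider NAME DIR... : prints "busybox", "standalone" or "absent" for NAME,
# using the first DIR in which NAME exists (the same order a PATH lookup uses).
provider() {
    name=$1
    shift
    for dir in "$@"; do
        p="$dir/$name"
        # -L catches dangling symlinks that -e alone would miss
        if [ -e "$p" ] || [ -L "$p" ]; then
            # readlink -f follows the whole chain (lsof -> busybox, or
            # lsof -> ../../bin/busybox): what hovering over a symlink in a
            # file manager shows you, done for every hop.
            target=$(readlink -f "$p" 2>/dev/null) || target=$p
            case $(basename "$target") in
                busybox) echo busybox ;;
                *)       echo standalone ;;
            esac
            return 0
        fi
    done
    echo absent
}

# audit_tools DIR... : one "name: provider" line for each network-facing tool
# named in the thread, so it is obvious which of them are still busybox
# applets after installing the real inetutils or lsof.
audit_tools() {
    for tool in telnet tftp lsof ssh; do
        echo "$tool: $(provider "$tool" "$@")"
    done
}

# Stand-alone use on a real Puppy: audit_tools /bin /sbin /usr/bin /usr/sbin
```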

bark_bark_bark
Posts: 1885
Joined: Tue 05 Jun 2012, 12:17
Location: Wisconsin USA

#34 Post by bark_bark_bark »

Mike7 wrote: Questions: Is Palemoon as secure as an updated and reconfigured Firefox?
It's more secure than an updated firefox.
....

musher0
Posts: 14629
Joined: Mon 05 Jan 2009, 00:54
Location: Gatineau (Qc), Canada

#35 Post by musher0 »

Edit, Nov. 2, 2016.
Kept for archival purposes. Please use the new version in this post.
Thanks.

~~~~~~~~~~~~~~~
Hello again.

Feel free to test this script:

#!/bin/sh
# /usr/local/bin/md5sums-diff.sh
# To check sums of executables and compare them if different.
# (c)  musher0, 2016/10/30. GPL3.
# Feel free to improve on this script.
#
## Usage: make a first run with
# < md5sums-diff.sh prep > on a pristine Puppy you have just installed.
# After that first run, you'll use the syntax
# < md5sums-diff.sh check > to find out if your executables are intact.
##
####
OrigLisT="/root/my-applications/md5sums.lst.orig"
ChkLisT="/root/my-applications/md5sums.lst.chk"

# Writes one section per directory into $LisT: the directory name, the
# md5sum of every file in it, then a "." separator line.
BuildTablE () {
mkdir -p "$(dirname "$LisT")"
> "$LisT"
for i in /bin /sbin /usr/bin /usr/sbin /usr/local/bin
do echo "$i" >> "$LisT"
   md5sum "$i"/* 2> /dev/null >> "$LisT"
   echo . >> "$LisT"
done
}

case "$1" in
	prep)	LisT="$OrigLisT"
		BuildTablE
		;;

	check)	if [ ! -f "$OrigLisT" ]; then
			echo "No reference list at $OrigLisT; run 'md5sums-diff.sh prep' first." >&2
			exit 2
		fi
		LisT="$ChkLisT"
		BuildTablE
		aA="`md5sum "$OrigLisT" | awk '{ print $1 }'`"
		bB="`md5sum "$LisT" | awk '{ print $1 }'`"
		if [ "$aA" != "$bB" ];then
			diff -y --suppress-common-lines "$OrigLisT" "$LisT"
# This will show the files that have a different md5sum.
			exit 1
		else
			echo "
	The binary files have NOT been tampered with.
	Your Puppy OS is ok.
"
# Otherwise no files are shown, you simply get an all-clear message.
		fi
		;;

	*)	echo "Usage: md5sums-diff.sh prep | check" >&2
		exit 2
		;;
esac
Thanks in advance.

It's an application of the concept I was talking about earlier, here.

Finally, there's nothing to worry about concerning the "changed" example
in the picture: I simply edited the script above a little to see if the script
would detect the change. I then restored the script to its pristine state.

BFN.
Attachments
md5sum-diff_2016-10-30.jpg
You get an all-clear message (top of picture) if no files have changed.
If some executables have changed, you get a listing (bottom of picture).
Last edited by musher0 on Wed 02 Nov 2016, 04:54, edited 2 times in total.
musher0
~~~~~~~~~~
"You want it darker? We kill the flame." (L. Cohen)
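An added example, not musher0's script nor a later revision of it: the same baseline-then-compare idea, but the baseline is kept in md5sum's own "sum  path" format so that md5sum -c does the comparison and reports both modified and vanished files, with a second pass for files that did not exist at baseline time (which md5sum -c cannot notice, and which a side-by-side diff only shows as an unexplained extra line). The baseline path and the directory list are assumptions.

```shell
#!/bin/sh
# Added example, not musher0's script: md5 baseline of executables kept in
# md5sum's own "sum  path" format and checked with md5sum -c.
# Assumptions: BASELINE is any writable path; DIRs are the directories to watch.

# build_manifest DIR... : print "md5  path" for every regular file under DIRs.
# Symlinks are hashed through their target, so /bin/ls -> busybox yields the
# sum of the busybox binary itself; dangling links are skipped.
build_manifest() {
    find "$@" -xdev \( -type f -o -type l \) 2>/dev/null | sort -u | while read -r f; do
        if [ -f "$f" ]; then
            md5sum "$f" 2>/dev/null
        fi
    done
}

# verify_manifest BASELINE DIR... : return 0 when every file still matches the
# baseline, 1 otherwise, printing one line per changed, missing or new file.
verify_manifest() {
    baseline=$1
    shift
    [ -r "$baseline" ] || { echo "no baseline at $baseline" >&2; return 2; }
    verdict=0
    # md5sum -c re-hashes each listed path; anything other than ": OK" is a
    # modified file ("FAILED") or one that vanished ("FAILED open or read").
    bad=$(md5sum -c "$baseline" 2>/dev/null | grep -v ': OK$') || true
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad" | sed 's/^/CHANGED OR MISSING: /'
        verdict=1
    fi
    # md5sum -c only knows the paths in the baseline, so a freshly dropped
    # binary would pass unnoticed; compare the path sets to catch additions.
    scratch=$(mktemp -d)
    cut -c35- "$baseline" | sort > "$scratch/old"      # 32 hex digits + 2 spaces
    build_manifest "$@" | cut -c35- | sort > "$scratch/new"
    added=$(comm -13 "$scratch/old" "$scratch/new")
    rm -rf "$scratch"
    if [ -n "$added" ]; then
        printf '%s\n' "$added" | sed 's/^/NEW: /'
        verdict=1
    fi
    return $verdict
}

# Stand-alone use: "prep" once on a pristine Puppy, "check" whenever you like;
# exit status 1 means something under the watched directories changed.
BASELINE=${BASELINE:-/root/my-applications/md5sums.baseline}
WATCH="/bin /sbin /usr/bin /usr/sbin /usr/local/bin"
case "$1" in
    prep)  build_manifest $WATCH > "$BASELINE" ;;
    check) verify_manifest "$BASELINE" $WATCH ;;
esac
```

Because the baseline is a plain md5sum manifest, it can also be copied to a medium the running system cannot write (or fed to debsums-style reinstall logic) without any change of format.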
