
Thousands of Linux hosts have been hit by ransomware. How do you defend against it?

2025-01-18 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02 Report--

This article explains how to defend Linux hosts against ransomware, prompted by a campaign that has already hit thousands of them. The content is concise and easy to understand, and I hope you gain something from the detailed introduction.

Foreign security media have reported a Linux ransomware family named Lilocked. So far it has infected more than 6000 Linux hosts, appending the suffix .lilocked to the files it encrypts. Russian security researchers believe Lilocked is most likely spread through CVE-2019-15846, the latest remote code execution vulnerability in the Exim mail transfer agent.

In fact, this ransomware first appeared in mid-July this year, but its modest activity at the time drew little public attention. Recently the number of infections has surged and shows signs of turning into an outbreak.

Searching Google for the keyword "# README.lilocked" returns about 6340 results, meaning nearly 6340 known Linux hosts on the public Internet have been hit by this ransomware. The real number of extorted hosts must be much higher, because many hosts are either not reachable from the Internet or not indexed by search engines.

Scanning the ports of these hosts with ZoomEye shows that most of them have a mail service enabled, which lends support to the Russian researchers' claim that the Exim vulnerability is the entry point.

The ransom note's Tor address is y7mfrrjkzql32nwcmgzwp3zxaqktqywrwvzfni4hm4sebtpw5kuhjzqd.onion. Like Sodinokibi, the site requires the victim to enter a key before it shows the corresponding contact page, where the attackers state that to decrypt the files the victim must send 0.03 BTC to the wallet address 1KxvqPWMVpCzjx7TevBY3XbMeFNj85Keef.

So what is the difference between ransomware on Linux and ransomware on Windows, and how do you defend against it? In fact, whichever platform it runs on, ransomware follows a similar workflow:

Detect antivirus software -> skip machines whose system language marks them as exempt ("national immunity") -> generate the encryption key -> traverse directories outside the system file paths -> encrypt files with specific suffixes -> delete backup files -> exit.

However, Linux ransomware usually takes one step more than Windows ransomware: before starting, it exploits a vulnerability to escalate privileges. Lilocked is no exception; it uses an undisclosed vulnerability to elevate itself to root before encrypting. The following demonstrates the behaviour with and without root privileges using the open-source Linux ransomware GonnaCry. GonnaCry is relatively simple: it encrypts file contents with the AES algorithm and then modifies the host's desktop.

Running as an ordinary user, GonnaCry can barely complete the encryption; it manages to encrypt only a few temporary files.

Running as root, GonnaCry encrypts successfully: the doc files in the home directory are turned into files with the GNNCRY suffix. Clearly, whether or not Linux ransomware runs with root privileges makes all the difference to the outcome.

Because access control in Linux is strict, a process cannot manipulate other users' files unless the file permissions grant access to its user group. For example, if ransomware gets in through a Redis vulnerability, it runs as the redis account (assuming the application was launched as the redis user) and cannot read or write files belonging to other users such as root, user1 or user2. This is why Linux malware looks for ways to escalate privileges.

Metasploit (MSF) carries many exploits (EXPs) for Linux privilege escalation vulnerabilities, and ransomware need only integrate the relevant core code to escalate. Once promoted to root it can read and write arbitrary files. Of course, if the root password is weak, the ransomware does not need a vulnerability at all: it can simply brute-force the password and run as root.

In fact, Linux already provides countermeasures for the situations above: SELinux and AppArmor. Both apply mandatory access control (MAC) to minimize the resources a service process can access (the principle of least privilege), so that even the root user cannot manipulate files at will. There are tutorials online, and if the rules are written properly they can be used to prevent ransomware.

Finally, here are some suggestions for defending against ransomware on the Linux platform:

1. Try not to run Web applications with root privileges.

2. Apply important patches promptly to prevent applications from being exploited through vulnerabilities.

3. Use a complex root password so that it cannot be brute-forced.

4. Turn on SELinux, AppArmor or similar mechanisms to protect important files.

5. Deploy endpoint security software for protection.
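As an added example (not from the article or any named project), a POSIX shell audit script that checks points 1, 3 and 4 of the list above, including the SELinux/AppArmor status discussed earlier. The daemon names, the 12-character minimum and the function names are my own assumptions.

```shell
#!/bin/sh
# Added audit script (not from the article or any named project): checks the
# article's recommendations 1, 3 and 4 on a host. Each check reads its input
# as text so it can be exercised on constructed samples; audit_host wires the
# checks to the live system (assumes procps `ps` and the sysfs paths below).

# Check 1: service daemons running as root. Input lines: "USER COMMAND",
# the shape of `ps -eo user:20,comm --no-headers`. Daemon list is an assumption.
root_services() {
    awk '$1 == "root" && $2 ~ /^(nginx|httpd|apache2|php-fpm|exim|exim4|redis-server|gunicorn|uwsgi)$/ { print $2 }' | sort -u
}

# Check 4: mandatory access control state. Arg 1: content of
# /sys/fs/selinux/enforce ("1" enforcing, "0" permissive, empty if absent);
# arg 2: content of /sys/module/apparmor/parameters/enabled ("Y" or "N").
mac_status() {
    case "$1:$2" in
        1:*) echo "selinux-enforcing" ;;
        *:Y) echo "apparmor-enabled" ;;
        0:*) echo "selinux-permissive" ;;
        *)   echo "no-mac" ;;
    esac
}

# Check 3: password policy. Reads /etc/login.defs-style text from stdin and
# succeeds only if PASS_MIN_LEN is at least 12 (the threshold is our choice).
pass_min_len_ok() {
    awk '$1 == "PASS_MIN_LEN" { n = $2 } END { exit !(n + 0 >= 12) }'
}

# Live run: report findings and return non-zero if anything is weak.
audit_host() {
    rc=0
    bad=$(ps -eo user:20,comm --no-headers | root_services)
    [ -z "$bad" ] || { echo "daemons running as root: $bad"; rc=1; }
    mac=$(mac_status "$(cat /sys/fs/selinux/enforce 2>/dev/null)" \
                     "$(cat /sys/module/apparmor/parameters/enabled 2>/dev/null)")
    echo "MAC: $mac"
    [ "$mac" = selinux-enforcing ] || [ "$mac" = apparmor-enabled ] || rc=1
    pass_min_len_ok < /etc/login.defs 2>/dev/null || { echo "PASS_MIN_LEN < 12"; rc=1; }
    return $rc
}

# Only touch the live host when invoked with --run, so the functions can be
# sourced or tested on sample input without side effects.
if [ "${1:-}" = "--run" ]; then audit_host; fi
```

Run it as `sh audit.sh --run` on a host; a non-zero exit means at least one of the three checks found a weakness.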

The above explains how to defend Linux hosts against ransomware campaigns like the one that has hit thousands of them. Have you picked up the knowledge or skills? If you want to learn more or broaden your knowledge, you are welcome to follow the industry information channel.
