It already is pretty rampant, however most Linux admins have minimal if any detection strategy.
Additionally, while there’s plenty of binaries about like VoidLink, almost all campaigns against Linux hosts target SSH, or RCE vulnerabilities, and deliver shell scripts that orchestrate the attack.
Why compile a binary when the shell has everything you need? The threat models are pretty different between Windows and the *nix world.
When you look at botnet composition, they’re usually made up of outdated Linux hosts with SSH open with password-based authentication.
Seriously people, switch to key-based auth and disable password auth entirely.
Could you elaborate a bit on that? Like what would you suggest apart from the obvious things like updating, not downloading weird stuff and limit open ports to the minimum and stuff like that?
Basically that. Using software with firejail and apparmor. Making a security audit with lynis.
Getting more knowledgeable about open ports and what software is able to do.
I forgot but do browsers download binaries as executable?
One of the big issues with windows is the fact that it uses file extensions for determining file type, so EXEs can just be instantly run after downloading, which led to MSFT making the “Mark Of Th Web” attribute, which moved hackers into finding every type of bypass for MOTW.
I think straight bin downloads require you to chmod +x first, but you could also probably bypass it with any archive format like .tar.gz or opting for a .deb or .rpm.
The upside is that you really shouldn’t be downloading raw bins outside of the package manager, but there are a bunch of tools that only ship as appimages, so you’re kinda screwed if you download and execute from an untrusted source.
You are not the only thing capable of running binaries on your system. There’s always the possibility of something else being compromised that now has the capability to run this binary.
Security comes in many layers on top of each other and with software having to work together to plug all possible holes, not just the direct exploitation paths you are currently actively conscious about and using.
Isn’t it already the case to steal from companies? I don’t know if things like Shai Hulud 2.0 qualifies as malware. Companies are much more lucrative targets so I am not sure personal Linux is changing much.
Unfortunately, it’s only a matter of time until native Linux malware becomes more rampant
It already is pretty rampant, however most Linux admins have minimal if any detection strategy.
Additionally, while there’s plenty of binaries about like VoidLink, almost all campaigns against Linux hosts target SSH, or RCE vulnerabilities, and deliver shell scripts that orchestrate the attack.
Why compile a binary when the shell has everything you need? The threat models are pretty different between Windows and the *nix world.
When you look at botnet composition, they’re usually made up of outdated Linux hosts with SSH open with password-based authentication.
Seriously people, switch to key-based auth and disable password auth entirely.
Yeah, got me into Linux hardening.
Could you elaborate a bit on that? Like what would you suggest apart from the obvious things like updating, not downloading weird stuff and limit open ports to the minimum and stuff like that?
Well, whenever you talk about Linux, you gotta get real hard.
I use starch, btw.
Check this page, it’s mostly applicable to all distros
Basically that. Using software with firejail and apparmor. Making a security audit with lynis. Getting more knowledgeable about open ports and what software is able to do.
I also would like to know
I forgot but do browsers download binaries as executable?
One of the big issues with windows is the fact that it uses file extensions for determining file type, so EXEs can just be instantly run after downloading, which led to MSFT making the “Mark Of Th Web” attribute, which moved hackers into finding every type of bypass for MOTW.
I think straight bin downloads require you to chmod +x first, but you could also probably bypass it with any archive format like .tar.gz or opting for a .deb or .rpm.
The upside is that you really shouldn’t be downloading raw bins outside of the package manager, but there are a bunch of tools that only ship as appimages, so you’re kinda screwed if you download and execute from an untrusted source.
Sometimes! I’ve definitely had some executable files that have downloaded with the x bit flagged.
The weak link on Linux is the number of tools that trained the users to
curl ... | bashYou can kindly fuck off with this level of hand holding lol. Forcing me to +x by default is a massive pain in the ass.
Forcing you to +x is the opposite of handholding. Do you want sudo to wipe your ass as well?
You are not the only thing capable of running binaries on your system. There’s always the possibility of something else being compromised that now has the capability to run this binary.
Security comes in many layers on top of each other and with software having to work together to plug all possible holes, not just the direct exploitation paths you are currently actively conscious about and using.
Isn’t it already the case to steal from companies? I don’t know if things like Shai Hulud 2.0 qualifies as malware. Companies are much more lucrative targets so I am not sure personal Linux is changing much.
Reminder, that once a vulnerability is found, it disappears, FOREVERRRRRR
You don’t get that with windows.
That is indeed one of the unfortunate but inevitable results of the OS becoming more popular.