Powerful Linux Trojan ‘Turla’ Infected Large Number Of Victims; Much Bigger Threat Than Previously Thought; Extremely Stealthy Virus Very Difficult To Detect
Mohit Kumar, writing on the December 8, 2014 website, TheHackerNews.com, notes that cyber “security researchers have discovered a highly nasty Linux Trojan that has been used by cyber criminals in a state-sponsored attack — in order to steal personal, confidential information from government institutions, military, and pharmaceutical companies around the world.”
“A previously, unknown piece of a larger puzzle, called “Turla,” one of the world’s most Advanced Persistent Threats (APTs) uncovered by [cyber] security researchers at Kaspersky Labs in August — remained hidden on some systems for at least four years. The malware was notable for its use of a rootkit that made it extremely hard to detect,” Mr. Kumar wrote.
“The German company, G Data believed that [the] “Turla campaign is linked to Russia; and, has in the past, exploited a variety of Windows vulnerabilities, at least two of which were zero-days, to infect government institutions, embassies, military, education, research, and pharmaceutical companies in more than 45 countries.”
“Recently,” Mr. Kumar notes, “security researchers from the Moscow-based Kaspersky Lab had detected the first Turla sample targeting the Linux operating system. The Linux component of the malware points towards a much bigger threat than was previously thought; and, it may also herald the discovery of more infected systems.”
“The newly discovered Turla sample is unusual in the that that it’s the first Turla sample targeting the Linux operating system that we have discovered,” Kaspersky researcher Kurt Baumgartner said in an advisory. “We suspect that this component was running for years at a victim site; but, do not have concrete data to support that statement just yet.”
“The modules of the Linux-based Turla malware is written in C and C++ languages, and contains code from previously written libraries. The malware uses hidden network communication and stripped of symbol information, which makes it hard for engineers to reverse engineer, or analyze,” the worm Mr. Kumar observed. “As a result,” he writes, “the Linux-based Trojan may have capabilities that have not yet been uncovered completely, as Baumgartner said the Linux component is a mystery even after its discovery, adding it can’t be detected using the common Netstat command.”
“In order to hide itself, the backdoor sits inactive — until hackers send it unusually crafted packets that contain “magic numbers” in their sequence numbers. The malware has the ability to sit unnoticed on victims computers for years. The Trojan contained attack functionalities including arbitrary remote command execution, incoming packet interception and remote management — even though it requires no root system privileges,” Mr. Kumar warns.
“Earlier this year, Kaspersky Labs researchers suggested Turla as Snake, which was built on the capabilities of Agent.Biz, the worm that came to the surface in 2008, when the U.S. Department of Defense sources claimed that its classified networks had been breached by an early version of the same virus, described by officials as the “worst breach of U.S. military computers in history.” Uroburos rootkit was also one of the components of the Snake campaign,” Mr. Kumar noted.
Mr. Kumar concluded, “Agent.Biz has since been developed with many advanced features that make it even more flexible and sophisticated than before. It was thought to have inspired other nasty malware creations — including Flame and Guass.”
Dan Goodin, writing on the December 8, 2014 cyber security website, Ars Technica, wrote – “Given the power and stealth of the backdoor — not mention its connection to one of the more sophisticated espionage campaigns discovered to date — it wouldn’t be surprising for the discovery to open the door to discoveries of more infections, or malware components.” “The research is ongoing,” Baumgartner said, “I would assume at some point this is going to bridge into another finding because of the way the backdoor is used.”
As I have written many times on this blog — the Internet is a wonderful invention that is helping spread knowledge to every part of the globe — nearly instantly. It has many beneficial aspects. But, one must always assume that the Internet is “dirty;” and, even when using the Tor or encryption — never assume that what you are doing can’t be seen by prying eyes — if they are determined to look. V/R, RCP