Mutant Windows Malware?

FWIW :wink:

:mask:

3 Likes

…these checks might have been introduced by the malware’s developers while copy-pasting code from other ‘projects’…

If I were a betting man, my money would be on this.

5 Likes

It might very well be that. Good that people reporting on this plan to keep an eye on it:

For now, the code found is very simple, and could be part of a copy and paste effort when building the Python code, but in any case, we plan to keep it on our radar while researching new activity.
https://unit42.paloaltonetworks.com/pymicropsia/

Is AridViper Working on New Attack Vectors?

PyMICROPSIA is designed to target Windows operating systems only, but the code contains interesting snippets checking for other operating systems, such as “posix” or “darwin”. This is an interesting finding, as we have not witnessed AridViper targeting these operating systems before and this could represent a new area the actor is starting to explore.

[begin code]
    else:
        # non-Windows branch: locate the Chrome profile directory, exit silently if absent
        if os.name == 'posix' and sys.platform == 'darwin':
            PathName = os.getenv('HOME') + '/Library/Application Support/Google/Chrome/Default/'
            if os.path.isdir(PathName) == False:
                sys.exit(0)
        elif os.name == 'posix':
            PathName = os.getenv('HOME') + '/.config/google-chrome/Default/'
            if os.path.isdir(PathName) == False:
                sys.exit(0)
    return PathName
[end code]

For now, the code found is very simple, and could be part of a copy and paste effort when building the Python code, but in any case, we plan to keep it on our radar while researching new activity.

2 Likes

How do I protect myself against these malwares? I am usually not downloading anything from outside the arch repos and my university website. Can I call myself “safe”?

There is no reason to worry. First, this seems to be quite limited in its scope (Windows and number of those affected). And pay attention to this part:

For now, the code found is very simple, and could be part of a copy and paste effort when building the Python code, but in any case, we plan to keep it on our radar while researching new activity.

So keeping at your cautionary usage, I would say that today you are as “safe” as you were yesterday.

Please note that my intention of posting the article was not to cause panic among the users. I just found the information interesting.

2 Likes

Hmm. Yes I understand. :v:

In general, what do Linux users do to be safe from malware or ransomware? I had purchased an antivirus subscription on Windows which went to waste because I don’t use Windows anymore. But on Linux, apart from being aware of the links I click and websites I visit, is there anything else I can do? As for the software, it all comes from the repos so I don’t worry about that.

Thanks!

You could use antivirus software with Linux as well. I check my system with clamav every once in a while. On my system clamav finds a couple of false positives which I double-check with https://www.virustotal.com/gui/

1 Like

This also matches my practice. I do use Firejail to sandbox primarily the browsers I use, and I use VirusTotal to scan links to the sites I am not familiar with. Occasionally I upload some file to be scanned as well. Unless you share files with Windows I don’t think that having anti-virus/malware is of much use. As I have understood, they don’t scan for any malware specific for Linux.

2 Likes

Thanks @pebcak and @mbod

Nice suggestions I have got. Will check clamav and firejail.

Just for reference. My last scan is just 2 days old:

########
# Start: Mo 14. Dez 13:13:40 CET 2020
# Start scanning: /usr/

# Detected Malware: 16
/usr/lib/firefox/browser/features/screenshots@mozilla.org.xpi: Sanesecurity.Foxhole.JS_Zip_1.UNOFFICIAL FOUND
/usr/lib/firefox/browser/features/screenshots@mozilla.org.xpi: Sanesecurity.Foxhole.JS_Zip_1.UNOFFICIAL FOUND
/usr/lib/firefox/browser/features/webcompat-reporter@mozilla.org.xpi: Sanesecurity.Foxhole.JS_Zip_2.UNOFFICIAL FOUND
/usr/lib/firefox/browser/features/webcompat-reporter@mozilla.org.xpi: Sanesecurity.Foxhole.JS_Zip_2.UNOFFICIAL FOUND
/usr/lib/firefox/browser/extensions/{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi: Sanesecurity.Foxhole.JS_Zip_2.UNOFFICIAL FOUND
/usr/lib/firefox/browser/extensions/{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi: Sanesecurity.Foxhole.JS_Zip_2.UNOFFICIAL FOUND
/usr/lib/firefox/browser/extensions/uBlock0@raymondhill.net.xpi: Sanesecurity.Foxhole.Zip_Js_Js.UNOFFICIAL FOUND
/usr/lib/firefox/browser/extensions/uBlock0@raymondhill.net.xpi: Sanesecurity.Foxhole.Zip_Js_Js.UNOFFICIAL FOUND
/usr/lib/firefox/browser/omni.ja: Sanesecurity.Foxhole.Zip_fs197.UNOFFICIAL FOUND
/usr/lib/thunderbird/extensions/{847b3a00-7ab1-11d4-8f02-006008948af5}.xpi: Sanesecurity.Foxhole.JS_Zip_1.UNOFFICIAL FOUND
/usr/lib/thunderbird/extensions/{847b3a00-7ab1-11d4-8f02-006008948af5}.xpi: Sanesecurity.Foxhole.JS_Zip_1.UNOFFICIAL FOUND
/usr/lib/thunderbird/omni.ja: Sanesecurity.Foxhole.Zip_fs186.UNOFFICIAL FOUND
/usr/lib/thunderbird/omni.ja: Sanesecurity.Foxhole.Zip_fs186.UNOFFICIAL FOUND
/usr/share/nmap/scripts/http-vuln-cve2012-1823.nse: {HEX}php.exe.globals.414.UNOFFICIAL FOUND
/usr/share/webapps/nextcloud.bak/core/css/guest.css: Sanesecurity.Phishing.Bank.2912.UNOFFICIAL FOUND
/usr/share/webapps/nextcloud/core/css/guest.css: Sanesecurity.Phishing.Bank.2912.UNOFFICIAL FOUND

# End: Mo 14. Dez 15:30:48 CET 2020
# End scanning: /usr/

These are all false positives, verified with https://www.virustotal.com/gui/

1 Like

So you upload these files one by one to VirusTotal to check if they actually are harmful or not? Or is there another way?

Will clamav scan for anything linux-specific as well?

A couple of times that I ran it (on my home directory), it always came up with a couple of potential threats, always related to some file from an addon or an extension. Uploading to VirusTotal showed that those were false positives.

VirusTotal has an API that you can use in scripts: https://developers.virustotal.com/v3.0/reference#overview

I created a first draft script for my personal use almost a year ago. But I always forget to use it :wink: Still doing manual upload.

2 Likes

If you run clamtk (that is the GUI), there is an analyze function that you can use. It will then upload a file to VirusTotal, I believe, and present the latest result of scanning if it has been done before, by comparing the shasum. If not, I believe it will wait for the new scan to be finished and then present the result. There is a date associated with the occasion and the engine used.

2 Likes
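The hash-based check the two posts above describe (the VirusTotal v3 API, and clamtk's lookup by checksum), as an added example that is not code from the thread or from clamtk: it parses the clamscan output format quoted earlier, de-duplicates the flagged paths, hashes each file with SHA-256 and queries VirusTotal's documented `GET /api/v3/files/{hash}` endpoint, so only the hash leaves the machine, never the file. The sample log is constructed; `VT_API_KEY` is an assumed environment variable name.

```python
import hashlib, json, os, re
import urllib.error, urllib.request
# Constructed sample in the format of the clamscan log quoted in the thread.
SAMPLE_LOG = """# Detected Malware: 3
/usr/lib/firefox/browser/omni.ja: Sanesecurity.Foxhole.Zip_fs197.UNOFFICIAL FOUND
/usr/lib/firefox/browser/omni.ja: Sanesecurity.Foxhole.Zip_fs197.UNOFFICIAL FOUND
/usr/share/nmap/scripts/http-vuln-cve2012-1823.nse: {HEX}php.exe.globals.414.UNOFFICIAL FOUND
"""
FOUND_RE = re.compile(r"^(?P<path>/.+?): (?P<sig>\S+) FOUND$")

def parse_hits(log_text):
    """Map each flagged path to its signature; clamscan lists some hits twice."""
    hits = {}
    for line in log_text.splitlines():
        m = FOUND_RE.match(line.strip())
        if m and m.group("path") not in hits:
            hits[m.group("path")] = m.group("sig")
    return hits

def sha256_hex(chunks):
    """SHA-256 over an iterable of byte chunks; VirusTotal keys files by hash."""
    h = hashlib.sha256()
    for chunk in chunks:
        h.update(chunk)
    return h.hexdigest()

def sha256_of_file(path):
    with open(path, "rb") as f:
        return sha256_hex(iter(lambda: f.read(1 << 20), b""))

def verdict(stats):
    """Summarise last_analysis_stats; None (hash unknown to VirusTotal) -> 'unknown'."""
    if not stats:
        return "unknown"
    return "flagged" if stats.get("malicious", 0) + stats.get("suspicious", 0) else "clean"

def vt_lookup(sha256, api_key):
    """GET /api/v3/files/{hash}: only the hash leaves the machine, never the file."""
    req = urllib.request.Request("https://www.virustotal.com/api/v3/files/" + sha256,
                                 headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)["data"]["attributes"]["last_analysis_stats"]
    except urllib.error.HTTPError as e:
        if e.code == 404:  # VirusTotal has never seen this file
            return None
        raise
if __name__ == "__main__":  # assumes VT_API_KEY (free-tier key) in the environment
    for path, sig in parse_hits(SAMPLE_LOG).items():
        stats = vt_lookup(sha256_of_file(path), os.environ["VT_API_KEY"])
        print(path, sig, verdict(stats), stats)
```

An "unknown" verdict means nobody has submitted that file yet, which for a distro-packaged extension is itself a hint to compare the hash against the package rather than upload it.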

Yes, I believe so. It all depends on the signature database you use. I also use clamav-unofficial-sigs: https://github.com/extremeshok/clamav-unofficial-sigs

With that and the official signatures I am pretty sure it covers all known Linux specific stuff.

2 Likes

That’s great to know!
I will have a look at github’s page.
Thanks!

This is all available as an AUR package.

2 Likes

:+1:t5: perfect!