Cryptolocker (was RE: Is tape dead?

jwsmobile jws at jwsss.com
Wed Sep 16 22:49:16 CDT 2015 

There were / are bugs in the mpg and jpg libraries that allow for remote 
execution that may or may not have been fixed.

If it can screw over cell phones running on Linux, it can screw you over 
if you are running on garden variety Linux.

Since we are all users on an ongoing basis of fossilized non updated 
systems, likely all of your older Linux systems have at least the mpg 
problem, and it is a fun one.  The only thing saving you is that you 
would need to target it at a specific binary target.

thanks
JIm

On 9/16/2015 6:29 PM, Jon Elson wrote:
> On 09/16/2015 01:10 PM, Chuck Guzis wrote:
>>
>>
>> Has cryptolocker ever invaded the world of Unix/Linux/BSD?
>>
> It would be much harder.  In general, browsers do not activate just 
> any file you would download.  There are weaknesses in various 
> graphical/video add-ons to browsers that may cause vulnerabilities. 
> But, in GENERAL, malware in videos, etc. would either do nothing at 
> all when sent to the add-on program, or get a message saying something 
> like "this script contains macros, executing it could be a security 
> risk:  Yes / No"
>
> I've been browsing quite fearlessly with Linux systems for about 17 
> years, and NEVER had any problem.
> Now, I've also had a Linux web server up for about 15 years, and have 
> had 2 successful penetrations.
> One was totally innocuous, they just added a phishing web site for a 
> bank, and it was easy to remove.
> Another attack put in a root kit, and it caused a major mess, 
> including me sending out some infected code to other people. (OOPS, 
> red face!!)  These were both done by cracking insecure passwords on my 
> system.  The best defense for that is running denyhosts, which counts 
> login failures from specific IP addresses, and cuts off all access 
> from that IP after a threshold.  I set it very tight, two failed 
> attempts within a month and you are out for a year.  It was VERY 
> interesting, exactly, to the HOUR, two weeks after I set this up, the 
> 1000 per day attempts to break in dropped to 3 a day.  This means the 
> botnets actively track how long the horizon on the login failures is 
> set, and they've been programmed to give up on any node that has a 
> horizon over 2 weeks.
>
> Jon
>
>

More information about the cctalk mailing list