Blocking the Wirenet Trojan

1 Blocking the Wirenet Trojan
(blocking perhaps the first Linux trojan)
Presented by Dave Mawdsley, DACS Member, Linux SIG
September 19, 2012

2 What is the preliminary info?
Excerpts (and taken liberties) from: "Linux users targeted by password-stealing 'Wirenet' Trojan" by John E Dunn, Techworld, 12:58, 31 August 2012
“Technical details of Wirenet.1’s operation and technique for spreading are sparse for now, but the company (Russian antivirus firm Dr Web) reports that the backdoor program targets browser passwords for Opera, Firefox, Chrome and Chromium, as well as applications such as Thunderbird, SeaMonkey and Pidgin. Under Linux it copies itself to the ~/WIFIADAPT directory before attempting to connect to a command and control server hosted at using an AES encrypted channel. That at least offers a simple way of blocking communication and any further payloads....”

3 So Here's My Temporary Solution
Using a terminal under root, append hosts.deny with:
cd /etc; nano hosts.deny
Next, at the bottom of the file add the following line (note the space):
ALL: 
Save the file and exit root.
Verify that hosts.deny is okay with:
cat /etc/hosts.deny
Last, verify that hosts.allow doesn't allow it with:
cat /etc/hosts.allow

4 A Perhaps Better Linux Solution
If you're using IPTABLES, appending the following entries in the appropriate sections would probably be a good idea:
# iptables -A INPUT -s j DROP
# iptables -A OUTPUT -d j DROP

5 Fixing the hosts file in Windows Computers
Open Notepad as an administrator, navigate to C:\Windows\System32\drivers\etc, select All Files (*.*) rather than .txt documents, and open the hosts file.
Add the following separate lines in the document:
# Wirenet Trojan
Save the hosts file and exit Notepad.

6 Another Point of View in a Posting
David Dreggors:
I am not sure I would call this FUD, that would imply intent to be misleading. I believe Dr. Web (and this author) simply use "Linux" as a generic term for any distribution running the Linux kernel and more specifically the GNU toolchain and applications. Also, when dealing with the masses you have to remember that the lay person is confused way too easily by too many specifics and you have to be more generic in statements like this. While elitists and purists may take severe issue with that notion, they also should recognize that giving the idea that GNU/Linux is way too overly complicated to understand by the novice users is not helpful either. When was the last time you heard anyone chastised for calling a certain vehicle a car? You simply don't hear anyone shout out "It's a Porsche! That must be FUD because they did not properly describe it in its entirety!" No offense meant, just sharing some thoughts.

7 In Conclusion...
It's highly likely that the ip address (Dino Strzeminski, Jaracza 3/49, Warszawa, POLAND) will be blocked and that another ip address or a group of them may become the replacement for the command and control server of the trojan.
It might be useful to verify that the following folder is NOT on your Linux computer: /WIFIADAPT
All this is another reminder to NOT be running under root in Linux unless it's really necessary, because hosts.allow, hosts.deny and other system files could be modified by the trojan.
Finally, all Linux, Mac and Windows users need to “stay tuned” to tech reports about the Backdoor.Wirenet.1 trojan.
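The checks from slides 3, 4 and 7 (deny entry present, hosts.allow not overriding it, no WIFIADAPT drop directory, and the iptables OUTPUT rule loaded) can be scripted so they are repeatable across machines. The script below is an added example, not part of the talk or of the wirenet.odp file. Because the talk's command and control address was not preserved on this page, the script assumes a placeholder C2_ADDR (an RFC 5737 documentation address) that must be replaced with the address from a current threat report. One point worth knowing when reading it: hosts.allow and hosts.deny are TCP wrappers files consulted by libwrap-aware daemons for inbound connections, and hosts.allow is checked first, so they do not stop an infected machine's own outbound connection to the C2 server; of the two approaches on the slides, the iptables OUTPUT rule on slide 4 is the one that actually blocks that traffic.

```shell
#!/bin/sh
# Added example, not from the slides: audit the controls the talk recommends.
# C2_ADDR is an assumption: the address shown in the talk was not preserved on
# this page, so an RFC 5737 documentation address stands in for it. Replace it
# with the address from a current threat report before a live run.
C2_ADDR="${C2_ADDR:-192.0.2.1}"

# escape_re ADDR: turn the dots of an address into literal dots for grep -E.
escape_re() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# has_deny_entry FILE ADDR: succeeds if FILE has a non-comment "ALL: ADDR" line.
# The boundary check stops 192.0.2.1 from matching an entry for 192.0.2.10.
has_deny_entry() {
    grep -v '^[[:space:]]*#' "$1" 2>/dev/null |
        grep -Eq "^[[:space:]]*ALL[[:space:]]*:[[:space:]]*$(escape_re "$2")([[:space:]]|$)"
}

# has_allow_entry FILE ADDR: succeeds if any non-comment line mentions ADDR.
# hosts.allow is consulted before hosts.deny, so a match here defeats the deny.
has_allow_entry() {
    grep -v '^[[:space:]]*#' "$1" 2>/dev/null | grep -Fq -- "$2"
}

# wifiadapt_present HOME_DIR: succeeds if the drop directory from the talk exists.
wifiadapt_present() {
    [ -d "$1/WIFIADAPT" ]
}

# output_rule_present ADDR: succeeds if an iptables OUTPUT DROP rule for ADDR is
# loaded. Needs root; "iptables -S" prints rules as "-A OUTPUT -d A.B.C.D/32 -j DROP".
output_rule_present() {
    iptables -S OUTPUT 2>/dev/null | grep -Fq -- "-d $1/32 -j DROP"
}

# audit HOSTS_DENY HOSTS_ALLOW HOME_DIR ADDR: writes findings to stderr and
# prints the number of problems found to stdout.
audit() {
    audit_problems=0
    if has_deny_entry "$1" "$4"; then
        echo "ok: $1 denies $4" >&2
    else
        echo "missing: no 'ALL: $4' line in $1" >&2
        audit_problems=$((audit_problems + 1))
    fi
    if has_allow_entry "$2" "$4"; then
        echo "warning: $2 mentions $4, which overrides the deny entry" >&2
        audit_problems=$((audit_problems + 1))
    else
        echo "ok: $2 does not override the deny entry" >&2
    fi
    if wifiadapt_present "$3"; then
        echo "ALERT: $3/WIFIADAPT exists; investigate this host" >&2
        audit_problems=$((audit_problems + 1))
    else
        echo "ok: no $3/WIFIADAPT directory" >&2
    fi
    echo "$audit_problems"
}

# Live run against the real files (sh audit.sh --live); exits non-zero on problems.
if [ "${1:-}" = "--live" ]; then
    count=$(audit /etc/hosts.deny /etc/hosts.allow "$HOME" "$C2_ADDR")
    if output_rule_present "$C2_ADDR"; then
        echo "ok: iptables OUTPUT drops traffic to $C2_ADDR" >&2
    else
        echo "note: no iptables OUTPUT DROP rule for $C2_ADDR (or not run as root)" >&2
    fi
    [ "$count" -eq 0 ]
fi
```

Run it as root with `C2_ADDR=<address> sh audit.sh --live`; the functions take file paths as arguments so the same checks can be pointed at copies of hosts.allow and hosts.deny collected from other machines. The WIFIADAPT check only covers the invoking user's home directory; on a shared machine run it once per home directory, since the talk notes the trojan copies itself under ~ of whichever user ran it.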

8 Blocking the Wirenet Trojan
(blocking perhaps the first Linux trojan)
This LibreOffice.org Presentation 'wirenet.odp' can be downloaded from

