Linux virus discovered after 10 years

@vasileios
I just read a very interesting article on a Linux virus that has just been discovered. Anyone else heard of this?

Hey @waynetb!
I had a deeper look into it. At first, allow me to say that based on the detailed results of the analysis within the article, it’s an obsolete virus. Unlike Windows, Linux is very specific on its library versions and their architecture.

Here’s what I mean:

First, this type of backdoor attack has to be initiated when connecting to a server. Then, via that server, the SMB protocol has to be engaged (access network drives). This could possibly give a bad actor some filesystem access, depending on the privileges of the “intercepted” user. In short, this is closer to corporate espionage than an overall system backdoor.

The main reason is that when you run Linux on a single system, you do not engage SMB (Samba) unless you install it and start sharing files and folders. Even in that scenario, your system is not running an HTTP server to do so. Therefore there is no reason for concern.

Second and most importantly, this vulnerability is 32-bit, which means it latches onto 32-bit shared libraries. For a long while now, most Linux distros are 64-bit, which consider the 32-bit architecture to be foreign. You can verify this by opening up a terminal on a Debian/Ubuntu based distro and typing in:

dpkg --print-foreign-architectures

The result will be:

i386

Which is the 32-bit architecture.

The only case that 32-bit becomes enabled in modern computers (in a 64-bit environment) is if it’s manually enabled and for the installation of WINE - and only for very specific functions. Still, a desktop/laptop system would not run an HTTP/SMB server protocol simultaneously on a 32-bit environment.

Also, there are no servers out there that run Linux on a 32-bit architecture. All of them have been 64-bit for many years now. :slight_smile:

Awesome Vasileios! Thank you Sir.

Thank you both for the story and explanation!

I got the same i386 result using that command, good run down.

Is there any way to turn off the i386 architecture? I enabled it for wine but changed my mind.

Hey @Tacodogg!
My apologies for my slight delay. Deadlines, deadlines!

Yes, you can do so and remove all the i386 packages installed. To disable the architecture, type in:

sudo dpkg --remove-architecture i386

Then test to see if it has become foreign:

dpkg --print-foreign-architectures

It should produce the i386.

Now, to remove all the 32-bit packages, first make sure you do not have an NVidia card with its proprietary drivers installed. The reason is because that driver installs some 32-bit libraries for games. If you do, revert to Nouveau for this process, then reboot to begin the i386 package removal. If you don’t, simply continue to the next step.

To remove all i386 (32-bit) packages, execute:

sudo apt purge `dpkg --get-selections | grep ":i386" | awk '{print $1}'`

This will look into your database for all files that include the :i386 identification (which holds true for all Debian/Ubuntu based distros) and purge them and their configuration files.

I hope this helps! :wink:

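An added example, not part of the reply above, that carries the same clean-up through in the order dpkg actually requires: dpkg refuses `--remove-architecture` while packages of that architecture are still installed, so the packages are purged first, the architecture is removed second, and `--print-foreign-architectures` is checked last. The helper functions and the sample `dpkg --get-selections` output are constructed for this example; the real run assumes a Debian/Ubuntu system with sudo.

```shell
#!/bin/sh
# Added example: list installed i386 packages and remove the architecture
# only once none are left. Not part of the original thread.

# Print the names of packages in the "install" state whose architecture is
# i386, reading `dpkg --get-selections` output on stdin. Entries already in
# the deinstall/purge/hold states are skipped so apt is not asked to purge them.
i386_packages() {
  awk '$1 ~ /:i386$/ && $2 == "install" { print $1 }'
}

# Succeed (exit 0) when the selections on stdin contain no installed i386
# package, i.e. when `dpkg --remove-architecture i386` can be expected to work.
i386_clear() {
  [ -z "$(i386_packages)" ]
}

# Constructed sample selections for offline use (not from a real system).
SAMPLE='libc6:amd64 install
libc6:i386 install
libgl1-mesa-dri:i386 install
oldlib:i386 deinstall
wine64:amd64 install'

# Real run, only when explicitly requested and dpkg is present:
#   sh this_script.sh --apply
if [ "${1:-}" = "--apply" ] && command -v dpkg >/dev/null 2>&1; then
  pkgs=$(dpkg --get-selections | i386_packages)
  if [ -n "$pkgs" ]; then
    printf 'Purging i386 packages:\n%s\n' "$pkgs"
    # shellcheck disable=SC2086  # word splitting on package names is intended
    sudo apt purge $pkgs
  fi
  if dpkg --get-selections | i386_clear; then
    sudo dpkg --remove-architecture i386
  else
    echo "i386 packages still installed; architecture left in place" >&2
  fi
  echo "Foreign architectures now: $(dpkg --print-foreign-architectures)"
fi
```

Without `--apply` the script only defines the helpers, so it can be sourced and tried against saved selections before touching a live system.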

Thank you! It worked! I did not have a Nvidia card. Just an Intel one.

Awesome @Tacodogg! You are most welcome! :slight_smile: