Linux Lite 4.4 Final has been released. See the Release Announcements section for more information.



I think I Might Have Russian Trojan Fysbis on my computer


I think I Might Have Russian Trojan Fysbis on my computer
« on: April 04, 2016, 08:31:14 PM »
 

Jan


  • Linux Lite: 2.8 32bit

  • CPU: Pentium 4 530 (P) HT 3.0 GHz desktop

  • MEMORY: 512mb

  • VIDEO CARD: Nvidia (I'll look up the specs and write them in later)
I write this from my Windows 7 laptop as my desktop that has both Linux Lite and Linux Mint 17 has now become so slow over the past week that it's almost unusable - and both systems are affected (or should I say, infected?).  Like most people, I thought I didn't have to worry about viruses and Trojans with Linux - but I see from these recent postings that a very nasty Trojan virus out of Russia is affecting Linux systems everywhere.

Those reading this may wonder why do I suspect I might have Fisbis?  Well, the most obvious is the very sudden slow down in both Linux Lite and Linux Mint over the past week or so and all three browsers (firefox, midori, and tor) are constantly crashing even though I have only an ad-blocker add-on.  My computer is behaving like it has a virus or some type of malware - and I think it might be Fisbis. 

So how did I get Fisbis?  Well, on Feb 11, 2016, an article came out extolling the features of the free email service called Yandex - that comes out of, you guessed it, Russia.  (On Feb 15th, news hit the internet about the Fisbis Trojan - but of course I didn't know about this at the time.)  In the process of testing out Thunderbird on Linux Lite I didn't want to use my official email account, so I thought I would set up a separate free email account on Yandex using POP3 in Thunderbird.  Meanwhile, on the Linux Mint OS, I set up a Yandex free email account using POP3 in Evolution.

The server for Yandex email - as well as their free Yandex web browser, unlimited online storage starting at 10 GB, integration with Yandex Disk, e-Cards, and a whole bunch of other goodies - all comes out of Russia.  I have to admit, two weeks ago, as I was setting up the free email service (which was all I wanted anyway), I had a twinge of "Gee, should I be doing this????"  Of course, in the process of setting up your free email account you get to choose your wallpaper ....."Oh boy, what a swell looking picture of the Kremlin....." - and now my feet are getting cold, but I'm too far in, though I have to admit, the beautiful pictures of deep outer space - probably from the Russian Space Station - did make me feel slightly better and set my geekly heart aflutter.  Yup, they sure do know how to reel ya in.....

Of course, the easiest way to get rid of this would be to do a fresh install of both Linux Lite and Linux Mint and totally nix Yandex altogether - which is probably what I will do eventually. 

However, before taking this final step, is there any way to test my suspicion that I've been infected with Fisbis (or something else equally nasty)? 

Also, other than avoiding anything coming out of Russia, how can Linux users protect themselves from these kinds of threats?



 


Re: I think I Might Have Russian Trojan Fysbis on my computer
« Reply #1 on: April 05, 2016, 04:55:31 AM »
 

Jerry

  • Linux Lite Creator

  • Linux Lite: 3.8 64bit

  • CPU: Intel Xeon Dual CPU's E5645 2.4GHz 12 Cores

  • MEMORY: 16Gb

  • VIDEO CARD: nVidia GeForce GTX 960
This article here will tell you if you have that specific Trojan: http://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/ - just look at the "Root install desc" and "Install as non-root" file names.

 

Re: I think I Might Have Russian Trojan Fysbis on my computer
« Reply #2 on: April 05, 2016, 06:23:27 PM »
 

stop0x0000000a

I live in Russia and despite not being a fan of Yandex I really doubt they infect their users with any kind of trojans.

If they did that they would simply lose the market.

I would suspect overheating, motherboard capacitors, power supply or something similar, e.g. start with a memory test.
It is always possible to reinstall the OS if the hardware is OK.
 

Re: I think I Might Have Russian Trojan Fysbis on my computer
« Reply #3 on: April 05, 2016, 09:04:01 PM »
 

Jan

This article here will tell you if you have that specific Trojan: http://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/ - just look at the "Root install desc" and "Install as non-root" file names.

Thanks for your reply, Jerry.  I read the full article but I'm not clear on what I should do next.  I'm not computer savvy and much of the article is way, way above my little "Linux-Newbie" head :) .  At the end of the article I'm wondering: does this mean I'm supposed to type the words "IPS signature 14917" on the command line?

Or, in order to find out if I have Fisbis on board, are you saying that I should use the Terminal and type the commands "Root install desc" and "Install"?

 

 

Re: I think I Might Have Russian Trojan Fysbis on my computer
« Reply #4 on: April 05, 2016, 09:33:20 PM »
 

Jan

I live in Russia and despite not being a fan of Yandex I really doubt they infect their users with any kind of trojans.

If they did that they would simply lose the market.

I'm sure the developers of Yandex offer it with good intentions.  But, as with many free services, there is often a catch - or a trade-off - data mining comes to mind.  As for hacking, one would assume that Russian hackers would be most familiar with the vulnerabilities of Russian servers, email services and so forth, so it would make sense that if they're going to hack a system, they would hack what they know best.




I would suspect overheating, motherboard capacitors, power supply or something similar, e.g. start with a memory test.
It is always possible to reinstall the OS if the hardware is OK.



Thanks for the suggestions above.  I'll keep those in mind if reinstalling doesn't resolve the problems.
 

Re: I think I Might Have Russian Trojan Fysbis on my computer
« Reply #5 on: April 06, 2016, 07:21:46 AM »
 

rokytnji


  • Linux Lite: 3.6 64bit

  • CPU: Intel Core2 Duo U9600

  • MEMORY: 4Gb

  • VIDEO CARD: Intel Mobile 4
This article here will tell you if you have that specific Trojan: http://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/ - just look at the "Root install desc" and "Install as non-root" file names.

Thanks for your reply, Jerry.  I read the full article but I'm not clear on what I should do next.  I'm not computer savvy and much of the article is way, way above my little "Linux-Newbie" head :) .  At the end of the article I'm wondering: does this mean I'm supposed to type the words "IPS signature 14917" on the command line?

Or, in order to find out if I have Fisbis on board, are you saying that I should use the Terminal and type the commands "Root install desc" and "Install"?

 



Just me testing for you on my Linux install. You can follow my steps.

Code:
harry@biker:~$ sudo -i
[sudo] password for harry:
root@biker:~# updatedb
root@biker:~# locate ksysdefd
root@biker:~#

Jerry can look at my steps and confirm or deny whether my troubleshooting steps for locating installed trojan files are on the mark or not.
The lack of any output after the locate command tells me I am trojan free.
 

Re: I think I Might Have Russian Trojan Fysbis on my computer
« Reply #6 on: April 06, 2016, 07:53:24 PM »
 

Jan


Just me testing for you on my Linux install. You can follow my steps.

Code:
harry@biker:~$ sudo -i
[sudo] password for harry:
root@biker:~# updatedb
root@biker:~# locate ksysdefd
root@biker:~#

Jerry can look at my steps and confirm or deny whether my troubleshooting steps for locating installed trojan files are on the mark or not.
The lack of any output after the locate command tells me I am trojan free.

Thanks for the instructions, rokytnji.  I just entered them and there was no return of info after I entered the "locate ksysdefd" command, so I guess that would mean I don't have a trojan per se, but is it possible I could still have a virus or some other form of malware infecting my system?   

 

Re: I think I Might Have Russian Trojan Fysbis on my computer
« Reply #7 on: April 06, 2016, 10:29:45 PM »
 

stop0x0000000a

Thanks for the instructions, rokytnji.  I just entered them and there was no return of info after I entered the "locate ksysdefd" command, so I guess that would mean I don't have a trojan per se, but is it possible I could still have a virus or some other form of malware infecting my system?   

locate ksysdefd only looks for a file named 'ksysdefd'; if that trojan is so smart it would not take the same name every time.

The only reliable tool is hash sums for the whole system and a recheck.
The bad thing is that you should understand what you are doing; I know of no ready easy-to-use solution.
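The "hash sums for the whole system and recheck" idea above, as an added example that is not from the thread: a small POSIX shell baseline built with sha256sum, narrowed to one directory tree. It also shows what a name lookup like the `locate ksysdefd` step earlier cannot catch: a changed file, or a new file under any name, is reported regardless of what it is called. All file names and contents below are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Baseline = one "<sha256>  <path>" line
# per regular file; recheck = re-hash the listed files and look for newcomers.
# A real baseline must be stored where the checked system cannot alter it
# (read-only media, another host); otherwise the recheck proves nothing.

# Write a baseline of every regular file under tree $1 to file $2
# (keep $2 outside $1, or the baseline file ends up hashing itself).
make_baseline() {
    find "$1" -type f -exec sha256sum {} + | LC_ALL=C sort > "$2"
}

# Compare tree $1 against baseline $2. Prints "<changed-or-missing> <new>".
recheck() {
    dir=$1; base=$2
    # sha256sum --check re-hashes each listed path; --quiet prints only the
    # FAILED lines (content changed, or file gone), so count those.
    changed=$(sha256sum --check --quiet "$base" 2>/dev/null | grep -c 'FAILED' || true)
    # Files present now but absent from the baseline: newly dropped files,
    # whatever innocuous name they were given.
    listed=$(mktemp); now=$(mktemp)
    sed 's/^[0-9a-f]*  //' "$base" | LC_ALL=C sort > "$listed"
    find "$dir" -type f | LC_ALL=C sort > "$now"
    new=$(comm -13 "$listed" "$now" | wc -l | tr -d ' ')
    rm -f "$listed" "$now"
    echo "$changed $new"
}

# Constructed scenario: baseline a two-file tree, then replace one file's
# content and add a file under an unremarkable name. Prints "1 1".
demo() {
    work=$(mktemp -d); tree=$work/bin; mkdir -p "$tree"
    printf 'original tool\n' > "$tree/tool"
    printf 'another tool\n'  > "$tree/other"
    make_baseline "$tree" "$work/baseline.sha256"
    printf 'replaced tool\n' > "$tree/tool"     # same name, different content
    printf 'new payload\n'   > "$tree/helper"   # new file, harmless-looking name
    recheck "$tree" "$work/baseline.sha256"
    rm -rf "$work"
}
```

Run `demo` to see the two findings; on a clean tree the recheck prints `0 0`.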
 

