Linux Is Sick, Look Out For Turla

December 10, 2014 11:06 AM

When I checked Facebook at 7 in the morning (my latest ritual) trying to catch up on anything relevant in my little world, a post about a trojan on Linux made me drop everything and check it out. Literally rubbing the sleep out of my drooping and drunk-with-sleep eyes I woke up to a harsh truth: There is a bug/trojan powerful enough to be written about in Linux, and in other news, I just lost bragging rights.

One of the few things I get to brag about (and I do it a lot) is the fact that Linux is impregnable. Chiding the others who’d use anti-virus software, I’d tell them how I’ve never used one in years. My shield is cracking and it’s because of a bug, The Turla, if you want to put a name on it. Argh!

Not to be underplayed in any way, the Turla is a silent trojan that infects Linux, draining all sorts of private/sensitive information (it doesn’t really need any root privileges). What’s horrific – it’s been happening for four years.

Linux is still robust, a fact I will attest to, but I guess it is hard for me to feel vulnerable after this piece of news hits the headlines in the alternate OS universe. The Turla, an APT (Advanced Persistent Threat) and a complex worm based on 14-year-old code, is now in need of a cure, having affected embassies, pharmaceuticals and government systems for over four years now.

Researchers at anti-virus software giants Symantec and Kaspersky Lab, who first detected Turla on Windows, discovered that many PCs across 45 countries have been affected, mostly through unpatched zero-day exploits. Further, the Lab also discovered that parts of this trojan affected Linux, intercepting incoming packets and running incoming commands on the system without any elevated privileges. It is still unclear how many Linux users this virus has affected; the depth it has sunk to is yet to be revealed.

While we’re waiting for a work-around and I call it one (not comfortable using the word “anti-virus”), here’s what Kaspersky Lab has to say, “The Linux Turla module is a C/C++ executable statically linked against multiple libraries, greatly increasing its file size. It was stripped of symbol information, more likely intended to increase analysis effort than to decrease file size. Its functionality includes hidden network communications, arbitrary remote command execution, and remote management. Much of its code is based on public sources.”
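The two traits named in the quote above (static linking, stripped symbol information) can be read straight from a file's ELF headers. The sketch below is an added example, not code from Kaspersky or from the original post; the function names and the sample bytes are constructed for illustration, and since plenty of legitimate binaries are static and stripped too, a match is a reason to look closer, not a verdict.

```python
import struct
import sys

PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3   # program header types
SHT_PROGBITS, SHT_SYMTAB = 1, 2            # section header types

def elf_traits(data: bytes) -> dict:
    """Report whether an ELF image is statically linked and/or stripped."""
    if len(data) < 52 or data[:4] != b"\x7fELF" or data[4] not in (1, 2) or data[5] not in (1, 2):
        raise ValueError("not an ELF file")
    end = "<" if data[5] == 1 else ">"                                   # EI_DATA: byte order
    fmt, off = ("QQIHHHHH", 32) if data[4] == 2 else ("IIIHHHHH", 28)    # EI_CLASS: 64/32 bit
    try:
        phoff, shoff, _, _, phsz, phnum, shsz, shnum = struct.unpack_from(end + fmt, data, off)
        # p_type is the first word of a program header, sh_type the second word of a section header.
        ptypes = {struct.unpack_from(end + "I", data, phoff + i * phsz)[0] for i in range(phnum)}
        stypes = {struct.unpack_from(end + "I", data, shoff + i * shsz + 4)[0] for i in range(shnum)}
    except struct.error as exc:
        raise ValueError("truncated ELF headers") from exc
    return {
        # No interpreter and no dynamic section: classic static link (static-PIE is not covered).
        "static": PT_INTERP not in ptypes and PT_DYNAMIC not in ptypes,
        # No .symtab section (or no section headers at all): symbol information removed.
        "stripped": SHT_SYMTAB not in stypes,
    }

def matches_description(data: bytes) -> bool:
    """True when both traits from the quoted description are present (a triage hint only)."""
    traits = elf_traits(data)
    return traits["static"] and traits["stripped"]

def build_sample(static: bool, stripped: bool) -> bytes:
    """Constructed 64-bit little-endian ELF skeleton: headers only, not a runnable program."""
    ptypes = [PT_LOAD] if static else [PT_LOAD, PT_INTERP, PT_DYNAMIC]
    stypes = [0, SHT_PROGBITS] if stripped else [0, SHT_PROGBITS, SHT_SYMTAB]
    phoff = 64
    shoff = phoff + 56 * len(ptypes)
    hdr = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    hdr += struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, phoff, shoff, 0,
                       64, 56, len(ptypes), 64, len(stypes), 0)
    ph = b"".join(struct.pack("<I", t) + bytes(52) for t in ptypes)
    sh = b"".join(struct.pack("<II", 0, t) + bytes(56) for t in stypes)
    return hdr + ph + sh

if __name__ == "__main__":
    for path in sys.argv[1:]:          # e.g. python elf_traits.py /usr/local/bin/*
        with open(path, "rb") as fh:
            print(path, elf_traits(fh.read()))
```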

Don’t assume that just because you aren’t in a country that isn’t a threat, you’re safe. Linux users everywhere beware. This virus is the precursor to an undeniable truth: We are no longer safe. Not your average user-focused virus bundled with faux software, this finessed, adaptable and complex virus knows who it wants and goes after it (for all I know, it might’ve got you and me already). At least, we’re doing good, in that Linux is now slowly rising in usage like I dreamt back in April, but as they say, with the rose come the thorns.

I am no expert in security, nor am I suggesting a measure; I quote the internet when I ask, or rather implore, Linux users to avoid the darker side of the web and stay away from downloading/running scripts, apps, or binaries from untrusted sites or PPAs.

Practice safe computing and wait for the Linux gods to figure out a potion to give mere mortals, but until then don’t infect others; just let them know there’s a bug/trojan/virus (whatever you want to call it) in town and they need to look out for a cure/miracle in this case.

Give Kaspersky’s blog a visit for updates.