From: Steve O'Hara-Smith <steve@sohara.org>
To: freebsd-questions@freebsd.org
Date: Sat, 24 Nov 2018 18:33:10 +0000
Subject: Re: New Virus that targets *.nix
Message-Id: <20181124183310.4fe909176af298ba30d91b3a@sohara.org>
In-Reply-To: <20181124175844.6115411.91608.68576@shaw.ca>
References: <20181124175844.6115411.91608.68576@shaw.ca>
X-Mailer: Sylpheed 3.7.0 (GTK+ 2.24.32; amd64-portbld-freebsd11.1)
List-Id: User questions <freebsd-questions@freebsd.org>

On Sat, 24 Nov 2018 10:58:44 -0700 (MST)
Dale Scott wrote:

> I don't know about everyone else, but considering my general lack of
> success running Linux shell scripts in general on FBSD, I don't think
> I'll panic just yet.

	;-)  If it's well written (and it sounds like it may well be) then it
has a good chance of being very portable indeed.

	If so then the only real defense is to try and keep it outside the
circle of trust and to remove all keys not secured by passphrase, switch to
two factor authentication or do something that frustrates credential
stealing to contain it if it does get in.

	It reads like the Morris worm on steroids; it has the potential to go
through insufficiently secure big server farms like a dose of salts.

	For now I'm hoping that not having any credentials on anything
reachable from outside is good for containment provided I don't let it
loose from email or a download, which would be stupid. There are no email
or download clients here that will run an executable attachment of any
kind, I'd have to save it, chmod it and run it - nah not doing that.

-- 
Steve O'Hara-Smith
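The reply above recommends removing SSH keys that are not secured by a passphrase, since a worm that harvests credentials can reuse an unprotected key directly. The script below is an added example for this thread (it is not code from the list, from Steve, or from FreeBSD): it walks a directory such as `~/.ssh` and classifies each private-key file as passphrase-protected or not by inspecting the file structure. Legacy PEM keys advertise encryption with a `Proc-Type: 4,ENCRYPTED` header, PKCS#8 keys with an `ENCRYPTED PRIVATE KEY` BEGIN line, and OpenSSH-format keys store the cipher name in the decoded blob, where the literal `none` means no passphrase. The function names (`classify_key`, `audit_dir`, `unprotected_keys`) and the sample key files are my own constructions; the sample payloads are placeholders, not real key material.

```python
"""Find SSH private keys that are not protected by a passphrase (added example)."""
import base64
import struct
import tempfile
from pathlib import Path

# Every OpenSSH-format private key decodes to a blob that starts with this magic,
# followed by a length-prefixed ciphername ("none" when no passphrase was set).
OPENSSH_MAGIC = b"openssh-key-v1\x00"


def classify_key(data: bytes) -> str:
    """Return 'not_a_key', 'encrypted' or 'unencrypted' for a file's contents."""
    lines = [ln.strip() for ln in data.decode("ascii", "replace").splitlines() if ln.strip()]
    if not lines or not (lines[0].startswith("-----BEGIN ") and lines[0].endswith("PRIVATE KEY-----")):
        return "not_a_key"
    header = lines[0]
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = "".join(ln for ln in lines[1:] if not ln.startswith("-----"))
        try:
            raw = base64.b64decode(body, validate=True)
        except ValueError:
            return "not_a_key"
        off = len(OPENSSH_MAGIC)
        if not raw.startswith(OPENSSH_MAGIC) or len(raw) < off + 4:
            return "not_a_key"
        (n,) = struct.unpack(">I", raw[off:off + 4])
        cipher = raw[off + 4:off + 4 + n]
        return "unencrypted" if cipher == b"none" else "encrypted"
    if header == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return "encrypted"  # PKCS#8 with password-based encryption
    # Legacy PEM (RSA/DSA/EC): encryption is signalled by a Proc-Type header line.
    if any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines[1:]):
        return "encrypted"
    return "unencrypted"


def audit_dir(directory) -> dict:
    """Map each private-key file under `directory` (recursively) to its classification."""
    results = {}
    for path in sorted(Path(directory).rglob("*")):
        if path.is_file():
            status = classify_key(path.read_bytes())
            if status != "not_a_key":
                results[str(path)] = status
    return results


def unprotected_keys(directory) -> list:
    """Paths of keys that could be used without entering a passphrase."""
    return sorted(p for p, s in audit_dir(directory).items() if s == "unencrypted")


def make_openssh_key(cipher: bytes) -> bytes:
    """Construct a truncated OpenSSH-format blob (magic + ciphername only) for the samples.

    A real key continues with kdfname, kdf options and key material; only the
    ciphername field matters for the passphrase check above.
    """
    raw = OPENSSH_MAGIC + struct.pack(">I", len(cipher)) + cipher
    b64 = base64.b64encode(raw).decode("ascii")
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + b64 +
            "\n-----END OPENSSH PRIVATE KEY-----\n").encode()


# Constructed sample files for demonstration; "QUJD" is just base64 of "ABC".
SAMPLE_FILES = {
    "id_ed25519_nopass": make_openssh_key(b"none"),
    "id_ed25519_pass": make_openssh_key(b"aes256-ctr"),
    "id_rsa_legacy_nopass": b"-----BEGIN RSA PRIVATE KEY-----\nQUJD\n-----END RSA PRIVATE KEY-----\n",
    "id_rsa_legacy_pass": (b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                           b"DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\nQUJD\n"
                           b"-----END RSA PRIVATE KEY-----\n"),
    "id_rsa.pub": b"ssh-rsa AAAA... user@host\n",   # public key: ignored
    "known_hosts": b"# not a key file\n",
}


def write_samples(directory) -> None:
    """Write the constructed sample files into `directory`."""
    d = Path(directory)
    d.mkdir(parents=True, exist_ok=True)
    for name, content in SAMPLE_FILES.items():
        (d / name).write_bytes(content)


def audit_samples() -> dict:
    """Write the samples to a fresh temp dir and audit them; keys are file names."""
    d = tempfile.mkdtemp(prefix="sshaudit-")
    write_samples(d)
    return {Path(p).name: s for p, s in audit_dir(d).items()}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else Path.home() / ".ssh"
    for key in unprotected_keys(target):
        print("NO PASSPHRASE:", key)
```

Run it with a directory argument (or with none to scan `~/.ssh`); every path it prints is a key that an attacker with file access could use immediately. The check is purely structural: it says whether a passphrase exists, not whether it is strong, and it says nothing about keys already loaded into an agent. For a key it flags, `ssh-keygen -p -f <keyfile>` adds a passphrase in place, which is usually preferable to deleting the key and redistributing a new public half.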