The officially official Devuan Forum!

You are not logged in.

#1 2021-05-02 18:20:34

andyprough
Member
Registered: 2019-10-19
Posts: 327  

RotaJakiro backdoor that's been found in some systemd packages

Anyone read the news on this RotaJakiro backdoor that was just discovered? It was found in 3 systemd-daemon packages:
https://blog.netlab.360.com/stealth_rot … ckdoor_en/

Sounds like it was very secretive, using rotating encryption to avoid detection. Might be the product of some state-sponsored hackery.

Here's a news writeup from TheRegister: https://www.theregister.com/2021/04/29/ … e_spotted/

Offline

#2 2021-05-02 18:26:00

andyprough
Member
Registered: 2019-10-19
Posts: 327  

Re: RotaJakiro backdoor that's been found in some systemd packages

Better writeup here in SecurityWeek: https://www.securityweek.com/stealthy-r … ux-systems

"C2" in the article refers to "command and control servers".

Offline

#3 2022-11-02 01:15:07

andyp67
Member
Registered: 2022-10-30
Posts: 228  

Re: RotaJakiro backdoor that's been found in some systemd packages

I really like theregister

When I install I dpkg -P apparmor
When I install X, I dpkg --force-all -P elogind libelogind0 libpam-elogind libpolkit-agent-1-0 libpolkit-gobject-1-0 libpolkit-gobject-elogind-1-0 policykit-1 policykit-1-gnome
Then I install libsystemd0 (which elogind removed,)
And nothing is broken at all, no apt-get sorry, nothing.
And then if I install a full-fat browser and it pulls all that in again I do the same again.

Offline

#4 2022-11-02 06:40:35

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 3,125  
Website

Re: RotaJakiro backdoor that's been found in some systemd packages

Here's the follow up post about the purpose of RotaJakiro:

https://blog.netlab.360.com/rotajakiro_ … ceanlotus/

tl;dr: Linux copy of Mac's OceanLotus malware, probably funded by the Vietnamese government.

One liner to check infection:

# find / \( -name "gvfsd-helper" -o -name "systemd-daemon" \) -exec md5sum {} \;

The MD5 sums are available in the OP links.

Last edited by Head_on_a_Stick (2022-11-02 06:40:50)


Brianna Ghey — Rest In Power

Offline

#5 2022-11-02 12:58:22

xinomilo
Unknown
Registered: 2017-07-02
Posts: 315  

Re: RotaJakiro backdoor that's been found in some systemd packages

so, the backdoor was not discovered on systemd (source/binary) packages, just uses these names to hide itself : "systemd-daemon" and "gvfsd-helper" .
OP i think you should rephrase the title and description, it's completely wrong. (=clickbait).

Offline

#6 2022-11-02 14:24:50

andyprough
Member
Registered: 2019-10-19
Posts: 327  

Re: RotaJakiro backdoor that's been found in some systemd packages

xinomilo wrote:

so, the backdoor was not discovered on systemd (source/binary) packages, just uses these names to hide itself : "systemd-daemon" and "gvfsd-helper" .
OP i think you should rephrase the title and description, it's completely wrong. (=clickbait).

I have no edit privileges, the post is too old. Also it's not completely wrong, it's still mostly true, and if you had had systemd packages on your system when the post was made, then you, like a lot of other people who did have systemd packages at the time, would have likely checked them with a tool like HOAS's one-liner to make sure they weren't fakes that were carrying the RotaJakiro backdoor. Therefore, the post was both timely and informative. I reject your "clickbait" characterization. And if it is finally judged to be clickbait, then I hope we can all agree that it's pretty much the world's worst clickbait - exactly zero responses from anyone except my one post for more clarification and sources for nearly its first 6 months of existence.

Offline

#7 2022-11-02 14:28:32

xinomilo
Unknown
Registered: 2017-07-02
Posts: 315  

Re: RotaJakiro backdoor that's been found in some systemd packages

andyprough wrote:

I have no edit privileges, the post is too old. Also it's not completely wrong, it's still mostly true, and if you had had systemd packages.

checking is one thing, everyone should do with/without systemd. 
but saying that systemd packages contain backdoors is completely wrong.

these backdoors, have nothing to do with systemd other than using some systemd daemons name to hide from users/admins.

Offline

#8 2022-11-02 14:53:51

andyprough
Member
Registered: 2019-10-19
Posts: 327  

Re: RotaJakiro backdoor that's been found in some systemd packages

xinomilo wrote:

saying that systemd packages contain backdoors is completely wrong.

Ahh - which is why you need special tools to make sure your systemd packages aren't fakes and don't contain the RotaJakiro backdoor. Smart.

Anyway, as I said, I have no edit privileges. Go complain to the "nobody-cares-about-ancient-and-unpopular-off-topic-subforum-posts" department. I'm sure they will do something to satisfy your outrage, such as ban me, or drop a nuke on London to wipe out HOAS and his horrifying awk commands, or something.

Offline

#9 2022-11-02 15:00:22

xinomilo
Unknown
Registered: 2017-07-02
Posts: 315  

Re: RotaJakiro backdoor that's been found in some systemd packages

no outrage here, chill out.

just saying you wrote something wrong... you could have admitted it's true, but still dont.
and this nobody-cares-thread was revived today by others.. that's how i saw it, didn't search 6months back threads.. pff..

btw, you need special tools to check fakes/rootkits/backdoors on any system.

anyway, got better things to do than argue about obvious things, such as misinformation.

Offline

#10 2022-11-03 13:59:45

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 3,125  
Website

Re: RotaJakiro backdoor that's been found in some systemd packages

For clarity: neither gvfsd-helper or systemd-daemon are supplied by any packages so the mere presence of such files are indicators of infection. And it looks like this is targetted at IoT devices rather than laptops & desktops.

EDIT: and I would agree that the title is erroneous and misleading; no systemd packages have been found to have a "RotaJakiro backdoor".

EDIT2: let's just call it FUD and leave it at that, eh? :-)

Last edited by Head_on_a_Stick (2022-11-03 14:04:26)


Brianna Ghey — Rest In Power

Offline

#11 2022-11-03 14:35:09

andyprough
Member
Registered: 2019-10-19
Posts: 327  

Re: RotaJakiro backdoor that's been found in some systemd packages

Head_on_a_Stick wrote:

For clarity ... gvfsd-helper ... systemd-daemon ... the mere presence of such files are indicators of infection

Sounds frightening, even downright spooky - apropos of this time of year. Better not ever use systemd. We'd better send a hazmat squad to do a controlled removal and destruction of HOAS's triple boot Windows 11/Fedora Gnome/Debian Sway machine before this terrible malware spreads further.

Offline

#12 2022-11-09 20:45:16

zapper
Member
Registered: 2017-05-29
Posts: 963  

Re: RotaJakiro backdoor that's been found in some systemd packages

andyprough wrote:

Anyone read the news on this RotaJakiro backdoor that was just discovered? It was found in 3 systemd-daemon packages:
https://blog.netlab.360.com/stealth_rot … ckdoor_en/

Sounds like it was very secretive, using rotating encryption to avoid detection. Might be the product of some state-sponsored hackery.

Here's a news writeup from TheRegister: https://www.theregister.com/2021/04/29/ … e_spotted/

To be fair, just looking at the draco desktop project's use of dbus in it, a while back... I may have mentioned this before, but G4JC, mentioned to me, that dbus actually fingerprints your hardware ID... even if at the time it didn't upload it, its possible they added that, so that it would be easy to make linux more finger-printable...

I would very much like it, if the majority of developers would wake up and realize, that redhat is no friend to the open source community... let alone the free software or as some call it the libre software community.

This might be further proof that my theory of EEE is dead and has been replaced by something much worse...

Embrace
Extend
Gain Complete Control

This is probably why corporations like Microsoft have mostly given up on trying to outright defeating their opponents...

I think now they decided, since we can't beat them, lets take advantage of them, till we can acquire them.

This all being said,  I read below, that you guys seem to think it is not like that because of the systemd developers...

Okay... but honestly,  no function like systemd, dbus, wayland, etc... should ever need to keep adding features like it is a rolling release bleeding edge project, constantly...

I think they do things this way, because it gives them plausible deniability that they are trying to take over the Linux ecosystem.

Considering they develop it, that also means, people have to go to them for support which means they can make a lot of money in addition to the above.

I am glad other alternatives exist to this mainstream corporate broken garbage...

Its good that systemd-free distros exist still, but to be fair,  I begin to wonder if its getting closer to time, to for not just Hyperbola, but other distros to go down a similar path... even if not on a fully libre level...  at some point, I begin to think, that it might be wise for other  non-systemd distros, to start ditching so much bloatware.

At least wayland for example, java would also be wise, given its security issues, etc...

Though I doubt getting rid of dbus will ever be on devuan's radar until someone makes a lightweight replacement that can make the original dbus, not needed.

Aka, like OpenWRT's ubus, only with the same support as dbus for everything.

Anywho, just some of my thoughts...

wink


Freedom is never more than one generation away from extinction. Feelings are not facts
If you wish to be humbled, try to exalt yourself long term  If you wish to be exalted, try to humble yourself long term
Favourite operating systems: Hyperbola Devuan OpenBSD
Peace Be With us All!

Offline

Board footer