• SomeLemmyUser
    2 days ago

    If I’m too noob to understand how to actually

    “employ robust application control to block malicious libraries and payloads used in Dynamic Linker. Implement behavior-based endpoint detection to identify and prevent process injection activities.” And “also implement strict access controls, limiting administrative access,”

    Because I don’t really know what this means, what should I do?

    Is there a step by step guide somewhere?

    • moonpiedumplings@programming.dev
      23 hours ago

      Firstly, this blog is mostly SEO spam and is probably one of the worst-written articles I’ve ever seen. The article itself is more keywords than content. Even the headline is garbage; persisting after reboots is a normal feature of almost all malware types, including rootkits. In fact, I’d say a lot of cybersecurity blogs are like this, hyping up mundane malware that presents no special threat for the clicks.

      But I’ll break this down anyways.

      The first bit, about the dynamic linker, means doing things like restricting the files an app has access to, in order to prevent manipulation of how code libraries and modules are loaded, in order to prevent the injection of a malicious library. This can be done within the system, and often is by default, like how sudo refuses to load libraries it doesn’t like.

      The second bit is literally just recommending you require a password to do admin things. Of course, there’s a lot more nuance to it. Access controls, controlling what user on a system has access to what, can become a lot more fine-grained, but for the kinds of malware that these articles report on, an admin password will stop them.
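
Added example, not part of the thread or written by either poster: a read-only Python audit of the two dynamic-linker preload points the comment above alludes to, the system-wide `/etc/ld.so.preload` file and the `LD_PRELOAD` variable in running processes' environments. The function names are made up for this illustration.

```python
import stat
from pathlib import Path

def preload_entries(preload_file="/etc/ld.so.preload"):
    """Libraries the dynamic linker loads into every process (normally none)."""
    try:
        text = Path(preload_file).read_text()
    except OSError:
        return []  # file absent or unreadable: nothing is preloaded system-wide
    entries = []
    for line in text.splitlines():
        # Drop '#' comments; accept spaces or colons as separators.
        entries += line.split("#", 1)[0].replace(":", " ").split()
    return entries

def env_preload(environ_bytes):
    """LD_PRELOAD value from a NUL-separated /proc/<pid>/environ blob, or None."""
    for item in environ_bytes.split(b"\0"):
        if item.startswith(b"LD_PRELOAD="):
            return item[len(b"LD_PRELOAD="):].decode(errors="replace")
    return None

def scan_processes(proc_root="/proc"):
    """Map pid -> LD_PRELOAD for every process whose environment we may read."""
    found = {}
    for entry in Path(proc_root).iterdir():
        if not entry.name.isdigit():
            continue
        try:
            value = env_preload((entry / "environ").read_bytes())
        except OSError:
            continue  # process exited, or it belongs to another user
        if value:
            found[int(entry.name)] = value
    return found

def loose_permissions(path):
    """True if a library file is writable by group or others (easy to swap out)."""
    try:
        return bool(Path(path).stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH))
    except OSError:
        return False

if __name__ == "__main__":
    for lib in preload_entries():
        print("ld.so.preload:", lib, "(loosely writable)" if loose_permissions(lib) else "")
    for pid, value in sorted(scan_processes().items()):
        print(f"pid {pid}: LD_PRELOAD={value}")
```

A hit is not proof of compromise, since some desktop software sets `LD_PRELOAD` legitimately; what matters is whether you recognise the library. Without root, only your own processes' environments are readable.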

      • SomeLemmyUser
        16 hours ago

        Thanks for the breakdown. I ofc use a root pwd different from my user PW (with sudo privileges) and often use AppImages, as they don’t require privileges at all to my understanding. I do run a few binaries though, as for example for TeamSpeak or corectl they are the only ones that work for me.

        How would I go about restricting the files a program can access? Make a whole new user just for that program, put “run as this user” in the .desktop file and manually set read/write permissions for every single file on the system?

        This seems impractical. Is there a best practice guide? Do I need to get into apparmor and stuff?