Slashdot Mirror


Looking At The New Linux Trojan

Da Schmiz writes: "Security firm Qualys discovered a new Linux trojan on Saturday ... details can be found on their website. Vnunet picked up the story earlier today, and then followed up with more details. They're comparing the potential impact to Code Red or worse, since more servers run Linux / Apache than NT / IIS. I don't think it's that bad, since the infection can be easily detected, but it certainly isn't good." Update: 09/08 11:58 AM GMT by H : Of course, as Kurt Seifried pointed out in e-mail: "The trojan has nothing to do with Apache. The virus attaches itself to an executable, which you must run to infect other binaries (i.e. you must run this as root). This means that infection vectors include, but are not limited to, email attachments, but you must of course save the binary, then set it executable, and then run it, as root, to do any real damage. Alternatively you must download binary software and run it (again as root to do any real damage). In other words someone must run binaries of unknown origin as root, and if this is common practice then you have larger policy and education problems to deal with." So - comparing it to Code Red is a bit dubious.

263 comments

  1. Technical detail: by AMuse · · Score: 4, Informative

    It installs a backdoor which listens for incoming connections on UDP port 5503 or higher, and allows remote attackers to connect to, and take control of, an infected system.

    Unless it also reconfigures my firewall to allow incoming traffic to port 5503 and higher and fiddles with my hosts.allow file, I'm not particularly concerned. Anyone who fails to have more than one layer of precaution on their system has a bit more to worry about.

    1. Re:Technical detail: by Josuah · · Score: 2, Interesting

      A lot of computers are set up with loose UDP. All those computers, which are quite a few, would let incoming traffic go to 5503 if a local program opened the port.

    2. Re:Technical detail: by pjgunst · · Score: 1

      Any properly administered linux box has a decent iptables / ipchains script. If not, it's about time to read the docs.
      From what I've read in the article, tripwire should be able to detect an infection. Not so much to worry about, I guess.
      ... and of course nmap to scan for open 5503 ports (damn, it's now illegal to do so here at our university).

      How hard can it be? Trojan writers will have to come up with something a little more intelligent to bring down the majority of the linux servers out there.

    3. Re:Technical detail: by l0wland · · Score: 1
      It installs a backdoor which listens for incoming connections on UDP port 5503 or higher

      I know that Hotline Servers use ports 5500 - 5504 for their serving activities. As this virus is targeted at Linux-servers mainly, I don't know what this can cause to HXD- or other servers that use the Hotline-protocol.

      AFAIK you can change the range of ports used in the Windows-/ Mac-versions of Hotline. If the possibility is given, I'd suggest to change that in HXD too. But don't forget to inform your registered clients first : )

      --

      "Honey, I feel a certain distance between us..." "Really? A 31ms ping ain't that bad..."
    4. Re:Technical detail: by Some+Dumbass... · · Score: 2, Insightful

      Uh oh. Does anyone know how to play online games like Unreal Tournament and Quake III without opening the appropriate UDP ports to incoming packets (from the game servers, of course)? Since UDP isn't stateful, I can't use connection tracking, can I?

      I bet that if crackers do start scanning Linux boxes for this trojan, ports like 7777-7778 (UT) and 27015-27106 (QIII) will be primary targets.

    5. Re:Technical detail: by SilentChris · · Score: 3, Insightful
      "Anyone who fails to have more than one layer of precaution on their system has a bit more to worry about."

      Except if it's a home machine with no personal/financial information on it, is connected to a cable line that can't do any damage sending data up its 128K upstream, and is running a few rudimentary firewalls, you don't have much to worry about. Some people take their security WAY too seriously.

  2. This will be interesting.. by PopeAlien · · Score: 2, Insightful

    This could be interesting- It'll be interesting to see if just because there are more linux/apache servers out there, that means this thing will spread more and do more damage than Code Red. Or perhaps the linux machines will be better maintained than the NT machines.. We'll see.

    1. Re:This will be interesting.. by wysoft · · Score: 0

      Or perhaps the linux machines will be better maintained than the NT machines..

      I wouldn't bet on it. I think more kids are running stock RedHat boxes at home than NT/IIS.

      --
      -- I'll cut you up so bad, you'll wish I'd never cut you up so bad!
    2. Re:This will be interesting.. by mengmeng · · Score: 1

      No, it won't be very interesting, unless if a whole lot of Linux users decide to run random binary attachments all of a sudden. This trojan is not propagated in the same way as Code Red at _all_. Code Red was a worm, this is a trojan. It doesn't self-propagate at all.

    3. Re:This will be interesting.. by mr_walrus · · Score: 1

      not only do the linux users have to be braindead
      enough to run binary attachments, presumably
      they would have to be reading their mail
      as "root" to infect appropriate files.

      i certainly dont read my email as root.

    4. Re:This will be interesting.. by sfe_software · · Score: 2

      I agree. Even the article tried to hint that this could be as bad as Code Red, but that's simply bogus...

      Code Red required no action on the part of the user/administrator other than having an unpatched system. This requires someone to be careless.

      This is further mitigated by the fact that, likely, the majority of infected machines won't be infected with full root access, rather it would be some random unprivileged user who infected the machine.

      And even further, compare a typical Linux administrator to a typical NT administrator. 'nuff said. We patch our boxes, read security bulletins, run firewalls, and don't run random attachments.

      --
      NGWave - Fast Sound Editor for Windows
    5. Re:This will be interesting.. by tsa · · Score: 1

      Don't be so naive... I know quite a few Linux users who don't care much about security and have their boxes directly connected to the internet. I don't know anyone who reads all his/her e-mail as root, though.

      --

      -- Cheers!

    6. Re:This will be interesting.. by bigbadwlf · · Score: 2, Interesting

      No kidding!
      The article even mentioned (more than once) Apache and how many servers on the net run it.
      So what? Unless I missed a paragraph, Apache has nothing to do with it!

    7. Re:This will be interesting.. by kiwipeso · · Score: 0

      I'm the only user of my Mac OS X box, I read my mail as root. However, seeing as I can't get my cable modem to talk to OS X, I'm only running OS 9.

      --
      - Kaos games and encryption systems developer
    8. Re:This will be interesting.. by seann · · Score: 0

      how do they read root@localhost ?

      --
      I'm a big retard who forgot to log out of Slashdot on Mike's computer! LOOK AT ME.
    9. Re:This will be interesting.. by Anonymous Coward · · Score: 0

      Forward it to the sysadmin(s), who may or may not even log in on that particular box regularly. Reconfiguring a box is the only reason to log into it as root.

    10. Re:This will be interesting.. by Yorrike · · Score: 1
      Honestly....

      Not only would you have to be reading your e-mail as root in order to get an infection that did anything MAJOR, you'd also have to be nigh on brain dead to run e-mail attachments.

      Furthermore, how many professional Apache boxes are in a situation where anyone can run e-mailed attachments, anyway?

      This will not cause any major damage. The circumstances for infection are just too rare and require carelessness not associated with regular Linux users.

      --

      Looks can be deceiving. Or CAN they?

    11. Re:This will be interesting.. by firewort · · Score: 2

      Waitaminute-

      1) Why use Mac OS X as root? It sets you up as Administrator (less than root) and allows you to create lesser user accounts.

      2) My Mac OS X box talks to my cable modem just fine, and did so at installation time when I told it I would like to connect to the internet.

      So either you're a super-troll and I've just fed you, or you're smart enough to get root on OS X (no easy task) but dumb enough to not get the cable modem up and running with one click.

      --

    12. Re:This will be interesting.. by ichimunki · · Score: 2

      Security is hard stuff to get right no matter how diligent you are. Let's not overestimate the average Linux admin. I've got examples (myself included) of people who hadn't learned everything they needed to know before putting a Linux box into a dangerous position. However, I will grant you that Linux is just by nature harder to exploit with this sort of thing. I almost have to think this is a proof of concept to demonstrate to the world how ineffective an email-based virus is on a Linux platform.

      --
      I do not have a signature
    13. Re:This will be interesting.. by Anonymous Coward · · Score: 0

      It has nothing to do with Apache or Linux. If I wanted to give root access to an openBSD machine to the public I could. If you configure it that way yourself or execute a program that does it for you it matters not a bit. Code Red and for that matter lion was built into the system. I do not find it interesting and there is nothing to maintain. Don't execute code that comes in the mail anymore than you would provide setuid root shells to the public.

      In other words it does not attack a system it attacks idiots.

    14. Re:This will be interesting.. by uchian · · Score: 1

      Here's one point though...

      Quite a few people might download a binary from the internet, switch to root and install it. It would only require the trojan to be included in the make script somewhere for it to have been run as root.

      In other words, the threat is not from email, it's more from people being careless about what they download from the internet, and where from.

    15. Re:This will be interesting.. by Herstel · · Score: 1

      Don't be so naive... I know quite a few Linux users who don't care much about security and have their boxes directly connected to the internet. I don't know anyone who reads all his/her e-mail as root, though.

      Frankly I don't believe it, you, or they are not telling the truth, modern window managers and many X apps are impossible to run as root out of the box. For instance, just to start kde2 as root more tweaking is necessary than just creating user account.

    16. Re:This will be interesting.. by Stephen+Samuel · · Score: 1
      Urg:
      The guy said that he did not know of anybody who read email as root. Another way of putting it is: anybody who knows enough to get rid of the warnings about running KDE/GDM as root probably knows not to do random stuff as root.

      That having been said, I do, sometimes read email as root-- but using Mail. Reading emails with attachments is always done as a lesser user. If it's not a plain-text email it shouldn't be going to root. If it's going to root, it should be readable on a dumb tty, serial console, or my palm pilot connecting through a satellite phone from Botswana.

      If I'm going to be brave/curious/stupid enough to run a random executable that arrived in the mail, I think that I'd set up some sort of sandbox user to do it with. (You don't expect me to risk my regular user account on a random executable, do you?)

      One nice thing about UNIX is that Single User usage is the degenerate case of Multi-User mode, where N==1.

      --
      Free Software: Like love, it grows best when given away.
    17. Re:This will be interesting.. by fors · · Score: 1

      Anybody who uses root as their primary account in any Unix type system needs a serious lesson in security and safety. Of course given any reasonable time frame they will get one. Either they will get owned or they will screw up their system so bad they can't recover it.

      --
      "If there is nothing you are willing to die for, then you are not really alive." Myself
    18. Re:This will be interesting.. by Herstel · · Score: 1

      Ok, sorry for misunderstanding.

    19. Re:This will be interesting.. by tsa · · Score: 1

      I always forward mail for root to my 'normal' account. That way you never have to read mail as root.

      --

      -- Cheers!

    20. Re:This will be interesting.. by kiwipeso · · Score: 0

      I need to be root for some of the apps I'm running.

      I only got my cable modem last week.
      I've yet to get the installation assistant running after already setting up my system.

      However, I could borrow my dad's 75 gig drive, backup my main 30 gig drive and remove the UFS partition which is mostly empty space.
      Then I could setup OS X for my cable modem.

      --
      - Kaos games and encryption systems developer
    21. Re:This will be interesting.. by Herstel · · Score: 1

      I always forward mail for root to my 'normal' account. That way you never have to read mail as root.

      I know, that's what I am doing too. I am pro-user and anti-root as much as possible. Probably you wanted to reply to someone else.

    22. Re:This will be interesting.. by firewort · · Score: 2

      Let me backpedal a bit.

      Sorry I insulted you. Can't you set those apps to be run by a lesser user?

      Or, can't you set them to start as root? What are these apps that you have to be root for?

      What machine are you running on that doesn't like the installation assistant?

      I tell it I have DHCP for my IP address, and I don't give it any more information than that. I unplug my cable modem (moto surfboard, if it matters) and let it sit for a minute to clear any IP leases it has from Roadrunner. (unplug-replug won't do it, it grabs the same IP and doesn't reassign to the computer.)

      I plug in the cable modem, let it do its flashing light dance, reboot Mac OS X to rehup networking (not an niutil guru yet.)
      And it all works.

      lvmarks@mac.com

      --

    23. Re:This will be interesting.. by tsa · · Score: 1

      That could very well be, I never understood this Reply thingy in /.. Maybe it's because I always read /. using lynx.

      --

      -- Cheers!

    24. Re:This will be interesting.. by kiwipeso · · Score: 0

      Root is usually needed for installation.

      The install agent won't run after it's already been setup, it has nothing to do with the machine?

      I don't trust DHCP for IP.

      I'm just going to backup what I need to and restart.

      --
      - Kaos games and encryption systems developer
    25. Re:This will be interesting.. by kiwipeso · · Score: 0

      Install assistant only runs at first startup.
      Have since formatted and installed systems 9.21 & 10.4

      I use manual config for IP address.
      You must have dynamic IP for your cable/DSL modem.

      It works, but netscape 6.1 x is slightly slower.
      At least I got Apache going well.
      It even supports french and german browsers, so I'm going to do some translating.

      --
      - Kaos games and encryption systems developer
  3. I'm just waiting... by cperciva · · Score: 2

    I'm just waiting for the first linux worms which install a trojaned copy of gcc (see "trusting trust").

    1. Re:I'm just waiting... by Anonymous Coward · · Score: 0

      Then its author should be awarded as the writer of the
      most powerful install tool out there!
      Wow! Automatic and unattended remote installation
      of GCC... I want this!:)

  4. Is it really that bad? by dytin · · Score: 1

    The Trojan contains self-replicating virus-like capabilities and has similarities to the Windows-based Back Orifice tool, putting Linux boxes at risk of remote control.

    Ok, does anyone remember Back Orifice as being a major threat to the Windows operating system world? The only people that have the potential to be infected by this new virus are those that are dumb enough to run the program. If you get an email from someone, and there is an attached program to it, most people wouldn't run it. I don't think that this virus has any potential to be a threat because Linux users are generally smart enough to not run every program that they get sent to them.

    1. Re:Is it really that bad? by matrix0040 · · Score: 1
      I don't think that this virus has any potential to be a threat because Linux users are generally smart enough to not run every program that they get sent to them.

      Well if you're aiming at getting linux to the desktops then you're clearly aiming to get a good userbase of such "dumb" people. Those who come from a M$ background might be used to running email attachments (probably even cribbing on why can't it run automatically). So such trojans can cause havoc and scare away such users.

    2. Re:Is it really that bad? by dytin · · Score: 1

      Windows has hundreds, if not thousands of different trojans and email viruses that have been written for it. Not every one of them gets to be as widespread as the 'I Love You' virus or Code Red, but nonetheless they exist. The fact that there exists a poorly written email virus/trojan for the Linux operating system is not a true threat and really shouldn't deter anyone from using Linux. No matter what operating system you use, the threat of malicious code will exist.

    3. Re:Is it really that bad? by Anonymous Coward · · Score: 0
      It's even easier than that. Most Windows users, including administrators, run programs by clicking on shortcuts. You can replace a convenient shortcut (like, say, the IIS Admin tool or the backup software) with one that runs BO2K, replaces itself with the original shortcut, and then runs the correct program. You still have to place BO2K and the modified shortcut files on the system, but there are many holes in Windows web server software that will give you this level of access.

      Unix/Linux users generally run programs directly, which makes this sort of hanky panky much more difficult. In addition a well-configured web server won't run under an account that has permission to write to /bin, /sbin, etc., so even if there is a hole in the software it can't be used to replace common and important utilities. When you're root it's also a good practice to run programs with their full paths (i.e. run /bin/ls instead of just ls), or at least always put the standard locations (/bin, /sbin, etc.) before the local ones (/usr/local/bin, ~/bin, etc.) in $PATH.
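      The PATH advice in the post above, turned into a check. This is an added example, not code from the thread or from any project it mentions: a POSIX sh function that flags the pitfalls the poster names (relative or empty entries, standard directories searched after local ones, and, a related case the post does not spell out, world-writable directories in PATH). Which directories count as "standard" versus "local" beyond /bin, /sbin, /usr/local/bin and ~/bin is my assumption.

```shell
#!/bin/sh
# Added example (not from the thread): audit a PATH string for the pitfalls
# described above. POSIX sh only; relies on find(1) with -maxdepth and -perm.

# audit_path PATHSTRING
#   Prints one finding per line. Returns 0 if nothing was found, 1 otherwise.
audit_path() {
    _path=$1
    _rc=0
    _local_seen=0   # becomes 1 once a local/user directory has been passed

    # An empty entry ("::", or a leading/trailing ":") is searched as "." too.
    case ":$_path:" in
        *::*) echo "empty entry: the current directory is searched for commands"
              _rc=1 ;;
    esac

    set -f                          # no globbing while we split on ':'
    _old_ifs=$IFS; IFS=:
    set -- $_path
    IFS=$_old_ifs; set +f

    for _dir in "$@"; do
        [ -z "$_dir" ] && continue
        case $_dir in
            /*) ;;
            *)  echo "relative entry '$_dir': resolved against the current directory"
                _rc=1; continue ;;
        esac
        case $_dir in
            /bin|/sbin|/usr/bin|/usr/sbin)
                # Standard locations must come before local ones, or a trojaned
                # copy of a common tool in a local dir shadows the real one.
                if [ "$_local_seen" -eq 1 ]; then
                    echo "order: system directory '$_dir' is searched after a local one"
                    _rc=1
                fi ;;
            /usr/local/*|/home/*|"${HOME:-/nonexistent}"/*)
                # Assumed set of "local" locations: /usr/local, home directories.
                _local_seen=1 ;;
        esac
        # A world-writable directory lets any local user plant a binary there.
        # "$_dir/." follows a symlinked /bin to the real directory's mode bits.
        if [ -d "$_dir" ] && [ -n "$(find "$_dir/." -maxdepth 0 -perm -002 2>/dev/null)" ]; then
            echo "writable: '$_dir' is world-writable"
            _rc=1
        fi
    done
    return "$_rc"
}

# Audit the caller's own PATH when the script is run directly.
audit_path "$PATH" || echo "PATH needs attention (see findings above)"
```

Many distributions ship PATH with /usr/local/bin ahead of /bin, so the "order" finding will fire on a stock system; it reports the ordering the post recommends, not a compromise.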

    4. Re:Is it really that bad? by Anonymous Coward · · Score: 0

      Man , who are you fooling.
      I have buddies who went to win2k after KDE
      crashed on them for the inth time. Linux is still
      ubergeek stuff for most folks, let's see if this thing spreads with the newbies and pennypinching
      sysadmins who run a single nix MTA to save a
      buck and then forget about it(cuz you can).

  5. It's an email virus! by Proud+Geek · · Score: 2, Redundant

    Come on, the impact will be minimal or not at all. Although theoretically you COULD run this email attachment if you receive it, how many Linux users are stupid enough to do that? Technically Linux is just as susceptible to these things as M$ Windows, but we have one big advantage: the majority of Linux users are not morons around computers.

    --

    Even Slashdot wants to hide some things

    1. Re:It's an email virus! by Anonymous Coward · · Score: 0

      but we have one big advantage: the majority of Linux users are not morons around computers.


      Yeah, cause it's too complicated for morons to use. There's something to be proud of.

    2. Re:It's an email virus! by emc · · Score: 0, Flamebait

      I find your argument rather enlightening.

      You are claiming that just because someone runs a particular OS, they are either of higher or lower intellectual potential.

      Have you not ever heard of "Best tool for the job"?

      Granted, I think we can all admit that a Viper GTS-R is an incredible car, but using it to pick up groceries is rather... dumb.

      ...the funny thing is that I know many people who admin NT and/or Linux... the funny part is that the NT people know EXACTLY why they run NT. The majority of the Linux admins do it either because Linux == Free Beer or because "they think it's cool to run a server".

      I think if you take a realistic look around, you will actually be surprised...

      ...and OpenBSD is my tool of choice.

    3. Re:It's an email virus! by dytin · · Score: 1

      I think what he is saying is that while there may be many Windows users that are smart enough to know what they are doing, there are many dumb windows users as well. This large population of dumb users allows for the virus to propagate very quickly. Whereas, although there may be some dumb Linux users, most are rather smart. Thus in the Linux world, there is not an adequate environment for viruses such as this one to spread.

    4. Re:It's an email virus! by Anonymous Coward · · Score: 0

      LOL. From what I see, you're actually praising Windows. If dumb people can use it, it must be easy to use. Conversely, dumb people can't typically use Linux.

      Gotta love it. Even when you try and bash MS, you praise them. Who is dumb again?

    5. Re:It's an email virus! by GreyPoopon · · Score: 1
      You are claiming that just because someone runs a particular OS, they are either of higher or lower intellectual potential.

      The parent article was probably poorly worded, but I don't think that was what the author meant. I think the message to be conveyed was that the vast majority of less capable computer users have chosen to use the Windows platform, at least partly because they don't know any other choices exist.

      The majority of the Linux admins do it either because Linux == Free Beer or because "they think it's cool to run a server"

      Actually, I don't consider those who run a Linux server just because they think it's cool to be an admin. I used to run a Linux server just for tinkering and I surely didn't consider myself an admin.

      So, if you lay aside that group, you'll probably be surprised to see that a large portion of the real Linux admins out there run that OS for three reasons: 1. They don't want to have to frequently reboot an NT server, 2. They can run a whole bunch of Linux servers from a single distribution copy, and 3. They can get more reasonable performance using Linux on older or cheaper hardware.

      --

      GreyPoopon
      --
      Why is it I can write insightful comments but can't come up with a clever signature?

    6. Re:It's an email virus! by dytin · · Score: 2, Insightful

      A dumb person may play chutes and ladders for fun, while a smarter person might play chess. Just because you have to be smart in order to play chess does not make chess bad.

      The same is true in operating systems. Just because it is easy doesn't make it good.

    7. Re:It's an email virus! by emc · · Score: 0, Flamebait

      Well, I was thinking particularly of several people I know of, who work for still-in-business "dot com" types of businesses.

      #define HUMOR
      In my years of experience in Sili Valley, you get to know the stereotypes of who runs what. Linux zealots are typically younger, with less experience; Solaris fans are older; AIX freaks are semi-fascist; and HPUX admins are just lazy. BSD folks are my favorites... BSD sysadmins have girlfriends, linux admins have spare parts & "geek code". BSD folks hang out, drink beer, and have a good time. Linux geeks have "install parties"
      #undefine HUMOR

      Face it, Exchange is a very well designed and packaged tool. Linux has NOTHING that can compare. On the other hand, Apache on NT sucks... but in reality, that's Apache's fault, for not being multithreaded. It's all about the benj^H^H^Hest tool for the job...

      I think that you're probably pretty close with #2 and #3... Cheap beer, if not Free beer.

    8. Re:It's an email virus! by seann · · Score: 0

      I think you have just done about the worst generalization I have ever heard, and I now believe that the IQ of anyone who reads will be lowered by 2%.

      --
      I'm a big retard who forgot to log out of Slashdot on Mike's computer! LOOK AT ME.
    9. Re:It's an email virus! by Anonymous Coward · · Score: 0

      You are claiming that just because someone runs a particular OS, they are either of higher or lower intellectual potential.

      But... I think Code Red proved his point pretty damn well.

    10. Re:It's an email virus! by Lars+T. · · Score: 1

      Yeah, sure, so what do you call those people who say that there can't be any Viruses for Linux? Target group.

      --

      Lars T.

      To the guy who modded me down from perfect to terrible Karma - Apple haters still suck

    11. Re:It's an email virus! by Anonymous Coward · · Score: 0

      Har - tell Apple that - their entire marketing strategy is based on that fact!

    12. Re:It's an email virus! by Anonymous Coward · · Score: 0

      How about ONLY tool for the job? The reason most people are running NT server is because they HAVE to, because some particular killer app is only compiled to run under NT. Either that or they are M$ line-toeing toadies and can't see there's a better way.

      Furthermore, while in soapbox mode, your car analogy is defective - administering a server is a bit different than driving a car - If you can drive a Yugo, you can drive a Porsche. However, if you know NT you're not even qualified to log in under Linux and vice-versa, due to the major differences in these O/S'es.

      I'm posting this anonymously, because any anti-anything comments these days are getting automatically modded down as trolls. Haven't the lamers doing moderation lately ever heard of SARCASM?? They must have been born without senses of humor. Must all of my posts be gushing streams of *pure bullshit* (but POSITIVE bullshit!) to get any kind of respectable modding? WTF???

    13. Re:It's an email virus! by Anonymous Coward · · Score: 0

      the majority of Linux users are not morons around computers.

      ...yeah, you're just morons around most other things.

  6. Doesn't seem like a big deal by dephiance · · Score: 1

    This really doesn't seem like a big deal. The virus does not hide very well; it modifies executable files, creates a file in /tmp, and only runs as the user that executed the virus. Although it has potential to spread easily, how many *nix users run arbitrary code (attached executables in e-mail)?
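    The detection the post relies on (and the earlier suggestion that tripwire would catch this), reduced to its core. This is an added example, not code from the thread or from tripwire: a baseline-and-verify pair in POSIX sh that records a SHA-256 per executable under one directory and later reports executables that were modified, removed or newly added, which covers both the "modifies executable files" and the dropped-file behaviour described above. It assumes GNU or busybox coreutils (sha256sum, find, sort, comm) and that DIR is given the same way for both calls.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal "poor man's tripwire" for one
# directory. Records a SHA-256 per executable, then reports executables that were
# modified, removed, or added since the baseline. Needs sha256sum, find, sort, comm.

# make_baseline DIR BASEFILE
#   Write one "hash  path" line per executable regular file under DIR.
make_baseline() {
    find "$1" -type f -perm -100 -exec sha256sum {} + | sort -k 2 > "$2"
}

# check_baseline DIR BASEFILE
#   DIR must be spelled exactly as when the baseline was made (paths are compared
#   as strings). Prints "modified: ", "missing: " or "new executable: " findings,
#   one per line. Returns 0 when everything matches the baseline, 1 otherwise.
check_baseline() {
    _dir=$1; _base=$2; _rc=0

    # Every recorded file: is it still there, and still the same bytes?
    while read -r _sum _file; do
        if [ ! -f "$_file" ]; then
            echo "missing: $_file"; _rc=1; continue
        fi
        _now=$(sha256sum "$_file" | cut -d ' ' -f 1)
        if [ "$_now" != "$_sum" ]; then
            echo "modified: $_file"; _rc=1
        fi
    done < "$_base"

    # Executables present now that the baseline never saw (a dropped binary).
    _known=$(mktemp)
    while read -r _sum _file; do echo "$_file"; done < "$_base" | sort > "$_known"
    _new=$(find "$_dir" -type f -perm -100 | sort | comm -13 "$_known" -)
    rm -f "$_known"
    if [ -n "$_new" ]; then
        printf '%s\n' "$_new" | sed 's/^/new executable: /'
        _rc=1
    fi
    return "$_rc"
}
```

Keep the baseline file off the monitored host (or at least outside the monitored tree), since anything that can rewrite /bin can rewrite a baseline stored next to it.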

  7. Ulterior Motives at vnunet? by Anonymous Coward · · Score: 1, Interesting

    Hmmm...I went to read the story there, and when the page loads *bammo*; there's a pop-up ad for M$ server obscuring the page ... and since I'm not running gator (or equivalent), I'm pretty sure that's from the site itself....
    Needless to say; not trusting the source, I skipped that particular article.
    Has anyone else had that happen with that site and that story?

    1. Re:Ulterior Motives at vnunet? by Anonymous Coward · · Score: 0

      Net2Phone (installed by default with Netscape 6.1) will do exactly what you're talking about (popup ads).

      Might grab Ad-Aware and check your machine for problem software, if you're running Windows. Otherwise, I have no idea what you did. I get no popup windows on /., ever.

    2. Re:Ulterior Motives at vnunet? by Anonymous Coward · · Score: 0

      Here's another link from the site:
      http://www.vnunet.com/News/1124075

      I don't think they really know what they're talking about. Just because an e-mail message contains code that can run on both Windows and Linux doesn't mean it'll be able to *infect* windows and linux machines.

  8. What file did they find did this trojan infect? by BrookHarty · · Score: 5, Interesting

    It says initially surfacing in the /bin directory, ok what file? What distro? What rpm? What .tgz do I have to watch out for? Little more info please. I don't know of any unix admin who would run /bin utilities that they get off the Internet, maybe source, but not binaries.

    This is in no way as bad as Code Red. Code Red self-replicated on unpatched servers. This trojan will not replicate without a user doing it. Sheesh, bad journalism.

    1. Re:What file did they find did this trojan infect? by Anonymous Coward · · Score: 0

      offtopic my ass.

    2. Re:What file did they find did this trojan infect? by Yakman · · Score: 1
      I don't know of any unix admin who would run /bin utilities that they get off the Internet, maybe source, but not binaries.

      Oh yeah? What about a (for example) debian admin who does "apt-get update" or whatever and theoretically has a trojan "ls" installed as an update.

    3. Re:What file did they find did this trojan infect? by Anonymous Coward · · Score: 0

      Code red self replicated on unpatched servers. This trojan will not replicate without a user doing it.

      I guess that's why they call it a trojan, and not a worm.

      Sheesh, bad journalism.

      Sheesh.

    4. Re:What file did they find did this trojan infect? by Anonymous Coward · · Score: 0

      how is this offtopic?

    5. Re:What file did they find did this trojan infect? by gimpboy · · Score: 2, Informative

      that would imply that the debian servers were some how compromised. this is not impossible, but fairly unlikely.

      that would be like installing a patch from microsoft that was infected with a virus.

      most people have to trust someone and for those who dont there is always the sourcecode.

      --
      -- john
    6. Re:What file did they find did this trojan infect? by mrseth · · Score: 1

      I heard this actually happened. Supposedly one of MS's Windows Update servers was infected w/ Code Red.

      http://www.theregister.co.uk/content/56/20545.html

    7. Re:What file did they find did this trojan infect? by Master+Bait · · Score: 1
      What file did they find did this trojan infect? It says initially surfacing in the /bin directory, ok what file? What distro? What rpm? What .tgz do I have to watch out for?

      Exactly. I think this 'trojan' is strictly FUD. Whoever heard of a Linux executable being emailed without being a tar.gz? This whole thing is suspicious and lightweight.

      --
      "Only in their dreams can men truly be free 'twas always thus, and always thus will be."
      --Tom Schulman
    8. Re:What file did they find did this trojan infect? by Anonymous Coward · · Score: 0

      Yes, sure as compiling the sourcecode cannot mean compiling the viruscode itself. This source argument is just dumb and until someone finds out about a problem thousands of Linux users can be affected. You use tcpd? Fine - its home server got compromised once, too. Go figure and make backups on a regular basis. Linux is not secure and nothing else is 100 per cent. One admin working in security for a huge company said once, "The ones who state their machines were never broken into just were not able to find out about it."

    9. Re:What file did they find did this trojan infect? by LilGuy · · Score: 1
      Sheesh, bad journalism.


      You expected something else from the internet? Fact is the only reason I use /. for my news is because of the comments users post.. not necessarily the stories or great journalism. I think all news sites should be like /. because that's the only way you get most of the story correct.

      Anyway, enough ranting; back to /.ing.

      --

      You're nothing; like me.
  9. a similar story in history by Tregod · · Score: 5, Funny

    "...a guard at the top of the castle gates spots something in the distance, just beyond the walls. What could it be? It's...a giant wooden penguin! Immediately, guards from different corridors of the castle rush to perceive what appeared to be a gift from the gods. All at once, they hoisted the behemoth bird onto a makeshift wagon and hauled it within the castle. After much celebration and talk of good tidings, the kingdom lay its head to rest. Later on that night, the wooden bird's bottom opened, releasing thousands upon thousands of Bill Gates' shock troops, sent to terrorize the castle and townspeople."

    1. Re:a similar story in history by sinster · · Score: 3, Funny

      Of course. Being paranoid bastards, the open source inspired defenders of the castle take one look at the wooden penguin and burn it to the ground, crying, "I'm not taking that until I read the EULA!", "Where're the blueprints?", and "Bah! I hate precompiled statues."

      --
      -- Nolite audere delere orbiculum rigidum meum.
    2. Re:a similar story in history by seann · · Score: 0

      precompiled statues?

      has anyone done a survey on lego kids, opposed to action figure kids?

      maybe the kids who played with lego believe firmly in open source and the kids who like GI JOE prefer windows :>

      --
      I'm a big retard who forgot to log out of Slashdot on Mike's computer! LOOK AT ME.
    3. Re:a similar story in history by Anonymous Coward · · Score: 0

      GI Joe is Ultra-Gay. Think about it: You're a boy, and you're PLAYING WITH DOLLS.

      When I was little, I played with GI Joe, and Barbie, too, kindof. They melt really pretty. :-).

    4. Re:a similar story in history by Anonymous Coward · · Score: 0

      Nope, I played with LEGO tons and I'm into Windows..

    5. Re:a similar story in history by seann · · Score: 0

      I swear boards are not meant to have people like me on them.

      Or all moderators are gay and out to get myself.
      (Highly agree on the latter)

      --
      I'm a big retard who forgot to log out of Slashdot on Mike's computer! LOOK AT ME.
    6. Re:a similar story in history by Anonymous Coward · · Score: 0

      They're not dolls, they're action figures! Besides, Legos provide good fortification to the GI-Joe base.

    7. Re:a similar story in history by Anonymous Coward · · Score: 0

      "Bah! I hate precompiled statues."

      Of course, it was labelled as a petrified penguin...

  10. Re:Not that bad? by Anonymous Coward · · Score: 0

    As opposed to reading /. with head firmly placed in colon, as the parent poster obviously does.

  11. Re:Not that bad? by newt · · Score: 1
    It isn't a worm, it's a trojan. It can't spread without the active participation of the, uh, victim.

    Personally I don't quite understand what the big deal is.

    --

    -----
    I tried an internal modem, but it hurt when I walked.

  12. I just wanted to point out by loraksus · · Score: 1, Redundant

    That Code red "easily detected and patched"?
    The real problem is stupid sysadmins: how many servers (or computers in general) out there are susceptible to exploits that are years old?

    Damn, some skript kiddie tried to hack my box but had the netbus server running on his box. It was kinda amusing for a while there..

    --
    1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcfv gbhnjmk,l.;/
  13. Not a big deal.. but then... by matrix0040 · · Score: 1
    Since the virus runs as the user who executed it, the chances of it causing havoc on a web server (like Code Red did) are minimal. Even on a normal Linux box, the admin will be smart enough not to run an email attachment (it's not as simple as double clicking to run it) and if some "dumb" user runs it then it's no big deal. The system isn't compromised.

    But this could be a big issue when Linux is used in offices (where the "dumb" people work); not everyone is a *nix guru.

    1. Re:Not a big deal.. but then... by GreyPoopon · · Score: 2
      Since the virus runs as the user who executed it, the chances of it causing havoc on a web server (like code red did) are minimal. Even on a normal linux box, the admin will be smart enough not to run an email attachment (it's not as simple as double clicking to run it) and if some "dumb" user runs it then it's no big deal.


      I was going to post something to the same effect. Thanks for beating me to it. :) Anyway, certainly having a multiuser environment and reading your mail from a most unprivileged account would provide *some* protection, but what about those executables that have the "sticky" bit set and run with higher authority? Could the trojan use those to compromise the system?

      --

      GreyPoopon
      --
      Why is it I can write insightful comments but can't come up with a clever signature?

    2. Re:Not a big deal.. but then... by ninjaz · · Score: 2
      Anyway, certainly having a multiuser environment and reading your mail from a most unprivileged account would provide *some* protection, but what about those executables that have the "sticky" bit set and run with higher authority? Could the trojan use those to compromise the system?
      It's the setuid bit, not the sticky bit you need to worry about. Sticky bit on a regular file was a way of old to keep such executables in VM instead of having them flushed. (On directories, it means only the owner of a file in the directory or root can rename and delete the file, even if other users have write permission on the directory.)

      Quoth chmod(1):

      STICKY FILES
      On older Unix systems, the sticky bit caused executable files to be hoarded in swap space. This feature is not useful on modern VM systems, and the Linux kernel ignores the sticky bit on files.

      And, yes, vulnerable setuid executables can be run by local users to compromise the system such that unauthorized remote administration is possible. This can happen either through the user's evil intentions or by a trojan.

      That's why it's necessary to patch locally exploitable programs, and good security practice to unsetuid things that don't need to be setuid (e.g., the 'mount' executable on a system such as you described has no business being setuid).

      Also, firewalls that only allow connections to be initiated to needed services can be of assistance. Apparently such a firewall would help in this case, but an attacker can set up a remotely initiated proxy or kill off the real daemon that's supposed to be running and replace it with a 'custom' version.

    3. Re:Not a big deal.. but then... by sydb · · Score: 2
      And, yes, vulnerable setuid executables can be run by local users to compromise the system in such that unauthorized remote administration is possible. This can happen either through the user's evil intentions or by a trojan.


      However, last time I looked, the user requires root privileges to make the file setuid root. And you can't copy setuid root files from one place to another as a non-privileged user whilst retaining the setuid bit.


      So no, this bit is not a concern when combined with trojans, given reasonably normal security practices.

      --
      Yours Sincerely, Michael.
    4. Re:Not a big deal.. but then... by scorppete · · Score: 1

      You've stated, .... " That's why it's necessary to patch locally exploitable programs, and good security practice to unsetuid things that don't need to be setuid (eg., the 'mount' executable on a system such as you described has no business being setuid)."

      On checking the permissions on 'mount', I noticed on my machine that it was set up as setuid and changed it. What other executables can I check for?

      Sorry about the newbie question, I recently switched to Linux and I'm trying to learn something. :)

    5. Re:Not a big deal.. but then... by jmkf · · Score: 1

      You can find all setuid files by reading the fine man page of find as your favorite user != root. In case of a simple system w/o cyclic directories do:
      cd /
      find . -perm +6000
      and you will find all files that are suid or sgid,
      and find all files that do this in directories that can be read by you as being your user.

    6. Re:Not a big deal.. but then... by ninjaz · · Score: 2

      Using the find command mentioned in another comment, have a look at all the setuid/setgid executables. If you see something you know that machine isn't going to use, you can either remove its package, or unsetuid/setgid it.

      E.g., if the machine is a webserver which will never be connected to a printer, you can get rid of lp, lpr and friends.

      If you don't know what a program does, check the manpage. If it doesn't have one, try a websearch or unsetuiding it to see what breaks. (In my experience BSD has the best manpage availability and quality - e.g., even each kernel driver has its own manpage.)

  14. Cute kittens by Graymalkin · · Score: 3, Insightful

    The problem with saying "oh yeah this is easy to detect/fix" is that you're not looking from the standpoint of non-linux geeks. I've never really had a problem with trojans or virii on any of my Windows machines because I know how not to pick them up. They're headaches because most people don't know how to avoid them. The same goes with all the people who picked up a copy of RedHat and run around as root because they don't know any better. Linux is only as secure and efficient as the people using it. Weenie.

    --
    I'm a loner Dottie, a Rebel.
    1. Re:Cute kittens by Anonymous Coward · · Score: 0

      The problem is moderators who give points away for someone comparing apples to oranges.

      The update by H makes it very clear just how difficult it would be to propagate the virus. Unlike certain Washington-state-based products whose scripting language is as much a liability as it is an asset.

      No, we're not jumping on you because you're some slobbering MS freak, but because it's clear you don't understand some of the strengths of *NIX based operating systems.

      Which is yet another oranges to eggplant comparison you imply. That is, that someone who has root access who is entirely blind to security, accounts and paths as are most MS and MAC users. Yes, installs such as Mandrake and RedHat have made it easy to install, but it still requires enough know-how not to know about not working and playing in root.

      That said, your post also conveniently ignores several tools available in any *NIX platform to identify and crush rogue processes. So even if the virus isn't detected during the download, a virus scan of the file, and a launch of the application from root, there's still process sniffers and logs that with a little help from cron can put the smack-down on the runaway stowaway.

      Yes, granted, this is all based on the fact that those who _INSTALL_ the *NIX os have to understand a bit more about the operating system. Yet how different is that than asking our office clerks to understand some of the hazards of VB macros?

      Enjoy your points.

    2. Re:Cute kittens by garcia · · Score: 2

      I have seen less and less people trying to IRC as root, trying to use root all the time, etc... The distribs I have used in recent years RH and Debian (don't remember what Slack did) ask you to create a user and that you use that...

      People running around as root are probably not going to get an email attachment, change it to a binary and run it... I would wonder if they would even know how to do that.

      The other point is that most of the Linux community is well informed. It would be a lot less of a problem b/c we know what the hell is going on. If you see something odd happening you would immediately fix it.

      Knowing what port is runs on, etc is all helpful information that will stop most of the attacks from happening.

    3. Re:Cute kittens by Anonymous Coward · · Score: 0

      Pro or Con Linux, or M$, it would help if moderators understood the subject matter before marking a remark interesting.

      This particular post SHOULD have been marked down as a troll. It's clear the pompous-ass author is taunting Linux authors.

    4. Re:Cute kittens by Graymalkin · · Score: 3

      You make good points but none of them are worth a shit. You do not take into account all of the people who watch TechTv and were told by Leo Laporte that running Linux was a cool and smart thing to do. These people know shit about computers but found themselves a Linux for Dummies book and actually got RedHat or Mandrake installed on their system. I don't give a fuck about this particular trojan but I was making a point about all of the linux users that DON'T know something odd is happening. Do you really know what every single line in /var/log/messages actually means? And saying the linux community is well informed is the most bullshit thing I have ever heard of. The people that run around in root will find a way to run some foreign program that they got in their mail. The next trojan will be sent as an RPM or be in a tar.gz that gets included by a rogue header. You wouldn't recognize a trojan out of thousands of lines of code, don't give yourself that much credit. The Linux community is the most pompous overzealous group of computer users I have seen in a long time. They are NOT well informed they are well hyped.

      --
      I'm a loner Dottie, a Rebel.
    5. Re:Cute kittens by beanerspace · · Score: 1

      You make good points but none of them are worth a shit.
      Interesting example of an oxymoron. Even more interesting your prediction as to the nature of the next trojan, as one could easily replace .rpm with .exe and .tar.gz with .zip. Only in the amended case, one doesn't even have the advantage of looking at the code.

      The point being, trojans and viruses are designed to catch us asleep at the switch. With some switches and situations being easier to catch than others. Which is why no system is entirely foolproof as long as we mere mortals sit behind the keyboard.

      The Linux community is the most pompous overzealous group of computer users I have seen in a long time.
      Well, I must disagree. Though there has been a 10 year remission, the screes of the Atari ST users still ring sourly in my ears.

  15. Hah by James+Foster · · Score: 1

    "but it certainly isn't good"

    Ya think?!?

  16. This explains a lot... by ASCIIMan · · Score: 5, Funny

    Now we know why slashdot has been down so much the last couple days.

  17. The Worst Thing Of All by katana · · Score: 2, Funny

    At this time, the Remote Shell Trojan source code is not known to be available.

    This...thing violates the GPL and everything Open Source stands for! They could sell it commercially, and not even contribute back to the code base! That's just so, so, so non-Stallman that it makes my middle finger itch!

  18. Partial misinformation by sigwinch · · Score: 5, Informative
    Unless it also ... fiddles with my hosts.allow file, I'm not particularly concerned.


    Whoa, cowboy! /etc/hosts.allow only affects friendly programs that bother to parse it (e.g., inetd, or programs that use tcpwrappers). An unfriendly program is free to ignore it.

    However, your advice to use kernel firewalling is sound. 'Defense in depth' is the only way to go.

    --

    --
    Kuro5hin.org: where the good times never end. ;-)

    1. Re:Partial misinformation by mAIsE · · Score: 1, Interesting

      This really sounds like Microsoft's spin "just as bad as Code Red". A corporate child trying to smear their competition to say 'we aren't any worse than everyone else'. I wouldn't be surprised to see Microsoft push an issue like this to try to discredit Linux. I would be seriously interested in what the link between Microsoft and this supposed 'SECURITY' company is.

      First they ignore you, then they fight you, then you win.

  19. Does it self-compile? by Corbin+Dallas · · Score: 1

    I thought not. So what platform is this for? x86?

    So this thing infects Linux running on a specific platform, and only when the victim decides to run a strange, unknown binary attached to an email.

    Next.

    --
    Democracy is two wolves and a lamb voting on what to have for lunch. Liberty is a well-armed lamb contesting the vote.
  20. bout frigging time by Anonymous Coward · · Score: 0, Insightful

    maybe this will finally silence the L1NU> RULZ \/\/1nd0w5 5uX shills that have plagued /. for so long. Eat that, bizznatch!!

    1. Re:bout frigging time by sydb · · Score: 2

      No it won't, because those 'shills' (whatever that means) are still right.

      --
      Yours Sincerely, Michael.
    2. Re:bout frigging time by Anonymous Coward · · Score: 0

      You sir are a troll, and the moderator that rated you "insightful" is a stupid ass m$ drone.

    3. Re:bout frigging time by Anonymous Coward · · Score: 0

      dict says a shill is "a decoy who acts as an enthusiastic customer in order to stimulate the participation of others." Obviously he didn't know what a shill was either since he misused the word. Of course, Windows doesn't have a dict (say that three times fast), which once again shows that you pay more and get less.

    4. Re:bout frigging time by Anonymous Coward · · Score: 0

      Probably true but remember that the safest operating system on earth is still Sinclair's ZX Spectrum BASIC, never has been rooted, so eat this Linux and Windows users.

    5. Re:bout frigging time by Anonymous Coward · · Score: 0

      WTF, we need all the M$ drones we can get on here to balance out the ego imbalance that Linux users suffer from...

  21. Don't worry, this is no Linux Code Red by Xenna · · Score: 5, Informative

    For starters to get infected with this animal requires activity on the part of a user on the Linux box.

    Code Red required no user activity at all. A typical orphaned Linux box standing around in a corner would not be at risk; the same machine running IIS would have been a sitting duck for CR. There are a lot of orphaned servers out there with standard Redhat or IIS installs. These are the real danger. Any remote-root security holes on these populations are cause for real concern.

    I don't know if I'm typical or not, but where I work, Linux is used on servers (yup, I'm responsible for that) but we hardly ever read our mail on a Linux box. We use a Windows platform for that. So -> no risk.

    I'm thinking a Linux desktop user would be a better victim for this. Fortunately, hardly anyone uses Linux on the desktop so we're all safe!

    Regards,
    Xenna

    1. Re:Don't worry, this is no Linux Code Red by WildBeast · · Score: 0, Troll

      Which proves my point. Linux for Servers, Windows for Desktops. It's the perfect combination, that's what I do anyway.

    2. Re:Don't worry, this is no Linux Code Red by giantsquidmarks · · Score: 1

      This "virus" is just an exploit. A successful virus most often takes advantage of a chain of exploits.

      The next remote hole that pops up can be combined with this technique to produce an interesting effect.

      1. cause remote hole
      2. infect with "worm/backdoor/trojan/whatever"
      3. rinse repeat

    3. Re:Don't worry, this is no Linux Code Red by Anonymous Coward · · Score: 1, Insightful
      I don't know if I'm typical or not, but where I work, Linux is used on servers (yup, I'm responsible for that) but we hardly ever read our mail on a Linux box. We use a Windows platform for that. So -> no risk.


      Am I the only one that thinks the phrases "Windows" and "no risk" should not be referring to each other?


      We trust our servers with Linux, but not our email. We'd rather use a product known to get hit by the Virus-of-the-Week(TM)!

    4. Re:Don't worry, this is no Linux Code Red by Xenna · · Score: 1

      Am I the only one that thinks the phrases "Windows" and "no risk" should not be referring to each other?

      A Linux trojan is no risk to a Windows system, pretty obvious, isn't it...

      We trust our servers with Linux, but not our email. We'd rather use a product known to get hit by the Virus-of-the-Week(TM)!

      Security is never the only motivation in deploying a product or OS. We can easily replace NT servers within our organisation without starting a user-revolt. For the desktop, this is not a realistic option. BTW: the Linux mailserver does an excellent job of filtering out Outlook viruses. Not that we use Outlook, we use Netscape Messenger, but I'm not sure how long we can keep that up. This is the real world ;-)

      Regards,
      Xenna

    5. Re:Don't worry, this is no Linux Code Red by isorox · · Score: 2

      At uni most people that wouldn't know a mouse from a monitor happily use webmail (minerva.ex.ac.uk) on their personal computers - check out that. I don't know anyone using Outlook - and this is normal people like history students, not comp sci*.

      When they are actually on campus, they have a choice of eudora, simeon (I think), elm (ssh/telnet into an irix server), or webmail.

      Why use outlook?

      (* the majority of Exeter, UK's comp sci students don't know a mouse from a monitor either!)

    6. Re:Don't worry, this is no Linux Code Red by Xenna · · Score: 1

      We use Netscape Messenger in combination with IMP for webmail, but I haven't noticed people using webmail while they're in the building. It's mostly used when away from home.

      We require a mail client that supports IMAP properly on Windows clients. So we're basically limited to Messenger and Outlook. People are already starting to ask for Outlook, and understandably so, because Messenger is not that great, really. I'm no Outlook/Windows advocate, you don't have to convince me...

      Regards,
      Peek

    7. Re:Don't worry, this is no Linux Code Red by mpe · · Score: 2

      I'm thinking a Linux desktop user would be a better victim for this. Fortunately, hardly anyone uses Linux on the desktop so we're all safe!

      They'd also need to be running as root.

    8. Re:Don't worry, this is no Linux Code Red by archen · · Score: 1

      Yeah, I read "could be as bad as Code Red" and I thought, Hmm.. this could be interesting. But I mean a trojan like this for Linux isn't much of a threat if you ask me. And I mean it has to be run as root, I'll use a conservative figure (which I grab out of thin air) and say that at least 80% of Linux users aren't that stupid, and the ones that are probably couldn't get the trojan to work right anyway.

      Simply put, even novice users of Linux tend to be the people who wouldn't just run some attachment that someone e-mailed to them. Most Windows trojans perpetuate themselves via the nil security on Windows, along with people who don't know anything about the computer and just point and click anything. Like it or not, in order just to set up Linux, you have to know about the computer. I imagine that some Linux distros make running Linux very easy, but these people, I would say, are in the minority. Totally incompetent Linux users (with root access) are simply too sparse for this to be any real problem. "Worse than Code Red" my ass.

    9. Re:Don't worry, this is no Linux Code Red by sjames · · Score: 1

      A Linux trojan is no risk to a Windows system, pretty obvious, isn't it...

      Not to worry, soon enough, MS will find whoever released the trojan and force him/her to sign an agreement to develop exclusively for the Windows platform. Bill just hates when other platforms get supported first.

  22. This is nowhere near the level of Code Red by ceuxy2 · · Score: 1

    Maybe I'm missing the point, but Code Red was a MAJOR problem as it was able to use a remote IIS exploit to gain the permissions it needed. Thus it was able to make full use of computational speed to replicate (no user interaction required).
    This trojan needs users to individually execute it, AND those users need privileged permissions for it to have a major effect. This will not result in the massive waves of infection that we saw with Code Red.
    Hell, all linux needs now is to make friendly software that installs this easily ;-)

    1. Re:This is nowhere near the level of Code Red by WildBeast · · Score: 1

      It wasn't exactly an IIS exploit, it was the Index Server plugin for IIS exploit.

  23. Re:Not that bad? by mengmeng · · Score: 1

    Excuse me? Code Red automatically infected any servers which were vulnerable to its particular exploit that it randomly connected to. This trojan must be run by the user. It has no automatic way of propagating itself to other systems. So how is this like Code Red again?

  24. Show us the actual thing by gsliepen · · Score: 1
    Why should I believe this Qualys firm? They do not say where they found this code. They do not even mention that someone else found this trojan. It seems a little unlikely to me that the first appearance of a trojan would be at a security firm, unless it originated there.


    Most important though, they do not show an actual binary which allows me to verify their claims. The only thing they give me is a detection program, I would check THAT for trojan code if I were you! Actually the detection and cleaner program come in source code, and appear to be what they claim to be after a quick glance.

    1. Re:Show us the actual thing by sydb · · Score: 2

      Yep, I've thought for a long time that the anti-virus software companies have a lot to be gained by writing viruses themselves (I'm using a loose definition of the word 'virus' here).

      A few years ago I was perusing the virus database of a large anti-virus company. They categorised virii in various ways, and one of the attributes was where it had been found. The majority were 'laboratory only'.

      Now, what does that mean? If it's only been found in the 'laboratory', then it must have been created there.

      I'd be delighted if someone who knows can enlighten me as to what 'laboratory only' really means.

      --
      Yours Sincerely, Michael.
    2. Re:Show us the actual thing by Anonymous Coward · · Score: 0

      Exactly. No details whatsoever about where this virus was spotted nor how it begins its infection.

      So, a normal user runs a program, which goes and mangles a bunch of binaries in /bin? Not on any Unix platform I know...

      Also, they make the leap that it's even more dangerous because Apache is so popular -- Apache doesn't live in /bin, so how did it get drawn into this???

      The whole thing smells like Microsoft inspired FUD to me...

    3. Re:Show us the actual thing by Anonymous Coward · · Score: 0

      Of course they do not put up the binary. I wrote a trojan(-ish) program for Unix systems myself a while back which, upon testing it on my friends, turned out to be quite effective. It even got experienced users to hand it the root password.

      The program would sneakily obtain the root password from the user by giving him/her the choice of entering the password, or pressing the reset switch on the computer.

      After obtaining the root password the possibilities are endless. What this program did was create an explanatory file in the /-directory to prove that the system had been compromised, and it e-mailed itself to root@localhost from root@localhost to prove that it could have harvested e-mail addresses and sent itself to those addresses.

      I have never made this program available for download, because it was quite a trivial program. Any programmer with a little bit of Unix experience could write it, and most of them would choose to do with it what I did; nothing.

      If I had made the program publicly available, chances are that a slew of kids would have grabbed it, modified it, and sent it out into the world with malicious intent.

      I want to sleep at night.

    4. Re:Show us the actual thing by billh · · Score: 2

      Just a WAG here, but it could be that many virus writers just write them for fun and fame. Write a quick virus, put in your name or the name of something you are interested in, send it off to the virus labs from an anon account, and you are in a virus database ad infinitum. No real harm done.

    5. Re:Show us the actual thing by Anonymous Coward · · Score: 0

      "In the lab" does indeed mean that this has not been detected where it can be found by the general public, it has not been unleashed. "In the wild" means it has been.

      Apparently there are people who write viruses as a hobby (I guess it's safer than collecting guns...), they send the best (if that's the right word to use) ones off to the anti-virus companies, I imagine anonymously.

      The anti-virus companies are forced by their business model to name them, catalog them, and detect them. They publicize the viruses on their web sites.

      The hobbyists can get a kick out of showing their fellow hobbyists (they may possibly have friends too) the viruses that they wrote without ever hurting anyone, in the same way gun collectors can get a kick out of showing off their bazookas without actually firing them.

      IIRC, the ILOVEYOU virus was not released purposely, i.e. the writer tested it, it sent the emails and was propagated against the writer's intentions. viz the email address and other clues to the author in the comments...

    6. Re:Show us the actual thing by masq · · Score: 1

      I take lab viruses to mean "It's been submitted for addition to their database, but they have no reports of it being active "in the wild"".

      It's a really common conspiracy theory that anti-virus companies write viruses; my friends and I have discussed this for years. And I can't disprove it, and simple economic principles lead me to believe that it actually happens. It's just "good business" to create a steady need for your product, you know - gotta keep up with the Gateses'! ;-)

  25. I dont get this ... by kuiken · · Score: 1

    "The Trojan is most dangerous if it is executed by a privileged user as it inherits the credentials of that user, effectively allowing it to take full control. "

    "Qualys also warned that the size and scope of the Trojan could be massive. Over 58 per cent of websites worldwide currently use Apache servers for which Linux is the most popular platform"

    Any sysadmin opening a bin on a production webserver deserves all he gets.
    Plus the fact that most FW/routers will block the incoming udp connection makes even an infected box "safe".

    --

    42
  26. Uh.. Code Red was autonomous.. This isn't. by Anonymous Coward · · Score: 0

    This is spread via email. It requires someone to actually execute it. Given how difficult it usually is to even view attachments with our email software, this idiotic program WILL NOT wreak havoc in the same manner as Code Red.

    Duh! Hello? Anyone home? Code Red attacked vulnerable servers remotely, without human intervention. The "trojan" this article is talking about is NOT AN AUTONOMOUS WORM.

    Cripes. Why do I even bother?

  27. Re:Not that bad? by Anonymous Coward · · Score: 0

    Am I the only one here that realizes that this "threat" is completely bogus? Anybody with any intermediate programming skills can code a program like this. First of all it's not a worm. It doesn't self-replicate onto OTHER servers. Second.. Unless you run as root all the time there really is no danger. The virus does NOT exploit some back door. It can do NO MORE DAMAGE than what an unprivileged user can do. It can not affect major web-servers because no sane administrator sits on a web server reading his mail and running random attachments as root. Things that pose real threats are WORMS that spread using an exploit through the net. That's the real danger. Trojans are just an annoyance...

  28. Trojan 101 by gnovos · · Score: 2

    void main() {

    doTrojan();
    doMainApp();

    }

    There, I just wrote myself a new "Linux Trojan". The thing is, a "New Trojan" is actually nothing new at all. Basically, all you need is a bit of code that seems useful to the user, a bit of code that the user never gets to see, and a user to run it. I can write a perl script that will happily crank out "New" trojans by the trillions. Disk space is the only limit to the number of perfectly unique "Linux Trojans" I can make.

    I know a lot of people will use FUD like this to point out that Linux has its flaws too, but that is complete garbage. A trojan is not a threat to a competent user on a machine with even the barest levels of user authentication and security. It is only a threat to the naive or the foolish.

    --
    "Your superior intellect is no match for our puny weapons!"
    1. Re:Trojan 101 by enneff · · Score: 1

      Or, check out my more advanced trojan:

      int main() {

      return doStuff();

      }

      Can't even see it ;)

    2. Re:Trojan 101 by WildBeast · · Score: 1

      You're right, but when a trojan comes out for Windows you'll be the first to say how insecure Windows is.

    3. Re:Trojan 101 by gnovos · · Score: 2

      Nice point. Now tell me if you can see this difference: Running a "trojan" as a non-root user on a Linux machine vs. running a trojan as any user on a windows 9x machine. Which one is going to cause more damage?

      Unless the Linux user has done a chmod -R 777 / recently, the windows user is going to be in serious trouble while the Linux user is fine. Why is that? Because Microsoft has some serious mental problems when it comes to security in their non-NT environments.

      A trojan is not news. Horribly gaping flaws in security models may be, but the trojan itself is one out of a hundred trillion million trojans just like it.

      --
      "Your superior intellect is no match for our puny weapons!"
    4. Re:Trojan 101 by seann · · Score: 0

      I'm waiting for the headlines on CNN, "It seems linux is now vulnerable to code red"

      You have a very good point, user-level security on a UNIX machine eliminates 99% of the problems via running a trojan. Lack of security on a windows desktop creates 99.9% of the problems with trojans.

      Fricken condoms.

      --
      I'm a big retard who forgot to log out of Slashdot on Mike's computer! LOOK AT ME.
    5. Re:Trojan 101 by Anonymous Coward · · Score: 0

      A more harmful one...

      #include <stdlib.h>

      int main(void)
      {
      system("mount -t iso9660 -o ro /dev/cdrom /mnt");
      system("wine /mnt/setup.exe");
      return 0;
      }

    6. Re:Trojan 101 by (void*) · · Score: 2
      Of course. All programs run with permissions set to read-all and write-all in Windows 9x.

      Now for the obligatory argument by analogy:

      The Linux filesystem and user permissions are like a government. What they set up is something akin to a "legal system" in the computer. Sure, malicious programs can try to subvert that (which this program TRIES TO BE, BUT IS NOT SUBTLE ENOUGH). When such a rogue program is detected, this system can help you to diagnose programs, isolate the infected binaries and "jail" them. In Windows 9x, there is no government, there is only chaos.

    7. Re:Trojan 101 by WildBeast · · Score: 2, Insightful

      I used to run win9x, if it's so insecure, how come I never did get infected? Besides, if you ever worked in tech support, you would know how much trouble some people have just to enter their username and password. It's crazy. Besides, now all MS OS's are going to be NT based.

      I know a lot of Linux users who always use the root account.

    8. Re:Trojan 101 by Anonymous Coward · · Score: 0

      "I used to run win9x, if it's so insecure, how come I never did get infected?"

      How many executable/scripted email attachments did you run/autorun? None? Well, you have better Win9x hygiene than MANY users I personally know (and counsel to Get With The Program and not do that!!).

    9. Re:Trojan 101 by Anonymous Coward · · Score: 0

      >I know a lot of Linux users who always use the root account.

      Bullshit. What dist are they running? Most modern dists FORCE you to create a user account. If these people truly use root then they are idiots, plain and simple.

      From the sound of your email I would bet that if you DID work in tech support you were one of those clueless idiots purporting to be "experts".

      >Besides, now all MS OS's are going to be NT based.
      AFAIK, XP will only allow you to run everything as an admin level account-- am I wrong?? Who cares if it's NT based if they do something as stupid as all fuck as that??

      "I used to have sex all the time without a condom. If AIDS really exists why didn't I get infected?" ..because you have to have sex with OTHER people..

    10. Re:Trojan 101 by Karellen · · Score: 2

      How many times...?

      main() RETURNS INT!!!

      Stop reading Schildt.

      Now write both of the following declarations out 100 times each.

      int main(void);
      int main(int argc, char ** argv);
      :-)

      --
      Why doesn't the gene pool have a life guard?
    11. Re:Trojan 101 by masq · · Score: 1

      > I used to run win9x, if it's so insecure, how come I never did get infected?

      How do you know you didn't?

      With a good hack, the mark *never* knows. And with Win9x, it's still fairly difficult to confirm an intrusion when it's done creatively (ie. not a prepackaged kiddiot attack). I mean, the logging *sucks*, the 9x help files *suck*, there are very few tools included with 9x, and most of those are CLI, so the typical Windows user feels out of place using them in a GUI world, etc.

      I don't really approve of the steeper learning curve of GNU/Linux, but it is better security than an OpenBSD firewall set up by Theo himself. The learning curve, and the linux community DIY ethic, FORCES new people to get on the net and learn about their system - and it's not too long before every newbie hits a webpage detailing security on their favorite distro. KNOWLEDGE is the only sure protection. Well, that and a .357 Magnum Colt Python...

      But I have to go now, my MSN Messenger just automagically alerted me to a new Active X enabled Hotmail message coming from Russia! I'm excited to run that unscanned executable. It's big, so it must be good. Maybe it's pr0n.

  29. Give me a break... by toupsie · · Score: 3, Interesting
    I have 12 to 24 hits a day from unique IPs that are Code II/III probes (hundreds all combined). To compare this worm/virus/trojan to Code Red is just plain old marketing hype. Linux to me is a server OS (quickly ducks). I use Mac OS X as my desktop OS -- its a personal thing (Darwin + Quartz + Aqua + X > Linux + X). The last thing I would do is open an e-mail attachment on a server that doesn't receive or need e-mail (duh). Code Red didn't need e-mail, it just needed a newbie with Windows NT/2000 w/ an unpatched IIS installed to spread -- which most of my probes come from (at least what nmap tells me).

    This really is a non-story. Anyone that has the skill to install Linux would know better than to execute this sort of attachment.

    Offtopic: We need a Slashdot Virus Pool for the first distributed threat to Apple's Mac OS X. I am guessing May 16, 2006.

    --
    Strange women lying in ponds distributing swords is no basis for a system of government.
    1. Re:Give me a break... by WildBeast · · Score: 1

      Of course, it makes you wonder why would a newbie go ahead and dish out $1200 to get Windows 2000 Server.

  30. [The Great Anonymous French Calembour] by Anonymous Coward · · Score: 0

    trojan: C'est trop gentil.

  31. Tried there tool... by StarTux · · Score: 1

    Just for the hell of it I tried the tool that they provide to test for it.

    Well it would not run, as it said that this exploit does not work with IP addresses with 0 in it, weird.

    Plus you need permission to write to the /bin directory, normally only root can do this. And if someone is running as root they may have many more problems than just this trojan.

    Just seems a spin to "ready" the Linux market for their anti-virus ware IMHO.

    StarTux

  32. Worms dont happen to Mac web servers EVER! by Anonymous Coward · · Score: 0

    Worms dont happen to Mac web servers running WebStar.

    EVER.

    That's why no reports of ANY exploit have ever been published regarding the secure Mac OS. !

    consult bugtraq if you doubt this.

    C Language alone is not the sole reason but the types of STRINGs used in ANSI C libraries certainly adds risk.

    Worms dont happen to Macs because Mac programmers rarely have buffer overrun problems because mac apps typically NEVER use null terminated strings and instead use "pascal" style strings that have a bounds of 255 and a marker in the front.

    Additionally mac programmers tend to know that there is no false sense of security because all code is running at supervisor level so programs, like Webstar, are careful not to do foolish things.

    Mac programs and executables NEVER can run merely from a data file named with a suffix such as .exe because macintoshes do not have file suffixes. The mac OS (9,x and older) uses a four byte file type designator that the user never sees and cannot be set carelessly.

    A further reason macs are more secure than unix (hundreds of documented exploits) and Win NT (almost as many exploits documented over the years), is because the mac does not have a command line shell and has no path to hijack. No command line and a modern type of interprogram communication prevent the silly weaknesses in other OSs.

    Yet another reason the Mac is secure is because a mac program (either 68k or PowerPC) needs TWO files to execute and not one file. The second file is called the resource fork and it is generally an invisible file kept tightly associated with a file. Classic internet apps do not create or allow creation of these resource forks as side effects of merely storing data files. Macs are very secure from infiltration by dynamic creation of apps by rogue products on a server.

    Another reason macs have NEVER been broken into running the WebStar server is because the mighty Mac OS Webstar server, (which typically costs over 400 dollars unfortunately), avoids ever executing cgi code files from directories where they ought not to be. A clever set of directory and folder control prevent the webserver from being hijacked unlike earlier versions of apache.

    The US army switched to Webstar webservers on macs when MS NT webservers kept getting hacked.

    There are thousands of major webstar servers out there. I think many are colocated at reprahduce.com cages.

    And mac NEVER get hacked. EVER. and NEVER have, even with public challenges and reward money.

    Sure, there may be some defects that might get discovered one day, and surely any mac not running mac os such as ppcLinux, or the new Mac OS X (FreeBSD derivative) are hackable.

    But face it. Macs have NEVER been hacked and that is because of modern and sound design principles.

    Myself and other mac programmers I know have NEVER shipped a product containing a single null terminated C string, and do lots of paranoid error checking as well.

    Unix is hackable not because of open source, not because of popularity (both of which help) but because of all the things I mentioned here.

    Also, parts of the older Mac OS itself is written using pascal strings, in fact the original ROMs were written using only pascal compilers and some assembly, and no C. But string overruns alone are not the ONLY reasons mac servers have never been hacked, (command line, dual fork, no extensions, etc etc).

    Wake up and quit being bigoted.

    1. Re:Worms dont happen to Mac web servers EVER! by seann · · Score: 0

      you really wrote an annoying article there mentioning "macs have never been hacked" a lot.
      You said "macs have never been hacked" way too many times.
      I would not have written this had you not mentioned it so much that "macs have never been hacked".
      Why would somebody use a PC if "macs have never been hacked" and why hasn't somebody made a web server box, that only serves web pages, via a harddrive that can't be hacked, just how "macs have never been hacked".
      This would be interesting, saying "macs have never been hacked" will be like saying "macx have never been hacked".

      --
      I'm a big retard who forgot to log out of Slashdot on Mike's computer! LOOK AT ME.
    2. Re:Worms dont happen to Mac web servers EVER! by Anonymous Coward · · Score: 0

      Nobody writes trojans for Mac.
      You'd never find enough to infect enough for a decent DDoS attack.

      Now please vacate the soap box for those who actually have a point.

    3. Re:Worms dont happen to Mac web servers EVER! by Anonymous Coward · · Score: 0

      the point is simple, use a mac if you do not like to be exploited and hacked!

    4. Re:Worms dont happen to Mac web servers EVER! by Anonymous Coward · · Score: 0

      Silly one, the reason it is reiterated is because linux-loving slashdot losers always say "maybe the millions of utilized macs have not been hacked, because they represent less than 5% of the servers, and there are more linux servers". In fact if I type it once they set the post to -1. If I type it 5 times it usually stays at 0.

      They never raise it above 0 unless I post actual semi-exploitable anti-mac info in the post which I do not wish to do because I do not want to harm the mac by arming hackers with ideas to use.

      Science is not a popularity contest.

      No mac servers have ever been hacked and "rooted" and that is why the us army switched to them.

      And they never regretted it.

    5. Re:Worms dont happen to Mac web servers EVER! by seann · · Score: 0

      stop being an ac ;)
      you sound like an intelligent fool unlike the majority of the people here

      --
      I'm a big retard who forgot to log out of Slashdot on Mike's computer! LOOK AT ME.
  33. Blame it on the rain by WildBeast · · Score: 1

    every time a Trojan comes out, people blame it on dumb users, on insecure OS's, etc. I don't see anyone blaming the author of the Trojan.

    I say, find the author and prosecute him.

    1. Re:Blame it on the rain by Jacek+Poplawski · · Score: 1

      > I don't see anyone blaming the author of the Trojan.

      Because he is not so important.
      if the system is weak, and users are dumb - there always will be an "author of Trojan" who can make a mess in the world for a while.
      Trojan can exist because of system/users, not because of one author.

    2. Re:Blame it on the rain by WildBeast · · Score: 1

      Does it mean that we shouldn't stop him? Hey the human body isn't secure, you don't see me going around killing people and blaming it on people's existence.

      There will always be killers, does it mean that the cops should leave him alone?

      There will always be diseases, does it mean that researchers should just stop?

  34. Not an Apache worm by cyberdonny · · Score: 2

    Just pointing out the obvious for those of you who might have been fooled by the summary's language:
    Contrarily to what the summary hints at through the mention of Code Red, and Apache, this is not an Apache worm. It's a trojan that you actually have to execute yourself in order to be infected. Thus, if you don't blindly execute e-mail attachments, and download programs from untrusted sources, you should be safe. Moreover, the trojan is rather primitive and doesn't try to manipulate the file modification dates to hide its presence. Thus a simple ls -ltrc /bin and ls -ltr /bin should reveal its presence.

    1. Re:Not an Apache worm by forged · · Score: 1

      Plus if you're logging in as root and then run that executable, then you really ought to be shot in the head.

      Bottom line: this will never spread like good'old MS-DOS virus days :-)
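A baseline-and-compare version of the ls -ltrc /bin check suggested above, as an added example that is not code from the thread, from Qualys or from any distribution's integrity checker. It records size, SHA-256, mode, mtime and ctime for every regular file in a directory and reports what changed; the ctime-versus-mtime rule is a heuristic for files whose modification time was reset after being rewritten, and the sample directory in demo() is constructed.

```python
"""Added example: snapshot a directory of binaries and report changes."""
import hashlib
import os
import stat
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(directory):
    """Return {name: metadata} for every regular file directly in `directory`."""
    snap = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        st = os.lstat(path)
        if not stat.S_ISREG(st.st_mode):
            continue  # skip symlinks, devices and subdirectories
        snap[name] = {
            "size": st.st_size,
            "sha256": sha256_file(path),
            "mode": st.st_mode,
            "mtime": st.st_mtime,
            "ctime": st.st_ctime,
        }
    return snap


def compare(baseline, current, tolerance=2.0):
    """Return a sorted list of (name, reason) findings between two snapshots."""
    findings = []
    for name, cur in current.items():
        old = baseline.get(name)
        if old is None:
            findings.append((name, "new file"))
            continue
        if cur["sha256"] != old["sha256"]:
            findings.append((name, "content changed"))
        elif cur["size"] != old["size"]:
            findings.append((name, "size changed"))
        if cur["mode"] != old["mode"]:
            findings.append((name, "mode changed"))
        # ctime is set by the kernel on any inode change and cannot be backdated
        # with touch/utime. If it advanced while mtime stayed put, the file was
        # touched and its modification time was then put back; `ls -ltr` alone
        # would not show that, `ls -ltrc` would.
        ctime_moved = cur["ctime"] - old["ctime"] > tolerance
        mtime_same = abs(cur["mtime"] - old["mtime"]) <= tolerance
        if ctime_moved and mtime_same:
            findings.append((name, "ctime advanced but mtime unchanged"))
    for name in baseline:
        if name not in current:
            findings.append((name, "file removed"))
    return sorted(findings)


def demo():
    """Constructed self-test: build a tiny 'bin' directory, take a baseline,
    then append to one file and drop a new one, as an infector writing into
    /bin or the current working directory would."""
    with tempfile.TemporaryDirectory() as d:
        for name, data in (("ls", b"#!/bin/sh\necho ls\n"),
                           ("cat", b"#!/bin/sh\necho cat\n")):
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        base = snapshot(d)
        with open(os.path.join(d, "ls"), "ab") as f:
            f.write(b"# appended payload (constructed)\n")
        with open(os.path.join(d, "dropper"), "wb") as f:
            f.write(b"x")
        return compare(base, snapshot(d))


if __name__ == "__main__":
    for name, reason in demo():
        print(f"{name}: {reason}")
```

In use you would save snapshot("/bin") to a file kept off the host right after installation and run compare() against a fresh snapshot on a schedule.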

  35. Sensational bollocks by kimihia · · Score: 1

    Nothing but sensational trash. It is nothing like Code Red. I'm not an expert, but from the shabby detail in the article I can see several reasons:

    • Market share - vulnerable installs of Linux are not widespread enough to reach a critical mass. CR became huge because every second host practically was running a vulnerable install. (So I exaggerate the number - but evangelism aside, there aren't THAT many vulnerable hosts out there.)
    • No scanning attack - it stays on the local system
    • No privilege elevation - it's only a user level root shell. Someone could potentially upgrade that via another buggy daemon or a ptraceable kernel, but otherwise you are limited to Jim Bob's shell. Still a concern, but not as bad as r00ting.

    They shouldn't compare it to Code Red. CR was a disaster because a company called Microsoft encouraged people to install trash software that shouldn't have passed QA.

    They should instead compare it to, say, an Outlook virus because it spreads via email:

    The replication process of the Remote Shell Program can only effect binary files within the access privileges of the user who launched the originally infected program.

    Have a read of Michael Parenti's Monopoly Media Manipulation and see how many of the points you can spot in the press release.

    A lot of sensational bollocks.

  36. These journalists must be desperate for attention. by hebble · · Score: 5, Insightful

    First: why is Apache mentioned AT ALL? It sounds like this thing only "spreads" (if you can even call it that) when someone is brain-dead enough to READ their EMAIL as a user who can WRITE to IMPORTANT BINARIES! That has nothing whatsoever to do with Apache. Is it just to support the idea that there are a lot of Linux servers?

    As virii go, this is pretty pathetic, and prompts one to question the competence of anyone who thinks it is significant. The email-vector mechanism can't even take advantage of address books, since Unix mail clients are so far from standardized.

  37. I don't have much faith in the analysis by phaze3000 · · Score: 3, Informative
    It also installs a backdoor in the infected host, listening on UDP port 5503 or higher. An attacker could connect to this port via TCP

    Wait, so it listens on a UDP port, but it can be compromised using TCP? Do the people that analysed this actually bother proof-reading, or do they simply not understand what they write??

    --
    Blaming GW Bush for the Iraq war is like blaming Ronald McDonald for the poor quality of food.
    1. Re:I don't have much faith in the analysis by Lord+Bitman · · Score: 1, Informative

      it listens on UDP. When it receives the UDP request which contains the IP address and Port of the attacker, it will open a TCP connection to that IP & port. So it listens on a UDP port and the system gets compromised using TCP.

      --
      -- 'The' Lord and Master Bitman On High, Master Of All
    2. Re:I don't have much faith in the analysis by Anonymous Coward · · Score: 0

      Re-read the parent's quote, that's not what the quote said. The quote said, listens on a UDP port, attacker connects via TCP. Nothing about the intermediate step of trojan establishing the connection.

      That's why I also don't have much faith in the analysis.

    3. Re:I don't have much faith in the analysis by Lord+Bitman · · Score: 1

      Try reading the article before replying to the summary. It really wasn't that long.

      --
      -- 'The' Lord and Master Bitman On High, Master Of All
  38. err... by Anonymous Coward · · Score: 0

    Try KDE 2.2

    What's with this Windows/Desktop shit?

    1. Re:err... by WildBeast · · Score: 1

      I tried KDE 2.2, much better than GNOME but no match to WinXP.

  39. It's a Virus not a Worm. by AftanGustur · · Score: 3, Insightful


    Why on earth do people think that this code can infect machines remotely over the Internet ? Does it say so anywhere in the article ?? No !!

    From the article:
    The so-called Remote Shell Trojan spreads through email as well as replicating itself across the infected system.

    It's simply a trojan that you will have to get in mail or on a floppy and execute YOURSELF.

    Then it will infect other executables on your system, but in no case will it be able to infect any other systems without human assistance (i.e. executing a binary on that computer).

    Whoever thought this is even remotely as scary as Code-Red is in need of some serious medication.

    --
    echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
  40. Infection not Likely by Adrian+Lopez · · Score: 1

    The following steps would lead to an infection:

    [Save As: not_a_tojan_i_swear]
    $ chmod 777 not_a_trojan_i_swear
    $ su
    [password: god]
    /home/darwin# ./not_a_trojan_i_swear

    If after doing all this your system blows up in smoke it's nobody's fault but your own.

    --
    "In prison you just have to shut your eyes and take it. Here you have to shut your eyes and give it."
    1. Re:Infection not Likely by Adrian+Lopez · · Score: 1

      Please, no jokes about "chmod: not_a_tojan_i_swear: No such file or directory" ok?

      --
      "In prison you just have to shut your eyes and take it. Here you have to shut your eyes and give it."
  41. WTF? by Anonymous Coward · · Score: 0

    There are hundred new Linux trojans every day. Why does Slashdot suddenly report this one in particular? Are they advertising the security firm Qualys?

  42. A new one has been found! by friscolr · · Score: 5, Funny
    Advisory # 44526


    FOR IMMEDIATE RELEASE


    Overview


    The Really Silly Command Virus identified by Blackant Systems has the potential to remove all files from a hard drive. It was recently spotted in the wild a few days ago when a junior sysadmin logged in as root on a production server and executed a shell script he had been emailed from a user known only as script_kiddie@hotmail.com.



    Impact


    Given a detailed analysis of the source code behind this virus, it is possible that the Really Silly Command Virus may eventually mutate into a self-propagating worm.



    Recommendations


    Blackant Systems recommends that every sysadmin who would run shell scripts from untrusted parties be shot.



    In order to determine if your email may contain this new virus, please look for the following first few lines in a shell script:



    #!/bin/sh
    #1337 script by script_kiddie!!!
    #props to all my homies!!!!
    rm -rf /

    #this doenst seem to work yet...
    mail $0 $1



    If you find a file with similar lines, do not execute it on your server, but remove it immediately. Blackant Systems will be releasing a utility to identify stupid sysadmins shortly.

    1. Re:A new one has been found! by WyldOne · · Score: 1

      #!/bin/sh
      #1337 script by script_kiddie!!!
      #props to all my homies!!!!
      rm -rf /

      #this doenst seem to work yet...
      mail $0 $1


      Remember you have to mail _before_ you do the rm. That's why the mail portion doesn't work. ;)

      --

      make Linux, not Microsoft. sin(beast) = -0.809016994374947424102293417182819
  43. What counts by Faux_Pseudo · · Score: 4, Funny

    I don't mind if there are trojans and virii for linux as long as they are GPLed and Open Source.

    I'm sorry but I felt it had to be said even if I lose karma

  44. Re: Code red WAS? by Lord+Bitman · · Score: 0

    I wish people will stop using the past tense when talking about Code Red. There are STILL unpatched servers out there!
    Is this only happening in My IP block, or has everyone just decided to ignore it?

    As for "Important Binaries" I think you overlooked that it isn't just Important Binaries which are being written to. It's also your current working directory, so if you run the program and then switch to say, a program you were working on, there's another instance.

    No this is nothing like Code Red, and yes the site linked to is crap. (notice that they ask for a phone number before letting you download the check? Hmm, I wonder what /that/ could be about)
    But It's still nice to see a security message on slashdot every now and then.

    --
    -- 'The' Lord and Master Bitman On High, Master Of All
  45. As the good ol' saying goes.... by Blowit · · Score: 1

    the ONLY way to protect yourself from a trojan is to unplug it from the 'Net. Trojans are becoming cross platform as an OS is to Java.

    --
    *Headline News* censorship shuts down the Internet! More at 6PM!
    1. Re:As the good ol' saying goes.... by Anonymous Coward · · Score: 0

      "Trojans are becoming cross platform as an OS is to Java."

      ???????? I've seen exactly ONE reference to a cross-platform worm, one which carries both Windows and ELF payloads. Where do you get this "becoming cross platform as an OS is to Java" stuff as if monthly reports of cross-OS attacks were being reported?..

  46. Re:Not that bad? by WolfDeusEx · · Score: 1

    The fact is that code red is worse than this worm. I will tell you why. Code Red (and CR2) spread itself with no user intervention. This worm needs a user to run the infected program. Also if I do run an infected binary, it will not infect /bin or anywhere else because I don't run as root.

    Another reason this worm is not that bad is because it will not be creating the same type of bandwidth usage that code red and sircam did. Basically this worm/virus does shit unless you are that stupid to run a binary attachment that you get from someone you don't know.

    --
    Shoot me
  47. James Middleton needs to brush up on TCP/IP by CunningPike · · Score: 1
    From VNU's second article:
    > It also installs a backdoor in the infected host,
    > listening on UDP port 5503 or higher.
    >
    > An attacker could connect to this port via TCP and ...
    This is impossible. TCP and UDP are independent protocols sitting on IP. You can't talk to a TCP port with UDP (or vice versa).

    According to qualys' actual release, an incoming UDP packet will trigger the compromised machine to initiate an outgoing TCP connection. Similar effect, but different net traffic.

    --
    | What, you were expecting
    -O_O- +---- something witty?
    1. Re:James Middleton needs to brush up on TCP/IP by Meorah · · Score: 1

      > It also installs a backdoor in the infected host,
      > listening on UDP port 5503 or higher.
      >
      > An attacker could connect to this port via TCP and ...

      I'm pretty sure he meant to say "...connect to this port via the TCP/IP protocol...", which is still kinda iffy, but sounds better than "...connect to that new fangled internet thingie..."

      Come on, you've got at least a TINY bit of nerd in you if ya read /. You understand how your brain can think one thing and your fingers type another. And as a bug alert, it makes sense that you wouldn't proofread it because you want to get the thing out. Yeah, it's a lame excuse, but more valid than any other proofreading excuse.

      --
      Protector of Capitalist views,
      Meorah
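A small correlation check for the trigger pattern the two posts above describe (inbound UDP datagram to port 5503 or higher, then an outbound TCP connection from the same host back to the datagram's sender), as an added example that is not code from the thread or from Qualys. The log format, the monitored host 192.0.2.10 and every address in SAMPLE_LOG are constructed; a real firewall logs differently, and if the firewall drops the inbound UDP in the first place the trigger never arrives.

```python
"""Added example: flag a UDP trigger followed by an outbound TCP callback."""
import re
from datetime import datetime, timedelta

# Constructed log: "timestamp direction proto src:port -> dst:port" lines as
# seen from the monitored host 192.0.2.10 (format assumed for this example).
SAMPLE_LOG = """\
2001-09-08T12:00:00 OUT UDP 192.0.2.10:40001 -> 192.0.2.1:53
2001-09-08T12:00:01 IN  UDP 198.51.100.9:5000 -> 192.0.2.10:6000
2001-09-08T12:00:05 IN  UDP 203.0.113.7:41000 -> 192.0.2.10:5503
2001-09-08T12:00:06 OUT TCP 192.0.2.10:33000 -> 203.0.113.7:4444
2001-09-08T12:05:00 IN  UDP 203.0.113.50:41001 -> 192.0.2.10:5510
2001-09-08T12:20:00 OUT TCP 192.0.2.10:33001 -> 203.0.113.50:80
2001-09-08T12:30:00 OUT TCP 192.0.2.10:33002 -> 192.0.2.20:22
"""

LINE = re.compile(
    r"^(\S+)\s+(IN|OUT)\s+(UDP|TCP)\s+"
    r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+->\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)$"
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        ts, direction, proto, src, sport, dst, dport = m.groups()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "dir": direction, "proto": proto,
            "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport),
        })
    return events


def find_callbacks(events, min_port=5503, window=timedelta(seconds=60)):
    """Return (host, peer, udp_port, tcp_port) for every inbound UDP datagram to
    a port >= min_port that is followed within `window` by an outbound TCP
    connection from the same host back to the datagram's source address.
    A UDP listener by itself proves nothing; the reverse TCP connection is
    the observable part of the behaviour described in the thread."""
    alerts = []
    triggers = [e for e in events
                if e["dir"] == "IN" and e["proto"] == "UDP"
                and e["dport"] >= min_port]
    for t in triggers:
        for e in events:
            if (e["dir"] == "OUT" and e["proto"] == "TCP"
                    and e["src"] == t["dst"] and e["dst"] == t["src"]
                    and t["ts"] <= e["ts"] <= t["ts"] + window):
                alerts.append((t["dst"], t["src"], t["dport"], e["dport"]))
    return alerts


def analyze(text=SAMPLE_LOG):
    """Run the check over a log text; only the 203.0.113.7 pair fires on the sample."""
    return find_callbacks(parse_log(text))


if __name__ == "__main__":
    for host, peer, udp_port, tcp_port in analyze():
        print(f"{host}: UDP trigger on {udp_port} from {peer}, "
              f"then TCP callback to {peer}:{tcp_port}")
```

The 12:05 datagram is not flagged because the later TCP connection to the same peer falls outside the 60-second window; widen the window or add port heuristics to taste, at the cost of more false positives from ordinary UDP services.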
  48. These Linux viruses are lame!!! by Futurepower(tm) · · Score: 1


    These Linux viruses are lame!!!

    You have to remember to disable your firewall. And you have to remember to disable any tool which checks file sizes and CRCs; such a tool is part of the Linux-Mandrake default install.

    If you want a really respectable virus or Trojan, you will have to run Windows.

    --
    Bush's education improvements were
  49. Re:a similar story in history Version 1.1a by Lars+T. · · Score: 1

    "...a guard at the top of the castle gates spots something in the distance, just beyond the walls. What could it be? Its...GPL'ed source code for a giant wooden penguin! Immediately, guards from different corridors of the castle rush to perceive what appeared to be a gift from the gods. All at once, they hoisted the behemoth bird onto a makeshift wagon and hauled it within the castle. Being paranoid bastards, many of the open source inspired defenders of the castle take a look at the source code, but others, not so patient, want to see that big wooden penguin, and just compile away. Later on that night, the wooden bird's bottom opened, releasing thousands upon thousands of Bill Gates' shock troops, sent to terrorize the castle and townspeople."

    --

    Lars T.

    To the guy who modded me down from perfect to terrible Karma - Apple haters still suck

  50. His arm has grown long indeed.... by nagora · · Score: 3, Flamebait
    ...if he can throw virus alerts all the way from Redmond.

    This "alert" is clearly bought and paid for by MS. The idea that a machine running Apache is "vulnerable" to a trojan that depends on a superuser saving and running an email attachment of unknown origin (or a normal user somehow setting the suid bit on the attachment) is so stupid that it can't be stupid: it must originate with someone that has a vested interest in spreading FUD.

    Let's see now, who do we know that doesn't like Linux, is having a major launch of a new version of their OS and is known for sponsoring "research" that shows that Linux is the tool of the Devil? Hmm.... Is it Bill, the mild mannered janitor? Could be, could be!

    TWW

    --
    "Encyclopedia" is to "Wikipedia" what "Library" is to "Some people at a bus stop"
    1. Re:His arm has grown long indeed.... by BigBlockMopar · · Score: 2

      The idea that a machine running Apache is "vulnerable" to a trojan that depends on a superuser saving and running an email attachment of unknown origin

      Indeed. Ironic, isn't it, that this is essentially what the majority of Outlook users do when funky stuff appears in their e-mail boxes.

      Interesting how the author of this warning is attributing the same level of intelligence to Apache sysadmins as one attributes to a donut-eating secretary who festoons her machine with screen-mates and horsehead screensavers.

      I noticed also that the first pop-up ad which hit me after I opened the article at vnunet.com was for Microsoft's Enterprise Server software. And Vnunet's logo has the same font and feel as the top of a page at microsoft.com.

      This feels like a M$ publicity stunt. It's time to shut the bastards down somehow.

      --
      Fire and Meat. Yummy.
  51. Apologist by Anonymous Coward · · Score: 0

    Okay, now that you're "Insightful" and everything you must feel really good. Too bad you didn't think this thing through though. Don't feel bad though, neither did the idiot moderator who gave you your precious point.

    Thing is, there aren't any popular email clients for the linux platform which would do such ass-backward things as running an attachment because the idiot user doubleclicked it, much less do those clients have built-in virus code runners which would allow the virii to masquerade as documents. Nor are the "file extensions hidden" for the protection of the innocent.

    The amount of people "running around as root" on their newly installed is luckily about the same as the amount of complete idiots who habitually leave their doors unlocked because they don't know any better. With corporate installations the number is a big round zero.

    Asshole.

  52. Re:Not that bad? by TandyMasterControl · · Score: 1
    Oh REALLY? And it's a trojan by the way, not a self propagating worm or a virus. That is to say, you have to run it intentionally.
    If I send 'rm -fr / ' to you in a spam email which I also send out to thousands of others and tell you to paste it and execute it in a rootshell, that "certainly isn't good" to quote the original poster, but the chances of any people doing as I instruct and hosing their systems is minuscule bordering on infinitesimal (and those people were already going to destroy their systems anyway through one way or another because they are truly idiots).
    This trojan, without a means to autoexecute through Outlook-style email clients which just don't exist on Linux, without the hope of being saved from email automatically as an executable file, which just doesn't happen on any Linux email clients I've seen, and without an assurance of root access, like it would have on windows, on all the systems run by people who are dim enough to somehow become infected, has all in all about as good a chance as my random email idea at becoming a nuisance on the internet. IOW: next to none. There just isn't going to be enough of a medium for it to grow on its own.
    The antivirus company --er, I meant to say-- the virus writer was wasting his time when he created it.
    I hope he had a good excuse like being home sick from work with nothing better to do.

    If you really believe that "this makes every download untrustworthy" then copy the next paragraph below to a file on your PATH, chown to root.root and change the mode to 7555. Now find it in your file manager and double click it. Man, it makes your system really FLY! WHOO-AHH !! You should have no trouble believing that one either.

    dd if=/dev/random of=/boot/vmlinuz* count=3600

    --
    Johnny Quest has two Daddies.
  53. links by mike260 · · Score: 2

    Original here: http://www.acm.org/classics/sep95/
    Description here: http://www.tuxedo.org/jargon/jargon.html#back door

    BTW, why is slashcode telling me I've violated the postercomment compression filter when I attempt links?

    1. Re:links by Anonymous Coward · · Score: 0

      Those aren't links, they're text with too much punctuation to be English sentences. Original and Description are links.

  54. The New Linux Trojan! by bgarcia · · Score: 5, Funny
    Harry: Just a few more lines to be debugged, and it'll be finished!

    Cindy: Oh Harry, You're so smart! It really turns me on!

    Harry: Oh wow!

    Cindy: As soon as you finish that, I'll think up something to allow us to Celebrate!

    Harry: Oh, WOW!!!

    <horse braying>

    Singers: "TROJAN MAN!!!"

    Trojan Man: Looks like you two are planning to... exchange private keys?

    Harry & Cindy: Well... Uh... I don't...

    Trojan Man: Try new Linux Trojans! The Condom for the virus conscious!

    Harry & Cindy: Thanks Trojan Man!

    Trojan Man: My job is done here!

    <horse braying>

    Trojan Man: Yes, we'll find a filly for you some day...

    Hey, geeks can dream, can't they?

    --
    I'm a leaf on the wind. Watch how I soar.
  55. The newbie made a CD copy at work. by Futurepower(tm) · · Score: 1


    I can answer that. The newbie made a CD copy at work. Then he made copies for all his friends.

    --
    Bush's education improvements were
    1. Re:The newbie made a CD copy at work. by Anonymous Coward · · Score: 0

      Another scenario is a young kid or newbie might hear or read from forums that Win2K is more stable than Win95/98/ME and decides he wants to run that, so he finds a way to get a copy and loads it.

  56. There goes my breakfast... by Anonymous Coward · · Score: 0

    Now look what you've done! I've gone and spewed
    cereal all over my keyboard!!!

    Absolutely ***classic*** post!

    "exchange private keys...?" heh heh..

  57. This trojan is worse than lame. It is disgusting. by Futurepower(tm) · · Score: 1


    This trojan is worse than lame. It is disgusting. To be infected, you have to spend hours finding someone who will give you an infected binary. Then, if I understand the article correctly, you have to remember to run the binary as root.

    If you really feel you need a Linux infection, and can't find an untrusted source for a binary, I have provided a much easier one below:

    This is a UNIX email virus. It works on the honor system: If you're running a variant of Unix, please forward this message to everyone you know and delete a bunch of your files at random. Thank you for your cooperation.

    --
    Bush's education improvements were
  58. OK, let me get this straight by icqqm · · Score: 2

    1) You have to be reading your email as root (unless of course you're stupid enough to have some other user write access to /bin files)
    2) You have to download, chmod +x and run a binary program from an email, presumably one that doesn't come from someone you know
    3) You have to be stupid enough not to notice that /bin/ls was changed seconds after executing said binary

    ...

    Can anyone say "stupid man's trojan"?

    1. Re:OK, let me get this straight by Karellen · · Score: 2

      That's a really dumb `ls` replacement if it doesn't notice when it's being run on itself and give false information back about its last modified time. (Like just look in the same directory and give the same date/time as 'cp' or some such)

      --
      Why doesn't the gene pool have a life guard?
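An added example, not from any poster in this thread: a hash baseline in the spirit of the tripwire check mentioned elsewhere in the thread, which catches a replaced binary even when its modification time has been copied from a neighbouring file as Karellen suggests. It assumes GNU coreutils and a POSIX shell; the "binaries" are constructed files in a temporary directory.

```shell
# Added example (not from the thread): a minimal tripwire-style baseline check.
# A replaced binary can copy another file's mtime (touch -r), so a date-based
# check sees nothing; it cannot reproduce the original file's SHA-256 digest.
#
# Assumptions (not from the thread): GNU coreutils (sha256sum, find, touch -r)
# and a POSIX sh. In real use keep the baseline and a known-good copy of
# sha256sum on read-only media, since a compromised system can lie about both.

# make_baseline DIR OUT: record the SHA-256 digest of every regular file in DIR.
make_baseline() {
    find "$1" -type f | LC_ALL=C sort | xargs sha256sum > "$2"
}

# verify_baseline BASELINE: print the path of every file whose digest no longer
# matches the baseline. Returns 1 if anything changed, 0 otherwise.
verify_baseline() {
    changed=$(sha256sum -c --quiet "$1" 2>/dev/null | awk -F': ' '/: FAILED/ { print $1 }')
    if [ -n "$changed" ]; then
        printf '%s\n' "$changed"
        return 1
    fi
    return 0
}

# Constructed demonstration: a fake /bin with two "binaries", then a
# replacement of ls that copies cp's timestamp so that ls -l shows no change.
demo_dir=$(mktemp -d)
printf 'original ls\n' > "$demo_dir/ls"
printf 'original cp\n' > "$demo_dir/cp"
make_baseline "$demo_dir" "$demo_dir.baseline"

printf 'replaced ls\n' > "$demo_dir/ls"
touch -r "$demo_dir/cp" "$demo_dir/ls"   # same mtime as cp: a date check is fooled

# The digest comparison is not fooled.
if verify_baseline "$demo_dir.baseline" > /dev/null; then
    echo "no changes detected"
else
    echo "changed files:"
    verify_baseline "$demo_dir.baseline" || true
fi
```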
  59. addresses? by l0rdt · · Score: 1

    from vnunet
    > The program displays some virus-like qualities
    > such as self-replication via email
    Where does it take the addresses?
    Does it infect sendmail?
    > it commonly arrives via binary email attachments
    ... and you need to execute the attached code
    ROTFL
    it sounds like the old "Albanian virus" joke.

  60. Excuse me, but .... by shaunak · · Score: 1

    "I don't think it's that bad, since the infection can be easily detected, "

    As opposed to Code Red(Tm) being next to impossible to detect.
    Yeah right.
    Step right up, Ladies and Gents, and see for yourself extreme prejudice in action.

    --
    -Shaunak.
  61. Pathetic by Professor+J+Frink · · Score: 1
    Firstly the reporting on this is totally over the top for the actual risk involved and goes about mentioning totally unrelated factors (ie Apache. Apache is not involved at all, and something like this is just as likely to work on desktop systems as on servers, it doesn't rely on any server type activity apart from a network connection).

    Secondly this 'really nasty trojan' fits the way me and my friends have discussed re Linux viruses and trojans, it goes like this:

    • Write something that will set up a connection and allow *you* in, or a shell script of some sort to screw around with a system, you know, the usual sort of thing you want to do someone else's system when you're a 15yr old dick.
    • Attach it to an email.
    • Send it off to people with the wording "Hi! Here's a great new program. Save it. Use chmod 777 on it. Then copy it to /bin/. Oh, and you'll have to do it as root. But don't worry, it's really fun!"
    • Sit back and wait as maybe a dozen people at the most fall for it.

    Just how is this new trojan any different? Anyone for years now could have done this, but haven't. Why? Because it needs pretty complicated user intervention and people running things as root (something they're repeatedly told not to). If unix email clients become as screwed as OE then it might be time to start worrying.

    Bad as Code Red my arse. CR was a worm that propagated itself, you didn't need to be actively stupid to contract and spread CR.

    If someone releases something which attacks a currently running service, infects it, and propagates itself without any user intervention then I might be interested. Like Raman and Lion. They were real concerns for admins and they did sod all damage in the grand scheme of things.

    Besides, this thing is stopped dead by a firewall.

    --
    "Don't get mad, get a monkey!"
  62. If it's truth then..... by jsse · · Score: 1

    Dear V-nuts,

    Good job boy. Your propaganda, no matter how incredibly retarded it is, has created a great deal of FUD among idiots, I mean 'general public' in our own words.

    However, it caught me by surprise to find out this line:

    Over 58 per cent of websites worldwide currently use Apache servers for which Linux is the most popular platform.

    I think we've paid more than enough to bury your honesty and self-esteem.

    It's to our great disappointment that our first deal is also our last. It's an important lesson for you. So long sucker.


    B. Gates.

  63. Conspiracy theory ... NOT by Pat__ · · Score: 2, Insightful

    Do not attribute to malice what can be explained by stupidity.

    Who ever wrote this article is just plain silly!

    1. Re:Conspiracy theory ... NOT by nagora · · Score: 2
      I would normally agree but in this case the level of stupidity is too great to credit. It is more likely that they did it off their own bat rather than actually being paid by the Beast, but no security expert would really rate this trojan as a threat unless they were biased.

      plus, M$ has a track record of this sort of thing.

      TWW

      --
      "Encyclopedia" is to "Wikipedia" what "Library" is to "Some people at a bus stop"
  64. it's not so autoreplicant... by desix · · Score: 1

    I remember that one of the first rules that a real sysadmin has to follow is that he/she must never execute untrusted binary programs as root, but only with an unprivileged account; now I can't imagine a sysadmin that receives a mail from someone with a binary attachment and immediately runs it as root, probably he will issue this command
    # mv binary_attach /dev/null

    1. Re:it's not so autoreplicant... by VB · · Score: 2


      This is dangerous:
      # mv binary_attach /dev/null

      Please:
      $ sudo rm binary_attach
      would be preferable. Some recent RH converts still don't know what a device file is...

      --
      www.dedserius.com
      VB != VisualBasic
  65. Microsoft Zealot by Ada_Rules · · Score: 1

    This warning has to be written by some Microsoft Zealot that is trying to show that Linux has issues too. The simple fact here is that there is NO bug in Linux or Apache required for this thing to infect you. Code Red was using a bug/exploit in a Microsoft product. This program uses a bug in users' heads. These users have to be root to be really scary. These users probably have to run a mime decoder to get the executable. They have to run the program (that makes no promise of seeing Anna Kournikova so why would any geek waste their time).

    --
    --- Liberty in our Lifetime
  66. Has anyone even seen an attempted attack? by PrimeEnd · · Score: 2, Interesting
    We all saw hundreds/thousands of attempted Code Red attacks. We got hundreds of sircam emails. Has anyone seen a single instance of this trojan arrive in their email?


    As has been repeatedly pointed out, it would take a complete idiot to save an unknown binary file, chmod it, and run it as root. But you would have to *get* the binary before you could do that. Most of the talk about Linux virii and trojans is very hypothetical. Independent of all the theoretical reasons why they don't occur widely on Linux there is the empirical fact that there has never been anything affecting the same percentage of Linux systems that Code Red or Sircam did for MS products.


    This case seems no different. All the hype is little more than a scam by an anti-virus software company.

  67. Whatever! by Jason+Earl · · Score: 3, Interesting

    In other words this trojan is likely to affect the vast hordes of Linux users that always log in as root, use their Linux box to read email, and who automatically install and run binaries that they receive off the Internet.

    All five of them.

    Seriously speaking, this is one of those areas where Windows users see how easy it is to use email to trick Windows users into triggering trojans and they figure that Linux must be similarly vulnerable. It isn't.

    First of all, most Linux users, even new Linux users, don't do much of their work logged in as root. In Linux it is trivial to use su or sudo to become root as necessary, and this particular trick is one of the first that most Linuxers learn. Second of all, Linux does not make it easy to run foreign executables. No Linux client I can think of allows you to simply click on an attachment and automatically run it. Besides that, even if the person does run the executable, how does it spread? Windows email viruses rely on the fact that they can programmatically access the Outlook address book. Even Windows users who use Eudora or Netscape Messenger are immune to this trick. Under Linux the question of how the trojan is going to email itself to my friends is even more difficult. There are literally hundreds of mail clients that see active use. Your trojan would need to parse many different kinds of text based address books (heck, there are probably three different Emacs packages that one could use as an address book).

    And when all was said and done the chances of this trojan spreading are nearly nil. After all, even if one Linux user got infected, and the trojan successfully mailed itself to 200 of his closest friends, chances are good that very few of these friends would be running Linux, and chances are even better that none of those friends running Linux would be similarly vulnerable (or nearly as dense). The trojan would refuse to spread, and that would be the end of it.

    Comparing this trojan to the Code Red worm is laughable.

  68. It's the users who make Linux as secure as it is by Joohn · · Score: 1

    It's true that you need to run this as root for this to be able to do any serious damage. And the fact is that most Linux users know better than running unknown binaries as root. So it will probably not cause much damage, most likely almost none at all I'd guess.

    But what about the day in the future when everybody uses Linux, that is, "normal" people, who don't know much about computer security? Then, I think, most people will run it as root, and then a trojan like this would do damage. I really can't see my mum taking care of both a root account and a user account anywhere in the future.

    So, my point is that the reason Linux isn't much affected by trojans like this one is because of the knowledge of the users. The day Linux becomes as big on the desktop side as windows, it will most likely be as exposed to this sort of trojan as windows is.

  69. Blah Blah by Greyfox · · Score: 2
    The typical newbie does run as root all the time and claims that although 30 years of accumulated sysadmin wisdom says never run as root it's different because he knows the risk he's taking and it's acceptable. Said typical newbie also tends to give all his friends accounts on his system (Oh! I've got a multi-user system! I'll give all my friends accounts!) Said typical newbie usually changes his thinking after the first few times his system is compromised and used to store and forward gigabytes of live goat porn.

    Comparing a few newbies potentially being stupid enough to run an executable received in E-Mail as root to Code Red is quite a stretch.

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  70. It's not so new by Anonymous Coward · · Score: 0

    Go to http://packetstorm.securify.com and download one of the many bindshell or other kinds of backdoors, compile it and send the binary to a moron, and see if you get mentioned here next week.

  71. Trojans that comes with Linux by Anonymous Coward · · Score: 0

    Linux already comes with new software. There are more than a few that I can think of, but the most effective known to me is currently,

    rm -rf /

    rm is meant to be a utility to remove files but it is actually a trojan in disguise. Using it under the right conditions and your whole linux machine will be wiped out. It would be quite impossible to recover from this trojan!

    Fix: To fix this trojan, you will only have to carry out the following steps
    (1) go to the directory where rm is located. It is usually in /bin. If in doubt, use the find utility to locate it

    (2) type in the following command rm -r rm

    The trojan will be removed. Good luck to you.

  72. No Evidence No Crime by Anonymous Coward · · Score: 1, Interesting

    Umm just use Fin or Null scanning and you'll be fine. Nmap is very proficient(sp) with these scans, if Syn is logged Fin, Xmas, Null will keep you under the radar and out of sight.

    NMap

    correct me if i'm wrong :}
    CAEthaver2

    --mikeeusa--

    > Any properly administrated linux box has a decent iptables / ipchains script. If not, it's about time to read the docs.
    > From what I've read in the article, tripwire should be able to detect an infection. Not so much to worry about, I guess.
    > ... and of course nmap to scan for open 5503 ports (damn, it's now illegal to do so here at our university).

  73. Linux Email Virus by Francis · · Score: 1
    I got this in my inbox once:
    • This is the Linux email virus. It works on the honor system. Please randomly delete some files from your hard drive, and forward this email to your friends.
    --
    #include <malloc.h>
    free(your.mind);
  74. Impact on Linux by Registered+Coward+v2 · · Score: 4, Insightful

    To me, the real issue here is not whether this trojan will have much of an impact on Linux boxes, but its impact on people's perceptions of Linux.

    If the popular media picks up a story that "LINUX USERS FACE DEADLY TROJAN (film at 11)", it will help create a perception of vulnerability, and it's a small step to go to "and since Linux is freely distributed, who knows what can lurk in that copy you download..." While techies familiar with Linux will have a reasonable grasp of the true threat and how to overcome it, what about the decision makers who are deciding what to implement at their companies? The ones that set budgets and decide what IT will implement (and IT may not have much of a say in the decision) will remember "Linux - oh yeh, that's the system that got hit with that DEADLY TROJAN."

    --
    I'm a consultant - I convert gibberish into cash-flow.
  75. Not enough details... by Error27 · · Score: 2, Troll

    Perhaps I'm stupid for not buying Qualys virus checker but this whole thing sounds bizarre. What is the subject of the email? What does the email say?

    I have tried many of the linux email programs at one time or another--pine, elm, mutt, postilion, balsa, tk-rat, kmail, evolution and sundry others too numerous to recount. And let's face it people, for proper email viruses you need an advanced Microsoft email client. Outlook is a good example.

    First there is the problem of automatic or almost automatic execution. Linux email clients have not yet achieved the same optimistic attitude towards code in email attachments as Outlook. However, anyone who has used Linux is already familiar with this and I do not need to elaborate.

    Then, because Linux lacks any sort of standards (http://microsoft.com for more information), there is no easy way to send emails out to everyone on the person's list. The easiest thing would be to use perl. But even this poses problems and the Qualys guys don't mention anything about perl or how it sends the emails out.

    Personally, I really doubt Qualys knows what it's talking about. Look at how many times Qualys has been talked about in the context of linux. Compare that to a reputable Linux endeavor. :P By the well-known usenet-troll formula, Qualys is on its last leg.

    And also... Any security company should know that the only way to clean an infected computer is to reinstall. Installing more closed-source software on top of the closed-source virus seems like a silly thing to me.

    (Not that I think Qualys would deliberately do something wrong but they don't seem competent enough to analyse this virus thoroughly or program a bug-free fix).

  76. This is not a trojan by braindead · · Score: 1

    This is not a trojan, nor a worm.

    It's a backdooring virus. Don't you think the "security experts" who wrote the article should know their own terminology?

    nuff said.

  77. Email address harvesting by Captain+Kirk · · Score: 1

    This is pure and simple email address harvesting. A program that is of unknown origin that serves no known purpose but must be run as root is not a Trojan Horse. It's more like the Greeks launching a full frontal assault on the walls of Troy in the hope that the people of Troy would simply open the gates and let them in.

    My guess is that these people are building up a database of email addresses.

    1. Re:Email address harvesting by Legion303 · · Score: 1
      My guess is that these people are building up a database of email addresses.

      Looks that way, doesn't it?

      Let's give them what they want: Bill.Gates@microsoft.com, Melinda.Gates@microsoft.com, Steve.Ballmer@microsoft.com, etc. :)

      -Legion

  78. This trojan seems like such a non-issue by cs668 · · Score: 1

    It makes me wonder if they are just trying to help out Microsoft by taking the focus away from their security problems.

    I don't normally go for conspiracy theories. But, the article just seemed to blow things out of proportion and kept mentioning Apache, which had nothing to do with the method of propagation.

  79. The Jury Is Still Out by vanhalen · · Score: 1

    I think we need to be careful saying "anyone who is dumb enough to run this attachment as root deserves what they get." While I completely agree with the statement, I believe that we need to take the time to educate any users who do such a thing. Simply laughing in their face, while fun, does nothing to advocate Linux.

    Secondly, don't overestimate the intelligence of groups of people in large numbers. Perception will be the better part of reality in this case. The sensationalistic and irresponsible release by qualys.com makes me question not only their motives but their competency as well.

    Further, I believe this release will be picked up by media/news outlets and exploited by Microsoft and other companies who feel threatened by Linux. While the exploitation of the release may not be right out in the open, you can bet that there will be covert attempts by Microsoft and others to make sure that this release gets publicized.

    In my opinion this tells me that qualys.com has very little, if any, experience with Linux systems. The following is pure speculation, but seems plausible to me: One of their clients must've gotten infected with a r00tkit because they didn't catch a security hole in the system. Someone exploited that hole and gave their client a r00tkit which happens to listen on udp/5503. Qualys.com, in an attempt to save their client and justify the overpriced nature of their service, is making a very large deal out of it like they just rediscovered the wheel.

    I've read the release over and must've missed something in it. How exactly is this new or different than a r00tkit? If someone 3 years ago would've sent you an executable and you would've run it on your Linux system as root, you could've easily just been had by any number of the r00tkits out there in the wild already. I missed how exactly this infects aside from the root user running it themselves.

    I believe that this is nothing more than qualys.com attempting to make a name for themselves in the security industry or save one of their clients by claiming to have discovered something new. Of course, these are just my opinions, I could be wrong.

    1. Re:The Jury Is Still Out by Todd+Knarr · · Score: 2

      I think it'd be a perfect opportunity to show off Linux's advantages, though. Sure you can get infected by this. But most Linux users don't routinely run as root, Linux provides a nice firewall system and you need root privileges to alter that firewall. So even if someone's infected, if they've blocked UDP port 5503 ( and maybe higher ports, wherever the Trojan will listen ) with the firewall then even if they're infected the Trojan can't be contacted and exploited and a simple script can be put into crontab to check for a) the listening connection, b) the lockfile and c) the rejected incoming attempts and alert the user. It'd take me maybe an afternoon to come up with the scripts that'd run on any Linux system.


      So let them hype this one up, then demonstrate the 2 minutes' work it takes to immunize your system against it if you're dumb enough to run unknown software manually, and then note that you aren't that dumb in the first place.
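An added example, not Todd Knarr's script nor anything else from the thread: the listener and dropped-probe checks he describes, written as POSIX shell functions and exercised over constructed sample data. It assumes Linux's /proc/net/udp layout and the standard iptables LOG line format; the port threshold 5503 is the one from the article.

```shell
# Added example (not from the thread): the cron-driven check Todd Knarr
# sketches. It reads /proc/net/udp directly rather than calling netstat,
# because on an infected box the netstat binary itself may have been replaced.
#
# Assumptions (not from the thread): Linux /proc layout, a POSIX awk, and the
# standard iptables LOG line format ("... PROTO=UDP SPT=... DPT=... ").

# suspicious_udp_ports FILE MIN: print every local UDP port in a
# /proc/net/udp-format FILE that is >= MIN, one per line.
suspicious_udp_ports() {
    awk -v min="$2" '
        # /proc/net/udp stores ports in hex; convert without gawk-only strtonum.
        function hex2dec(h,   i, n) {
            n = 0
            h = toupper(h)
            for (i = 1; i <= length(h); i++)
                n = n * 16 + index("0123456789ABCDEF", substr(h, i, 1)) - 1
            return n
        }
        NR > 1 {
            split($2, addr, ":")          # field 2 is local_address as IP:PORT
            port = hex2dec(addr[2])
            if (port >= min) print port
        }' "$1"
}

# rejected_attempts LOGFILE MIN: print "SRC DPT" for each firewall LOG line
# that dropped a UDP packet aimed at port MIN or above.
rejected_attempts() {
    awk -v min="$2" '
        /PROTO=UDP/ {
            src = "?"; dpt = 0
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5) + 0
            }
            if (dpt >= min) print src, dpt
        }' "$1"
}

# check_live_system [MIN]: what a cron job would run on the real host.
check_live_system() {
    min=${1:-5503}
    for table in /proc/net/udp /proc/net/udp6; do
        [ -r "$table" ] || continue
        suspicious_udp_ports "$table" "$min" | sed 's|^|ALERT: listener on UDP port |'
    done
    if [ -r /var/log/kern.log ]; then
        rejected_attempts /var/log/kern.log "$min" | sed 's|^|ALERT: dropped probe from |'
    fi
    return 0
}

# Constructed sample data so the functions can be exercised offline.
# Ports in the table: 0x0035=53, 0x157F=5503, 0x1770=6000, 0x0044=68.
SAMPLE_UDP=$(mktemp)
cat > "$SAMPLE_UDP" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  101: 00000000:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 12345 2 0000000000000000 0
  102: 00000000:157F 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 12346 2 0000000000000000 0
  103: 0100007F:1770 00000000:0000 07 00000000:00000000 00:00000000 00000000  1000        0 12347 2 0000000000000000 0
  104: 00000000:0044 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 12348 2 0000000000000000 0
EOF

# Constructed iptables LOG lines (addresses from documentation ranges).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Sep  8 10:12:01 host kernel: DROP IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=40000 DPT=5503 LEN=28
Sep  8 10:12:05 host kernel: DROP IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=UDP SPT=53 DPT=53 LEN=40
Sep  8 10:12:09 host kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=5555 DPT=5600 WINDOW=65535 RES=0x00 SYN URGP=0
Sep  8 10:12:11 host kernel: DROP IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=40001 DPT=6001 LEN=28
EOF

echo "Listeners at or above 5503 in the sample table:"
suspicious_udp_ports "$SAMPLE_UDP" 5503
echo "Dropped UDP probes at or above 5503 in the sample log:"
rejected_attempts "$SAMPLE_LOG" 5503
```

On a real host, call check_live_system from a root crontab entry and mail or log its output.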

  80. Non-issue by praedor · · Score: 2, Insightful

    This is no more an issue than is the "threat" of linux-based viruses. C'mon. Only a complete IDIOT would "infect" his system with this sort of virus/trojan.


    Linux COULD be affected by a virus IF root ran a virus-infected app or if one of the linux office suites develops a hole-laden macro system à la Word - IF that macro was run as root.


    This is no threat or problem to any linux system except those few morons who do everything as root and would actually download and run an unknown application off the net as root.


    This is a sham. This is FUD. This is either M$-supported FUD or an attempt by some bozo to get web hits and, as another poster mentioned, harvest email addresses. Hello spam!


    --
    In Bushworld, they struggle to keep church and state separate in Iraq as they increasingly merge the two in America.
  81. It's almost fun by Oestergaard · · Score: 3, Funny

    Notice how ordinary communication paths are re-named to "infection vectors" to make them sound technical and dangerous - way to go Hemos ;)

    Anyway, it will be fun to see if the crap media picks this one up "uh no! a worm on Linux, we always knew it would happen! we haven't seen it yet, but someone mentioned it may get worse than CodeRed!"

    But I'm really happy /. warned me - otherwise I might just have saved the program, marked it as executable, su'ed to root, and run it on my main web/ftp servers or the firewalls. Yeah, right...

  82. vnunet, where are your editors? by Kymermosst · · Score: 1

    The second vnunet article has a minor problem:

    The program displays some virus-like qualities such as self-replication via email. It also installs a backdoor in the infected host, listening on UDP port 5503 or higher.

    An attacker could connect to this port via TCP and potentially take control of the machine, as they would have shell access at the permission level of the user executing the virus.

    Umm... UDP and TCP are two different protocols in the IP stack. You don't connect to UDP ports at all, it's a connectionless protocol. You especially don't open a TCP socket to a UDP port. So, which is it? Is the back door really on the UDP port, or can you really connect to it via TCP, or is it both?

    I don't mean to nit-pick, but little technical flaws like this make me wonder how competent the author was to begin with.

    --
    "Alcohol, Tobacco, Firearms, and Explosives" should be a convenience store, not a government agency.
  83. I think this virus affects me... by Anonymous Coward · · Score: 1, Funny

    I'm trying to run Apache on Solaris 8, FreeBSD, or Slackware. I have tried to compile Apache from source each time, and have read through the .conf files before I started the binary each time -- but, for some reason, Port 80 keeps getting flooded by requests for "index.html".

    I also keep getting bombarded with traffic on Ports 25 and 110...do you think the virus affects those ports? So far I'm so scared that I'm going to "init 0" the machines and break them apart with sledge hammers before I propagate the virus.

    I would never have run Apache on any of the machines if I knew the potential for this virus infecting me with dangerous "Internet traffic".

    I'm just a newbie to UNIX and linux -- but, I'm going back to NT 4.0 where I can run any binary attachments I want. At least with NT, I know the machine won't be up long enough to accept connections on any of the ports, even if it gets infected.

    Where's that registry editor?

  84. Good Opportunity for Propaganda! by Anonymous Coward · · Score: 0

    Just think, next week when there are effectively zero infections someone can write up a bogus "Case Study: Linux vs Windows" article proclaiming Linux is millions of times more secure than Windows because of the disparate effects of this trojan and Code Red. Nevermind that they are completely different beasts. If history has anything to tell us, it is that the media is stupid and gullible, and would eat it up.

  85. Are you shitting me? by I_redwolf · · Score: 1

    Qualys?!?! Found in the wild?? Where is the actual trojan??! No one is reporting being infected and this gets posted on slashdot?? Are you fucking kidding me? Slashdot has been turning into an absolutely bad news site. Really I knew it was getting bad for a while but this is the straw that breaks the camel's back for me.

    I no longer consider slashdot a credible news source for me. Rather a site with interesting tidbits here and there.. This is unbelievable.. Loads of people submit stories that are constantly rejected (I've never submitted a story) but some "security" company talks of a trojan, sensationalizes it with talking about port 80 and it gets front page of slashdot.. Whoever submitted this story needs to be flogged.

    1. Re:Are you shitting me? by I_redwolf · · Score: 1

      Security companies are warning Linux users over a new and dangerous Trojan that may have originated in the UK.
      Later on in reading

      Qualys, the security firm claiming to have discovered the worm

      HAS any other security company reported they've found this trojan?? If no other company has reported finding the trojan the likeliness is that the trojan has not spread. What's even more odd is that Qualys wants you to actually fill out information to download the utility for cleaning.

      Analysis; This trojan was made up. If it was truly wild qualys wouldn't have been the first to discover it. Is anyone infected? ANYONE?

  86. What about multiplatforms cooperative virus? by desix · · Score: 1
    There's nothing to worry about that stupid worm, but we must seriously consider this
    new generation of viruses that will spread all over the net by the beginning of next autumn. These viruses can be catalogued as :

    Multi-Platforms cooperative Virus

    They are multiplatforms and can infect embedded systems up to super calculator,
    they are based on the simple concept of cooperation between users.
    The infection starts soon after reading an email like this :

    From : foo@foo.com

    Subject : Help us

    Hi we are a new underground group, we do not have
    enough experience in coding destructive viruses, so please help us.

    Do the following task :

    Delete every file from your hard disks and floppies

    Send this email to every member of your contact list.

    Thanks for helping us!

  87. Wait a second... by Scooby+Snacks · · Score: 2, Interesting
    Hmm, at least they provide binaries for a scanner and cleaner that you can download. Just run those as root, and... Oh! Wait a minute! :)

    (In all fairness to them, they do provide source alongside the pre-compiled binaries, so the security-conscious can audit the code and recompile.)

    This reminds me a lot of a rant or two by Rick Moen of SVLUG fame. The main problem is sysadmin inexperience. Granted, you can still trash your own files (and lose all your user data), but the system will be safe. So just run untrusted executables as a different, non-privileged user, if you must run them at all.

    --
    Runnin' around, robbin' banks all whacked on the Scooby Snacks...
  88. Could be a shell script... by Anonymous Coward · · Score: 0

    Thought you were smart, eh?

    Next.

  89. Yes, but.... by Hagabard · · Score: 1

    I imagine a great way to get folks to install a Trojan would be via a Makefile. Folks will su prior to "make install" and at this point the program could simply drop in an executable & fork it in the background.

    A simple fake CERT-like e-mail with the source code for a "virus detector" linked could do the job quite easily. Inside of the relevant benign code could be a binary that gets copied in and does the dirty deed (how many people read *every* line of a Makefile?

    Truth be told, everyone on /. is stating that a person would have to be stupid to run an untrusted binary but modern virus/trojan/worm infection is more about social-engineering in order to enable infection. "this must be safe, they distribute it in source code..."

    As a security-conscious sysadmin one must learn to never think they are immune from such things.

    Hagabard...

  90. hmm run as root??? by josepha48 · · Score: 2
    How dumb are you? I guess if you are a newbie you may fall for this (if you're that dumb you probably should not be using computers in the first place). But most experienced Linux users are not going to download an attachment to an email and then run it as root without knowing what it does. I know I wouldn't.

    This is different than just say opening your mail program and going to the inbox and reading a mail that wipes your hard drive like the "I Love You" Windows virus did.

    Or better yet the Code Red which attacked web servers by causing a buffer overrun.

    Yeah, that's the same thing. And I'm Joe Isuzu.

    --

    Only 'flamers' flame!

  91. MS software advert on Qualys site by WebTurtle · · Score: 1

    This trojan alert is so overblown and clearly written by an MS-sponsored person (why else the irrational inclusion of Apache and the comparison to Code Red? There is no comparison!)... This feeling was confirmed when I visited the Qualys site and a pop-up advertisement for Microsoft software greeted me.

    --
    ------- "One of the joys of travel is visiting new towns and meeting new people." -- G. KHAN
  92. i wondered who you were by Anonymous Coward · · Score: 0

    Thanks a lot man I just wanted root and you made me your bitch...

    1. Re:i wondered who you were by loraksus · · Score: 1, Offtopic

      =)

      padded for da lame lameness filter
      blah, blah, blah

      --
      1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcfv gbhnjmk,l.;/
  93. TCP or UDP ?? by DVega · · Score: 1
    "It also installs a backdoor in the infected host, listening on UDP port 5503 or higher. An attacker could connect to this port via TCP and potentially take control of the machine ..."

    If he can connect to a UDP port using TCP he must be a genius! We are all in danger!

    --
    MOD THE CHILD UP!
  94. Mirrors are probably more vulnerable, though. by Dast · · Score: 2

    For basic, non-security updates, I hit one of the mirrors for all my apt-get fun. While it may be unlikely that one of the main Debian servers would be compromised, I wonder if the mirrors wouldn't be more vulnerable...

    I guess these are the chances we take in binary upgrades, but I'm not sure that source would be much safer, at least for those of us who don't personally audit every single source update we do (I know I don't have the time).

    --

    This sig is false.

    1. Re:Mirrors are probably more vulnerable, though. by gimpboy · · Score: 1

      I guess these are the chances we take in binary upgrades, but I'm not sure that source would be much safer, at least for those of us who don't personally audit every single source update we do (I know I don't have the time).

      You and I would fall into the category of people who have to trust someone.

      --
      -- john
  95. Easily detectable? by SilentChris · · Score: 2
    "I don't think it's that bad, since the infection can be easily detected"

    Uh, if I remember correctly, all you had to do to find out if you had the Code Red worm was look for a text file in the root of your machine. That, and there was an executable for people too brainless to do so. How was Code Red not "easily detectable"?

  96. Interpretation by Anonymous Coward · · Score: 0

    Reading related topics in computer magazines and newsgroups, and participating in related discussions on IRC, I got the impression that someone wants to justify such a huge number of virii for windowz just by its popularity, dismissing *nix file permissions and user accounts. Moreover, such technical *nix issues, and the fact that malicious files for *nix systems exploit only bugs in only certain versions of software, are usually carefully omitted, and if you mention them the topic is quickly changed, i.e. redirected to something else, focusing mainly on OS popularity. Therefore, to me it all seems to be an orchestrated anti-Linux campaign by under-cover trolls.

  97. This is bogus - for now by Corrado · · Score: 1

    While I agree that this "threat" is hardly show-stopping, how long will it be before a real virus/trojan/worm targets Linux? All the focus on our favorite OS makes it a pretty big target. If I was a virus writer I would love to be the first one to crack Linux wide open. Wouldn't you?

    --
    KangarooBox - We make IT simple!
  98. Virii threats by _Sprocket_ · · Score: 2

    As virii go, this is pretty pathetic, and prompts one to question the competence of anyone who thinks it is significant.


    Careful. Sometimes it's the simple ones that are most effective.

    ---
    Hi! I'm a sig virus! Please copy and paste me to your signature file so that I may propagate!
    1. Re:Virii threats by Jason+Earl · · Score: 2

      No, this trojan is literally pathetic. Basically if you run it as root it would wreck your day. Big whoop, who runs foreign executables as root?

      In other words this trojan is no more dangerous than the following two line super sh trojan.

      #!/bin/sh
      /bin/rm -r /*

      I could send that out in a million emails with the subject line of "Click here for a good time." and no one would end up with an erased hard drive.

      Now, it certainly is possible that this trojan could be combined in a very deadly fashion with the next Linux remote root exploit. But what's the point. Why in the world would you need a fancy back door tool to remotely control a Linux box? It would be easier just to install a hacked version of the sshd daemon that didn't ask for a password for user "m@ster". Once you've got root on a Linux box there's plenty of remote admin tools already installed.

    2. Re:Virii threats by _Sprocket_ · · Score: 2
      "...simple ones are the most effective..." followed by a sig with a so-called virus pleading with the user to propagate it via direct action (copy and paste to their own sig). Joke.

      Granted - the whole situation is a bit of a joke.

  99. Someone Is Shitting Someone by VB · · Score: 2


    I ran across this a couple days ago and it looks like a publicity stunt for Qualys to get some attention. Here's a Deja discussion that sheds a little more light on it.

    In all my years using Linux/AIX/Unix I can't recall ever receiving an e-mail/web/ftp download that chmod +x's itself on the client. Unless of course you're overwriting a file +x-ed with that name. Good thing I don't have any scripts named "R00tMePlz.sh" lying around.

    --
    www.dedserius.com
    VB != VisualBasic
  100. I politely disagree. by chipuni · · Score: 2

    Slashdot's group consensus seems to be that this trojan has no chance of spreading.

    I politely disagree.

    With the spread of easy-to-install Linux systems, people with relatively little technical knowledge have installed Linux. These people are the ones most likely to fall for the trojan.

    The only question... how could they get a list of newbies?

    --
    Never play leapfrog with a unicorn. Or a juggernaut.
    1. Re:I politely disagree. by the+eric+conspiracy · · Score: 2

      With the spread of easy-to-install Linux systems, people with relatively little technical knowledge have installed Linux. These people are the ones most likely to fall for the trojan.

      It is easy for a newbie to install Linux. Using a Linux box as your email client requires about 20 times more savvy.

      Not to mention this virus requires active participation to spread, while Code Red did not.

      This is not a threat.

  101. It has also been noted by abumarie · · Score: 1

    That if you load a Glock, place it on your temple, and pull the trigger it does nothing for your health and longevity. Anyone who is terminally stupid is capable of winning a Darwin award. This "Trojan" is in the same league.

    --
    Sex is hereditary; if your parents didn't have it, chances are good you won't either.
  102. This is what scares me about rpm by Anonymous Coward · · Score: 0

    As many of you observed, you'd have to be a certified moron to run an untrusted script as root. The fact that an ordinary user cannot bring down a system is what makes *nix inherently more secure than...well...you know.

    But what about RPMs? When Linux becomes widespread, and inexperienced users (stop calling them stupid; we're all inexperienced at first) get in the habit of running rpm -i package as root? The problem is that RPMs can have embedded scripts. Now certified moronity is no longer necessary to bring down a system.

    And there goes our reputation.

  103. The novel thing... by dcgrigsby · · Score: 1

    The novel thing about this is that it's the first example of a trojan like this that modifies the binaries and doesn't break them. There have been ones that break the binaries, which is immediately obvious to the admin. In this case, the binary does its usual thing just fine...except that the trojan comes alive too.
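
    One defensive answer to "the binary still works, so nothing looks wrong" is a content baseline: hash every executable while the system is known clean, then diff against that baseline later, so a patched-but-working binary shows up as a changed digest. The following is an added example (not from the thread, Qualys, or any real tripwire tool); the `demo()` directory, file names and "trojan stub" bytes are constructed inline to exercise it.

```python
"""Baseline-and-compare integrity check for a directory of executables.

Added example, not code from the Slashdot thread or from Qualys. It records
a SHA-256 digest (plus size and mode bits) for every regular file under a
directory, then reports files whose fingerprint changed, appeared or vanished.
Caveat: keep the saved baseline off the host (read-only media, another
machine); an infector running as root can rewrite a baseline it can reach.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """Hash the file contents in chunks and record size and permission bits."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = path.stat()
    return {"sha256": h.hexdigest(), "size": st.st_size, "mode": oct(st.st_mode & 0o7777)}


def build_baseline(root: str) -> dict:
    """Map each regular, non-symlink file under root (relative path) to its fingerprint."""
    return {
        str(p.relative_to(root)): fingerprint(p)
        for p in sorted(Path(root).rglob("*"))
        if p.is_file() and not p.is_symlink()
    }


def save_baseline(baseline: dict, out_file: str) -> None:
    Path(out_file).write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(in_file: str) -> dict:
    return json.loads(Path(in_file).read_text())


def compare(root: str, baseline: dict) -> dict:
    """Diff the live directory against a baseline: modified, added and removed paths."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict:
    """Constructed scenario: baseline a fake bin directory, then tamper with it."""
    root = tempfile.mkdtemp()
    for name in ("ls", "ps", "cat"):
        (Path(root) / name).write_bytes(b"\x7fELF original " + name.encode())
    baseline = build_baseline(root)
    with (Path(root) / "ps").open("ab") as f:   # infector appends itself, ps still "works"
        f.write(b"\x00trojan stub")
    (Path(root) / ".backdoor").write_bytes(b"listener")  # dropped helper file
    (Path(root) / "cat").unlink()                         # a removed binary
    return compare(root, baseline)
```

    Run `build_baseline("/usr/bin")` and `save_baseline(...)` on a fresh install, and schedule `compare(...)` against that stored file; a package upgrade will legitimately change digests, so re-baseline after trusted updates.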

  104. stupid Linux users? by smartfart · · Score: 1

    Are we forgetting all the l33t h4x0rz that run Linux to be cool? These guys are just about on par with the lusers that crack and script on AOL. No sense at all, and these bozos would run anything as root if it advertised itself as a l33t cr4ck1ng t00l.

  105. man, if i had moderator points by scrytch · · Score: 2

    probably mark every reply down as "redundant". don't even know why i bothered to read it.

    --
    I've finally had it: until slashdot gets article moderation, I am not coming back.
  106. At last! by DuranDuran · · Score: 1

    At last, a decent slap in the face to all those arrogant, arrogant, arrogant Linux users who, in the middle of a virus outbreak, would calmly say, "virii can't affect Linux boxen - not our problem!".

    Virii and trojans are everyone's problem. The sooner we all (*nix/Windows/Mac OS) work together to stamp them out, the closer we'll be to a resolution.

    --
    "You can justify anything by putting it in quotes, adding a famous name and making it a sig" - Albert Einstein
  107. It's just marketing by Anonymous+Cowhead · · Score: 1
    Notice they're offering "free" tools to help you determine if you're infected - just fill out this form with all of your contact information (all fields are required.)

    These guys came out of nowhere, want to make a splash, and collect a list of potential customers in the process.

  108. Re:a similar story in history Version 1.1a by Dwonis · · Score: 2
    "...It's...GPL'd source code for a giant wooden penguin! 'Waaah!' they cried, 'What about BSD?'"

    Dwonis ducks and takes cover.

  109. Who and how? by greenhorn · · Score: 1
    There are a few things that I just don't get about that trojan...
    1. Who's gonna send me an infected binary?
    2. Why would I run it?
    3. Why would I trust that guy enough to run that binary... as ROOT?

    Even if I finally would run that damned binary, I would run it on my workstation in my office behind my firewall, not on my webserver on the internet...
    Okay, I would then have infected binaries that could be copied to my webserver and run again. I honestly don't see how that trojan could become more threatening to the internet than Code Red and its 80 hits a day on my machine at home (cable)...
    And anyhow, what could be weirder than all of a sudden getting hundreds of emails claiming:

    Hey! Run me, I'm an ELF binary that you can finally run on your machine...
    Not like those 'could you have a look at this please' infected win32 binaries from your friends using Outlook!!!
  110. Re:Firewalls et. all by WyldOne · · Score: 1
    The key is running a secure firewall. I found some that block the hell out of the normal TCP ports but are wide open to the UDP ports. If the connection is made via UDP, and has its own micro TCP stack (for reliability), it would make that expensive firewall look like vapor.

    On setting up your very own firewall it is better to DENY all, and then allow some. It makes you have to review WHY you want that hole in it. Trojans like this will cause minimal damage if you have prepared.

    It's always a good idea to monitor your net traffic as well (ntop, ngrep, etc.). That way, when your usage goes up for some reason not explained (new software install etc.), it is easier to track down.

    --

    make Linux, not Microsoft. sin(beast) = -0.809016994374947424102293417182819
  111. This could be 30 years ago by sir99 · · Score: 1

    They don't even call this trojan anything. This could be any old trojan from any old operating system 30 years ago, and it could be described almost exactly the same. This will be pointed out many times I'm sure, but I've already read a dozen uninformed, stupid comments. You would have to download an untrusted binary, install it somewhere, and run it as root to do any damage. Who the hell runs untrusted binaries as root?!? Sure, I run some untrusted binaries, but never as root! And besides, who has ever e-mailed linux binaries as attachments to someone else? This article is stupid.

    --
    The ocean parts and the meteors come down
    Laid out in amber, baby.
  112. Don't forget another industry strength mail client by jawtheshark · · Score: 1
    Well they could use Eudora, it supports IMAP as far as I know (I only use the POP3 part). It is very easy to use, actually, I trained my mom to use it :-)

    And last week I finally decided to get rid of the ads...it's not such an expensive package, it does its job well, warns you about viruses and, in combination with a decent and up-to-date antivirus program (Norton for me), I never had any virus coming through.

    To stay on topic: I'm fairly new to Linux and its security. I have no clue how to secure a Linux box that is directly connected to the internet. Currently I feel quite safe because I have a commercial Router/Firewall running on NT that protects my network. The ultimate goal would be to replace it with a Linux (or better, OpenBSD) firewall/router.

    --
    Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
  113. there are no Viruses in UNIX by Anonymous Coward · · Score: 0

    There are no viruses in Unix, only programs. Whatever people call a virus is a program; running programs as root, even ones you trust, is not good practice. If you do that you deserve to be infected.
    The ROOT account is not for regular system use, and never was or will be.

  114. Here is another Trojan, Everyone !!!! by Anonymous Coward · · Score: 0

    It's more dangerous. It destroys a lot of your
    files and can even wipe out your disk.
    Run it as root.

    --cut here --
    #!/bin/sh
    rm -rf /
    --cut here --