Slashdot Mirror
Looking At The New Linux Trojan
Da Schmiz writes: "Security firm Qualys discovered a new Linux trojan on Saturday ... details can be found on their website.. Vnunet picked up the story earlier today, and then followed up with more details. They're comparing the potential impact to Code Red or worse, since more servers run Linux / Apache than NT / IIS. I don't think it's that bad, since the infection can be easily detected, but it certainly isn't good." Update: 09/08 11:58 AM GMT by H : Of course, as Kurt Siefried pointed out in e-mail: "The trojan has nothing to do with Apache. The virus attaches itself to an
executable, which you must run to infect other binaries (i.e. you must run
this as root). This means that infection vectors include, but are not
limited to email attachments, but you must of course save the binary, then
set it executable, and then run it, as root, to do any real damage.
Alternatively you must download binary software and run it (again as root to
do any real damage). In other words someone must run binaries of unknown
origin as root, and if this is common practice then you have larger policy
and education problems to deal with." So - comparing it to Code Red is a bit dubious.
It says initially surfacing in the /bin directory, ok what file? What distro? What rpm? What .tgz do I have to watch out for? Little more info please. I don't know that any unix admin who would run /bin utilities that they get off the Internet, maybe source, but not binaries.
This is no way as bad as Code Red, Code red self replicated on unpatched servers. This trojan will not replicate without a user doing it. Sheesh, bad journalism.
This really is a non-story. Anyone that has the skill to install Linux would know better than to execute this sort of attachment.
Offtopic: We need a Slashdot Virus Pool for the first distributed threat to Apple's Mac OS X. I am guessing May 16, 2006.
Strange women lying in ponds distributing swords is no basis for a system of government.
In other words this trojan is likely to affect the vast hordes of Linux users that always log in as root, use their Linux box to read email, and who automatically install and run binaries that the receive off the Internet.
All five of them.
Seriously speaking, this is one of those areas where Windows users see how easy it is to use email to trick Windows users into triggering trojans and they figure that Linux must be similarly vulnerable. It isn't.
First of all, most Linux users, even new Linux users, don't do much of their work logged in as root. In Linux it is trivial to use su or sudo to become root as necessary, and this particularly trick is one of the first that most Linuxers learn. Second of all, Linux does not make it easy to run foreign executables. No Linux client I can think of allows you to simply click on an attachment and automatically run it. Besides that, even if the person does run the executable how does it spread. Windows email viruses rely on the fact that they can programatically access the Outlook address book. Even Windows users who use Eudora or Netscape Messenger are immune to this trick. Under Linux the question of how the trojan is going to email itself to my friends is even more difficult. There are literally hundreds of mail clients that see active use. Your trojan would need to parse many different kinds of text based address books (heck, there are probably three different Emacs packages that one could use as an address book).
And when all was said and done the chance of this trojan spreading are nearly nil. After all, even if one Linux user got infected, and the trojan successfully mailed itself to 200 of his closest friends chances are good that very few of these friends would be running Linux, and chances are even better that none of those friends running Linux would be similarly vulnerable (or nearly as dense). The trojan would refuse to spread, and that would be the end of it.
Comparing this trojan to the Code Red worm is laughable.