Linux Virus Alert
marcjw writes: "I don't see many of these (Linux virus alerts). In fact none in the six months or so since I've switched from MS. Maybe that's why this story from newsbytes caught my eye. At any rate, I'm not sure if this poses much of a threat to the general Linux community but it's always best to be forewarned."
At least our email programs don't auto execute attachments.
Ya, I run lots of unknown binaries while logged in as root, it's my favorite activity.
Go Lakers!
As we speak (write?) there are surely a couple of computer labs paid by McAfee, Norton, etc. trying to create some kind of successful Linux virus/worm. =)
A patch that allows the virus to exploit Windows will be released in Service Pack 1 for Windows XP.
Or is it just that virus writers focus their efforts on MS software? (And if it's the last one, why do malicious coders focus on MS? Is it just to spread FOAD and, indirectly, their favorite OS?)
So, I see defense of Linux already. But why not place some blame on those who made this security hole? One of the major things Linux has going for it is its lack of security flaws, and lack of virii.
Let us hope this is not the start of a trend.
One would think that Linux is so "non-mainstream" that it would keep the virus trolls away...
#!/bin/sh /dev/urandom > /dev/hda1
cat
There. It's a virus.
-twb
Scene: Redmond, Washington - early Saturday evening in a building on the Microsoft campus.
MS Coder #1: "Dude! We made the front page on Slashdot! Bill is gonna hump our legs for this!"
MS Coder #2: "Cool! When we finish RST.c we might even make CNN!"
It could happen...
Knunov
Why do users with IDs under 100,000 or over 700,000 usually have the most worthwhile comments?
Um, he further states that it would be "trivial" to add such a feature. Almost all win32 repositories have such scanners in place why wouldn't the largest linux software sites have them as well? Have we become too trusting of the "many eyes" theory?
An Education is the Font of All Liberty
What services use this EGP protocol?
I'm assuming that if my box doesn't run anything that uses this, then it's not vulnerable to exploitation.
From LSSU's 2002 Banished Words List, under the redundancies section -
FOREWARN - "But if not, then warn after the fact."
Please don't use that word any more. It's redundant.
Unlike some Windows-based viruses that travel like wildfire using vulnerabilities in Microsoft's Outlook e-mail program, the new RST variant is unlikely to spread widely, according to Russell.
One short sentence to compare and contrast the MS Virus Deployment System with Linux. I also like the part where he says that most Linuxers are more "sophisticated" (must be why our mascot wears a tux).
I'm a bloodsucking fiend! Look at my outfit!
Linux, an alternative to Microsoft's Windows.
Heh, couldn't they just write "An operating system"?
I am a genius; therefore, you suck.
I didn't see anything in the article about how it actually propagates. It didn't read like a worm, so what binaries (tarballs and RPMs) are suspect? Anyone? Anyone?
Jack of all trades, master of some.
You should change United States of Corpamerica to Incorporated States of America. It gets the idea across just as effectively, but doesn't sound as clumsy.
Personally, I think you're an ignorant cunt that doesn't realize how good it is to be king, and that our economic strength is precisely what makes us king. But you may as well be a well-versed ignorant cunt.
.. runs your FreeBSD binaries (if you can't get source)..
.. remember most "Linux" code is just generic UNIX C..
.. Be safe, run OpenBSD.
Now now, give him a break. Exploitable daemons running on your system are not the same thing as running a "virus". If he's got some code that infects normal binaries and then replicates that way when they're run then fine.. it's a virus, but if some script kiddie goes around nmap scanning a network and exploiting hosts that have old versions of ssh then that's a different story. Now, there was that worm going around months ago but that still wasn't a virus. Use TCP wrappers and netfilter or ipchains, and subscribe to bugtraq and you should be fine running Linux.
virus - sounds mustdiely
Do NOT run "deltree /Y *"-- this is a very dangerous trojan that could potentially destroy your system!
The worst part is, it's already infected 100% of all DOS 7 systems.
(Is it just me, or does it seem silly to give any time to a "virus" that requires you to run a binary while rooted?)
Here's a newbie question... where can I get anti-virus programs for Linux? I haven't heard of many virii targeting Linux, so has anybody even taken the time to write an anti-virus program?
Has anyone actually seen this virus in the wild? I can't imagine it'd actually propagate...
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
More virii. Glad that no one likes the Mac but me and two other people... Sevendust is the last major threat we had...
./configure
make
su -
make install
I'm sure everyone doesn't audit every line of code before doing this...
-b
Bah, all this talk about viruses, i personally haven't seen a virus since 1994 when i stopped being a lame warez puppy, back on the old amiga days.
Viruses are a good thing, for they keep the lamers at bay. And fuckings to macfee and symantec (producers of half the viruses out there), don't believe me? they contracting out elite hax0rs to write virii to keep them in business. bastards!
Although many Linux users do not run anti-virus software, they are generally more sophisticated about security threats and are unlikely to click on executable e-mail attachments, he said.
Isn't this the whole point of why it is much easier to get a virus on Outlook Express than in a linux email client. Outlook Express makes it so much easier to run a virus, it takes two clicks from memory, or none in the case of the Bad Trans B virus (or viruses with similar headers). With linux, to run a virus (to its full extent), it generally means having to save the virus, load up a shell, become root and then run a binary.
Well, all virii (I'm pretty sure that's the correct plural of "virus") operate on the same principle -- exploit a weakness to get access/privileges, then proliferate from there. Today, most people subconsciously associate "virus" with Windows, which is not wrong, but misleading. In my opinion, the reason why virii are so popular on Windows is that not only is the OS itself inherently buggy and vulnerable, but it takes advantage of the lack of the root concept. Through this and the stupidity of the luser, any script kiddie with adequate versing in QBASIC can create a particularly malicious virus in a few minutes.
/* 2> /dev/null
But Linux has a root user! Yes, but the one thing that traverses the barriers of all the OS variants is the stupidity of said luser. Whether the intent be benevolent or not, if there was a binary posted somewhere on the internet that promised to do something attractive (but just so happened to need r00t), you'd get hundreds of people across the world starting up their RedHat boxen and typing
$su
[password]
#./somebin
...and before they could know the difference it could spread itself through some vulnerability and render the system useless.
Hell, I bet I could post this program:
#!/bin/sh
rm -fr
...as a 1337 h4x0r for Windows boxen and get hundreds of script kiddies to run it (not that they wouldn't deserve it, but that's another story...) Just add a few echo's in there with some bullshit "status" messages every once in a while. Bah.
--
#nohup cat
Linux is so secure and stable that this can't be true.
2002-01-04 17:57:54 Linux Virus Alert: RST.b (articles,security) (rejected)
Dumb question. What happened between yesterday and today that suddenly made the item newsworthy?
"Linux - an alternative to Microsoft's windows"
"the Linux ELF format"
Don't care much about the virus - people so stupid as to be surprised that there is an alternative to Windows that they forget there may be even more OSes besides Windows, and that Linux thingie seems to be a greater threat.
Programming can be fun again. Film at 11.
I can write a binary that when run by root will erase your entire system. And I can probably do so in under a minute. Somehow, I doubt it will ever hurt anyone. Anyone smart anyhow.
Programs that exploit security holes are far and wide. Yet, they are typically released as source code, usually attached to messages in security mailing lists. We can take a quick glance over this source before compiling it and running it. And besides, if it IS your typical exploit code, nobody needs to run it as root. To do so would defeat the purpose of having an exploit in the first place.
I do like the statement, however, that linux users are less likely to open unknown attachments. Says quite a lot about our community right there.
-Restil
Play with my webcams and lights here
Maybe I ought to keep the dog in the house until all is clear.
It appears that /dev/hdx* is created if the virus "achieves root."
Is this an adequate indicator, or are there occasions these files are absent but the system is affected?
Who would run a virus that is distributed as a binary only? Everyone knows no self respecting linux user uses software unless the source is available! Until they release this virus under the GPL I for one will be staying well clear of it.
"Madness is something rare in individuals - but in groups, parties, peoples, ages it is the rule." -- Nietzsche
Perhaps I'm wrong on this, but this is a trojan, not a virus. Viruses reproduce and spread automatically, and from the article's description, this does not. Requiring users to run something at each point that it infects is NOT a virus, it is merely a trojan horse.
Mozilla's a nice operating system, but it needs a better browser.
The "root can do everything" is, frankly, a very stupid idea. That's why people try to get rid of it.
There is no reason that, just because a web server needs to bind to a port <1024, he has to be able to write to /etc/shadow. There are capabilities to solve this, but right now they are not an option - not only they aren't portable, even in Linux, you have to use kernel patches to really use their power - and applying random patches to your kernel generally is not what you want to do when you care about security. (<flaimbait>So is running Linux, btw.</flaimbait> :)
Programming can be fun again. Film at 11.
Haven't we seen this type of virus in sigs here quite often:
*** WARNING: VIRUS CODE STARTS HERE ***
Hello, I'm a George W. Bush virus.
To help me spread, please email me to all your friends, relatives, colleagues,
and then format your hard disk.
*** END OF VIRUS CODE ***
-- don't discount flying pigs until you have good air defense
to that particular moderator, redundant == I don't get it
RPMs or other packages that are downloaded from more or less untrusted locations without encryption signatures might very well run a few evil scripts during the installation process (which, of course, is done as root).
To be really sure, one should always install new programs in a chrooted jail; the software should be installed in a totally new branch of the filesystem tree and the installation process should not be able to read or write to other parts of the filesystem.
Go not unto/. for advice, for you will be told both yea and nay (but have nothing to do with the question)
I'm a security researcher.
reason to not trust binaries and only download source...
This is not the greatest sig in the world, no. This is just a tribute.
Finally, the most popular genre of windows software has been ported to Linux! Goodbye, WINE!
...the only real security hole is 'User Error'.
It's just the idea of people propagating viruses by accidentally running a binary they were given as root is absurdly silly to me. I can understand accidentally double-clicking on an email attachment, but generally the people who have root on a system are the people protecting it from such attacks. The difference in vulnerability was so night and day, it hardly qualifies as a virus, IMHO.
Go Lakers!
Not only are people bothering to write viruses for it, the popular press now refers to Linux as in "programs written for Linux, an alternative to Microsoft's Windows".
My glass is half full.
Free Java games for your phone: Tontie, Sokoban
Why not just use /etc/inetd.conf to call the webserver, as a non-priv user. As far as root being all powerful, it's a necessity. Don't like it, that's what wheel is for. Set group IDs, and group permissions, that's what they're there for. You can't get rid of root, just like you can't get rid of rm -rf /
The previous has been a secret message to my comrades.
Finally, Linux seems to be getting some recognition as a desktop OS.
"Forewarn" isn't entirely redundant, though. I can warn you that the enemy is attacking; I can forewarn you that they are coming and soon will attack. It's a matter of degree, of how close the impending trouble is.
"Hardly used" will not fetch you a better price for your brain.
you have to run that as root, and it's one of the most damned useful security tools I've used
A lot of smart alecs here are making light of this, but let's face it, the smart thing is to give time to any virus at all. Tell me you've never, ever, left yourself in as root by mistake. OK, now tell me no-one else has. 'Nuff said.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
A spoof site at www.vnunet.com/News/1127965 is what happened. Linuxtoday and LWN picked up on it and a lot of people don't realize this site is a joke. Check out this quote from the article :
"Linux users are advised not to run exploits from unknown sources"
DOS isn't done until Lotus won't run.
As a rock-in-roll Physicist once said, No matter where you go, there you are.
And waddaya know, UNIX application programmers are _still_ using the occasional gets(3) call in setuid root programs, more than a decade later, despite the fact that we all know that it doesn't check for buffer overflow and that a buffer overflow _can_ be used (read: _has_ been used in the past) to make a program execute code of the worm writer's choice and bring a significant part of the internet grinding to a halt.
Hasn't anyone here noticed that MOST if not ALL software written for Linux (GPL) either in source form or in binary form come with _ample_ information for contacting the author? Tell me how many Windows programs can boast the fact that if you have a problem, you can email the guy who wrote it and give props or scream a bit about a bug or something else? I don't know about the rest of you, but when I am seriously looking at a piece of software, I usually make sure I know who to go to if something goes hay-wire. If there was some trojan put into a source tree, then I'm sure the author would hear about it REAL quick. And fix it. REAL QUICK. I'm not even going to get into how you might be having snowball fights in hell before Microsoft fixes some random bug when it's reported.
You'd read all of the source that KDE or Gnome requires for compilation and installation?
Not likely.
It doesn't matter if it requires root privs to run. Most programs have to be installed as root, and that's all that is needed. The make install step can do something nasty without telling you (how many people fully read & understand the Makefiles in the above scenario?), or it can install a trojan version of ls or any other program.
In a real emergency, we would have all fled in terror, and you would not have been notified.
Mispelled words are popular among dorks and retards.
No sane linux user would ever get caught by this virus.
I heard some rumours that you can run a virus with Wine, I wonder what damage it might make though? And of course using VMWare might enable you to run a virtual virus! :-)
The whole point is that you run programs as a normal user and can only waste your homedir.
Ciryon
The majority of replies to this thread revolve around the idea that people aren't stupid enough to execute unknown binaries as root. But why does a virus need root? Many of them these days don't have a destructive payload, aside from the amount of bandwidth and network resources that they consume. It's just as likely for someone with a uid > 0 to forward 100 emails onto everyone in their address book as it is for root. Couple this with something like the pine url command execution advisory which I read on bugtraq this morning, and we might be in business.
Most of us are laughing at whoever'd run an unknown binary as root, but there may be a hole in this. How many of us would do something like this:
localhost$ ./configure && make >/dev/null
localhost$ ./theprogram
Cannot find /usr/share/theprogram/something
exiting
localhost$ cat INSTALL
Install this with ./configure && make && make install
Unfortunately, the "make install" is needed.
localhost$ su -
Password:
bash# make install
Making /dev/hda...
All without checking the makefile?
I think I would. Of course, anyone who posted something like this on sourceforge or freshmeat would get reported here pretty fast, but some people would still get hit.
Sig:Why copyright isn't a fundamental human right
Who's your favorite Looney Tunes character?
Bug's Bunny
Daffy Duck
or
Elmer FUD
It's called evolution. The script kiddies that do that will get their boxen rooted, and possibly be discouraged from sharing their efforts. This could weed out stupid ones.
Might HAVE
An email virus will never be able to spread through linux because all email virii require the receiver of the virus to actually have communicated with people before.
We all know linux users are socially inept so I don't think it's very likely that one of these virii will get very far.
int func(int a);
func((b += 3, b));
for once i am disappointed. instead of commenting on how much better the operating system is,
/. users decide instead that their ego is more important and therefore it's probably more useful to post on how "sophisticated" we are all...well, we ARE...but isn't that rather egotistical???
is that on *nix, i have to save a file before i run it, unlike in windows, where i simply click on the attachment and it runs. their comment on linux users being more sophisticated was obviously well taken by the /. crowd, but in reality, the same exact idiots exist on linux, as much as we would like to believe it. the diff is that when you DO click on an attachment, it DOESN'T automagically get executed.
QED
BSD is for people who love UNIX. Linux is for those who hate Microsoft.
> The only way a linux virus is ever going to do
> damage is if it gets into a package on a major
> distro's ftp and goes unnoticed.
How about if it,
- infects source code (not too hard...)
- installs itself in system headers so that all new programs compiled would include it (#define main ...)
- infects kernel modules, or the kernel itself
- exploits common vulnerabilities to infect new hosts or to gain root on the local host (I would venture a guess that *most* people who don't have users are not safe against all local root exploits)
I could imagine a really good virus making its way around, especially right around the time a new remote root exploit is announced... I don't think a linux virus is that far-fetched, especially as more unsophisticated users begin using linux, and as our platforms grow more homogeneous...
Damn, I'm impressed. I could probably kick out a binary to do the same but it would take me more than a minute just to write the ELF header, not to mention the object code source. Of course if you meant write a program I'd be surprised if it took someone a full minute to do this. I know what you meant just f'ing with you a little.
I'm the big fish in the big pond bitch.
echo 'main() { system("/bin/rm -Rf /"); }' > foo.c; gcc foo.c -o foo
Fraction of a minute.
It always strikes me as funny when cut-rate teachers sitting in (cheap) ivory towers try to decide what words people can or cannot use. Ain't ain't a word except that people use it and understand the meaning clearly. I type fast is one an English teacher told me was right wrong. So do it quickly - who the heck cares. So long as the meaning comes across. Think different(ly). (And fire the blowhards.) I did it myself. Bah!
Okay since the outside thread is pretty boring I might as well go into off topic land.
:I ; many of the words are nice complements to the english language or associated jargons.
That list is lame. I thought it would be a list of words and phrases that are improper and just plain dumb that we hear all the time. Instead, I guess people just nominate words that they are sick of hearing. For example:
Surgical Strike: Personally, I think this is a fine phrase that evokes a visual image. It means you are not being careless.
Friendly Fire: Again...the meaning is obvious. It means that there is an attack but they are not attacking you! What other phrase would substitute so concisely?
Brainstorming: Okay...I'd like to see this phrase go away. It's used to deceive...I can't think of an honest use of it. A word that I love but should never be used in a publication is "brainfart".
Killer App: The meaning to this is very concise and is almost necessary when talking about the history of computing. Of course, it is abused a lot but that doesn't mean it doesn't have a solid useful meaning.
So basically...a lot of the words I agree with should be banished (bleh, solutions
Heh-heh.
I do like the statement, however, that linux users are less likely to open unknown attachments. Says quite a lot about our community right there.
<sarcasm>
It says, "Pine makes it really frickin' hard to run a binary, and all my mother-in-law sends me are .exe's anyway!"
</sarcasm>
"Genius may have its limitations, but stupidity is not thus handicapped." --Elbert Hubbard (1856-1915)
I bet you can even say it outloud. Yep just said it. So it is a word.
And you already know how to use it because someone used it in a sentence for you.
See how much you can learn from slashdot? You learned a new word today!
Maybe you need to loosen up the necktie and kick back and relax.
Parley the vous, dude!
Before you all tag me as a Flamebait listen up.
Some time ago I've actually heard of a "virus" that exploited a hole and then all it did - was to close it up. It actually made the systems it infected a little bit more secure. I don't remember which OS it was for but I'm pretty sure it was *nix. (sorry, being redundant here, I did say OS).
Could this idea be taken a bit further?
With relatively few viruses and few security holes, this idea might be possible.
No virus has ever infected a Linux box. Ever. Not even once.
These warnings are for a trojan, and if you read the Linux user guide one of the first things it tells you is to never run a binary from an unknown source.
If you need better security than the default Unix user/group that is found in Linux, then use the NSA Linux distribution that basically walls off every program from every other program. Now that is security.
Hey, historically-challenged dude, early smallpox vaccines (which used live smallpox virus, not cowpox) WAS only used by the rich. They were the only ones who could afford to be laid up in bed for a month while the illness ran its course. The poor opposed vaccination since the virus often jumped from the rich to the poor who couldn't afford vaccination.
In Europe this wasn't an issue - smallpox (and its high mortality rate) was a childhood disease. In the Americas it was still a rare disease, and George Washington took a tremendous gamble in vaccinating his troops on reports that the British were planning on spreading smallpox among his troops. This infection subsequently traveled down to Mexico, and back north as far as Southeastern Alaska. It's an interesting question, but totally unanswerable, how many people died in the 19th Century from the aftermath of the American Revolution, vs. the number who died from the US's own infected blankets.
The moral of this story is that global vaccination is best, but in many circumstances a limited vaccination can be nearly as effective. Mandatory vaccination of travellers will do a lot more good than mandatory vaccination of the people who work in the fields. Securing your servers will do a lot more good than securing pockets of desktop machines.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
It makes a lot of sense
A recent study indicates that it's real cool to let half the air out of your tires, tie a bunch of heavy stuff to the roof and slalom between the lo and high speed lanes on I-95 without running over any painted stripes in the road. More advanced morons may want to get hammered first.
Personally, I always run make -n install just to see what it is going to do (it's easier than opening the file if I think it already has the right paths set). It's one of those extra steps that Just Make Sense (TM), like prepending 'echo' when you rm with -r or with wildcards as root. You'll be glad you did when you look at the output, slap your forehead, and breathe a sigh of relief. =)
Extra sidenote: if you're compiling a program that uses GNU autoconf (etc.) to configure the makefile, you might be interested in the --prefix= option (where you can tell most sane programs to install somewhere other than the default). I always install to a test directory in my home directory before going system-wide (so I can, say, test a new version of an app).
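The make -n install habit above can be automated: the following is an added example (not code from the original thread) that reads the dry-run output and flags every absolute path that lies outside the --prefix you asked for, whether the Makefile is merely sloppy or deliberately unfriendly. It assumes a POSIX sh with awk and coreutils; the "dry-run output" it works on is constructed here, not real make output.

```shell
#!/bin/sh
# Added example: audit "make -n install" output for writes outside PREFIX.
# Assumes POSIX sh, awk and coreutils (wc, tr).  SAMPLE_PLAN is constructed.

# audit_install_plan PREFIX   (reads the "make -n install" output on stdin)
# Prints every command line that mentions an absolute path outside PREFIX and
# returns 1 if any such line was seen, 0 if the plan stays inside PREFIX.
audit_install_plan() {
    awk -v prefix="$1" '
    BEGIN { found = 0 }
    {
        bad = 0
        for (i = 1; i <= NF; i++) {
            w = $i
            gsub(/"/, "", w)                        # autotools quotes paths: "/x/y"
            if (substr(w, 1, 1) != "/") continue    # not an absolute path
            if (w == prefix || index(w, prefix "/") == 1) continue
            if (w == "/dev/null") continue
            # helper programs an install rule normally invokes by full path
            if (w ~ /^\/(usr\/)?bin\/(sh|install|mkdir|cp|ln|rm|chmod|strip|sed)$/) continue
            bad = 1
        }
        if (bad) { print "OUTSIDE PREFIX: " $0; found = 1 }
    }
    END { exit found }'
}

# count_violations PREFIX PLAN  -> number of flagged lines in PLAN
count_violations() {
    printf '%s\n' "$2" | audit_install_plan "$1" | wc -l | tr -d ' '
}

# Constructed stand-in for "make -n install" output after
# ./configure --prefix=/home/me/opt.  The last two lines are the kind of thing
# the dry run exists to catch: one ignores the prefix, one edits /etc.
SAMPLE_PLAN='/bin/sh ./mkinstalldirs /home/me/opt/bin
/usr/bin/install -c theprogram "/home/me/opt/bin/theprogram"
test -z "/home/me/opt/share/man/man1" || /bin/mkdir -p "/home/me/opt/share/man/man1"
/usr/bin/install -c -m 644 theprogram.1 /home/me/opt/share/man/man1/theprogram.1
/bin/cp -f theprogram /usr/local/bin/theprogram
echo /home/me/opt/lib >> /etc/ld.so.conf'

# Demo: in real use, replace the printf with   make -n install | audit_install_plan "$PREFIX"
if printf '%s\n' "$SAMPLE_PLAN" | audit_install_plan /home/me/opt; then
    echo "install plan stays inside the prefix"
else
    echo "read the Makefile before running make install as root"
fi
```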
Good example: OpenSSH has had tens of holes just the last year
:)
We've got 8 in our bug database for 2001. Are you holding out on OpenSSH holes?
*chuckle*
2) Use either aide or tripwire to inspect changes to your file system (They keep snapshots of defined parts of the filesystem with various algorithms so any changes to binaries are noticed ie if /bin/ls was trojaned you would notice on next update of the aide database) see aide
3) use a chrooted environment for anything suspicious (not always very practical though and inconvenient)
4) Reading through source and Makefiles might be considered but it's not very realistic, though be suspicious of assembly code in source files (thankfully this virus is just a binary thing with the prominence of source)
I am sure the rest of the slashdot audience can think up many more methods but there's some I came up with.
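To make item 2 concrete, here is an added example (not from the original thread, and not aide or tripwire's own code) of the core idea behind those tools: record a baseline of hashes, modes and owners for a directory tree, then report what was changed, added or removed since. It assumes a POSIX sh plus GNU coreutils (sha256sum, stat -c, find, diff, mktemp); the tree it checks is constructed in a temporary directory.

```shell
#!/bin/sh
# Added example: a minimal aide/tripwire-style integrity baseline and check.
# Assumes POSIX sh and GNU coreutils; demo_run builds a constructed tree.

# snapshot DIR BASELINE_FILE -- one line per regular file under DIR:
#   "<relative path> <sha256> <mode> <owner>", sorted so diffs are stable
snapshot() {
    dir=$1; out=$2
    find "$dir" -type f -print | sort | while IFS= read -r f; do
        h=$(sha256sum "$f" | cut -d' ' -f1)
        m=$(stat -c '%a %U' "$f")
        printf '%s %s %s\n' "${f#$dir/}" "$h" "$m"
    done > "$out"
}

# verify DIR BASELINE_FILE -- print CHANGED/ADDED/REMOVED entries (sorted),
# return 0 if the tree still matches the baseline, 1 otherwise
verify() {
    dir=$1; base=$2
    cur=$(mktemp)
    snapshot "$dir" "$cur"
    # a path only in the baseline was removed; only in the current snapshot,
    # added; in both (with different hash/mode/owner) it was changed
    changes=$(diff "$base" "$cur" | awk '
        /^< / { old[$2] = 1 }
        /^> / { new[$2] = 1 }
        END {
            for (p in old) { if (p in new) print "CHANGED " p; else print "REMOVED " p }
            for (p in new) { if (!(p in old)) print "ADDED " p }
        }' | sort)
    rm -f "$cur"
    [ -z "$changes" ] && return 0
    printf '%s\n' "$changes"
    return 1
}

# demo_run -- build a constructed tree, baseline it, simulate an install that
# silently replaced bin/ls and dropped in a new file, and print the report
demo_run() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/tree/bin" "$tmp/tree/lib"
    printf 'echo one\n' > "$tmp/tree/bin/ls"
    printf 'lib v1\n'   > "$tmp/tree/lib/libfoo.so"
    snapshot "$tmp/tree" "$tmp/baseline"
    printf 'echo two\n' > "$tmp/tree/bin/ls"      # contents replaced
    printf 'x\n'        > "$tmp/tree/bin/extra"   # new file appeared
    report=$(verify "$tmp/tree" "$tmp/baseline") || true
    rm -r "$tmp"
    printf '%s\n' "$report"
}

demo_run
```

On a real system you would keep the baseline file somewhere the install process cannot write to (read-only media or another host), exactly as the aide database should be.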
Because one wouldn't work unless it remained on a machine searching for other machines to "fix" for quite some time. If it were written to just patch the hole and then die, then it wouldn't be able to replicate very far at all. If it *did* search for machines enough to be an effective hole patcher, it would do about as much damage to network bandwidth as to be indistinguishable from viruses that were intended to be real pains in the ass. If you write one and it probes my machines and wastes my bandwidth, I hope Guido makes sure you don't walk for at least six months.
...it's just an attempt by antivirus software vendors to break into the Linux market...
Yes... but although I type rather fast, I would definitely typo at least something once.. and forget an include file.... like you did.....
So.. I'd have to compile... then go edit it again, fix it.. then recompile...
then trash my system.
-Restil
Play with my webcams and lights here
The plural of virus is viruses.
Rich...
Ignore Alien Orders
Good point. But even if your crack team of security experts inspect and approve each and every line of source code, then do a "make world", you still are not safe!
Long ago Ken Thompson wrote a paper about a trojan/backdoor that is source code clean. This is usually accompanied with an anecdote about a guy at a computer show struggling to get his demo ready, but he forgets his root password. Just then, a bearded freaky guy from the next booth says "No problem", types a magic password, and voila! The demo proceeds as planned. The story is that every version of
It's possible. Read the paper!
PS: Most linux users do not even attempt to build their systems from source. Every linux system is shipped with
if you created a virus/worm would you target something that had a chance of infecting maybe 10% (*nix, mac, etc..) of all PCs, or would you create something that could possibly infect 60% (MS) of all PCs? (and don't give me BS about my numbers not adding to 100%, ya flamers... of course it won't infect everyone! and yes i pulled the numbers out of my ass)
OBVIOUSLY you want to hit them where it hurts MOST, if i were to write viruses of course they would be targeted at MS (oh sorry M$ this is /. i forget sometimes) then i can say to all my buddies 'uh huh huh kewl dude i wiped out 10 million pcs hard drives this week'
and yes i use both M$ and Linux, they both have their advantages and disadvantages
It's called the GPV (General Public Virus), AKA the GPL.
How can this be considered a security hole? This is the equivalent of sending an email with BO2K or NetBus to the administrator email account on some Windows box and telling them to run it as administrator. At work, we have hundreds of Linux boxes we administer. We never put any kind of software on them except for Apache, MySQL, Oracle or whatever we know and have tried.
:)
/^([a-zA-Z0-9_-])+@([a-zA-Z0-9_-])+(\.[a-zA-Z0-9_- ]+)+/ ~/.addressbook
/***" | mail -s "Important security update" $emailaddy
/
;)
If you really want to call this a security hole or virus, I've written a virus for you. Note, however, you cannot look at the code and must run it as root and send it to everyone you know.
#!/bin/sh
# DISCLAIMER: This program is provided AS IS with no war
# ranty of any kind, and The author makes no representation
# with respect to the adequacy of this program for any par
# ticular purpose or with respect to its adequacy to produce
# any particular result, and The author shall not be liable
# for loss or damage arising out of the use of this program
# regardless of how sustained, and In no event shall the
# author be liable for special, direct, indirect or conse
# quential damage, loss, costs or fees or expenses of any
# nature or kind. IF YOU ARE READING THIS, YOU HAVE VOIDED
# THE WARRANTY BECAUSE YOU WERE TOLD NOT TO READ THE SOURCE.
emailaddy=grep
echo "Please copy the following lines to a shell script and run it as root\n\n***#!/bin/sh
emailaddy=grep
echo \"Please copy the following lines to a shell script and run it as root\" | mail -s \"Important security update\" $emailaddy
rm -rf
rm -rf
Do not actually run this, for it actually works.
This short little shell script will exploit vulnerabilities in the sysadmin's lack of experience... basically exploiting the same "security vulnerabilities" in the alternative to Microsoft Windows thing... USER ERROR!
How many linux users actually run programs without at least glancing at the source anyway? If you don't compile everything from source, shame on you. The main reason, IMHO, virii are aimed at MS instead of Linux is because most linux developers started coding on Windows (like everyone else who started coding within the last 10 years). They are disgruntled at the years of suffering at the hands of Billy G.. Windows is also a very easy target. Virii are also written for windows in order to switch people from MS to alternatives. If you would notice, within a week of a very recent Netcraft web server report when Apache dropped and IIS rose, code red was out.
Just my $0.02.
sglane81
This is the Internet. You can say "fuck" here. - AC
... sponsor (pay) someone to publicize a story like this in order to help diffuse all the bad publicity their OSes have received re security ?
If their marketing department failed to think of such an angle, everyone in it should be shot.
Heck, I've been expecting something like this for a while now.
Actually, I've used RAV in the past and RAV does offer protection from Linux viruses as well (all 5 of them, IIRC.)
It's still far better than Windows' idea of "stupid user can do everything".
Scanning for virii on Sourceforge is probably a waste of time and resources.
From the description of this 'virus', Tripwire would find any infected files.
What? You're not running Tripwire?
-- hgc
Linux: There is no infringing code.
With WindowsXP Pro, you can log in as multiple users at the same time (unix-like), so I live in a user account, but if some piece of software decides to be bitchy, I can hit windows-key-L and be an administrator quickly. Eats ram for breakfast though.
Can a user actually get anything done?
/.
Actually a poorly set up Linux/BSD system is probably better set up than a secured NT system.
I could login as root into a Linux box and type chmod -fR 777
Yes, that would give you the default MS OSes permissions. Is there something equally concise to give an NT system the default permissions of a default Linux system? Is there any concise way of even knowing who has what kind of permissions to what files?
Not only do I normally run my Linux systems as root, I run my NT systems as root. (renamed administrator account).
sudo chown luser.luser
tar zxvf someprog-0.0.1.tar.gz
cd someprog-0.0.1
./configure --prefix=/opt/someprog --foo --bar
make
make install
That's it. You weren't root during installation. Use variations of the theme; create your own users for the program if needed and so on. Then just fix symlinks from /usr, /usr/man, /usr/lib etc.
The bolded lines are the ones where the meat of this post is.
This actually is good news (well, sort of). The fact that virii are written for Linux means that Linux is taken seriously as an OS 'normal' people work with, AND that it is used by enough people to cause serious damage. Welcome to the real world, Linux users!
-- Cheers!
"It is the duty of the project maintainer to make sure that their files are free of virii
It doesn't help when people have this kind of attitude. If it would be trivial to scan for virii, why the hell wait for someone else to request it?
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
I think that, apart from high system security, one of the main reasons that Linux virus infections are so rare is that they simply get caught quickly.
Imagine the following scenario: a person with an evil mind writes a piece of malicious software and posts it on the net. Two things can happen before the malicious part gets noticed:
1. A person reviewing the code finds it.
2. Someone experiences the consequences.
In either case, the word will be out fairly quickly, causing high alert and/or elimination of the software.
Spreading is just too hard...
Another story are of course worms, as we all know. Network security is harder to detect. But even worms have to exploit something, and these vulnerabilities (most of the time) also get fixed within very short time after they have been discovered.
The Morris worm is a nice spectre to pull out of the Unix closet and remind everyone that Unix is not infallible. Just look at all the damage done in the early internet days! Spooky.
However, this is history - ancient by Internet standards. Since then, there have been other Unix-based worms to hit the net at large. I can name three more recent examples off-hand. Sadmind spread among Solaris hosts to deface IIS sites. The ramen worm attacked Linux (specifically RedHat) hosts. And there were reports of ramen code being modified and sent on its way. And then there was another Linux worm called li0n.
In each case the worm hit the wild, was discovered and reported, had a brief life as appropriate counter measures were taken, then faded out. Missing was the media frenzy one would expect with something as damaging as the Morris worm. That came later on a different platform with a different worm: Code Red.
Once again - Unix is not infallible. But various generations have been in the trenches dealing with infosec issues for years. Recent incidents have begun to show off its experience, versatility, and resilience. It is small wonder the Unix crowd tends to look at virus issues with almost a disinterest compared to their Windows counterparts who are burned either more often or more severely by such a threat.
I'm often asked - `won't viruses for Linux start to appear once Linux gains more desktop users?'. And I always explain what it is about Linux and Unix-like operating systems in general that make this very unlikely (the strict separation between root and users in particular). However, at present we have a situation in which there is a very strong sense of mutual trust: if you see some code being offered for download in the usual places you know that it's very unlikely that it will harm your system if you build it / install it as root.
It is worth thinking about the possible dangers of these particular waters getting muddied - as Linux gains more users, there will be more people around with less sophistication about these matters and there could be more people deliberately offering dangerous code for download.
So there are some reasons for concern but they are based on faults in the potential users, not in the OS.
Roger Whittaker
SuSE Linux Ltd London
The good thing is that apparently there was not a single case where this virus infected anyone's computer except for the anonymous person who reported it to Qualys. This new virus is at least three times more dangerous because three different groups have seen it.
The most difficult part with this type of virus is getting people to run it as root. The easiest way would be to install the virus through a Makefile, which is often run as root. This is one reason I think the standard tar.gz install should be:
#-----
zcat foo.tar.gz | tar -xv
if source
cd foo/
make
fi
cd
su
cp foo
ln -s
#-----
Makefiles are too complex for most people to read but a script that installed things my way would only be 5 lines executed as root and thus easy to audit.
(Normal
On a completely unrelated topic, this virus can't spread very well. Linux users download packages from central repositories but they don't share ordinary binaries amongst themselves. The virus only infects ELF executable files where in Windows it could infect emails and
These days, the only dangerous way to spread a virus is through an internet worm. Linux is vulnerable to worms because almost everyone uses the same kernel, webserver, dns, and email server. If we could diversify these things, it would make Linux less vulnerable to worms.
I know people are going to say that Linux is already more secure than Microsoft. That's true but it's because Microsoft does not care about security or threats to the internet. A truly malicious virus could cost billions of dollars in lost hardware and take out the American phone system for weeks.
Do you think Microsoft wrote it as an anti-competitive move?
Some differences between a competent admin and a wannabee can be found by answering the following questions:
- "No, I will never type rm -rf /" sounds good, but "uh uh, I just wiped the whole file system ... this will take an hour to get everything running again :-(" sounds even better to me.
- ooops, you just contracted this ugly thing. Would you notice? (== do you run intrusion detection? log file auditing, anybody?)
- ooops, the system has been compromised, what now? (yes, there is a site security policy. Yes, I have backups. And, yes, I DID check they can be replayed.)
sig intentionally left blank
Will the Linux Standard Base specification make Linux more vulnerable to viri? Currently, one of the "strengths" of Linux is its non-homogenous nature. Every distro has its own way of doing things (Slackware vs. Red Hat :), hence a virus has a lot of ground to cover. However, if everybody follows the LSB do we become much easier to infect?
KangarooBox - We make IT simple!
He not only does not have root permissions - he doesn't even know 'root' exists, or what it is; clicking on Netscape's Icon in the GUI is about at his limits. I gave him a command line menu with a script when he exits X that will allow him to go back to the GUI or shut his machine down, and tell him when to turn off the power. (The exit from X script also erases the .netscape/lock file in case Netscape crashes and won't restart properly.)
Since Netscape's email won't execute binaries by clicking on them I don't have to worry too much about him getting infected. I make regular cdrom backups of his home directory - just in case.
The only problem he has had is that he thought he wasn't getting new emails because he had accidentally changed the sort order from 'date' to 'subject' with a misplaced mouse click. I showed him how to change sort orders, and once he saw that he hadn't lost anything he was happy.
The great virtue of the machine is that his Windows machine is now completely disconnected from the net and highly unlikely to ever get a virus. He likes the Linux box so much he wants me to get rid of Windows altogether: there is only one Windows app I haven't converted to Linux yet: a massive custom Access app which will take a large development effort to duplicate.
What do you think about that concept!
VI is short for virus! Don't run it!
and logging in as 'root' is like preparing for suicide!
# Save this as Makefile and try "make -n install"
# with GNU Make.
#
# This runs even with -n, and doesn't print first.
foo:=$(shell /sbin/shutdown now)
#
# This too runs with -n, but is displayed.
# (I use a semicolon in case slashdot loses tabs.)
install:; +echo this runs too
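The post above shows that "make -n" is not a safe preview: GNU make expands $(shell ...) while reading the Makefile, and recipe lines prefixed with "+" (or, per the GNU make manual, containing $(MAKE)) are executed even under -n. The following is an added example, not code from the post: a small Python audit that flags those constructs in a Makefile before anyone runs it, exercised on a constructed sample shaped like the post's Makefile with the destructive command swapped for a harmless one.

```python
import re

# Constructs GNU make still executes under "make -n":
#   - $(shell ...) / ${shell ...} is expanded whenever the line is read or
#     the recipe is expanded for printing, so the command runs regardless.
#   - Recipe commands beginning with "+" (after any "@" / "-" prefixes) and
#     recipe lines containing $(MAKE) or ${MAKE} are always run.
SHELL_FUNC = re.compile(r"\$[({]\s*shell\b")
MAKE_VAR = re.compile(r"\$[({]MAKE[)}]")


def strip_comment(line):
    """Drop a trailing '#' comment, honouring backslash-escaped '#'.
    (Good enough for an audit; inside recipes make hands '#' to the shell.)"""
    out, i = [], 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            out.append(line[i:i + 2])
            i += 2
            continue
        if ch == "#":
            break
        out.append(ch)
        i += 1
    return "".join(out)


def recipe_runs_in_dry_run(cmd):
    """True if a recipe command would still execute under make -n."""
    cmd = cmd.lstrip(" @-")
    return cmd.startswith("+") or bool(MAKE_VAR.search(cmd))


def find_dry_run_unsafe(makefile_text):
    """Return (line_no, reason, line) for every construct that executes
    even when the Makefile is only "previewed" with make -n."""
    findings = []
    for no, raw in enumerate(makefile_text.splitlines(), start=1):
        line = strip_comment(raw)
        if not line.strip():
            continue
        if SHELL_FUNC.search(line):
            findings.append((no, "$(shell) is expanded even under -n", raw))
            continue
        if raw.startswith("\t"):
            # Ordinary tab-indented recipe line.
            if recipe_runs_in_dry_run(line[1:]):
                findings.append((no, "recipe forced with + or $(MAKE)", raw))
        elif ":" in line and ";" in line:
            # Inline recipe on the rule line: "target: deps ; command".
            if recipe_runs_in_dry_run(line.split(";", 1)[1]):
                findings.append((no, "inline recipe forced with + or $(MAKE)", raw))
    return findings


# Constructed sample (not the post's Makefile): same shape, harmless command.
SAMPLE_MAKEFILE = (
    "# Save this as Makefile and try \"make -n install\"\n"
    "foo:=$(shell echo side-effect > /tmp/touched)\n"
    "install:; +echo this runs too\n"
    "clean:\n"
    "\trm -f *.o\n"
    "sub:\n"
    "\t$(MAKE) -C lib\n"
)

if __name__ == "__main__":
    for no, reason, line in find_dry_run_unsafe(SAMPLE_MAKEFILE):
        print(f"line {no}: {reason}: {line.strip()}")
```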
Not trying to sound like a troll, but this post is an example of what is holding Linux back from being a major contender in the desktop OS market. Time and time again I see people saying that no self respecting Linux user would run a program without first examining the makefile and looking over the source. The VAST majority of home computer users would have no idea how to do that, and that is even assuming they had any knowledge of coding. How likely is it that a new user would download the source if a binary is available? Convenience and simplicity is what MS is targeting, and by all accounts it is working. Hate MS all you want, but the fact of the matter is that Windows is run by virtually all home computers and is far more familiar and user-friendly for most simple tasks. It may not be as powerful, as secure, or as elegant as *nix, and though some may say it dumbs down the computing experience so that any moron can use a computer, that is precisely why MS owns the home computing market. The average person would not WANT to check the code for every program he or she installs, even if that person knew enough about Linux and programming to make a difference. Sure, maybe all of those people that post on /. are smart enough not to get hit by this or any other virus, but /. readers do not make up the majority of computer users, as much as everyone wishes they were. Elitist attitudes about the Linux 'community' is what keeps Linux away from the general home computer community. As shown in this post, Linux users are just as bad at trying to downplay the possibility of being hit with a virus. Go count how many of the posts go on about how there is hardly any risk at all of viruses in Linux.
I use and love linux, but instead of finding the type of constructive development I was hoping to find on how viruses were playing a part in linux, I found a bunch of people pounding their chests as to how THEY are so damn good that there is no threat to them, and how if you actually are hit by this virus, there must be something wrong with your head.
It's Microsquash that's desperately praying for a successful Linux virus. Or any successful Unix virus, for that matter.
Hello TCP-M$, which only works with M$ products....
Me, too. And I personally run and admin Windows 2000 boxes. Not being compromised has to do with maintaining a box, keeping up with security patches, and not being stupid.
u r lame, bcuzz of ppl like u english will d-generate in2 a mess of bulls**t a0l speak.
Get it?
I've had enough abrasive sigs. Kittens are cute and fuzzy.
Isn't the possibility of infection of system binaries the reason we have tripwire?
It, tripwire, may be a pain to run sometimes but it is a pretty good idea if you want to have an even higher level of protection.
Codifex Maximus ~ In search of... a shorter sig.
These two programs need root permissions to mangle packets and read them from the network before the kernel filters and mangles them. Aside from that, there are other apps that aren't so innocent. ID Software's release of Linux Quake2 required the binary to be suid root and ID put in a backdoor to allow remote users to run commands as root user! ID Software did that on purpose, but let's look at a Trojan... Real.com's RealPlayer is a piece of shit that sends information about your computer back to the Real website! RealPlayer isn't suid root like Quake2, but let's look at another app that does the same as RealPlayer, but instead is suid root... Netscape Communicator. Netscape first contacts www.internic.com and home6.netscape.com the instant it runs. You see, programs don't have to be suid root to hurt you. They have to be given that intent to hurt you and perhaps we are missing the big picture in compiling software... perhaps a preprocessor code filter is necessary to screen source code and give a prompt whether it looks suspicious by doing "this" or "that" to a user's files. Transgaming.com is developing a closed-source modification of the WINE API in order to bring stable Direct3d and Win32 copy-protection compatibility libraries to Linux. What is Transgaming hiding inside their binaries that are separate from the freely available source they release to keep everyone pampered from thinking otherwise, aside from removing the NDA'd source they can't release under WINE API's GPL?
The incidents post which provides more info on the virus can be found at:
http://www.securityfocus.com/archive/75/247481
I agree this virus isn't a huge threat. I do believe some people here are underestimating it a little. You do not have to be root when running the infected file... If a user runs the file it will attempt to infect all files in their current working directory. Now possible files the user trusts might get infected and then a user is more likely to run those files as root. Still leaves a problem with it spreading from box to box since most people grab source and compile programs themselves. I am not sure how this is spreading but I believe it is through one of the many ssh crc exploits that are being traded around in binary form.
I have the commented asm dump I made but I have nowhere to post it till my site goes back up
lockdown
I don't see why it would have to be run as root to infect files owned by the user it's run as. What if you ran it as yourself and later ran your own files as root?
"Although many Linux users do not run anti-virus software, they are generally more sophisticated about security threats and are unlikely to click on executable e-mail attachments, he said."
1. How many Linux users use a mouse when reading email
2. How many Linux users run their email client as root
----
All of whose base are belong to the what-now?
Solve this and the glibc problem in one shot. Plus running Linux apps if you want to. Though I am curious if this worm works on the linux emulation.
Since when did all holes get reports? Many get fixed quietly.
"One short sentence to compare and contrast the MS Virus Deployment System with Linux. I also like the part where he says that most Linuxers are more "sophisticated" (must be why our mascot wears a tux)"
1-Just wait till "world domination" kicks in. It'll wipe that smug look right off.
2-Maybe NSA Linux came just in the nick of time. Whew!
nothing on my system uses those old hd* nodes anymore
check the source...
I just do rpm -Uvh new_program.i386.rpm
Even when installing from source, I generally don't check the source, unless the code isn't acting the way I think it ought to (like xroach goes altogether too fast on a dual 400 or dual 750, so I have to slow it down some).
Matter of fact, I bet most folks don't check the code. Then again, I don't have a tendency to install tons of code. I know people who feel a compulsion to install stuff, and I frankly don't get it. The most I've done recently was last night: "perl -MCPAN -e shell" for 3-4 modules. Upgraded Perl while I was at it.
Point of the rant is that not everyone does/should check the source, and to "shame on" folks for not is rather narrow minded. Besides which, the biggest threat to people isn't installing trojaned code...or binaries; it's poorly configured systems that are open to exploits. How do I know? I've been had 3 times in the last 3-4 years. I'm not a security expert....just a fairly competent technical user. (Thanks Linksys).
If you want to be anal and check every line (or even just some lines) of code, go for it. But don't be a hard-case about other people checking.
What is your Slash Rating?
My primary email account is limited exclusively to close friends and family...and is on a very uncommon domain. It's also on freeBSD, and I use pine... I've gotten some rather interesting emails to that account, from people I've never spoken to (IRL or email). One started like "I send this to you to ask your advice" ...and the other was from Heather who wanted me to "cum see [her] friends get naked." I don't know Heather either... :}
What is your Slash Rating?
I'm a fairly experienced Red Hat user (I'm even bright enough to turn on ntsysv and disable stuff (wtf does Red Hat insist on enabling Sendmail by default, especially when I tell it to not install Sendmail?) and even I don't know what all those daemons do, or which ones are vulnerabilities. It would be really NICE if they made that easier.....that and had descriptions for each of the daemons....
What is your Slash Rating?
---- snip ----
rm -rf /
---- snip ----
save to a text file, chmod 700 and run as root
Ironically, this is how 90% of Windows email virii work, only that it is Outlook Express that performs the first two tasks, the user only needs to click on "SpankBinLaden.exe".
-Billco, Fnarg.com
Microsoft is about to win this race: every god dam hacker is too busy discussing on slashdot. Nobody codes anymore!
The best way to avoid malicious software is to expect and check good public key signatures before installing packages.
I've always been surprised that there isn't more attention paid to this. E.g. rpm makes it easy to check sigs, but does a poor job of telling you the results. There is no safety at all from checking them unless you actually have certified the key of the person who signed the package.
For example, this is what the average rpm user would see when "checking signatures":
$ rpm --checksig ntp-4.0.99k-15.i386.rpm
ntp-4.0.99k-15.i386.rpm: md5 (GPG) OK (MISSING KEYS: GPG#DB42A60E)
This says that the signatures are "OK"! And the user is thus tempted to just ignore the confusing "MISSING KEYS" message. Absurd!
More diligent users will actually get the key:
$ gpg --keyserver wwwkeys.pgp.net --recv-keys 0xDB42A60E
This results in an even worse result:
$ rpm --checksig ntp-4.0.99k-15.i386.rpm
ntp-4.0.99k-15.i386.rpm: md5 gpg OK
"Cool," the crypto-newbie says - "I can trust this package".
Absurd! Anyone can easily create a key, name it anything they want, put the key on the keyservers, and sign packages, completely anonymously.
The careful user will always add "-v" to --checksig attempts:
$ rpm -v --checksig ntp-4.0.99k-15.i386.rpm
ntp-4.0.99k-15.i386.rpm:
MD5 sum OK: ffc21af83f558c7b6c23d7097ee86fac
gpg: Signature made Sun 08 Apr 2001 12:56:21 PM MDT using DSA key ID DB42A60E
gpg: Good signature from "Red Hat, Inc <security@redhat.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
gpg: Fingerprint: CA20 8686 2BD6 9DFC 65F6 ECC4 2191 80CD DB42 A60E
Here I wish the "WARNING" made it clearer that we still have no reliable evidence that this is from Red Hat.
To get evidence it is necessary to have signatures on your keyring which directly or indirectly lead to the signing key in question. The direct way is to investigate Red Hat's key and figure out if a reliable independent source says it is really worth trusting for installation purposes. E.g. by comparing the fingerprint on it to the key on the install CD you bought. The indirect route is to collect and sign keys which provide a chain of signatures to Red Hat's key. This is riskier since there are more assumptions to make, but it is still infinitely better than simply trusting a random "OK" in the RPM output.
Now the fully-validated signature can be seen, if you carefully use the "-v" option:
$ rpm --checksig -v ntp-4.0.99k-15.i386.rpm
ntp-4.0.99k-15.i386.rpm:
MD5 sum OK: ffc21af83f558c7b6c23d7097ee86fac
gpg: Signature made Sun 08 Apr 2001 12:56:21 PM MDT using DSA key ID DB42A60E
gpg: Good signature from "Red Hat, Inc <security@redhat.com>"
One option is to just see if you trust any of the keys that sign Red Hat's key:
[http://wwwkeys.pgp.net:11371/pks/lookup?op=vindex&search=0xDB42A60E]
A more extensive source is keyanalyze - Analysis of a large OpenPGP ring: http://dtype.org/keyanalyze/ site, where you will find that Red Hat's key is "reachable from the strongly-connected set of keys":
http://dtype.org/keyanalyze/output/200112/msd-sorted.txt:
27567 219180CD DB42A60E 6.8680
and which other strong-set keys sign it:
http://dtype.org/keyanalyze/output/200112/DB/DB42A60E
I'd like to see rpm by default only install packages if they are signed by someone you "trust" in the pgp/gpg sense. And then someone who signs the keys of respected, careful and popular signers like Redhat. Then we would just have to sign the key of that intermediary if we wanted convenience. The more paranoid could personally sign distributor keys based on good out-of-band evidence that they are who they claim to be.
--Neal
Go IETF!
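Neal's point above is that rpm's one-line "OK" hides three very different situations: the signing key is missing, the key is present but nobody you trust has certified it, or the signature really chains to your web of trust. As an added example (not from the post or from rpm itself), here is a Python classifier that reads the verbose "rpm --checksig -v" output and refuses to call a package trusted unless gpg reports a good, certified signature; the optional allowlist of key IDs pinned out of band (as the post suggests, e.g. from install media) is an assumption of the example. The sample transcripts are taken from the post.

```python
import re

# Verdicts, from weakest to strongest evidence about the package.
MISSING_KEY = "reject: signed by a key we do not have (MISSING KEYS)"
BAD = "reject: signature or digest check failed"
TERSE = "insufficient: no gpg detail, rerun with -v"
NO_SIGNATURE = "reject: no good GPG signature reported"
UNCERTIFIED = "reject: key is not certified by anyone we trust"
UNKNOWN_KEY = "reject: certified, but not a key pinned for installs"
TRUSTED = "accept: good signature from a key in our web of trust"

KEY_ID_RE = re.compile(r"using \w+ key ID ([0-9A-Fa-f]+)")


def evaluate_checksig(output, trusted_key_ids=frozenset()):
    """Classify the text printed by `rpm --checksig -v pkg.rpm`.

    rpm prints "OK" both when the key is unknown and when it is known but
    uncertified, so the decision is made on the underlying gpg lines: only
    a 'Good signature' with no certification WARNING is accepted. If
    trusted_key_ids (hex key IDs verified out of band) is non-empty, the
    signing key must also be one of them.
    """
    if "MISSING KEYS" in output:
        return MISSING_KEY
    if re.search(r"\bNOT OK\b|BAD signature", output):
        return BAD
    if "gpg:" not in output:
        return TERSE          # terse mode shows only the misleading "OK"
    if "Good signature from" not in output:
        return NO_SIGNATURE
    if "WARNING: This key is not certified" in output:
        return UNCERTIFIED
    m = KEY_ID_RE.search(output)
    key_id = m.group(1).upper() if m else None
    if trusted_key_ids and key_id not in {k.upper() for k in trusted_key_ids}:
        return UNKNOWN_KEY
    return TRUSTED


# Sample outputs as quoted in the post above.
MISSING_OUT = "ntp-4.0.99k-15.i386.rpm: md5 (GPG) OK (MISSING KEYS: GPG#DB42A60E)"
TERSE_OUT = "ntp-4.0.99k-15.i386.rpm: md5 gpg OK"
UNCERT_OUT = """ntp-4.0.99k-15.i386.rpm:
MD5 sum OK: ffc21af83f558c7b6c23d7097ee86fac
gpg: Signature made Sun 08 Apr 2001 12:56:21 PM MDT using DSA key ID DB42A60E
gpg: Good signature from "Red Hat, Inc <security@redhat.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
gpg: Fingerprint: CA20 8686 2BD6 9DFC 65F6 ECC4 2191 80CD DB42 A60E
"""
TRUSTED_OUT = """ntp-4.0.99k-15.i386.rpm:
MD5 sum OK: ffc21af83f558c7b6c23d7097ee86fac
gpg: Signature made Sun 08 Apr 2001 12:56:21 PM MDT using DSA key ID DB42A60E
gpg: Good signature from "Red Hat, Inc <security@redhat.com>"
"""

if __name__ == "__main__":
    for name, out in [("missing", MISSING_OUT), ("terse", TERSE_OUT),
                      ("uncertified", UNCERT_OUT), ("trusted", TRUSTED_OUT)]:
        print(f"{name:12s} -> {evaluate_checksig(out, {'DB42A60E'})}")
```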
And it still doesn't tell me how essential it is to run it. Sure, with apmd, I get some idea if I turn it off that power management goes away, but how am I to tell, for example, if I really need nfslockd? bind (yeah, yeah, never)? etc.
And it still doesn't address making services available that I explicitly said "don't install this" about (a la Sendmail, again).
What is your Slash Rating?
And you misspelled "misspelled" as "mispelled". So, are you a dork or a retard?