Slashdot Mirror


Linux Virus Alert

marcjw writes: "I don't see many of these (Linux virus alerts). In fact none in the six months or so since I've switched from MS. Maybe that's why this story from newsbytes caught my eye. At any rate, I'm not sure if this poses much of a threat to the general Linux community but it's always best to be forewarned."

18 of 501 comments

  1. Linux viruses needed. by Nicopa · · Score: 2, Interesting

    As we speak (write?) there are surely a couple of computer labs paid by McAfee, Norton, etc. trying to create some kind of successful Linux virus/worm. =)

  2. More viri on MS- why? by anotherone · · Score: 2, Interesting
    Why is it there are more viruses for MS platforms than Linux platforms? Does it have something to do with the OS itself- more secure, perhaps? Is it just because Linux users are usually more knowledgeable and careful about such things?

    Or is it just that virus writers focus their efforts on MS software? (And if it's the last one, why do malicious coders focus on MS? Is it just to spread FOAD and, indirectly, their favorite OS?)

    --
    Username taken, please choose another one.
    1. Re:More viri on MS- why? by kilrogg · · Score: 2, Interesting
      only NT and XP had/have an administrator level where regular users aren't allowed to do things.

      But it doesn't work very well in practice. Example, Microsoft Flight Sim 2002, when run from a normal user account, tells you you need to run it from an admin account. You see, rather than each user having their own config/save files, there's global config/save files which all users must be able to write to. The same applies to lots of other Windows programs too.

      Many users will just give themselves admin privileges (or login as admin) and be done with it. So the problem will still exist for a while.

    2. Re:More viri on MS- why? by Anonymous Coward · · Score: 1, Interesting

      The difference between 9x and XP/2k security is that on 2k/XP you CAN put a password on things and change people off from being an administrator (Linux root). On 9x you can't put any security on.

  3. Pretty crazy stuff by linzeal · · Score: 2, Interesting
    "Uriah Welcome, an administrator for the popular SourceForge repository of open source programs for Linux, said the unit of VA Software Corporation does not scan files uploaded to the site for viruses."

    Um, he further states that it would be "trivial" to add such a feature. Almost all win32 repositories have such scanners in place, so why wouldn't the largest Linux software sites have them as well? Have we become too trusting of the "many eyes" theory?

  4. Re:Really... by Steve+Cowan · · Score: 2, Interesting

    Au contraire! Because of the sheer volume of servers currently running linux, it would appear to be one of the most attractive platforms to write virii for.

    A programmer could certainly wreak a lot more havoc by planting their seeds in big web servers, domain name servers, mail servers, etc., rather than just messing up a bunch of average peoples' desktops.

  5. So what do I have to do to get it? by andy+the+engineer · · Score: 2, Interesting

    I didn't see anything in the article about how it actually propagates. It didn't read like a worm, so what binaries (tarballs and RPMs) are suspect? Anyone? Anyone?

    --
    Jack of all trades, master of some.
  6. Protection? by Anonymous Coward · · Score: 1, Interesting

    Here's a newbie question... where can I get anti-virus programs for Linux? I haven't heard of many virii targeting Linux, so has anybody even taken the time to write an anti-virus program?

  7. Things that make you go hmmmmm by tiny69 · · Score: 5, Interesting
    Managed security provider Qualys obtained a copy of one new variant last month from an "outside source," according to Gerhard Eschelbeck, vice president of engineering.
    So he wasn't actually infected by it. Sounds like someone gave him a proof of concept prototype.
    To date there have been "limited" reports of the new RST variant in the wild, according to Eschelbeck.
    Reports to who?
    To replicate, the virus requires users to run an infected program from an account with "root" permissions.
    Only a complete moron would do this.
    Although many Linux users do not run anti-virus software, they are generally more sophisticated about security threats and are unlikely to click on executable e-mail attachments, he said.
    Exactly. From what I've heard elsewhere, it sounds like the "virus" is similar to the old COM viruses from the MSDOS days. Yes, they may have a copy of a "virus", but the whole thing sounds fishy to me.
    --
    Go not unto /. for advice, for you will be told both yea and nay (but have nothing to do with the question)
  8. Re:This cracks me up. by Lumpy · · Score: 4, Interesting

    Actually quite often. Anything that requires running as root doesn't get installed unless it is a major important app. (Sorry but superWarezSniffer1.2 is not a major important app)

    I did look through airsnort, and the other "grey area" apps that I use for security and curiosity. Games? Never get run as root, every other app? Never as root.

    Sorry but if you have to run it as root, 90% of the time it is a sign of poor code and will probably suck anyways...

    --
    Do not look at laser with remaining good eye.
  9. Re:Worse than running something as root by Anonymous Coward · · Score: 1, Interesting

    Don't run 'make install' as root unless you really need to. For random tarballs off the web I usually just run 'make' then see what the binary does... and not for virus reasons. 'make install' tends to clutter your system with random files - e.g. /usr/share/foo, /usr/local/sbin/something...

    I guess it helps to be anal and paranoid :-)

  10. Re:Worse than running something as root by foobar104 · · Score: 5, Interesting

    how many people fully read & understand the Makefiles in the above scenario?

    Which brings up an interesting point: write-only code. I've tried to read and understand autoconf-generated Makefiles a few times, and given up with my head spinning. They're a tangled web of M4 macros and such.

    Computer-generated code is notoriously hard to read, and install scripts are one instance where reading the code is important.

    I only wish there were a way to improve autoconf and other code generating programs without having to have a massive security breakdown happen first to inspire the work.

  11. Backdoor/Trojan which is *source code clean* by ip4noman · · Score: 2, Interesting
    Good point. But even if your crack team of security experts inspect and approve each and every line of source code, then do a "make world", you still are not safe!

    Long ago Ken Thompson wrote a paper about a trojan/backdoor that is source code clean. This is usually accompanied with an anecdote about a guy at a computer show struggling to get his demo ready, but he forgets his root password. Just then, a bearded freaky guy from the next booth says "No problem", types a magic password, and voilà! The demo proceeds as planned. The story is that every version of /bin/login has this trojan, and that this same bearded freaky guy can log in as root to any unix box on the planet ... if he wants to.

    It's possible. Read the paper!

    PS: Most Linux users do not even attempt to build their systems from source. Every Linux system is shipped with /bin/cc, /bin/ls, /bin/make, etc. in binary form, and thus, are all suspect. Every Linux system *may* be infected with some backdoor/spyware which is just benign enough to have gone undetected thus far.

  12. Alternative installation by Anonymous Coward · · Score: 1, Interesting
    # create the install prefix as root, then hand it over to the ordinary user
    sudo mkdir /opt/someprog
    sudo chown luser:luser /opt/someprog
    # everything from here on runs as luser, never as root
    tar zxvf someprog-0.0.1.tar.gz
    cd someprog-0.0.1
    ./configure --prefix=/opt/someprog --foo --bar
    make
    make install

    That's it. You weren't root during installation. Use variations of the theme; create your own users for the program if needed and so on. Then just fix symlinks from /usr, /usr/man, /usr/lib etc.

    The bolded lines are the ones where the meat of this post is.

  13. Viruses and the internet. by Error27 · · Score: 4, Interesting
    I remember when slashdot first talked about the RST trojan. That time Qualys did an abysmal job reporting on the virus. (Read the comments on the article.)

    The good thing is that apparently there was not a single case where this virus infected anyone's computer except for the anonymous person who reported it to Qualys. This new virus is at least three times more dangerous because three different groups have seen it. :P

    The most difficult part with this type of virus is getting people to run it as root. The easiest way would be to install the virus through a Makefile, which is often run as root. This is one reason I think the standard tar.gz install should be:
    #-----
    tar -xzvf foo.tar.gz
    if [ -f foo/configure ]; then   # source tarball: configure and build as an ordinary user
        cd foo/
        ./configure
        make
        cd ..
    fi
    # only this line runs as root: copy the tree and link the binary into the PATH
    su -c 'cp -r foo /usr/local/tar/ && ln -s /usr/local/tar/foo/foo /usr/local/bin/foo'
    #-----
    Makefiles are too complex for most people to read but a script that installed things my way would only be 5 lines executed as root and thus easy to audit.

    (Normal .debs would install normally because debian developers are trusted.)

    On a completely unrelated topic, this virus can't spread very well. Linux users download packages from central repositories but they don't share ordinary binaries amongst themselves. The virus only infects ELF executable files, whereas in Windows it could infect emails and .doc files and all kinds of stuff that should be data but instead is executable.

    These days, the only dangerous way to spread a virus is through an internet worm. Linux is vulnerable to worms because almost everyone uses the same kernel, webserver, dns, and email server. If we could diversify these things, it would make Linux less vulnerable to worms.

    I know people are going to say that Linux is already more secure than Microsoft. That's true but it's because Microsoft does not care about security or threats to the internet. A truly malicious virus could cost billions of dollars in lost hardware and take out the American phone system for weeks.
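Comments 12 and 13 both argue for the same discipline: unpack, configure and build as an ordinary user into a prefix that user owns, and keep the part that runs as root down to a line or two that can actually be read. The script below is an added example of that scheme, not code from either poster. It assumes (our assumptions, not the thread's) that NAME.tar.gz unpacks into a directory NAME with an optional ./configure and a Makefile whose install target honours PREFIX (plain Makefiles) or prefix (autoconf); the function names, the UNPRIV_INSTALL_ALLOW_ROOT override and the sample project "foo-0.1" are all made up here, and the sample tarball is constructed by the script itself so it runs offline.

```shell
#!/bin/sh
# Added example (not from the Slashdot thread): build and install a source
# tarball as an ordinary user, the way comments 12 and 13 suggest, so that the
# only step needing root is one auditable symlink.
# Assumptions (ours): NAME.tar.gz unpacks to directory NAME, which has an
# optional ./configure and a Makefile whose install target honours PREFIX
# (plain) or prefix (autoconf). Function names are made up for this example.
set -eu

# unpriv_install TARBALL PREFIX
# PREFIX must already exist and be writable by the current user (comment 12's
# "sudo mkdir; sudo chown" step, or simply a directory under $HOME).
unpriv_install() {
    tarball=$1
    prefix=$2
    # Refuse to run an untrusted configure script or Makefile as root. The
    # override exists only for throwaway containers with no unprivileged account.
    if [ "$(id -u)" -eq 0 ] && [ "${UNPRIV_INSTALL_ALLOW_ROOT:-0}" != 1 ]; then
        echo "refusing to build as root; use an unprivileged account" >&2
        return 1
    fi
    if [ ! -d "$prefix" ] || [ ! -w "$prefix" ]; then
        echo "prefix $prefix must exist and be writable by $(id -un)" >&2
        return 1
    fi
    work=$(mktemp -d)
    name=$(basename "$tarball" .tar.gz)
    tar -xzf "$tarball" -C "$work"
    # The build runs in a subshell; on failure the tree is kept for inspection.
    if ( cd "$work/$name" &&
         { [ ! -x ./configure ] || ./configure --prefix="$prefix"; } &&
         make &&
         make install PREFIX="$prefix" prefix="$prefix" ); then
        rm -rf "$work"
    else
        echo "build failed; unpacked tree left in $work" >&2
        return 1
    fi
}

# link_into BINDIR PREFIX NAME
# The single privileged step: expose PREFIX/bin/NAME through a symlink in
# BINDIR. In real use this is the one command typed with sudo, e.g.
#   sudo ln -s /opt/foo/bin/foo /usr/local/bin/foo
link_into() {
    bindir=$1
    prefix=$2
    name=$3
    mkdir -p "$bindir"
    ln -sf "$prefix/bin/$name" "$bindir/$name"
}

# make_sample_tarball OUTFILE
# Constructed sample input: a tiny project "foo-0.1" whose Makefile installs a
# shell script into $(PREFIX)/bin. It stands in for a tarball fetched off the web.
make_sample_tarball() {
    out=$1
    src=$(mktemp -d)
    mkdir "$src/foo-0.1"
    printf '#!/bin/sh\necho "hello from foo"\n' > "$src/foo-0.1/foo"
    chmod 755 "$src/foo-0.1/foo"
    printf 'all:\n\t@true\n\ninstall: all\n\tmkdir -p $(PREFIX)/bin\n\tcp foo $(PREFIX)/bin/foo\n\tchmod 755 $(PREFIX)/bin/foo\n' \
        > "$src/foo-0.1/Makefile"
    tar -czf "$out" -C "$src" foo-0.1
    rm -rf "$src"
}

# Usage: everything except the final link happens as the ordinary user.
#   make_sample_tarball /tmp/foo-0.1.tar.gz
#   mkdir -p "$HOME/opt/foo" && unpriv_install /tmp/foo-0.1.tar.gz "$HOME/opt/foo"
#   link_into "$HOME/bin" "$HOME/opt/foo" foo
```

The point of splitting the work this way is the one comment 13 makes: nobody reads a generated Makefile, but a single ln line run as root is short enough that anyone can audit it, and the Makefile itself only ever had write access to a directory the user already owned.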

    1. Re:Viruses and the internet. by warpeightbot · · Score: 3, Interesting
      Linux is not immune to internet worms, or have you forgotten the Ramen worm?
      Which got about two nanometers, being one of those "click on me" kinds of things... li0n was more virulent in some ways, but not in others, as the fix was out TWO MONTHS before the virus hit....

      One thing I forgot to mention, is that Linux users are far more apt to run some sort of firewall, or at least NAT, than Joe Windows.... as well as all sorts of other tricks to mitigate damage, like chroot jails, not running your daemons as root, etc.

      Point being, there is a cultural resistance to virii - inherent in how we were taught to use it as much as in its technical features - amongst users of originally-multi-user operating systems that simply does not exist amongst folks who grew up masters of their domain by default. If that sounds elitist, well... let's put it this way. In the history of Unix-like operating systems, which have long had access to the Internet and the Arpanet before it, and to which college kids have had access for what, 20 years now? there have been four, count'em, F-O-U-R worms. Countless exploits, sure, but only four big memorable self-(or semi-self-)propagating beasties, only one of which (the first one, Morris') got loose and caused major damage. (Now, remember, these were the days of mostly-proprietary OS's, too, so I'm not even beating the Open Source drum here...) How many Windows or Mac beasties have there been floating around in the same twenty-year time frame? Like the stars.

      If you're running around on the Big Bad Internet in God mode all the time, you're plainly and simply DOING IT WRONG. (Credit where credit is due, Win2k and OS X fix this little problem...) Running as an unprivileged user solves a whole lot of problems by default. (Not letting untrusted data run as a script (Outlook, Word, IE) will get 99% of the rest of it, IMHO...)

      Security is a state of mind, a state of constant relaxed alertness, taking the time to notice where harm might lurk, and taking steps to avoid trouble altogether. You could run OpenBSD or Trustix or CDC NOS with A-level security, but if you're not keeping up with the bulletins, somebody's going to find a problem with your system eventually, and you're gonna get 0wn3d. Run what you want to... but keep up with the damn patches, and stay away from problem programs, or else... and if work or circumstance decree that you MUST run an OS in god mode to do your work, for pity's sake, BE CAREFUL. But hopefully you can get OS-X or Win2k (XP Pro? I know Home acts like 98...) or if Ghu smiles on you, something with a hash prompt... hey, Diablo II runs on Linux now, so what're you waiting for? :)

  14. It might also be part of a business strategy by Anonymous Coward · · Score: 1, Interesting
    If they keep fucking up security, they can then convince the same morons that think M$ is good for the consumer that a new internet protocol is needed.

    Hello TCP-M$, which only works with M$ products....

  15. more info by sweasel18 · · Score: 3, Interesting

    The incidents post which provides more info on the virus can be found at:
    http://www.securityfocus.com/archive/75/247481

    I agree this virus isn't a huge threat. I do believe some people here are underestimating it a little. You do not have to be root when running the infected file... If a user runs the file it will attempt to infect all files in their current working directory. Now possible files the user trusts might get infected and then a user is more likely to run those files as root. Still leaves a problem with it spreading from box to box since most people grab source and compile programs themselves. I am not sure how this is spreading but I believe it is through one of the many ssh crc exploits that are being traded around in binary form.

    I have the commented asm dump I made but I have nowhere to post it till my site goes back up.
    lockdown
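The point sweasel18 makes above is that the damage starts before root is involved: an infected binary run as an ordinary user rewrites the other executables in the current directory, and those are the files the user later trusts enough to run as root. The cheap defence is an integrity baseline of those executables, taken before an untrusted binary is run and compared afterwards. The script below is an added example of that check, not code from the poster or from the securityfocus post; the function names and the directory layout it works on are our own, and the sample files in the usage are constructed.

```shell
#!/bin/sh
# Added example, not from the Slashdot thread. Comment 15 says the infected
# binary rewrites the executables in the user's current directory, so the
# defence is an integrity baseline: hash the executables before running an
# untrusted binary, compare afterwards. Function names are made up here.
set -eu

# exec_baseline DIR OUTFILE
# Write "sha256  ./path" for every regular file under DIR with the owner
# execute bit set, sorted so that two baselines compare line for line.
exec_baseline() {
    dir=$1
    out=$2
    ( cd "$dir" && find . -type f -perm -100 | LC_ALL=C sort |
      while IFS= read -r f; do sha256sum "$f"; done ) > "$out"
}

# exec_changes BASELINE DIR
# Recompute the listing for DIR and print the entries that are new or whose
# hash changed since BASELINE. Returns 0 when nothing changed, 1 otherwise.
exec_changes() {
    base=$1
    dir=$2
    now=$(mktemp)
    exec_baseline "$dir" "$now"
    if cmp -s "$base" "$now"; then
        rm -f "$now"
        return 0
    fi
    # "> " lines appear only in the fresh listing: modified or added executables.
    diff "$base" "$now" | sed -n 's/^> //p'
    rm -f "$now"
    return 1
}

# Usage: take the baseline, run the untrusted program as an ordinary user,
# then compare before deciding whether anything in the directory is still
# trustworthy enough to run with more privilege.
#   exec_baseline . /tmp/exe.before
#   ./some-downloaded-binary
#   exec_changes /tmp/exe.before . || echo "executables changed: investigate"
```

Data files are deliberately left out of the listing (the thread's point is that on Linux only ELF executables are at risk), so a changed notes file is not reported, while a rewritten or newly added executable is. Keep the baseline file somewhere the untrusted program cannot write, otherwise it can be rewritten along with everything else.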