Linux Virus Alert

marcjw writes: "I don't see many of these (Linux virus alerts). In fact none in the six months or so since I've switched from MS. Maybe that's why this story from newsbytes caught my eye. At any rate, I'm not sure if this poses much of a threat to the general Linux community but it's always best to be forewarned."

Things that make you go hmmmmm

[tiny69]

Managed security provider Qualys obtained a copy of one new variant last month from an "outside source," according to Gerhard Eschelbeck, vice president of engineering.

So he wasn't actually infected by it. Sounds like someone gave him a proof of concept prototype.

To date there have been "limited" reports of the new RST variant in the wild, according to Eschelbeck.

Reports to who?

To replicate, the virus requires users to run an infected program from an account with "root" permissions.

Only a complete moron would run would do this.

Although many Linux users do not run anti-virus software, they are generally more sophisticated about security threats and are unlikely to click on executable e-mail attachments, he said.

Exactly. From what I've heard else where, it sounds like the "virus" is similar to the old COM virues from the MSDOS days. Yes, they may have a copy of a "virus", but the whole thing sounds fishy to me.

Re:This cracks me up.

[Lumpy]

Actually quite often. Anything that requires running as root dont get installed unless it is a major important app. (Sorry but superWarezSniffer1.2 is not a major important app)

I did look through airsnort, and the other "grey area" apps that I use for security and curiosity. Games? never get ran as root, every other app? never as root.

Sorry but if you have to run it as root, 90% of the time it is a sign of poor code and will probably suck anyways...

Re:Worse than running something as root

[foobar104]

how many people fully read & understand the Makefiles in the above scenario?

Which brings up an interesting point: write-only code. I've tried to read and understand autoconf-generated Makefiles a few times, and given up with my head spinning. They're a tangled web of M4 macros and such.

Computer-generated code is notoriously hard to read, and install scripts are one instance where reading the code is important.

I only wish there were a way to improve autoconf and other code generating programs without having to have a massive security breakdown happen first to inspire the work.

Viruses and the internet.

[Error27]

I remember when slashdot first talked about the RST trojan. That time Qualys did an abysmal job reporting on the virus. (Read the comments on the article.)

The good thing is that apparently there was not a single case where this virus infected anyones computer except for the anonymous person who reported it to Qualys. This new virus is at least three times more dangerous because three different groups have seen it. :P

The most difficulty part with this type of virus is getting people to run it as root. The easiest way would be to install the virus through a Makefile which are often run as root. This is one reason I think the standard tar.gz install should be:
#-----
zcat foo.tar.gz | tar -xv
if source
cd foo/
./configure
make
fi
cd ..
su
cp foo /usr/local/tar/
ln -s /usr/local/bin/foo /usr/local/tar/foo/foo
#-----
Makefiles are too complex for most people to read but a script that installed things my way would only be 5 lines executed as root and thus easy to audit.

(Normal .debs would install normally because debian developers are trusted.)

On a completely unrelated topic, this virus can't spread very well. Linux users download packages from central repositories but they don't share ordinary binaries amongst themselves. The virus only infects elf excecutable files where in Windows it could infect emails and .doc files and all kinds of stuff that should be data but instead is executable.

These days, the only dangerous way to spread a virus is through an internet worm. Linux is vulnerable to worms because almost everyone uses the same kernel, webserver, dns, and email server. If we could diversify these things, it would make Linux less vulnerable to worms.

I know people are going to say that Linux is already more secure than Microsoft. That's true but it's because Microsoft does not care about security or threats to the internet. A truly malicious virus could cost billions of dollars in lost hardware and take out the American phone system for weeks.

Re:Viruses and the internet.

[warpeightbot]

Linux is not immune to internet worms, or have you forgotten the Ramen worm?

Which got about two nanometers, being one of those "click on me" kinds of things... li0n was more virulent in some ways, but not in others, as the fix was out TWO MONTHS before the virus hit....

One thing I forgot to mention, is that Linux users are far more apt to run some sort of firewall, or at least NAT, than Joe Windows.... as well as all sorts of other tricks to mitigate damage, like chroot jails, not running your daemons as root, etc.

Point being, there is a cultural resistance to virii - inherent in how we were taught to use it as much as in its technical features - amongst users of originally-multi-user operating systems that simply does not exist amongst folks who grew up masters of their domain by default. If that sounds elitist, well... let's put it this way. In the history of Unix-like operating systems, which have long had access to the Internet and the Arpanet before it, and to which college kids have had access for what, 20 years now? there have been four, count'em, F-O-U-R worms. Countless exploits, sure, but only four big memorable self-(or semi-self-)propogating beasties, only one of which (the first one, Morris') got loose and caused major damage. (Now, remember, these were the days of mostly-proprietary OS's, too, so I'm not even beating the Open Source drum here...) How many Windows or Mac beasties have there been floating around in the same twenty-year time frame? Like the stars.

If you're running around on the Big Bad Internet in God mode all the time, you're plainly and simply DOING IT WRONG. (Credit where credit is due, Win2k and OS X fix this little problem...) Running as an unprivileged user solves a whole lot of problems by default. (Not letting untrusted data run as a script (Outlook, Word, IE) will get 99% of the rest of it, IMHO...)

Security is a state of mind, a state of constant relaxed alertness, taking the time to notice where harm might lurk, and taking steps to avoid trouble altogether. You could run OpenBSD or Trustix or CDC NOS with A-level security, but if you're not keeping up with the bulletins, somebody's going to find a problem with your system eventually, and you're gonna get 0wn3d. Run what you want to... but keep up with the damn patches, and stay away from problem programs, or else... and if work or circumstance decree that you MUST run an OS in god mode to do your work, for pity's sake, BE CAREFUL. But hopefully you can get OS-X or Win2k (XP Pro? I know Home acts like 98...) or if Ghu smiles on you, something with a hash prompt... hey, Diablo II runs on Linux now, so what're you waiting for? :)

more info

[sweasel18]

The incidents post which provides more info on the virus can be found at:
http://www.securityfocus.com/archive/75/247481

I agree this virus isn't a huge threat. I do believe some people here are underestimating it a little. You do not have to be root when running the infected file... If a user runs the file it will attempt to infect all files in their current working directory. Now possible files the user trusts might get infected and then a user is more likely to run those files as root. Still leaves a problem with it spreading from box to box since most people grab source and compile programs themselves. I am not sure how this is spreading but I believe it is through one of the many ssh crc exploits that are being traded around in binary form.

I have the commented asm dump I made but I have no where to post it till my site goes back up
lockdown