Slashdot Mirror


Linux Virus Alert

marcjw writes: "I don't see many of these (Linux virus alerts). In fact none in the six months or so since I've switched from MS. Maybe that's why this story from newsbytes caught my eye. At any rate, I'm not sure if this poses much of a threat to the general Linux community but it's always best to be forewarned."

4 of 501 comments

  1. Things that make you go hmmmmm by tiny69 · Score: 5, Interesting
    Managed security provider Qualys obtained a copy of one new variant last month from an "outside source," according to Gerhard Eschelbeck, vice president of engineering.
    So he wasn't actually infected by it. Sounds like someone gave him a proof-of-concept prototype.
    To date there have been "limited" reports of the new RST variant in the wild, according to Eschelbeck.
    Reports to who?
    To replicate, the virus requires users to run an infected program from an account with "root" permissions.
    Only a complete moron would do this.
    Although many Linux users do not run anti-virus software, they are generally more sophisticated about security threats and are unlikely to click on executable e-mail attachments, he said.
    Exactly. From what I've heard elsewhere, it sounds like the "virus" is similar to the old COM viruses from the MS-DOS days. Yes, they may have a copy of a "virus", but the whole thing sounds fishy to me.
    --
    Go not unto /. for advice, for you will be told both yea and nay (but have nothing to do with the question)
  2. Re:This cracks me up. by Lumpy · Score: 4, Interesting

    Actually quite often. Anything that requires running as root doesn't get installed unless it is a major important app. (Sorry, but superWarezSniffer1.2 is not a major important app.)

    I did look through airsnort, and the other "grey area" apps that I use for security and curiosity. Games? Never get run as root. Every other app? Never as root.

    Sorry, but if you have to run it as root, 90% of the time it is a sign of poor code and it will probably suck anyway...

    --
    Do not look at laser with remaining good eye.
  3. Re:Worse than running something as root by foobar104 · Score: 5, Interesting

    how many people fully read & understand the Makefiles in the above scenario?

    Which brings up an interesting point: write-only code. I've tried to read and understand autoconf-generated Makefiles a few times, and given up with my head spinning. They're a tangled web of M4 macros and such.

    Computer-generated code is notoriously hard to read, and install scripts are one instance where reading the code is important.

    I only wish there were a way to improve autoconf and other code generating programs without having to have a massive security breakdown happen first to inspire the work.

  4. Viruses and the internet. by Error27 · Score: 4, Interesting
    I remember when slashdot first talked about the RST trojan. That time Qualys did an abysmal job reporting on the virus. (Read the comments on the article.)

    The good thing is that apparently there was not a single case where this virus infected anyone's computer except for the anonymous person who reported it to Qualys. This new virus is at least three times more dangerous because three different groups have seen it. :P

    The most difficult part with this type of virus is getting people to run it as root. The easiest way would be to install the virus through a Makefile, which is often run as root. This is one reason I think the standard tar.gz install should be:
    #-----
    zcat foo.tar.gz | tar -xv
    if [ -f foo/configure ]; then    # source tarball: configure and build as the normal user
        cd foo/
        ./configure
        make
        cd ..
    fi
    # only the next two commands need root (ln -s takes the target first, then the link name)
    su -c 'cp -r foo /usr/local/tar/ && ln -s /usr/local/tar/foo/foo /usr/local/bin/foo'
    #-----
    Makefiles are too complex for most people to read but a script that installed things my way would only be 5 lines executed as root and thus easy to audit.

    (Normal .debs would install normally because debian developers are trusted.)

    On a completely unrelated topic, this virus can't spread very well. Linux users download packages from central repositories, but they don't share ordinary binaries amongst themselves. The virus only infects ELF executable files, whereas in Windows it could infect emails and .doc files and all kinds of stuff that should be data but is instead executable.

    These days, the only dangerous way to spread a virus is through an internet worm. Linux is vulnerable to worms because almost everyone uses the same kernel, webserver, dns, and email server. If we could diversify these things, it would make Linux less vulnerable to worms.

    I know people are going to say that Linux is already more secure than Microsoft. That's true but it's because Microsoft does not care about security or threats to the internet. A truly malicious virus could cost billions of dollars in lost hardware and take out the American phone system for weeks.
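The following is an added example of the "keep the root step short and readable" install that Error27 describes above; it is not the poster's script and not from the Qualys report. It builds the untrusted tarball entirely as the normal user into a staging directory (using DESTDIR so that even "make install" stays unprivileged), refuses a staging tree that puts files outside its own prefix or contains set-uid/set-gid binaries, and then prints the three lines that actually need root so they can be read before being pasted into a root shell. The package name, the /usr/local/<pkg> layout, the staging directory and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not the original poster's script). Build an untrusted
# tarball without privilege, audit the result, and keep the root step to
# a few lines you can read in full. Paths and names are assumptions.
set -eu

# Build as an unprivileged user into a staging tree. Nothing here needs
# root: tar, configure and make all run as the normal user, and DESTDIR
# makes "make install" write under $stage instead of into the real /usr.
stage_build() {
    tarball=$1; pkg=$2; stage=$3
    work=$(mktemp -d)
    tar -xzf "$tarball" -C "$work"
    (
        cd "$work/$pkg"
        ./configure --prefix="/usr/local/$pkg"
        make
        make DESTDIR="$stage" install
    )
    rm -rf "$work"
}

# Refuse a staging tree that reaches outside its own prefix (cron jobs,
# init scripts, anything under /etc) or that contains set-uid/set-gid
# files. Only non-directory entries are checked for the prefix rule, so
# the parent directories of the prefix itself are allowed. Symlink targets
# are not followed. Prints the offending paths and returns 1 if any exist.
audit_stage() {
    stage=$1; prefix=$2
    outside=$(find "$stage" ! -type d \
                   ! -path "$stage$prefix" ! -path "$stage$prefix/*" -print)
    suid=$(find "$stage" -type f \( -perm -4000 -o -perm -2000 \) -print)
    if [ -z "$outside" ] && [ -z "$suid" ]; then
        return 0
    fi
    [ -n "$outside" ] && printf 'outside prefix:\n%s\n' "$outside"
    [ -n "$suid" ] && printf 'set-uid/set-gid:\n%s\n' "$suid"
    return 1
}

# Print the only commands that need root: copy the audited prefix into
# place and link the binary into /usr/local/bin. Three lines, no Makefile.
root_step() {
    stage=$1; pkg=$2
    prefix=/usr/local/$pkg
    cat <<EOF
mkdir -p $prefix
cp -a $stage$prefix/. $prefix/
ln -sfn $prefix/bin/$pkg /usr/local/bin/$pkg
EOF
}

# Driver: sh safe-install.sh foo.tar.gz foo
main() {
    tarball=$1; pkg=$2
    stage=$(mktemp -d)
    stage_build "$tarball" "$pkg" "$stage"
    if audit_stage "$stage" "/usr/local/$pkg"; then
        echo "# staging tree is clean; run the following as root:"
        root_step "$stage" "$pkg"
    else
        echo "# refusing to install: staging tree is not confined to /usr/local/$pkg" >&2
        exit 1
    fi
}

if [ $# -ge 2 ]; then
    main "$@"
fi
```

The audit bounds what the root step can touch; it says nothing about what the program does once it is run, which is the reason the poster still keeps games and "grey area" tools out of root entirely.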