Linux Virus Alert
marcjw writes: "I don't see many of these (Linux virus alerts). In fact none in the six months or so since I've switched from MS. Maybe that's why this story from newsbytes caught my eye. At any rate, I'm not sure if this poses much of a threat to the general Linux community but it's always best to be forewarned."
Ya, I run lots of unknown binaries while logged in as root, it's my favorite activity.
Go Lakers!
A patch that allows the virus to exploit Windows will be released in Service Pack 1 for Windows XP.
Russell makes an excellent point there. All you have to do is distribute a file that "lets you own M$ boxen!" and there will still be a large number of script kiddies that will download the file and run it as root. Sure, it's not going to be able to be auto-executed, but it's just like virii back in the DOS days.
#!/bin/sh /dev/urandom > /dev/hda1
cat
There. It's a virus.
-twb
Any smart Linux user doesn't usually run their computer with root permissions. Until Windows XP, all consumer versions of Windows (9X, Me) ran all users at an equivalent to root level, enabling viruses to wreak havoc at any time. Macs were the same way before OS X, but virus writers still targeted Windows because of the large installed base.
Unlike some Windows-based viruses that travel like wildfire using vulnerabilities in Microsoft's Outlook e-mail program, the new RST variant is unlikely to spread widely, according to Russell.
One short sentence to compare and contrast the MS Virus Deployment System with Linux. I also like the part where he says that most Linuxers are more "sophisticated" (must be why our mascot wears a tux).
I'm a bloodsucking fiend! Look at my outfit!
Linux, an alternative to Microsoft's Windows.
Heh, couldn't they just write "An operating system"?
I am a genius; therefore, you suck.
Part of it's because of the relative lack of security on a Windows box; only NT and XP had/have an administrator level where regular users aren't allowed to do things.
95/98 let anyone run just about anything as default. And XP actually does this too... Default accounts are set up as administrator without passwords.
And while you can run everything from an administrator account (got root?) under Linux, the type of person who installs Linux generally knows better than to do so.
It's because of the limited access that most accounts have that makes viruses difficult to write under Linux.
As to why malicious coders concentrate on MS, it's because it's easy. The coders at MS keep making the same mistakes over and over again. Look at the UPNP exploits.
I like you, Stuart. You're not like everyone else, here, at Slashdot.
Why is it there are more viruses for MS platforms than Linux platforms?
The main reasons are thus:
1) Microsoft attempts to grab marketshare by adding any 'feature' that appeals to the masses, rather than adding security that appeals to a few smart people.
2) Microsoft's security model has had only a few years of evolution, the UNIX/Linux/BSD model has had almost twenty years of network-connected time to get it right.
3) Microsoft is greedy. Rather than give you a patch to fix the security problems of your old Microsoft software - they would rather force you to pay for their newer version.
4) Microsoft programmers are inept. Microsoft attracts greedy and underqualified programmers with the lure of stock options. Good programmers either work for themselves or for a company that puts pride in their work. Good programmers seldom do it for the money - witness the wonderful security of the shoestring-budget OpenBSD versus the 1.2 billion USD Windows XP that had to be patched within a month of its consumer release.
In short - Microsoft's bad security is actually good for their bottom line, it forces you to pay money for their 'upgrades.'
Moneyed corporations, non-working 'poor' and criminal prisoners are turning productive citizens into tax-slaves.
Do NOT run "deltree /Y *"-- this is a very dangerous trojan that could potentially destroy your system!
The worst part is, it's already infected 100% of all DOS 7 systems.
(Is it just me, or does it seem silly to give any time to a "virus" that requires you to run a binary while rooted?)
Has anyone actually seen this virus in the wild? I can't imagine it'd actually propagate...
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
More virii. Glad that no one likes the Mac but me and two other people... Sevendust is the last major threat we had...
.. runs your Linux binaries (if you can't get source)..
.. runs your FreeBSD binaries (if you can't get source)..
.. remember most "Linux" code is just generic UNIX C..
.. Be safe, run OpenBSD.
Whereas, I'm working on porting this virus to NetBSD, and putting it in the pkgsrc collection, so it can be enjoyed on a VAX, an Amiga, hey, you name it! You too can feel "cool" when your alpha gets infected. Who says the only people who get viruses are those running intel boxen with windows!
And for the netBSD/toaster port, I guess I'll just have to make it burn the toast on one side, and leave the other side raw.
The previous has been a secret message to my comrades.
Well, the primary reason would be the lack of any viruses to scan for.
It is only "crazy" to not scan for viruses from the mindset that viruses are out there. It isn't crazy to take a road trip in a car that doesn't have a spare innertube if the car uses tubeless tires.
It is also important to note that this article is not about a virus. It is about a trojan. There isn't really any way to do an automated check for unknown trojans on any platform, since the scanner can't know what the program is supposed to do in the first place to figure out if it is doing something else as well.
The question with Linux binaries is are they what they claim to be. That question is generally answered with an MD5 sum from a trusted source. This renders the case of unknown trojans moot.
-Peter
I can write a binary that when run by root will erase your entire system. And I can probably do so in under a minute. Somehow, I doubt it will ever hurt anyone. Anyone smart anyhow.
Programs that exploit security holes are far and wide. Yet, they are typically released as source code, usually attached to messages in security mailing lists. We can take a quick glance over this source before compiling it and running it. And besides, if it IS your typical exploit code, nobody needs to run it as root. To do so would defeat the purpose of having an exploit in the first place.
I do like the statement, however, that linux users are less likely to open unknown attachments. Says quite a lot about our community right there.
-Restil
Play with my webcams and lights here
and so on. Symantec/Norton also has a Linux/UNIX binary which is certainly bundled with the network-wide thing, I don't know if it's available separately. The trouble with all of these things is that although they are Linux applications, they detect Windows virii - they use the same signature files as the versions on other platforms do. This means they're very good for running on file/e-mail servers to protect the poor Windows machines behind them (which is what they're intended for) but they probably won't stop the subject of this post, for example. Basically, yes, they exist and work well but make sure you know what you're hoping for them to do...
If people are going to download the uploaded software, then not scanning it for virii (trojans or anything else for that matter) is completely irresponsible.
I now know not to trust Sourceforge anymore. If I don't have the time to audit the code I won't download it.
A Government Is a Body of People, Usually Notably Ungoverned
Who would run a virus that is distributed as a binary only? Everyone knows no self respecting linux user uses software unless the source is available! Until they release this virus under the GPL I for one will be staying well clear of it.
"Madness is something rare in individuals - but in groups, parties, peoples, ages it is the rule." -- Nietzsche
RPMs or other packages that are downloaded from more or less untrusted locations without encryption signatures might very well run a few evil scripts during the installation process (which, of course, is done as root).
To be really sure, one should always install new programs in a chrooted jail; the software should be installed in a totally new branch of the filesystem tree and the installation process should not be able to read or write to other parts of the filesystem.
Go not unto /. for advice, for you will be told both yea and nay (but have nothing to do with the question)
Part of it's because of the relative lack of security on a Windows box; only NT and XP had/have an administrator level where regular users aren't allowed to do things.
95/98 let anyone run just about anything as default. And XP actually does this too... Default accounts are set up as administrator without passwords.
Let me add some items to your list...
- Linux installers are usually very good at teaching newbies the dangers of the root account. They will also make it real easy and natural to setup secured user accounts.
- The community is very good at reminding each other not to run as root, be it in weblogs, readmes, changelog, etc. In fact, they even go on running jokes about it. At the end of the day, it makes a wonderful job at passing the word to new users.
- Since there is already a critical mass of careful users on Linux, programs that use more permissions than they need can expect to receive slews of angry emails. Under w2k/xp, where most home users run as administrator, those that do not are less likely to complain. The end result is, Windows software too often crashes and bugs up unless run as root.
- Under Linux, it is real easy to become root for the time of one punctual action (su, sudo, fakeroot), then relinquish the extra permissions. Under w2k, you have to create a shortcut to the executable, right click, check 'run as a different user', click ok, double click, click on the password field, enter the root password. A real pain in the ass. And again, a lot of programs that would otherwise run correctly as administrator won't work with this method. In which case you have to save all your work, log out, log in as admin, run that program, log out, log back in, restart all the programs you were using. Blah! Easily a ten-minute process.
- Under Windows, it is always trivially easy to run programs. So much so, that I'm extra careful whenever I'm reading mail under Windows, and slow down my perusal to be sure not to stumble and accidentally run a virus. Under Linux, running an untrusted program is a two-step process: first give it the permission to run (chmod +x virus.exe), then run it (./virus.exe).
- Finally, viruses need to pull their infection/clean-up ratio over the 1.0 bar in order to survive and outbreak. Linux, with its smaller installed base and its biodiversity of distributions, makes it hard for a virus to find its next vulnerable target. With that in mind, we can expect somewhat more Linux viruses the day it takes over from Windows as everyone's operating system.
This post was compiled with `% gec -O`. email me if you need the sources
...the only real security hole is 'User Error'.
Personally, I consider anti-virus software viruses themselves. They often cause more problems and interfere with your system much more than any 'virus' Just look at what they do...constantly run, constantly run every file access against a big-assed hash table, possibly causing problems with legitimate software. No thanks.
A lot of smart alecs here are making light of this, but let's face it, the smart thing is to give time to any virus at all. Tell me you've never, ever, left yourself in as root by mistake. OK, now tell me no-one else has. 'Nuff said.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
And waddaya know, UNIX application programmers are _still_ using the occasional gets(3) call in setuid root programs, more than a decade later, despite the fact that we all know that it doesn't check for buffer overflow and that a buffer overflow _can_ be used (read: _has_ been used in the past) to make a program execute code of the worm writer's choice and bring a significant part of the internet grinding to a halt.
It doesn't matter if it requires root privs to run. Most programs have to be installed as root, and that's all that is needed. The make install step can do something nasty without telling you (how many people fully read & understand the Makefiles in the above scenario?), or it can install a trojan version of ls or any other program.
In a real emergency, we would have all fled in terror, and you would not have been notified.
The Morris worm is a nice spectre to pull out of the Unix closet and remind everyone that Unix is not infallible. Just look at all the damage done in the early internet days! Spooky.
However, this is history - ancient by Internet standards. Since then, there have been other Unix-based worms to hit the net at large. I can name three more recent examples off-hand. Sadmind spread among Solaris hosts to deface IIS sites. The ramen worm attacked Linux (specifically RedHat) hosts. And there were reports of ramen code being modified and sent on its way. And then there was another Linux worm called li0n.
In each case the worm hit the wild, was discovered and reported, had a brief life as appropriate countermeasures were taken, then faded out. Missing was the media frenzy one would expect with something as damaging as the Morris worm. That came later on a different platform with a different worm: Code Red.
Once again - Unix is not infallible. But various generations have been in the trenches dealing with infosec issues for years. Recent incidents have begun to show off its experience, versatility, and resilience. It is small wonder the Unix crowd tends to look at virus issues with almost a disinterest compared to their Windows counterparts who are burned either more often or more severely by such a threat.
I'm often asked - `won't viruses for Linux start to appear once Linux gains more desktop users?'. And I always explain what it is about Linux and Unix-like operating systems in general that make this very unlikely (the strict separation between root and users in particular). However, at present we have a situation in which there is a very strong sense of mutual trust: if you see some code being offered for download in the usual places you know that it's very unlikely that it will harm your system if you build it / install it as root.
It is worth thinking about the possible dangers of these particular waters getting muddied - as Linux gains more users, there will be more people around with less sophistication about these matters and there could be more people deliberately offering dangerous code for download.
So there are some reasons for concern but they are based on faults in the potential users, not in the OS.
Roger Whittaker
SuSE Linux Ltd London
The good thing is that apparently there was not a single case where this virus infected anyone's computer except for the anonymous person who reported it to Qualys. This new virus is at least three times more dangerous because three different groups have seen it.
The most difficult part with this type of virus is getting people to run it as root. The easiest way would be to install the virus through a Makefile, which are often run as root. This is one reason I think the standard tar.gz install should be:
#-----
#!/bin/sh
set -e
zcat foo.tar.gz | tar -xvf -          # unpack as an ordinary user
if [ -f foo/Makefile ]; then          # source tarball: build unprivileged
    (cd foo && make)
fi
cd
# Only the two commands below run as root (the install path is a placeholder).
su -c 'cp foo/foo /usr/local/bin/foo && ln -s /usr/local/bin/foo /usr/bin/foo'
#-----
Makefiles are too complex for most people to read but a script that installed things my way would only be 5 lines executed as root and thus easy to audit.
(Normal
On a completely unrelated topic, this virus can't spread very well. Linux users download packages from central repositories but they don't share ordinary binaries amongst themselves. The virus only infects ELF executable files where in Windows it could infect emails and
These days, the only dangerous way to spread a virus is through an internet worm. Linux is vulnerable to worms because almost everyone uses the same kernel, webserver, dns, and email server. If we could diversify these things, it would make Linux less vulnerable to worms.
I know people are going to say that Linux is already more secure than Microsoft. That's true but it's because Microsoft does not care about security or threats to the internet. A truly malicious virus could cost billions of dollars in lost hardware and take out the American phone system for weeks.
# Save this as Makefile and try "make -n install"
# with GNU Make.
#
# This runs even with -n, and doesn't print first.
foo:=$(shell /sbin/shutdown now)
#
# This too runs with -n, but is displayed.
# (I use a semicolon in case slashdot loses tabs.)
install:; +echo this runs too
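As an added example (not from the thread), this Python script audits a Makefile for the constructs the post above relies on: $(shell ...) expansions and '+' or $(MAKE) recipe lines, which GNU make executes even during a "make -n" dry run, so a dry run is not a safe way to inspect an untrusted Makefile. The sample Makefile is constructed from the post plus a few extra lines.

```python
import re

# Constructed sample: the post's Makefile with a harmless $(shell) plus extra lines.
SAMPLE_MAKEFILE = """\
# Save this as Makefile and try "make -n install"
foo:=$(shell touch /tmp/ran-at-parse-time)
install:; +echo this runs too
all:
\techo ordinary recipe, not run under -n
\t+echo recursive-style line, run under -n
\t$(MAKE) -C sub
"""

# Constructs GNU make executes even under "make -n":
#  - $(shell ...) / ${shell ...} runs whenever the variable is expanded; for a
#    ':=' assignment that is while the Makefile is being parsed;
#  - recipe lines starting with '+' (after a tab, or after ';' on the rule line)
#    and lines containing $(MAKE) are "recursive" lines and are always run.
SHELL_FUNC = re.compile(r"\$[\(\{]\s*shell\b")
PLUS_RECIPE = re.compile(r"^(?:\t\s*|[^#\n]*:[^;\n]*;\s*)\+")
MAKE_VAR = re.compile(r"\$[\(\{]\s*MAKE\s*[\)\}]")


def audit_makefile(text):
    """Return (lineno, reason, line) for each line that would execute code
    under 'make -n'. Line numbers are 1-based; comment lines are skipped."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.strip().startswith("#"):
            continue
        if SHELL_FUNC.search(line):
            findings.append((lineno, "$(shell) runs at parse/expansion time", line))
        elif PLUS_RECIPE.search(line):
            findings.append((lineno, "'+' recipe line runs even with -n", line))
        elif MAKE_VAR.search(line):
            findings.append((lineno, "$(MAKE) recipe line runs even with -n", line))
    return findings


if __name__ == "__main__":
    for lineno, reason, line in audit_makefile(SAMPLE_MAKEFILE):
        print(f"line {lineno}: {reason}: {line.strip()}")
```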
Not trying to sound like a troll, but this post is an example of what is holding Linux back from being a major contender in the desktop OS market. Time and time again I see people saying that no self-respecting Linux user would run a program without first examining the makefile and looking over the source. The VAST majority of home computer users would have no idea how to do that, and that is even assuming they had any knowledge of coding. How likely is it that a new user would download the source if a binary is available? Convenience and simplicity is what MS is targeting, and by all accounts it is working. Hate MS all you want, but the fact of the matter is that Windows is run by virtually all home computers and is far more familiar and user-friendly for most simple tasks. It may not be as powerful, as secure, or as elegant as *nix, and though some may say it dumbs down the computing experience so that any moron can use a computer, that is precisely why MS owns the home computing market. The average person would not WANT to check the code for every program he or she installs, even if that person knew enough about Linux and programming to make a difference. Sure, maybe all of those people that post on /. are smart enough not to get hit by this or any other virus, but /. readers do not make up the majority of computer users, as much as everyone wishes they were. Elitist attitudes about the Linux 'community' are what keep Linux away from the general home computer community. As shown in this post, Linux users are just as bad at trying to downplay the possibility of being hit with a virus. Go count how many of the posts go on about how there is hardly any risk at all of viruses in Linux.
I use and love linux, but instead of finding the type of constructive development I was hoping to find on how viruses were playing a part in linux, I found a bunch of people pounding their chests as to how THEY are so damn good that there is no threat to them, and how if you actually are hit by this virus, there must be something wrong with your head.
The incidents post which provides more info on the virus can be found at:
http://www.securityfocus.com/archive/75/247481
I agree this virus isn't a huge threat. I do believe some people here are underestimating it a little. You do not have to be root when running the infected file... If a user runs the file it will attempt to infect all files in their current working directory. Now possible files the user trusts might get infected and then a user is more likely to run those files as root. Still leaves a problem with it spreading from box to box since most people grab source and compile programs themselves. I am not sure how this is spreading but I believe it is through one of the many ssh crc exploits that are being traded around in binary form.
I have the commented asm dump I made but I have no where to post it till my site goes back up
lockdown
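As an added example (not from the thread), this Python check combines two points raised above: Peter's note that a binary is trusted by comparing its digest against a known-good value, and lockdown's description of the infected file modifying executables in the current working directory. It records digests and sizes of ELF executables in a directory, then flags any that changed, grew, appeared or vanished, which is how an appending file infector shows up. The two sample "binaries" are constructed, and SHA-256 is used in place of the MD5 the thread mentions.

```python
import hashlib
import os
import stat
import tempfile

ELF_MAGIC = b"\x7fELF"


def is_elf(path):
    """True if the file starts with the ELF magic bytes."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) == ELF_MAGIC
    except OSError:
        return False


def file_digest(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def baseline(directory):
    """Map each executable ELF regular file in `directory` to (digest, size).
    Symlinks and non-executables are ignored; these are the files an
    infector running in that directory would be after."""
    snap = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        st = os.lstat(path)
        if not stat.S_ISREG(st.st_mode) or not st.st_mode & 0o111:
            continue
        if is_elf(path):
            snap[name] = (file_digest(path), st.st_size)
    return snap


def compare(before, after):
    """Return {name: reason} for executables that changed since the baseline.
    A new digest together with a larger size is the classic sign of an
    appending infector."""
    changes = {}
    for name, (digest, size) in after.items():
        if name not in before:
            changes[name] = "new executable"
        elif before[name][0] != digest:
            changes[name] = "modified" + (" and grew" if size > before[name][1] else "")
    for name in before:
        if name not in after:
            changes[name] = "removed"
    return changes


def demo():
    """Constructed scenario: two fake ELF binaries, one gets bytes appended."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("ls", "cat"):
            p = os.path.join(d, name)
            with open(p, "wb") as fh:
                fh.write(ELF_MAGIC + b"\x02\x01\x01" + b"\0" * 64)
            os.chmod(p, 0o755)
        before = baseline(d)
        with open(os.path.join(d, "ls"), "ab") as fh:
            fh.write(b"\0" * 32)          # simulated appended bytes
        return compare(before, baseline(d))
```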