Slashdot Mirror


Linux Virus Alert

marcjw writes: "I don't see many of these (Linux virus alerts). In fact none in the six months or so since I've switched from MS. Maybe that's why this story from newsbytes caught my eye. At any rate, I'm not sure if this poses much of a threat to the general Linux community but it's always best to be forewarned."

24 of 501 comments

  1. This cracks me up. by JeremyYoung · · Score: 5, Funny
    ...the virus requires users to run an infected program from an account with "root" permission.


    Ya, I run lots of unknown binaries while logged in as root, it's my favorite activity.
    --

    Go Lakers!

    1. Re:This cracks me up. by Anonymous Coward · · Score: 5, Informative

      hmmm.. social engineering anyone?

      localhost:~$ tar zxf some-random-binary-0.0.1.tar.gz
      localhost:~$ cd some-random-binary-0.0.1
      localhost:some-random-binary-0.0.1$ ./runme

      This program must be run as root.

      localhost:some-random-binary-0.0.1$ su
      Password:
      localhost:some-random-binary-0.0.1# ./runme

      Sucka!


      Another point.. when was the last time you actually checked the code of something you've compiled? Let's say instead of some-random-binary, it's some-random-young-sourceforge-app. Jeez, get off your fucking high horse.

    2. Re:This cracks me up. by Lumpy · · Score: 4, Interesting

      Actually quite often. Anything that requires running as root doesn't get installed unless it is a major important app. (Sorry but superWarezSniffer1.2 is not a major important app)

      I did look through airsnort, and the other "grey area" apps that I use for security and curiosity. Games? Never get run as root. Every other app? Never as root.

      Sorry but if you have to run it as root, 90% of the time it is a sign of poor code and will probably suck anyways...

      --
      Do not look at laser with remaining good eye.
    3. Re:This cracks me up. by ljaguar · · Score: 5, Informative

      OK, I'm really sick and tired of those people who say "Oh, I run binaries as root, so you do too."

      Have you ever thought of /usr/local?
      ./configure --prefix=/usr/local?

      My /usr/local is writable by my staff. My staff consists of... me. So, I have root, my desktop login and staff. Just install stuff on /usr/local, as staff. Voila. Staff can't touch my $HOME or any of the system binaries. So any malicious script (at install time aka make install) is pretty much contained in... /usr/local.

      Let's say I run an infected binary in /usr/local/bin as my desktop login. I lose my stuff. You can argue that this is just as bad, but my system is still not compromised.

      This isn't rocket science, guys.

  2. Re:Not via email you don't you wascally wabbit by dkemist · · Score: 5, Insightful

    Russell makes an excellent point there. All you have to do is distribute a file that "lets you own M$ boxen!" and there will still be a large number of script kiddies that will download the file and run it as root. Sure, it's not going to be able to be auto-executed, but it's just like virii back in the DOS days.

  3. It's not a virus, it's stupid. by lostchicken · · Score: 4, Funny

    #!/bin/sh
    cat /dev/urandom > /dev/hda1

    There. It's a virus.

    --
    -twb
  4. Loved this part... by Eryq · · Score: 5, Funny

    Unlike some Windows-based viruses that travel like wildfire using vulnerabilities in Microsoft's Outlook e-mail program, the new RST variant is unlikely to spread widely, according to Russell.

    One short sentence to compare and contrast the MS Virus Deployment System with Linux. I also like the part where he says that most Linuxers are more "sophisticated" (must be why our mascot wears a tux).

    --
    I'm a bloodsucking fiend! Look at my outfit!
  5. heh by Order · · Score: 4, Funny

    Linux, an alternative to Microsoft's Windows.

    Heh, couldn't they just write "An operating system"?

    --

    I am a genius; therefore, you suck.
  6. Re:More viri on MS- why? by NecroPuppy · · Score: 4, Informative

    Part of it's because of the relative lack of security on a Windows box; only NT and XP had/have an administrator level where regular users aren't allowed to do things.

    95/98 let anyone run just about anything as default. And XP actually does this too... Default accounts are set up as administrator without passwords.

    And while you can run everything from an administrator account (got root?) under Linux, the type of person who installs Linux generally knows better than to do so.

    It's the limited access that most accounts have that makes viruses difficult to write under Linux.

    As to why malicious coders concentrate on MS, it's because it's easy. The coders at MS keep making the same mistakes over and over again. Look at the UPNP exploits.

    --
    I like you, Stuart. You're not like everyone else, here, at Slashdot.
  7. DOS 7 virus alert! by startled · · Score: 5, Funny

    Do NOT run "deltree /Y *"-- this is a very dangerous trojan that could potentially destroy your system!

    The worst part is, it's already infected 100% of all DOS 7 systems.

    (Is it just me, or does it seem silly to give any time to a "virus" that requires you to run a binary while rooted?)

  8. They're Trying So Hard... by Greyfox · · Score: 4, Insightful
    To make it look like it's actually a threat. Oh yeah, it'd be dead simple to entice users to download a binary as root and run it. Yeah, once we give the user a frontal lobotomy and he believes everything we say, it is dead simple to do that. Oh yeah, it'd be a major threat if it infected binary files on sourceforge...

    Has anyone actually seen this virus in the wild? I can't imagine it'd actually propagate...

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  9. Re:OpenBSD.. by The+FooMiester · · Score: 5, Funny

    .. runs your Linux binaries (if you can't get source)..
    .. runs your FreeBSD binaries (if you can't get source)..
    .. remember most "Linux" code is just generic UNIX C..
    .. Be safe, run OpenBSD.


    Whereas, I'm working on porting this virus to NetBSD, and putting it in the pkgsrc collection, so it can be enjoyed on a VAX, an Amiga, hey, you name it! You too can feel "cool" when your alpha gets infected. Who says the only people who get viruses are those running intel boxen with windows!

    And for the netBSD/toaster port, I guess I'll just have to make it burn the toast on one side, and leave the other side raw.

    --
    The previous has been a secret message to my comrades.
  10. Re:Pretty crazy stuff by pete-classic · · Score: 4, Informative

    Well, the primary reason would be the lack of any viruses to scan for.

    It is only "crazy" to not scan for viruses from the mindset that viruses are out there. It isn't crazy to take a road trip in a car that doesn't have a spare inner tube if the car uses tubeless tires.

    It is also important to note that this article is not about a virus. It is about a trojan. There isn't really any way to do an automated check for unknown trojans on any platform, since the scanner can't know what the program is supposed to do in the first place to figure out if it is doing something else as well.

    The question with Linux binaries is are they what they claim to be. That question is generally answered with an MD5 sum from a trusted source. This renders the case of unknown trojans moot.

    -Peter

  11. Is this REALLY a problem? by Restil · · Score: 4, Insightful

    I can write a binary that when run by root will erase your entire system. And I can probably do so in under a minute. Somehow, I doubt it will ever hurt anyone. Anyone smart anyhow.

    Programs that exploit security holes are far and wide. Yet, they are typically released as source code, usually attached to messages in security mailing lists. We can take a quick glance over this source before compiling it and running it. And besides, if it IS your typical exploit code, nobody needs to run it as root. To do so would defeat the purpose of having an exploit in the first place.

    I do like the statement, however, that linux users are less likely to open unknown attachments. Says quite a lot about our community right there.

    -Restil

    --
    Play with my webcams and lights here
  12. Re:Protection? by sjehay · · Score: 5, Informative
    Yes - well, sort of. There are plenty of anti-virus programs out there, such as:

    and so on. Symantec/Norton also has a Linux/UNIX binary which is certainly bundled with the network-wide thing, I don't know if it's available separately. The trouble with all of these things is that although they are Linux applications, they detect Windows virii - they use the same signature files as the versions on other platforms do. This means they're very good for running on file/e-mail servers to protect the poor Windows machines behind them (which is what they're intended for) but they probably won't stop the subject of this post, for example. Basically, yes, they exist and work well but make sure you know what you're hoping for them to do...

  13. I won't be running it!! by gorre · · Score: 4, Funny

    Who would run a virus that is distributed as a binary only? Everyone knows no self respecting linux user uses software unless the source is available! Until they release this virus under the GPL I for one will be staying well clear of it.

    --
    "Madness is something rare in individuals - but in groups, parties, peoples, ages it is the rule." -- Nietzsche
  14. Running binaries as root by adadun · · Score: 5, Informative
    Ya, I run lots of unknown binaries while logged in as root, it's my favorite activity.
    I realize of course that you are joking, but I do believe that a lot of users run a lot of untrusted stuff as root. How many times have you run "make install" as root? I certainly have done it a few times for software packages that I downloaded from untrusted sources and without having read through the entire Makefile first. Who knows what kind of programs that I might unwillingly have run as root?

    RPMs or other packages that are downloaded from more or less untrusted locations without encryption signatures might very well run a few evil scripts during the installation process (which, of course, is done as root).

    To be really sure, one should always install new programs in a chrooted jail; the software should be installed in a totally new branch of the filesystem tree and the installation process should not be able to read or write to other parts of the filesystem.
    1. Re:Running binaries as root by BlueWonder · · Score: 5, Informative

      How many times have you run "make install" as root?

      Never. I want to have full control over and knowledge of where each file is installed.

      If the Makefile has been generated with GNU Automake (which is true for maybe 90% of all Makefiles I encounter), there is an easy solution: Install with make install DESTDIR=~/tmp as ordinary user, and if you agree with the file layout under ~/tmp, cp the files to their final location as root.

  15. Things that make you go hmmmmm by tiny69 · · Score: 5, Interesting
    Managed security provider Qualys obtained a copy of one new variant last month from an "outside source," according to Gerhard Eschelbeck, vice president of engineering.

    So he wasn't actually infected by it. Sounds like someone gave him a proof of concept prototype.

    To date there have been "limited" reports of the new RST variant in the wild, according to Eschelbeck.

    Reports to who?

    To replicate, the virus requires users to run an infected program from an account with "root" permissions.

    Only a complete moron would do this.

    Although many Linux users do not run anti-virus software, they are generally more sophisticated about security threats and are unlikely to click on executable e-mail attachments, he said.

    Exactly. From what I've heard elsewhere, it sounds like the "virus" is similar to the old COM viruses from the MSDOS days. Yes, they may have a copy of a "virus", but the whole thing sounds fishy to me.
    --
    Go not unto /. for advice, for you will be told both yea and nay (but have nothing to do with the question)
  16. Once again proving.. by _aa_ · · Score: 4, Redundant

    ...the only real security hole is 'User Error'.

  17. Lest we dismiss this too lightly... by CatherineCornelius · · Score: 5, Insightful
    A reminder is perhaps due here that the first internet worm program to cause significant damage (the Morris worm) was released in 1988 and infected UNIX systems through a well known vulnerability (yep, good ole gets(3)) in the fingerd daemon.

    And waddaya know, UNIX application programmers are _still_ using the occasional gets(3) call in setuid root programs, more than a decade later, despite the fact that we all know that it doesn't check for buffer overflow and that a buffer overflow _can_ be used (read: _has_ been used in the past) to make a program execute code of the worm writer's choice and bring a significant part of the internet grinding to a halt.

  18. Worse than running something as root by Raul+Acevedo · · Score: 5, Insightful

    It doesn't matter if it requires root privs to run. Most programs have to be installed as root, and that's all that is needed. The make install step can do something nasty without telling you (how many people fully read & understand the Makefiles in the above scenario?), or it can install a trojan version of ls or any other program.

    --
    In a real emergency, we would have all fled in terror, and you would not have been notified.
    1. Re:Worse than running something as root by foobar104 · · Score: 5, Interesting

      how many people fully read & understand the Makefiles in the above scenario?

      Which brings up an interesting point: write-only code. I've tried to read and understand autoconf-generated Makefiles a few times, and given up with my head spinning. They're a tangled web of M4 macros and such.

      Computer-generated code is notoriously hard to read, and install scripts are one instance where reading the code is important.

      I only wish there were a way to improve autoconf and other code generating programs without having to have a massive security breakdown happen first to inspire the work.
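The staged-install review that BlueWonder's DESTDIR trick and Raul's trojan-ls worry both point at, written out as an added example (not code from the thread): stage the install as an ordinary user, then look at what the package actually wants to put where before any root copy happens. It assumes an Automake-style Makefile that honours DESTDIR, and uses a constructed staging tree in place of a real package.

```shell
#!/bin/sh
# Added example, not code from the thread: stage "make install" into a scratch
# DESTDIR as an ordinary user and review what the package wants to install
# before anything is copied into place as root. The tree below is constructed;
# a real run would replace build_demo_tree with, as the unprivileged user,
#   ./configure --prefix=/usr/local && make && make install DESTDIR="$stage"

# review_staging DESTDIR PREFIX: list the staged files and return 0 only when
# every file sits under PREFIX and none is setuid/setgid. A replacement /bin/ls
# or a cron entry shows up here even if nobody managed to read the Makefile.
review_staging() {
    destdir=$1
    prefix=$2
    echo "staged files:"
    find "$destdir" \( -type f -o -type l \) | sed "s|^$destdir||"
    outside=$(find "$destdir" \( -type f -o -type l \) ! -path "$destdir$prefix/*" | wc -l | tr -d ' ')
    setid=$(find "$destdir" -type f \( -perm -4000 -o -perm -2000 \) | wc -l | tr -d ' ')
    status=0
    if [ "$outside" -gt 0 ]; then
        echo "REJECT: $outside file(s) outside $prefix"
        status=1
    fi
    if [ "$setid" -gt 0 ]; then
        echo "REJECT: $setid setuid/setgid file(s)"
        status=1
    fi
    return $status
}

# build_demo_tree DIR: constructed stand-in for what a hostile "make install"
# could drop into DESTDIR. Not a real package.
build_demo_tree() {
    mkdir -p "$1/usr/local/bin" "$1/usr/local/share/foo" "$1/bin" "$1/etc/cron.d"
    printf '#!/bin/sh\necho foo\n' > "$1/usr/local/bin/foo"
    : > "$1/usr/local/share/foo/README"
    : > "$1/bin/ls"          # replacement ls, outside the prefix
    : > "$1/etc/cron.d/foo"  # persistence hook, outside the prefix
    chmod 4755 "$1/usr/local/bin/foo"   # setuid bit nobody asked for
}

# Demo run: the review must fail, so nothing gets copied as root.
stage=$(mktemp -d)
build_demo_tree "$stage"
if review_staging "$stage" /usr/local; then
    echo "review passed: copy $stage/usr/local to /usr/local as root"
else
    echo "review failed: not installing"
fi
rm -rf "$stage"
```

The review only judges file placement and mode bits; whatever the Makefile executes while staging still runs, but as you, not as root, so it is confined to what your account can touch.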

  19. Viruses and the internet. by Error27 · · Score: 4, Interesting
    I remember when slashdot first talked about the RST trojan. That time Qualys did an abysmal job reporting on the virus. (Read the comments on the article.)

    The good thing is that apparently there was not a single case where this virus infected anyone's computer except for the anonymous person who reported it to Qualys. This new virus is at least three times more dangerous because three different groups have seen it. :P

    The most difficult part with this type of virus is getting people to run it as root. The easiest way would be to install the virus through a Makefile, which is often run as root. This is one reason I think the standard tar.gz install should be:
    #-----
    #!/bin/sh
    # Unpack and build foo as the ordinary user; only the final copy and
    # symlink run as root.
    set -e
    zcat foo.tar.gz | tar -xv
    cd foo/
    if [ -f configure ]; then   # source tarball: build it here, not as root
        ./configure
        make
    fi
    cd ..
    # The only commands executed as root, short enough to audit.
    su -c 'cp -r foo /usr/local/tar/ && ln -s /usr/local/tar/foo/foo /usr/local/bin/foo'
    #-----
    Makefiles are too complex for most people to read but a script that installed things my way would only be 5 lines executed as root and thus easy to audit.

    (Normal .debs would install normally because debian developers are trusted.)

    On a completely unrelated topic, this virus can't spread very well. Linux users download packages from central repositories but they don't share ordinary binaries amongst themselves. The virus only infects ELF executable files, whereas in Windows it could infect emails and .doc files and all kinds of stuff that should be data but instead is executable.

    These days, the only dangerous way to spread a virus is through an internet worm. Linux is vulnerable to worms because almost everyone uses the same kernel, webserver, dns, and email server. If we could diversify these things, it would make Linux less vulnerable to worms.

    I know people are going to say that Linux is already more secure than Microsoft. That's true but it's because Microsoft does not care about security or threats to the internet. A truly malicious virus could cost billions of dollars in lost hardware and take out the American phone system for weeks.