Slashdot Mirror


Rootkit Packaged for Debian

Erich writes "Debian Developer Simon Richter announced in this posting to debian-devel that he Intends to Package (ITP) a R00tk1t for Debian Linux. The rootkit will make use of Debian mechanisms such as diversions to divert the original /bin/ls commands and replace them cleanly by the modified versions. Even reinstalling or upgrading the file-utils package (containing /bin/ls) will then not remove the modified /bin/ls and the rootkit will stay active, being probably the first upgrade-resistant rootkit! This rootkit will then be easy to install by doing "apt-get install rootkit" - a major usability aspect for our fellow wannabe-hackers, making Debian the premier choice for them."

57 of 125 comments

  1. Isn't hacking/cracking by -douggy · · Score: 2, Interesting

    An act of terrorism now..... Too hard to keep up with crazy US laws.

  2. News for nerds by Lxy · · Score: 2, Redundant

    Unless it's April 1st, then we just make up crap. Apparently there's no anonymous posting available today either.

    --

    There is no reasonable defense against an idiot with an agenda
    :wq
  3. I feel bad for important news issues today... by FortKnox · · Score: 2, Insightful

    I feel bad for any "REAL" news issues today. Cause I haven't taken anything seriously at all today.

    Cancer could be solved today and everyone would think it was a joke...

    --
    Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
    1. Re:I feel bad for important news issues today... by StandardDeviant · · Score: 2

      If you're smart enough to develop a generalized cure for cancer, hopefully you'd be smart enough to wait 24 hours before submitting it to the news agencies. ;-)

    2. Re:I feel bad for important news issues today... by jonnythan · · Score: 2

      Oh yeah, I damn near forgot that cancer doesn't exist in societies that don't vaccinate.

    3. Re:I feel bad for important news issues today... by isaac · · Score: 2

      Oh yeah, I damn near forgot that cancer doesn't exist in societies that don't vaccinate.

      Um, bollocks.

      Cancer exists in societies that don't vaccinate - it's just that in these societies one rarely lives long enough to die of cancer.

      -Isaac

      --
      I am not a lawyer, and this is not legal advice. For Entertainment Purposes Only.
    4. Re:I feel bad for important news issues today... by YuppieScum · · Score: 2

      There is no real news today, as it's another bank holiday here in England...

      What? No holiday today? Damn... it must suck to be you...

      --
      This sig left unintentionally blank.
    5. Re:I feel bad for important news issues today... by jonnythan · · Score: 2

      No shit... I was being sarcastic. Did you even read the parent post?

      Geez, people :P

    6. Re:I feel bad for important news issues today... by isaac · · Score: 2

      Did you even read the parent post?

      <HOMER SIMPSON>I think it's perfectly obvious that I didn't.</HOMER SIMPSON>

      Ah the perils of reading at +2 with reparenting...

      -Isaac

      --
      I am not a lawyer, and this is not legal advice. For Entertainment Purposes Only.
  4. D00D! by Em+Emalb · · Score: 4, Funny

    D00d, this is so c00l. I heard aboot this on alt.pigeon-fisting. It's the real deal. Hard to uninstall though.

    --
    Sent from your iPad.
    1. Re:D00D! by fabiolrs · · Score: 3, Funny

      Pigeon Fisting? :)))

      God damn slashdot april fool news affected our minds! :)))

      --
      Fabio - Sumare/Sao Paulo/Brazil/South America/Earth/Solar System/Milky Way/Universe
      http://www.morroida.com.br
  5. C'mon everybody, sing along! by Geekboy(Wizard) · · Score: 4, Funny

    Sell out! With me oh, yea! Sell out! With me tonight. The record company is gonna give me lots of money and everything will be alright!

    Apologies to Reel Big Fish

  6. About time. by RavenDarkholme · · Score: 5, Funny

    It's about time. As usual, Debian shows the great leadership that we have all come to expect from the project. The addition of a r00tk1t is yet another brilliant aid to remote administration, and well worth waiting for. RedHat and other so-called "commercial" distributions will, one can only hope, wake up soon and attempt to emulate Debian's ground-breaking innovation in this area, in order to gain market share in the vastly untapped script kiddie market.

    I also understand that Debian will be adopting a new motto for the project: "Relax: we understand j00".

    1. Re:About time. by cjpez · · Score: 2

      Relax: we understand j00

      Well, only if Megatokyo doesn't mind, that is. :P

    2. Re:About time. by RavenDarkholme · · Score: 2

      No, no, they've already worked out a deal with Piro-san on that. It's been pretty hush-hush, but I understand they offered him half of the profits on the new proprietary, closed-source version of Debian that's coming out soon.

      Oh...better keep that "closed-source" thing hush-hush, tho'. I don't think the Debian folks are ready to publicize that yet. :-)

    3. Re:About time. by cjpez · · Score: 2

      Oooooh, right, right. So I probably shouldn't have said anything, eh? :P

  7. he he ;) by Tommes · · Score: 2, Funny

    That's the best first of April joke I heard today :)
    the best part is that the rootkit is fully removable through dpkg :)

  8. Re:april by shaji · · Score: 2, Funny

    It looks like so, searching for rootkit yields this, No responses to your query.

  9. MS Even Getting Into It... by bahtama · · Score: 5, Funny

    Well, you have to give Microsoft credit, even they have a sense of humor today! They have an April Fools webpage up at: http://www.microsoft.com/security/
    Just look at all those jokes, almost every link!

    ;)

    --

    =-=-=-=-=-=-=-=-=
    Oh bother.

  10. Re:Not funny by cjpez · · Score: 2

    True, stories may not be funny just because it is about Linux, bashes Microsoft, has a CowboyNeal option, or was posted on April 1st, but that post to debian-devel was quite funny, on its own. The 1337speak in the Description field was wonderful.

  11. Linux only, though by YU+Nicks+NE+Way · · Score: 3, Funny

    How come there's no Windows version of this? I demand a Windows port of this feature! It just shows you how strong a monopoly Linux has among the skript k1dd13z, that this was released without ANY Windows support!

  12. heheh by DrSkwid · · Score: 2

    that's the best one today

    Debian leads the pack once again

    the rootkit will prove an invaluable tool in the workplace for when you *need* the root pw but MIS just won't let you have it.

    root was an April fool when it started and 30 years later it's still funneh

    --
    There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
  13. Who needs Debian? by Helevius · · Score: 3, Funny

    I'm waiting for the BSD version:

    cd /usr/ports/security/rootkit

    make && make install

  14. finally! by w4r3z_d00d · · Score: 4, Funny

    finally a linux company is taking a step in the right direction to offer the kind of quality and service that millions have enjoyed with windows.

  15. Re:Not funny by cjpez · · Score: 2

    Oh, a curse on me and my incorrect grammar! The plurality of that sentence was all wrong. Should have been "True, a story may not be . . ." Second time I've made a gross mistake like that today. Second time that I've caught, anyway. *GASP!* There might be more!

  16. april 1st - you're taking it too far by steve.m · · Score: 2, Insightful

    Is everything on Slashdot today a load of bollox?

    How about posting this drivel under the 'it's funny. laff' section?

    If I subscribe, do I get a tickbox to disable April first crap?

    Maybe it's because I'm from the UK, maybe it's because I'm old (30), but IT ISN'T FUNNY.

    1. Re:april 1st - you're taking it too far by red_dragon · · Score: 2

      Do you not remember the AFDs of previous years? This year it'll be almost the same, just with a whole lot more inane articles. By the end of the day, everyone will be begging CmdrTaco for mercy, on their knees, hurting from their stomachs, with a very sad look on their faces.

      I must agree, 1 April brings out the worst of Slashdot.

      --
      In Soviet Russia, Jesus asks: "What Would You Do?"
    2. Re:april 1st - you're taking it too far by Junta · · Score: 2

      > Is everything on slashdot today a load of bollox ?

      And this is any different from a normal day how? :)

      --
      XML is like violence. If it doesn't solve the problem, use more.
    3. Re:april 1st - you're taking it too far by Bob+McCown · · Score: 2

      Well, today people are saying "Geez, what a load of crap". If I submitted the same article tomorrow, they'd be saying "Hey, great, just what we need, down with Microsoft, Linux r00lz j00!"

    4. Re:april 1st - you're taking it too far by ThatComputerGuy · · Score: 2

      Or perhaps you're just a dick who can't have fun.

      --
      XML is like violence. If it doesn't solve the problem, use more.
    5. Re:april 1st - you're taking it too far by ftobin · · Score: 2

      Maybe it's because I'm from the UK, maybe it's because I'm old (30), but IT ISN'T FUNNY.

      Nah, it's because you live on Sesame street in a tin garbage can.

  17. Re:april by ChazeFroy · · Score: 4, Insightful

    This is almost as bad as the isonews.com story about warez being declared as legal. A little tact, ala The Onion circa 1998, would help immensely with these posts, guys.

  18. To those people by vectus · · Score: 2, Insightful

    who are whining and bitching about this being april fool's, and there being a bunch of joke stories;

    Lighten up. It is the Monday of a long weekend. If you don't like the stories Slashdot has, go spend time with your family. Go read a book, take a nap, do something. I'm sure there are a lot better things you could be doing than bitching about how a few people are having fun on Slashdot.

    1. Re:To those people by pizen · · Score: 2

      Lighten up. It is the Monday of a long weekend. If you don't like the stories Slashdot has, go spend time with your family. Go read a book, take a nap, do something. I'm sure there are a lot better things you could be doing than bitching about how a few people are having fun on Slashdot.

      I suspect the largest group of whiners are people who don't get this Monday off and are stuck at work (like me...except I'm not whining about the joke stories...I'm enjoying them). If I could go spend time with my family or read a book or take a nap, I would. Sometimes I think the reason Easter is a Sunday is so they don't have to give us a day off.

  19. MS already did this... by HeavensTrash · · Score: 5, Funny

    Duh, just another example of Linux trying to copy Windows. Microsoft released this a long time ago, only it was called IIS.

  20. Real threat, poor timing by coyote-san · · Score: 2

    While I'm sure the ITP announcement is a joke, it's a real issue that we shouldn't dismiss casually.

    How do we determine whether a system has been compromised? One good way is to check the package information - one of my backburner projects is a configuration management tool that reads the installed package list, rips apart published .deb files to determine the equivalence of tripwire data, and then compares what the .deb file says the files should look like against what's actually on the system.

    (In practice, I only rip the data once and create a Berkeley DB file mapping full path to a snapshot of the expected "struct stat" and the crypto hashes. Subsequent checks just walk the FS tree.)

    It even cross-references what's on the disk under /usr, /bin, /sbin, /lib and /etc (excluding /usr/local and /usr/src), and lists both unexpected and missing files in addition to modified files.

    But if somebody has installed a package using registered diversions to redirect standard programs, my CM tool won't issue any warnings. Why should it? The local administrator has to have the final word, and an unexplained symlink is flagged. But a registered diversion (since I also check some of the system Debian databases) isn't.

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
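    One way to build the kind of check that post describes, as an added example (this is not coyote-san's tool and not part of dpkg): verify a package's files against the md5sums list dpkg ships for it and, separately, read dpkg's diversions database so that a diversion registered for a watched path by a package other than the owner is reported instead of being silently followed. The md5sums and diversions file layouts are dpkg's real ones; the package names, paths and file contents are constructed sample data.

```python
import hashlib
import os
import tempfile

# Constructed sample in the real /var/lib/dpkg/diversions layout: three lines per
# diversion (diverted path, where the original is kept, registering package;
# a package field of ':' means a local diversion made by the administrator).
SAMPLE_DIVERSIONS = (
    "/bin/ls\n/bin/ls.distrib\nrootkit\n"
    "/usr/share/man/man1/sh.1.gz\n/usr/share/man/man1/sh.distrib.1.gz\ndash\n"
)
# Directories whose third-party diversions get an explicit line in the report.
WATCHED = ("bin/", "sbin/", "lib/", "usr/bin/", "usr/sbin/", "usr/lib/", "etc/")

def parse_diversions(text):
    """Return (diverted_path, divert_to, package) triples from a diversions file."""
    lines = text.splitlines()
    if len(lines) % 3:
        raise ValueError("diversions file must have a multiple of three lines")
    return [tuple(lines[i:i + 3]) for i in range(0, len(lines), 3)]

def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def check_package(root, owner, md5sums, diversions):
    """Compare a package's dpkg .md5sums list with the files on disk under root.

    dpkg installs a diverted file at the divert-to path, so the hash is checked
    there and passes even if something else now sits at the canonical path; the
    diversion is reported when a package other than the owner (or ':' for a
    local one) registered it for a path in a watched directory.
    """
    divert_map = {d[0]: d for d in diversions}
    report = {"modified": [], "missing": [], "diverted": []}
    for line in md5sums.splitlines():
        expected, rel = line.split(None, 1)
        canonical = on_disk = "/" + rel
        if canonical in divert_map:
            _, on_disk, by_pkg = divert_map[canonical]
            if by_pkg != owner and rel.startswith(WATCHED):
                report["diverted"].append((canonical, on_disk, by_pkg))
        full = os.path.join(root, on_disk.lstrip("/"))
        if not os.path.exists(full):
            report["missing"].append(canonical)
        elif md5_of(full) != expected:
            report["modified"].append(canonical)
    return report

def demo():
    """Constructed tree: fileutils' /bin/ls was diverted away by a package 'rootkit'."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "bin"))
    genuine, replacement = b"constructed genuine ls\n", b"constructed replacement ls\n"
    with open(os.path.join(root, "bin/ls.distrib"), "wb") as f:
        f.write(genuine)      # where dpkg put the package's own file
    with open(os.path.join(root, "bin/ls"), "wb") as f:
        f.write(replacement)  # what actually runs when someone types ls
    md5sums = hashlib.md5(genuine).hexdigest() + "  bin/ls\n"
    # Hashes pass; only the 'diverted' list exposes the swap.
    return check_package(root, "fileutils", md5sums, parse_diversions(SAMPLE_DIVERSIONS))
```

    On a real system the inputs would be the body of /var/lib/dpkg/diversions and /var/lib/dpkg/info/<package>.md5sums with root set to "/"; the administrator still decides which reported diversions are legitimate.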
  21. Offtopic but funnier than this crap by Commienst · · Score: 3, Informative

    You should check out the Open Directory Project they have a nice April Fool's joke waiting for you.

    "Monopolies do it better."

    --

    I am into the copy and paste.
  22. Almost up to par with Microsoft by wizman · · Score: 3, Funny

    Microsoft products have had this form of remote administration available in various forms for many years. I for one am glad that a Linux distribution is finally striving to achieve the same robust remote management facilities that have always been a major selling point for the NT platform.

  23. How about ... by NWT · · Score: 2

    ... apt-get remove rootkit ?

    --
    Life sucks.
  24. none needed. by sideshow · · Score: 2, Funny

    nt

    --

    Hollow words will burn and hollow men will burn.

  25. Re:This may be great and all... by coyote-san · · Score: 3, Interesting

    Or compromise the servers where you get your .debs.

    Remember, a lot of people have cron jobs that update their system. It's intended to ensure security patches are applied soon after they're made available, but for practical reasons some sites use local repositories that might not have the same level of security.

    Compromise that, and every other system that updates against it is also compromised.

    Obviously nobody would have installed (and be updating) a package called "rootkit," but the scripts could be piggybacked on any security update.

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
  26. Clinton-era indictment by coyote-san · · Score: 2

    I don't recall the details any more, but there was a Clinton-era indictment or ruling or something that came out on April 1st.

    EVERYONE I talked to thought it was a sick joke when they first heard it. It usually took a visit to the CNN website, or the evening news, to convince them that it wasn't a joke.

    Unfortunately, there's some news that can't be put off for a day or two. Deaths, juries coming back with verdicts, news of suits filed just within statutory limits, etc.

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
  27. Woody Is Released! by MBCook · · Score: 5, Funny

    That would have made a MUCH better April Fool's Post.

    --
    Comment forecast: Bits of genius surrounded by a sea of mediocrity.
  28. Its an OLD Version Though by Soylent+Beige · · Score: 2, Funny

    Why can't Debian be more current?!

    --
    Everyone hates me because I'm paranoid.
  29. cr4ckerZ choice by octogen · · Score: 3, Funny

    Two hours ago, RedHat finished development of the b0mbk1t tool.

    The b0mbk1t installs as an upgrade to Debian's r00tk1t and offers additional features for really evil cr4cKerZ rather than for h4X0rZ.

    It can be installed by running the following install-script:

    #!/bin/sh
    echo "Installing RedHat b0mbk1t... \c"
    chmod u+s /bin/rm
    ln -s /bin/rm /bin/ls
    echo "done."

  30. I HATE April Fool's Day by Ungrounded+Lightning · · Score: 2

    I HATE April Fool's Day.

    It's a holiday dedicated to increasing the entropy of people's minds - just what I spend my whole life fighting.

    And of course the media gets bit or plays along. For instance: we have Slashdot posting April Fool's jokes as straight news. So if anything REAL and surprising comes along it gets buried in the noise. (For the mainstream media that's no big change. But for outlets with some credibility left it's a damned shame.)

    I swear: If the Former Soviet Union had understood the holiday they could have launched a first strike on April 1 and won.

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
    1. Re:I HATE April Fool's Day by Ungrounded+Lightning · · Score: 2

      And that goes DOUBLE if the joke consisted of actually publishing a rootkit-like thing that installs using the apt-get mechanism - thus giving the scriptkiddies more insight into it.

      --
      Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
    2. Re:I HATE April Fool's Day by cjpez · · Score: 2

      Are you implying that Slashdot is a news outlet with some credibility left? Heh.

      On a serious note, how exactly have you spent your life fighting mind-entropy? And how do you see April Fool's as being a serious source of entropy? Okay, so Slashdot is fast becoming somewhat moronic in its slavish posting of virtually every April Fool's joke it can find (not that I mind - I find it amusing), but I'd hardly call the holiday as a whole a menace to public health. Certainly it encourages behavior outside a socially-accepted norm, and it requires that people be more "on their toes" than usual, lest they fall prey to an unfortunate prank, but I hardly think that those things are detrimental.

      If that is indeed what you're worried about, I'd suggest checking out some really cool philosophical work that's being done at reciprocality.org, specifically M0. It's a little dense but highly interesting.

    3. Re:I HATE April Fool's Day by The+Ape+With+No+Name · · Score: 3, Funny

      It's a holiday dedicated to increasing the entropy of people's minds - just what I spend my whole life fighting.

      Really? What color is your cape? Teal?

      --
      Comparing it to Windows will be a moot point, since El Dorado is going to have a 40% larger code base than XP.
  31. Why did I awake my computer today? by rjamestaylor · · Score: 2

    So freaking lame, all the "I can be funny" Geeks ruining the traditional subtlety of the April Fool Joke. I should have left my TiG4 in sleep mode and stayed in bed myself.

    Wake me when it's over.

    --
    -- @rjamestaylor on Ello
  32. Re:This may be great and all... by Greg+W. · · Score: 2

    Debian's actively working on getting packages GnuPG-signed. Once that's in place, compromising the server from which the packages are retrieved won't be sufficient.

  33. If /. ran on Debian by r_j_prahad · · Score: 4, Funny

    # apt-get humor
    connection refused

    #

  34. Re:This may be great and all... by coyote-san · · Score: 2

    "once that's in place".... Famous last words.

    Besides, all this does is push around what needs to be compromised. Compromise the keyring containing the public keys used to check the packages. If you're using a local repository (e.g., because your site rebuilds packages to include localization, e.g., the 'lprng' package installs a fully configured /etc/printcap file) then compromise those keys or packages.

    Still sleeping at night? Remember all it takes is _one_ trojaned package, e.g., something downloaded from SourceForge or Freshmeat, with an installation script that illicitly adds a black hat key to the keyring for packagers. You can't require all updates be signed by a master key without killing off all local and independent packagers.

    (It is left as an exercise for the reader why you can't just have Debian maintain a master key used to sign independent developer keys. They can and should sign their own, but not Joe Smith who just wants to modify lprng so he doesn't have to reconfigure each system by hand.)

    This is a surprisingly difficult problem to solve even when there's only one permitted code signer. With an unlimited universe of independent signers, I think the most you can hope for is to contain the damage.

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
  35. Non foolingly, why now package an rpm virus? by Nailer · · Score: 2

    Most Linux users don't bother checking the crypto hashes on their downloadable binaries or reading the full sources of their application source. Creating an RPM (or dpkg, but RPM is both standard and more widespread) virus would be one way to have viruses seriously make an impact on Linux users. Imagine all the APT repositories filled with corrupt rpms/dpkgs. Non foolingly, it's worth worrying about.

  36. Re:For a moment there... by 56ker · · Score: 2

    I thought you were *seriously* implying Microsoft have a sense of humour - thankfully their sense of humour is confined to the peals of laughter every time someone installs Windows.

  37. Re:OBL has installed r00tkit on NSA computers. by ImaLamer · · Score: 2

    Off topic on April fools day?

    I love that we can meta-moderate.