Slashdot Mirror

← Back to Stories (view on slashdot.org)

Korean Mozilla Binaries Infected

Posted by CmdrTaco on from the caught-with-their-pants-down dept.

Magnus writes "Korean distributions of Mozilla and Thunderbird for Linux were infected with Virus.Linux.RST.b. This virus searches for executable ELF files in the current and /bin directories and infects them. It also contains a backdoor, which downloads scripts from another site, and executes them, using a standard shell."

9 of 592 comments (clear)

  1. Virus data by NoInfo · · Score: 5, Informative

    This virus has been in the wild since at least early 2002.

    Here's Symantec's take on the virus:

    http://securityresponse.symantec.com/avcenter/venc /data/linux.rst.b.html

    --
    bug.gd: error search engine. Humanity working together to solve all errors.
  2. Black day for Unix Firefox users by teslatug · · Score: 5, Informative

    A new flaw affecting Firefox users under Unix allows webmasters to craft a URL that when run from an application like Evolution can execute any command. The flaw stems from the use of backticks in the shell script used to launch Firefox. Read more about it here on the Secunia advisory. Version 1.0.7 fixing the flaw is already out.

  3. Re:Secure.. by Anonymous Coward · · Score: 5, Informative

    Actually Linux is more secure. If you run mozilla as a normal user, then mozilla and the virus can't write to the files in /bin, and therefor can't do any really servere damage.

  4. Re:6 stories down on the front page by tpgp · · Score: 5, Informative
    "Mozilla hits back at browser security claim"

    Funny? Yes. True? No - you see its not exactly a mozilla problem.

    Whilst searching for more information about this, I stumbled across this pagelast time these servers were hacked in June).

    Choice quote:

    Unlike Mozilla Europe, Mozilla Japan and Mozilla China, the Korean Mozilla site is not officially affiliated with the Mozilla Foundation.


    So, its not mozilla.org (the article states "on public servers. Mozilla.org is the latest example")

    Its someone who's taken the mozilla source and made their own binaries. A problem yes, a serious problem even, but not to the scale that Kaspersky Labs would have us believe.

    Who would have thought it? A security company overhyping an issue!

    I'm not sure why they bother. Do they really think stories like this are going to make linux users go and buy their security 'solution'?
    --
    My pics.
  5. Normal installation runs binaries as root by Bogtha · · Score: 4, Informative

    Before everybody starts pointing out that they don't browse the web with their root account, and so can't write to any of the binaries on their system, you should be aware that one of the infected files is the installer - which most people do run as root.

    Also, even if you don't run the installer binary, but simply unpack the tarball manually, the release notes tell you to run included binaries as root as part of the normal multi-user installation process.

    --
    Bogtha Bogtha Bogtha
  6. Re:Virus data - It's old! RTFM by Anonymous Coward · · Score: 4, Informative

    If the poster would have read and UNDERSTOOD the original article, he would have realised that it was only a general hint about dangers that can happen when you dowload binaries. He refers to an OLD mozilla security breach (check out the version numbers).

    "Infected binary or source code files aren't anything new. And sometimes they are found on public servers. Mozilla.org is the latest example.

    Korean distributives for mozilla and thunderbird for linux turned out to be infected - mozilla-installer-bin from mozilla-1.7.6.ko-KR.linux-i686.installer.tar.gz and mozilla-xremote-client from thunderbird-1.0.2.tar.gz were infected with Virus.Linux.RST.b"

  7. no surprise by burnin1965 · · Score: 5, Informative
    The web site was hacked 3 months ago and back then they admitted the site was not an official Mozilla site.

    http://www.mozillazine.org/talkback.html?article=6 771


    Sorry for hack.
    by channy

    Thursday June 9th, 2005 6:39 PM

    Reply to this message

    This is Channy Yun, leader of Mozilla Korean Community. This site is not official web sites of Mozilla Foundation. And this hack is orginated by no patch for PHP vulnerability of my hosting company for mozilla.or.kr. I will change it with backup and fix it with my ISP. Sorry for your worry.


    I'm thinking they should give up their domain which likely causes the confusion and give the false impression that what you are downloading from the site is an official Mozilla binary.

    burnin
  8. Re:Alan Cox was right by seifried · · Score: 4, Informative

    Uhh every major RPM based distro (Red Hat, SuSE, Mandriva, Trustix, etc, etc.) does this. Third party guys like Dag who distribute literally hundreds pf RPM's also sign their packages (thus if I have Dag's key I can verify his RPM's regardless of where I actually get them. In RPM based systems adding a key consists of:

    Download the key (RPM-GPG-KEY-fedora for example)
    rpm --import RPM-GPG-KEY-fedora

    And voila. This works for third party developer's keys.

    As for your other comments they are just misinformed, you should read the article maybe. Or not and justmake stuff up, that works too.

  9. Because you cannot ... by khasim · · Score: 4, Informative
    Care to support that assertion with some solid facts and numbers?
    http://securityresponse.symantec.com/avcenter/ve nc/data/linux.cheese.worm.html

    http://securityresponse.symantec.com/avcenter/venc /data/tfn2k.html

    http://securityresponse.symantec.com/avcenter/venc /data/linux.adore.worm.html

    http://securityresponse.symantec.com/avcenter/venc /data/linux.hijacker.worm.html

    http://securityresponse.symantec.com/avcenter/venc /data/linux.jac.8759.html

    You see? All but one had "number of sites" between 0 and 2.

    They
    Do
    Not
    Spread

    Linux's security model is far more effective than Microsoft's one for Windows.

    Anyone can write a virus/worm/trojan for Linux, but they cannot get them to spread beyond any machine that they themselves do no have access to.