Slashdot Mirror
Korean Mozilla Binaries Infected
Magnus writes "Korean distributions of Mozilla and Thunderbird for Linux were infected with Virus.Linux.RST.b. This virus searches for executable ELF files in the current and /bin directories and infects them. It also contains a backdoor, which downloads scripts from another site, and executes them, using a standard shell."
...expect to see more of this as the popularity of OSS continues. Of course, unlike Windows it won't get far since MOST users are smart enough to not be running as root.
-"...bad old ideas look confusingly fresh when they are packaged as technology" - Jaron Lanier (Digital Maoism on Edge.o
I can hear it now; "See, FF isn't as secure as its supporters claim it is."
Whatever.
Considering this only affects one operating system (Linux) and occured in only one area of the world (Korea), despite this flaw it's still a whole bunch better than getting an update for IE our Outlook and having everyone who uses Windows, regardless of where they are in the world, being infected.
We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
That's odd... I learned here that Mozilla is clearly more responsive to security bugs than Microsoft. What gives?
You mean besides the fact that the binaries were removed as soon as they found out?
Well, the symantec description wasn't very useful to me. But if I read it right, the virus tries to infect /bin. But iirc it will have to be run with root privileges in order to be able to infect /bin. Dunno about you guys, but I never ever unpacked firefox builds into my home directory when running as root. Basic security. So, if I understand this correctly, it only infects /bin when you've been sloppy. Not much of a threat, is it?
----- One learns to itch where one can scratch.
I'm assuming this can only occur if you installed the virus infected material as root?
Nothing new here....if you install software as root from a compromised source and don't check the md5sums along with other precautions you put yourself at risk
It is. The fact that the only way for it to be effective is to pre-infect the original distribution. Which means someone miscopulated the canine. Still cant get around human fallibility in that regard.
Linux is still much more secure in its raw state than almost any closed-source product even after post-install configuration. Anyone with a modicum of experience with a fresh *nix installation will likely spot this before it does any real damage.
Suppose it was only a matter of time before someone figured this out though. Goes to show you, it is not a good idea to hook any system up to a network or the web before you finish the basic post-install configurations.
Stupid Humans.....
Where does it says it spread?
It is a 3 years old thing and it never spread, why should it now?
It has been found somewhere on some server in some package.
OK, then?
Distros build their version of softwares from source, they check the sources, their users get their software from their distro.
End of the story.
Moral of the story:
-don't download binaries from other sources than your distro.
-don't install binaries from other sources than your distro as root.
I believe the point is if MS did this, it wouldn't matter how fast they removed the infected binaries, there would be a string of posts pontificating on how this clearly demonstrates linux/firefox as superior. And they'd all be modded +5.
Of course saying the reverse here will quickly get you troll/flamebait/overated down to -1.
East Coast Brewers
OK, really paranoid, conspiracy-theory thought here... Yesterday, Symantec, a vendor with an AV product, releases a report claiming that Mozilla is not as secure as IE. Today, a news story comes out that a download of Mozilla from some website in Korea has been trojaned. Anyone else wondering if Symantec placed the infected files in Korea to boost sales of either their Linux AV product (haven't checked to see if there is one yet) or their security consluting services?
My late-night googling skills are failing to find a reference, but I remember some stories from a couple years back about AV companies writing and releasing new viruses to pad their list of known viruses. If that was true, then I wouldn't put a stunt like this past them.
If you've read TFA, you'd know that this has virtually nothing to do with mozilla or OSS.
A third party, a mozilla fan site in korea, distributed infected binaries.
If you find an infected version of Winzip on an internet site, would you blame Winzip.com ?
Probable impossibilities are to be preferred to improbable possibilities.
Aristotele
I use a lot of OS software (e.g. Firefox, NeoOffice/J, LyX, R), but the standard installation process on my platform (OS X) does not allow checking for an authentic signature. Why is this not built in? It doesn't have to be this way: for instance, Red Hat signs its own RPMs (though Debian's APT didn't support this last time I looked).
We already have to trust the developers. We shouldn't have to trust every FTP server too.
One of the reasons that people supported Linus trademarking Linux was to prevent other people from releasing buggy code.
How is this different?
This is not about Mozilla distributing infected binaries. Mozilla did not. If they had, your analogy would be correct.
This is about a 3rd party site distributing binaries of compiled Mozilla code that were infected.
The only Microsoft comparision that can be made would be if HP (or some OEM) shipped WinXP computers with a virus.
The real question is how did that virus get there in the first place. It's been around for a while but it doesn't spread.
Writing a virus for Linux is easy.
Getting that virus onto someone else's box is very difficult.
Getting that virus to spread from that box is even more difficult.
Linux viruses have an infection rate that is lower than their removal rate so they die in the wild.
The real question is how did that virus get into that code? Linux viruses tend to have total infection numbers of less than 100 machines.
Let's compare apples to apples here. If MS was offering infected binaries form one of THEIR sites, yes, we'd be jumping down their throat. On the other hand, if MS decided to let Download.com distribute versions of a "freeware" application (like Messenger), and the binaries on Download.com were infected, most of us would just be avoiding Download.com like the plague. Sure, some people would still blame Microsoft, just as some people are going to blame Mozilla here.
Now, having said all of that, I'll bring up the question of accountability. Since Mozilla is being distributed by public mirrors, it's probably a REALLY good idea to have some sort of guidelines that need to be met by the administrators to make sure this doesn't happen on a "Mozilla-certified" mirror. Maybe this is already in place.
GreyPoopon
--
Why is it I can write insightful comments but can't come up with a clever signature?
That's a falacy. Linux is just as vunerable to trojaned installers as any other OS. You install mozilla as root, right? Debian apt runs as root, so you'd better be trusting those apt repositories, and all of the contributers.
OS security does help against worms and other methods of infection, but dealling with trojans is a 90% user function. This improved security, along with market share (as you point out) is what makes Linux "safer". To get a virus on Linux, you essentially have to do something wrong yourself. Which is no consolation to the gran and grandpa users, "Download Weather Bar (linux version) popups" are only a few years away...
And sadly, Linux administrators have been unable to suitably protect their systems in all this time, so it continues to be a pain in the ass, never really going away. I work for a hosting company, and I've dug Linux.RST.b out of too many servers.
/bin like "grep" start crashing. Tends to make boot up and shutdown clumsily fail.
I think too many Linux admins don't believe there's such a thing as a Linux virus. Usually the easiest way to recognize the infection is if a large number of common programs in
I don't care, but don't let that stop you from trying to tell me anyway.
To get infected on Windows you... have to turn the system on. As far as I can tell.
Sure a lot of Windows infections are because the user downloaded and installed binaries from untrusted third parties, but equally as many just turned their computers on.
If you ran untrusted binaries on your Apple you'd be exposing yourself to similar risk. Hell, we used to have the same problem on IBM mainframes back in the '80's -- every year around chistmas time all the freshmen would run those greeting card programs in their in-boxes and bring the network down as the trojan spread itself to everyone in their address book. Windows just eliminates a lot of the work for you.
As the Linux userbase expands into increasingly less clueful segments of the population compromised systems are going to be more of a problem, but I predict that even if the installed Linux base ever grows to the size that Windowss is, the problem won't be as severe as it is on Windows. Unless everyone's running Lindows...
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?