Korean Mozilla Binaries Infected
Magnus writes "Korean distributions of Mozilla and Thunderbird for Linux were infected with Virus.Linux.RST.b. This virus searches for executable ELF files in the current and /bin directories and infects them. It also contains a backdoor, which downloads scripts from another site, and executes them, using a standard shell."
Is this the first time a linux virus has been spreading in the wild?
Really? I wonder if this website really knows much about Linux at all. That's fine advice for a platform that has antivirus products.
This certainly doesn't bode well for these new 'IE is more secure than Firefox' claims.
Even so, as long as the user you run doesn't have write access to any executables (tis a good idea), you're fine.
This link is saying that Mozilla 1.7.6 and Thunderbird 1.0.2 Korean For Linux were infected. But it doesn't mention any other versions.
Old news? Crap that doesn't matter (any more)?
Then you'll know this virus was distributed on purpose or the core distribution was hacked and the hackers distributed it on purpose.
You'll also know that the virus isn't infecting *anything* unless you're running as root or you're using a version of kernel and glibc that have specific flaws to allow the virus to do something as a regular user. Are they using a kernel and software from 2001? Maybe, for all I know, but that's pretty irresponsible if they are.
This is such a non-issue for anyone except the stunned distributor that sent around the CDs. Not the first time it happened to the Windows world, either.
...Steve
But they need WRITE access to bin in order to inject the virus in the first place. However, you are correct in that most users do install as root in order to get the binaries into /usr. But I don't think the installer is what causes the infection. It is the execution of Mozilla that would infect a system. As long as root doesn't run Mozilla, it shouldn't be an issue.
-"...bad old ideas look confusingly fresh when they are packaged as technology" - Jaron Lanier (Digital Maoism on Edge.o
As I recall, Firefox (which is not the same as Mozilla, yes, I know) won't work quite right unless it is run as root once. Isn't that a security hole waiting to be exploited by something like this? Even a user who doesn't normally run as root can be hit with this situation.
I don't subscribe to RMS's GNUtopian vision.
Because most users run as root despite being smart enough to know it's safer not to. For the same reason New Orleans didn't have category 5 safe levees, most users spend a lot of their time running as root. It's simply easier to take the risk and, unless your system is critical, getting taken down once in a while just represents an opportunity to clean up. Especially in America, we like our freedom and we are risk takers. It's in our blood.
It's a fan site! Are you and the parent really suggesting that they should start applying international legal pressure to a fan site over use of the trademark? If they did, would you be sniping at them for that too?
That's because viruses on Linux are so rarely reported due to their limited scope of effectiveness. Since Windows is more popular in the combined server and desktop markets, outbreaks cause significantly more damage (though I'm willing to bet the damage caused per exploited system is a far lower average than the lower volume, but higher cost server attacks that UNIXes more often suffer). In addition, Windows users tend toward not being so, how to put it nicely, interested in learning the proper maintenance of their systems (hey, I'm not complaining, doing it for them pays my bills), so they tend to frequently get infected by things that don't exploit security holes in the systems but rather excess holes in the heads of the users.
Compare to Linux in which most exploits are a result of actual security problems in either the kernel or the supporting applications, and you have less widespread attacks that affect fewer systems.
Difference in market shares, my friend. If you want to exploit a Linux system you're probably an attacker targeting a specific network and installation for a very specific purpose (making this attack something of an oddball). If you're looking to exploit a Windows system, however, you're more likely just a general Internet thug trying to install spam bots and backdoors on home machines. The latter causes more problems since the target is a much, much larger pool of users, so the latter gets more heavily reported even though the targeted attacks usually cause more on-average damage.
mmm... So do you not think the phrase "Mozilla.org is the latest example" is just the teeniest bit misleading in this context? You know, what with most people taking "latest" to mean "happened very recently" as opposed to "even so, there hasn't been one for simply ages so I wouldn't get too worried".
Not that anyone would do such a thing deliberately, of course... Except I can't help wondering how many people pondering a change away from Windows/IE will read that and form a false impression of Mozilla and Linux.
Now who could that benefit, I wonder...
Don't let THEM immanentize the Eschaton!
The Mozilla foundation needs to pursue strong, immediate public action against NKing.com, holders of the mozilla.co.kr domain. Using the Mozilla name connotes official status, and they are trashing it badly. I would say stop releasing Korean builds until the domain is handed over to more responsible people.
If you download from a mirror you should always check the MD5/SHA1 Sum to ensure that you are getting the proper files, and that they haven't been tampered with.
What always amuses me is that most mirror sites also mirror the checksum files as well.
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
Really, I look at a situation like this and, rather than lament about the sorry state of the software involved, I really just want to know how to make it not happen. With UNIX systems, this shouldn't be an impossibility - right off the bat many people have said "don't be root to install", which does stop one point of failure in the process, but it doesn't solve the problem of _running_ the application as root.
Some solutions come to mind for things that you should be doing anyway (firewall traffic on ports not being officially served by a system; make /bin binaries immutable), but these only make it so that the actions taken by the virus fail (relatively) silently. No big klaxons going off to tell the admin that a program is misbehaving as root.
And might this be an argument for a Security Levels sort of system whereby things like "remove the immutable flag from /bin/bash" is made impossible without a reboot even for root, a la BSD?
Is there any sort of system-wide watchdog that can be put in place to monitor programs and catch actions that are outside the scope of its auspice? I think chroot can be used in a manner somewhat consistent with this idea, but not without resulting in some serious systemwide design complexity if you want to do it right. Any other thoughts?
Know ye not that ye are Gods???
Sites using mirrors should also provide instructions for less savvy users as to how to verify their binaries are un-tampered-with. A bit of education would mean lower rates of virus infection, which would be good for everyone.
Good point. I don't care about the checksum on the mirror so much as I care about the checksum on the master.
I can see something like the yum xml files where a downloader could automatically determine the source and verify the checksum.
Mozilla should at least block the mirrors from downloading the checksum files, force the mirrors to checksum their own files, and then have the master server crawl the mirrors and compare checksums files.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
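An added example (not code from the thread) that makes the point about mirror-served checksum files concrete: the same tampered download passes when checked against the mirror's own SHA1SUMS and fails against the master's. It assumes sha1sum (or shasum) and mktemp are available; the file names and contents are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: check a mirror download against the
# checksum list published by the master site, not the copy the mirror serves.
# Expects the "hash  filename" format that sha1sum -c uses.
if ! command -v sha1sum >/dev/null 2>&1; then sha1sum() { shasum -a 1 "$@"; }; fi

# verify_download FILE SUMS: returns 0 if FILE's SHA-1 matches its entry in
# SUMS, 1 on mismatch, 2 if SUMS has no entry for that file name.
verify_download() {
  name=$(basename "$1")
  expected=$(awk -v n="$name" '$2 == n { print $1 }' "$2")
  [ -n "$expected" ] || return 2
  actual=$(sha1sum "$1" | awk '{ print $1 }')
  [ "$actual" = "$expected" ]
}

# Constructed scenario: a master site, and a mirror whose copy of the build
# was replaced and whose SHA1SUMS was regenerated to match the replacement.
demo_verify() {
  d=$(mktemp -d)
  mkdir "$d/master" "$d/mirror"
  printf 'genuine build\n' > "$d/master/mozilla-1.7.6.tar.gz"
  ( cd "$d/master" && sha1sum mozilla-1.7.6.tar.gz > SHA1SUMS )
  printf 'tampered build\n' > "$d/mirror/mozilla-1.7.6.tar.gz"
  ( cd "$d/mirror" && sha1sum mozilla-1.7.6.tar.gz > SHA1SUMS )

  # Checking against the mirror's own sums proves nothing: they match.
  verify_download "$d/mirror/mozilla-1.7.6.tar.gz" "$d/mirror/SHA1SUMS" \
    && r1=pass || r1=fail
  # Checking against the master's sums catches the substitution.
  verify_download "$d/mirror/mozilla-1.7.6.tar.gz" "$d/master/SHA1SUMS" \
    && r2=pass || r2=fail
  rm -rf "$d"
  echo "mirror-sums:$r1 master-sums:$r2"
}
```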
If you're going to install a package such as FF, why bother going to an unofficial site that has had /known/ problems with security?
www.internetnews.com/security/article.php/3512081
Come on! Don't blame Mozilla.org for something that's not under their control. This goes double for the Windows idiots that point and say that "oo! FF is just as vulnerable!" and forgetting all about that this is just like going to "Shady Joe's Windows Upgrades" instead of microsoft.com for SP2.
--
BMO
If you want to include all or part of a Mozilla trademark in a domain name, you have to receive written permission from Mozilla. People naturally associate domain names with organizations whose names sound similar. Almost any use of a Mozilla trademark in a domain name is likely to confuse consumers, thus running afoul of the overarching requirement that any use of a Mozilla trademark be non-confusing. If you would like to build a Mozilla, Firefox Internet browser or Thunderbird e-mail client promotional site for your region, we encourage you to join an existing official localization project.
source
So Mozilla does state a policy regarding exactly what has occurred here. The problem is, U.S. trademark laws don't have any teeth in Korea. In fact, there is a U.S. government-run site that goes into great detail about how companies that have registered trademarks in the U.S. should not try to do business in Korea (or enforce their trademarks, of course) until they have registered their trademark in Korea, as well:
Basic intellectual property laws exist in Korea. However, protection of intellectual property and the laws governing enforcement of these protections are not necessarily extra-territorial. What is understood and practiced in the United States is not always practiced in Korea. U.S. companies wishing to sell their products or services in Korea should first and foremost find out if they have to register their intellectual property rights (copyright, trademark or patents) in Korea...One of the most frequent IPR problems facing U.S. businesses in Korea is trademark protection.
source
Now, the last piece relates to trademark use by localization teams. The site distributing the binaries was in fact run by a Korean Firefox localization team; however, Mozilla has yet to refuse their right to use the trademarks, as per Mozilla Foundation policy, which allows use by localization teams in general, and rejects only in specific instances:
It is very important that Community Releases of Firefox and Thunderbird maintain (or even exceed!) the quality level people have come to associate with Mozilla Firefox and Mozilla Thunderbird. We need to ensure this, but we don't want to get in people's way. So, we are taking an optimistic approach. Official L10n teams can start using the "Firefox Community Edition" and "Thunderbird Community Edition" trademarks from day one, but the Mozilla Foundation may require teams to stop doing so in the future if they are redistributing software with low quality and efforts to remedy the situation have not succeeded. Doing things this way allows us to give as much freedom to people as possible, while maintaining our trademarks as a mark of quality (which we are required to do in order to keep them).
source
I'll readily admit that I have no idea whether Mozilla has attempted to reject their right to use the Mozilla trademark, but given the warning found on U.S. government sites regarding trademark enforcement, I'd say it would be prodigal use of the foundation's limited resources. Further, there is nothing to indicate that there is in fact any "affiliation" whatsoever, as nowhere does Mozilla Foundation acknowledge the presence of the Korean site (although its URL does appear on a Mozilla-run wiki - who knows who put it there).
In any case, this reflects poorly only on the part of the Korean Localization Team, as Mozilla Foundation likely lacks the resources to successfully pursue a trademark infringement case abroad in Korea, and we have already established that the site is not an official Mozilla site (unlike, for example, http://www.mozilla-europe.org/ or
This has been a worry of mine for some time.
Notice that when you use MSIE on Windows, it shows you the true URL of the site you are downloading from. In the download box, it will show you the URL it's downloading from, and you can see Mozilla's choice of mirrors around the world.
With Firefox, however, you don't get to see this by default. It just shows the basename of the file you are downloading, not the full URL containing the hostname and directory path. By right-clicking on the progress bar in the Downloads popup window, and choosing Properties, you can then view the true URL, but many users don't know about this.
If the user has turned on the "Ask me where to save every file" option, the popup file-chooser window also unfortunately does not show the true URL. It would be an ideal place to show it in this window, as there seems to be plenty of room there.
Right now, I have to download the file multiple times, open the Properties to make sure I'm getting a different mirror, and then diff the files to make sure they're the same, before I can consider them trustworthy enough to install.
By itself, this is just a nitpick, but it turns into a nasty bug when combined with other things:
1) The user not being able to easily see the true originating URL of a file, before making the download decision
2) Mozilla's decision to use a huge variety of seemingly random sites as mirrors, some more questionable than others
3) Mozilla's decision to not have any way whatsoever of verifying the integrity of the download, such as a cryptographic signature
Put all three together, and it's virus time!
Microsoft: Smug Mode.
With the large numbers of mirrors Mozilla uses, spread throughout the world, the odds of someone sneaking malware in there (either by ignorance, hacking, or a good old-fashioned bribe) is quite high.
The solution probably lies in a plugin. If there's not already a plugin to let the user plainly see the true URL and verify where files are coming from, it should be made (I wish I knew how). The plugin should also have some cryptographic method of verifying a downloaded file, and Mozilla should sign all releases with a strong key. It's just basic common sense, and I'm shocked Mozilla hasn't done this already.
Dr. Demento On The 'Net!
ruby~# cat > /tmp/cat
-su: /tmp/cat: Text file busy
Same thing here. As soon as I quit the cat process still running from that binary, I can alter the binary.
Although unlinking and then replacing the binary would work.
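The "Text file busy" exchange above, as an added example not from the thread: it copies /bin/sleep (assumed present) to a temp directory, runs it, attempts an in-place write, then unlinks and replaces the path while the original process keeps running. Whether the in-place write is refused depends on the kernel; the unlink-and-replace step succeeds regardless, which is why an immutable flag rather than a running process is what actually protects a binary.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes /bin/sleep exists and that
# mktemp can create a writable temp directory.
textbusy_demo() {
  d=$(mktemp -d)
  cp /bin/sleep "$d/victim"
  "$d/victim" 60 &              # keep the copied binary running
  pid=$!
  sleep 1

  # 1) In-place write to the running executable: refused with ETXTBSY on
  #    kernels that still deny write access to executing files.
  if ( : >> "$d/victim" ) 2>/dev/null; then inplace=writable; else inplace=busy; fi

  # 2) Unlink and recreate the path: always allowed, because the running
  #    process holds the old inode and the new file is a different one.
  rm -f "$d/victim"
  printf '#!/bin/sh\necho replaced\n' > "$d/victim"
  chmod +x "$d/victim"
  replaced=$("$d/victim")

  # 3) The original process is untouched and still runs from the unlinked inode.
  if kill -0 "$pid" 2>/dev/null; then original=running; else original=gone; fi

  kill "$pid" 2>/dev/null || true
  wait "$pid" 2>/dev/null || true
  rm -rf "$d"
  echo "inplace:$inplace path:$replaced original:$original"
}
```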