Korean Mozilla Binaries Infected
Magnus writes "Korean distributions of Mozilla and Thunderbird for Linux were infected with Virus.Linux.RST.b. This virus searches for executable ELF files in the current and /bin directories and infects them. It also contains a backdoor, which downloads scripts from another site, and executes them, using a standard shell."
This virus has been in the wild since at least early 2002.
Here's Symantec's take on the virus:
http://securityresponse.symantec.com/avcenter/ven
It's a virus?... for Linux? I'm sorry, but I just don't understand the situation?
Guess anything that can be programmed is also vulnerable, regardless of how impenetrable it is.
"Mozilla hits back at browser security claim"
BWAHAHAHAHAHAHA.
Oh, wait.
Birdflu ?
...expect to see more of this as the popularity of OSS continues. Of course, unlike Windows it won't get far since MOST users are smart enough to not be running as root.
-"...bad old ideas look confusingly fresh when they are packaged as technology" - Jaron Lanier (Digital Maoism on Edge.o
Is this the first time a linux virus has been spreading in the wild?
A new flaw affecting Firefox users under Unix allows webmasters to craft a URL that when run from an application like Evolution can execute any command. The flaw stems from the use of backticks in the shell script used to launch Firefox. Read more about it here on the Secunia advisory. Version 1.0.7 fixing the flaw is already out.
They could have easily replaced the app signatures to match the infected binaries.
-mkb
I can hear it now; "See, FF isn't as secure as its supporters claim it is."
Whatever.
Considering this only affects one operating system (Linux) and occurred in only one area of the world (Korea), despite this flaw it's still a whole bunch better than getting an update for IE or Outlook and having everyone who uses Windows, regardless of where they are in the world, being infected.
We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
And that applies to Linux as well. Yet another example of why you should have an up-to-date antivirus solution, and scan EVERYTHING you download, without exception. This is what we ought to teach end users to practice, and system admins also need to follow advice on this. Understanding SELinux, firewalling and virus detection is crucial.
Scott McNealy to Michael: "Suck my Sun!" Michael Dell to Scott : "Lick my Dell!"
Exactly. If you run as root, you're a moron. If you run as a regular user, then the only thing you might hose is your own /home dir. If you're a smart user, you've been backing up your /home dir to a location that only root can access... That way recovery is painless. Very different from Windows where you have to reinstall the OS to be sure you're clean. (BTW, we're talking home users, not corporate users)
First the unofficial Korean Mozilla site in July, and now long obsolete versions of the Korean Mozilla (not Firefox) and Korean Thunderbird builds. I doubt anyone was infected, nor was that likely the intent, especially given the old, neither stable nor current, version numbers, but one thing is clear. Someone out there really doesn't like Koreans.
Actually Linux is more secure. If you run Mozilla as a normal user, then Mozilla and the virus can't write to the files in /bin, and therefore can't do any really severe damage.
Well, the symantec description wasn't very useful to me. But if I read it right, the virus tries to infect /bin. But iirc it will have to be run with root privileges in order to be able to infect /bin. Dunno about you guys, but I never ever unpacked firefox builds into my home directory when running as root. Basic security. So, if I understand this correctly, it only infects /bin when you've been sloppy. Not much of a threat, is it?
----- One learns to itch where one can scratch.
I'm assuming this can only occur if you installed the virus infected material as root?
Nothing new here....if you install software as root from a compromised source and don't check the md5sums along with other precautions you put yourself at risk
Then you'll know this virus was distributed on purpose or the core distribution was hacked and the hackers distributed it on purpose.
You'll also know that the virus isn't infecting *anything* unless you're running as root or you're using a version of kernel and glibc that have specific flaws to allow the virus to do something as a regular user. Are they using a kernel and software from 2001? Maybe, for all I know, but that's pretty irresponsible if they are.
This is such a non-issue for anyone except the stunned distributor that sent around the CDs. Not the first time it happened to the Windows world, either.
...Steve
As I recall, Firefox (which is not the same as Mozilla, yes, I know) won't work quite right unless it is run as root once. Isn't that a security hole waiting to be exploited by something like this? Even a user who doesn't normally run as root can be hit with this situation.
I don't subscribe to RMS's GNUtopian vision.
It is. The fact that the only way for it to be effective is to pre-infect the original distribution. Which means someone miscopulated the canine. Still can't get around human fallibility in that regard.
Linux is still much more secure in its raw state than almost any closed-source product even after post-install configuration. Anyone with a modicum of experience with a fresh *nix installation will likely spot this before it does any real damage.
Suppose it was only a matter of time before someone figured this out though. Goes to show you, it is not a good idea to hook any system up to a network or the web before you finish the basic post-install configurations.
Stupid Humans.....
Since if you run it as a normal user on Windows it cannot damage the system files either :)
Before everybody starts pointing out that they don't browse the web with their root account, and so can't write to any of the binaries on their system, you should be aware that one of the infected files is the installer - which most people do run as root.
Also, even if you don't run the installer binary, but simply unpack the tarball manually, the release notes tell you to run included binaries as root as part of the normal multi-user installation process.
Bogtha Bogtha Bogtha
If the poster had read and UNDERSTOOD the original article, he would have realised that it was only a general hint about dangers that can happen when you download binaries. He refers to an OLD Mozilla security breach (check out the version numbers).
"Infected binary or source code files aren't anything new. And sometimes they are found on public servers. Mozilla.org is the latest example.
Korean distributives for mozilla and thunderbird for linux turned out to be infected - mozilla-installer-bin from mozilla-1.7.6.ko-KR.linux-i686.installer.tar.gz and mozilla-xremote-client from thunderbird-1.0.2.tar.gz were infected with Virus.Linux.RST.b"
Who is that guy who doesn't feel it necessary to specify that "/bin directories" can't be written to by non-root users... Jeez, "all about internet security", really? Make your facts accurate!
This Linux virus was not an effective virus in 2002. It is even less effective now. The Firefox was about 2 versions old, so the infection rate is extremely low.
because most users run as root despite being smart enough to know it's safer not to. For the same reason New Orleans didn't have category 5 safe levees, most users spend a lot of their time running as root. It's simply easier to take the risk and, unless your system is critical, getting taken down once in a while just represents an opportunity to clean up. Especially in America, we like our freedom and we are risk takers. It's in our blood.
Do you think we can blame this on the North Korean Hacker army we've been hearing about?
...is what's on the line here, not the security of Firefox. Installing someone else's code is always insecure if they can't be trusted. I still trust Mozilla, but I'm really shocked by this.
OK, really paranoid, conspiracy-theory thought here... Yesterday, Symantec, a vendor with an AV product, releases a report claiming that Mozilla is not as secure as IE. Today, a news story comes out that a download of Mozilla from some website in Korea has been trojaned. Anyone else wondering if Symantec placed the infected files in Korea to boost sales of either their Linux AV product (haven't checked to see if there is one yet) or their security consulting services?
My late-night googling skills are failing to find a reference, but I remember some stories from a couple years back about AV companies writing and releasing new viruses to pad their list of known viruses. If that was true, then I wouldn't put a stunt like this past them.
When are people going to learn that the only truly secure computer is the one that's free of any connection to anything, wired or otherwise, powered off, encased in concrete, and then shot into the sun? Anything that people build will have some kind of vulnerability. The trick is mitigating them so that damage is minimal.
Come on...this isn't rocket surgery. Use some common sense.
This is not a sig. this is a duck. quack.
Maybe the perp behind was the magnificent and dear chairman Kim Jong-Il himself? I really can't think of anyone else clever enough with skills mad skillz to pull it off.
While you're right that one normally installs software as root, installing software from an FTP site without checking at least the md5sum from a trusted origin is dumb.
Unfortunately this part can't be fully automated, because you would rely on the untrusted package to find the originator's sources, which can be faked, obviously..
If installation on Linux were standardised, maybe just ask the user where the originator's website for the software is.
But Linux distributions can't even standardise on a common packaging format, so standardising on a common installation tool is a pipe dream..
I use a lot of OS software (e.g. Firefox, NeoOffice/J, LyX, R), but the standard installation process on my platform (OS X) does not allow checking for an authentic signature. Why is this not built in? It doesn't have to be this way: for instance, Red Hat signs its own RPMs (though Debian's APT didn't support this last time I looked).
We already have to trust the developers. We shouldn't have to trust every FTP server too.
This is not about Mozilla distributing infected binaries. Mozilla did not. If they had, your analogy would be correct.
This is about a 3rd party site distributing binaries of compiled Mozilla code that were infected.
The only Microsoft comparison that can be made would be if HP (or some OEM) shipped WinXP computers with a virus.
The real question is how did that virus get there in the first place. It's been around for a while but it doesn't spread.
Yes, you'll download it from microsoft.com, not from microsoft.kr. Hmm, why not take the same care when downloading Mozilla?
Just because those responses are predictable doesn't mean that some of them aren't also true.
Besides, Microsoft is constantly broadcasting the message that Linux sucks, and they are paying billions a year to have that message repeated wherever they can. Do you expect Linux supporters to just respond once and then shut up?
Microsoft has bought the airwaves, print publications, billboards, and face time to get their message across. Leave the rest of us a little space on discussion groups for expressing our views.
Writing a virus for Linux is easy.
Getting that virus onto someone else's box is very difficult.
Getting that virus to spread from that box is even more difficult.
Linux viruses have an infection rate that is lower than their removal rate so they die in the wild.
The real question is how did that virus get into that code? Linux viruses tend to have total infection numbers of less than 100 machines.
http://www.mozillazine.org/talkback.html?article=
I'm thinking they should give up their domain which likely causes the confusion and give the false impression that what you are downloading from the site is an official Mozilla binary.
burnin
mmm... So do you not think the phrase "Mozilla.org is the latest example" is just the teeniest bit misleading in this context? You know, what with most people taking "latest" to mean "happened very recently" as opposed to "even so, there hasn't been one for simply ages so I wouldn't get too worried".
Not that anyone would do such a thing deliberately, of course... Except I can't help wondering how many people pondering a change away from Windows/IE will read that and form a false impression of Mozilla and Linux.
Now who could that benefit, I wonder...
Don't let THEM immanentize the Eschaton!
ActiveX is a stupid security model. That is why so many exploits for it exist and why you have to keep your anti-virus signatures updated every day.
There is no equivalent in FireFox.
Anyone, anywhere can put up infected FireFox binaries. Whether anyone will ever download and install them is another matter.
But Mozilla as a whole (the organisation and the products) are already getting bad press for this.
People have complained in the past about the Mozilla organisation being heavy handed about trademarks, and trademarks (eg the Linux one) have been getting a bad rap in general. But here's the other side of the coin - the actions of an organisation that identify themselves as "Mozilla", even though they're _not_ the Mozilla foundation, are tarnishing the reputation of the genuine article.
rm -rf ~/*
.. :)
Severe enough
The Mozilla foundation needs to pursue strong, immediate public action against NKing.com, holders of the mozilla.co.kr domain. Using the Mozilla name connotes official status, and they are trashing it badly. I would say stop releasing Korean builds until the domain is handed over to more responsible people.
See! Windows and IE ARE more secure!!!
MWHAHAHAHAHA!!!!!!!!!
The larger number of exploits in Firefox is just the tip of the ice berg!
Open Source, you are going DOWN!
And I for one, welcome our new DRM laden overlords.
Oh, wait, they're not NEW overlords, they've been the overlords for a few decades now.
Well, I welcome them anyway.
"Live Free or Die." Don't like it? Then keep out of the USA
To get infected on Windows you... have to turn the system on. As far as I can tell.
Sure a lot of Windows infections are because the user downloaded and installed binaries from untrusted third parties, but equally as many just turned their computers on.
If you ran untrusted binaries on your Apple you'd be exposing yourself to similar risk. Hell, we used to have the same problem on IBM mainframes back in the '80s -- every year around Christmas time all the freshmen would run those greeting card programs in their in-boxes and bring the network down as the trojan spread itself to everyone in their address book. Windows just eliminates a lot of the work for you.
As the Linux userbase expands into increasingly less clueful segments of the population, compromised systems are going to be more of a problem, but I predict that even if the installed Linux base ever grows to the size that Windows is, the problem won't be as severe as it is on Windows. Unless everyone's running Lindows...
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Downloading from any mirror, official or not is fine as long as you check the archive using md5 or sha1 (or ideally, gpg) from the main site, which provides signatures for every archive.
Though what I don't know is why mozilla doesn't insist more on that (you have to go on the ftp site clicking on "other systems" to find the checksums and signatures : ftp thunderbird)
It's about freaking time virus writers started supporting Linux and Mozilla...
Err, wait...
// file: mice.h
#include "frickin_lasers.h"
The distribution system is how people get the code. If the md5sums from the main site are valid, then why not download from the main site?
Once you start installing apps from random sites you open yourself up for all kinds of problems. Yeah. Keep believing that. Maybe you've heard of this stuff called "spyware" that infects machines via IE's ActiveX implementation.
Or maybe you haven't heard that a restricted user cannot use IE because the permissions aren't correct.
So, on Windows, you must have elevated permissions just to use the various apps and THAT is what results in so many infections.
Really, I look at a situation like this and, rather than lament about the sorry state of the software involved, I really just want to know how to make it not happen. With UNIX systems, this shouldn't be an impossibility - right off the bat many people have said "don't be root to install", which does stop one point of failure in the process, but it doesn't solve the problem of _running_ the application as root.
Some solutions come to mind for things that you should be doing anyway (firewall traffic on ports not being officially served by a system; make /bin binaries immutable), but these only make it so that the actions taken by the virus fail (relatively) silently. No big klaxons going off to tell the admin that a program is misbehaving as root.
And might this be an argument for a Security Levels sort of system whereby things like "remove the immutable flag from /bin/bash" is made impossible without a reboot even for root, a la BSD?
Is there any sort of system-wide watchdog that can be put in place to monitor programs and catch actions that are outside the scope of its auspice? I think chroot can be used in a manner somewhat consistent with this idea, but not without resulting in some serious systemwide design complexity if you want to do it right. Any other thoughts?
Know ye not that ye are Gods???
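One modest answer to the "watchdog" question in the comment above is a baseline-and-compare check over the ELF files in a directory such as /bin, which is exactly the set RST.b is described as modifying. This is an added example, not code from the thread or from any project it mentions; the directory contents and the "altered" file in demo() are constructed.

```python
"""Baseline-and-compare integrity check for ELF binaries in a directory.
Added example (not from the thread). It hashes every ELF file under a
directory, then reports files that changed, appeared, vanished, or are
writable by non-owners, which is the "klaxon" a quiet immutable flag lacks."""
import hashlib
import os
import stat
import tempfile

ELF_MAGIC = b"\x7fELF"

def is_elf(path):
    """True if the file starts with the ELF magic bytes (the files RST.b targets)."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) == ELF_MAGIC
    except OSError:
        return False

def sha256_of(path):
    """Stream the file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(directory):
    """Map relative path -> sha256 for every regular (non-symlink) ELF file."""
    baseline = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            if os.path.islink(full) or not is_elf(full):
                continue
            baseline[os.path.relpath(full, directory)] = sha256_of(full)
    return baseline

def compare_baseline(directory, baseline):
    """Return findings: modified, new, missing, and group/world-writable ELF files."""
    current = build_baseline(directory)
    findings = {"modified": [], "new": [], "writable": []}
    for rel, digest in sorted(current.items()):
        if rel not in baseline:
            findings["new"].append(rel)
        elif baseline[rel] != digest:
            findings["modified"].append(rel)
        mode = os.stat(os.path.join(directory, rel)).st_mode
        if mode & (stat.S_IWGRP | stat.S_IWOTH):  # someone other than the owner can rewrite it
            findings["writable"].append(rel)
    findings["missing"] = sorted(set(baseline) - set(current))
    return findings

def demo():
    """Constructed scenario: a fake bin dir is baselined, then one ELF file is altered."""
    d = tempfile.mkdtemp()
    for name in ("ls", "cat"):
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(ELF_MAGIC + b"\x01\x01\x01" + b"\x00" * 61)  # constructed ELF header
        os.chmod(os.path.join(d, name), 0o755)
    baseline = build_baseline(d)
    with open(os.path.join(d, "ls"), "ab") as fh:
        fh.write(b"\x00" * 16)  # any change to the bytes is enough to be flagged
    return compare_baseline(d, baseline)
```

In practice the baseline would be written to read-only or off-host storage right after installation and the comparison run from cron, so that a modified binary is reported rather than silently failing.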
http://securityresponse.symantec.com/avcenter/ven
http://securityresponse.symantec.com/avcenter/ven
http://securityresponse.symantec.com/avcenter/ven
http://securityresponse.symantec.com/avcenter/ven
You see? All but one had "number of sites" between 0 and 2.
They
Do
Not
Spread
Linux's security model is far more effective than Microsoft's one for Windows.
Anyone can write a virus/worm/trojan for Linux, but they cannot get them to spread beyond any machine that they themselves do not have access to.
That's why you keep your home directory on a RAID, duh! :)
LRC, the best-read libertarian site on the web
If you run mozilla as a normal user
But you'll have installed it as root, and the installer was infected, and you're still screwed.
It's official. Most of you are morons.
If you're going to install a package such as FF, why bother going to an unofficial site that has had /known/ problems with security?
www.internetnews.com/security/article.php/3512081
Come on! Don't blame Mozilla.org for something that's not under their control. This goes double for the Windows idiots that point and say that "oo! FF is just as vulnerable!" and forgetting all about that this is just like going to "Shady Joe's Windows Upgrades" instead of microsoft.com for SP2.
--
BMO
This has been a worry of mine for some time.
Notice that when you use MSIE on Windows, it shows you the true URL of the site you are downloading from. In the download box, it will show you the URL it's downloading from, and you can see Mozilla's choice of mirrors around the world.
With Firefox, however, you don't get to see this by default. It just shows the basename of the file you are downloading, not the full URL containing the hostname and directory path. By right-clicking on the progress bar in the Downloads popup window, and choosing Properties, you can then view the true URL, but many users don't know about this.
If the user has turned on the "Ask me where to save every file" option, the popup file-chooser window also unfortunately does not show the true URL. It would be an ideal place to show it in this window, as there seems to be plenty of room there.
Right now, I have to download the file multiple times, open the Properties to make sure I'm getting a different mirror, and then diff the files to make sure they're the same, before I can consider them trustworthy enough to install.
By itself, this is just a nitpick, but it turns into a nasty bug when combined with other things:
1) The user not being able to easily see the true originating URL of a file, before making the download decision
2) Mozilla's decision to use a huge variety of seemingly random sites as mirrors, some more questionable than others
3) Mozilla's decision to not have any way whatsoever of verifying the integrity of the download, such as a cryptographic signature
Put all three together, and it's virus time!
Microsoft: Smug Mode.
With the large numbers of mirrors Mozilla uses, spread throughout the world, the odds of someone sneaking malware in there (either by ignorance, hacking, or a good old-fashioned bribe) is quite high.
The solution probably lies in a plugin. If there's not already a plugin to let the user plainly see the true URL and verify where files are coming from, it should be made (I wish I knew how). The plugin should also have some cryptographic method of verifying a downloaded file, and Mozilla should sign all releases with a strong key. It's just basic common sense, and I'm shocked Mozilla hasn't done this already.
Dr. Demento On The 'Net!
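The check that the comment above and the earlier one about md5/sha1/gpg both describe, verifying a mirror's archive against the checksum list published on the main site, as an added example that is not the thread's or Mozilla's code. It assumes a sha1sum/md5sum-style list ("<hex>  <path>" per line) fetched from the main site rather than from the mirror; the archive contents in demo() are constructed, and signature verification (gpg --verify on the checksum file) is a separate step not shown here.

```python
"""Verify a downloaded archive against a checksum list from the main site.
Added example (not from the thread). The digest algorithm is inferred from
the hex length in the list (md5, sha1 or sha256), the comparison is
constant-time, and an archive that is not listed at all is rejected."""
import hashlib
import hmac
import os
import tempfile

# Hex digest length -> hashlib constructor.
DIGEST_BY_LENGTH = {32: hashlib.md5, 40: hashlib.sha1, 64: hashlib.sha256}

def parse_checksum_list(text):
    """Parse "<hex>  <path>" lines (sha1sum/md5sum output) into {basename: hex}."""
    table = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2 or line.lstrip().startswith("#"):
            continue
        digest, path = parts
        table[os.path.basename(path.strip().lstrip("*"))] = digest.lower()
    return table

def digest_file(path, ctor):
    """Stream the file through the given hashlib constructor; return hex digest."""
    h = ctor()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_download(archive_path, checksum_text):
    """Return (ok, reason); ok is True only if the archive matches its listed digest."""
    table = parse_checksum_list(checksum_text)
    expected = table.get(os.path.basename(archive_path))
    if expected is None:
        return False, "archive not listed in checksum file"
    ctor = DIGEST_BY_LENGTH.get(len(expected))
    if ctor is None:
        return False, "unrecognised digest length %d" % len(expected)
    actual = digest_file(archive_path, ctor)
    if not hmac.compare_digest(actual, expected):  # constant-time comparison
        return False, "digest mismatch for %s" % os.path.basename(archive_path)
    return True, "%s digest ok" % ctor().name

def demo():
    """Constructed scenario: a fake archive, a SHA-1 list for it, then a tampered copy."""
    d = tempfile.mkdtemp()
    name = "mozilla-1.7.6.ko-KR.linux-i686.installer.tar.gz"  # file name from the thread
    good = os.path.join(d, name)
    with open(good, "wb") as fh:
        fh.write(b"\x1f\x8b" + b"constructed archive bytes " * 8)
    sums = "%s  ./linux-i686/%s\n" % (digest_file(good, hashlib.sha1), name)
    os.mkdir(os.path.join(d, "mirror"))
    tampered = os.path.join(d, "mirror", name)  # same name as listed, altered contents
    with open(good, "rb") as src, open(tampered, "wb") as dst:
        dst.write(src.read() + b"\x00")
    return {"good": verify_download(good, sums),
            "tampered": verify_download(tampered, sums),
            "unlisted": verify_download(os.path.join(d, "other.tar.gz"), sums)}
```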