Slashdot Mirror
Korean Mozilla Binaries Infected
Magnus writes "Korean distributions of Mozilla and Thunderbird for Linux were infected with Virus.Linux.RST.b. This virus searches for executable ELF files in the current and /bin directories and infects them. It also contains a backdoor, which downloads scripts from another site, and executes them, using a standard shell."
This virus has been in the wild since at least early 2002.
c /data/linux.rst.b.html
Here's Symantec's take on the virus:
http://securityresponse.symantec.com/avcenter/ven
bug.gd: error search engine. Humanity working together to solve all errors.
it's a virus?... for linux? I'm sorry but just don't understand the situation?
Guess anything that can be programmed is also vulnerable, regardless of how impenetrable it is.
Oh, wait.
Birdflu ?
...expect to see more of this as the popularity of OSS continues. Of course, unlike Windows it won't get far since MOST users are smart enough to not be running as root.
-"...bad old ideas look confusingly fresh when they are packaged as technology" - Jaron Lanier (Digital Maoism on Edge.o
A new flaw affecting Firefox users under Unix allows webmasters to craft a URL that when run from an application like Evolution can execute any command. The flaw stems from the use of backticks in the shell script used to launch Firefox. Read more about it here on the Secunia advisory. Version 1.0.7 fixing the flaw is already out.
They could have easily replaced the app signatures to match the infected binaries.
-mkb
I can hear it now; "See, FF isn't as secure as its supporters claim it is."
Whatever.
Considering this only affects one operating system (Linux) and occured in only one area of the world (Korea), despite this flaw it's still a whole bunch better than getting an update for IE our Outlook and having everyone who uses Windows, regardless of where they are in the world, being infected.
We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
First the unofficial Korean Mozilla site in July, and now long obsolete versions of the Korean Mozilla (not Firefox) and Korean Thunderbird builds. I doubt anyone was infected, nor was that likely the intent, especially given the old, neither stable nor current, version numbers, but one thing is clear. Someone out there really doesn't like Koreans.
Actually Linux is more secure. If you run mozilla as a normal user, then mozilla and the virus can't write to the files in /bin, and therefor can't do any really servere damage.
Well, the symantec description wasn't very useful to me. But if I read it right, the virus tries to infect /bin. But iirc it will have to be run with root privileges in order to be able to infect /bin. Dunno about you guys, but I never ever unpacked firefox builds into my home directory when running as root. Basic security. So, if I understand this correctly, it only infects /bin when you've been sloppy. Not much of a threat, is it?
----- One learns to itch where one can scratch.
If you're talking about mozilla.or.kr, the Mozilla Foundation does not own or control that site.
I'm assuming this can only occur if you installed the virus infected material as root?
Nothing new here....if you install software as root from a compromised source and don't check the md5sums along with other precautions you put yourself at risk
Then you'll know this virus was distributed on purpose or the core distribution was hacked and the hackers distributed it on purpose.
You'll also know that the virus isn't infecting *anything* unless you're running as root or you're using a version of kernel and glibc that have specific flaws to allow the virus to do something as a regular user. Are they using a kernel and software from 2001? Maybe, for all I know, but that's pretty irresponsable if they are.
This is such a non-issue for anyone except the stunned distributor that sent around the CDs. Not the first time it happened to the Windows world, either.
...Steve
It is. The fact that the only way for it to be effective is to pre-infect the original distribution. Which means someone miscopulated the canine. Still cant get around human fallibility in that regard.
Linux is still much more secure in its raw state than almost any closed-source product even after post-install configuration. Anyone with a modicum of experience with a fresh *nix installation will likely spot this before it does any real damage.
Suppose it was only a matter of time before someone figured this out though. Goes to show you, it is not a good idea to hook any system up to a network or the web before you finish the basic post-install configurations.
Stupid Humans.....
Where does it says it spread?
It is a 3 years old thing and it never spread, why should it now?
It has been found somewhere on some server in some package.
OK, then?
Distros build their version of softwares from source, they check the sources, their users get their software from their distro.
End of the story.
Moral of the story:
-don't download binaries from other sources than your distro.
-don't install binaries from other sources than your distro as root.
Since if you run it as a normal user on Windows it cannot damage the system files either :)
Funny? Yes. True? No - you see its not exactly a mozilla problem.
Whilst searching for more information about this, I stumbled across this pagelast time these servers were hacked in June).
Choice quote:
So, its not mozilla.org (the article states "on public servers. Mozilla.org is the latest example")
Its someone who's taken the mozilla source and made their own binaries. A problem yes, a serious problem even, but not to the scale that Kaspersky Labs would have us believe.
Who would have thought it? A security company overhyping an issue!
I'm not sure why they bother. Do they really think stories like this are going to make linux users go and buy their security 'solution'?
My pics.
Before everybody starts pointing out that they don't browse the web with their root account, and so can't write to any of the binaries on their system, you should be aware that one of the infected files is the installer - which most people do run as root.
Also, even if you don't run the installer binary, but simply unpack the tarball manually, the release notes tell you to run included binaries as root as part of the normal multi-user installation process.
Bogtha Bogtha Bogtha
If the poster would have read and UNDERSTOOD the original article, he would have realised that it was only a general hint about dangers that can happen when you dowload binaries. He refers to an OLD mozilla security breach (check out the version numbers).
"Infected binary or source code files aren't anything new. And sometimes they are found on public servers. Mozilla.org is the latest example.
Korean distributives for mozilla and thunderbird for linux turned out to be infected - mozilla-installer-bin from mozilla-1.7.6.ko-KR.linux-i686.installer.tar.gz and mozilla-xremote-client from thunderbird-1.0.2.tar.gz were infected with Virus.Linux.RST.b"
This Linux virus was not effective virus in 2002. It is even less effective now. The firefox was about 2 version old, so the infection rate is extremely low.
OK, really paranoid, conspiracy-theory thought here... Yesterday, Symantec, a vendor with an AV product, releases a report claiming that Mozilla is not as secure as IE. Today, a news story comes out that a download of Mozilla from some website in Korea has been trojaned. Anyone else wondering if Symantec placed the infected files in Korea to boost sales of either their Linux AV product (haven't checked to see if there is one yet) or their security consluting services?
My late-night googling skills are failing to find a reference, but I remember some stories from a couple years back about AV companies writing and releasing new viruses to pad their list of known viruses. If that was true, then I wouldn't put a stunt like this past them.
I use a lot of OS software (e.g. Firefox, NeoOffice/J, LyX, R), but the standard installation process on my platform (OS X) does not allow checking for an authentic signature. Why is this not built in? It doesn't have to be this way: for instance, Red Hat signs its own RPMs (though Debian's APT didn't support this last time I looked).
We already have to trust the developers. We shouldn't have to trust every FTP server too.
One of the reasons that people supported Linus trademarking Linux was to prevent other people from releasing buggy code.
How is this different?
This is not about Mozilla distributing infected binaries. Mozilla did not. If they had, your analogy would be correct.
This is about a 3rd party site distributing binaries of compiled Mozilla code that were infected.
The only Microsoft comparision that can be made would be if HP (or some OEM) shipped WinXP computers with a virus.
The real question is how did that virus get there in the first place. It's been around for a while but it doesn't spread.
Writing a virus for Linux is easy.
Getting that virus onto someone else's box is very difficult.
Getting that virus to spread from that box is even more difficult.
Linux viruses have an infection rate that is lower than their removal rate so they die in the wild.
The real question is how did that virus get into that code? Linux viruses tend to have total infection numbers of less than 100 machines.
http://www.mozillazine.org/talkback.html?article=
I'm thinking they should give up their domain which likely causes the confusion and give the false impression that what you are downloading from the site is an official Mozilla binary.
burnin
mmm... So do you not think the phrase "Mozilla.org is the latest example" is a just the teeniest bit misleading in this context? You know, what with most people taking "latest" to mean "happened very recently" as opposed to "even so, there hasn't been one for simply ages so I wouldn't get too worried".
Not that anyone would do such a thing deliberately, of course... Except I can't help wondering how many people pondering a change away from Windows/IE will read that and form a false impression of Mozilla and Linux.
Now who could that benefit, I wonder...
Don't let THEM immanentize the Eschaton!
The Mozilla foundation needs to pursue strong, immediate public action against NKing.com, holders of the mozilla.co.kr domain. Using the Mozilla name connotes official status, and they are trashing it badly. I would say stop releasing Korean builds until the domain is handed over to more responsible people.
See! Windows and IE ARE more secure!!!
MWHAHAHAHAHA!!!!!!!!!
The larger number of exploits in Firefox is just the tip of the ice berg!
Open Source, you are going DOWN!
And I for one, welcome our new DRM laden overlords.
Oh, wait, they're not NEW overlords, they've been the overlords for a few decades now.
Well, I welcome them anyway.
"Live Free or Die." Don't like it? Then keep out of the USA
To get infected on Windows you... have to turn the system on. As far as I can tell.
Sure a lot of Windows infections are because the user downloaded and installed binaries from untrusted third parties, but equally as many just turned their computers on.
If you ran untrusted binaries on your Apple you'd be exposing yourself to similar risk. Hell, we used to have the same problem on IBM mainframes back in the '80's -- every year around chistmas time all the freshmen would run those greeting card programs in their in-boxes and bring the network down as the trojan spread itself to everyone in their address book. Windows just eliminates a lot of the work for you.
As the Linux userbase expands into increasingly less clueful segments of the population compromised systems are going to be more of a problem, but I predict that even if the installed Linux base ever grows to the size that Windowss is, the problem won't be as severe as it is on Windows. Unless everyone's running Lindows...
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
It's about freaking time virus writers started supporting Linux and Mozilla...
Err, wait...
// file: mice.h
#include "frickin_lasers.h"
http://securityresponse.symantec.com/avcenter/ven
http://securityresponse.symantec.com/avcenter/ven
http://securityresponse.symantec.com/avcenter/ven
http://securityresponse.symantec.com/avcenter/ven
You see? All but one had "number of sites" between 0 and 2.
They
Do
Not
Spread
Linux's security model is far more effective than Microsoft's one for Windows.
Anyone can write a virus/worm/trojan for Linux, but they cannot get them to spread beyond any machine that they themselves do no have access to.
If you want to include all or part of a Mozilla trademark in a domain name, you have to receive written permission from Mozilla. People naturally associate domain names with organizations whose names sound similar. Almost any use of a Mozilla trademark in a domain name is likely to confuse consumers, thus running afoul of the overarching requirement that any use of a Mozilla trademark be non-confusing. If you would like to build a Mozilla, Firefox Internet browser or Thunderbird e-mail client promotional site for your region, we encourage you to join an existing official localization project.
source
So Mozilla does state a policy regarding exactly what has occurred here. The problem is, U.S. trademark laws don't have any teeth in Korea. In fact, there is a U.S. government-run site that goes into great detail about how companies that have registered trademarks in the U.S. should not try to do business in Korea (or enforce their trademarks, of course) until they have registered their trademark in Korea, as well:
Basic intellectual property laws exist in Korea. However, protection of intellectual property and the laws governing enforcement of these protections are not necessarily extra-territorial. What is understood and practiced in the United States is not always practiced in Korea. U.S. companies wishing to sell their products or services in Korea should first and foremost find out if they have to register their intellectual property rights (copyright, trademark or patents) in Korea...One of the most frequent IPR problems facing U.S. businesses in Korea is trademark protection.
source
Now, the last piece relates to trademark use by localization teams. The site distributing the binaries was in fact run by a Korean Firefox localization team, however, Mozilla has yet to refuse their right to use the trademarks, as per Mozilla Foundation policy, which allows use by localization teams in general, and rejects only in specific instances:
It is very important that Community Releases of Firefox and Thunderbird maintain (or even exceed!) the quality level people have come to associate with Mozilla Firefox and Mozilla Thunderbird. We need to ensure this, but we don't want to get in people's way. So, we are taking an optimistic approach. Official L10n teams can start using the "Firefox Community Edition" and "Thunderbird Community Edition" trademarks from day one, but the Mozilla Foundation may require teams to stop doing so in the future if they are redistributing software with low quality and efforts to remedy the situation have not succeeded. Doing things this way allows us to give as much freedom to people as possible, while maintaining our trademarks as a mark of quality (which we are required to do in order to keep them).
source
I'll readily admit that I have no idea whether Mozilla has attempted to reject their right to use the Mozilla trademark, but given the warning found on U.S. government sites regarding trademark enforcement, I'd say it would be prodigal use of the foundation's limited resources. Further, there is nothing to indicate that there is in fact any "affiliation" whatsoever, as nowhere does Mozilla Foundation acknowledge the presence of the Korean site (although its URL does appear on a Mozilla-run wiki - who knows who put it there).
In any case, this reflects poorly only on the part of the Korean Localization Team, as Mozilla Foundation likely lacks the resources to succesfully pursue a trademark infringement case abroad in Korea, and we have already established that the site is not an official Mozilla site (unlike, for example, http://www.mozilla-europe.org/ or