Slashdot Mirror

← Back to Stories (view on slashdot.org)

Korean Mozilla Binaries Infected

Posted by CmdrTaco on from the caught-with-their-pants-down dept.

Magnus writes "Korean distributions of Mozilla and Thunderbird for Linux were infected with Virus.Linux.RST.b. This virus searches for executable ELF files in the current and /bin directories and infects them. It also contains a backdoor, which downloads scripts from another site, and executes them, using a standard shell."

34 of 592 comments (clear)

  1. Virus data by NoInfo · · Score: 5, Informative

    This virus has been in the wild since at least early 2002.

    Here's Symantec's take on the virus:

    http://securityresponse.symantec.com/avcenter/venc /data/linux.rst.b.html

    --
    bug.gd: error search engine. Humanity working together to solve all errors.
    1. Re:Virus data by _bug_ · · Score: 5, Insightful

      That's odd... I learned here that Mozilla is clearly more responsive to security bugs than Microsoft. What gives?

      You mean besides the fact that the binaries were removed as soon as they found out?

    2. Re:Virus data by boaworm · · Score: 5, Insightful

      If you've read TFA, you'd know that this has virtually nothing to do with mozilla or OSS.

      A third party, a mozilla fan site in korea, distributed infected binaries.

      If you find an infected version of Winzip on an internet site, would you blame Winzip.com ?

      --
      Probable impossibilities are to be preferred to improbable possibilities.
      Aristotele
    3. Re:Virus data by GreyPoopon · · Score: 5, Insightful
      I believe the point is if MS did this, it wouldn't matter how fast they removed the infected binaries, there would be a string of posts pontificating on how this clearly demonstrates linux/firefox as superior.

      Let's compare apples to apples here. If MS was offering infected binaries form one of THEIR sites, yes, we'd be jumping down their throat. On the other hand, if MS decided to let Download.com distribute versions of a "freeware" application (like Messenger), and the binaries on Download.com were infected, most of us would just be avoiding Download.com like the plague. Sure, some people would still blame Microsoft, just as some people are going to blame Mozilla here.

      Now, having said all of that, I'll bring up the question of accountability. Since Mozilla is being distributed by public mirrors, it's probably a REALLY good idea to have some sort of guidelines that need to be met by the administrators to make sure this doesn't happen on a "Mozilla-certified" mirror. Maybe this is already in place.

      --

      GreyPoopon
      --
      Why is it I can write insightful comments but can't come up with a clever signature?

    4. Re:Virus data by SimGuy · · Score: 5, Insightful

      And sadly, Linux administrators have been unable to suitably protect their systems in all this time, so it continues to be a pain in the ass, never really going away. I work for a hosting company, and I've dug Linux.RST.b out of too many servers.

      I think too many Linux admins don't believe there's such a thing as a Linux virus. Usually the easiest way to recognize the infection is if a large number of common programs in /bin like "grep" start crashing. Tends to make boot up and shutdown clumsily fail.

      --
      I don't care, but don't let that stop you from trying to tell me anyway.
  2. So let me get this straight... by SpocksLoveChild · · Score: 5, Funny

    it's a virus?... for linux? I'm sorry but just don't understand the situation?

    1. Re:So let me get this straight... by Anonymous Coward · · Score: 5, Funny

      No worries. That is common for most slashdot readers.

    2. Re:So let me get this straight... by Crusader7 · · Score: 4, Interesting

      That's because viruses on Linux are so rarely reported due to their limited scope of effectiveness. Since Windows is more popular in the combined server and desktop markets, outbreaks cause significantly more damage (though I'm willing to bet the damage caused per exploited system is a far lower average than the lower volume, but higher cost server attacks that UNIXes more often suffer). In addition, Windows users tend toward not being so, how to put it nicely, interested in learning the proper maintenance of their systems (hey, I'm not complaining, doing it for them pays my bills), so they tend to frequently get infected by things that don't exploit security holes in the systems but rather excess holes in the heads of the users.

      Compare to Linux in which most exploits are a result of actual security problems in either the kernel or the supporting applications, and you have less widespread attacks that affect fewer systems.

      Difference in market shares, my friend. If you want to exploit a Linux system you're probably an attacker targetting a specific network and installation for a very specific purpose (making this attack something of an oddball). If you're looking to exploit a Windows system, however, you're more likely just a general Internet thug trying to install spam bots and backdoors on home machines. The latter causes more problem since the target is a much, much larger pool of users, so the latter gets more heavily reported even though the targetted attacks usually cause more on-average damage.

    3. Re:So let me get this straight... by glesga_kiss · · Score: 4, Insightful
      That's because viruses on Linux are so rarely reported due to their limited scope of effectiveness.

      That's a falacy. Linux is just as vunerable to trojaned installers as any other OS. You install mozilla as root, right? Debian apt runs as root, so you'd better be trusting those apt repositories, and all of the contributers.

      OS security does help against worms and other methods of infection, but dealling with trojans is a 90% user function. This improved security, along with market share (as you point out) is what makes Linux "safer". To get a virus on Linux, you essentially have to do something wrong yourself. Which is no consolation to the gran and grandpa users, "Download Weather Bar (linux version) popups" are only a few years away...

  3. Ha. by Anonymous Coward · · Score: 5, Funny
    So much for OSS security. Show me one instance of this happening to Microsoft...

    Oh, wait.

  4. Korean Mozilla Binaries Infected by Anonymous Coward · · Score: 5, Funny

    Birdflu ?

  5. And so it begins... by eno2001 · · Score: 4, Insightful

    ...expect to see more of this as the popularity of OSS continues. Of course, unlike Windows it won't get far since MOST users are smart enough to not be running as root.

    --
    -"...bad old ideas look confusingly fresh when they are packaged as technology" - Jaron Lanier (Digital Maoism on Edge.o
    1. Re:And so it begins... by arkanes · · Score: 4, Insightful

      User-friendly distros (like Ubuntu), borrow a page from OSX and don't even expose the root account. You create a user account in setup, you're prompted for your admin password when you need to install stuff, and when you use the CLI you use sudo. Therefore, without taking proactive steps, it's not even possible run programs at root, and you have to go well out of your way to log in as root.

  6. Black day for Unix Firefox users by teslatug · · Score: 5, Informative

    A new flaw affecting Firefox users under Unix allows webmasters to craft a URL that when run from an application like Evolution can execute any command. The flaw stems from the use of backticks in the shell script used to launch Firefox. Read more about it here on the Secunia advisory. Version 1.0.7 fixing the flaw is already out.

  7. Re:Secure.. by Anonymous Coward · · Score: 5, Informative

    Actually Linux is more secure. If you run mozilla as a normal user, then mozilla and the virus can't write to the files in /bin, and therefor can't do any really servere damage.

  8. Um... by Noksagt · · Score: 4, Insightful
    Of course, unlike Windows it won't get far since MOST users are smart enough to not be running as root.
    Most users still install software as root & even if they don't, the user usually has access to /bin & would be able to run scripts.
    1. Re:Um... by Lussarn · · Score: 4, Insightful

      Most of all programs in Linux, about 99.99% is distribution supplied and isn't likely to have virus/trojan/spyware in them.

  9. Infecting /bin? by Danathar · · Score: 5, Insightful

    I'm assuming this can only occur if you installed the virus infected material as root?

    Nothing new here....if you install software as root from a compromised source and don't check the md5sums along with other precautions you put yourself at risk

  10. Re:6 stories down on the front page by tpgp · · Score: 5, Informative
    "Mozilla hits back at browser security claim"

    Funny? Yes. True? No - you see its not exactly a mozilla problem.

    Whilst searching for more information about this, I stumbled across this pagelast time these servers were hacked in June).

    Choice quote:

    Unlike Mozilla Europe, Mozilla Japan and Mozilla China, the Korean Mozilla site is not officially affiliated with the Mozilla Foundation.


    So, its not mozilla.org (the article states "on public servers. Mozilla.org is the latest example")

    Its someone who's taken the mozilla source and made their own binaries. A problem yes, a serious problem even, but not to the scale that Kaspersky Labs would have us believe.

    Who would have thought it? A security company overhyping an issue!

    I'm not sure why they bother. Do they really think stories like this are going to make linux users go and buy their security 'solution'?
    --
    My pics.
  11. Normal installation runs binaries as root by Bogtha · · Score: 4, Informative

    Before everybody starts pointing out that they don't browse the web with their root account, and so can't write to any of the binaries on their system, you should be aware that one of the infected files is the installer - which most people do run as root.

    Also, even if you don't run the installer binary, but simply unpack the tarball manually, the release notes tell you to run included binaries as root as part of the normal multi-user installation process.

    --
    Bogtha Bogtha Bogtha
  12. Re:Virus data - It's old! RTFM by Anonymous Coward · · Score: 4, Informative

    If the poster would have read and UNDERSTOOD the original article, he would have realised that it was only a general hint about dangers that can happen when you dowload binaries. He refers to an OLD mozilla security breach (check out the version numbers).

    "Infected binary or source code files aren't anything new. And sometimes they are found on public servers. Mozilla.org is the latest example.

    Korean distributives for mozilla and thunderbird for linux turned out to be infected - mozilla-installer-bin from mozilla-1.7.6.ko-KR.linux-i686.installer.tar.gz and mozilla-xremote-client from thunderbird-1.0.2.tar.gz were infected with Virus.Linux.RST.b"

  13. Tinfoil shoes? by bitslinger_42 · · Score: 5, Insightful

    OK, really paranoid, conspiracy-theory thought here... Yesterday, Symantec, a vendor with an AV product, releases a report claiming that Mozilla is not as secure as IE. Today, a news story comes out that a download of Mozilla from some website in Korea has been trojaned. Anyone else wondering if Symantec placed the infected files in Korea to boost sales of either their Linux AV product (haven't checked to see if there is one yet) or their security consluting services?

    My late-night googling skills are failing to find a reference, but I remember some stories from a couple years back about AV companies writing and releasing new viruses to pad their list of known viruses. If that was true, then I wouldn't put a stunt like this past them.

  14. Re:No, no, no... Windows is as secure. by arkanes · · Score: 5, Funny

    No, Windows is more secure because you can't write to a binary thats being executed or has been loaded by another process. Viruses can only infect your system files if you reboot!

  15. Alan Cox was right by Saunalainen · · Score: 5, Insightful
    Yet another example of the lamentable state of modern computer security. This wouldn't be a problem if operating systems required a trusted signature for software to be installed.

    I use a lot of OS software (e.g. Firefox, NeoOffice/J, LyX, R), but the standard installation process on my platform (OS X) does not allow checking for an authentic signature. Why is this not built in? It doesn't have to be this way: for instance, Red Hat signs its own RPMs (though Debian's APT didn't support this last time I looked).

    We already have to trust the developers. We shouldn't have to trust every FTP server too.

    1. Re:Alan Cox was right by seifried · · Score: 4, Informative

      Uhh every major RPM based distro (Red Hat, SuSE, Mandriva, Trustix, etc, etc.) does this. Third party guys like Dag who distribute literally hundreds pf RPM's also sign their packages (thus if I have Dag's key I can verify his RPM's regardless of where I actually get them. In RPM based systems adding a key consists of:

      Download the key (RPM-GPG-KEY-fedora for example)
      rpm --import RPM-GPG-KEY-fedora

      And voila. This works for third party developer's keys.

      As for your other comments they are just misinformed, you should read the article maybe. Or not and justmake stuff up, that works too.

  16. If Microsoft did it, it would be Microsoft. by khasim · · Score: 5, Insightful
    I believe the point is if MS did this, it wouldn't matter how fast they removed the infected binaries, there would be a string of posts pontificating on how this clearly demonstrates linux/firefox as superior. And they'd all be modded +5.
    If Microsoft distributed infected binaries, then it would be Microsoft distributing infected binaries.
    Of course saying the reverse here will quickly get you troll/flamebait/overated down to -1.
    You do realize that you're completely wrong.

    This is not about Mozilla distributing infected binaries. Mozilla did not. If they had, your analogy would be correct.

    This is about a 3rd party site distributing binaries of compiled Mozilla code that were infected.

    The only Microsoft comparision that can be made would be if HP (or some OEM) shipped WinXP computers with a virus.

    The real question is how did that virus get there in the first place. It's been around for a while but it doesn't spread.
  17. You don't understand "vulnerable". by khasim · · Score: 4, Insightful

    Writing a virus for Linux is easy.

    Getting that virus onto someone else's box is very difficult.

    Getting that virus to spread from that box is even more difficult.

    Linux viruses have an infection rate that is lower than their removal rate so they die in the wild.

    The real question is how did that virus get into that code? Linux viruses tend to have total infection numbers of less than 100 machines.

  18. no surprise by burnin1965 · · Score: 5, Informative
    The web site was hacked 3 months ago and back then they admitted the site was not an official Mozilla site.

    http://www.mozillazine.org/talkback.html?article=6 771


    Sorry for hack.
    by channy

    Thursday June 9th, 2005 6:39 PM

    Reply to this message

    This is Channy Yun, leader of Mozilla Korean Community. This site is not official web sites of Mozilla Foundation. And this hack is orginated by no patch for PHP vulnerability of my hosting company for mozilla.or.kr. I will change it with backup and fix it with my ISP. Sorry for your worry.


    I'm thinking they should give up their domain which likely causes the confusion and give the false impression that what you are downloading from the site is an official Mozilla binary.

    burnin
  19. Re:Virus data - It's old! RTFM by NickFortune · · Score: 4, Interesting
    "Infected binary or source code files aren't anything new. And sometimes they are found on public servers. Mozilla.org is the latest example.

    mmm... So do you not think the phrase "Mozilla.org is the latest example" is a just the teeniest bit misleading in this context? You know, what with most people taking "latest" to mean "happened very recently" as opposed to "even so, there hasn't been one for simply ages so I wouldn't get too worried".

    Not that anyone would do such a thing deliberately, of course... Except I can't help wondering how many people pondering a change away from Windows/IE will read that and form a false impression of Mozilla and Linux.

    Now who could that benefit, I wonder...

    --
    Don't let THEM immanentize the Eschaton!
  20. Mozilla.co.kr by frankie · · Score: 4, Interesting

    The Mozilla foundation needs to pursue strong, immediate public action against NKing.com, holders of the mozilla.co.kr domain. Using the Mozilla name connotes official status, and they are trashing it badly. I would say stop releasing Korean builds until the domain is handed over to more responsible people.

  21. See, Windows is more secure by doublem · · Score: 4, Funny

    See! Windows and IE ARE more secure!!!

    MWHAHAHAHAHA!!!!!!!!!

    The larger number of exploits in Firefox is just the tip of the ice berg!

    Open Source, you are going DOWN!

    And I for one, welcome our new DRM laden overlords.

    Oh, wait, they're not NEW overlords, they've been the overlords for a few decades now.

    Well, I welcome them anyway.

    --
    "Live Free or Die." Don't like it? Then keep out of the USA
  22. Apples to Apples? by Greyfox · · Score: 4, Insightful
    Ok, to get infected on Linux you have to download and install binaries from untrusted third parties and run as root all the time.

    To get infected on Windows you... have to turn the system on. As far as I can tell.

    Sure a lot of Windows infections are because the user downloaded and installed binaries from untrusted third parties, but equally as many just turned their computers on.

    If you ran untrusted binaries on your Apple you'd be exposing yourself to similar risk. Hell, we used to have the same problem on IBM mainframes back in the '80's -- every year around chistmas time all the freshmen would run those greeting card programs in their in-boxes and bring the network down as the trojan spread itself to everyone in their address book. Windows just eliminates a lot of the work for you.

    As the Linux userbase expands into increasingly less clueful segments of the population compromised systems are going to be more of a problem, but I predict that even if the installed Linux base ever grows to the size that Windowss is, the problem won't be as severe as it is on Windows. Unless everyone's running Lindows...

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  23. It's about freaking time... by ndogg · · Score: 4, Funny

    It's about freaking time virus writers started supporting Linux and Mozilla...

    Err, wait...

    --
    // file: mice.h
    #include "frickin_lasers.h"
  24. Because you cannot ... by khasim · · Score: 4, Informative
    Care to support that assertion with some solid facts and numbers?
    http://securityresponse.symantec.com/avcenter/ve nc/data/linux.cheese.worm.html

    http://securityresponse.symantec.com/avcenter/venc /data/tfn2k.html

    http://securityresponse.symantec.com/avcenter/venc /data/linux.adore.worm.html

    http://securityresponse.symantec.com/avcenter/venc /data/linux.hijacker.worm.html

    http://securityresponse.symantec.com/avcenter/venc /data/linux.jac.8759.html

    You see? All but one had "number of sites" between 0 and 2.

    They
    Do
    Not
    Spread

    Linux's security model is far more effective than Microsoft's one for Windows.

    Anyone can write a virus/worm/trojan for Linux, but they cannot get them to spread beyond any machine that they themselves do no have access to.