Slashdot Mirror
Ethics of Releasing Non-Malicious Linux Malware?
buchner.johannes writes "I was fed up with the general consensus that Linux is oh-so-secure and has no malware. After a week of work, I finished a package of malware for Unix/Linux. Its whole purpose is to help white-hat hackers point out that a Linux system can be turned into a botnet client by simply downloading BOINC and attaching it to a user account to help scientific projects. The malware does not exploit any security holes, only loose security configurations and mindless execution of unverified downloads. I tested it to be injected by a PHP script (even circumventing safe mode), so that the Web server runs it; I even got a proxy server that injects it into shell scripts and makefiles in tarballs on the fly, and adds onto Windows executables for execution in Wine. If executed by the user, the malware can persist itself in cron, bashrc and other files. The aim of the exercise was to provide a payload so security people can 'pwn' systems to show security holes, without doing harm (such as deleting files or disrupting normal operation). But now I am unsure of whether it is ethically OK to release this toolkit, which, by ripping out the BOINC payload and putting in something really evil, could be turned into proper Linux malware. On the one hand, the way it persists itself in autostart is really nasty, and that is not really a security hole that can be fixed. On the other hand, such a script can be written by anyone else too, and it would be useful to show people why you need SELinux on a server, and why verifying the source of downloads (checksums through trusted channels) is necessary. Technically, it is a nice piece, but should I release it? I don't want to turn the Linux desktop into Windows, hence I'm slightly leaning towards not releasing it. What does your ethics say about releasing such grayware?"
There were two options:
1. Release it anonymously and take no credit
2. Write about it and get some credit (but then you can't actually release it due to legal issues)
You can't (and won't) release it now. If somebody gets attacked with your code, guess who they're going to prosecute and/or sue.
Malware can exist for any platform.
However, real actual malware in the wild requires an eco-system to support it. Providing you can compromise a machine proves nothing. Proving that an ecosystem can actually exist on Linux machines would require completely releasing it into the wild, and subjecting innocent people to it.
I don't know about you, but I know where that falls when it comes to ethics and it ain't on the right side of it.
Why not treat this code like you would any other proof of concept of a security exploit? if the goal to to prove that security vulnerabilities exist and should be fixed then show this code to whomever it will help actually fix those holes but try not to release it to the public at large while it still represents a real threat. Show it to package and distribution maintainers and make recommendations on how they can improve their security configurations to prevent it from running but don't release it as a build your own rootkit tool if it has served its purpose and people are making a serious effort to address the issues it highlights.
This question is posed as if this is new ground. As if this hasn't been done before - without questions of morality and with distinctly less noble intent. All this worry about inserting a malicious payload is wasted. The script kiddies already have better options at their disposal.
Seriously, what is it with people not knowing right from wrong, or accepting responsibility for their own decisions? You're the one who has to sleep with whatever decision you make - why try to foist the blame on someone else if you decide wrong?
That's like one guy who said "My best friends' girlfriend wants to sleep with me - should I do it so I can show him what a sl*t she is?" If you're asking, it's because you want to do it and be able to say "don't blame me - everyone said it was okay !"
BTW - Good luck with whatever you decide, but a lot of us have been in the position of being able to do a lot worse, or been offered $$$ to do a lot worse, and you should be thankful we didn't have to get the group-think thing going before refusing.
I'm fed up with the general consensus that people are able to walk around outside without being punched in the face. After all, anyone can be punched in the face at any time, so I've been thinking about going up to random people on the street and punching them in the face. People need to learn to take reasonable steps to protect themselves from being punched in the face, such as wearing full-face motorcycle helmets at all times, and how are they going to learn that if I don't show them? But now I'm having second thoughts about whether or not it would be ethical to go around randomly punching people in the face. Does anyone have any advice?
The correlation between ignorance of statistics and using "correlation is not causation" as an argument is close to 1.
Any programmer worth a grain of salt could write the same thing at the drop of a hat. I don't
understand where it would be all that interesting.
Got Code?
Should people run SELinux? Prolly not, it's a pain the ass for Joe user. It's hard enough for admins who know what they're doing (anyone who's had an SELinux error and not checked the right log knows what I'm talking about.) Distros need to play nice with SELinux or provide a better alternative for Joe user.
Should Sysadmins run SELinux? If you've got sensitive data on it, damn straight--you need that kind of protection along with the service removal and permissions hardening you do to Linux machines you really want to keep "safe." If you don't and it's not even a production server, why bother with anything beyond Permissive (or perhaps just Targetted services.)
---
FYI If you find yourself responding in any way that involves a CLI my grandma is going to get annoyed, call me, and ask how to deal with it and I'm going to need a new solution.
The claim is that a PHP injection on a web server is going to also infect user-owned tarballs and wine executables and root-owned shell scripts without exploiting a privilege escalation hole? Either his webserver is configured to run as root, or this claim doesn't pass the smell test.
http://www.mhall119.com
Sounds like you have too much time on your hands. Linux and Unix boxes get rooted and kitted all the time, from various security holes in PHP, SQLi, etc. Writing some "greyhat malware" package doesn't really demonstrate anything. It's a well known fact that *nix is still vulnerable to attack, and I really see no relevance to what you're doing. Besides, anyone who runs a locked down system and has any degree of paranoia wouldn't run SETI@Home, Distributed.net or any other similar distributed client software. OSSEC would pick this jazz up in half a second. Congratulations on some questionable bash scripting.
I have a strong suspicion that this whole "question" is merely an attempt by Windows marketdroids to spread one of their favorite FUD formulas: "Linux is not really secure, it's just too unpopular to be targeted by malware writers". Please note how often it is mentioned in otherwise content-free comments.
There is no actual "malware". All author claims is that he wrote something that demonstrates the fact that a program executed on a Linux box by a user has that user's access privileges and can do stuff that the user does not expect or like. That's at best a trojan horse -- without capability to gain superuser privileges or compromise other users or hosts, such "malware" is firmly in the range of stupid pranks -- slightly below changing someone's wallpaper to goatse and slightly above asking someone to check out the Last Measure web site. It has nothing to do with millions-strong botnets and hours-to-worldwide-pandemic worms that make Windows such a great platform for crooks and vandals.
Contrary to the popular belief, there indeed is no God.
Or heck, this is *Linux* we are talking about here.
Release it, and they will patch.
Give it to Theo Raadt of OpenBSD fame. In a week all of the attack vectors will be well defined, and source code fixes being pushed downstream.
For BSD admittedly, but once the vectors are well defined, the Linux guys are more than able to 'translate' and make the same fixes.
That can only be a good thing.
It isn't like you need to worry about the company suing you for pointing out a security problem in their product when you tell them!
Besides, no matter how well behaved malware system you write, no matter what possible evils your imagination has come up with that it could be twisted into, the script kiddies out there already have much much better tools than that.
Just release it, sitting on it only gives the black hats more time to use the same exact security flaws for evil.
I say release the ideas, or at least document the concepts with pseudocode so that the average skript kiddie can't just download and modify - they'd at least need to spend the time implementing it in some language.
This way, people qualified to fix the problem can review your proof of concept and fix the problem, but you're limiting the exposure to the average bored 15 year old who's skillset doesn't extend too far beyond downloading a .c file and running gcc.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
No malware? I think the claim is that Linux doesn't have the threat from viruses that Windows does - actually, it has little threat from them at all.
loose security configurations and mindless execution of unverified downloads - so, the sort of thing no admin with any brains, regardless the OS they were using, would do? The difference is, you can fairly much lock up Linux very fast, with little a non-privileged person can do, while not really limiting what services the machine will offer. With Windows on the other hand, it takes more effort to lock it down, and things become far more burdensome to deal with once you do. Let me tell you how much I loved having errors all over the policy editor in windows because of some basic security settings...which meant that doing normal, everyday windows admin tasks you would be confronted with errors left and right because of the policy settings. Doing normal, everyday UNIX admin tasks on a locked down box though...no issues.
Why do people take the argument so damn personally, anyway? The OSes are meant for different things. That one is better at some things than the other should make sense - they have entirely different methodologies.
PS - it took you a *week* to write something that could exploit "loose security configurations?" Give me 5 minutes and I'll write something. Go ahead and publish whatever you wrote, I'm sure several of us could use the laugh.
Uhh no its retarded and was modded funny as a result. Security through obscutiry has been debunked dozens of times. Mac OS for instane is pretty visable, but yet seems to have not even a fraction of the problems another major commercial OS does. And don't tell me there isn't a major bonus for being the hacker to really pwn OS X. I'm sure as a Windows troll you would give a nut for this kind of exploit just to prove this lame claim. Vista and W7 are a HUGE step forward, but don't pretend that the only reason everybody else is safe and Windows is a spyware dungeon is just based on marketshare.
Um, and this is different from a Windows virus how? {...} It's not because your system is any more secure against "CLICK HERE TO WIN FREE XBOX 360" infections.
Windows XP way :
Linux way :
In short there are 2 main differences between the windows and unices environment :
There's another big difference, specific to opensource environment like Linux and BSD (and not other unices):
(Although the above only regards malwares exploiting *bugs*, not payload which are simple regular softwares).
With Vista and Seven, Microsoft has attempted to fix some of these problems. Nonetheless, the fix is still a lot noisy ("Cancel or Allow ?") to the point that some user simply start to blindly "Yes-click-through" and the protecting effect is lost. And users are still trained to install crap by downloading it from random websites.
With Linux, these advantages become a handicap regarding commercial softwares : They have to target multiple combination of softwares in distributions (unlike open-source software where the package are vetted by the distribution maintainers themselves thanks to the source being available for that puprose). And these software are not just a package in a regular repository, making them inaccessible using the regular method.
There is indeed no software which is 100% guaranteed secure.
But ! There's still a difference like between putting a real fence around your house and having a dog on one side, and just stick a paper with "don't rob us" written on it on the other side.
And, no matter what, some users will always find a way to shoot themselves in foot.
But on Unix, the gun is locked behind a glass door and must have a security pin removed before being able to shoot the foot, whereas on Windows an armed ready-shoot-gun is just a normal wall decoration.
The only "protection" that *nix/mac systems have over Windows is that no one gives a rats ass about infecting you
Ok, could we please stop with this troll now ?
At one side of the range, Linux has ratter good market shares in the servers and scientific clusters domains.
At the other side of the range, Linux has achieved quasi-monopoly in the embed domain, specially on home routers, wireless access points, small NAS/SAN, no-brand multimedia play
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]