Ethics of Releasing Non-Malicious Linux Malware?
buchner.johannes writes "I was fed up with the general consensus that Linux is oh-so-secure and has no malware. After a week of work, I finished a package of malware for Unix/Linux. Its whole purpose is to help white-hat hackers point out that a Linux system can be turned into a botnet client by simply downloading BOINC and attaching it to a user account to help scientific projects. The malware does not exploit any security holes, only loose security configurations and mindless execution of unverified downloads. I tested it to be injected by a PHP script (even circumventing safe mode), so that the Web server runs it; I even got a proxy server that injects it into shell scripts and makefiles in tarballs on the fly, and adds onto Windows executables for execution in Wine. If executed by the user, the malware can persist itself in cron, bashrc and other files. The aim of the exercise was to provide a payload so security people can 'pwn' systems to show security holes, without doing harm (such as deleting files or disrupting normal operation). But now I am unsure of whether it is ethically OK to release this toolkit, which, by ripping out the BOINC payload and putting in something really evil, could be turned into proper Linux malware. On the one hand, the way it persists itself in autostart is really nasty, and that is not really a security hole that can be fixed. On the other hand, such a script can be written by anyone else too, and it would be useful to show people why you need SELinux on a server, and why verifying the source of downloads (checksums through trusted channels) is necessary. Technically, it is a nice piece, but should I release it? I don't want to turn the Linux desktop into Windows, hence I'm slightly leaning towards not releasing it. What do your ethics say about releasing such grayware?"
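The submission names two things a defender can act on without ever seeing the toolkit: the persistence locations it abuses (cron, bashrc and similar autostart files) and the missing checksum verification of downloads. The following is an added example written for this discussion, not the submitter's code: a small audit that flags lines in crontab or shell-startup content which a reviewer should look at (download piped into a shell, base64-decoded payloads, executables launched from world-writable directories, @reboot jobs), plus a SHA-256 check against a digest obtained through a trusted channel. The patterns and the sample crontab and .bashrc content are constructed assumptions, not taken from the original post.

```python
"""Audit shell-startup and crontab content for typical dropped-persistence lines.

Added example for the Slashdot discussion; not the submitter's toolkit.
The patterns below are defender heuristics (an assumption), not a signature
of any specific tool, and the sample inputs are constructed for this file.
"""
import hashlib
import hmac
import os
import re
from typing import List, Tuple

# Heuristics a reviewer would want to see flagged in ~/.bashrc, ~/.profile or a crontab.
SUSPICIOUS_PATTERNS = [
    (re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b"), "pipes a download straight into a shell"),
    (re.compile(r"\bbase64\s+(-d|--decode)\b"), "decodes an embedded base64 payload"),
    (re.compile(r"(/tmp|/dev/shm|/var/tmp)/\S+"), "executes from a world-writable directory"),
    (re.compile(r"(^|[\s;&|])nohup\b.*&\s*$"), "backgrounds a long-running process at login"),
    (re.compile(r"@reboot\b"), "runs at every reboot"),
]


def find_suspicious_lines(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, line, reason) for each non-comment line matching a pattern.

    Only the first matching reason is reported per line; blank and '#' lines are skipped.
    """
    hits = []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for pattern, reason in SUSPICIOUS_PATTERNS:
            if pattern.search(line):
                hits.append((number, line, reason))
                break
    return hits


def audit_file(path: str) -> List[Tuple[int, str, str]]:
    """Run find_suspicious_lines over a file on disk; a missing file yields no hits."""
    try:
        with open(path, encoding="utf-8", errors="replace") as handle:
            return find_suspicious_lines(handle.read())
    except FileNotFoundError:
        return []


def verify_sha256(data: bytes, expected_hex: str) -> bool:
    """Compare a download's SHA-256 with a digest published out of band.

    The digest must come from a channel the attacker cannot rewrite (e.g. a signed
    release page), otherwise the check only re-validates what the proxy served.
    """
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_hex.strip().lower())


# Constructed sample inputs: a benign crontab entry plus one appended persistence job,
# and a .bashrc with one appended background launcher.
SAMPLE_CRONTAB = """# m h dom mon dow command
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
@reboot /dev/shm/.cache/client >/dev/null 2>&1
"""
SAMPLE_BASHRC = """# ~/.bashrc
export PATH="$HOME/bin:$PATH"
alias ll='ls -l'
nohup /tmp/.x/run.sh >/dev/null 2>&1 &
"""


if __name__ == "__main__":
    for label, text in (("sample crontab", SAMPLE_CRONTAB), ("sample .bashrc", SAMPLE_BASHRC)):
        for number, line, reason in find_suspicious_lines(text):
            print(f"{label}:{number}: {reason}: {line}")
    # Real files for the current user; paths are the usual defaults (assumption).
    for path in (os.path.expanduser("~/.bashrc"), os.path.expanduser("~/.profile")):
        for number, line, reason in audit_file(path):
            print(f"{path}:{number}: {reason}: {line}")
```

Running it reports line 3 of the sample crontab and line 4 of the sample .bashrc, each as "executes from a world-writable directory" (the first matching rule wins). A user crontab is read with `crontab -l` and can be piped into `find_suspicious_lines` the same way; the checksum helper is only as good as the channel the expected digest came from, which is exactly the point the submission makes about trusted channels.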
There were two options:
1. Release it anonymously and take no credit
2. Write about it and get some credit (but then you can't actually release it due to legal issues)
You can't (and won't) release it now. If somebody gets attacked with your code, guess who they're going to prosecute and/or sue.
Malware can exist for any platform.
However, real actual malware in the wild requires an eco-system to support it. Providing you can compromise a machine proves nothing. Proving that an ecosystem can actually exist on Linux machines would require completely releasing it into the wild, and subjecting innocent people to it.
I don't know about you, but I know where that falls when it comes to ethics and it ain't on the right side of it.
Why not treat this code like you would any other proof of concept of a security exploit? If the goal is to prove that security vulnerabilities exist and should be fixed, then show this code to whomever it will help actually fix those holes, but try not to release it to the public at large while it still represents a real threat. Show it to package and distribution maintainers and make recommendations on how they can improve their security configurations to prevent it from running, but don't release it as a build-your-own-rootkit tool if it has served its purpose and people are making a serious effort to address the issues it highlights.
This question is posed as if this is new ground. As if this hasn't been done before - without questions of morality and with distinctly less noble intent. All this worry about inserting a malicious payload is wasted. The script kiddies already have better options at their disposal.
Seriously, what is it with people not knowing right from wrong, or accepting responsibility for their own decisions? You're the one who has to sleep with whatever decision you make - why try to foist the blame on someone else if you decide wrong?
That's like one guy who said "My best friend's girlfriend wants to sleep with me - should I do it so I can show him what a sl*t she is?" If you're asking, it's because you want to do it and be able to say "don't blame me - everyone said it was okay!"
BTW - Good luck with whatever you decide, but a lot of us have been in the position of being able to do a lot worse, or been offered $$$ to do a lot worse, and you should be thankful we didn't have to get the group-think thing going before refusing.
I'm fed up with the general consensus that people are able to walk around outside without being punched in the face. After all, anyone can be punched in the face at any time, so I've been thinking about going up to random people on the street and punching them in the face. People need to learn to take reasonable steps to protect themselves from being punched in the face, such as wearing full-face motorcycle helmets at all times, and how are they going to learn that if I don't show them? But now I'm having second thoughts about whether or not it would be ethical to go around randomly punching people in the face. Does anyone have any advice?
The correlation between ignorance of statistics and using "correlation is not causation" as an argument is close to 1.
Should people run SELinux? Prolly not, it's a pain in the ass for Joe user. It's hard enough for admins who know what they're doing (anyone who's had an SELinux error and not checked the right log knows what I'm talking about.) Distros need to play nice with SELinux or provide a better alternative for Joe user.
Should sysadmins run SELinux? If you've got sensitive data on it, damn straight--you need that kind of protection along with the service removal and permissions hardening you do to Linux machines you really want to keep "safe." If you don't and it's not even a production server, why bother with anything beyond Permissive (or perhaps just Targeted services.)
---
FYI: If you find yourself responding in any way that involves a CLI, my grandma is going to get annoyed, call me, and ask how to deal with it, and I'm going to need a new solution.
The claim is that a PHP injection on a web server is going to also infect user-owned tarballs and wine executables and root-owned shell scripts without exploiting a privilege escalation hole? Either his webserver is configured to run as root, or this claim doesn't pass the smell test.
http://www.mhall119.com