Slashdot Mirror
Ethics of Releasing Non-Malicious Linux Malware?
buchner.johannes writes "I was fed up with the general consensus that Linux is oh-so-secure and has no malware. After a week of work, I finished a package of malware for Unix/Linux. Its whole purpose is to help white-hat hackers point out that a Linux system can be turned into a botnet client by simply downloading BOINC and attaching it to a user account to help scientific projects. The malware does not exploit any security holes, only loose security configurations and mindless execution of unverified downloads. I tested it to be injected by a PHP script (even circumventing safe mode), so that the Web server runs it; I even got a proxy server that injects it into shell scripts and makefiles in tarballs on the fly, and adds onto Windows executables for execution in Wine. If executed by the user, the malware can persist itself in cron, bashrc and other files. The aim of the exercise was to provide a payload so security people can 'pwn' systems to show security holes, without doing harm (such as deleting files or disrupting normal operation). But now I am unsure of whether it is ethically OK to release this toolkit, which, by ripping out the BOINC payload and putting in something really evil, could be turned into proper Linux malware. On the one hand, the way it persists itself in autostart is really nasty, and that is not really a security hole that can be fixed. On the other hand, such a script can be written by anyone else too, and it would be useful to show people why you need SELinux on a server, and why verifying the source of downloads (checksums through trusted channels) is necessary. Technically, it is a nice piece, but should I release it? I don't want to turn the Linux desktop into Windows, hence I'm slightly leaning towards not releasing it. What does your ethics say about releasing such grayware?"
There were two options:
1. Release it anonymously and take no credit
2. Write about it and get some credit (but then you can't actually release it due to legal issues)
You can't (and won't) release it now. If somebody gets attacked with your code, guess who they're going to prosecute and/or sue.
Just releasing linux is an ethical problem. Hell, I can't even print anything since last saturday.
Contact someone at SANS, or Bruce Schneier, or some such. Maybe even someone on the SELinux project; if this non-malicious malware is indeed as capable without SELinux as you claim, and SELinux mitigates/eliminates the danger, this could be good PR for them.
.. but sounds like a lot of work to prove a relatively straight foward point.
It's actually been my opinion that Linux in the hands of someone who doesn't know how to use it can in some situations be less secure than windows.
My reasoning for this is that:
1) Newbie Linux users who are having problems with their systems will rpetty much run anything as any user you tell them to in a desperate hope to get Xorg working again
2) Linux commands on their own can look very cryptic to the uninitiated.. add into that the scripting abilities of most shells.. and a new Linux user won't be able to differentiate a malicious command from one that will get their nvidia driver working again
3) The out-of-box remote admin abilities of Linux are excellent.
4) Standard tools like nc can easily be used to establish out-connecting remote shell sessions
5) OR you can just get them to wget and execute your favourite piece of malware.
Malware can exist for any platform.
However, real actual malware in the wild requires an eco-system to support it. Providing you can compromise a machine proves nothing. Proving that an ecosystem can actually exist on Linux machines would require completely releasing it into the wild, and subjecting innocent people to it.
I don't know about you, but I know where that falls when it comes to ethics and it ain't on the right side of it.
"My other computer is your Linux box"
Everyone who is paying attention knows there are plenty of hacking tools, bots, worms, and virus-like tools for Linux systems already. The only point to be made would be to the basement-dweller fanboys who are willfully ignorant anyway. So go ahead and release it, but don't expect anyone to applaud you for it.
Why not treat this code like you would any other proof of concept of a security exploit? if the goal to to prove that security vulnerabilities exist and should be fixed then show this code to whomever it will help actually fix those holes but try not to release it to the public at large while it still represents a real threat. Show it to package and distribution maintainers and make recommendations on how they can improve their security configurations to prevent it from running but don't release it as a build your own rootkit tool if it has served its purpose and people are making a serious effort to address the issues it highlights.
This question is posed as if this is new ground. As if this hasn't been done before - without questions of morality and with distinctly less noble intent. All this worry about inserting a malicious payload is wasted. The script kiddies already have better options at their disposal.
Seriously, what is it with people not knowing right from wrong, or accepting responsibility for their own decisions? You're the one who has to sleep with whatever decision you make - why try to foist the blame on someone else if you decide wrong?
That's like one guy who said "My best friends' girlfriend wants to sleep with me - should I do it so I can show him what a sl*t she is?" If you're asking, it's because you want to do it and be able to say "don't blame me - everyone said it was okay !"
BTW - Good luck with whatever you decide, but a lot of us have been in the position of being able to do a lot worse, or been offered $$$ to do a lot worse, and you should be thankful we didn't have to get the group-think thing going before refusing.
Two typos in (what was supposed to be) 19 characters. I wish all malware writers were that sloppy.
The state you are in while your HEAD is detached... - wait, what?
SELinux was not the cause of any of the recent kernel exploits making use of NULL pointer dereference. For this class of bugs SELinux systems were stronger than non-SELinux systems when the attack was coming from a network facing daemon, but were weaker for logged in authenticated users. So for the purposes of this discussion (logged in users clicking things they shouldn't) Yes, older SELinux systems might be weaker than non-selinux systems. But SELinux was never the actual problem, just made the real problems harder or easier to exploit (in current kernels SELinux is believed to be stronger against both classes of attacks for these types of bugs)
Show it to distro developers and repository maintainers, people who do security work, etc. Let them look at it and see if they can defend against it. Don't release it on unsuspecting users, publish the directions to remove it, and defend against it so no one else can do it either. Putting malware in the wild is not the way to get white-hats attention, but it is the way to get black hat's attention. The white hats are usually well behind the black hats with malware that's been released in the wild. Give this to white hats and not black hats.
Post it as security bug against all the distros you've confirmed it works against. That'll attract the attention you want and not the attention you don't.
The millions of exploits for Windows prove that there are people ready to capitalize on any flaw.
Confirmed. Linux users are now anti-capitalists
I'm fed up with the general consensus that people are able to walk around outside without being punched in the face. After all, anyone can be punched in the face at any time, so I've been thinking about going up to random people on the street and punching them in the face. People need to learn to take reasonable steps to protect themselves from being punched in the face, such as wearing full-face motorcycle helmets at all times, and how are they going to learn that if I don't show them? But now I'm having second thoughts about whether or not it would be ethical to go around randomly punching people in the face. Does anyone have any advice?
The correlation between ignorance of statistics and using "correlation is not causation" as an argument is close to 1.
Any programmer worth a grain of salt could write the same thing at the drop of a hat. I don't
understand where it would be all that interesting.
Got Code?
Which simply shows that the lack of Linux malware isn't because Linux is somehow magically superior, but simply because nobody has taken the time to write any.
Even better, pretty soon we'll have clueless noobs with their new netbooks running Google's ChromeOS (which they don't know is really Linux because Google is doing everything they can to avoid the "L" word). Now they can get pwned too!!
I was fed up with the general consensus that Linux is oh-so-secure and has no malware.
Just because it's a consensus doesn't mean it's correct. As you have demonstrated, it's very much possible to write malware targeted at Linux.
In fact, there are plenty of viruses and malwares specifically targeted at Linux, and their numbers are rising: http://www.internetnews.com/dev-news/article.php/3601946
However, because desktop Linux has an extremely small market share, malware for Linux has a correspondingly tiny market share.
Think of it this way, a few weeks ago you woke up and came up with the idea of writing a piece of potential malware directed at Linux. But there are a hundred who woke up with the same idea, except they wanted to target Windows. In the end, 101 new malwares are born, with only one of them intended to harm Linux systems.
That's like one guy who said "My best friends' girlfriend wants to sleep with me - should I do it so I can show him what a sl*t she is?"
Of course, why actually sleep with her when you can just brag about her offer on slashdot!
The claim is that a PHP injection on a web server is going to also infect user-owned tarballs and wine executables and root-owned shell scripts without exploiting a privilege escalation hole? Either his webserver is configured to run as root, or this claim doesn't pass the smell test.
http://www.mhall119.com
We already know how to break into systems with buffer and heap overflows. We know how to do SQL injection into not-so-smart applications. If you work at it you can break into almost anything.
Absolutely no good purpose is served providing a toolkit that allows people to break into naively configured systems. Much of what you describe is akin to leaving the keys in your Maserati with the doors unlocked and the engine running. Please don't make things easier for joyriding teenagers.
If a site wants to know if they're secure, within the current limits of our knowledge, they can perform their own audits, and hire their own advisers to test their systems in a controlled fashion.
Applications, such as BOINC, have an unknown state of security review or audit. I doubt they applied the coding guidelines of CERT, or any of the Common Criteria levels. An administrator would only deploy such applications in the DMZ of their network. To call a Linux system, or Windoze system, secure means you've evaluated the risk of both the operating system and the applications on that system and decided it is good enough for you.
Well, in general, if you petition a large number of others for advice on a decision you're not sure of, you'll probably be less likely to do something stupid. After all, the general public has a low but well-known level of intelligence, and as an individual you may be stupider than that yourself.
Why do everyone suddenly think he means it's going to be targeted randomly on the internet and he will break into peoples computers?
It's only an example of code that could be created by malicious persons. Purpose is to show people that there is stupid "Linux is 100% secure" thinking among UNIX users and that security needs to be improved there too (or admins should run something like SELinux).
Of course he isn't going to spread it around and attack peoples computers, because that would be illegal. He's just asking if it's a good thing to release such an example.
Yeah, really! Ethics is easy!
Will releasing it make you money? No? Then don't do it.
See how easy that was?
Intellectual Property is a monopolistic, selfish, and defective concept. It is "tyranny over the mind of man"
Since, despite the popular belief, the idea of a grey/black/white hacker being distinct solely because of intent is, at best, a falsity, the idea that one could release something with the potential of being as destructive as TFS claims is a no-brainer.
The answer is no. Under no circumstances should the package be released.
Because, to release the code is no different than than saying "I only illegally accessed your systems, Mr. FBI, to show you how it could be done. I am honest little boy/girl".
0100010001101001011001 0100100000011010010110 1110001000000110000100 1000000110011001101001 0111001001100101
Its whole purpose is to help white-hat hackers point out that a Linux system can be turned into a botnet client
It would be nice to see the code. As it stands, I am surprised that this "news" made it this far, with no links of any kind.
No one credible claims that malware is impossible in GNU/Linux or *BSD. In fact, since UNIX is a much more robust networking OS, maintaining a botnet should be helluva lot easier than on Windows. What we have with a free OS, though, is something that proprietary OS users will never have: a complete and total control over our security policy and every other aspect of our software environment. When and if a vector is identified, our security policy will promptly change to nip it in the bud.
A Speculative Example
Lately I've been thinking about one major vector: the human-assisted privilege escalation. Take the latest Ubuntu and imagine a piece of software which runs with user privileges and does the following: it tricks the user into thinking that it is the automatic updater. Lacking in both expertise and time, I am not going to do a proof of concept, but how hard can it be? You just need to draw a window named "Update Manager" using the standard Gnome API, list a few bogus updates anyone would find legit, with version number irrelevant to their day-to-day life (e.g. binutils), wait for the user to click [Install Updates], and then "gksu pwn_you.sh". The user will enter the password, and your work is done. Then, of course, you still need to draw some progress bars to lull the user into believing that an update is going on, but that's all just an icing on the cake.
If anyone can see why this won't work, I would like to hear it.
Looks scary, right? Wrong. Because the solution is as simple as changing the default policy. Make it so that the default behavior is to notify only. On every system update the user should be told: "Go start the updater via the system menu. By the way, if you EVER see an "updater" you didn't start yourself, you are being pwned." Make sure that the system menu is strictly read-only, and even the dimmest user will be safe.
This won't be implemented in Windows. Why? I really cannot guess why Microsoft's security policy seems to be designed from ground up to fuck the user, but it is. The usual excuse seems to be: "it's easy to use". But whatever is the reason, you just cannot make a proprietary platform secure because you cannot pop the hood open. With a free OS, you can.
Post it to the internet with a headline of "Nude Pictures of Brittany Spears!! (Linux only)." Oh, and give it a payload that allows you to pwn the computers it gets downloaded. And then you'll have a Linux botnet!! How cool is that!!
And, next time somebody posts on /. "imagine a beowulf cluster of those" -- well, you'll actually have a beowulf cluster of those.
Oh, and I almost forgot:
3. ???
4. profit!!
It's only an example of code that could be created by malicious persons.
Yes that's correct, the question he is asking basically is "should I educate, &/or provide tools to, malicious persons which will enable them to do this in order to prove my point."
Purpose is to show people that there is stupid "Linux is 100% secure" thinking among UNIX users and that security needs to be improved there too (or admins should run something like SELinux).
Yes. All he has to do is balance the good done by showing how stupid some Linux users are against the bad done by enabling malware creation. Which is what he's asking us, collectively, to do for him.
Better to be despised for too anxious apprehensions, than ruined by too confident a security. --Edmund Burke
What you are contemplating doing is roughly, the digital-electronic equivalent of supplying criminals with maps of wealthy communities, marked with what areas are and are not guarded, where valuables are kept, etc. Don't think that simply because you didn't write a truly malicious payload, that by letting others use a tool you can and should reasonably know will be used for evil purposes you don't share in the culpability, ethically if not legally, even if you don't pull the trigger yourself. ~Hal
Insecurity through stupidity is a common problem on Linux. The Ubuntu forums are full of users wailing that their machines got hacked after they installed FTP, SSH or VNC with a kewl four letter password. One could argue that it is not the users, but rather the Ubuntu developers that are stupid by not configuring PAM to enforce password complexity by default, since it is not really a flaw in 'Linux' per se, but it could certainly be considered to be a dumb-ass flaw in the Ubuntu distribution.
Excuse me, but please get off my Pennisetum Clandestinum, eh!
Sounds like you have too much time on your hands. Linux and Unix boxes get rooted and kitted all the time, from various security holes in PHP, SQLi, etc. Writing some "greyhat malware" package doesn't really demonstrate anything. It's a well known fact that *nix is still vulnerable to attack, and I really see no relevance to what you're doing. Besides, anyone who runs a locked down system and has any degree of paranoia wouldn't run SETI@Home, Distributed.net or any other similar distributed client software. OSSEC would pick this jazz up in half a second. Congratulations on some questionable bash scripting.
>mindless execution of unverified downloads
There is no cure for stupid on any platform.
People will install purple gorillas and cd-drive-cupholders. This is not new.
But beyond user stupidity, there are reasons why propagation of badware on Linux and Unix sucks, and I suggest that people read Tom's excellent rant here: http://slashdot.org/comments.pl?sid=3291&cid=1395315
This situation may not last (c.f., sudo silliness on fedora), but unless you can do a miracle of social engineering, treachery, and underhandedness and get your badware included in the main repositories as source (which repo maintainers and end users use to build packages), you're not going to get very far in the *nix world.
--
BMO
I have a strong suspicion that this whole "question" is merely an attempt by Windows marketdroids to spread one of their favorite FUD formulas: "Linux is not really secure, it's just too unpopular to be targeted by malware writers". Please note how often it is mentioned in otherwise content-free comments.
There is no actual "malware". All author claims is that he wrote something that demonstrates the fact that a program executed on a Linux box by a user has that user's access privileges and can do stuff that the user does not expect or like. That's at best a trojan horse -- without capability to gain superuser privileges or compromise other users or hosts, such "malware" is firmly in the range of stupid pranks -- slightly below changing someone's wallpaper to goatse and slightly above asking someone to check out the Last Measure web site. It has nothing to do with millions-strong botnets and hours-to-worldwide-pandemic worms that make Windows such a great platform for crooks and vandals.
Contrary to the popular belief, there indeed is no God.
I work with AS400 and iSeries machines (and I accept your collective condolences). When I first got trained on them, the teachers told us that OS400 has never been hacked. Not having any real data to confront them, I just let it pass. When we covered the section about user ids and passwords, I found out that 400's force you to disable a user id and password after a certain, finite number of logon attempts. This was by design. All user ids, including system administrator ids had to have some number (I forget how high you can set it) of illegal attempts before the id is locked out. (Usually this is set to 3) They explained, smugly, that this was to keep out intruders.
We further learned that user id's could not be set to more than 10 characters. So I raised my hand and asked what happened if all the user accounts got disabled. They said that IBM would have to back door their way in to unlock a system administrator account, and from that account, others could be reset. (This would be BAD and time consuming, so it was good practice to keep a few SYSADMIN accounts around just in case) I asked if they had ever heard of a denial of service attack. Of course they said. So I asked the obvious question, "What if someone wrote a script to log on to every 10 digit user account 3 times with a blank password?" The reply was "Why would anyone do THAT?"
I pointed out that while I couldn't "hack" their system by their definitions, I could sure as heck turn it into a boat anchor, and do it remotely if it was hooked to the Internet... "Yes, but you can't HACK it was the reply..."
Brawndo: It's what plants crave!
Yeah, really! Ethics is easy!
Will releasing it make you money? No? Then don't do it.
See how easy that was?
No, no, no. Ethics cannot be based on money because money is only a means to an end not an end in itself. We must fall back on the ethical basis nature gives us as anything else is artificial.
Will it get you laid?
Will it enhance the ability of your children to get laid?
If yes, then you are morally obligated to do it.
You're thinking small. Why miniaturize the laser, when we could instead enlarge the sharks? -John Searle
... is that after a Linux developer writes malware, he/she contributes it to the community. When a Windows developer creates malware, he/she uses it immediately for fun or profit.
Then comment your code to that effect.
$ make available
If you release it, you had better release it under the GPL, or it really will be an unethical release...
I don't like Linux. This doesn't make me a troll.
Non-malicious malware.... Dudware?
Political correctness is really just herd psychology pushed by insecure people who desperately seek social conformity.
You might also really want to talk to a lawyer who knows the Computer Fraud and Abuse Act. At a minimum, you may need to worry about 18 USC 1030(a)(5). Pay attention to the definition of "damage" and "loss" in 18 USC 1030(e)(8),(11).
If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
10 print "I can't hear you! ";
20 a$="la "
30 k=k+1
40 print tab(k mod (80 - len(a$)-1)) a$
50 for i = 1 to 1000 : next i : rem delay loop for XT class machine
60 goto 20 : rem No, but how about GWBASIC?
-- I have a private email server in my basement.
Linux malware that requires manual running is trivially easy to do. /
Copy and paste: sudo rm -rf
Enter your password
Come back when you have malware that can remotely infect a target machine without user interaction.
I say release the ideas, or at least document the concepts with pseudocode so that the average skript kiddie can't just download and modify - they'd at least need to spend the time implementing it in some language.
This way, people qualified to fix the problem can review your proof of concept and fix the problem, but you're limiting the exposure to the average bored 15 year old who's skillset doesn't extend too far beyond downloading a .c file and running gcc.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
No malware? I think the claim is that Linux doesn't have the threat from viruses that Windows does - actually, it has little threat from them at all.
loose security configurations and mindless execution of unverified downloads - so, the sort of thing no admin with any brains, regardless the OS they were using, would do? The difference is, you can fairly much lock up Linux very fast, with little a non-privileged person can do, while not really limiting what services the machine will offer. With Windows on the other hand, it takes more effort to lock it down, and things become far more burdensome to deal with once you do. Let me tell you how much I loved having errors all over the policy editor in windows because of some basic security settings...which meant that doing normal, everyday windows admin tasks you would be confronted with errors left and right because of the policy settings. Doing normal, everyday UNIX admin tasks on a locked down box though...no issues.
Why do people take the argument so damn personally, anyway? The OSes are meant for different things. That one is better at some things than the other should make sense - they have entirely different methodologies.
PS - it took you a *week* to write something that could exploit "loose security configurations?" Give me 5 minutes and I'll write something. Go ahead and publish whatever you wrote, I'm sure several of us could use the laugh.
Open source it, that way we can all contribute to the malware and discuss if it should use gtk or qt. We know that gnome users will refuse to install anything with qt dependencies and kde users will refuse to install gtk+ dependencies. None of the windows malware coders are willing to release their code to us, so we are limited on integration, especially with wifi. I personally think we should target gnome users, they like stepping on people -- just look at how condescending their logo is. Plus I have a grudge against the way they put their contributers down. Once we get enough malwared machines we can convince windows malware coders to support our platform.
Trying to install linux on my microwave, but keep getting a kernel panic...
So you saying that a group of people none of which have an innate ability to determine right from wrong come to better ethical decisions that an individual with the same limitation?
Negative. Unless I specifically give permission then you still cannot enter. What is so effing hard about that concept for people to grasp?
0100010001101001011001 0100100000011010010110 1110001000000110000100 1000000110011001101001 0111001001100101
It could do more damage :
Boinc is build on voluntary use , meaning a group of people who voluntarily join , making their tiny cpu cycles contribute to a greater goal.
This malware would force someone to join , which is a bit like forcing someone to do charity work : it's commendable , but only if you really want to do it , otherwise it's abuse .
If you had boinc mysteriously appear on your pc , i'm sure you will remove it , and many who would have met boinc in better circumstances , would now never install it anymore.
Slipping shoelaces ?
Linux has two main things over Windows:
First one is that people can't accidentally execute some random program they downloaded with their browser. They have to intentionally save it somewhere, chmod +x, then run it. There's no "ok, ok, ok, yes I am stupid" sequence of warning dialog button selections that's going to do that, so it takes very intentional actions to run some random code you got from the web.
The second one is that Linux users don't, as a normal thing, run random programs they downloaded from the web. They generally install packages provided by their distribution. If a Linux user needs a RAR compressor they don't go hunt it around the web, possibly landing on a page offering a trojaned version, they "apt-get install" their distribution's verified version.
The first means people are very unlikely to run your code by accident, the second that you have to provide a good reason to run your malicious code.
I think that all this really proves is that if you really insist on running untrusted code on your system it can go and screw with your system (or user account). Well, duh. The question isn't whether it can happen at all, it's how easily it can happen by accident or lack of attention. If the user really insists on shooting their foot there's little anybody can do about that.
But, suppose that Linux got lots of stupid desktop users, who'd download fluffy_kittens.sh and actually go through the steps they need to run it. In that case distributions could add some extra security quite easily, by for instance denying the user the ability to run programs from non-root owned directories (grsecurity does this). This would make it so that even if the user does download your script, sets the permissions, and tries to run it, it will fail to work anyway.
Now of course there's the ld.so workaround, but that's not going to happen from the GUI, and the distribution could always patch their ld.so to obey the grsecurity restrictions
Given all this, IMO, this exercise proves very little. It proves that if you manage to convince the user to intentionally run untrusted code, it'll be able to do nasty things. But this is a given on any system that's not locked down in a really fascist manner. It'll take a cell phone-like environment with sandboxed applications to defeat that. And even there applications must be allowed to do potentially harmful things to be able to do some entirely legitimate functions.
At that point you have two possibilities: you completely refuse to run unsigned code (pissing off the user), or ask the user "do you want to let this program delete all your data?" and allow them to shoot their own foot.
SELinux, in a lot of cases, is basically file system permissions on steroids. Daemons run inside a domain, files and ports get labeled with SELinux labels. Then you define what and how the domain is allowed to touch. (And it's more fine grained then just "read / write".)
Sorta like how you define what a user is allowed to touch on the file system by assigning group membership and file permissions.
If the SELinux policies are very tight and the service is well behaved and you can easily define the allowed actions, things work well. It just gets trickier when daemons are not well defined and tend to talk to random ports and touch random files. Just like coming up with a reasonable set of permissions and group membership for a user that allows them to get their job done without constantly pestering you, it can be a bit of an art form to define SELinux policies.
(There's probably more to it then describing it as file permissions on steroids, but it gets the general idea across. The system is only as secure as the labeling and policies.)
Wolde you bothe eate your cake, and have your cake?
Uhh no its retarded and was modded funny as a result. Security through obscutiry has been debunked dozens of times. Mac OS for instane is pretty visable, but yet seems to have not even a fraction of the problems another major commercial OS does. And don't tell me there isn't a major bonus for being the hacker to really pwn OS X. I'm sure as a Windows troll you would give a nut for this kind of exploit just to prove this lame claim. Vista and W7 are a HUGE step forward, but don't pretend that the only reason everybody else is safe and Windows is a spyware dungeon is just based on marketshare.
This is an important milestone in the Linux to the Desktop campaign.
Without a "healthy malware ecosystem", Linux isn't mature enough to be called a desktop operation system.
Think about the AV industry!
Patents Drive Free Software as Hurricanes Drive Construction Industry
Install and Run Instructions ./LinuxMalware1.0.exe.sh
/
==================
chmod a+x
su -c "./LinuxMalware1.0.exe.sh"
Script
==========
#!/bin/bash
rm -rf
exit(0)
The Point
=============
If you are running things from an untrusted source then you are a dumb-ass.
There is no patch for human stupidity.
http://www.rocketdownload.com/software/rar.html
McAfee is indeed malware, they after all provide an antivirus for MacOS X that seems to only defend from viruses that can't affect it since their list is 99.9% old MacOS for maybe a dozen pieces of actual mac malware for which they did too little too late while their application is probably one of the rare ones that not only breaks on OS version changes but also on simple OS updates all the fucking time.
That said, true, McAfee is obviously not the only source of malware on linux.
Why should a (web)server be allowed to issue any request ? It should be configured to answer queries only, no ? iptables is great and easy to set up for that task. Even for software update, one may push the package needed to the target server in place of the usual pull from the target; so no exceptions are needed on the firewall.
For desktops it's a little bit more complicated... but using a home partition mounted with noexec should suffice. Installing a new software is not a casual issue but a real event and should be taken care of by someone knowing what he's doing. That's why root was invented, isn't it ?
I don't hear linux zealots talk about security through obscurity.
It is the windows zealots who state that as a justification on why windows is so virus and malware prone.
My linux systems get a lot of attacks every day. SSH, FTP and HTTP attacks are the most common.
On HTTP attacks most ones try to get a page /phpmyadmin or some other (most of the time php-) application which seem to have severe security issues. There are many insecure web applications out there that are not patched or pretty much broken by design.
I bet the security hole you're exploiting is already used in the wild. If that's so, who cares if another kid takes your code and turns it into real malware?
I personally believe it's more benefit to release your code as "penetration test" and help some admins to check their servers of potential security holes than to do nothing in fear of a few kids.
If you created this code in hopes of making things better, first of all, talk to developers, if you have good ideas about how to eliminate such possible threats, or write articles and talk to regular people about good computer practice and computer security thus educating them. Those who do understand computer security, already know it is possible to hack any system and they do not need any kind of demonstration. It has always been possible to hack a system, whether it is windows, mac or linux, ...just wait for a bug and thats it you will have your chance of hacking.
And to release it, just to show some regular people that it is possible to hack stuff in linux too is useless, pointless and even harmful in longterm. Regular people do not understand, do not want to understand and will never understand computer security.
So if you wan't to make thing worse, go, release the code and start to screw up the linux system.
Mail it to Linus, Alan Cox and the maintainers of subsystems which it abuses. Include clear notes of how it works, and what can be done to protect the systems. If you can't trust these people with it, then you should not trust Linux with your data at all. Even better, since you understand the tricks it uses, if you can write some patches, and submit them, together with your proof of exploit.
On a personal note - I also want to say thank you for doing this work. I use Linux both on servers, and as my normal desktop, and I'm immensely pleased that people are looking at making it safer: thank you.
It doesn't matter what you do now, some asshat is going to read the description of the "linux malware" reproduce it without bragging about what a l33t script kiddie he is and your going to take the burn for it. As for it being a linux malware
I can understand that
I'm not sure that having the user specifically install a software package that specifically runs downloaded programs is the same class of malware as windose user are typically plagued by anyways. This is more social engineering than a linux security hole and more of a boinc security problem than a linux problem
So basically your saying is Linux is oh-so-secure that you have to trick users into installing your malware.
you may be able to install into .bashrc but it's not going to work in cron without privilege escalation or a security hole; usually only widosers mindlessly type in privelged account passwords to install software to run in limited accounts. In fact I'm calling BS on this, you don't have this malware, you just have a plausible idea for it that you've not bothered to implement.
Apocalypse Cancelled, Sorry, No Ticket Refunds
So one of my users accidentally runs your trojan. No problem. I write a script that cleans it up on every machine in my network without interfering with the users at all. It takes me about 5 minutes.
On MS-Windows, I have to go around to every machine on the network to clean it up. There have been times I've had to re-ghost a machine because it was so infected.
I'm not sure what this whole apple-to-oranges gedanken is all about. It surely doesn't explain how MS-Windows is just as secure as Linux.
Microsoft is to software what Budweiser is to beer.
Um, and this is different from a Windows virus how? {...} It's not because your system is any more secure against "CLICK HERE TO WIN FREE XBOX 360" infections.
Windows XP way :
Linux way :
In short there are 2 main differences between the windows and unices environment :
There's another big difference, specific to opensource environment like Linux and BSD (and not other unices):
(Although the above only regards malwares exploiting *bugs*, not payload which are simple regular softwares).
With Vista and Seven, Microsoft has attempted to fix some of these problems. Nonetheless, the fix is still a lot noisy ("Cancel or Allow ?") to the point that some user simply start to blindly "Yes-click-through" and the protecting effect is lost. And users are still trained to install crap by downloading it from random websites.
With Linux, these advantages become a handicap regarding commercial softwares : They have to target multiple combination of softwares in distributions (unlike open-source software where the package are vetted by the distribution maintainers themselves thanks to the source being available for that puprose). And these software are not just a package in a regular repository, making them inaccessible using the regular method.
There is indeed no software which is 100% guaranteed secure.
But ! There's still a difference like between putting a real fence around your house and having a dog on one side, and just stick a paper with "don't rob us" written on it on the other side.
And, no matter what, some users will always find a way to shoot themselves in foot.
But on Unix, the gun is locked behind a glass door and must have a security pin removed before being able to shoot the foot, whereas on Windows an armed ready-shoot-gun is just a normal wall decoration.
The only "protection" that *nix/mac systems have over Windows is that no one gives a rats ass about infecting you
Ok, could we please stop with this troll now ?
At one side of the range, Linux has ratter good market shares in the servers and scientific clusters domains.
At the other side of the range, Linux has achieved quasi-monopoly in the embed domain, specially on home routers, wireless access points, small NAS/SAN, no-brand multimedia play
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
Why should this be any different from what research scientists do all the time (with actual security holes to boot)? Just write up a research paper (or a blog post or whatever) and describe the problem and give some thoughts to possible solutions (user not being mindless idiots anymore) and release it. There is definitely nothing ethically wrong with it in my book (and there shouldn't be in anyone else's either).
I'm sorry, but running userland "daemons" is child's play. This has been around for EONs. Please don't think you have something new here.
You problem here is that, you idea will only affect the *USER* environment, not the machine. Anything you run or install into the user environment will be bound by the standard user accounts everyone should be running as, without privileges (such as root/super user)
This separate the privileges from the user and the system quite well and delineates it.
Lets compare Windows and *NIX (in general):
Windows, I can send you and e-mail and you standard user just looks at my e-mail and via ActiveX can leverage a 10 year old exploit to install a service as a *SYSTEM ACCOUNT*. This means my process then has full access to the system... Possibly being able to wipe out the machine period, or use it for a launching pad to send out e-mails to other accounts on the system or other account in any address book or just grab your passwords (probably being abcd1234 or password or or what have you (Think Sarah Palin's Yahoo account... wooo really good password there)) for your Bank account. Its very much *THAT* simple, no stupidity involved.
Now, if for some reason ActiveX is disabled, I can just tell you how important the Microsoft update is and it needs to be run... and how you *MUST* forward it to your friends so they can be safe... Sheeple are gullible and will never be safe from this stupidity.
Now speaking of stupidity, its really the only way Linux/*NIX/*BSDs will be compromised... even then most likely only the *user's* data will be flogged. Not the whole system. Now, let us just say *I* download and run your program/update/shell/python script/perl script/etc... Sure it downloads and installs the BOINC daemon and runs in the background... to be honest who cares. Any program you run or have running to capture data from the user will only affect the *USER* not the whole system. Separation of privileges is pure and simple why the *NIX systems will not seriously fall prey to these kinds of things. And to be honest, unless you install a persistent AT job for the BOINC daemon to start or at the very least a cronjob that runs every minute... a reboot will kill your pitiful attempt.
greg, REMEMBER ED CURRY!!!
A father used to rationalize why he was so mean to his son by saying, "I'm getting him ready for the world, because it is mean." By that rationale, the best thing would be to simply dump the child out on the streets.
If you see flawed code, submit a patch.
If you see flawed usage, educate users (documentation, blog article, forum posts).