Ask Slashdot: Is GNU/Linux Malware a Real Threat?
New submitter m.alessandrini writes "I've been using Debian for a long time, and I'm not a novice at all; I install system updates almost daily, I avoid risky behaviors on the Internet, and like all Linux users I always felt safe. Yesterday my webcam suddenly turned on, and turned off after several minutes. I'm pretty sure it was nothing serious, but I started thinking about malware. At work I use noscript and other tools, but at home I have a more relaxed browser to be used by other family members, too. Here I'm not talking about rootkits or privilege escalation (I trust Debian), I think more of normal user compromise. For example, these days much malware comes from malicious scripts on sites, even in advertising banners inside trusted sites, and this is more 'cross-platform' than normal viruses. So, what about non-root user malware? How much could this be real? And how can you diagnose it?"
Your webcam turned on, then off, and you didn't ask it to? I think you need to figure out what happened first.
Yes.
It would help if the manufacturers would preinfect their software so we could stop worrying about "if" we are infected and move towards just accepting it.
*Disclaimer: I in no way work for, represent, or contract for Sony. (Sorry Sony lawyers made me add the preceding text.)
You're using Debian and didn't look to see what's using the /dev/ entry?
Just take a look at the numbers. See how many Microsoft Windows only malware "products" come out each day, and then compare that to other platforms. Make your own decision as to how "real" the threat is.
It was just Skynet checking out what you were up to. Or maybe the ATF. Or Russian Mafia. Or...
As for security, ~5 years ago I read someone's account of watching while someone on the internet installed a root kit on his Linux box in a matter of minutes.
Presumably some platforms/applications are less likely to be compromised than others, but the safest assumption is that everything is compromised, or would be if the experts wanted it.
Sheesh, evil *and* a jerk. -- Jade
That's not an O.S. issue. If anything it is an app issue.
When I ran Linux on my laptop for work I always ran some form of AV. I really wasn't concerned about my own machine being compromised. The scenario that bothered me was the potential for a client to send me an infected file which could get forwarded to another customer. Due to the nature of our business, at the time, that would've been rather embarrassing.
Solving Unix problems since 1989...
It's linux, expect it to fuck up often when it comes to device drivers.
Getting struck by lightning is real. Worrying about/preparing for it very much is silly. Draw your own conclusions about how this applies to malware on a Linux machine that's kept up-to-date and the user avoids risky behaviors.
For lightning, make a will, and you're covered. For Linux, make backups, and you're covered.
Has anyone seen mike hunt?
So you get GF / Wife vids of doing who knows what posted to the internet and you can now claim plausible deniability - smart move!
Do not copy and paste commands into your terminal that you do not understand.
The vast majority of compromised Linux systems that I've dealt with have not been because of any malware or crazy hacking, they've been because people copied and pasted commands that gave attackers free access to their computer. I've seen fairly computer literate people open their systems right up because they had a bug, searched Google, and entered the first command they saw into their terminal.
Don't do it. Don't let your parents, friends, or whoever relies on you for tech support think that this is okay behavior. It's just as bad as launching random exe's in Windows.
I actually believe in general, from a strictly technical standpoint, that Linux is much easier to exploit than Windows. All of its internals are well understood, and there are more things one can do with shell access.
There is also a massive wide range of how secure a particular system is, based on settings and the OS of choice. Even in embedded devices, many have telnet/ssh hanging wide open allowing root access from the factory.
The primary reason Linux hasn't been a target is because of the relatively small and savvy user base of desktop Linux and that enterprise/server stuff tends to be more secure.
I'd worry about it a little, but bigger threats are things which target locked down Linux like Android.
So, what about non-root user malware?
There's your answer. And non-root user malware can become root-user malware by just adding a cron entry for itself to download the latest 'sploit code and having it run the exploit before you get a chance to reboot to finish a kernel update (or just in the hours before you run your daily updates).
We already know browsers are buggy. Mitigate your risk by running ad blocking software for your browser.
Yes. As strange as it is, a headline question can sometimes be answered with yes.
Linux was safer when it had both less market share and almost no users who download and run random things. As long as you have lots of stupid people, they will be targeted.
There may also be major security issues in the code base (not just the user base), as well as the general design. I think there are major problems there, but even without those, there is clearly a threat here, because people do stupid things, and Linux isn't safe from that. It's actually pretty bad at defending itself from stupid users, since it empowers users to do stuff. Don't claim there is great VM and sandboxing support to solve this: we are talking about stupid people here: it won't be safe at all unless running random crap is sandboxed safely by default, and people aren't desensitized to allowing applications to access random crap (Android, darn you with your apps that must access everything to target ads).
Now if you asked if Genode was safe, well, maybe that is closer. More secure design, and basically no stupid users: that is safer!
http://xkcd.com/1200/
Yesterday my webcam suddenly turned on, and turned off after several minutes.
Hey, sorry about that. I was trying to get the girl next door that's leeching off your wifi. She's so cute! But when I turned on the webcam, I knew I had the wrong person. Also, dude, put some pants on. Nobody wants to see that.
Oh, and that stuff about Linux having malware? I'm sure you have nothing to worry about. The Year of the Linux Desktop hasn't come yet (though they say it'll be this summer for sure!), so you're safe. All the malware me and my friends at the Evil League of Evil make for Linux is designed to worm its way into web servers, ftp, etc., to spread malware to Windows boxes. We aren't interested in your personal life. You're a nerd, running Linux. We haven't found a single case of one of you having a life yet. Hell, you don't even have a decent car, man.
oh oh, gotta go, the webcam is up and... oooooh my....
#fuckbeta #iamslashdot #dicemustdie
As long as you have people on Ubuntu forums posting "sudo apt-get " as the solution to everything without explaining what they do, and as long as you have people willing to copy/paste the commands without understanding what they are doing, then malware is a threat.
The same groupthink plagues the Arch Linux forums. Blindly copy/pasting commands that someone else put on a wiki does not make you elite, it makes you an idiot.
The same issue exists in adding repositories from untrusted sources. What's the point of running an enterprise-class operating system if the first thing you do is add a third party repo from Russia and update the kernel with something ending -kmod?
The critical mass of idiot users still reside in Windows, where things like UAC and walled gardens exist to protect them somewhat. At least there, you have to know the administrator password to do real damage. Ubuntu and all the new user-friendly distros are content to put every new account in /etc/sudoers and allow you to use your own password to gain root access. Any operating system is prone to malware so long as people are willing to bend security practices.
then I'd worry a lot. Rootkits for privilege escalation, SQL injection attacks against poorly-written 3rd-party and locally-developed databases, PHP, CMS & web framework vulnerabilities, etc, etc, etc.
For home use, I'm concerned about router vulnerabilities (Tomato helps but is not perfect) and MITM attacks (but there's nothing I can really do about them except keep my s/w up-to-date, while praying that vendors do the same).
"I don't know, therefore Aliens" Wafflebox1
RMS would say that you're sacrificing your freedom if you allow non-Free malware to run on your GNU/Linux PC computer.
Either that or "told you so."
But I couldn't get the damn thing to compile!
Consider that about fifteen years ago the biggest warning to users was sticks and disks that would autorun, and the single thing that users could do to make themselves a lot more secure was to disable autorun.
Now as I understand it Ubuntu comes with autorun capabilities.
Fact is that there are several things making linux less secure.
The first is that there are some people who in a hurry to catch up with Microsoft copy what Microsoft does including the bad engineering that leads to malware.
The second thing is that the more respectable linux has become the more it's drawn in morons^H^H^H^H^H^H^H Windows programmers, in an Eternal September mindset that leads to the badly engineered apps.
I would say that the safest thing you could do is do any unsafe computing in a special account that you don't mind being corrupted, and boot off an external drive for the stuff you want really secure, and be careful of how you use that.
You probably just forgot to read the README, or you forgot
After installing build-essential, try this:
Note: The make install will probably ask for your password.
p.s. Did you get the version that removes your home directory, or did you get the forkbomb version?
And now they have you right where they want you.
"I'm not a novice at all; I install system updates almost daily"
Two sentences that shouldn't be anywhere close to each other.
Assuming you don't do silly things like run completely unknown commands, you're pretty safe. JavaScript and Flash are cross-platform, though. I've seen one Linux system where their Yahoo email account was compromised, probably by malicious JavaScript. It might have been phishing, though, or a combination. The main things I do for security are: run most updates provided by the distro and browser, have backups, don't run services I don't use, and I have a separate browser for Flash and Java. Most Flash is ads or pointless eyecandy so I don't miss not having Flash in my daily browser. Even YouTube doesn't need Flash these days, so I open the Flash browser maybe once per month, if that.
TEEX.com has some free online cybersecurity courses that may have good reminders for you and your family members regarding safe browsing habits and simple security practices.
...ages ago. Hence why they constantly scan for and patch vulnerabilities.
Unfortunately, there's no patch for the ultimate vulnerability. The end user.
You mean Linux? What moron walks around saying "gee in yoo Linux"?
I remember when RMS got his panties all jammed the crack of his ass because everyone was calling it Linux. Sometimes I hate the industry because of all the jackasses and whimpering babies that are in it. Know what's funny about the tech industry?... it's an industry dominated by men who are really just a bunch of pussies.
But getting back on topic... I'm not worried about it any time soon. I'm sure we'll see more attempts at LINUX! malware in about two years.
Hold on for a minute, while I finish this code
...
...
...
Ok, now it is.
You only needed to ask. That's Open Source for you.
Who would win this election: Andrew Weiner vs Andrew Weiner's weiner.
Admittedly Linux based operating systems can be very secure. However, trusting the OS to be secure would be like trusting the locks on your house to lock themselves when you are gone. You should trust that you have properly configured the system's security settings to prevent issues, not trust the system itself, especially if other people are allowed to use the system.
If an infected application can affect other applications, it is an OS issue. Your infected web browser should not be able to read your GPG keys, but right now most GNU/Linux distros do nothing to stop that from happening.
Palm trees and 8
Otherwise, your point is spot on.
You are being MICROattacked, from various angles, in a SOFT manner.
You forgot the "make clean" because you don't want those build files strewn about.
OP writes:
" I install system updates almost daily"
Seems to me that any OS requiring multiple updates per week is a fail.
*DUCKS*
. . . should always be unplugged or covered up when not used, period. I love Debian myself, but as long as you have any kind of proprietary software on there, you don't really know what all of its behavior is and what it can be set up to do. Even if your system is totally free of this nonsense, that's not to say that an upgrade won't change that. That on/off light that webcams have - they're starting to go away; an iPad camera, I'm sure you've noticed, doesn't have one. You won't even know if your device is being turned on in the future.
Unplug that thing, just common sense.
that was me
Not necessary, since most virus packagers either make clean before building the tar file, or they include pre-built binaries to speed up the install, and they'll remove them in configure if the platform doesn't match.
Finally narrowed it down to the light coming on whenever something was running that used a microphone.
I was just looking to see what's going on at your place . . .
"I believe in Karma. That means I can do bad things to people all day long and I assume they deserve it." : Dogbert
This article here explains how this can be done. It's a few years old already, but always interesting: http://www.geekzone.co.nz/foobar/6229
To avoid internet malware infections:
1. Install a virtual machine manager on your host. :-)
2. Install a virtual machine image of favorite operating system.
3. Do ALL your web browsing and such on the virtual machine.
4. Snapshot your VM regularly.
5. When VM becomes infected, restore to last good snapshot.
6. NEVER use host OS for web browsing.
7. Sleep better at night, knowing that all your enemies are sandboxed in the VM...
Two questions:
On my system, I've got noscript configured to deny all by default and all the other users (with log-ins) are configured the same way by default. If they want to change things, they can do so for those sites where it's a must to have scripts, but they've already learned to be very careful about that and ask if they don't know for sure.
Mod me up/Mod me down: I won't frown as I've no crown
That's easy on Linux. Much easier than on Windows because everything is just a file, there's no registry or anything like that, and no copy protection. In some of the very first Linux distros, that's pretty much how the installer worked - it treasured a "backup" of a default system. Just copy the files and install the bootloader, basically.
I created a system that backs up your Linux system to a virtual machine, so the backup can be booted directly, or be restored by copying it to a hard drive. Even cooler, Linux can act as an external drive enclosure, so the empty machine can be plugged into the backup and booted from the backup file directly, with the hardware believing it's booting from a local drive...
That should work better.
I'm starting to think GNU is the problem with "GNU/Linux" these days.
Nope. The make install calls sudo for you. (See the part where I said make install will "probably" ask for your password. It won't do so if you've sudo'd recently from the same terminal window.)
And the virus is installed as suid root, so there's no need to sudo for it.
You mean Linux? What moron walks around saying "gee in yoo Linux"?
In practice, I've taken "GNU/Linux" to mean any Linux-based operating environment that is more similar to Fedora or Debian than to Android. What clearer term for Linux-that-is-not-Android do you recommend?
Reading the replies, some mentioned Flash. Flash for Windows defaults to webcam on, so I thought I'd check my Flash for Mint as I wasn't sure if I had set the settings. Mint is my start in Linux and used infrequently.
Things led to preferences, Network Proxy prefs showing 127.0.0.1 as being ignored; hit the help button and get a standard Mint manual in which "network proxy" isn't found.
http://i39.tinypic.com/2z5uf80.jpg
No help, so I see if it means what I think it means and put "127.0.0.1. slashdot.org" in my HOSTS file, saved, rebooted, then logged into slashdot.org
http://i41.tinypic.com/2s99gr8.jpg
Crap, the only things being blocked are the sites placed into my router. I've been wide open the entire time while thinking some 19400+ sites I have blocked in my HOSTS file were blocked, and they haven't been.
No, I don't trust Mint anymore after today; I've no clue what other surprises are "built in".
It is the most assuring way. If you simply cannot afford to have a particular machine compromised over a network, then don't use it over a network. I treat a machine that is capable of public connectivity with some skepticism and really am forced to take a kind of a demilitarized zone attitude towards it. Ideally, I personally would use a workstation (for development etc.) that were not connected to the internet at all, and then some other machine as a "su casa es mi casa" type area. I would also warn anyone who used the "public phone", including kids, to use it in the same gist. That is, no matter what precautions you care to take, there is always a risk of leaking information from such a POE. So why worry yourself about it? Clearly we don't want to make things easier for our potential snoops, but if you can never be certain, why take all the trouble. A standard install with a few tweaks here and there is all the time I'd prefer to give up, and keep stuff I really worry about completely off the net.
Here I'm not talking about rootkits or privilege escalation (I trust Debian), I think more of normal user compromise.
Privilege escalation is a very real threat, even in Linux, and particularly when an attacker has user-level computer access already.
As with the OS X userbase, the Linux userbase is fairly blasé with regards to the possibility of being compromised.
So far, the platform has been relatively safe, however as it gains popularity on the desktop expect more end-user focused malware (vs. the traditional sort of rootkit) to be developed. Given the vulnerabilities these days are mostly found in flash, java, javascript, etc, and your DATA is just as valuable (if not more) than root on your machine (and is available from your user account), I'd say that it is inevitable that sooner or later we'll see a cross-platform or Linux / OS X exclusive exploit get significant penetration.
Given that very few OS X or Linux users actually run any form of malware protection - IF something breaks out in a serious manner, it's likely to be a pandemic.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
You accidentally tapped a hotkey combination you were unaware existed.
I've written some myself, disguised as a 'Facebook hack tool', in order to figure out the identity, and subsequently blackmail, a guy who was harassing a friend of mine over social networks. It was a simple keylogger that reported back to a remote server every minute, which was enough to grab all his passwords for both his personal and harassment accounts. Anyway, after archiving and destroying his entire Internet presence and threatening to reveal all of his secret perversions to his friends and family, he soon backed down. Felt damned heroic, too.
Hey now, does anyone besides me remember past posts regarding DOJ/FBI's own malware, CIPAV? It was a capable malware that knew the difference between Windows, Mac, & Linux (BTW, did anyone ever solve the legal dilemma of scrubbing a customer PC and finding it? Do we remove it as we are paid to & obstruct justice, or leave it and do a partial job?) Next, I recall a recent find, within about a year, an equally capable malware, found by F-Secure, in Bogota, which reconfigured itself prior to attacking any of the three. Obviously, linux malware infestation by governments and otherwise is certainly possible!
"And how can you diagnose it?" This is the crux of it, to me. If you were compromised, how would you know? Assuming you do trust Debian-provided software, and you haven't (intentionally) installed any non-Debian-provided software, how can you check that Debian-provided software is indeed all that is running on your system right now? There actually is a product that does this. Verifying the currently executing software in memory, plus checking for kernel rootkits and backdoors, is basically what the Second Look memory forensics software is designed to accomplish. I know many aren't willing or able to pay for commercial Linux security tools, but there really isn't any open source project that does this right now. You can use debsums to verify files on disk, and maybe try elfcmp to verify what's running...
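Two of the diagnostic questions raised in this thread, which process has the webcam's /dev entry open, and whether everything currently running came from a Debian package, can be answered from /proc alone. The following is an added example written for this page (not code from any poster, from Debian, or from the commercial tool named above): it scans /proc/<pid>/fd for descriptors on /dev/video*, and checks each /proc/<pid>/exe against dpkg-query -S, flagging binaries that no package owns or that were deleted while still running. The /proc layout and the dpkg-query output format are the only assumptions, and make_demo_proc_tree builds a constructed stand-in for /proc so the code runs offline.

```python
import os
import subprocess
import tempfile

def _pids(proc_root):
    return sorted(int(e) for e in os.listdir(proc_root) if e.isdigit())

def device_holders(dev_prefix="/dev/video", proc_root="/proc"):
    """(pid, comm, dev) per process with an fd open on dev_prefix*; non-root sees only its own."""
    found = set()
    for pid in _pids(proc_root):
        base = os.path.join(proc_root, str(pid))
        try:
            comm = open(os.path.join(base, "comm")).read().strip()
            fds = os.listdir(os.path.join(base, "fd"))
        except OSError:
            continue                      # process exited or not readable
        for fd in fds:
            try:
                target = os.readlink(os.path.join(base, "fd", fd))
            except OSError:
                continue
            if target.startswith(dev_prefix):
                found.add((pid, comm, target))
    return sorted(found)

def dpkg_owner(path):
    """Package that dpkg says installed `path`, or None. The /usr-less spelling is
    tried too: merged-/usr systems record /bin/x in dpkg but /proc shows /usr/bin/x."""
    for p in [path] + ([path[4:]] if path.startswith("/usr/") else []):
        try:
            out = subprocess.run(["dpkg-query", "-S", p], capture_output=True,
                                 text=True, check=False).stdout
        except OSError:
            return None                   # no dpkg on this machine
        for line in out.splitlines():     # "pkg[:arch]: /path"
            pkg, sep, owned = line.partition(": ")
            if sep and owned.strip() == p:
                return pkg.split(",")[0].strip()
    return None

def unaccounted_executables(proc_root="/proc", owner_lookup=dpkg_owner):
    """(pid, exe, reason); reason is 'deleted' (binary unlinked/replaced while
    running) or 'unpackaged' (no installed package owns the executable)."""
    findings = []
    for pid in _pids(proc_root):
        try:
            exe = os.readlink(os.path.join(proc_root, str(pid), "exe"))
        except OSError:
            continue                      # kernel thread or not our process
        if exe.endswith(" (deleted)"):
            findings.append((pid, exe[:-len(" (deleted)")], "deleted"))
        elif owner_lookup(exe) is None:
            findings.append((pid, exe, "unpackaged"))
    return findings

def make_demo_proc_tree():
    """Constructed stand-in for /proc with three fake processes, for offline use."""
    root = tempfile.mkdtemp()
    procs = {123: ("skype", "/usr/bin/skypeforlinux", ["/dev/video0", "/dev/snd/pcmC0D0c"]),
             456: ("bash", "/usr/bin/bash", ["/dev/pts/0"]),
             789: ("updater", "/tmp/.cache/updater (deleted)", [])}
    for pid, (comm, exe, fds) in procs.items():
        base = os.path.join(root, str(pid))
        os.makedirs(os.path.join(base, "fd"))
        open(os.path.join(base, "comm"), "w").write(comm + "\n")
        os.symlink(exe, os.path.join(base, "exe"))
        for n, target in enumerate(fds):
            os.symlink(target, os.path.join(base, "fd", str(n)))
    return root
```

On a real box run it as root with proc_root="/proc"; it does not see code injected into a legitimate process's memory, which is the gap the memory-forensics product mentioned above targets.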
I love the smugness of *nix users who think that it's only Windoze users who can be compromised.
I have a rather large botnet made out of their computers. It's extremely well written code so it uses very little of their system resources and, in their smugness, they'll never even notice it's there.
Amazing how easy it is to exploit a browser to download and run the install too.
Mount home and tmp as non-executable link
AccountKiller
Actually, I have seen something similar recently on a kubuntu 12.04 machine. The web cam just went on on its own. If I remember correctly, it went off as soon as I killed skype. I am not sure whether this makes it more or less concerning, but my guess is that skype is involved.
This machine is fully patched and uses pretty strict firewall rules. Of course, this is my wife's machine, and my guess is that her browsing habits are not very safe. She told me that the cam went on and off on its own several times before...
Isn't Android already pre-infected? They already send all your info to Google.
You just need to edit /etc/hosts. That'll fix it
about the drugs you are using
1960's "what we could really do with is some sort of tracking/bugging device for all citizens, one for the home and one they carry round with them"
"No way, it'll never be accepted by the public"
2000's "I can has a phone with 2 cameras?!"
...and it's trying Linux again...