Ask Slashdot: Is GNU/Linux Malware a Real Threat?
New submitter m.alessandrini writes "I've been using Debian for a long time, and I'm not a novice at all; I install system updates almost daily, I avoid risky behaviors on Internet, and like all Linux users I always felt safe. Yesterday my webcam suddenly turned on, and turned off after several minutes. I'm pretty sure it was nothing serious, but I started thinking about malware. At work I use noscript and other tools, but at home I have a more relaxed browser to be used by other family members, too. Here I'm not talking about rootkits or privilege escalation (I trust Debian), I think more of normal user compromise. For example, these days much malware come from malicious scripts in sites, even in advertising banners inside trusted sites, and this is more 'cross-platform' than normal viruses. So, what about non-root user malware? How much could this be real? And how can you diagnose it?"
Your webcam turned on, then off, and you didn't ask it to? I think you need to figure out what happened first.
It would help if the manufacturers would preinfect their software so we could stop worrying about "if" we are infected and move towards just accepting it.
*Disclaimer: I in no way work for, represent, or contract for Sony. (Sorry Sony lawyers made me add the preceding text.)
You're using Debian and didn't look to see what's using the /dev/ entry?
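An added example (not from the thread) of how to actually answer that question: list which processes hold a device node open by walking /proc/<pid>/fd directly, so it works even when lsof or fuser are not installed. The webcam path /dev/video0 and the ALSA directory /dev/snd/ are assumptions; use whatever `ls /dev/video*` and `ls /dev/snd/` show on the machine in question.

```shell
#!/bin/sh
# holders_of TARGET -> one line per process, "<pid> <command line>", for every
# process with an open file descriptor whose path starts with TARGET.
#
#   holders_of /dev/video0     # exact node: who has the webcam open?
#   holders_of /dev/snd/       # prefix: any ALSA device, i.e. the microphone too
#
# Run as root to see other users' processes; /proc/<pid>/fd of a process you do
# not own is unreadable, and those entries are silently skipped.
holders_of() {
    target=$1
    for fd in /proc/[0-9]*/fd/*; do
        # readlink fails for unreadable or already-exited processes: skip them.
        link=$(readlink -- "$fd" 2>/dev/null) || continue
        case $link in
            "$target"*)
                pid=${fd#/proc/}          # "1234/fd/3"
                pid=${pid%%/*}            # "1234"
                cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)
                printf '%s %s\n' "$pid" "$cmd"
                ;;
        esac
    done | sort -un                       # one line per pid, numeric order
}
```

If nothing shows up while the LED is on, the device may be held by a driver rather than a process; `lsmod` shows the "Used by" count for uvcvideo, and `dmesg` shows when the camera was (re)probed, which catches the "it reconnected itself" case as well as the "something opened it" case.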
It was just Skynet checking out what you were up to. Or maybe the ATF. Or Russian Mafia. Or...
As for security, ~5 years ago I read someone's account of watching while someone on the internet installed a root kit on his Linux box in a matter of minutes.
Presumably some platforms/applications are less likely to be compromised than others, but the safest assumption is that everything is compromised, or would be if the experts wanted it.
Sheesh, evil *and* a jerk. -- Jade
That's not an O.S. issue. If anything it is an app issue.
When I ran Linux on my laptop for work I always ran some form of AV. I really wasn't concerned about my own machine being compromised. The scenario that bothered me was the potential for a client to send me an infected file which could get forwarded to another customer. Due to the nature of our business, at the time, that would've been rather embarrassing.
Solving Unix problems since 1989...
Do not copy and paste commands into your terminal that you do not understand.
The vast majority of compromised Linux systems that I've dealt with have not been because of any malware or crazy hacking, they've been because people copied and pasted commands that gave attackers free access to their computer. I've seen fairly computer literate people open their systems right up because they had a bug, searched Google, and entered the first command they saw into their terminal.
Don't do it. Don't let your parents, friends, or whoever relies on you for tech support think that this is okay behavior. It's just as bad as launching random exe's in Windows.
http://xkcd.com/1200/
Yesterday my webcam suddenly turned on, and turned off after several minutes.
Hey, sorry about that. I was trying to get the girl next door that's leeching off your wifi. She's so cute! But when I turned on the webcam, I knew I had the wrong person. Also, dude, put some pants on. Nobody wants to see that.
Oh, and that stuff about Linux having malware? I'm sure you have nothing to worry about. The Year of the Linux Desktop hasn't come yet (though they say it'll be this summer for sure!), so you're safe. All the malware me and my friends at the Evil League of Evil make for Linux is designed to worm its way into web servers, ftp, etc., to spread malware to Windows boxes. We aren't interested in your personal life. You're a nerd, running Linux. We haven't found a single case of one of you having a life yet. Hell, you don't even have a decent car, man.
oh oh, gotta go, the webcam is up and... oooooh my....
#fuckbeta #iamslashdot #dicemustdie
As long as you have people on Ubuntu forums posting "sudo apt-get " as the solution to everything without explaining what they do, and as long as you have people willing to copy/paste the commands without understanding what they are doing, then malware is a threat.
The same groupthink plagues the Arch Linux forums. Blindly copy/pasting commands that someone else put on a wiki does not make you elite, it makes you an idiot.
The same issue exists in adding repositories from untrusted sources. What's the point of running an enterprise-class operating system if the first thing you do is add a third party repo from Russia and update the kernel with something ending -kmod?
The critical mass of idiot users still reside in Windows, where things like UAC and walled gardens exist to protect them somewhat. At least there, you have to know the administrator password to do real damage. Ubuntu and all the new user-friendly distros are content to put every new account in /etc/sudoers and allow you to use your own password to gain root access. Any operating system is prone to malware so long as people are willing to bend security practices.
then I'd worry a lot. Rootkits for privilege escalation, SQL injection attacks against poorly-written 3rd-party and locally-developed databases, PHP, CMS & web framework vulnerabilities, etc, etc, etc.
For home use, I'm concerned about router vulnerabilities (Tomato helps but is not perfect) and MITM attacks (but there's nothing I can really do about them except keep my s/w up-to-date, while praying that vendors do the same).
"I don't know, therefore Aliens" Wafflebox1
Linux is much easier to exploit than Windows. All of its internals are well understood, and there are more things one can do with shell access.
2003 is calling. They want their FUD back.
"I don't know, therefore Aliens" Wafflebox1
Getting struck by lightning is real. Worrying about/preparing for it very much is silly. Draw your own conclusions about how this applies to malware on a Linux machine that's kept up-to-date and the user avoids risky behaviors.
For lightning, make a will, and you're covered. For Linux, make backups, and you're covered.
My home has a lightning rod. So do all the tall buildings downtown. I have UPS and surge protectors, and even surge arresting breakers in my home's electric service panel. It's not just worrying over lightning, it's also worrying over accidental electrocution (all circuits are GFCI protected in some form, which has saved my bacon more than once); The power spikes and drops in this city are pretty bad. Every time it rains or the wind blows a bit we get little power hiccups. My home has been struck by lightning 3 times in the past 20 years. My neighbors behind me have had a tall pine tree struck, and the neighbors across the street showed up at my doorstep at 3am one morning after a particularly loud thunder clap -- The large china-berry tree in their front yard was struck and it fell over on their house.
Just like with Malware and any OS, there is far more you can do to prevent against lightning or electrical damage. I've never lost a system to power issues, and I have many. In addition to backups I use VMs -- Oops, virused a VM image, restore from snapshot -- It's like a backup, but smarter.
RMS would say that you're sacrificing your freedom if you allow non-Free malware to run on your GNU/Linux PC computer.
Either that or "told you so."
But I couldn't get the damn thing to compile!
Consider that about fifteen years ago the biggest warning to users was sticks and disks that would autorun, and the single thing that users could do to make themselves a lot more secure was to disable autorun.
Now as I understand it Ubuntu comes with autorun capabilities.
Fact is that there are several things making linux less secure.
The first is that there are some people who in a hurry to catch up with Microsoft copy what Microsoft does including the bad engineering that leads to malware.
The second thing is that the more respectable linux has become the more it's drawn in morons^H^H^H^H^H^H^H Windows programmers, in an Eternal September mindset that leads to the badly engineered apps.
I would say that the safest thing you could do is do any unsafe computing in a special account that you don't mind being corrupted and boot off an external drive for the stuff you want really secure, and be careful of how you use that.
You probably just forgot to read the README, or you forgot
After installing build-essential, try this:
Note: The make install will probably ask for your password.
p.s. Did you get the version that removes your home directory, or did you get the forkbomb version?
"I'm not a novice at all; I install system updates almost daily"
Two sentences that shouldn't be anywhere close to each other.
Assuming you don't do silly things like run completely unknown commands, you're pretty safe. JavaScript and Flash is cross-platform, though. I've seen one Linux system where their Yahoo email account was compromised, probably by malicious JavaScript. It might have been phishing, though, or a combination. The main things I do for security are - run most updates provided by the distro and browser, have backups, don't run services I don't use, and I have a separate browser for Flash and Java. Most Flash is ads or pointless eyecandy so I don't miss not having Flash in my daily browser. Even YouTube doesn't need Flash these days, so I open the Flash browser maybe once per month, if that.
TEEX.com has some free online cybersecurity courses that may have good reminders for your and your family members regarding safe browsing habits and simple security practices.
Getting struck by lightning is real. Worrying about/preparing for it very much is silly.
My home has a lightning rod. So do all the tall buildings downtown. I have UPS and surge protectors, and even surge arresting breakers in my home's electric service panel. It's not just worrying over lightning, it's also worrying over accidental electrocution (all circuits are GFCI protected in some form, which has saved my bacon more than once); The power spikes and drops in this city are pretty bad. Every time it rains or the wind blows a bit we get little power hiccups. My home has been struck by lightning 3 times in the past 20 years. My neighbors behind me have had a tall pine tree struck, and the neighbors across the street showed up at my doorstep at 3am one morning after a particularly loud thunder clap -- The large china-berry tree in their front yard was struck and it fell over on their house.
...and you inadvertently prove the OP's point. The reason getting struck by lightning is so rare is that, even when lightning actually strikes something, it almost always strikes something taller than you. A building, a tree, your house. But you? No. You were not struck by lightning, and neither were your neighbors. Your downtown is not full of people getting struck by lightning. Just some things in your area that are taller than humans, and that is all fairly normal. Good electrical grounding saves property damage and saves you from fires, but it doesn't prevent you from getting struck by lightning. It is beyond rare to get struck by lightning, just as the OP said, even for you, who apparently live in Lightningpalooza. And I'd say Linux malware in the situation described is rarer than that.
2003 is calling? Don't forget to warn them about Vista and Windows 8!
If an infected application can affect other applications, it is an OS issue. Your infected web browser should not be able to read your GPG keys, but right now most GNU/Linux distros do nothing to stop that from happening.
Palm trees and 8
Not necessarily FUD. The original Google Android phone (the HTC G1) with stock firmware echoed all key presses on the home screen to a console running as root. Needless to say, made rooting the phone exceedingly simple. Start a telnet server, download a client from the app store, connect to localhost. See this for details.
Otherwise, your point is spot on.
You are being MICROattacked, from various angles, in a SOFT manner.
linux is more a target for hackers, not malware because of all the hobby web servers out there that aren't secured properly. it's been proven beyond reasonable doubt that linux can be infected but without intervention from the user either directly (clicking/installing something while logged in as root) or by deliberately disabling default security measures, viruses can't automatically propagate, which defeats the purpose of infection in the first place.
if you're worried about non-root malware, maybe do a fresh install of debian and then after you get yourself set up as a non-root user (preferences and stuff) make a copy of your home directory to a backup location, set write permissions to root only, and then make a little script that you can run in single user mode either if you think you're compromised or maybe even every 6 months just for good measure, that deletes home directory config files (not documents), copies config files from the backup and changes write permissions back to non-root.
on the other hand, if it doesn't really cause any problems (performance or intrusive behavior) maybe don't bother with it. occasionally when i cold boot i have to unplug and plugin my usb keyboard or mouse, and for some reason i have to unmount a usb stick twice. it might be a software/config problem or it might be my mobo. when it really bothers me i might google how to fix it.
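An added example (not from the thread) of the "known-good dotfile restore" the post above describes. It assumes the pristine copy of the user's dotfiles lives in a directory only root can write (the path /var/backups/skel-alice used in the usage comment is a name chosen here for illustration), and that it is run as root from single-user mode, where none of that user's processes are running.

```shell
#!/bin/sh
# restore_dotfiles BACKUP HOME OWNER
#   Replaces every dot-entry in the top level of HOME (~/.bashrc, ~/.config/,
#   ~/.mozilla/, ...) with the copy from BACKUP and hands the result back to
#   OWNER. Non-dot paths (Documents, Pictures, ...) are left untouched.
restore_dotfiles() {
    backup=$1 home=$2 owner=$3
    [ -d "$backup" ] && [ -d "$home" ] || return 1

    # 1. Delete the current config. The two globs together match every
    #    dot-entry except "." and ".." themselves.
    for f in "$home"/.[!.]* "$home"/..?*; do
        [ -e "$f" ] || [ -L "$f" ] || continue   # unmatched glob stays literal
        rm -rf -- "$f"
    done

    # 2. Copy the pristine config in, preserving modes (e.g. 0700 on ~/.ssh).
    for f in "$backup"/.[!.]* "$backup"/..?*; do
        [ -e "$f" ] || [ -L "$f" ] || continue
        cp -a -- "$f" "$home"/
    done

    # 3. Give the restored files to the user; root-owned files in $HOME would
    #    otherwise break the next login.
    chown -R -- "$owner" "$home"
}

# Usage, as root in single-user mode (paths are illustrative):
#   restore_dotfiles /var/backups/skel-alice /home/alice alice
```

Two limits worth knowing before relying on this: anything the attacker left outside the dotfiles survives (a modified ~/bin/ script, a user crontab under /var/spool/cron/, files in non-dot directories), and a fresh ~/.config also wipes the user's own legitimate changes, so take a copy of the suspicious state first if you want to look at what was there.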
OP writes:
" I install system updates almost daily"
Seems to me that any OS requiring multiple updates per week is a fail.
*DUCKS*
You should trust that you have properly configured the systems security settings to prevent issues
a) No, you should not trust that you have configured anything properly.
b) Doesn't solve the problem even if you could trust yourself.
The best security only comes when you dont trust anything, even yourself. It is only then that you can make proper decisions...
"His name was James Damore."
That is what SELinux and AppArmor are for. They might not be 100% (as there were some kernel exploits that could be used to bypass those), but with proper policies in place, something getting UID 0 would be pretty limited in what it can accomplish.
OS X also has a similar mechanism in place.
Linux also has a bunch of different distributions. A bug that causes SSL keys to be very weak in Ubuntu is not going to affect RedHat systems.
This doesn't mean Linux is worry-free, but it is more secure than people think. To cite an anecdotal example, the proof is in the pudding -- look at all the amateurish Apache servers and LAMP stacks out there. If Linux had major issues in general, there would be major screaming on almost every forum how insecure the OS is.
. . . should always be unplugged or covered up when not used, period. I love Debian myself, but as long as you have any kind of proprietary software on there, you don't really know what all of its behavior is and what it can be set up to do. Even if your system is totally free of this nonsense, that's not to say that an upgrade won't change that. That on/off light that webcams have - they're starting to go away; an iPad camera, I'm sure you've noticed, doesn't have one. You won't even know if your device is being turned on in the future.
Unplug that thing, just common sense.
DVD would be a step backwards. That's done with PXE these days.
My home has been struck by lightning 3 times in the past 20 years.
Do you live in central Florida? I understand that's "Lightning Alley". PITA electrically, but fun to watch.
He said "get a will and you're covered". I don't think he was talking about losing a computer to lightning, but getting struck personally while you're walking around.
That said, there are things you can do for that, too... try not to be the tallest object during a thunderstorm (ex, don't be in a boat on the lake, don't be in the middle of a field, and don't hide under the tallest tree). As you point out, there are very few times when burying your head in the sand is the best move.
I was just look to see what's going on at your place . . .
"I believe in Karma. That means I can do bad things to people all day long and I assume they deserve it." : Dogbert
1% of 10% is smaller than .7% of 90%.
Yes, it is. But if you discuss infection risk for users and infectability of a platform, percentage of user base is the right measure.
Time to run OpenBSD on your laptop?
Tomorrow is another day...
Two questions:
On my system, I've got noscript configured to deny all by default and all the other users (with log-ins) are configured the same way be default. If they want to change things, they can do so for those sites where it's a must to have scripts but they've already learned to be very careful about that and ask if they don't know for sure.
Mod me up/Mod me down: I wont frown as I've no crown
> The best security only comes when you dont trust anything, even yourself. It is only then that you can make proper decisions...
Are you sure?
*Still* negative function...
That's easy on Linux. Much easier than on Windows because everything is just a file, there's no registry or anything like that, and no copy protection. In some of the very first Linux distros, that's pretty much how the installer worked - it restored a "backup" of a default system. Just copy the files and install the bootloader, basically.
I created a system that backs up your Linux system to a virtual machine, so the backup can be booted directly, or be restored by copying it to a hard drive. Even cooler, Linux can act as an external drive enclosure, so the empty machine can be plugged into the backup and booted from the backup file directly, with the hardware believing it's booting from a local drive...
No, it isn't. Unless it's a fortune pudding for mathematicians.
The Tao of math: The numbers you can count are not the real numbers.
That should work better.
I'm starting to think GNU is the problem with "GNU/Linux" these days.
Until you realize it's possible for malware to escape the sandbox....(at least it's been done in concept, anyway).
I'm starting to think GNU is the problem with "GNU/Linux" these days.
You mean Linux? What moron walks around saying "gee in yoo Linux"?
In practice, I've taken "GNU/Linux" to mean any Linux-based operating environment that is more similar to Fedora or Debian than to Android. What clearer term for Linux-that-is-not-Android do you recommend?
Reading the replies, some mentioned Flash. Flash for Windows defaults to webcam on, so I thought I'd check my Flash for Mint as I wasn't sure if I had set the settings. Mint is my start in Linux and used infrequently.
Things led to preferences, Network Proxy prefs showing 127.0.0.1 as being ignored; hit the help button and get a standard Mint manual in which "network proxy" isn't found.
http://i39.tinypic.com/2z5uf80.jpg
No help, so I see if it means what I think it means and put "127.0.0.1. slashdot.org" in my HOSTS file, saved, rebooted, then logged into slashdot.org.
http://i41.tinypic.com/2s99gr8.jpg
Crap, the only things being blocked are sites placed into my router. I've been wide open the entire time while thinking some 19400+ sites I have blocked in my HOSTS file have been blocked, when they haven't been.
No, I don't trust Mint anymore after today, I've no clue what other surprises are "built in".
If it's FUD, explain WHY it's FUD. To a lot of people this sounds fairly reasonable and logical - the internals are open and accessible, hence flaws should also more easily visible compared to a closed system. Honestly it can also seem logical enough to me to question why it's FUD to think otherwise.
If you're suggesting that its openness also means rapid fixes, there's enough anecdotal evidence to suggest this doesn't always happen in practice.
To a lot of people this sounds fairly reasonable and logical - the internals are open and accessible, hence flaws should also more easily visible compared to a closed system.
It does seem logical, but the fact that sooooo many flaws have been found in Windows, Flash, Acrobat Reader, etc, etc belie the hypothesis that source code makes it easier to find exploitable bugs.
"I don't know, therefore Aliens" Wafflebox1
Here I'm not talking about rootkits or privilege escalation (I trust Debian), I think more of normal user compromise.
Privilege escalation is a very real threat, even in Linux, and particularly when an attacker has user-level computer access already.
As with the OS X userbase, the Linux userbase is fairly blasé with regards to the possibility of being compromised.
So far, the platform has been relatively safe, however as it gains popularity on the desktop expect more end-user focused malware (vs. the traditional sort of rootkit) to be developed. Given the vulnerabilities these days are mostly found in flash, java, javascript, etc, and your DATA is just as valuable (if not more) than root on your machine (and is available from your user account), I'd say that it is inevitable that sooner or later we'll see a cross-platform or Linux / OS X exclusive exploit get significant penetration.
Given that very few OS X or Linux users actually run any form of malware protection - IF something breaks out in a serious manner, it's likely to be a pandemic.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
Sure, do all your browsing in a VM. I'll still steal your credit card details, identity, etc.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
2003 is calling? Don't forget to warn them about Vista and Windows 8!
They've had plenty of forewarning by 2003.
Inheritance is the sincerest form of nepotism.
You accidentally tapped a hotkey combination you were unaware existed.
Hey now, does anyone besides me remember past posts regarding DOJ/FBI's own malware, CIPAV? It was a capable malware that knew the difference between Windows, Mac, & Linux (BTW, did anyone ever solve the legal dilemma of scrubbing a customer PC and finding it? Do we remove it as we are paid to & obstruct justice, or leave it and do a partial job?) Next, I recall a recent find, within about a year, an equally capable malware, found by F-Secure, in Bogota, which reconfigured itself prior to attacking any of the three. Obviously, Linux malware infestation by governments and otherwise is certainly possible!
Nah - go for eCom Station - *nobody* uses that shit anymore, and you can dust off those ancient OS/2 skills!
Quo usque tandem abutere, Nimbus, patientia nostra?
Does it support uefi?
Tomorrow is another day...
I've been running a Linux LiveCD, booted toram, no AV or anything, just basics like NoScript, to see how many attacks/infections would come in. Two years now and there have been none.
It seems a widespread belief in the security field that security through obscurity (http://technet.microsoft.com/en-us/magazine/2008.06.obscurity.aspx, http://en.wikipedia.org/wiki/Security_through_obscurity) is not a good security measure (it is better than nothing, but it isn't on par with real security measures).
In this sense, the openness of GNU/Linux makes it easier for people to understand and secure systems while Windows' closed-sourceness makes it harder.
It could be argued that openness means easiness to crack into, but that is not really important because you don't need to understand exactly how a system works to crack into it (I am not well versed in cracking, but I know that some reputed crackers use techniques such as randomly changing bits in the input one at a time until an application crashes and go from there). That means that open or not, crackers can exploit a system. But, an open system is easier for security professionals to review and therefore to fix (that does require intricate knowledge of how the system works).
In that sense, openness means better security. In the most extreme case, you could review all parts of Linux and therefore run only code you trust yourself. In the case of Windows, you have to trust Microsoft (in itself, that is not a problem as you need to have a network of trust, the problem is that you are FORCED to trust them).
Just bear in mind that there are maybe 20 kernel binaries for Windows (XP, Vista, 7, 8, each with their own service packs), which represent ALL of the windows installs, whereas we have thousands of binaries for linux at a certain moment (each distro with at least 1 kernel update/month from maintainers, but maybe not everyone applies it at the same time).
So again, why would anyone target linux?
I've written some myself, disguised as a 'Facebook hack tool',
Technically, it was not disguised... only, it was nonspecific about who was being hacked.
Hi, thanks, this is a very useful insight. I did not realize the webcam has a microphone too, and perhaps I had some processes related to mic.
You're right, I must resolve someday to extend my knowledge and study how they work.
Thanks
Michele
There are common code segments across large parts of that ecosystem. eg: what fraction are running any kernel between version 2.6.37 and 3.8.8? (http://arstechnica.com/security/2013/05/critical-linux-vulnerability-imperils-users-even-after-silent-fix/ ; top google link for 'may kernel exploit')
There are many different combinations of the same software options, with a few extra patches; I don't believe there are nearly 'thousands' of unique code bases, and even then there has to be very large exposed code segments common to many of them. (eg: What if a remote code exploitation flaw was discovered in Apache? )
Having said that, the variability in file paths, memory locations, patches, versions available, or even which windowing system libraries are present would make any potential issue much more limited in scope compared to over 1/3 of all computers on the net affected by either an XP or a Windows 7 flaw.
Mount home and tmp as non executable link
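An added example (not from the thread) of the fstab entries that implement the suggestion above, with a check that parses fstab-format files. Because /proc/mounts uses the same field layout, the same function verifies both the configuration and the live system. The UUID is a placeholder; substitute your own from `blkid`.

```shell
#!/bin/sh
# The entries being checked for (constructed sample; adjust device and size):
#
#   # /etc/fstab
#   UUID=<home-fs-uuid>  /home  ext4   defaults,nodev,nosuid,noexec          0 2
#   tmpfs                /tmp   tmpfs  defaults,nodev,nosuid,noexec,size=1G  0 0

# has_mount_option FILE MOUNTPOINT OPTION
#   Exit 0 if FILE (fstab or /proc/mounts) lists MOUNTPOINT with OPTION set.
has_mount_option() {
    awk -v mp="$2" -v opt="$3" '
        /^[[:space:]]*(#|$)/ { next }              # comments and blank lines
        NF >= 4 && $2 == mp {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == opt) found = 1
        }
        END { exit found ? 0 : 1 }' "$1"
}

# check_noexec FILE MOUNTPOINT...
#   Report each mountpoint; exit 1 if any is missing noexec. A mountpoint with
#   no line of its own is reported as executable, because it then inherits the
#   (exec) options of its parent filesystem.
check_noexec() {
    file=$1; shift
    rc=0
    for mp in "$@"; do
        if has_mount_option "$file" "$mp" noexec; then
            printf '%s: noexec\n' "$mp"
        else
            printf '%s: EXECUTABLE (no noexec, or not a separate mount)\n' "$mp"
            rc=1
        fi
    done
    return $rc
}

# Configured vs. live:
#   check_noexec /etc/fstab   /home /tmp
#   check_noexec /proc/mounts /home /tmp
```

Two caveats a practitioner will hit: noexec blocks the direct `./payload` path but not `sh payload.sh`, `python payload.py`, or invoking the dynamic loader on the binary, so it raises the bar for drive-by droppers rather than stopping a determined attacker; and a noexec /tmp can break package maintainer scripts and installers that unpack and run helpers there, which is why the two mountpoints are checked separately rather than assumed.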
AccountKiller
however viruses require "active" cooperation of the user. you don't have good attack possibilities to infect servers. Windows servers are not a huge part of botnets, it's the windows workstations (and a lot of them are using illegal copies so they're not properly updated). Targeting linux workstations would be "easier" in that regard however desktop usage of linux is still not high enough (and the users tend to be more computer literate) to be feasible. add the diversity to it and you'll realize you have much better chance of success (and larger possible profit) targeting windows or android...
Actually, I have seen something similar recently on a kubuntu 12.04 machine. The web cam just went on on its own. If I remember correctly, it went off as soon as I killed skype. I am not sure whether this makes it more or less concerning, but my guess is that skype is involved.
This machine is fully patched and uses pretty strict firewall rules. Of course, this is my wife's machine, and my guess is that her browsing habits are not very safe. She told me that the cam went on and off on its own several times before...
That assumes that he uses only those ancient Presentation Manager apps, and not to run DOS or win16 apps. As long as that's what he does, your suggestion is valid. Somehow, OBSD doesn't sound like a good idea for a laptop - make it PC-BSD, and have PF on it.
Are the viruses/malware infecting the kernel or userland? If they are infecting the kernel, they are simply Linux viruses. If they are infecting only the shell and upper layers of the OS, we'll happily call it GNU malware. As in malware that infects GNU, not as malware that respects your 4 freedoms.
You just need to edit /etc/hosts. That'll fix it
You didn't cite anything, so you haven't proven your "facts."
But even if Linux did have "dozens more" published vulnerabilities than NT, that's a very small margin as a percentage.
On top of that, you're assuming that that proves anything. We all know the NT kernel has many unknown, unpublished vulnerabilities. Some of them may never be published because they may only be discovered by blackhats. On the other hand, Linux's source can be examined by anyone and patched in a matter of hours by major distros, compared to days or weeks or months by Microsoft.
"Those who consume the bulk of goods are those who make them. We must never forget this secret of our prosperity."
...and it's trying Linux again...
"Those who consume the bulk of goods are those who make them. We must never forget this secret of our prosperity."