Ask Slashdot: Is GNU/Linux Malware a Real Threat?

← Back to Stories (view on slashdot.org)

Ask Slashdot: Is GNU/Linux Malware a Real Threat?

Posted by timothy on Thursday May 30, 2013 @08:40AM from the send-you-this-file-in-order-to-have-your-advice dept.

New submitter m.alessandrini writes "I've been using Debian for a long time, and I'm not a novice at all; I install system updates almost daily, I avoid risky behaviors on Internet, and like all Linux users I always felt safe. Yesterday my webcam suddenly turned on, and turned off after several minutes. I'm pretty sure it was nothing serious, but I started thinking about malware. At work I use noscript and other tools, but at home I have a more relaxed browser to be used by other family members, too. Here I'm not talking about rootkits or privilege escalation (I trust Debian), I think more of normal user compromise. For example, these days much malware come from malicious scripts in sites, even in advertising banners inside trusted sites, and this is more 'cross-platform' than normal viruses. So, what about non-root user malware? How much could this be real? And how can you diagnose it?"

30 of 252 comments (clear)

someone's spying on you by Anonymous Coward · 2013-05-30 08:45 · Score: 5, Insightful

Your webcam turned on, then off, and you didn't ask it to? I think you need to figure out what happened first.
1. Re:someone's spying on you by 0racle · 2013-05-30 09:02 · Score: 4, Insightful
  
  You know it was more likely a misbehaving application polling the webcam and not anything nefarious right? As another poster said, Flash is probably a leading culprit.
  
  --
  "I use a Mac because I'm just better than you are."
2. Re:someone's spying on you by hobarrera · 2013-05-30 09:39 · Score: 3, Funny
  
  I avoid risky behaviors on Internet
  I don't think op has flash installed.
  
  [...]turned on, and turned off after several minutes[...]
  Even so, polling a webcam is a few seconds at most, not minutes.
3. Re: someone's spying on you by Anonymous Coward · 2013-05-30 09:50 · Score: 3, Funny
  
  Please, save up your money so you can buy a line feed or a paragraph tag.
4. Re:someone's spying on you by hairyfeet · 2013-05-30 11:36 · Score: 3, Insightful
  
  The simple fact is ALL OSes can get malware unless they are either so locked down on permissions that they are basically read only or are thin clients which are locked down at the server, but even the Linux community claims Android as Linux and its going to reach a million infections any day now so the argument over whether Linux malware is a threat? Pretty much over, that is what happens when somebody uses it for something popular, popular equals large target. Welcome to the club, the Mac guys that joined a couple of years back can show you the ropes, coffee and donuts are in the back.
  As for this specific case? As somebody who works on systems 6 days a week? Yeah...smells like he has an infection. Guys here can have a shitfit if they want but anybody who switches from an OS they know the ropes on to something completely new, I don't care if its Linux or Mac or Windows whatever? They are ALWAYS gonna be at higher risk than where they were simply because they don't know the new system and don't know what to watch out for. Hell he probably doesn't even know what should and shouldn't be running on his system or what to look for if there is a hijacked program or a backdoor installed.
  In this case, as much as I fricking hate to say it as I've found you have to wade through a LOT of shit and douchebags than run on pure smug and leetness in them places but in this particular case i don't see any choice, he is gonna have to go to the forums of his particular distro and tell them what is going on. They will have the most experience with that particular build, will know what is supposed to be running and what isn't on build blah blah whatever, and will be able to spot something that doesn't belong a hell of a lot faster than anybody here would.
  
  --
  ACs don't waste your time replying, your posts are never seen by me.
5. Re:someone's spying on you by ozmanjusri · 2013-05-30 15:38 · Score: 3, Informative
  
  As for this specific case? As somebody who works on systems 6 days a week? Yeah...smells like he has an infection.
  
  I doubt it. You're just too used to Windows.
  The Australian Communications and Media Authority's statistics breakdown shows of about infected 16,500 devices online at any one time, 20 Windows viruses make up more than 16,400 of the active IPs. Rarer Windows viruses, and Mac, iOS, Linux and Android infections all total less than 100 infections.
  http://www.acma.gov.au/WEB/STANDARD..PC/pc=PC_600121
  If the OP's computer IS actually compromised, it's far more likely to be a targeted attack or insider job than a random infection. My money's on a friend, family or associate with access to the machine.
  
  --
  "I've got more toys than Teruhisa Kitahara."
Preinfected by Anonymous Coward · 2013-05-30 08:45 · Score: 4, Funny

It would help if the manufacturers would preinfect their software so we could stop worry about "if" we are infected and move towards just accepting it.
*Disclaimer: I in no way work for, represent, or contract for Sony. (Sorry Sony lawyers made me add the preceding text.)
1. Re:Preinfected by CheshireDragon · 2013-05-30 09:16 · Score: 4, Informative
  
  It would help if the manufacturers would preinfect their software so we could stop worry about "if" we are infected and move towards just accepting it.
  This is actually happening with phones now. just read some of the permissions of Facebook, Chrome, Firefox and a few others. They can take a photo or record audio without your permission.
  
  --
  "That's right...I said it."
Don't worry by Black+Parrot · 2013-05-30 08:46 · Score: 4, Insightful

It was just Skynet checking out what you were up to. Or maybe the ATF. Or Russian Mafia. Or...
As for security, ~5 years ago read someone's account of watching while someone on the internet installed a root kit on his Linux box in a matter of minutes.
Presumably some platforms/applications are less likely to be compromised than others, but the safest assumption is that everything is compromised, or would be if the experts wanted it.

--
Sheesh, evil *and* a jerk. -- Jade
1. Re:Don't worry by Anonymous Coward · 2013-05-30 09:03 · Score: 5, Funny
  
  luser$ sudo apt-get install rootkit
2. Re:Don't worry by Anonymous Coward · 2013-05-30 09:24 · Score: 4, Informative
  
  How was the rootkit installed? Can you please elaborate on what security failures were involved?
  Not sure if you are looking for how he did it, or indirectly doubting the story, but in case this is in doubt - there are plenty of Linux rootkits.
  http://blog.sucuri.net/2013/02/linux-based-sshd-rootkit-floating-the-interwebs.html
  http://www.securelist.com/en/blog/208193935/New_64_bit_Linux_Rootkit_Doing_iFrame_Injections
  http://arstechnica.com/security/2012/11/new-linux-rootkit-exploits-web-servers-to-attack-visitors/
  http://packetstormsecurity.com/UNIX/penetration/rootkits/
  http://www.slideshare.net/AndrewCase/omfw-2012-analyzing-linux-kernel-rootkits-with-volatlity
  list could go on for quite a while..
Do you deal with customers? by DougOtto · 2013-05-30 08:49 · Score: 5, Informative

When I ran Linux on my laptop for work I always ran some form of AV. I really wasn't concerned about my own machine being compromised. The scenario that bothered me was the potential for a client to send me an infected file which could get forwarded to another customer. Do to the nature of our business, at the time, that would've been rather embarrassing.

--
Solving Unix problems since 1989...
Obligatory xkcd by Anonymous Coward · 2013-05-30 08:56 · Score: 5, Interesting

http://xkcd.com/1200/
Your webcam by girlintraining · 2013-05-30 08:56 · Score: 5, Funny

Yesterday my webcam suddenly turned on, and turned off after several minutes.
Hey, sorry about that. I was trying to get the girl next door that's leeching off your wifi. She's so cute! But when I turned on the webcam, I knew I had the wrong person. Also, dude, put some pants on. Nobody wants to see that.
Oh, and that stuff about Linux having malware? I'm sure you have nothing to worry about. The Year of the Linux Desktop hasn't come yet (though they say it'll be this summer for sure!), so you're safe. All the malware me and my friends at the Evil League of Evil make for Linux is designed to worm its way into web servers, ftp, etc., to spread malware to Windows boxes. We aren't interested in your personal life. You're a nerd, running Linux. We haven't found a single case of one of you having a life yet. Hell, you don't even have a decent car, man.
oh oh, gotta go, the webcam is up and... oooooh my....

--
#fuckbeta #iamslashdot #dicemustdie
Yes by Anonymous Coward · 2013-05-30 08:58 · Score: 5, Insightful

As long as you have people on Ubuntu forums posting "sudo apt-get " as the solution to everything without explaining what they do, and as long as you have people willing to copy/paste the commands without understanding what they are doing, then malware is a threat.
The same groupthink plagues the Arch Linux forums. Blindly copy/pasting commands that someone else put on a wiki does not make you elite, it makes you an idiot.
The same issue exists in adding repositories from untrusted sources. What's the point of running an enterprise-class operating system if the first thing you do is add a third party repo from Russia and update the kernel with something ending -kmod?
The critical mass of idiot users still reside in Windows, where things like UAC and walled gardens exist to protect them somewhat. At least there, you have to know the administrator password to do real damage. Ubuntu and all the new user-friendly distros are content to put every new account in /etc/sudoers and allow you to use your own password to gain root access. Any operating system is prone to malware so long as people are willing to bend security practices.
If I ran servers... by Nutria · 2013-05-30 08:58 · Score: 4, Interesting

then I'd worry a lot. Rootkits for privilege escalation, SQL injection attacks against poorly-written 3rd-party and locally-developed databases, PHP, CMS & web framework vulnerabilities, etc, etc, etc.
For home use, I'm concerned about router vulnerabilities (Tomato helps but is not perfect) and MITM attacks (but there's nothing I can really do about them except keep my s/w up-to-date, while praying that vendors do the same).

--
"I don't know, therefore Aliens" Wafflebox1
Re:It's easier to exploit. by Nutria · 2013-05-30 09:01 · Score: 5, Insightful

Linux is much easier to exploit than Windows. All of its internals are well understood, and there are more things one can do with shell access.
2003 is calling. They want their FUD back.

--
"I don't know, therefore Aliens" Wafflebox1
Re:Define "real" by VortexCortex · 2013-05-30 09:02 · Score: 5, Interesting

Getting struck by lightning is real. Worrying about/preparing for it very much is silly. Draw your own conclusions about how this applies to malware on a Linux machine that's kept up-to-date and the user avoids risky behaviors.
For lightning, make a will, and you're covered. For Linux, make backups, and you're covered.
My home has a lightning rod. So do all the tall buildings downtown. I have UPS and surge protectors, and even surge arresting breakers in my home's electric service panel. It's not just worrying over lightning, it's also worrying over accidental electrocution (all circuits are GFCI protected in some form, which has saved my bacon more than once); The power spikes and drops in this city are pretty bad. Every time it rains or the wind blows a bit we get little power hiccups. My home has been struck by lightning 3 times in the past 20 years. My neighbors behind me have had a tall pine tree struck, and the neighbors across the street showed up at my doorstep at 3am one morning after a particularly loud thunder clap -- The large china-berry tree in their front yard was struck and it fell over on their house.
Just like with Malware and any OS, there is far more you can do to prevent against lightning or electrical damage. I've never lost a system to power issues, and I have many. In addition to backups I use VMs -- Oops, virused a VM image, restore from snapshot -- It's like a backup, but smarter.
I got a virus for Linux once by trime · 2013-05-30 09:05 · Score: 5, Funny

But I couldn't get the damn thing to compile!
1. Re:I got a virus for Linux once by maxwell+demon · 2013-05-30 09:22 · Score: 3, Funny
  
  You probably forgot to install libmalware.
  
  --
  The Tao of math: The numbers you can count are not the real numbers.
2. Re:I got a virus for Linux once by H0p313ss · 2013-05-30 10:08 · Score: 3, Funny
  
  You probably forgot to install libmalware.
  That was deprecated in favor of libopenmalware ages ago, do try to keep up.
  
  --
  XML is a known as a key material required to create SMD: Software of Mass Destruction
3. Re:I got a virus for Linux once by Austerity+Empowers · 2013-05-30 10:57 · Score: 4, Funny
  
  libmalware depended on libkeylogger3.6.1 which depended on libmalware0.9 and fuck...
  I installed windows and it was so much easier to get rootkitted. Damn linux dorks.
4. Re:I got a virus for Linux once by aklinux · 2013-05-30 11:22 · Score: 5, Funny
  
  YOU HAVE NOW RECEIVED THE UNIX VIRUS -
  
  This virus works on the honor system:-
  
  If you're running VMS or a variant of unix or linux, please forward this message to everyone you know. Afterwards, delete a bunch of your own files at random.
5. Re:I got a virus for Linux once by elashish14 · 2013-05-30 17:13 · Score: 4, Funny
  
  Obligatory: http://archive09.linux.com/articles/42031
  Sadly the article is a bit out of date, and Wine has hopefully increased support by now.
  
  --
  I have left slashdot and am now on Soylent News. FUCK YOU DICE.
Re:Linux's Biggest Threat is Human Engineering by Time_Ngler · 2013-05-30 09:23 · Score: 5, Informative

Also, do not ever copy and paste commands directly in your terminal from an untrusted website, even if you do understand them:
http://thejh.net/misc/website-terminal-copy-paste
Updates, backups, and Flash by raymorris · 2013-05-30 09:34 · Score: 3, Funny

Assuming you don't do silly things like run completely unknown commands, you're pretty safe. JavaScript and Flash is cross-platform, though. I've seen one Linux system where their Yahoo email account was compromised, probably by malicious JavaScript. It might have been phishing, though, or a combination. The main things I do for security are - run most updates provided by the distro and browser, have backups, don't run services I don't use, and I have a separate browser for Flash and Java. Most Flash is ads or pointless eyecandy so I don't miss not having Flash in my daily browser. Even YouTube doesn't need Flash these days, so I open the Flash browser maybe once per month, if that.

TEEX.com has some free online cybersecurity courses that may have good reminders for your and your family members regarding safe browsing habits and simple security practices.
Re:lsof is your friend by buchner.johannes · 2013-05-30 09:43 · Score: 3, Informative

Should be /dev/video*

--
NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
Re: It's easier to exploit. by Anonymous Coward · 2013-05-30 09:57 · Score: 3, Funny

2003 is calling? Don't forget to warn them about Vista and Windows 8!
Re:It's easier to exploit. by mlts · 2013-05-30 10:17 · Score: 4, Insightful

That is what SELinux and AppArmor are for. They might not be 100% (as there were some kernel exploits that could be used to bypass those), but with proper policies in place, something getting UID 0 would be pretty limited in what it can accomplish.
OS X also has a similar mechanism in place.
Linux also has a bunch of different distributions. A bug that causes SSL keys to be very weak in Ubuntu is not going to affect RedHat systems.
This doesn't mean Linux is worry-free, but it is more secure than people think. To cite an anecdotal example, the proof is in the pudding -- look at all the amateurish Apache servers and LAMP stacks out there. If Linux had major issues in general, there would be major screaming on almost every forum how insecure the OS is.
Re:Linux's Biggest Threat is Human Engineering by tconnors · 2013-05-30 12:59 · Score: 3, Interesting

From your link it seems the actual danger is in copy/pasting and then hitting enter BEFORE looking at what it is you typed. If you select something to copy, then paste and notice the pasted output is significantly difference to what you selected, alarm bells should ring very quickly (unless the difference is really subtle of course).
Hint: copied text can contain embedded newlines. And the first line of text will be some obfuscated form of stty -echo, if you have read the posted source, so you won't even know.

Then again, this seems mostly hypothetical. Does anyone actually have an example of something like this being used in a nefarious way on a Linux site?
Well, it's impossible to prove something doesn't exist, and since this whole slashdot story originated because someone's computer did something unexpected, perhaps the OP is an example of where this was used?