LinuxPPC Autostart Worm
JD Fant alerted
us to an article appearing over at macintouch
that claims that the new R5 of LinuxPPC was released with a benign
worm on it. Apparently it can't spread, but it is there (the
page has comments from Jason Haas)
"t is a worm a very well know/common one. How ever it infected a cdrom it can't get out of. When they mastered the CDROM they turned off the autorun flag which is aparently part of the mechanism of infection."
They didn't purposely turn off the flag, it is off by default under Linux when burning a MkHybrid CD.
The worm failed to turn on the Autorun flag, since it doesn't run on Linux, since it is a Mac OS binary.
Can't you remove the Red Hat splash image by removing the call to XBanner in one of the start up scripts?
I don't know of a Mac user that doesn't know of the autostart worm. It is easy to let your guard down with the Mac; we are not the target of the crackers who are out to prove themselves or get revenge against the empire. That's one nice thing about being a niche market, sure beats the hell out of worrying every time you boot up.
What's important is that we were told of its existence. I cannot be critical of the coders, they are human (an assumption), and they have busted butt on this. Remember this is *not* Micro$oft, they will tell you there is a problem before they have a fix in place.
Kudos for the LinuxPPC team!
No not really. Other commercial companies have distributed media containing this worm. Macintouch has also reported on the response of the Mac users after discovering this type of problem. Ric Ford has also posted the response of the guilty parties.
LinuxPPC, Inc is no better nor worse in this regard.
What are you saying? Detecting, reporting, and owning up to a worm/virus that is distributed is best done by non-commercial companies? Do you know the difference between LinuxPPC.org and LinuxPPC.com?
Use of the RedHat installer is free. Everything that RedHat writes is GPLed, which means you could use any part of it in any other distro without any fear of RedHat, as long as you make the source available and give them credit. I'm not sure why LinuxPPC would put a large RedHat logo in their release, other than maybe to gain some acceptance with the people who think RedHat := Linux.
Sorry for the Wirth notation, I just took a CS final today and had to write pseudocode in Wirthian style.
"There is no spoon" - Neo, The Matrix
"SPOOOOOOOOON!" - The Tick, The Tick
It is a worm, a very well known/common one. However, it infected a CD-ROM it can't get out of. When they mastered the CD-ROM they turned off the autorun flag, which is apparently part of the mechanism of infection.
"There is no spoon" - Neo, The Matrix
"SPOOOOOOOOON!" - The Tick, The Tick
If this is the same autostart worm we got on all of our Macs about 6 months ago, it is a pain to clean up. It propagates using QuickTime. It slows Macs down a lot and crashes them. It also just about killed our NT server with Macintosh shares (at the time we did not have any Linux server). It would cause a pause on all the Macs in the plant every 10 minutes or so. If you watched the little lights on the NT server they would be hammered, and it would BSOD more than usual.
--
Joshua Curtis
Lancaster Co. Linux Users Group
Huh? You still have finals at this time of the year? I would like to think that you folks in the valley should be working in the fields by now.:-)
/. I'll swallow my pride for more info (this is more like Ask Slashdot).
Thanks for your info on the GPL and RedHat; I should have known that. Perhaps it may be that RedHat==Linux, so that LinuxPPC used this to gain acceptance. However, I keep thinking that this was an arrangement so that RedHat would maintain/update their installer for the PowerPC chip. Note: the Mac end installer for R5 is entirely different than the RedHat installer. The new LinuxPPC Linux installer is okay, but it doesn't seem to have the same level of fine-tuning control that the RedHat installer has.
This is a dangerous post as I am still working on this new release. Perhaps I should keep my ignorant mouth shut until I am more informed about this. However, this is
I think it speaks to the power of open source software that this was caught
Dare I dispute the Awesome Magical Force of OSS and ask how OSS had anything to do with the catching of this worm?
The virus is a Macintosh virus; it was detected by Macintosh virus detectors. Last time I checked, none of them were in any sort of open-source licensing agreement. I'm sure the people who caught it were using one of the numerous AppleScripts I've seen, or a freeware app, or maybe even something commercial like Virex. But again, not open source stuff AFAIK.
OSS really has nothing to do with this, guys. I like OSS as much as the next guy, but just because someone caught a Mac virus on a Mac Linux distribution CD doesn't mean we should (as we always seem to do) go running in the streets shouting the praises of OSS.
But what do I know, I'm just a Mac user.
how can it be a worm if it cant spread?
you might as well call IE5 a worm because it has
spread heaps and makes computers slow.
Hey nitpicker: LinuxPPC is offering a free CD to people who want it. Check their site for the link to the autostart update.
Where are you seeing a RedHat logo? I see a LinuxPPC.org logo. Which installer did you use?
Um, I think you are showing your ignorance here.
Autostart is a Macintosh-ONLY worm that propagates by taking advantage of the fact that most Macs are set to automatically execute certain 'flagged' applications on a CD when it is inserted into a drive. Autostart is about the only halfway dangerous virus/worm-like activity the Mac platform has had in about 5 years or so (it was a Big Deal on all of the Mac sites a year or so ago).
Anyhow, since this worm got burnt on the Linux side of things, it is apparently not available on the standard HFS Mac partition - ergo, it cannot run or do any damage. It is dead before it ever had the opportunity to cause damage. This isn't a macro virus, folks, it can't do anything just by being there. It has to execute code like any other self-respecting virus.
Now, the fact that they didn't notice it for a while may be cause for concern, but it's not exactly that big of a deal. If you make a Linux distribution, how often do you scan for Windows or Mac virii?
- Darchmare
- Axis Mutatis, http://www.axismutatis.net
- Jeff
I believe it is far more interesting that the R5 team spread the word as quickly as they did, whereas Microsoft wasn't even going to mention anything about their IIS 5.0 'problem' until they had a fix.
1. It's IIS 4.0, not 5.0.
2. The problem with IIS 4.0 is nothing to do with viruses or worms.
3. Microsoft posted a workaround to all members of its security mailing list about 5 hours ago; NTBugTraq posted the same message shortly afterwards. Every NT sysadmin who's anyone has plugged this hole by now.
Please stop spreading FUD, it does you a disservice.
Cheers
Alastair
-- "I believe the human being and the fish can coexist peacefully." - George W. Bush, 29 September 2000
I realize this is somewhat off topic, but is anyone else having problems installing R5? I've tried both the X installer and the redhat one, and it likes to lock up my system about fifteen percent into installing the packages...is this just me? any help would be greatly appreciated.
so, if on a CD there happen to be both open source software and a virus, and you find that virus, that shows something about the power of open source?
bla
You'd be running OpenBSD, an OS with total code review. Anyhow, contrary to some of the other comments here, I think that this detracts from the credibility of the open-source movement - and from that of collaborative, loose-knit development processes. This really needs to be kept from happening again if the suits are to take us seriously.
-lx
No MS bug was ever handled as quickly as OSS does its hiccups
The ship sank. Get over it. (This sig was cut out from another's shirt and painstakingly hand-posted)
Actually that first would most likely be considered an exploit.
A few people asked how it can be a worm if it doesn't actually spread.
First some background: way back when (sometime in '95) Apple introduced a new autostart feature to QuickTime. If you've used Win95 you probably know how this works: you pop in a CD and it automatically launches an application for you.
According to http://developer.apple.com/qa/qtpc/qtpc12.html, Apple's implementation works like this: the developer puts the autostart application's file name in a magic place in the first few blocks of the drive. When the drive is mounted and the AutoStart feature is enabled (it's a simple check-on, check-off feature) the application launches.
The Worm is simply an autostart application that copies itself to the startup drive so that it is launched at every boot, and then proceeds to copy itself to every mounted partition (hard drives, Zip drives, network drives, etc.) about every 30 minutes and enables the autostart blocks on those volumes. After infecting the other volumes, it goes about your system overwriting various files with random data.
Anyway, I believe the LinuxPPC CD contains the AutoStart Worm application but the CD doesn't contain the blocks that actually tell QuickTime to launch it. You also can't accidentally launch it because the file is hidden, meaning you have to use a separate utility, not the Finder, to even see that it's there.
There are 3 names that the various strains of the Worm use for the autostart application filename. This is what the antivirus software looks for, and what they find.
Well, that's about all I know on the issue. Perhaps more than any of you wanted, but I find this kind of thing interesting. I am kind of curious why we haven't seen a similar worm taking advantage of the Windows 95 autostart feature...
...excuse me, sir. There appears to be a worm
in my apple.
Like many in the BSD world, you are confused about how Linux operates. NetBSD, FreeBSD, and OpenBSD are distributions, and are therefore properly compared to Debian, Red Hat, or SUSE, not Linux. Different distributions will have better or worse security policies.
Your claim that this incident is an argument in favor of OpenBSD's "total code review", however, is utter crap: OpenBSD's code review would not necessarily have saved an OpenBSD distributor from making a mistake like this. The bug could have been introduced at the last minute by whoever pressed the CD-ROMs. The worm was not present as source code in the original distribution, so there is nothing to catch by doing a review. And the OpenBSD people are good, but they are not perfect.
The Linux vendors definitely need to improve their security reviews. However, even with the way it is now, it's far better than what we used to get from commercial Unix vendors (who would typically ship with critical files world-writable, with programs setuid that were never designed that way).
really embarrassing if it blew up with all the
rippin' on Microsoft we've been doing lately =)
Seriously, though; I think it speaks to the power
of open source software that this was caught
before it spread too badly...
----
Every year during my review, I just pray the words "slashdot.org" aren't mentioned.
It took them so long to get R5 working, and they ship it with a worm? That's gotta hurt.
Anyway, I hope it was caught before too many people were exposed (although it appears to be dormant).
-Rafi Remove the Spanish to email me.
what has this to do with open source??
bla
Macintouch also reported that no user has been infected with the strain. The worm was also present on a Marilyn Manson interactive CD, but it was the "dead" form, incapable of spreading, even though it sets Agax and Early Bird off.
J.
damned vulpine http://sb.drtwister.com/
This was posted not long ago
start"
Subject: Update on AutoStart bug on R5 discs
Date: Tue, 15 Jun 1999 15:24:39 -0400
From: Jason Haas
Organization:LinuxPPC Inc.
Newsgroups: comp.os.linux.powerpc
We have concluded that the AutoStart worm cannot spread from R5 CDs to users. No one has reported being infected by the discs, and several people have reported that having the disc in the machine does not cause their machine to become infected.
When we burned the master CD, we used the Linux program mkhybrid, and did not activate the auto-start option. We believe this prevents the worm from spreading to new machines from the disc.
We will have a new pressing of the disc available in about two weeks for users who would like to receive a new, clean copy of the disc.
Jason Haas,
LinuxPPC Inc.
end"
cheers,
mitch
Then again, if you've never used the distribution before, or don't use Macs, it might seem novel and worth reporting about. Macintouch pretty much laid it out earlier, however: the worm is dead and harmless.
It could have also been used as FUD against LinuxPPC.
J.
damned vulpine http://sb.drtwister.com/
Since this worm can't spread,
does this mean it's dead?
Bill - aka taniwha
--
Leave others their otherness. -- Aratak
Problems at www.macintouch.com already? Don't tell me so many /.ers are flocking over there to read the news already? Or perhaps the worm that I can't get any details about at the moment got them... :)
-- perl -e'print pack"H*","6e656d6f406d38792e6f7267"'
Virus not active. End of story.
I guess that pretty much kills any further discussion.
Autostart 9805-A. I was not too pleased when a Virex scan gave me this message when I loaded my R5 CD yesterday. I'm almost speechless in describing what I feel about this.
I don't care if this thing won't spread. It is highly unprofessional to send out a CD with a virus on it (or something that will be flagged by a virus scan). There are also some minor "glitches" with the distro. For instance, in one of the readme files, this instruction is given.
Where is the old RedHat installer?
a) Just pass redhat as an arguement to the
To the ?? If you have used BootX before, you would probably realize that this is a parameter to pass to the kernel arguments. They might also wish to spell argument correctly. Note: I am not blaming these nitpicking mistakes on the original author of the doc. Remember, this is Linux. Have other ppl review the source.
Nonetheless, I have installed R5 and it looks pretty good. Serious testing starts tomorrow. As a side note: I just realized that I am a totally pathetic (but extremely loyal) Apple/Linux supporter who is willing to overlook glitches.:-)
I just have one last bitch. I start up LinuxPPC at runlevel 5 and eventually get greeted with the login screen. Off in the upper left-hand corner is a fairly obnoxious and rather large RedHat logo. I was wondering, is this the result of some agreement between LinuxPPC and RedHat for the use of the RedHat installer?
Don't flame me if I made mistakes in spelling or grammar in this post (since I nitpick on this issue). I don't have another pair of eyes reviewing my post.
It has been done. The normal use for windows autostart was breaking the screensaver lock. (yes it works). Another brilliant hack I saw pulled was to leave a windows95 autostart CD labelled 'Porn Collection' around a lab. It actually autostarted format/u c:
Last time I checked, the definition of a worm is a self-propagating virus. If it can't spread... then it's not a worm.
arrg...
I guess it shows how little I use the MacOS anymore. Only use it now to check the CD actually shows up right under the MacOS. Drat. Nonetheless, no harm done - luck has it using mkhybrid froze it (thanks Tom).
Besides that, I hope it works well - It's one of the first with a live X based installer!
jcarr @ linuxppc
companies do not have.
.02
The ship sank. Get over it. (This sig was cut out from another's shirt and painstakingly hand-posted)