Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security

Linux Virus Alert 501

marcjw writes: "I don't see many of these (Linux virus alerts). In fact none in the six months or so since I've switched from MS. Maybe that's why this story from newsbytes caught my eye. At any rate, I'm not sure if this poses much of a threat to the general Linux community but it's always best to be forewarned."
This discussion has been archived. No new comments can be posted.

Linux Virus Alert

Comments Filter:
  • "However, Russell said it would be "dead simple" to attach the virus to a useful program, such as a tool that exploits a security hole, and beguile some users into running it. What's more, a malicious user could upload the virus to a Linux download library. "


    At least our email programs dont auto execute attachments.

  • by JeremyYoung ( 226040 ) on Saturday January 05, 2002 @07:12PM (#2792006) Homepage
    ...the virus requires users to run an infected program from an account with "root" permission.


    Ya, I run lots of unknown binaries while logged in as root, it's my favorite activity.
    • I run almost every binary I can find while i'm logged in as root.... If im gonna mess something up, im gonna do a damn good job of it....
    • by Anonymous Coward on Saturday January 05, 2002 @07:39PM (#2792097)
      hmmm.. social engineering anyone?

      localhost:~$ tar zxf some-random-binary-0.0.1.tar.gz
      localhost:~$ cd some-random-binary-0.0.1
      localhost:some-random-binary-0.0.1$ ./runme

      This program must be run as root.

      localhost:some-random-binary-0.0.1$ su
      Password:
      localhost:some-random-binary-0.0.1# ./runme

      Sucka!


      Another point.. when was the last time you actually checked the code of something you've compiled? lets say instead of some-random-binary, it's some-random-young-sourceforge-app. Jeez, get off your fucking high horse.
      • by Lumpy ( 12016 ) on Saturday January 05, 2002 @08:39PM (#2792271) Homepage
        Actually quite often. Anything that requires running as root dont get installed unless it is a major important app. (Sorry but superWarezSniffer1.2 is not a major important app)

        I did look through airsnort, and the other "grey area" apps that I use for security and curiosity. Games? never get ran as root, every other app? never as root.

        Sorry but if you have to run it as root, 90% of the time it is a sign of poor code and will probably suck anyways...
      • How many times do you run binaries from people you don't know? The e-mail route is likely to be the least effective.

        The upload scenerio is likely to be more worriesome and unfortuanlty few people will take preventive measures, until this method has been proven to be valid (as in lots get infected from a cracked program).

        Matt
      • by Raul Acevedo ( 15878 ) <<raul> <at> <cantara.com>> on Saturday January 05, 2002 @09:19PM (#2792377) Homepage
        It doesn't matter if it requires root privs to run. Most programs have to be installed as root, and that's all that is needed. The make install step can do something nasty without telling you (how many people fully read & understand the Makefiles in the above scenario?), or it can install a trojan version of ls or any other program.
        • by foobar104 ( 206452 ) on Saturday January 05, 2002 @11:53PM (#2792776) Journal
          how many people fully read & understand the Makefiles in the above scenario?

          Which brings up an interesting point: write-only code. I've tried to read and understand autoconf-generated Makefiles a few times, and given up with my head spinning. They're a tangled web of M4 macros and such.

          Computer-generated code is notoriously hard to read, and install scripts are one instance where reading the code is important.

          I only wish there were a way to improve autoconf and other code generating programs without having to have a massive security breakdown happen first to inspire the work.
          • But you can read the file before it is processed by autoconf and/or automake.

            If you trust those 2 programs to not have backdoors (along with all the M4 macros) and to correctly process their input files, the config.in and Makefile.in are a lot easier to read.

            It's the same thing with a C source file: you don't read the ELF executable, you read the C file. The source to a lot of configure scripts is config.in, and the source to Makefile is Makefile.in (or Makefile.am, I do not have a lot of experience with it).

            Of course, what doesn't help is that a lot of trees use recursive Makefiles, so you have to read all of them and check that they are not modified during the installation. Then, the build system is out of the equation and you can concentrate on the actual program.
      • by ljaguar ( 245365 ) on Saturday January 05, 2002 @10:04PM (#2792522) Homepage Journal
        OK, I'm really sick and tired of those people who say "Oh, I run binaries as root, so you do too."

        Have you every thought of /usr/local?
        ./configure --prefix=/usr/local?

        My /usr/local is writable by my staff. My staff consists of... me. So, I have root, my desktop login and staff. Just install stuff on /usr/local, as staff. Voila. Staff can't touch my $HOME or any of the system binaries. So any malicious script (at install time aka make install) is pretty much contained in... /usr/local.

        Let's say I run a infected binary in /usr/local/bin as my desktop login. I loose my stuff. You can argue that this is just as bad, but my system is still not compromised.

        This isn't rocket science, guys.
        • I loose my stuff.

          Proof that information wants to be free.

          Now, if you happened to lose your stuff, that's bad.

          Sorry, pet peeve of mine.

          Lose: as in to misplace, lost, not win.
          Loose: to release, to untighten, relax.
          {where is the Angryflower on this particular topic?}
          .
    • by marnanel ( 98063 )

      It's not impossible for the trojan to have infected a trusted binary, unless you're sure that root only runs programs that have always been not only writable only by root, but also in directories only writable by root.

      It doesn't need to be as extreme as making /bin/ls world writable. For example, who has the right to change things in /usr/local/bin? Some distros make /usr/local/bin writable by a group called "staff", and on any system it's possible that you allow trusted users to put things in /usr/local/bin, or at least to compile programs which you then put into /usr/local/bin. And then that directory is often in root's path.

      That would mean that a sufficiently trusted user who ran an infected binary could then allow the infection to spread to root. (People are often rather less careful with non-root accounts.)

    • by adadun ( 267785 ) on Saturday January 05, 2002 @08:10PM (#2792186) Homepage
      Ya, I run lots of unknown binaries while logged in as root, it's my favorite activity.
      I realize of course that you are joking, but I do believe that a lot of users run a lot of untrusted stuff as root. How many times have you run "make install" as root? I certainly have done it a few times for software packages that I downloaded from untrusted sources and without having read through the entire Makefile first. Who knows what kind of programs that I might unwillingly have run as root?

      RPMs or other packages that are downloaded from more or less untrusted locations without encryption signatures might very well run a few evil scripts during the installation process (which, of course, is done as root).

      To be really sure, one should always install new programs in a chrooted jail; the software should be installed in a totally new branch of the filesystem tree and the installation process should not be able to read of write to other parts the filesystem.
      • by BlueWonder ( 130989 ) on Saturday January 05, 2002 @09:48PM (#2792463)

        How many times have you run "make install" as root?

        Never. I want to have full control over and knowledge of where each file is installed.

        If the Makefile has been generated with GNU Automake (which is true for maybe 90% of all Makefiles I encounter), there is an easy solution: Install with make install DESTDIR=~/tmp as ordinary user, and if you agree with the file layout under ~/tmp, cp the files to their final location as root.

      • How many times have you run "make install" as root?

        No longer. You guys have got me so paranoid about running things as root now, I made a new account called "safe" to safely install programs. Although I found I had to make the UID of that account be 0 in order for it to work correctly...
    • Ya, I run lots of unknown binaries while logged in as root, it's my favorite activity.

      So you never install any software for multiple users huh? What OS do you run? It sure can't be Linux...
    • That wasn't completely accurate. You can infect executables that you have write permision to just fine. Anything in your home directory, for example. On the vast majority of systems, you'll need to be root to infect /bin. (If you don't have to be root to write to executables in /bin, you've got worse problems.)
    • by ddilling ( 82850 )

      True, but...

      The issue is, the same people are vulnerable to this on linux, as are vulnerable on Windows -- the people who really don't know better.

      It will be difficult to believe the linux community is serious about building an OS 'that grandma can use' until we accept that grandma really might 'fall for' the idea of a virus that needs to trick the victim into running as root.

      So long as experts (or at least, knowledgeable users) who are serious about security are the only ones running a given OS, of course their machines will be safe from viruses.

  • by Nicopa ( 87617 )
    As we speak (write?) there are surely a couple of computer labs paid by McAfee, Norton, etc. trying to create some kind of successful Linux virus/worm. =)
  • by davidstrauss ( 544062 ) <david&davidstrauss,net> on Saturday January 05, 2002 @07:13PM (#2792009)
    A patch that allows the virus to exploit Windows will be released in Service Pack 1 for Windows XP.
  • Why is is there are more viruses for MS platforms than Linux platforms? Does it have something to do with the OS itself- more secure, perhaps? Is it just because Linux users are usually more knowledgeable and careful about such things?

    Or is it just that virus writers focus their efforts on MS software? (And if it's the last one, why do malicious coders focus on MS? Is it just to spread FOAD and, indirectly, their favorite OS?)

    • Any smart Linux user doesn't usually run their computer with root permissions. Until Windows XP, all consumer versions of Windows (9X, Me) ran all users at an eqivalent to root level, enabling viruses to wreak havok at any time. Macs were the same way before OS X, but virus writers still targeted Windows because of the large installed base.
    • by NecroPuppy ( 222648 ) on Saturday January 05, 2002 @07:22PM (#2792047) Homepage
      Part of it's because of the relative lack of security on a Windows box; only NT and XP had/have an administrator level where regular users aren't allowed to do things.

      95/98 let anyone run just about anything as default. And XP actually does this too... Default accounts are set up as administrator without passwords.

      And while you can run everything from an administrator account (got root?) under Linux, the type of person who installs Linux generally knows better than to do so.

      It's because of the limited access that most accounts have that makes viruses difficult to write under Linux.

      As to why malicious coders concentrate on MS, it's because it's easy. The coders at MS keep making the same mistakes over and over again. Look at the UPNP exploits.
      • only NT and XP had/have an administrator level where regular users aren't allowed to do things.

        But it doesn't work very well in partice. Example, Microsoft Filght sim 2002, when run from a normal user account, tells you you need to run it from an admin account. You see, rather then each user having their own config/save files, there's global config/save files which all users must be able to write to. The same applies to lots of other windows programs too.

        Many users will just give themselves admin privledges (or login as admin) and be done with it. So the problem will still exist for a while.

      • Part of it's because of the relative lack of security on a Windows box; only NT and XP had/have an administrator level where regular users aren't allowed to do things.

        95/98 let anyone run just about anything as default. And XP actually does this too... Default accounts are set up as administrator without passwords.


        Let me add some items to your list...

        - Linux installers are usually very good at teaching newbies the dangers of the root account. They will also make it real easy and natural to setup secured user accounts.

        - The community is very good at reminding each other not to run as root, be it in weblogs, readmes, changelog, etc. In fact, they even go on running jokes about it. At the end of the day, it makes a wonderful job at passing the word to new users.

        - Since there is already a critical mass of carefull users on linux, programs that use more permissions that they need to can expect to receive flews of angry emails. Under w2k/xp, where most home users run in administrator, those that do not are less likely to complain. The end result is, windows software too often crashes and bugs up unless run as root.

        - Under Linux, it is real easy to become root the time of one punctual action (su, sudo, fakeroot), then relinquish the extra permissions. Under w2k, you have to create a shortcut to the executable, right click, check 'run as a different user', click ok, double click, click on the password field, enter the root password. A real pain in the ass. And again, alot of programs that would run otherwise correctly as administrator won't work with this method. In which case you have to save all your work, log out, log in as admin, run that program, log out, log back in, restart all the program you were using. Blah! Easily a ten minutes process.

        - Under windows, it is always trivialy easy to runs programs. So much so, that I'm extra careful whenever I'm reading mail under windows, and slow down my perusal to be sure not to stumble and accidentaly run a virus. Under linux, running untrusted program is a two step process: first give it the permission to run (chmod +x virus.exe), then run it (./virus.exe) .

        - Finaly, viruses need to pull their infection/clean up ration over the 1.0 bar in order to survive and outbreak. Linux, with it's smaller installed base and it's biodiversity of distributions, makes it hard for a virus to find its next vunerable target. With that in mind, we can expect somewhat more Linux viruses the day it takes over Windows as everyone's operating system.
      • Because there are many more WIndows boxes, and virus writers like to have their virus run on as many machines as possible.
    • Why is is there are more viruses for MS platforms than Linux platforms?

      The main reaseons are thus:

      1) Microsoft attemps to grab marketshare by adding any 'feature' that appeals to the masses, rather than adding security that appeals to a few smart people.
      2) Microsoft's security model has had only a few years of evolution, the UNIX/Linux/BSD model has had almost twenty years of networked connected time to get it right.
      3) Microsoft is gready. Raher than give you a patch to fix the secutity problems of your old Microsoft software - they would rather force you to pay for their newer version.
      4) Microsoft programmers are inept. Microsoft attracts greedy and underqualified programmers with the lure of stock options. Good programmers either work for themselves or for a company that puts pride in their work. Good programmers seldom do it for the money - witness the wonderfull security of the shoestring-budget OpenBSD versus the 1.2 billion USD Windows XP that had to be pathced within a month of it's consumer release.

      In short - Microsoft's bad security is actually good for their bottom line, it forces you to pay money for their 'upgrades.'

      • 4) Microsoft programmers are inept. Microsoft attracts greedy and underqualified programmers with the lure of stock options. Good programmers either work for themselves or for a company that puts pride in their work. Good programmers seldom do it for the money - witness the wonderfull security of the shoestring-budget OpenBSD versus the 1.2 billion USD Windows XP that had to be pathced within a month of it's consumer release.


        Microsoft lures greedy good programmers with the stock options carrot-and-stick too. It is well known that among Microsoft's tactics for ruining competitors during the nineties was simply hiring their best programmers away. Their shitty software is usually a result of shitty management decisions, not necessarily their engineers.
    • by tuffy ( 10202 )
      Unix-alikes are built from the ground-up to prevent accidents (particularly from non-root users) from damaging the system. DOS-alikes assume a single, all-powerful user that is free to annihilate anything at will. Viruses have an easy time exploiting the latter, but have a tough time propagating on the former. And, without an easy route for propagation, Linux viruses simply can't gain a foothold to cause any real damage.

      Naturally, the average user skill and level of vigilence by Linux developers helps too. But I think the basic design plays a big part in the lack of viruses.

    • Why is is there are more viruses for MS platforms than Linux platforms?

      Because there is a market for Anti-Virus software for windows! If there were virii for linux boxen then the anti-virus software would be likely opensource [or GPL]. No market.

      Just think, a design flaw of windows makes the anti-virus people $70 a sale. If microsoft was going to bundle anything, it should be an anti-virus utility.

      XP got onto the right track with copying linux's multiple user accounts - hopefully they will start to restrict the users more.
  • by lostchicken ( 226656 ) on Saturday January 05, 2002 @07:17PM (#2792025)
    #!/bin/sh
    cat /dev/urandom > /dev/hda1

    There. It's a virus.
  • MS Plot? (Score:2, Funny)

    by Knunov ( 158076 )
    Scene: Redmond, Washington - early Saturday evening in a building on the Microsoft campus.

    MS Coder #1: "Dude! We made the front page on Slashdot! Bill is gonna hump our legs for this!"

    MS Coder #2: "Cool! When we finish RST.c we might even make CNN!"

    It could happen...

    Knunov
  • Pretty crazy stuff (Score:2, Interesting)

    by linzeal ( 197905 )
    "Uriah Welcome, an administrator for the popular SourceForge repository of open source programs for Linux, said the unit of VA Software Corporation does not scan files uploaded to the site for viruses."

    Um, he further states that it would be "trivial" to add such a feature. Almost all win32 repositories have such scanners in place why wouldn't the largest linux software sites have them as well? Have we become too trusting of the "many eyes" theory?

    • by pete-classic ( 75983 ) <hutnick@gmail.com> on Saturday January 05, 2002 @07:40PM (#2792103) Homepage Journal
      Well, the primary reason would be the lack of any viruses to scan for.

      It is only "crazy" to not scan for viruses from the mindset that viruses are out there. It isn't crazy to take a road trip in a car that doesn't have a spare innertube if the car uses tubeless tires.

      It is also important to note that this article is not about a virus. It is about a trojan. There isn't really any way to do an automated check for unknown trojans on any platform, since the scanner can't know what the program is supposed to do in to first place to figure out if it is doing something else as well.

      The question with Linux binaries is are they what they claim to be. That question is generally answered with an MD5 sum from a trusted source. This renders the case of unknown trojans moot.

      -Peter
      • If people are going to downloading the uploaded software, then not scanning it for virii (trojans or anything else for that matter) is completely irresponsible.

        I now know not to trust Sourceforge anymore. If I don't have the time to audit the code I won't download it.
      • by linzeal ( 197905 )
        The question is not whether you or I will md5sum every binary and look over every peice of source before we compile it. The question is should we expect this of the average human being that may use linux for the same reason most people use windows 32 and nothing more.

        This is a trust issue and the entrusting of power into people that may or may not be up to or care for the task. RPMs are as easy to install as a setup.exe for people as long as there is not a slew of dependencies (which has been lessened with the advent of "smart" installers). It is that ease of use which is dangerous without precaution as we have seen with microsoft products. Implementing safety measures beyond those that we as accomplished users have grown accustomed to is a rising concern and still needs to be addressed.

  • According to the article, the virus uses the exterior gateway protocol (EGP). I've never heard of this, though I could just be naive.

    What services use this EGP protocol?

    I'm assuming that if my box doesn't run anything that uses this, then it's not vulnerable to exploitation.

  • by Eryq ( 313869 ) on Saturday January 05, 2002 @07:20PM (#2792039) Homepage

    Unlike some Windows-based viruses that travel like wildfire using vulnerabilities in Microsoft's Outlook e-mail program, the new RST variant is unlikely to spread widely, according to Russell.

    One short sentence to compare and contrast the MS Virus Deployment System with Linux. I also like the part where he says that most Linuxers are more "sophisticated" (must be why our mascot wears a tux).

    • Okay fine. You have a mail spool, saved messages, locally cached messages, and sent mail files in your home directory right?

      cat /var/spool/mail/you; cat ~/.addressbook
      parse out every email address
      for each user
      mail -s "Hey look at this!" ++ $virus
      • I might of spoken too fast here, not fully realizing the original poster's point.

        My previous message is about viruses spreading via email to other users. As for getting a virus on in the first place, use one of those remote holes that pop up from time to time. :) Or stop using outlook and switch to Eudora. ;)
  • heh (Score:4, Funny)

    by Order ( 469817 ) on Saturday January 05, 2002 @07:21PM (#2792042)
    Linux, an alternative to Microsoft's Windows.

    Heh, couldn't they just write "An operating system"?
    • Instead of which of the two names that you mention? :-)
    • Blockquoth the poster:


      Linux, an alternative to Microsoft's Windows.

      Heh, couldn't they just write "An operating system"?


      Heck, we should just be glad that there's a news organization that can even conceive of an alternative to Windows.
    • Re:heh (Score:3, Funny)

      Yeah I noticed that too, wtf?.

      The movie star was seen drinking Jolt Cola (an alternative to Pepsi-Cola's Pepsi).

  • I didn't see anything in the article about how it actually propogates. It didn't read like a worm, so what binaries (tarballs and RPMs) are suspect? Anyone? Anyone?
  • by startled ( 144833 ) on Saturday January 05, 2002 @07:28PM (#2792064)
    Do NOT run "deltree /Y *"-- this is a very dangerous trojan that could potentially destroy your system!

    The worst part is, it's already infected 100% of all DOS 7 systems.

    (Is is just be, or does it seem silly to give any time to a "virus" that requires you to run a binary while rooted?)
    • (Is is just be, or does it seem silly to give any time to a "virus" that requires you to run a binary while rooted?)

      A lot of smart alecs here are making light of this, but let's face it, the smart thing is to give time to any virus at all. Tell me you've never, ever, left yourself in as root by mistake. OK, now tell me no-one else has. 'Nuff said.

      • Well, I've certainly never left myself as root while running unfamiliar executables. I can't tell you no one else has, but I think it's quite minimal.

        But sure-- a little blurb on /. can't hurt anything, and might save a couple boxes. We still have to make fun of it, so that anyone it hits will feel really bad about it when they read about it later on their friend's box....
      • that's why I change the colors on the root shell to be as painful as possible. Lots of bright green does the trick. You tend to never forget your root that way, and try to stay away from being logged in as root.

        or you just use 'su' more often..
  • by Greyfox ( 87712 ) on Saturday January 05, 2002 @07:31PM (#2792075) Homepage Journal
    To make it look like it's actually a threat. Oh yeah, it'd be dead simple to entice users to download a binary as root and run it. Yeah, once we give the user a frontal lobotomy and he believes everything we say, it is dead simple to do that. Oh yeah, it'd be a major threat if it infected binary files on sourceforge...

    Has anyone actually seen this virus in the wild? I can't imagine it'd actually propigate...

    • Oh yeah, it'd be dead simple to entice users to download a binary as root and run it.

      Yes, very simple.

      "Check out this cool theme! Just run install.sh." Then the installer then says "you must be root to install this theme, please enter password:". Now before you even know you are rooted it's scanning your address book for other victims.

      What? You say you're not that stupid? Fine. While you're laughing at everyone else getting slammed by such as transparent trick, remember that the people maintaining the site where you grab your "trusted" binaries from might be one of them.

      The only really secure solution is extreme paranoia.
      • There are several answers to this. Besides the 'never run strange things as root' mantra, there is also the 'compile from source whenever possible' mantra, as well as the 'patch system from local and remote exploits judiciously' wisdom.

        Alternatively, for the Ultra-Paranoid, you can simply run OpenBSD where most everything you need is included in the base install, and all "approved" 3rd party apps (ports/packages collection) have at least had source code closely examined by people with minds for code far better than yourself.
    • And if it were actually a threat, then maybe this might be a noteworthy story. But nobody uses Linux anymore!
  • by cliffy2000 ( 185461 ) on Saturday January 05, 2002 @07:32PM (#2792076) Journal
    More virii. Glad that no one likes the Mac but me and two other people... Sevendust is the last major threat we had...
  • What about... (Score:2, Redundant)

    by bjsvec ( 19546 )
    ./configure
    make
    su -
    make install

    I'm sure everyone doesnt audit every line of code
    before doing this...

    -b
  • by Restil ( 31903 ) on Saturday January 05, 2002 @07:54PM (#2792145) Homepage
    I can write a binary that when run by root will erase your entire system. And I can probably do so in under a minute. Somehow, I doubt it will ever hurt anyone. Anyone smart anyhow.

    Programs that exploit security holes are far and wide. Yet, they are typically released as source code, usually attached to messages in security mailing lists. We can take a quick glance over this source before compiling it and running it. And besides, if it IS your typical exploit code, nobody needs to run it as root. To do so would defeat the purpose of having an exploit in the first place.

    I do like the statement, however, that linux users are less likely to open unknown attachments. Says quite a lot about our community right there.

    -Restil
    • I can write a binary that when run by root will erase your entire system. And I can probably do so in under a minute. Somehow, I doubt it will ever hurt anyone. Anyone smart anyhow.

      Damn, I'm impressed. I could probably kick out a binary to do the same but it would take me more than a minute just to write the ELF header, not to mention the object code source. Of course if you meant write a program I'd be suprised if it took someone a full minute to do this. I know what you meant just f'ing with you a little.

  • by gorre ( 519164 ) on Saturday January 05, 2002 @08:00PM (#2792158) Homepage
    Who would run a virus that is distributed as a binary only? Everyone knows no self respecting linux user uses software unless the source is available! Until they release this virus under the GPL I for one will be staying well clear of it.
  • Umm (Score:2, Informative)

    Perhaps I'm wrong on this, but this is a trojan, not a virus. Viruses reproduce and spread automatically, and from the article's description, this does not. Requiring users to run something at each point that it infects is NOT a virus, it is merely a trojan horse.
  • by tiny69 ( 34486 ) on Saturday January 05, 2002 @08:15PM (#2792194) Homepage Journal
    Managed security provider Qualys obtained a copy of one new variant last month from an "outside source," according to Gerhard Eschelbeck, vice president of engineering.
    So he wasn't actually infected by it. Sounds like someone gave him a proof of concept prototype.
    To date there have been "limited" reports of the new RST variant in the wild, according to Eschelbeck.
    Reports to who?
    To replicate, the virus requires users to run an infected program from an account with "root" permissions.
    Only a complete moron would run would do this.
    Although many Linux users do not run anti-virus software, they are generally more sophisticated about security threats and are unlikely to click on executable e-mail attachments, he said.
    Exactly. From what I've heard else where, it sounds like the "virus" is similar to the old COM virues from the MSDOS days. Yes, they may have a copy of a "virus", but the whole thing sounds fishy to me.
    • He was probably mailed a copy, same as I was. (That is, someone said "here's a virus I found", not that they were trying to hide it.)

      I've got no way to tell that the person who sent me my copy isn't the author, but I've also got no reason to suspect he is.

      In any case, this is why I can't speak to whether the virus is "in the wild". But, it exists, and it works, so I passed the info along.
  • I'm a security researcher.
  • Finally, the most popular genre of windows software has been ported to Linux! Goodbye, WINE!
  • by _aa_ ( 63092 ) <j AT uaau DOT ws> on Saturday January 05, 2002 @08:36PM (#2792261) Homepage Journal
    ...the only real security hole is 'User Error'.
  • Not only are people bothering to write viruses for it, the popular press now refers to Linux as in "programs written for Linux, an alternative to Microsoft's Windows".
  • I've been running nothing but linux for the past month. During that month we've had (for example) the huge XP hole, plus any number of viruses (and a couple of virii ;-). The *first* time I boot into windows, I load up /. and what do I find but a story about a linux virus?

    My glass is half full.

  • by CatherineCornelius ( 543166 ) <tonysidaway@gmail.com> on Saturday January 05, 2002 @09:10PM (#2792345) Journal
    A reminder is perhaps due here that the first internet worm program to cause significant damage (the Morris worm) was released in the 1988 and infected UNIX systems through a well known vulnerability (yep, good ole gets(3)) in the fingerd daemon.

    And waddaya know, UNIX application programmers are _still_ using the occasional gets(3) call in setuid root programs, more than a decade later, despite the fact that we all know that it doesn't check for buffer overflow and that a buffer overflow _can_ be used (read: _has_ been used in the past) to make a program execute code of the worm writer's choice and bring a significant part of the internet grinding to a halt.

    • A reminder is perhaps due here that the first internet worm program to cause significant damage (the Morris worm) was released in the 1988 and infected UNIX systems through a well known vulnerability (yep, good ole gets(3)) in the fingerd daemon.

      And waddaya know,UNIX application programmers are _still_ using the occasional gets(3) call in setuid root programs, more than a decade later...

      The Morris worm and other aspects of infosec history reflect the security landscape. Information security has been horrid in the past. It has been bad in more recent times. But there are improvements. Or, at least, improvements in some circles. Within the nebulous Unix (and Unix-like for the purists) environment, security has made vast improvements. While this does not mean these environments are bullet-proof, they are far removed from other environments that are ripe for malicious code.

      The Morris worm is a nice spectre to pull out of the Unix closet and remind everyone that Unix is not infallable. Just look at all the damage done in the early internet days! Spooky.

      However, this is history - ancient by Interent standards. Since then, there have been other Unix-based worms to hit the net at large. I can name three more recent examples off-hand. Sadmind [cert.org] spread amoung Solaris hosts to deface IIS sites. The ramen [sans.org] worm attacked Linux (specifically RedHat) hosts. And there were reports [cnet.com] of ramen code being modified and sent on its way. And then there was another Linux worm called li0n [sans.org].

      In each case the worm hit the wild, was discovered and reported, had a brief life as appropriate counter measures were taken, then faded out. Missing was the media frenzy one would expect with something as damaging as the Morris worm. That came later on a different platform with a different worm: Code Red.

      Once again - Unix is not infalliable. But various generations have been in the trenches dealing with infosec issues for years. Recent incidents have began to show off its experience, versitility, and resiliance. It is small wonder the Unix crowd tends to look at virus issues with almost a disinterest compared to their Windows counterparts who are burned either more often or more severely by such a threat.

  • by gozie ( 153475 )
    Who's your favorite Looney Tunes character?
    Bug's Bunny
    Daffy Duck
    or
    Elmer FUD
  • by Roger Whittaker ( 134499 ) on Sunday January 06, 2002 @05:53AM (#2793410) Homepage
    I'm often asked - `won't viruses for Linux start to appear once Linux gains more desktop users?'. And I always explain what it is about Linux and Unix-like operating systems in general that make this very unlikely (the strict separation between root and users in particular). However, at present we have a situation in which there is a very strong sense of mutual trust: if you see some code being offered for download in the usual places you know that it's very unlikely that it will harm your system if you build it / install it as root.

    It is worth thinking about the possible dangers of these particular waters getting muddied - as Linux gains more users, there will be more people around with less sophistication about these matters and there could be more people deliberately offering dangerous code for download.

    So there are some reasons for concern but they are based on faults in the potential users, not in the OS.

    Roger Whittaker
    SuSE Linux Ltd London
  • by Error27 ( 100234 ) <error27@[ ]il.com ['gma' in gap]> on Sunday January 06, 2002 @05:56AM (#2793417) Homepage Journal
    I remember when slashdot first talked about the RST trojan. [slashdot.org] That time Qualys did an abysmal job reporting on the virus. (Read the comments on the article.)

    The good thing is that apparently there was not a single case where this virus infected anyones computer except for the anonymous person who reported it to Qualys. This new virus is at least three times more dangerous because three different groups have seen it. :P

    The most difficulty part with this type of virus is getting people to run it as root. The easiest way would be to install the virus through a Makefile which are often run as root. This is one reason I think the standard tar.gz install should be:
    #-----
    zcat foo.tar.gz | tar -xv
    if source
    cd foo/
    ./configure
    make
    fi
    cd ..
    su
    cp foo /usr/local/tar/
    ln -s /usr/local/bin/foo /usr/local/tar/foo/foo
    #-----
    Makefiles are too complex for most people to read but a script that installed things my way would only be 5 lines executed as root and thus easy to audit.

    (Normal .debs would install normally because debian developers are trusted.)

    On a completely unrelated topic, this virus can't spread very well. Linux users download packages from central repositories but they don't share ordinary binaries amongst themselves. The virus only infects elf excecutable files where in Windows it could infect emails and .doc files and all kinds of stuff that should be data but instead is executable.

    These days, the only dangerous way to spread a virus is through an internet worm. Linux is vulnerable to worms because almost everyone uses the same kernel, webserver, dns, and email server. If we could diversify these things, it would make Linux less vulnerable to worms.

    I know people are going to say that Linux is already more secure than Microsoft. That's true but it's because Microsoft does not care about security or threats to the internet. A truly malicious virus could cost billions of dollars in lost hardware and take out the American phone system for weeks.

    • OK, for one, the ubersimple install script only works for ubersimple apps and still leaves all your .o files hanging out there (not to mention he forgot the -r on cp)... for two,
      Linux is vulnerable to worms because almost everyone uses the same kernel, webserver, dns, and email server.
      As a matter of fact, we don't. Amongst the major latest/greatest distros there are three or four different versions of the 2.4. kernel with different patches floating about, and then there are those Potato purists (not that there's anything wrong with that!) still running 2.2, or the bleeding edgers running 2.4.16 or better... a lot of us do run apache, but some run TUX, and there are others; there are three different versions of BIND out there in addition to djbdns and dents, and sendmail is rapidly becoming passe' in favor of qmail (for those comfy with djb's scrooey licensing issues) and postfix (for those like me that aren't)....

      Linux, and the Unix world in general, is so hard to write virii for *because* of the sheer heterogeny of it all. Sure, we've developed tools over the years to deal with such things (autoconf), but the fact remains that you're never really sure just what you're going to get when faced with a given machine that has "#" for its administrator prompt... in point of fact, we already *have* diversified.

      And then there's the fact that most of the folks that own those hash prompts are, in fact, paranoid bastards who won't, in fact, install a random package from a random source without at least some recommendation, much less save out an ELF file, go "su", and run the darn thing.... or if he does happen to be Joe Sixpack, he's at least been shown by his guru buddy how to run whatever updater thingy the distro comes with, so he's at least got a good chance of having all the latest patches... unlike That Other OS, wherein the fix came in months before Code Red hit, and there were still a couple of million machines unpatched...

      Of course, a large number of those machines were left unpatched because the "sysadm" didn't want to reboot the machine just to patch the darn thing... it still chaps my hide that patching a *service* (Universal Plug'n'Play comes to mind) requires a fscking *reboot*....

      So, no, heterogeny (and good software update practices) are, in fact, already alive and well in the world of Tux and Chuck... and so are a few million pairs of eyeballs keeping watch over their systems by night just to see what they throw at us next.

  • by Anonymous Coward on Sunday January 06, 2002 @10:57AM (#2793800)
    Not trying to sound like a troll, but this post is an example of what is holding linux back from being a major contendor in the desktop OS market. Time and time again i see people saying that no self respecting linux user would run a program without first examining the makefile and looking over the source. The VAST majority of home computer users would have no idea how to do that, and that is even assuming they had any knowlege of coding. How likely is it that a new user would download the source if a binary is avalilble? Convenience and simplicity is what MS is targeting, and by all acounts it is working. Hate MS all you want, but the fact of the matter is that windows is run by virtually all home computers and is far more familiar and user-friendly for most simple tasks. It may not be as powerful, as secure, or as elegent at *nix, and though some may say is dumbs down the computing experience so that any moron can use a computer, that is precisely why MS owns the home computing market. The average person would not WANT to check the code for every program he or she installs, even if that person knew enough about linux and programming to make a difference. Sure, maybe all of those people that post on /. are smart enough not to get hit by this or any other virus, but /. readers do not make up the majority of computer users, as much as everyone wishes they were. Elitist atitudes about the linux 'community' is what keeps linux away from the general home computer community. As shown in this post, Linux users are just as bad at trying to downplay the possibility of being hit with a virus. Go count how many of the posts go on about how there is hardly any risk at all of viruses in Linux. I use and love linux, but instead of finding the type of constructive development I was hoping to find on how viruses were playing a part in linux, I found a bunch of people pounding their chests as to how THEY are so damn good that there is no threat to them, and how if you actually are hit by this virus, there must be something wrong with your head.
  • more info (Score:3, Interesting)

    by sweasel18 ( 548724 ) on Sunday January 06, 2002 @03:20PM (#2794507)
    The incidents post which provides more info on the virus can be found at:
    http://www.securityfocus.com/archive/75/247481

    I agree this virus isn't a huge threat. I do believe some people here are underestimating it a little. You do not have to be root when running the infected file... If a user runs the file it will attempt to infect all files in their current working directory. Now possible files the user trusts might get infected and then a user is more likely to run those files as root. Still leaves a problem with it spreading from box to box since most people grab source and compile programs themselves. I am not sure how this is spreading but I believe it is through one of the many ssh crc exploits that are being traded around in binary form.

    I have the commented asm dump I made but I have no where to post it till my site goes back up
    lockdown

A complex system that works is invariably found to have evolved from a simple system that works.

Working...