Linux Users: Welcome to the World of Malware

Preston Gralla
Oct. 27, 2004 11:55 AM
Now it's their turn to suffer.
Over the last several days, Linux users have been targeted by a phony email claiming to be from the Red Hat Security Team. It warns that a vulnerability in fileutils-1.0.6 could "allow a remote attacker to execute arbitrary code with root privileges" and tells recipients to download a patch to fix the problem.
The patch, of course, contains malicious code that compromises the system it's run on.
Linux users: Welcome to my world.
This kind of thing is old hat to PC users. Just this morning, for example, I received four phony emails purporting to be from eBay and PayPal, but which were really phishing exploits.
Linux users are going to have to get used to this kind of thing. They'll have to learn to be suspicious of any email they receive, and pay as much attention as possible to keeping their systems patched, using only legitimate patches from their distribution's official update channels, of course.
In a way, this scam may be a backhanded compliment to those who use Linux. They should figure that if malware writers have finally taken notice of them, it means that they've finally arrived.
Preston Gralla is the author of Windows Vista in a Nutshell, the Windows Vista Pocket Reference, and is the editor of WindowsDevCenter.com. He is also the author of Internet Annoyances, PC Pest Control, Windows XP Power Hound, and Windows XP Hacks, Second Edition, and co-author of Windows XP Cookbook. He has written more than 30 other books.
Showing messages 1 through 14 of 14.
-
Remember
2005-01-21 12:13:20 JustthefactsPlease [Reply | View]
Remember that statistically Red Hat has hundreds more security holes than Microsoft software does. There are some very good research articles out there on this, and most show that everyone has more bugs than Microsoft, but has problems getting fixes out the door, and takes longer to fix holes. To me this says MS still has the best security. Get some research from independent research firms like Gartner and others, and you will see quite a big difference between opinion and fact.
-
Multiple trojan variants, but same story
2004-11-03 14:26:14 RickMoen [Reply | View]
This is just a follow-up in case people were wondering what I was talking about, in referring to the trojan being distributed from a shell account at Stanford U.: I was speaking of the instance of this code I came across, a bit over a week ago, discussed on a user group thread (note followup discussion). After itemising some of the obvious tip-offs, I advised the Stanford security office, and got the file removed and the patsy user informed of his account's compromise.
Researching news stories on this matter since my earlier posting here, I learned that another instance of the same idiot-bait trojan had been briefly offered from phony domain "fedora-redhat.com".
Additional tips that I failed to mention, last time:
- The "alert" e-mail was in very brain-dead Microsoft-tinged HTML. Real RH security alerts are in GPG-signed ASCII.
- The e-mail was also in very badly botched English. None of the real ones are.
- The e-mail referred to the company as "RedHat". All of the real alerts correctly refer to it as Red Hat (Inc.).
- The bogus distribution site referred to was claimed to be a "Fedora mirror site", but wasn't on the Fedora mirror list.
So, to reiterate, we of the Linux community would be at least a tiny bit sympathetic to new users who killed their systems on account of a clever forgery -- even though the sympathy would be tinged with pity that we would try to conceal, over the ineptitude entailed in short-circuiting all the measures in place to protect even the hapless -- but neither variant of this trojan was even clever.
Hey, even a TiVo (which is likewise a Linux computer, in case our feckless columnist doesn't realise that) can be shot in the foot by any sufficiently inept owner: Break into its root account and install some rootkit, and it's in trouble. But that would be willfully stupid on an epic scale -- same as with the discussed trojan.
Best Regards,
Rick Moen
rick@linuxmafia.com
-
Acute disappointment
2004-11-03 13:13:52 RickMoen [Reply | View]
I'm woefully disappointed by this article, having come here in expectation that it would meet O'Reilly's generally high standards and allow me to learn something new on the subject. Instead, I find a piece that I can only hope reflects profound and embarrassing ignorance.
- The e-mail purported to be from Red Hat's Security Team, yet it wasn't GPG-signed. All such alerts are GPG-signed.
- It purported to be a company security alert, but wasn't on the alerts mailing list. All RH alerts go to that list.
- It purported to direct users to the Stanford University Red Hat mirror -- yet the cited directory wasn't that mirror, but rather (very obviously) the shell account tree of some individual. (It turned out to be, predictably, a compromised account, after I alerted Stanford Security to the problem and they immediately removed the file, hours after this scam was launched.) All RH security packages are issued from the company's official updates directories.
- Leaving aside the obvious dodginess of expecting people to believe that Red Hat would issue security updates from unrelated university servers, let alone some individual's shell account on that server.
- The file pointed to wasn't GPG-signed, either. All RH security packages are GPG-signed.
- The file pointed to wasn't an RPM. (It was a tarball of a shell-script trojan, rendered into C-code format using Francisco Rosales's Generic Script Compiler in an effort to obscure its purpose.) All RH security packages are issued as RPMs.
In order for some gullible Linux user to be fooled by this, he would not only have had to ignore all of those extremely blatant warning signs, but also have retrieved the tarball, unpacked it, figured out (from the Makefile) without a README that he had to do "make inst" (because the miscreant botched the Makefile, omitting any default "make" target), then become the root user, and last type "./inst" to "apply the patch" [sic].
So, you're assuming a Linux user who's simultaneously sophisticated enough to download badly bungled source-code tarballs and compile them, and also mind-bogglingly stupid enough to run flagrantly untrustworthy code from an unverified source with root-user authority. This probably describes the empty set.
We of the Linux community are well aware that epic levels of stupidity do occur, and are prepared to help such users by saying "Wow, that's a really big hole you just shot in your foot. Would you like to learn how to aim elsewhere, next time? We're glad to teach you."
Meanwhile, an alleged security expert claiming this is something new and shows that Linux users must newly "be suspicious of any e-mail they receive" is either extremely ignorant or is shading the truth. I'll be polite and assume ignorance.
Mr. Gralla, not a single one of the 123 MUAs available for Linux can escalate to root authority by itself. Not a single one unpacks and builds dodgy malware from source by itself, su's to root, and runs it with root authority. To the best of my ability to tell, not one of the 123 even saves received files with the executable bit set. If any ever did -- even the last of those -- the community would have at the author with the Clue-by-Four of Enlightenment until he fixed it or the entire world knew that the software was as reckless as, well, Outlook Express or Internet Explorer, and thus to be eschewed by all.
O'Reilly can surely do better than this.
Best Regards,
Rick Moen
rick@linuxmafia.com
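The two comments above together list the tip-offs that distinguished this forgery from a genuine vendor advisory: an HTML body instead of a PGP-signed plain-text one, the company name spelled "RedHat", a download link pointing at an individual's shell-account directory on an unrelated university host rather than an official updates directory, and a tarball instead of an RPM. The following script, added here as an example and not code from the page, from Red Hat or from the commenters, turns those tip-offs into a screening check run over two constructed sample messages. The trusted mirror host names, the "/pub/" directory layout, the "/~user/" home-directory convention and both message bodies are assumptions made for the illustration; a real deployment would load the vendor's published mirror list and verify the signature with gpg against a key obtained from the vendor, rather than merely looking for a signature header.

```python
"""Heuristic screening of a purported vendor security-advisory e-mail.

Added example (not from the original page, Red Hat, or the commenters).
Every check corresponds to one tip-off listed in the comments above.
Host names, directory layout and the sample messages are constructed.
"""
import re
from urllib.parse import urlparse

# Assumption: the vendor's official mirror list, normally fetched from the vendor.
TRUSTED_MIRRORS = {"updates.redhat.com", "download.fedora.redhat.com"}
# Assumption: official mirrors publish packages under this prefix.
OFFICIAL_PATH_PREFIX = "/pub/"
# Presence of this header is only a screening hint, not a verification.
PGP_BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"


def find_links(body):
    """Extract http(s) URLs from a message body (plain text or simple HTML)."""
    return re.findall(r"https?://[^\s\"'<>]+", body)


def check_advisory(msg):
    """Return a list of (indicator, detail) findings; an empty list means no tip-offs.

    msg is a dict with 'content_type' and 'body' keys (constructed here in place
    of a parsed email.message.Message).
    """
    findings = []
    if "text/html" in msg["content_type"].lower():
        findings.append(("html_body", "real advisories are plain ASCII"))
    if PGP_BEGIN not in msg["body"]:
        findings.append(("unsigned", "real advisories are PGP-signed"))
    if re.search(r"\bRedHat\b", msg["body"]):
        findings.append(("branding", "company name written as 'RedHat'"))
    for url in find_links(msg["body"]):
        u = urlparse(url)
        host = u.hostname or ""
        if host not in TRUSTED_MIRRORS:
            findings.append(("untrusted_host", host))
        if u.path.startswith("/~"):
            # Assumed convention: /~user/ is a personal shell-account tree.
            findings.append(("user_homedir", u.path))
        elif not u.path.startswith(OFFICIAL_PATH_PREFIX):
            findings.append(("unexpected_path", u.path))
        if not u.path.endswith(".rpm"):
            findings.append(("not_rpm", u.path.rsplit("/", 1)[-1]))
    return findings


# Constructed sample: the forgery, modelled on the tip-offs in the comments.
BOGUS = {
    "content_type": "text/html; charset=us-ascii",
    "body": (
        "<html><body><p>The RedHat Security Team has found a vulnerability in "
        "fileutils-1.0.6. Please download the patch from "
        '<a href="http://www.stanford.edu/~someuser/fileutils-1.0.6.patch.tar.gz">'
        "our Fedora mirror</a>.</p></body></html>"
    ),
}

# Constructed sample: what a genuine, signed, plain-text advisory looks like.
LEGIT = {
    "content_type": "text/plain; charset=us-ascii",
    "body": (
        "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n"
        "Red Hat Security Advisory\n"
        "Updated packages are available from:\n"
        "https://updates.redhat.com/pub/redhat/linux/updates/9/en/os/i386/"
        "fileutils-4.1.9-11.2.i386.rpm\n"
        "-----BEGIN PGP SIGNATURE-----\n...\n-----END PGP SIGNATURE-----\n"
    ),
}


def indicator_names(msg):
    """Convenience wrapper: the set of indicator names raised for a message."""
    return {name for name, _ in check_advisory(msg)}


if __name__ == "__main__":
    for label, sample in (("bogus", BOGUS), ("legit", LEGIT)):
        print(label, check_advisory(sample))
```

Run stand-alone, the script lists six indicators for the constructed forgery and none for the constructed genuine advisory. The ordering of the checks matters only for readability; the point is that each of the commenters' tip-offs is mechanically checkable before anyone downloads, let alone builds or runs, the linked file.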
-
This article is stupid
2004-11-01 11:12:56 Jimmy_King [Reply | View]
Perhaps if it had gone into detail about the nature of the "attack", it would have been interesting, but as it stands, big deal. Linux users get phishing scams on a daily basis, too. The people that send those don't research what OS you use and only send them to Windows users. As others have said, it's just that the majority of Linux users know how to recognize that stuff and so aren't fooled by it.
This "new" thing is no different, as far as I can tell from the little bit of detail here. Someone sends an e-mail with a link to a file claiming to be from Redhat, hoping people are stupid enough to download and run it. So? It's a file to run as opposed to a website to enter your credit card information; who cares? The concept is the same and nothing new.
Let me know when they start distributing something that could run without me having to download something without looking at a URL, especially if it manages to do some damage without me logging in as root and then running it. Now don't get me wrong, I'm not saying it's impossible... the likelihood of executing automatically is not high, but if it happens, it could execute some sort of buffer overflow against something that runs as root, so it's possible, it's just unlikely unless someone makes a Linux web browser which will allow a script on a website to download a file without my knowing, chmod it to be executable, and then run it. At that point, it's still making the assumption that I have that program running, which I may or may not, and even if I do, my specific distro may or may not be susceptible to it.
-
Malware pretty much originated on Unix systems
2004-11-01 08:08:29 simon_hibbs [Reply | View]
Preston does refer to the fact that Linux is pretty resistant to attacks, but it's instructive to note why this is so.
It's because Unix grew up in academic environments, where hacking by highly educated and motivated students with too much time on their hands is par for the course. Unix security was forged in the midst of the most hostile user environments on earth - college campus networks. The very first worms and viruses were essentially Unix software.
By comparison, the environment in which MS Windows grew up - the ordered world of the company office, often without a network - was a cosy and relatively safe environment. It's only when the internet connected Windows PCs on cosy corporate and home networks to the wider world that they became vulnerable. I remember reading about Unix viruses long before I encountered my first MS-DOS virus on a PC.
Unix and unix-like systems have much better in-built security because it's in their genetic heritage, and it got there through a ruthlessly Darwinian process.
Simon Hibbs
-
hmmm....
2004-10-30 07:20:47 b0xii [Reply | View]
"Preston Gralla is a well-known technology expert".
Wow.
-
I'm sorry, but you're a bit confused
2004-10-29 15:51:31 rcrelia [Reply | View]
Just because someone sends out a phishing email doesn't mean that an operating system is suddenly more exposed or vulnerable. You can't really believe that, can you? If so, you better stick to writing your cute little "Windows Hacks" books there, my friend. :-)
Most GNU/Linux users are versed enough in security issues to know how to spot phishing attacks. If not (there are more and more new users daily), then at least they have some reassurance by the fact that GNU/Linux, BY DESIGN and OUT OF THE BOX, is a heckuva lot more resistant to compromise than any product ever to come out of Redmond.
I love how all these Windows users and proponents are saying "If Linux were as widespread as Windows, it'd have the same problems". Such attitudes really reflect a lack of understanding of basic operating system design and computer security issues. Time will tell I'm sure. I, for one, am looking forward to the show. Popcorn anyone? ;-)
--rc
-
this kind of thing is old hat to nix users
2004-10-29 09:17:49 emacsuser [Reply | View]
These rootkits have been available in the Unix world for years, and were used to repeatedly test systems permanently connected to the Internet years before the advent of Windows servers. Nothing new here. Just a scare thought up by the AV companies to sell more product.
'A "root kit" is a series of modified programs all centered around the idea of helping you to keep access to a Unix system once you have gained root privileges there. It might patch 'ls' not to show your files and directories. It might patch 'ps' not to show your processes. It might patch 'login' to always allow you in if you enter a special "magic" password. The possibilities are nearly unlimited.' Date: Apr 28 1996
msg: <will.830726872@command.com.inter.net>#1/1
"the root kit comes to mind .." Date: May 22 1995
msg: <1995May22.183618.26824@sei.cmu.edu>#1/1
-
What a yawn
2004-10-29 05:55:33 blackhole [Reply | View]
The comments were somewhat interesting but the article was really a yawn. I would be interested to know what the malware actually did (I have seen a partial analysis) and any realistic assessment of how much damage it did (how many fools were there). The author claims to be a "technology expert," but it sounds like he may not have much knowledge beyond things that have been personally "blessed" by Bill Gates.
And I would like to second what others have said about the fact that phishing schemes affect everybody and always have. Using a decent browser may make life a little harder for the phishermen, but their schemes certainly are not OS dependent.
-
Missing the Point
2004-10-28 03:07:04 Dave Cross [Reply | View]
Point 1: Linux users are "PC users". It really annoys me when Windows users fail to realise that.
Point 2: Linux users have been getting phishing attacks for just as long as anyone else on the internet. The difference is that we're generally clued up enough to ignore them.
Point 3: I didn't see the email but I assume it was HTML email that contained a link to download the "fix". That link would not have been to the Red Hat web site which would have aroused my suspicion and I would have investigated further before clicking it.
Linux users don't claim to have some inherent immunity to phishing attacks like this, but generally they do come from a culture where you are far less likely to click on random links in email or install random pieces of software.
-
Linux and Phishing
2004-10-28 02:28:31 dscotson [Reply | View]
Why would Linux (or Mac etc.) users be immune to Phishing emails asking for bank details or account passwords? It just doesn't make sense.
Linux users also get bombarded with virus emails and have their email addresses stolen from other people's Outlook address books and faked, so we get bounces telling us we have a virus. We don't actually get viruses, but still, when your network is clogged with thousands of such virus emails you still can't work on the internet in peace.
Not to mention the time spent cleaning up family members' machines.
Don't think that just by moving to a sane platform you can totally escape having your day ruined by Microsoft's mistakes every once in a while.
-
Not Quite
2004-10-27 15:16:03 bairdcarr1 [Reply | View]
I'm sorry, but attacks like this are just not going to work very well. Most Linux users are not going to be installing software like this at all. I feel like I am already spoiled by the ease with which I can install software or updates. So if I am the average Linux user, I wait for my distro to release updates, and with one click or one command all software updates or security releases are downloaded and installed automatically. This is the future of Linux, and the one reason why no other OS can compete. There is just more available for Linux, and it's easier to install. Your thinking just has to change from what you could purchase or pirate under windows to what you can apt-get under Linux.
Now... The vulnerability inherent in this whole thing is the update sites and mirrors. With any apt or urpmi system you can add your own sources, without any verification that the files on the source have not been tampered with. At least none that the average user is going to bother with.
This is also part of the reason why there will NEVER be the security problems under Linux that there ARE under Windows. There are almost 400 distros of Linux, each doing things either slightly different or drastically different. There are hundreds and thousands of mirror sites for downloads of software or distros. I have 3 different Linux distros running at home. The systems that DO have the same distros are not the same, even if they have the same software installed. The versions are different among other things.
Microsoft is a huge, single, nearly stationary target. Linux will be a huge, fast-moving herd, with thousands of targets in all shapes and sizes. One shot will not take down the whole herd. It will barely register in the whole scheme of things.
-
This is going to sound -really- smug, but...
2004-10-27 14:31:35 Steve Mallett [Reply | View]
I spotted this one right away. I don't recall what exactly it was about it, oh yeah the crap URL, but I didn't get close to this.
Alas, Windows made me a better malware sniffer.
-
Old hat to Linux users too
2004-10-27 13:26:03 Kyle Rankin [Reply | View]
Of course, many Linux users are Windows expatriates, or still use Windows in some capacity, so they are already accustomed to seeing malware sent via email.
I would say one thing on the average Linux user's side is the number of hoops this kind of malware would have to jump through to be installed. First they have to untar the package, possibly build it or run a script, and unless they are foolish enough to run the script as root, they still only will see damage within /home.
This proves that proper security procedures (such as "Don't run random programs that are emailed to you as root") have their place in any OS.
Weblog authors are solely responsible for the content and accuracy of their weblogs, including opinions they express, and O'Reilly Media, Inc., disclaims any and all liabililty for that content, its accuracy, and opinions it may contain.
This work is licensed under a
Creative Commons License.