...making Linux just a little more fun!

Linux malware, yet again

Rick Moen [rick at linuxmafia.com]
Mon, 14 Aug 2006 12:03:41 -0700

From: Michael Soibelman <not-here@there.net>
To: TAG <tag@lists.linuxgazette.net>
Subject: How do we know when we're there yet ?
Newsgroups: alt.os.linux.suse
User-Agent: KNode/0.10.4
Date: Fri, 11 Aug 2006 03:08:51 GMT

This is not flame bait. Just an observation. As many of you know, I am a regular here. I try to help as many posters as I can. Though I am not a guru, I do have some knowledge and often get a "Thanks very much" from OPs. I've been using Linux since 1999 for 99.5% of my computer needs, and have finally made the transition to 100% after I got my scanner working. Though it did work for a while, the change to the 2.6.x kernel broke something needed for my scanner to work. So I kept a copy of W2K around just for the occasional image scan.

One of the programs I found while still a Windows user was a virus scanner from Trend Micro called PCcillin. Probably the best virus scanner for Windows users available. I say that because I had tried a few others and then, when I tried PCcillin it found several viruses the others had missed. Take it from someone who had actually had a hacker break into my box and physically fry my hard drive...this was a lesson well learned. Since the time I switched to Linux, I still have friends who use Windows. And I always recommend that if they are going to continue using Windows that they should buy PCcillin... I don't recommend using Windows, but if they must, at least they should get the best protection possible. I've convinced several people of the wisdom of using this anti-virus software and all have thanked me several times over. All have been saved by this program...

So, going back to my original question in the title of this article, how do we know when we're there? I have several anti-virus and anti-spam applications that are all free as in cost and free as in freedom installed. Also, a couple of rootkit detectors as well as port scan detectors, etc... So I think I'm pretty safe. Never have had any problems since I switched OS. But I'm sure the day will come when some clever hacker will (finally) produce a Linux virus... Mark my word, the day will come! But, as I said, I'm ready, as I'm sure most Linux users are. I just wanted to point out the fact that my favorite Windows anti-virus company has realized that the Linux users are a substantial market force. And, after all the wait, their free as in cost, online virus detection service is available for Linux! It's called 'House Call' and it works.... Free... Just like in Windows... You'll need to use Firefox or, well I forget the other Linux browser that works, but it does work.

I'm NOT saying anyone should spend their money on this product.. Just pointing out that there is one more commercial company to recognize the Linux community and offer their services/products. In the meantime, I'll just keep using the other free products available to Linux users. F-Prot is free for personal use. Of course ClamAV (with KlamAV front end) is a must. SpamAssassin, Bogofilter, etc... are all great programs that I highly recommend.

So I guess I'm just happy to see one of my 'old favorites' from my earlier days come to my now only OS of choice... My choice for Freedom... Linux.. The future, the present, the only OS for me. Gnu/Linux. For the rest of us.

P.S. We ARE there.... (they're not !!) :-)

P.S. Sorry for the rant but after reading so much garbage from the trolls we need balance and truth. We try to be fair and balanced... Not like the Fox Network.... LOL

From: Darrell Stec <darrell_stec@webpagesorcery.com>
To: TAG <tag@lists.linuxgazette.net>
Newsgroups: alt.os.linux.suse
Subject: Re: How do we know when we're there yet ?
Date: Thu, 10 Aug 2006 23:47:30 -0400
User-Agent: KNode/0.10.1

While downloading the (non-free) Windows version of F-Prot for a client (who had, all told, 883 virus/trojan/malware infected files on his computer and no it didn't exactly operate), I noticed in their features listing they claimed that F-Prot detected and disinfected 603 Unix/Linux viruses. From everything I read, there aren't nearly that many in the wild (something closer to zero, if I recall correctly). So, is this just creative advertising, or have I been blithely ignorant?

> I'm NOT saying anyone should spend their money on this product.. Just
> pointing out that there is one more commercial company to recognize
> the Linux community and offer their services/products. [...]

I noticed searching for an online virus checker for Windows that RAV antivirus states that they no longer have an online presence or operation since 2003. Is that the guy who made viruses that only his product detected or was the first product to detect? I remember someone got caught creating viruses especially for his anti-virus product, and now is a guest at some correctional institute and will not have to pay for lunches (and coffee is free too) for the next 8 years or so.

From: Michael Soibelman <not-here@there.net>
To: TAG <tag@lists.linuxgazette.net>
Subject: Re: How do we know when we're there yet ?
Newsgroups: alt.os.linux.suse
User-Agent: KNode/0.10.4
Date: Fri, 11 Aug 2006 04:13:38 GMT

Just read this: http://librenix.com/?inode=21

(Found a link to it at Groklaw.)

From: Rick Moen <rick@linuxmafia.com>
To: TAG <tag@lists.linuxgazette.net>
Subject: Re: How do we know when we're there yet ?
Newsgroups: alt.os.linux.suse
Date: Fri, 11 Aug 2006 01:56:10 -0400

Michael Soibelman <not-here at there.net> wrote:

> So, going back to my original question in the title of this article,
> how do we know when we're there?  I have several anti-virus and
> anti-spam applications that are all free as in cost and free as in
> freedom installed.  Also, a couple of rootkit detectors as well as
> port scan detectors, etc... So I think I'm pretty safe.  Never have
> had any problems since I switched OS.  But I'm sure the day will come
> when some clever hacker will (finally) produce a Linux virus.

Michael, there have been Linux viruses for a decade. I have a list of about 50 or so of them on my Linux virus 'rant' page: http://linuxmafia.com/~rick/faq/index.php?page=virus

> Mark my word, the day will come !!

OK, let's say I e-mail you a copy of a Linux ELF executable for i386 infected with 'Bliss', the classic ELF-infector virus, written in September 1996. I send an accompanying message saying 'Hey, Michael, run this cool screensaver!'

Let's say you're really trusting, today, and don't ask yourself if it doesn't seem a bit strange to be installing binary software from strangers, when all of your other SUSE software was installed off your OS installation media, and it seems to have lots and lots of good screensavers.

You double-click on the little 'attachment' icon. Nothing particularly happens, except maybe you get the opportunity to save the attachment to your ~/Desktop directory. You investigate, and find that -- aha! The "executable" bit got stripped. (This is a fairly automatic consequence of how the umask gets applied on received files, if you're curious. What I mean is: Even incompetent authors of e-mail programs would have to work hard to overcome that.[1])

You consider flipping on the 'executable' bit on the received file. At this point, a warning bell should be trying to get your attention in the back of your mind: You're plainly 'fighting' the system to make a task happen. Maybe there's a good reason why that bit was stripped? (At a minimum, you've had an extra opportunity to think about what you're doing.)

You overcome your doubts, and turn on the executable bit. Then, you use Konqueror, Nautilus, or some file browser (or just type './screensavername' in a terminal). The decoy program (screensaver) starts; so does the Bliss code.

Bliss looks around for other Linux ELF executables it can infect (to which you have write privilege). Case 1: Rats! It doesn't find any, because unprivileged users like yourself are by intention not given the ability to overwrite or otherwise modify installed system files (executables or other). Those live in places like /usr/bin, /bin, /usr/X11R6/bin, and so on -- and you can't touch them as a regular user. Bliss gives up, and mopes.

Case 2: Yay! Bliss finds a few small user-compiled programs that you've seen fit to build yourself in /home/michael/bin . It Blissifies the ELF binaries therein. Mwuhahaha! But that gives it no access whatsoever to anything else, and all you've really done is shot yourself in the foot -- a flesh wound, at most. Bliss has done nothing at all to your system as a whole, which is entirely intact.

Of course, I could have e-mailed you the additional instruction, 'Oh, by the way, Michael, you'll want to do "su -" before running this cool screensaver, so it can install itself.' At that point, dude, even Linux is at the mercy of someone who (figuratively) honours the serial-killer's request that you unlock your deadbolts, open the door to him, and toss out your weapons.

If you want something to worry about, be concerned about buggy Internet-client apps that can be attacked by deliberately malformed data, or buggy network daemons left running and not upgraded to fixed versions, or passwords stolen elsewhere on compromised shared servers (e.g., at universities).

But all but the latter can be addressed by proper use of YOU[2] and alternatives.

> I'm ready, as I'm sure most Linux users are.

I have good news: You can lose the anti-viral software and rootkit detectors.[3] Or, better yet, install a good file-based intrusion detection system (IDS), and call it 'anti-viral software'.

[1] The malware author, for this reason, might want to mail around his wares encapsulated in Zip or tar.gz archives, as those can preserve the contents' original metadata across e-mail transmission.

[2] YaST Online Updater, one of SUSE's package delivery mechanisms.

[3] Anyone who relies on 'rootkit detectors' such as chkrootkit and rkhunter as anything but a tertiary, afterthought measure is already in trouble. Their basic design of looking for characteristic filenames and binary signatures of intruder-hiding software observed in the past is like detecting burglars by the colognes they're known to favour: The tactic suffers from false positives, false negatives, and ignores more-promising places to prevent and detect intrusion.

As to 'port scan detectors', for Heaven's sake, don't bother. Port scanning, figuratively speaking, is twisting of your system's doorknob. Concentrate on keeping the windows and doors locked, instead, and not leaving the family silverware on the front porch.
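
The umask behaviour and footnote [1] from the message above, as an added example that is not part of the original thread. It assumes the saving program creates the file with a requested mode of 0666, the usual default; the file name and payload bytes are constructed. The last function is a check a recipient can run to see which archive members carry execute bits before extracting anything.

```python
import io
import os
import stat
import tarfile
import tempfile

def saved_attachment_mode(data, umask):
    """Save bytes as a new file requested with mode 0666; return the resulting mode."""
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as tmp:
            path = os.path.join(tmp, "screensaver")  # constructed file name
            fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o666)
            with os.fdopen(fd, "wb") as fh:
                fh.write(data)
            return stat.S_IMODE(os.stat(path).st_mode)
    finally:
        os.umask(old)  # restore the process-wide umask

def build_archive(name, data, mode):
    """Constructed sample: a tar.gz whose single member records `mode`."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo(name)
        info.size = len(data)
        info.mode = mode
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def executable_members(archive_bytes):
    """List regular members whose recorded mode has any execute bit, without extracting."""
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        return [(m.name, oct(m.mode)) for m in tar.getmembers()
                if m.isfile() and m.mode & 0o111]

if __name__ == "__main__":
    payload = b"constructed placeholder bytes, not a real binary"
    for mask in (0o022, 0o077, 0o000):
        # The umask can only clear bits from 0666, so no execute bit ever appears.
        print(oct(mask), "->", oct(saved_attachment_mode(payload, mask)))
    # The archive format stores the mode itself, so it survives transmission.
    print(executable_members(build_archive("screensaver", payload, 0o755)))
```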

From: BearItAll <spam@rassler.co.uk>
To: TAG <tag@lists.linuxgazette.net>
Subject: Re: How do we know when we're there yet ?
Newsgroups: alt.os.linux.suse
Date: Fri, 11 Aug 2006 09:33:03 +0100
User-Agent: KNode/0.7.2

Michael --

What Rick is saying is true, the lengths we have to go to to run a virus on our system, and that if we do that then we are much more of a risk than any virus would be.

Then what Darrell says is also true, I think we all know by now that there is a bit of creative advertising going on in the anti-virus world.

There is still the problem that, as with many MS-Win viruses that needed users to take an action, there will be more and more Linux users coming into the fold who will be willing to go through the instructions to run the attachment in their e-mail.

I know we could walk away and say 'You're free to be a plonker if that's what you want to be'. But the trouble is that such people are still holding back computing, in the same way MS and its viruses have held back computing. They are likely to be still open to be spam relays, spies (no better tool than a Linux box for packet sniffing), etc. Anyone who communicates with them is also at some degree of risk due to the actions of the stupid or the gullible. It is very tempting to say that we have to force a level of security onto users; maybe we take care of the gullible with the level of security out of the box in most Linux distros, but how can we deal with the stupid or the rebel?

Plus the other risk which is 'Kewl gimmicky software' with a secret little payload that won't do anything until 2010. Of course, if it is open source there is the chance of the payload being spotted, except of course that the payload doesn't have to be present at all until it is needed, as with some MS viruses. Which is why I believe Linux must steer clear of self-updating software.

The real next step security then isn't really anti-virus for Linux, because that isn't where our problems will come from. Our next step is for us all to properly embrace one of the application-caging systems, AppArmor or SELinux. Both are very well implemented, and it is very likely that the current implementation is only a first step. It has a way to go before it gives the same level of separation as in a mainframe/UNIX, but I firmly believe that it will be necessary to take it closer to that.

At the moment, they are using application caging, and allowing Linux's natural user security to separate users and data. I think in time this will have to go further, I know it will also cause a few frustrations 'The document I want is in another branch', but the primary goal must be that we and anyone who communicates with us become as safe as it is possible to be, without the need to lose any functionality.

Had they tried to leap that far in these first implementations then many would have simply not bothered with SELinux or AppArmor, so I for one am really pleased with the implementation and default settings of both, I think it is much more likely that people will keep it onboard this way.

From: Rick Moen <rick@linuxmafia.com>
To: TAG <tag@lists.linuxgazette.net>
Subject: Re: How do we know when we're there yet ?
Newsgroups: alt.os.linux.suse
Date: Fri, 11 Aug 2006 12:23:58 -0400

BearItAll <spam at rassler.co.uk> wrote:

> There is still the problem that, as with many MS-Win viruses that needed
> users to take an action, there will be more and more Linux users coming
> into the fold who will be willing to go through the instructions to run the
> attachment in their e-mail.

Perspective helps, here: Any user willing to go through a complicated series of dumb moves to shoot his/her personal files in the foot using malware, just because a piece of e-mail tells him/her to, already had a much bigger problem: The user could wreak much greater havoc on those same personal files without malware.

That is, users already have an endless variety of ways to delete or corrupt their own files. The only remedy is for them to learn to not do that (just as the best way to learn why you need tested-good recent backups is to experience their absence).

Dealing with received malware by 'learning to not do that' is part of that same picture, but very small by comparison.

> ...how can we deal with the stupid or the rebel?

Papa Darwin is a pretty good (if somewhat violent) teacher. ;->

> Our next step is for us all to properly embrace one of the 
> application-caging systems....

Agreed. I'd also really like distros to install with AIDE or equivalent (http://www.cotse.com/tools/ids.htm) properly configured and running. File-based IDSes are second only to backups in the category of 'I know I should be running that, but haven't gotten around to it.'

(No, 'rpm -qa' does not qualify, on many grounds including not aspiring to check configuration files and not even trying to deal with non-moron intruders who replace the stored checksums in the BerkeleyDB files.)
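
A minimal sketch of the file-based IDS idea from the message above, added here as an example; it is not AIDE's code or anything posted in the thread. It covers the two gaps named there: configuration files are included in the baseline, and the baseline carries an HMAC so rewritten stored checksums are detected. The key is assumed to be kept off the monitored host, and the directory tree, file names and key are constructed.

```python
import hashlib, hmac, json, os, stat, tempfile

def snapshot(root):
    """Map relative path -> [sha256, permission bits, size] for each regular file."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode):
                with open(path, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
                snap[os.path.relpath(path, root)] = [digest, stat.S_IMODE(st.st_mode), st.st_size]
    return snap

def seal(snap, key):
    """Serialize the baseline and tag it with an HMAC so edits to it are detectable."""
    body = json.dumps(snap, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()

def verify(root, body, tag, key):
    """Return findings; an empty list means the tree matches a genuine baseline."""
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return ["baseline tampered"]
    old, new = json.loads(body), snapshot(root)
    findings = [f"removed {p}" for p in sorted(old.keys() - new.keys())]
    findings += [f"added {p}" for p in sorted(new.keys() - old.keys())]
    findings += [f"changed {p}" for p in sorted(old.keys() & new.keys()) if old[p] != new[p]]
    return findings

def demo():
    """Constructed tree: one binary, one config file; names and key are made up."""
    key = b"constructed-demo-key"  # assumption: stored off the monitored host
    with tempfile.TemporaryDirectory() as root:
        tool, conf = os.path.join(root, "tool"), os.path.join(root, "app.conf")
        for path, data, mode in ((tool, b"original build\n", 0o755), (conf, b"port=22\n", 0o644)):
            with open(path, "wb") as fh:
                fh.write(data)
            os.chmod(path, mode)
        body, tag = seal(snapshot(root), key)
        clean = verify(root, body, tag, key)
        with open(tool, "ab") as fh:      # binary modified after the baseline
            fh.write(b"appended code\n")
        os.chmod(conf, 0o666)             # config file permissions loosened
        changed = verify(root, body, tag, key)
        forged_body, _ = seal(snapshot(root), b"not-the-key")  # checksums rewritten, no key
        forged = verify(root, forged_body, tag, key)
    return clean, changed, forged
```

Calling `demo()` returns the findings for the untouched tree, the modified tree, and the rewritten baseline, in that order.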

From: BearItAll <spam@rassler.co.uk>
To: TAG <tag@lists.linuxgazette.net>
Subject: Re: How do we know when we're there yet ?
Newsgroups: alt.os.linux.suse
Date: Mon, 14 Aug 2006 08:18:57 +0100
User-Agent: KNode/0.7.2

We are still getting news and newspaper reports of people falling for the 'Give us your bank details' scams.

Those same people are likely to go through a series of instructions if they are told to do so by an official-looking e-mail.

I have tried over the years to understand those people that fall for the scams. But I don't understand them at all, unless it is to say that Dr Who is absolutely right, we are still just monkeys.

From: Rick Moen <rick@linuxmafia.com>
To: TAG <tag@lists.linuxgazette.net>
Subject: Re: How do we know when we're there yet ?
Newsgroups: alt.os.linux.suse
Date: Mon, 14 Aug 2006 14:13:52 -0400

Reminds me: _The New Yorker_ recently ran an utterly fascinating story on that very subject.

http://www.newyorker.com/fact/content/articles/060515fa_fact

Annals of Crime
THE PERFECT MARK
How a Massachusetts psychotherapist fell for a Nigerian e-mail scam.
by MITCHELL ZUCKOFF
Issue of 2006-05-15

[...]

----- End forwarded message -----
