Linux infection proves Windows malware monopoly is over; Gentoo ships backdoor? [updated]

Linux infection proves Windows malware monopoly is over; Gentoo ships backdoor? [updated]

Summary: Every time I write about Windows security software, I get a predictable flood of responses from Linux advocates who claim that they don't need any such protection. Today comes a shining example of why they're wrong.

SHARE:

Update 12:30PM PDT 14-Jun-2010: It's much worse than it appears. According to this report, the malware-compromised code was included in the official Gentoo distribution:

Would you consider it to be a big deal if it was found in a distribution? Gentoo just released an update to remove the backdoor.

http://packages.gentoo.org/package/net-irc/unrealircd

I'm sure there will be others, I believe the package is also available in Arch. I haven't really looked to see if it was anywhere else.

The Gentoo bug report (warning: Gentoo's certificate does not resolve to a trusted Certifying Authority) reports that it is VERIFIED and CLOSED with this comment:

The unrealircd taball in the gentoo mirrors _is_ affected ( Unreal3.2.8.1.tar.gz ) but the Manifest file's signatures match the _unaffected_ tarball. This discrepancy is how the backdoor was discovered.

So, please just flush the tar.gz from gentoo's mirrors, teach people to not blindly run ``ebuild *.ebuild manifest'', and unrealircd's SRC_URI does not include the current upstream tarball location:

SRC_URI="http://www.unrealircd.com/downloads/${MY_P}.tar.gz"

(unrealircd's mirror system was compromised by the attacker and so the tarball is temporarily being hosted at the official site).

There's a great deal of comment in the Talkback section of this post about how official repositories can be trusted. It appears that system broke down thoroughly in this case.

Every time I write about Windows security software, I get a predictable flood of responses from Linux advocates who claim that they don't need any such protection. Today comes a shining example of why they're wrong.

If you downloaded and installed the open-source Unreal IRC server in the last 8 months or so, you've been pwned. Here's the official announcement:

Hi all,

This is very embarrassing...

We found out that the Unreal3.2.8.1.tar.gz file on our mirrors has been replaced quite a while ago with a version with a backdoor (trojan) in it.

This backdoor allows a person to execute ANY command with the privileges of the user running the ircd. The backdoor can be executed regardless of any user restrictions (so even if you have passworded server or hub that doesn't allow any users in).

Two additional details in the announcement added extra helpings of irony:

It appears the replacement of the .tar.gz occurred in November 2009 (at least on some mirrors). It seems nobody noticed it until now.

Right. Because even server administrators believe that open source and Linux software are impregnable by design, the official download of a widely distributed server product has been infected with a backdoor that gives bad guys complete ownership of the system. Oops.

And my favorite part:

The Windows (SSL and non-ssl) versions are NOT affected.

Again, that's right. A similarly infected Windows file in the wild would be detected within days if not hours after a routine virus scan by someone checking the download before installing it.

Meanwhile, Mac users shouldn't get complacent either. Intego has reported two in-the-wild outbreaks of a Trojan horse program found on game sites and a gruesome piece of spyware that tags along with screen savers and other freebie apps. (And Intego says they found copies of the unwanted software even after the original distributor claimed to have removed it.)

If you think all of this sounds familiar, you're right. Welcome to the world Windows users lived in back in 2003 or so. The good news for security professionals who use Linux or a Mac? They have years of lessons to draw on courtesy of their Windows peers.

(Thanks to F-Secure's Mikko Hyponnen for the tip, via Twitter.)

Topics: Linux, Malware, Open Source, Operating Systems, Security, Software, Windows

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

618 comments
Log in or register to join the discussion
  • RE: Linux infection proves Windows malware monopoly is over

    Good thing I don't download crap to my Mac.

    Where's that Dieter Shultz guy?

    XD XD XD
    hill60
    • Ed. its clear you have a preference for MS

      Dont get me wrong Visual Studio is a great development language, and Office was once good, but OpenOffice is just as great.

      Now regarding viruses on Linux, ok you found one possible place where someone whit out much knowledge would get infected and have control of and IRC network. On a daily basis most people visit sites on windows boxes that get infected every time by many possible vectors. Duh..

      You are speeding FUD nothing else. I never liked your comments but this one is one of your worst columns.
      Uralbas
      • Wakeup and Smell the Malware

        As other OS gain popularity, they too will become fodder for attack. How about this little piece of information to wake you up in the middle of the night, what else could be infecting your system that you do not know about?
        BobinAtlanta
      • RE: Linux infection proves Windows malware monopoly is over

        @Uralbas

        While I agree that this article isn't much more than an "I told you so", OpenOffice is not remotely comparable to Office 2007/2010. Also, Visual Studio is an IDE, not a development language. You can use C#, C++, VB, Python, ASP.NET, HTML, Javascript, F#, and a ton of other languages.
        spivonious
      • RE: Linux infection proves Windows malware monopoly is over

        You really need to finish first grade, oops that's 1st grade, before commenting on something.
        brianbarry
      • RE: Linux infection proves Windows malware monopoly is over

        @Uralbas Then why do you bother reading, or even opening the link??
        bye-cycle
      • RE: Linux infection proves Windows malware monopoly is over

        @Uralbas Openoffice is only just as great for a casual user. I've yet to learn to enjoy the Office ribbon, I rarely use office cause I'm a casual Openoffice user. But there are MANY features that are missing from Openoffice that are available in MS office. Also, it's nearly impossible to pass documents between them.

        "On a daily basis most people visit sites on windows boxes that get infected every time by many possible vectors. Duh.."

        Wait... wheres the FUD coming from *fud* *fud* *FUD* *FUD*, yes I think its over here.
        shadfurman
      • RE: Linux infection proves Windows malware monopoly is over

        @Uralbas So why are you reading his blogs anyways? There is nothing "FUD" about what he said. He's stating the facts. How often do you see Linux "zealots" posting a comment on a Windows blog [after let's say a security issue] with a response like "Wipe Windows. Install Ubuntu 10.4." or "LInux never has security issues".
        Gis Bun
      • Visual Studio is not a language

        @Uralbas Visual Studio is not a language and Open Office is not 'just as great', it is big and even more bloated that MS Office which is amazing to me that such a thing is possible.

        I have had a Windows XP laptop on the internet with a static IP address protected only by the standard Windows firewall for 4 years until I replaced it and never once was it compromised. The point is that there is nothing inherently more secure about a standard Linux distribution over Windows. If an idiot is able to run Linux it will become compromised. Anyone thinking that their Apple or Linux machines are more secure than a Windows machine is an idiot waiting to happen.
        balsover
      • RE: Linux infection proves Windows malware monopoly is over

        @Uralbas

        Troll, Visual Studio is a development environment.
        Spiritusindomit
      • RE: Linux infection proves Windows malware monopoly is over

        @Uralbas Infected directly by visiting websites? Whos spreading FUD now. That kind of bull hasn't happened in years. And that kind of stuff only really ever happened to IE users anyway. And normally ones who didn't do their updates. So don't accuse people of spreading FUD when you are truly spreading FUD.
        Jimster480
      • RE: Linux infection proves Windows malware monopoly is over

        @Uralbas --- do you have spell or 'English' grammar check?
        kschmid2
      • RE: Linux infection proves Windows malware monopoly is over

        @Uralbas - Visual Studio is not a development language. If you're going to complain about someone else's writings, at least make sure yours are accurate.
        Rinzai
      • RE: Linux infection proves Windows malware monopoly is over

        @Uralbas
        I use MS Office at work, and OpenOffice at home. MS Office has far fewer bugs than OpenOffice from what I can tell, though most of those bugs are merely annoying. OpenOffice is used at home because it's free.
        gypkap9
      • RE: Linux infection proves Windows malware monopoly is over

        @Uralbas

        You are overlooking the obvious, Uralbas. If there has been "...one possible place", then other exist as well but have yet to be compromised on a large enough scale to raise alarms.
        I might be a n00B, but this incident shows that you just as vulnerable as me if a REPOSITORY HAS BEEN COMPROMISED!
        nkfro
      • Nope, I changed my mind and deleted it...

        N/T
        Betelgeuse58
      • RE: Linux infection proves Windows malware monopoly is over

        @Uralbas "On a daily basis most people visit sites on windows boxes that get infected every time by many possible vectors. Duh.."

        That's the biggest exaggeration I've seen in a long time, even here.
        waterhzrd
      • RE: Linux infection proves Windows malware monopoly is over

        @D2 Ultima: "That's apparently something Windows users must "tremble while worrying about; approaching each Patch Tuesday with fear". And that's a quote from a Linux user right here on ZDNet."

        Exactly, a quote from a Linux user. That didn't really sell the point too well, especially since I, and many many other windows users don't "tremble" or "approach patch Tues with fear" and I also don't ever get hit with malware or any type in either my old XP install nor on Win7. Why? Because I don't click on stupid crap, and I don't live on shady websites.
        waterhzrd
        • obviously....

          Obviously you don't look after groups of machines with a varied range of user.
          beau parisi
    • RE: Linux infection proves Windows malware monopoly is over

      When the malware is anonymously installed in a drive by fashion then call then you can call the MS malware monopoly over. But not when the software is manually downloaded and manually installed. That is just mismanagement by the user
      deaf_e_kate