
Hardware 2.0

Adrian Kingsley-Hughes

How much more malware is lurking in Linux official repositories?

By | June 14, 2010, 2:35pm PDT

The revelation that the open-source Unreal IRC server download has been infected with malware for some eight months is pretty worrying. But the added discovery that this Trojan horse made its way into the Gentoo distro is real reason for the Linux community to re-examine how trusted repositories are handled.

It’s true that, compared to Windows, Linux is a pretty safe bet if you want to remain protected from hackers. After all, the 1% or so usage share that the OS enjoys (combined with the fact that many of its users are pretty switched on) just doesn’t make it a worthwhile target to go after.

But there’s a big difference between the OS being a “pretty safe bet” and it being invulnerable. No OS is invulnerable. If someone wants in on your system, and they have the time and resources, they are likely to find a way.

But this is a major blunder. Allowing infected code to make its way into an official distro demonstrates how complacent some in the Linux community have become.

Which leads to the biggest and most important question of all - how can we, as Linux users, be sure that more malware hasn’t infiltrated official channels?

The idea that we can blindly trust official repositories of open source code is slowly eroding. Earlier this year Mozilla discovered that it had been hosting a Firefox add-on that contained malware. This latest incident should underline the need to beef up security to protect users.
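The article's point is that a tarball sitting on a trusted mirror can be swapped for a tampered one and stay there unnoticed for months if nobody compares what they downloaded against a checksum published through a second channel. The following Python script is an added example (not code from the original post, and not Gentoo's, Ubuntu's or the Unreal IRC project's own tooling) of that check: it parses a `sha256sum`-style manifest, fails closed when a file has no pinned entry, refuses to even list the archive's members until the checksum matches, and distinguishes a clean tarball from a tampered copy. All file names, contents and the manifest are constructed inside the script so it runs offline.

```python
import hashlib
import hmac
import io
import tarfile


def build_tarball(files):
    """Build a gzip tarball in memory from {name: bytes}. Constructed test data only."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            info.mtime = 0  # fixed mtime so the archive layout is reproducible
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def parse_manifest(text):
    """Parse 'sha256sum'-style lines ('<hex digest>  <filename>') into {filename: digest}.

    Malformed lines raise instead of being skipped: a manifest that cannot be
    parsed must not silently turn into "no entry, therefore nothing to check".
    """
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed manifest line: {line!r}")
        digest, name = parts
        entries[name.strip()] = digest.lower()
    return entries


def verify_tarball(name, data, manifest):
    """Return (ok, reason). Fails closed when the manifest has no entry for the file."""
    expected = manifest.get(name)
    if expected is None:
        return False, "no pinned checksum for this file"
    actual = sha256_hex(data)
    # Constant-time comparison; the digests are public, this is simply good habit.
    if not hmac.compare_digest(actual, expected):
        return False, f"checksum mismatch: expected {expected[:12]}..., got {actual[:12]}..."
    return True, "checksum matches pinned value"


def verify_then_list(name, data, manifest):
    """Open the archive only after it verifies; return sorted member names, or None."""
    ok, _reason = verify_tarball(name, data, manifest)
    if not ok:
        return None
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        return sorted(member.name for member in tar.getmembers())


# Constructed sample release (hypothetical project name, not a real package).
TARBALL_NAME = "ircd-example-1.0.tar.gz"
CLEAN_SOURCES = {
    "ircd-example/src/main.c": b"int main(void) { return 0; }\n",
    "ircd-example/configure": b"#!/bin/sh\necho configuring\n",
}
# A copy with one extra line appended to the configure script after release.
TAMPERED_SOURCES = dict(CLEAN_SOURCES)
TAMPERED_SOURCES["ircd-example/configure"] = (
    CLEAN_SOURCES["ircd-example/configure"] + b"# line injected after release\n"
)

CLEAN_TARBALL = build_tarball(CLEAN_SOURCES)
TAMPERED_TARBALL = build_tarball(TAMPERED_SOURCES)

# The manifest stands in for a checksum file obtained through a second channel
# (a signed release announcement, the project's own site), not from the same
# mirror that served the tarball. It is constructed here from the clean archive.
MANIFEST_TEXT = "# constructed manifest\n" + f"{sha256_hex(CLEAN_TARBALL)}  {TARBALL_NAME}\n"

if __name__ == "__main__":
    manifest = parse_manifest(MANIFEST_TEXT)
    for label, blob in (("clean", CLEAN_TARBALL), ("tampered", TAMPERED_TARBALL)):
        ok, reason = verify_tarball(TARBALL_NAME, blob, manifest)
        print(f"{label:9s} -> {'OK ' if ok else 'FAIL'}: {reason}")
        print("  members:", verify_then_list(TARBALL_NAME, blob, manifest))
    print("unknown   ->", verify_tarball("other-2.0.tar.gz", CLEAN_TARBALL, manifest))
```

The manifest must come from somewhere other than the mirror that served the archive, otherwise an attacker who can replace the tarball can replace the checksum file beside it; in practice that second channel is a detached signature or a signed announcement, which is the "ring of safety" a signed repository provides.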




Disclosure

Adrian Kingsley-Hughes

All opinions expressed on Hardware 2.0 are those of Adrian Kingsley-Hughes. Every effort is made to ensure that the information posted is accurate. If you have any comments, queries or corrections, please contact Adrian via the email link here. Any possible conflicts of interest will be posted below. [Updated: February 23, 2010] - Adrian Kingsley-Hughes has no business relationships, affiliations, investments, or other actual/potential conflicts of interest relating to the content posted so far on this blog.

Biography

Adrian Kingsley-Hughes

Adrian Kingsley-Hughes is an internationally published technology author who has devoted over a decade to helping users get the most from technology -- whether that be by learning to program, building a PC from a pile of parts, or helping them get the most from their new MP3 player or digital camera.

Adrian has authored/co-authored technical books on a variety of topics, ranging from programming to building and maintaining PCs. His most recent books include "Build the Ultimate Custom PC", "Beginning Programming" and "The PC Doctor's Fix It Yourself Guide". He has also written training manuals that have been used by a number of Fortune 500 companies.

Adrian also runs a popular blog under the name The PC Doctor, where he covers a range of computer-related topics -- from security to repairing and upgrading.

Talkback Most Recent of 88 Talkback(s)

  • No erosion.
    There will be no changes to how Canonical handles GnuPG in their repos.
    This is an obscure IRC chat server app, that only shows how inept some people can be.

    Gentoo is one of the few distros that requires you to compile from tar.gz EVERYTHING.

    I doubt they have the resources to verify/test code or certify vendor software.

    With Gentoo you literally compile your own kernel before downloading tarballs to yet do more compiling.
    I know b/c I've tried Gentoo. Is this necessarily a bad practice in terms of implementation? That's something for a separate debate.

    But, the risks of accepting any vendor's source remain.
    Distros must keep up their guard to ensure that all code admitted to the repo is certified clean and safe to use.

    That has been a sticking point for Canonical who don't 'willy-nilly' let source find its way into Ubuntu. It's a careful vetting certification process and if you scroll through the Synaptic database, only select programs have Canonical's blessing for support (LTS).

    Stay in the GPG 'ring of safety' repo and you are fine with Ubuntu Linux.
    Dietrich T. Schmitz, ~ Your Linux Advocate
    14th Jun 2010
  • An obscure IRC server that has not been accepted in the Ubuntu repositories
    @Dietrich T. Schmitz, Your Linux Advocate

    Gentoo is a very special distro, those who use it made an explicit choice of living on the bleeding edge and sometimes they will actually bleed.

    Gentoo lacks the manpower to police every package that's used in their fast paced releases, they don't maintain a true repository, they just mirror and redistribute packages.

    Those who choose to use Gentoo must have the means to deal with that situation because Gentoo is not for the faint of heart.

    That's how life is.
    OS Reload
    14th Jun 2010
  • RE: How much more malware is lurking in Linux official repositories?
    @OS Reload
    Well put. I tried it and it was doable but most definitely not for the 'faint of heart'--Loverock maybe, but Average Joe? No.
    Dietrich T. Schmitz, ~ Your Linux Advocate
    14th Jun 2010
  • RE: How much more malware is lurking in Linux official repositories?
    @Dietrich T. Schmitz, Your Linux Advocate

    Funny, if I only ran software that Microsoft certified as safe I would probably not get infected either. I fail to see how that makes Linux different or safer.

    It happened to Mozilla, it will likely happen sooner or later to anyone hosting repositories if it's worthwhile for someone to try to make it happen. At least I know I need to be careful. If you want to advocate Linux teach safe computing across all platforms rather than act as if a switch in OS will fix all your problems forever. It won't. Ubuntu has no idea what they are up against if they think their current usage base is anything like what it will be if they ever really catch on.
    LiquidLearner
    14th Jun 2010
  • RE: How much more malware is lurking in Linux official repositories?
    @LiquidLearner

    Nice response.
    I totally agree knowing what a good hacker(s) can do when they really want.
    rhonin
    14th Jun 2010
  • RE: How much more malware is lurking in Linux official repositories?
    @LiquidLearner
    It is the inherent OS design that makes it safer. It's not the obscurity, it is the OS security model.
    Educate yourself.
    And yes, if you run only MS certified software AND stay away from the web, you will be safe. A small issue you failed to mention.
    And yes, I am sure there are and will be Windows users who have not been infected, this proves nothing. Or they don't know they have been pwned.
    kirovs@...
    15th Jun 2010
  • RE: How much more malware is lurking in Linux official repositories?
    @kirovs: you say - "if you run only MS certified software AND stay away from the web- you will be safe"

    Funny... I have been online since the days of Prodigy and CompuServe. My home system (Windows) has been online and connected to the public web over cable and/or fiber 7x24 since 2001. To date I have NEVER been hacked, infected by a virus, or compromised in any way. Period. Which means that my Windows system is every bit as safe as your Linux system.

    Please educate yourself instead...
    smtp4me@...
    15th Jun 2010
  • RE: How much more malware is lurking in Linux official repositories?
    Funny... I have been online since the days of Prodigy and CompuServe. My home system (Windows) has been online and connected to the public web over cable and/or fiber 7x24 since 2001. To date I have NEVER been hacked, infected by a virus, or compromised in any way. Period. Which means that my Windows system is every bit as safe as your Linux system.

    @smtp4me@...
    Funny, but maybe with all this overconfidence, you don't even know whether you've been pwned yet or not. And we only have your word for it.
    ubiquitous one
    15th Jun 2010
  • RE: How much more malware is lurking in Linux official repositories?
    @ubiquitous one

    Or maybe some people just can't seem to fathom a Windows user that's actually competent in what they do. It's like saying the computer elite can only be Linux users.

    And, as the article makes a point of, they're just getting lazy and complacent in the very practices they lampoon Windows users for not doing.
    Royal_Knight
    16th Jun 2010
  • RE: How much more malware is lurking in Linux official repositories?
    @ubiquitous one:
    I have been working in IT for 17 years, and have experience with IBM System 3090 mainframes and AS400's, DEC VAX 11-785 minis, every version of Windows and DOS, OSx, and even several flavors of Unix and Linux. I have probably forgotten more about computer security than you will ever know. I have not been pwned because I actually know what I'm doing.

    The bottom line is that it does not matter what OS you're running if you know how to secure both the machine and the perimeter. But you will never admit this because you would no longer be able to feel smug and superior simply because you are running Linux.

    Since you claim to be such a security expert, can you explain to me what a SYN flood is and what kind of harm it can cause? Can you explain the difference between NAT and PAT? Can you tell me what the SID suffix for the local admin account on every Windows machine is? Do you know what the acronym KDC stands for? (BTW - you can't cheat and use Google).
    smtp4me@...
    16th Jun 2010
  • RE: How much more malware is lurking in Linux official repositories?
    @smtp4me@ brags...
    I have probably forgotten more about computer security than you will ever know.

    You have "probably forgotten" more about computer security that I'll ever know? Are you sure you meant to say that?

    lol... Well that's the most truthful understatement of the year.

    more lol... :D

    I have not been pwned because I actually know what I'm doing.

    Sure pal. And I have a bridge to sell you. What color would you like? ;)

    The bottom line is that it does not matter what OS you're running if you know how to secure both the machine and the perimeter. But you will never admit this because you would no longer be able to feel smug and superior simply because you are running Linux.

    But I am smug and superior and you declaring an absolute like you did proves my earlier point. You shouldn't say things like that. :)

    Since you claim to be such a security expert,

    I never claimed to be a "security expert". Those are your words. That is you jumping to conclusions. More of the absolutist in you, apparently...

    can you explain to me what a SYN flood is and what kind of harm it can cause? Can you explain the difference between NAT and PAT? Can you tell me what the SID suffix for the local admin account on every Windows machine is? Do you know what the acronym KDC stands for? (BTW - you can't cheat and use Google).

    See? No matter what I would say about that, it wouldn't matter to you because you got to Google first. You can't prove or disprove anything, but you do deal in absolutes and since you're so overconfident, you probably haven't done a virus or malware scan in years. Right?
    ubiquitous one
    16th Jun 2010
  • RE: How much more malware is lurking in Linux official repositories?
    @RoyalKnight@..says...
    Or maybe some people just can't seem to fathom a Windows user that's actually competent in what they do.

    Yes, given what I've seen out there, that is tough to fathom. No doubt. lol... grin

    It's like saying the computer elite can only be Linux users.

    Well that's what it seems to be turning into.

    But don't forget, most Linux users were windoze users at one time and didn't start on Linux. And many (like myself) still have to use both systems.

    I can't say the opposite holds true given all the NBMer FUD that I've read around here.

    And, as the article makes a point of, they're just getting lazy and complacent in the very practices they lampoon Windows users for not doing.

    Only a very tiny minority of an even smaller Gentoo community were involved in this. Unless you like to inflate their numbers beyond the mere 450 hits they get per day over at DistroWatch.
    ubiquitous one
    16th Jun 2010
  • RE: How much more malware is lurking in Linux official repositories?
    @ubiquitous one:
    "See? No matter what I would say about that, it wouldn't matter to you because you got to Google first."

    Translation: you cannot answer the questions, so instead you come back with a lame comment about how I got to Google first, further confirming that you know nothing about security, and prefer to mask your shortcomings by diverting away from the topic. I'm still waiting for your answers...

    "You have "probably forgotten" more about computer security that I'll ever know? Are you sure you meant to say that? lol... Well that's the most truthful understatement of the year."

    So... impress me. Tell me what you know about computer security instead of simply picking apart what I have said. Again, I'm still waiting for your answers...

    "But I am smug and superior"

    Keep telling yourself that and maybe it will actually come true... cough... BTW I'm not overconfident, I'm knowledgeable, you should learn the difference. Yes I cannot prove it and you only have my word, but the same applies to you - I only have your word that you actually know something about Linux besides how to download and install it. Again, I'm still waiting for your answers...
    smtp4me@...
    17th Jun 2010
  • RE: How much more malware is lurking in Linux official repositories?
    Translation: you cannot answer the questions, so instead you come back with a lame comment about how I got to Google first,

    That's right. I could have Googled it and given you the answers you wanted, but frankly, I don't think you know what it is either. You can't even remember what happened yesterday.

    further confirming that you know nothing about security, and prefer to mask your shortcomings by diverting away from the topic. I'm still waiting for your answers...

    Well old man, considering you're still stuck in the tape drive era and don't even know how to do a simple malware or virus scan, I don't think you're terribly qualified to preach to me about your mail order knowledge. Even a child can do a simple malware or virus scan, yet that seems to be beyond your comprehension.

    So why don't you go back to the old folks home where you belong. Ya know...spend your days playing Parcheesi or something.

    So impress me. Tell me what you know about computer security instead of simply picking apart what I have said. Again, I'm still waiting for your answers...

    I think you've got it ass_backwards. You're the one who originally made the claim about not getting infected ever, and yet in the same breath you also said you've probably forgotten more about security than I will ever know. Well if you can't retain information, then I would be wasting my time talking to somebody who goes around making senile claims, now wouldn't I...

    Keep telling yourself that and maybe it will actually come true... cough... BTW I'm not overconfident, I'm knowledgeable, you should learn the difference.

    Old man, you've forgotten all about security so it's probably safe to assume you have a virus lurking somewhere and you don't even know about it. You've probably forgot you had one. lol...

    Yes I cannot prove it and you only have my word, but the same applies to you - I only have your word that you actually know something about Linux besides how to download and install it.

    Well you're just gonna have to go to bed tonight and wonder about that. Aren't ya now...

    Again, I'm still waiting for your answers...

    I don't think you have enough breaths left to do that, old man. Have you considered a new oxygen tent? wink
    ubiquitous one
    17th Jun 2010
  • RE: How much more malware is lurking in Linux official repositories?
    @ubiquitous one:

    "That's right. I could have Googled it and given you the answers you wanted, but frankly, I don't think you know what it is either. You can't even remember what happened yesterday."

    A SYN flood is used in a denial of service attack, where the attacker sends burst of TCP SYN (request for connection) packets.

    NAT (network address translation) and PAT (port address translation) are firewall concepts and provide security by either masking an IP address or port.

    The SID (security identifier) suffix for the built-in local admin account on all Windows systems always ends in 501.

    A KDC (key distribution center) is a function of Kerberos, and is used in both LDAP and MS Active Directory implementations.

    I realize these concepts are beyond the comprehension of a 10 year old, so I'm not expecting you to understand them. School is dismissed for today, junior, check back tomorrow if you would like me to teach you more. My comment about forgetting security, means that I have much more knowledge of the topic than you, not that I have forgotten it. But again, I don't expect you to understand.

    "Well old man, considering your still stuck in the tape drive era and don't even know how to do a simple malware or virus scan, I don't think you're terribly qualified to preach to me about your mail order knowledge. Even a child can do a simple malware or virus scan, yet that seems to be beyond your comprehension."

    Please re-read the entire discussion between us and show me exactly where I said that I do not run anti-virus or malware clients on my computer, and that I do not perform regular scans. I didn't say that, and I do run them. You are making assumptions, and handing out the very absolutes that you accused me of earlier - hypocrite. BTW - the comments about my age may be funny, but they have nothing whatsoever to do with the topic which you keep avoiding. But since you went there first - I think I hear your parents calling, maybe you should change your diaper and go home.
    smtp4me@...
    18th Jun 2010
