Looking At The New Linux Trojan
Posted by
Hemos
on Sat Sep 08, 2001 03:09 AM
from the peering-under-the-hood dept.
Da Schmiz writes: "Security firm Qualys discovered a new Linux trojan on Saturday ... details can be found on their website. Vnunet picked up the story earlier today, and then followed up with more details. They're comparing the potential impact to Code Red or worse, since more servers run Linux / Apache than NT / IIS. I don't think it's that bad, since the infection can be easily detected, but it certainly isn't good." Update: 09/08 11:58 AM GMT by H: Of course, as Kurt Seifried pointed out in e-mail: "The trojan has nothing to do with Apache. The virus attaches itself to an executable, which you must run to infect other binaries (i.e. you must run this as root). This means that infection vectors include, but are not limited to, email attachments, but you must of course save the binary, then set it executable, and then run it, as root, to do any real damage. Alternatively you must download binary software and run it (again as root to do any real damage). In other words someone must run binaries of unknown origin as root, and if this is common practice then you have larger policy and education problems to deal with." So - comparing it to Code Red is a bit dubious.
Technical detail: (Score:4, Informative)
Unless it also reconfigures my firewall to allow incoming traffic to port 5503 and higher and fiddles with my hosts.allow file, I'm not particularly concerned. Anyone who fails to have more than one layer of precaution on their system has a bit more to worry about.
Partial misinformation (Score:5, Informative)
Whoa, cowboy!
However, your advice to use kernel firewalling is sound. 'Defense in depth' is the only way to go.
Re:Technical detail: (Score:2, Interesting)
Re:Technical detail: (Score:3, Insightful)
Except if it's a home machine with no personal/financial information on it, is connected to a cable line that can't do any damage sending data up its 128K upstream, and is running a few rudimentary firewalls, you don't have much to worry about. Some people take their security WAY too seriously.
This will be interesting.. (Score:2, Insightful)
Re:This will be interesting.. (Score:2)
Code Red required no action on the part of the user/administrator other than having an unpatched system. This requires someone to be careless.
This is further mitigated by the fact that, likely, the majority of infected machines won't be infected with full root access; rather it would be some random unprivileged user who infected the machine.
And even further, compare a typical Linux administrator to a typical NT administrator. 'nuff said. We patch our boxes, read security bulletins, run firewalls, and don't run random attachments.
Re:This will be interesting.. (Score:2, Interesting)
The article even mentioned (more than once) Apache and how many servers on the net run it.
So what? Unless I missed a paragraph, Apache has nothing to do with it!
Re:This will be interesting.. (Score:2)
Re:This will be interesting.. (Score:2)
1) Why use Mac OS X as root? It sets you up as Administrator (less than root) and allows you to create lesser user accounts.
2) My Mac OS X box talks to my cable modem just fine, and did so at installation time when I told it I would like to connect to the internet.
So either you're a super-troll and I've just fed you, or you're smart enough to get root on OS X (no easy task) but dumb enough to not get the cable modem up and running with one click.
I'm just waiting... (Score:2)
links (Score:2)
Description here: http://www.tuxedo.org/jargon/jargon.html#back door
BTW, why is slashcode telling me I've violated the postercomment compression filter when I attempt links?
It's an email virus! (Score:2, Redundant)
Re:It's an email virus! (Score:2, Insightful)
The same is true in operating systems. Just because it is easy doesn't make it good.
What file did they find did this trojan infect? (Score:5, Interesting)
This is in no way as bad as Code Red. Code Red self-replicated on unpatched servers. This trojan will not replicate without a user doing it. Sheesh, bad journalism.
Re:What file did they find did this trojan infect? (Score:2, Informative)
That would be like installing a patch from Microsoft that was infected with a virus.
Most people have to trust someone, and for those who don't there is always the source code.
a similar story in history (Score:5, Funny)
Re:a similar story in history (Score:3, Funny)
Cute kittens (Score:3, Insightful)
Re:Cute kittens (Score:2)
People running around as root are probably not going to get an email attachment, change it to a binary and run it... I would wonder if they would even know how to do that.
The other point is that most of the Linux community is well informed. It would be a lot less of a problem b/c we know what the hell is going on. If you see something odd happening you would immediately fix it.
Knowing what port it runs on, etc. is all helpful information that will stop most of the attacks from happening.
Re:Cute kittens (Score:3)
Whatever! (Score:3, Interesting)
In other words this trojan is likely to affect the vast hordes of Linux users that always log in as root, use their Linux box to read email, and who automatically install and run binaries that they receive off the Internet.
All five of them.
Seriously speaking, this is one of those areas where Windows users see how easy it is to use email to trick Windows users into triggering trojans and they figure that Linux must be similarly vulnerable. It isn't.
First of all, most Linux users, even new Linux users, don't do much of their work logged in as root. In Linux it is trivial to use su or sudo to become root as necessary, and this particular trick is one of the first that most Linuxers learn. Second of all, Linux does not make it easy to run foreign executables. No Linux client I can think of allows you to simply click on an attachment and automatically run it. Besides that, even if the person does run the executable, how does it spread? Windows email viruses rely on the fact that they can programmatically access the Outlook address book. Even Windows users who use Eudora or Netscape Messenger are immune to this trick. Under Linux the question of how the trojan is going to email itself to my friends is even more difficult. There are literally hundreds of mail clients that see active use. Your trojan would need to parse many different kinds of text based address books (heck, there are probably three different Emacs packages that one could use as an address book).
And when all was said and done the chances of this trojan spreading are nearly nil. After all, even if one Linux user got infected, and the trojan successfully mailed itself to 200 of his closest friends, chances are good that very few of these friends would be running Linux, and chances are even better that none of those friends running Linux would be similarly vulnerable (or nearly as dense). The trojan would refuse to spread, and that would be the end of it.
Comparing this trojan to the Code Red worm is laughable.
This explains a lot... (Score:5, Funny)
The Worst Thing Of All (Score:2, Funny)
At this time, the Remote Shell Trojan source code is not known to be available.
This...thing violates the GPL and everything Open Source stands for! They could sell it commercially, and not even contribute back to the code base! That's just so, so, so non-Stallman that it makes my middle finger itch!
Don't worry, this is no Linux Code Red (Score:5, Informative)
Code Red required no user activity at all. A typical orphaned Linux box standing around in a corner would not be at risk; the same machine running IIS would have been a sitting duck for CR. There are a lot of orphaned servers out there with standard Redhat or IIS installs. These are the real danger. Any remote-root security holes on these populations are cause for real concern.
I don't know if I'm typical or not, but where I work, Linux is used on servers (yup, I'm responsible for that) but we hardly ever read our mail on a Linux box. We use a Windows platform for that. So -> no risk.
I'm thinking a Linux desktop user would be a better victim for this. Fortunately, hardly anyone uses Linux on the desktop so we're all safe!
Regards,
Xenna
Re:Don't worry, this is no Linux Code Red (Score:2)
They'd also need to be running as root.
Re:Don't worry, this is no Linux Code Red (Score:2)
When they are actually on campus, they have a choice of eudora, simeon (I think), elm (ssh/telnet into an irix server), or webmail.
Why use outlook?
(* the majority of Exeter, UK's comp sci students don't know a mouse from a monitor either!)
Trojan 101 (Score:2)
int main(void) {
    doTrojan();
    doMainApp();
}
There, I just wrote myself a new "Linux Trojan". The thing is, a "New Trojan" is actually nothing new at all. Basically, all you need is a bit of code that seems useful to the user, a bit of code that the user never gets to see, and a user to run it. I can write a perl script that will happily crank out "New" trojans by the trillions. Disk space is the pure limit to the number of perfectly unique "Linux Trojans" I can make.
I know a lot of people will use FUD like this to point out that Linux has its flaws too, but that is complete garbage. A trojan is not a threat to a competent user on a machine with even the barest levels of user authentication and security. It is only a threat to the naive or the foolish.
Re:Trojan 101 (Score:2)
Unless the Linux user has done a chmod -R 777 / recently, the Windows user is going to be in serious trouble while the Linux user is fine. Why is that? Because Microsoft has some serious mental problems when it comes to security in their non-NT environments.
A trojan is not news. Horribly gaping flaws in security models may be, but the trojan itself is one out of a hundred trillion million trojans just like it.
Re:Trojan 101 (Score:2)
Now for the obligatory argument by analogy:
The Linux filesystem and user permissions are like a government. What they set up is something akin to a "legal system" in the computer. Sure, malicious programs can try to subvert that (which this program TRIES TO DO, BUT IS NOT SUBTLE ENOUGH). When such a rogue program is detected, this system can help you to diagnose programs, isolate the infected binaries and "jail" them. In Windows 9x, there is no government, there is only chaos.
Give me a break... (Score:3, Interesting)
This really is a non-story. Anyone that has the skill to install Linux would know better than to execute this sort of attachment.
Offtopic: We need a Slashdot Virus Pool for the first distributed threat to Apple's Mac OS X. I am guessing May 16, 2006.
Not an Apache worm (Score:2)
Contrary to what the summary hints at through the mention of Code Red and Apache, this is not an Apache worm. It's a trojan that you actually have to execute yourself in order to be infected. Thus, if you don't blindly execute e-mail attachments and download programs from untrusted sources, you should be safe. Moreover, the trojan is rather primitive and doesn't try to manipulate the file modification dates to hide its presence. Thus a simple ls -ltrc
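The post above relies on the trojan not faking timestamps, so changed binaries stand out in ls -ltrc. The script below is an added example, not code from the thread or from Qualys: it records a baseline of every executable under a directory (hash, ctime, path) and later reports what was modified, touched, or added. It assumes GNU coreutils (sha256sum, stat -c %Z) and paths without newlines or '|' characters.

```shell
#!/bin/sh
# Added example: baseline-and-compare integrity check for executables,
# the detection idea the thread discusses (the trojan rewrites binaries
# but leaves their timestamps honest). Assumes GNU coreutils.

# One line per executable file under DIR: sha256|ctime_epoch|path
baseline_executables() {
    dir=$1
    find "$dir" -type f -perm -u+x 2>/dev/null | sort | while IFS= read -r f; do
        sum=$(sha256sum "$f" | cut -d ' ' -f 1)
        ctime=$(stat -c %Z "$f")          # inode change time, what ls -c shows
        printf '%s|%s|%s\n' "$sum" "$ctime" "$f"
    done
}

# Compare DIR against a saved MANIFEST. Prints one line per finding:
#   MODIFIED path  - content hash differs (what an infecting trojan does)
#   TOUCHED  path  - same content, but ctime moved (chmod/chown/re-link)
#   NEW      path  - executable not present in the baseline
# Returns 1 if anything was reported, 0 if the tree matches the baseline.
check_executables() {
    dir=$1; manifest=$2
    now=$(mktemp)
    baseline_executables "$dir" > "$now"
    awk -F'|' '
        FILENAME == ARGV[1] { base_sum[$3] = $1; base_ct[$3] = $2; next }
        !($3 in base_sum)   { print "NEW " $3;      n++; next }
        base_sum[$3] != $1  { print "MODIFIED " $3; n++; next }
        base_ct[$3]  != $2  { print "TOUCHED " $3;  n++ }
        END { exit n ? 1 : 0 }' "$manifest" "$now"
    rc=$?
    rm -f "$now"
    return $rc
}

# The post's ls -ltrc idea applied to a whole tree: executables whose
# ctime is within the last DAYS days (default 1), oldest first, newest last.
recently_changed_executables() {
    dir=$1; days=${2:-1}
    find "$dir" -type f -perm -u+x -ctime -"$days" -exec ls -ltrc {} +
}
```

Run baseline_executables once on a known-good system (for example right after install) and keep the manifest off the box; a package manager's own verification is a stronger check where one exists, but this works on any tree.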
These journalists must be desperate for attention. (Score:5, Insightful)
As virii go, this is pretty pathetic, and prompts one to question the competence of anyone who thinks it is significant. The email-vector mechanism can't even take advantage of address books, since Unix mail clients are so far from standardized.
I don't have much faith in the analysis (Score:3, Informative)
Wait, so it listens on a UDP port, but it can be compromised using TCP? Do the people that analysed this actually bother proof-reading, or do they simply not understand what they write??
It's a Virus not a Worm. (Score:3, Insightful)
Why on earth do people think that this code can infect machines remotely over the Internet ? Does it say so anywhere in the article ?? No !!
From the article:
The so-called Remote Shell Trojan spreads through email as well as replicating itself across the infected system.
It's simply a trojan that you will have to get in mail or on a floppy and execute YOURSELF.
Then it will infect other executables on your system, but in no case will it be able to infect any other systems without human assistance (i.e. executing a binary on that computer).
Whoever thought this is even remotely as scary as Code-Red is in need of some serious medication.
A new one has been found! (Score:5, Funny)
FOR IMMEDIATE RELEASE
Overview
The Really Silly Command Virus identified by Blackant Systems has the potential to remove all files from a hard drive. It was recently spotted in the wild a few days ago when a junior sysadmin logged in as root on a production server and executed a shell script he had been emailed from a user known only as script_kiddie@hotmail.com.
Impact
Given a detailed analysis of the source code behind this virus, it is possible that the Really Silly Command Virus may eventually mutate into a self-propagating worm.
Recommendations
Blackant Systems recommends that every sysadmin who would run shell scripts from untrusted parties be shot.
In order to determine if your email may contain this new virus, please look for the following first few lines in a shell script:
#!/bin/sh
#1337 script by script_kiddie!!!
#props to all my homies!!!!
rm -rf /
#this doenst seem to work yet...
mail $0 $1
If you find a file with similar lines, do not execute it on your server, but remove it immediately. Blackant Systems will be releasing a utility to identify stupid sysadmins shortly.
What counts (Score:4, Funny)
I'm sorry but I felt it had to be said even if I lose karma
His arm has grown long indeed.... (Score:3, Flamebait)
This "alert" is clearly bought and paid for by MS. The idea that a machine running Apache is "vulnerable" to a trojan that depends on a superuser saving and running an email attachment of unknown origin (or a normal user somehow setting the suid bit on the attachment) is so stupid that it can't be stupid: it must originate with someone that has a vested interest in spreading FUD.
Let's see now, who do we know that doesn't like Linux, is having a major launch of a new version of their OS and is known for sponsoring "research" that shows that Linux is the tool of the Devil? Hmm.... Is it Bill, the mild mannered janitor? Could be, could be!
TWW
Conspiracy theory ... NOT (Score:2, Insightful)
Whoever wrote this article is just plain silly!
The New Linux Trojan! (Score:5, Funny)
Cindy: Oh Harry, You're so smart! It really turns me on!
Harry: Oh wow!
Cindy: As soon as you finish that, I'll think up something to allow us to Celebrate!
Harry: Oh, WOW!!!
<horse braying>
Singers: "TROJAN MAN!!!"
Trojan Man: Looks like you two are planning to... exchange private keys?
Harry & Cindy: Well... Uh... I don't...
Trojan Man: Try new Linux Trojans! The Condom for the virus conscious!
Harry & Cindy: Thanks Trojan Man!
Trojan Man: My job is done here!
<horse braying>
Trojan Man: Yes, we'll find a filly for you some day...
Hey, geeks can dream, can't they?
OK, let me get this straight (Score:2)
2) You have to download, chmod +x and run a binary program from an email, presumably one that doesn't come from someone you know
3) You have to be stupid enough not to notice that
...
Can anyone say "stupid man's trojan"?
Has anyone even seen an attempted attack? (Score:2, Interesting)
As has been repeatedly pointed out, it would take a complete idiot to save an unknown binary file, chmod it, and run it as root. But you would have to *get* the binary before you could do that. Most of the talk about Linux virii and trojans is very hypothetical. Independent of all the theoretical reasons why they don't occur widely on Linux there is the empirical fact that there has never been anything affecting the same percentage of Linux systems that Code Red or Sircam did for MS products.
This case seems no different. All the hype is little more than a scam by an anti-virus software company.
Blah Blah (Score:2)
Comparing a few newbies potentially being stupid enough to run an executable received in E-Mail as root to Code Red is quite a stretch.
Impact on Linux (Score:4, Insightful)
If the popular media picks up a story that "LINUX USERS FACE DEADLY TROJAN (film at 11)", it will help create a perception of vulnerability, and it's a small step to go to "and since Linux is freely distributed, who knows what can lurk in that copy you download..." While techies familiar with Linux will have a reasonable grasp of the true threat and how to overcome it, what about the decision makers who are deciding what to implement at their companies? The ones that set budgets and decide what IT will implement (and IT may not have much of a say in the decision) will remember "Linux - oh yeh, that's the system that got hit with that DEADLY TROJAN."
Not enough details... (Score:2, Troll)
I have tried many of the Linux email programs at one time or another--pine, elm, mutt, postilion, balsa, tk-rat, kmail, evolution and sundry others too numerous to recount. And let's face it people, for proper email viruses you need an advanced Microsoft email client. Outlook is a good example.
First there is the problem of automatic or almost automatic execution. Linux email clients have not yet achieved the same optimistic attitude towards code in email attachments as Outlook. However, anyone who has used Linux is already familiar with this and I do not need to elaborate.
Then, because Linux lacks any sort of standards (http://microsoft.com for more information), there is no easy way to send emails out to everyone on the person's list. The easiest thing would be to use perl. But even this poses problems and the Qualys guys don't mention anything about perl or how it sends the emails out.
Personally, I really doubt Qualys knows what it's talking about. Look at how many times [google.com] Qualys has been talked about in the context of linux. Compare that to a reputable Linux endeavor. [google.com]
And also... Any security company should know that the only way to clean an infected computer is to reinstall. Installing more closed source software on top of the closed source virus seems like a silly thing to me.
(Not that I think Qualys would deliberately do something wrong but they don't seem competent enough to analyse this virus thoroughly or program a bug-free fix).
It's almost fun (Score:3, Funny)
Anyway, it will be fun to see if the crap media picks this one up "uh no! a worm on Linux, we always knew it would happen! we haven't seen it yet, but someone mentioned it may get worse than CodeRed!"
But I'm really happy
Re:Not a big deal.. but then... (Score:2)
I was going to post something to the same effect. Thanks for beating me to it.
Re:Not a big deal.. but then... (Score:2)
Quoth chmod(1):
And, yes, vulnerable setuid executables can be run by local users to compromise the system in such that unauthorized remote administration is possible. This can happen either through the user's evil intentions or by a trojan.
That's why it's necessary to patch locally exploitable programs, and good security practice to unsetuid things that don't need to be setuid (eg., the 'mount' executable on a system such as you described has no business being setuid)
Also, firewalls that only allow connections to be initiated to needed services can be of assistance. Apparently such a firewall would help in this case, but an attacker can set up a remotely initiated proxy or kill off the real daemon that's supposed to be running and replace it with a 'custom' version.
Re:Not a big deal.. but then... (Score:2)
However, last time I looked, the user requires root privileges to make the file setuid root. And you can't copy setuid root files from one place to another as a non-privileged user whilst retaining the setuid bit.
So no, this bit is not a concern when combined with trojans, given reasonably normal security practices.
Re:bout frigging time (Score:2)
Re:Show us the actual thing (Score:2)
A few years ago I was perusing the virus database of a large anti-virus company. They categorised virii in various ways, and one of the attributes was where it had been found. The majority were 'laboratory only'.
Now, what does that mean? If it's only been found in the 'laboratory', then it must have been created there.
I'd be delighted if someone who knows can enlighten me as to what 'laboratory only' really means.