Linux Software

Looking At The New Linux Trojan

Da Schmiz writes: "Security firm Qualys discovered a new Linux trojan on Saturday ... details can be found on their website. Vnunet picked up the story earlier today, and then followed up with more details. They're comparing the potential impact to Code Red or worse, since more servers run Linux / Apache than NT / IIS. I don't think it's that bad, since the infection can be easily detected, but it certainly isn't good."

Update: 09/08 11:58 AM GMT by H: Of course, as Kurt Siefried pointed out in e-mail: "The trojan has nothing to do with Apache. The virus attaches itself to an executable, which you must run to infect other binaries (i.e. you must run this as root). This means that infection vectors include, but are not limited to email attachments, but you must of course save the binary, then set it executable, and then run it, as root, to do any real damage. Alternatively you must download binary software and run it (again as root to do any real damage). In other words someone must run binaries of unknown origin as root, and if this is common practice then you have larger policy and education problems to deal with." So - comparing it to Code Red is a bit dubious.
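The update's point, that a file infector can only touch binaries the invoking user is allowed to write, can be measured on a host. The audit below is an added example, not part of the original story or of the Qualys advisory; the function names, sample file names and uid values are assumptions, and only classic Unix mode bits are considered.

```python
import os
import stat
import tempfile

def can_write(st, uid, gids=()):
    """Classic Unix mode-bit check; ACLs, read-only mounts and immutable flags are not modelled."""
    if uid == 0:
        return True                      # root bypasses the permission bits
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def exposed_binaries(dirs, uid, gids=()):
    """List (path, reason) for executables the identity uid/gids could modify or replace."""
    findings = []
    for top in dirs:
        for root, _subdirs, files in os.walk(top):
            dir_writable = can_write(os.stat(root), uid, gids)
            for name in sorted(files):
                path = os.path.join(root, name)
                st = os.lstat(path)
                if not stat.S_ISREG(st.st_mode) or not st.st_mode & 0o111:
                    continue             # only regular files with an execute bit
                if can_write(st, uid, gids):
                    findings.append((path, "file writable"))
                elif dir_writable:       # file could be unlinked and recreated
                    findings.append((path, "directory writable"))
    return findings

def build_sample_tree():
    """Constructed sample: one locked-down binary, one world-writable binary, one data file."""
    top = tempfile.mkdtemp()
    os.chmod(top, 0o755)
    for name, mode in (("ls", 0o755), ("helper", 0o777), ("notes.txt", 0o666)):
        path = os.path.join(top, name)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)
    return top

if __name__ == "__main__":
    tree = build_sample_tree()
    owner = os.stat(tree).st_uid
    other = owner + 1                    # hypothetical uid that owns nothing in the tree (never 0)
    print("unprivileged:", exposed_binaries([tree], other))
    print("root:", exposed_binaries([tree], 0))
```

Pointing `exposed_binaries` at directories such as `/bin` and `/usr/bin` with a mail-reading account's uid and gids shows what an infected attachment run by that account could reach; an empty result for ordinary users and a full listing for uid 0 is the expected picture.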
  • by PopeAlien ( 164869 ) on Saturday September 08, 2001 @04:14AM (#2266512) Homepage Journal
    This could be interesting- It'll be interesting to see if just because there are more linux/apache servers out there, that means this thing will spread more and do more damage than Code Red. Or perhaps the linux machines will be better maintained than the NT machines.. We'll see.

  • Cute kittens (Score:3, Insightful)

    by Graymalkin ( 13732 ) on Saturday September 08, 2001 @04:31AM (#2266541)
    The problem with saying "oh yeah this is easy to detect/fix" is that you're not looking from the standpoint of non-linux geeks. I've never really had a problem with trojans or virii on any of my Windows machines because I know how not to pick them up. They're headaches because most people don't know how to avoid them. The same goes with all the people who picked up a copy of RedHat and run around as root because they don't know any better. Linux is only as secure and efficient as the people using it. Weenie.
  • bout frigging time (Score:0, Insightful)

    by Anonymous Coward on Saturday September 08, 2001 @04:47AM (#2266561)
    maybe this will finally silence the L1NU> RULZ \/\/1nd0w5 5uX shills that have plagued /. for so long. Eat that, bizznatch!!
  • by dytin ( 517293 ) on Saturday September 08, 2001 @04:53AM (#2266568) Homepage
    A dumb person may play chutes and ladders for fun, while a smarter person might play chess. Just because you have to be smart in order to play chess does not make chess bad.

    The same is true in operating systems. Just because it is easy doesn't make it good.
  • by hebble ( 35128 ) on Saturday September 08, 2001 @05:17AM (#2266604)
    First: why is Apache mentioned AT ALL? It sounds like this thing only "spreads" (if you can even call it that) when someone is brain-dead enough to READ their EMAIL as a user who can WRITE to IMPORTANT BINARIES! That has nothing whatsoever to do with Apache. Is it just to support the idea that there are a lot of Linux servers?

    As virii go, this is pretty pathetic, and prompts one to question the competence of anyone who thinks it is significant. The email-vector mechanism can't even take advantage of address books, since Unix mail clients are so far from standardized.
  • by AftanGustur ( 7715 ) on Saturday September 08, 2001 @05:32AM (#2266624) Homepage


    Why on earth do people think that this code can infect machines remotely over the Internet? Does it say so anywhere in the article?? No!!

    From the article:
    The so-called Remote Shell Trojan spreads through email as well as replicating itself across the infected system.

    It's simply a trojan that you will have to get in mail or on a floppy and execute YOURSELF.

    Then it will infect other executables on your system, but in no case will it be able to infect any other systems without human assistance (i.e. executing a binary on that computer).

    Whoever thought this is even remotely as scary as Code-Red is in need of some serious medication.

  • by Anonymous Coward on Saturday September 08, 2001 @05:36AM (#2266628)
    I don't know if I'm typical or not, but where I work, Linux is used on servers (yup, I'm responsible for that) but we hardly ever read our mail on a Linux box. We use a Windows platform for that. So -> no risk.


    Am I the only one that thinks the phrases "Windows" and "no risk" should not be referring to each other?


    We trust our servers with linux, but not our email. We'd rather use a product known to get hit by the Virus-of-the-Week(TM)!

  • by Pat__ ( 26992 ) on Saturday September 08, 2001 @08:02AM (#2266791)
    Do not attribute to malice what can be explained by stupidity.

    Whoever wrote this article is just plain silly!
  • Impact on Linux (Score:4, Insightful)

    by Registered Coward v2 ( 447531 ) on Saturday September 08, 2001 @10:13AM (#2267094)
    To me, the real issue here is whether this trojan will have much of an impact on Linux boxes, but its impact on people's perceptions of Linux.

    If the popular media picks up a story that "LINUX USERS FACE DEADLY TROJAN (film at 11)", it will help create a perception of vulnerability, and it's a small step to go to "and since Linux is freely distributed, who knows what can lurk in that copy you download..." While techies familiar with Linux will have a reasonable grasp of the true threat and how to overcome it, what about the decision makers who are deciding what to implement at their companies? The ones that set budgets and decide what IT will implement (and IT may not have much of a say in the decision) will remember "Linux - oh yeh, that's the system that got hit with that DEADLY TROJAN."
  • Re:Trojan 101 (Score:2, Insightful)

    by WildBeast ( 189336 ) on Saturday September 08, 2001 @10:20AM (#2267118) Journal
    I used to run win9x, if it's so insecure, how come I never did get infected? Besides, if you ever worked in tech support, you would know how much trouble some people have just to enter their username and password. It's crazy. Besides, now all MS OS's are going to be NT based.

    I know a lot of Linux users who always use the root account.

  • Non-issue (Score:2, Insightful)

    by praedor ( 218403 ) on Saturday September 08, 2001 @10:48AM (#2267195) Homepage

    This is no more an issue than is the "threat" of linux-based viruses. C'mon. Only a complete IDIOT would "infect" his system with this sort of virus/trojan.


    Linux COULD be affected by a virus IF root ran a virus-infected app or if one of the linux office suites develops a hole-laden macro system ala Word - IF that macro was run as root.


    This is no threat or problem to any linux system except those few morons who do everything as root and would actually download and run an unknown application off the net as root.


    This is a sham. This is FUD. This is either an M$-supported FUD or an attempt by some bozo to get web hits and, as another poster mentioned, harvest email addresses. Hello spam!


  • by Some Dumbass... ( 192298 ) on Saturday September 08, 2001 @02:07PM (#2268191)
    Uh oh. Does anyone know how to play online games like Unreal Tournament and Quake III without opening the appropriate UDP ports to incoming packets (from the game servers, of course)? Since UDP isn't stateful, I can't use connection tracking, can I?

    I bet that if crackers do start scanning Linux boxes for this trojan, ports like 7777-7778 (UT) and 27015-27106 (QIII) will be primary targets.

  • by SilentChris ( 452960 ) on Saturday September 08, 2001 @03:58PM (#2268582) Homepage
    "Anyone who fails to have more than one layer of precaution on their system has a bit more to worry about."

    Except if it's a home machine with no personal/financial information on it, is connected to a cable line that can't do any damage sending data up its 128K upstream, and is running a few rudimentary firewalls, you don't have much to worry about. Some people take their security WAY too seriously.
