Looking At The New Linux Trojan

Da Schmiz writes: "Security firm Qualys discovered a new Linux trojan on Saturday ... details can be found on their website. Vnunet picked up the story earlier today, and then followed up with more details. They're comparing the potential impact to Code Red or worse, since more servers run Linux / Apache than NT / IIS. I don't think it's that bad, since the infection can be easily detected, but it certainly isn't good." Update: 09/08 11:58 AM GMT by H : Of course, as Kurt Seifried pointed out in e-mail: "The trojan has nothing to do with Apache. The virus attaches itself to an executable, which you must run to infect other binaries (i.e. you must run this as root). This means that infection vectors include, but are not limited to, email attachments, but you must of course save the binary, then set it executable, and then run it, as root, to do any real damage. Alternatively you must download binary software and run it (again as root to do any real damage). In other words someone must run binaries of unknown origin as root, and if this is common practice then you have larger policy and education problems to deal with." So, comparing it to Code Red is a bit dubious.
  • by Anonymous Coward on Saturday September 08, 2001 @04:22AM (#2266523)
    Hmmm...I went to read the story there, and when the page loads *bammo*; there's a pop-up ad for M$ server obscuring the page ... and since I'm not running gator (or equivalent), I'm pretty sure that's from the site itself....
    Needless to say, not trusting the source, I skipped that particular article.
    Has anyone else had that happen with that site and that story?
  • by BrookHarty ( 9119 ) on Saturday September 08, 2001 @04:25AM (#2266529) Journal
    It says initially surfacing in the /bin directory, ok what file? What distro? What rpm? What .tgz do I have to watch out for? Little more info please. I don't know of any Unix admin who would run /bin utilities that they get off the Internet, maybe source, but not binaries.

    This is in no way as bad as Code Red; Code Red self-replicated on unpatched servers. This trojan will not replicate without a user doing it. Sheesh, bad journalism.
  • Give me a break... (Score:3, Interesting)

    by toupsie ( 88295 ) on Saturday September 08, 2001 @04:59AM (#2266578) Homepage
    I have 12 to 24 hits a day from unique IPs that are Code II/III probes (hundreds all combined). To compare this worm/virus/trojan to Code Red is just plain old marketing hype. Linux to me is a server OS (quickly ducks). I use Mac OS X as my desktop OS -- it's a personal thing (Darwin + Quartz + Aqua + X > Linux + X). The last thing I would do is open an e-mail attachment on a server that doesn't receive or need e-mail (duh). Code Red didn't need e-mail, it just needed a newbie with Windows NT/2000 w/ an unpatched IIS installed to spread -- which most of my probes come from (at least what nmap tells me).

    This really is a non-story. Anyone that has the skill to install Linux would know better than to execute this sort of attachment.

    Offtopic: We need a Slashdot Virus Pool for the first distributed threat to Apple's Mac OS X. I am guessing May 16, 2006.

  • Re:Technical detail: (Score:2, Interesting)

    by Josuah ( 26407 ) on Saturday September 08, 2001 @05:35AM (#2266627) Homepage
    A lot of computers are set up with loose UDP. All those computers, which are quite a few, would let incoming traffic go to 5503 if a local program opened the port.
  • by bigbadwlf ( 304883 ) on Saturday September 08, 2001 @05:45AM (#2266638)
    No kidding!
    The article even mentioned (more than once) Apache and how many servers on the net run it.
    So what? Unless I missed a paragraph, Apache has nothing to do with it!
  • by mAIsE ( 548 ) on Saturday September 08, 2001 @08:57AM (#2266899) Homepage
    This really sounds like Microsoft's spin "just as bad as Code Red". A corporate child trying to smear their competition to say 'we aren't any worse than everyone else'. I wouldn't be surprised to see Microsoft push an issue like this to try to discredit Linux. I would be seriously interested in what the link between Microsoft and this supposed 'SECURITY' company is.

    First they ignore you, then they fight you, then you win.
  • by PrimeEnd ( 87747 ) on Saturday September 08, 2001 @08:58AM (#2266904)
    We all saw hundreds/thousands of attempted Code Red attacks. We got hundreds of sircam emails. Has anyone seen a single instance of this trojan arrive in their email?


    As has been repeatedly pointed out, it would take a complete idiot to save an unknown binary file, chmod it, and run it as root. But you would have to *get* the binary before you could do that. Most of the talk about Linux virii and trojans is very hypothetical. Independent of all the theoretical reasons why they don't occur widely on Linux, there is the empirical fact that there has never been anything affecting the same percentage of Linux systems that Code Red or Sircam did for MS products.


    This case seems no different. All the hype is little more than a scam by an anti-virus software company.

  • Whatever! (Score:3, Interesting)

    by Jason Earl ( 1894 ) on Saturday September 08, 2001 @09:21AM (#2266951) Homepage Journal

    In other words, this trojan is likely to affect the vast hordes of Linux users that always log in as root, use their Linux box to read email, and who automatically install and run binaries that they receive off the Internet.

    All five of them.

    Seriously speaking, this is one of those areas where Windows users see how easy it is to use email to trick Windows users into triggering trojans and they figure that Linux must be similarly vulnerable. It isn't.

    First of all, most Linux users, even new Linux users, don't do much of their work logged in as root. In Linux it is trivial to use su or sudo to become root as necessary, and this particular trick is one of the first that most Linuxers learn. Second of all, Linux does not make it easy to run foreign executables. No Linux client I can think of allows you to simply click on an attachment and automatically run it. Besides that, even if the person does run the executable, how does it spread? Windows email viruses rely on the fact that they can programmatically access the Outlook address book. Even Windows users who use Eudora or Netscape Messenger are immune to this trick. Under Linux the question of how the trojan is going to email itself to my friends is even more difficult. There are literally hundreds of mail clients that see active use. Your trojan would need to parse many different kinds of text-based address books (heck, there are probably three different Emacs packages that one could use as an address book).

    And when all was said and done, the chances of this trojan spreading are nearly nil. After all, even if one Linux user got infected, and the trojan successfully mailed itself to 200 of his closest friends, chances are good that very few of these friends would be running Linux, and chances are even better that none of those friends running Linux would be similarly vulnerable (or nearly as dense). The trojan would refuse to spread, and that would be the end of it.

    Comparing this trojan to the Code Red worm is laughable.

  • No Evidence No Crime (Score:1, Interesting)

    by Anonymous Coward on Saturday September 08, 2001 @10:01AM (#2267051)
    Umm just use Fin or Null scanning and you'll be fine. Nmap is very proficient(sp) with these scans, if Syn is logged Fin, Xmas, Null will keep you under the radar and out of sight.

    NMap [nmap.org]

    correct me if i'm wrong :}
    CAEthaver2 [sf.net]

    --mikeeusa--

    >> Any properly administrated linux box has a decent iptables / ipchains script. If not, it's about time to read the docs.
    >> From what I've read in the article, tripwire should be able to detect an infection. Not so much to worry about, I guess.
    >> ... and of course nmap to scan for open 5503 ports (damn, it's now illegal to do so here at our university).
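The quoted reply above says a tripwire-style integrity check should catch a trojan that rewrites binaries in /bin. The following is an added example of that idea, not tripwire's code and not anything from the original post: it snapshots SHA-256 digests of every regular file under a directory and diffs a later snapshot against the baseline. The demo builds a constructed fake /bin in a temp directory; for a real host the baseline belongs on read-only media, since an attacker with root could otherwise rewrite it.

```python
"""Minimal tripwire-style file-integrity check (added example, not tripwire's code)."""
import hashlib
import os
import tempfile


def snapshot(root):
    """Map relative path -> SHA-256 hex digest for every regular file under root.
    Symlinks are skipped so a redirected link cannot mask a changed target."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            with open(path, "rb") as fh:
                digests[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def diff(baseline, current):
    """Return (modified, added, removed) relative paths, each sorted."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return modified, added, removed


def demo():
    """Constructed scenario: a fake /bin with two 'binaries'; one is later altered
    in place and a new file appears, as an infected binary rewriting others would do."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("ls", b"\x7fELF fake-ls"), ("ps", b"\x7fELF fake-ps")):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        baseline = snapshot(root)  # taken while the tree is known-good
        with open(os.path.join(root, "ps"), "ab") as fh:
            fh.write(b" appended-bytes")  # simulated modification of an existing binary
        with open(os.path.join(root, "extra"), "wb") as fh:
            fh.write(b"new file")  # simulated dropped file
        return diff(baseline, snapshot(root))


if __name__ == "__main__":
    modified, added, removed = demo()
    print("modified:", modified, "added:", added, "removed:", removed)
```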
  • Wait a second... (Score:2, Interesting)

    by Scooby Snacks ( 516469 ) on Saturday September 08, 2001 @12:36PM (#2267704)
    Hmm, at least they provide binaries for a scanner and cleaner that you can download [qualys.com]. Just run those as root, and... Oh! Wait a minute! :)

    (In all fairness to them, they do provide source alongside the pre-compiled binaries, so the security-conscious can audit the code and recompile.)

    This reminds me a lot of a rant [linuxmafia.com] or two [linuxmafia.com] by Rick Moen [linuxmafia.com] of SVLUG [svlug.org] fame. The main problem is sysadmin inexperience. Granted, you can still trash your own files (and lose all your user data), but the system will be safe. So just run untrusted executables as a different, non-privileged user, if you must run them at all.
