Rootkit Packaged for Debian

Erich writes "Debian Developer Simon Richter announced in this posting to debian-devel that he Intends to Package (ITP) a R00tk1t for Debian Linux. The rootkit will make use of Debian mechanisms such as diversions to divert the original /bin/ls commands and replace them cleanly by the modified versions. Even reinstalling or upgrading the file-utils package (containing /bin/ls) will then not remove the modified /bin/ls and the rootkit will stay active, being probably the first upgrade-resistant rootkit! This rootkit will then be easy to install by doing "apt-get install rootkit" - a major usability aspect for our fellow wannabe-hackers, making Debian the premier choice for them."
  • ...but it requires you to have rooted the machine first.

    That having been said, has anyone converted this to RPM yet?

    - A.P.
    • > ... but it requires you to have rooted the machine first.
      > That having been said, has anyone converted this to RPM yet?

      Error: Rootkit depends on Rootkit. Installation failed.

    • Or compromise the servers where you get your .debs.

      Remember, a lot of people have cron jobs that update their system. It's intended to ensure security patches are applied soon after they're made available, but for practical reasons some sites use local repositories that might not have the same level of security.

      Compromise that, and every other system that updates against it is also compromised.

      Obviously nobody would have installed (and be updating) a package called "rootkit," but the scripts could be piggybacked on any security update.
      • Debian's actively working on getting packages GnuPG-signed. Once that's in place, compromising the server from which the packages are retrieved won't be sufficient.
        • "once that's in place".... Famous last words.

          Besides, all this does is push around what needs to be compromised. Compromise the keyring containing the public keys used to check the packages. If you're using a local repository (e.g., because your site rebuilds packages to include localization, e.g., the 'lprng' package installs a fully configured /etc/printcap file) then compromise those keys or packages.

          Still sleeping at night? Remember all it takes is _one_ trojaned package, e.g., something downloaded from SourceForge or Freshmeat, with an installation script that illicitly adds a black hat key to the keyring for packagers. You can't require all updates be signed by a master key without killing off all local and independent packagers.

          (It is left as an exercise for the reader why you can't just have Debian maintain a master key used to sign independent developer keys. They can and should sign their own, but not Joe Smith who just wants to modify lprng so he doesn't have to reconfigure each system by hand.)

          This is a surprisingly difficult problem to solve even when there's only one permitted code signer. With an unlimited universe of independent signers, I think the most you can hope for is to contain the damage.

      • >Or compromise the servers where you get your .debs.
        >...
        >Obviously nobody would have installed (and be updating) a package called "rootkit," but the scripts could be piggybacked on any security update.

        First, it doesn't have to be installed through the updates to the server. It's probably actually easier to find some misconfigured server or vulnerable daemon out there, establish remote access, and install the rootkit from there. But you do have a point and that's why I just subscribe to bugtraq [securityfocus.com], etc. and never trust things like the .deb/.rpm updates.

        Second, why worry about a rootkit when the underlying problem is how they get IN before the rootkit. I would definitely recommend looking at securing-debian-howto [debian.org] for those of you who are unsure of your Debian security.

        If the only problem were a rootkit changing binaries and installing a backdoor, then all an admin has to do is put a firewall in front of the server and control all the ports, so that any unsolicited traffic is stopped from getting to the "unknown" daemon listening on port xyz, plus stop ALL unsolicited tcp/udp/icmp traffic from leaving the server unless a handshake was completed. Most stateful packet filters can do this. If you're really paranoid, put an IDS (i.e. snort, www.snort.org [snort.org]) between the server and the outside to look for irregular activity. Worried about one of your services? Find a proxy to inspect the connections. Worried about corrupt binaries? Install an integrity checker (i.e. tripwire, www.tripwire.org [tripwire.org]).

        Obviously, securing a server will require much more than this. Check out Sans.org [sans.org]. But AT A MINIMUM, the above should have been in place already. Hope that helps at least somebody out there.

        • Oh yeah.... FYI... Debian already covered their ass:

          from securing-debian-howto [debian.org]

          11.1.6 Are all Debian packages safe?

          The Debian security team cannot analyse all the packages included in Debian for potential security vulnerabilities, since there are just not enough resources to source-code audit all the project. However, Debian does benefit from the source code audits made by upstream developers or other projects like the Linux Kernel Security Audit Project or the Linux Security-Audit Project.

          As a matter of fact, a Debian developer could distribute a trojan in a package and there is no possible way to check it out. Even if it were introduced in Debian, it would be impossible to cover all the possible situations in which the trojan would execute.

          This sticks to the no guarantees license clause. In any case, Debian users can take confidence in that the stable code has a wide audience and most problems would be uncovered through use. It is not recommended to install untested software in a valuable system in any case (if you cannot provide the necessary code audit). And, in any case, if there were an induced security vulnerability in the distribution, the process used to include them (using digital signatures) ensures that the problem can be ultimately traced to the developer, and the Debian project has not taken these issues lightly.

  • afp? (Score:4, Informative)

    by NoInfo ( 247461 ) on Monday April 01, 2002 @01:54PM (#3266324) Homepage Journal
    April First Post. ;)
    • And a pretty weak one at that...oy...
    • Most Linux users don't bother checking the crypto hashes on their downloadable binaries or reading the full sources of their application source. Creating an RPM (or dpkg, but RPM is both standard and more widespread) virus would be one way to have viruses seriously make an impact on Linux users. Imagine all the APT repositories filled with corrupt rpms/dpkgs. Non foolingly, it's worth worrying about.
  • by -douggy ( 316782 )
    An act of terrorism now..... Too hard to keep up with crazy US laws.
    • Not only that, but rootkit violates the DMCA.

      Gonna have to get a federal posse to round up them damn DMCA violating terrorists...them Linux folks are all communists anyway -- what the hell did you expect?

      ;)
  • News for nerds (Score:2, Redundant)

    by Lxy ( 80823 )
    Unless it's April 1st, then we just make up crap. Apparently there's no anonymous posting available today either.

    • IMO, I kind of like not having anonymous posting, because there's been a notable absence of AC trolls today, from what I've seen. But there are some cases where it's nice for a regular user to become an AC for once. I'm rather torn over the subject :)

      I can't speak for everybody else, but its both funny and interesting all at once. Feel free to mod this down, it is kind of OT.
      • Um, most of the regular users are AC trolls. Lol who the hell did you think they were 14 year old kids in their parent's basement? They troll for pleasure man, like some people like to fly fish they like to take the suckers in hook line and sinker.
    • 1f 17 m4k35 j00 f331 n3 b3773r, 7|-|15 \/\/45 4 "r331" p057 70 d5 b1c|-|1n d3b14n m41l1n l157. 17 w4z 3v3n p0573d 477 1n 1337 l1k3 d15!

      Not that it makes it any less silly, of course. You might run over to kuro5hin [kuro5hin.org] or another reputable news source for the rest of the day if it's really that big of a deal (which I never understand but don't argue with either :3 ); there are other sites than Slashdot to fulfill your mindless headline propagation needs for 36 hours. ^_^;

  • I feel bad for any "REAL" news issues today. Cause I haven't taken anything seriously at all today.

    Cancer could be solved today and everyone would think it was a joke...
  • The posting says:
    # Date: Mon, 1 Apr 2002 03:39:56 +0200 (CEST)

    I have to admit, I was VERY frightened for a moment.
  • God damn it, I'm tired of this April 1st.... oh, this is serious?
  • D00D! (Score:4, Funny)

    by Em Emalb ( 452530 ) <ememalb AT gmail DOT com> on Monday April 01, 2002 @01:57PM (#3266343) Homepage Journal
    D00d, this is so c00l. I heard aboot this on alt.pigeon-fisting. It's the real deal. Hard to uninstall though.
  • Sell out! With me oh, yea! Sell out! With me tonight. The record company is gonna give me lots of money and everything will be alright!

    Apologies to Reel Big Fish
  • what now? (Score:1, Funny)

    by fabiolrs ( 536338 )
    what are the next april fool news?
    these would be great:

    - Bill Gates caught in bed with 3 homosexuals

    - Next Sunday on CNN: Bin Laden explains why he did it!

    - Breaking News: Earth to collide with Sun - Microsoft claims it has the solution now

    - Latest News: Bill Gates said he never used any version of Windows. He likes Apple better!

    • > - Bill Gates caught in bed with 3 homosexuals

      Too obvious (a good troll has to be a little more thought out).

      > - Next Sunday on CNN: Bin Laden explains why he did it!

      Too obvious (I think everyone already knows why he did it).

      > - Breaking News: Earth to collide with Sun - Microsoft claims it has the solution now

      Microsoft already claims to have the solutions to your... ahem..... Sun "problems".

      > - Latest News: Bill Gates said he never used any version of Windows. He likes Apple better!

      Too obvious once again.

      These might be something you would see on a twisted version of a /. -Onion hybrid. Today however it is not that comical or obvious. Most of these stories are just a waste of HTML.....
  • About time. (Score:5, Funny)

    by RavenDarkholme ( 27245 ) on Monday April 01, 2002 @02:04PM (#3266380)
    It's about time. As usual, Debian shows the great leadership that we have all come to expect from the project. The addition of a r00tk1t is yet another brilliant aid to remote administration, and well worth waiting for. RedHat and other so-called "commercial" distributions will, one can only hope, wake up soon and attempt to emulate Debian's ground-breaking innovation in this area, in order to gain market share in the vastly untapped script kiddie market.

    I also understand that Debian will be adopting a new motto for the project: "Relax: we understand j00".
    • > Relax: we understand j00

      Well, only if Megatokyo [megatokyo.com] doesn't mind, that is. :P

      • No, no, they've already worked out a deal with Piro-san on that. It's been pretty hush-hush, but I understand they offered him half of the profits on the new proprietary, closed-source version of Debian that's coming out soon.

        Oh...better keep that "closed-source" thing hush-hush, tho'. I don't think the Debian folks are ready to publicize that yet. :-)
  • Since Woody's gonna be released RSN, I guess this'll be part of stable right?
  • he he ;) (Score:2, Funny)

    by Tommes ( 409514 )
    That's the best April Fools' joke I heard today :)
    The best part is that the rootkit is fully removable through dpkg :)
  • by bahtama ( 252146 ) on Monday April 01, 2002 @02:05PM (#3266389) Homepage
    Well, you have to give Microsoft credit, even they have a sense of humor today! They have an April Fools webpage up at: http://www.microsoft.com/security/ [microsoft.com]
    Just look at all those jokes, almost every link!

    ;)

  • by YU Nicks NE Way ( 129084 ) on Monday April 01, 2002 @02:07PM (#3266402)
    How come there's no Windows version of this? I demand a Windows port of this feature! It just shows you how strong a monopoly Linux has among the skript k1dd13z, that this was released without ANY Windows support!
    • > How come there's no Windows version of this? I demand a Windows port of this feature! It just shows you how strong a monopoly Linux has among the skript k1dd13z, that this was released without ANY Windows support!

      Yeah, but the Windoze version is already pre-installed on many Win installations already -- haven't you heard of IIS? Nearly impossible to get rid of and upgrade resistant!

      /Ob_M$_BASH :)


      grnbrg

    • D00D... Windows(tm) is a root kit!
  • That's the best one today.

    Debian leads the pack once again.

    The rootkit will prove an invaluable tool in the workplace for when you *need* the root pw but MIS just won't let you have it.

    root was an April fool when it started and 30 years later it's still funneh.
  • by Helevius ( 456392 ) on Monday April 01, 2002 @02:09PM (#3266406) Homepage
    I'm waiting for the BSD version:

    cd /usr/ports/security/rootkit

    make && make install
  • finally! (Score:4, Funny)

    by w4r3z_d00d ( 569712 ) on Monday April 01, 2002 @02:10PM (#3266411)
    finally a linux company is taking a step in the right direction to offer the kind of quality and service that millions have enjoyed with windows.
  • Is everything on slashdot today a load of bollox ?

    How about posting this drivel under the 'it's funny. laff' section ?

    If I subscribe, do I get a tickbox to disable April first crap?

    Maybe it's because I'm from the UK, maybe it's because I'm old (30), but IT ISN'T FUNNY.

  • They'll have their own Debian r00tkit out as soon as possible, of course.

    Competition is good, right? :)


    grnbrg

  • To those people (Score:2, Insightful)

    by vectus ( 193351 )
    who are whining and bitching about this being april fool's, and there being a bunch of joke stories;

    Lighten up. It is the Monday of a long weekend. If you don't like the stories Slashdot has, go spend time with your family. Go read a book, take a nap, do something. I'm sure there are a lot better things you could be doing than bitching about how a few people are having fun on Slashdot.
    • > Lighten up. It is the Monday of a long weekend. If you don't like the stories Slashdot has, go spend time with your family. Go read a book, take a nap, do something. I'm sure there are a lot better things you could be doing than bitching about how a few people are having fun on Slashdot.

      I suspect the largest group of whiners are people who don't get this Monday off and are stuck at work (like me...except I'm not whining about the joke stories...I'm enjoying them). If I could go spend time with my family or read a book or take a nap, I would. Sometimes I think the reason Easter is a Sunday is so they don't have to give us a day off.
    • If I lighten up, will you eat me? I'm sure that there are a lot better things you could be doing than telling people to lighten up on Slashdot. ;)

      Many of us are bitter because not only do we have to work today, but we had to work on Friday... and many of us would rather read real news than do real work... and this April Fools' crap is no substitute.

      Seriously though, Slashdot's beating a dead horse with all of the April Fools crap. It was funny at first, but now I just want some news.

      -J_Turkey
  • by HeavensTrash ( 175514 ) on Monday April 01, 2002 @02:13PM (#3266432)
    Duh, just another example of Linux trying to copy Windows. Microsoft released this a long time ago, only it was called IIS.
  • While I'm sure the ITP announcement is a joke, it's a real issue that we shouldn't dismiss casually.

    How do we determine whether a system has been compromised? One good way is to check the package information - one of my backburner projects is a configuration management tool that reads the installed package list, rips apart published .deb files to determine the equivalence of tripwire data, and then compares what the .deb file says the files should look like against what's actually on the system.

    (In practice, I only rip the data once and create a Berkeley DB file mapping full path to a snapshot of the expected "struct stat" and the crypto hashes. Subsequent checks just walk the FS tree.)

    It even cross-references what's on the disk under /usr, /bin, /sbin, /lib and /etc (excluding /usr/local and /usr/src), and lists both unexpected and missing files in addition to modified files.

    But if somebody has installed a package using registered diversions to redirect standard programs, my CM tool won't issue any warnings. Why should it? The local administrator has to have the final word, and an unexplained symlink is flagged. But a registered diversion (since I also check some of the system Debian databases) isn't.
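    As an added example that is neither the commenter's tool nor any Debian code, the Python below does what that comment describes and closes the gap it names: it compares files on disk against a package's md5sums list (the format of /var/lib/dpkg/info/<pkg>.md5sums), and it reports every registered diversion from /var/lib/dpkg/diversions that touches an audited path, so a diverted /bin/ls is surfaced for review instead of being silently accepted as legitimate. The sample tree, file contents and the "rootkit" package name in demo() are constructed for the demonstration.

```python
import hashlib
import os
import tempfile


def parse_md5sums(text):
    """Parse a <pkg>.md5sums file: '<md5>  <path without leading slash>' per line."""
    expected = {}
    for line in text.splitlines():
        if line.strip():
            digest, path = line.split(None, 1)
            expected["/" + path.strip()] = digest
    return expected


def parse_diversions(text):
    """Parse /var/lib/dpkg/diversions: triplets of lines (original path,
    diverted-to path, owning package; ':' marks a local diversion)."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    return [{"path": lines[i], "diverted_to": lines[i + 1],
             "package": "local" if lines[i + 2] == ":" else lines[i + 2]}
            for i in range(0, len(lines) - 2, 3)]


def md5_of_file(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit(root, md5sums_text, diversions_text):
    """Return {'modified': [...], 'missing': [...], 'diverted': [...]} for files under root."""
    expected = parse_md5sums(md5sums_text)
    diverted = {d["path"]: d for d in parse_diversions(diversions_text)}
    report = {"modified": [], "missing": [], "diverted": []}
    for path, digest in sorted(expected.items()):
        on_disk = path
        if path in diverted:
            # dpkg installed this package's copy at the diversion target; whatever
            # sits at the original path came from another package, so report it
            report["diverted"].append(diverted[path])
            on_disk = diverted[path]["diverted_to"]
        full = os.path.join(root, on_disk.lstrip("/"))
        if os.path.islink(full) or not os.path.isfile(full):
            report["missing"].append(on_disk)  # symlinks are never what dpkg shipped here
        elif md5_of_file(full) != digest:
            report["modified"].append(on_disk)
    return report


def demo():
    """Constructed sample: genuine ls diverted to ls.distrib, a replacement at /bin/ls."""
    genuine, replacement = b"#!/bin/sh\necho genuine-ls\n", b"#!/bin/sh\necho modified-ls\n"
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "bin"))
    for name, data in (("ls.distrib", genuine), ("ls", replacement), ("cp", b"cp")):
        with open(os.path.join(root, "bin", name), "wb") as f:
            f.write(data)
    md5sums = "".join("%s  bin/%s\n" % (hashlib.md5(d).hexdigest(), n)
                      for n, d in (("ls", genuine), ("cp", b"cp"), ("mv", b"mv")))
    diversions = "/bin/ls\n/bin/ls.distrib\nrootkit\n"  # constructed diversion record
    return audit(root, md5sums, diversions)
```

Run against a real system by feeding it the contents of the dpkg files with root="/"; anything in the "diverted" list deserves the administrator's final word the comment asks for.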

  • by Commienst ( 102745 ) on Monday April 01, 2002 @02:14PM (#3266439) Homepage
    You should check out the Open Directory Project [dmoz.org] they have a nice April Fool's joke waiting for you.

    "Monopolies do it better."
  • by wizman ( 116087 ) on Monday April 01, 2002 @02:17PM (#3266451)
    Microsoft products have had this form of remote administration available in various forms for many years. I for one am glad that a Linux distribution is finally striving to achieve the same robust remote management facilities that have always been a major selling point for the NT platform.
  • April Fools' jokes are a pain, but at least they keep me from having to do work for a while.
  • ... apt-get remove rootkit ?
  • Ha

    ha

    ha

    /me removes feather from under armpit
  • Osama Bin Ladin has been caught at Newark airport!

    I'm 100% serious guys. He was caught boarding a plane with explosives, no one noticed at first because he was dressed as a woman and has shaved his beard. He was wearing a blond wig and was only noticed because he looked to weigh 250+ pounds.

    The extra weight was supposed to be a bomb, but upon inspection it was wired wrong and if he had tried to detonate the bomb the wiring would have only shocked his genitals.

  • apt-get install humor :o)
  • That's what, five straight April Fools' stories, and seven on the day? (Possibly more if there are any in topics I filter out.)

    One is cute. Two is annoying. Seven is just lame.
  • by MBCook ( 132727 ) <foobarsoft@foobarsoft.com> on Monday April 01, 2002 @03:10PM (#3266745) Homepage
    That would have made a MUCH better April Fool's Post.
  • Why can't Debian be more current?!

  • by octogen ( 540500 ) <g.bobby@gm x . at> on Monday April 01, 2002 @03:21PM (#3266813)
    Two hours ago, RedHat finished development of the b0mbk1t tool.

    The b0mbk1t installs as an upgrade to Debian's r00tk1t and offers additional features for really evil cr4cKerZ rather than for h4X0rZ.

    It can be installed by running the following install-script:

    #!/bin/sh
    echo "Installing RedHat b0mbk1t... \c"
    chmod u+s /bin/rm
    ln -s /bin/rm /bin/ls
    echo "done."
  • So freaking lame, all the "I can be funny" geeks ruining the traditional subtlety of the April Fool joke. I should have left my TiG4 in sleep mode and stayed in bed myself.

    Wake me when it's over.

  • by r_j_prahad ( 309298 ) <r_j_prahad AT hotmail DOT com> on Monday April 01, 2002 @03:57PM (#3266978)
    # apt-get humor
    connection refused

    #
  • Ye flipping gods.. this has to be one of the most amusing April Fool's stories I've read in ages.

    The last bit of the posting is important, though:

    Please don't anybody tell the script kiddies that it will uninstall cleanly.

    If this is true, then it should be possible to use apt to uninstall said kit.

    An idea was kicked around on the Incidents mailing list (I think.. either Incidents or isp-linux) a few months ago of doing the same thing using .rpm packages.

  • Shit !! I dunno what to believe anymore !! ...
