Looking At The New Linux Trojan

Da Schmiz writes: "Security firm Qualys discovered a new Linux trojan on Saturday ... details can be found on their website. Vnunet picked up the story earlier today, and then followed up with more details. They're comparing the potential impact to Code Red or worse, since more servers run Linux / Apache than NT / IIS. I don't think it's that bad, since the infection can be easily detected, but it certainly isn't good." Update: 09/08 11:58 AM GMT by H : Of course, as Kurt Siefried pointed out in e-mail: "The trojan has nothing to do with Apache. The virus attaches itself to an executable, which you must run to infect other binaries (i.e. you must run this as root). This means that infection vectors include, but are not limited to email attachments, but you must of course save the binary, then set it executable, and then run it, as root, to do any real damage. Alternatively you must download binary software and run it (again as root to do any real damage). In other words someone must run binaries of unknown origin as root, and if this is common practice then you have larger policy and education problems to deal with." So - comparing it to Code Red is a bit dubious.
  • Technical detail: (Score:4, Informative)

    by AMuse ( 121806 ) <slashdot-amuse@nosPam.foofus.com> on Saturday September 08, 2001 @04:14AM (#2266510) Homepage
    It installs a backdoor which listens for incoming connections on UDP port 5503 or higher, and allows remote attackers to connect to, and take control of, an infected system.

    Unless it also reconfigures my firewall to allow incoming traffic to port 5503 and higher and fiddles with my hosts.allow file, I'm not particularly concerned. Anyone who fails to have more than one layer of precaution on their system has a bit more to worry about.
    • by sigwinch ( 115375 ) on Saturday September 08, 2001 @04:46AM (#2266558) Homepage
      Unless it also ... fiddles with my hosts.allow file, I'm not particularly concerned.

      Whoa, cowboy! /etc/hosts.allow only affects friendly programs that bother to parse it (e.g., inetd, or programs that use tcpwrappers). An unfriendly program is free to ignore it.

      However, your advice to use kernel firewalling is sound. 'Defense in depth' is the only way to go.

    • Re:Technical detail: (Score:2, Interesting)

      by Josuah ( 26407 )
      A lot of computers are set up with loose UDP. All those computers, which are quite a few, would let incoming traffic go to 5503 if a local program opened the port.
    • Uh oh. Does anyone know how to play online games like Unreal Tournament and Quake III without opening the appropriate UDP ports to incoming packets (from the game servers, of course)? Since UDP isn't stateful, I can't use connection tracking, can I?

      I bet that if crackers do start scanning Linux boxes for this trojan, ports like 7777-7778 (UT) and 27015-27106 (QIII) will be primary targets.

    • "Anyone who fails to have more than one layer of precaution on their system has a bit more to worry about."

      Except if it's a home machine with no personal/financial information on it, is connected to a cable line that can't do any damage sending data up its 128K upstream, and is running a few rudimentary firewall, you don't have much to worry about. Some people take their security WAY too seriously.

  • This could be interesting- It'll be interesting to see if just because there are more linux/apache servers out there, that means this thing will spread more and do more damage than Code Red. Or perhaps the linux machines will be better maintained than the NT machines.. We'll see.

    • No, it won't be very interesting, unless if a whole lot of Linux users decide to run random binary attachments all of a sudden. This trojan is not propagated in the same way as Code Red at _all_. Code Red was a worm, this is a trojan. It doesn't self-propagate at all.
      • not only do the linux users have to be braindead
        enough to run binary attachments, presumably
        they would have to be reading their mail
        as "root" to infect appropriate files.

        i certainly dont read my email as root.
      • I agree. Even the article tried to hint that this could be as bad as Code Red, but that's simply bogus...

        Code Red required no action on the part of the user/administrator other than having an unpatched system. This requires someone to be careless.

        This is further mitigated by the fact that, likely, the majority of infected machines won't be infected with full root access, rather it would be some random unprivileged user who infected the machine.

        And even further, compare a typical Linux administrator to a typical NT administrator. 'nuff said. We patch our boxes, read security bulletins, run firewalls, and don't run random attachments.
        • No kidding!
          The article even mentioned (more than once) Apache and how many servers on the net run it.
          So what? Unless I missed a paragraph, Apache has nothing to do with it!
        • Security is hard stuff to get right no matter how diligent you are. Let's not overestimate the average Linux admin. I've got examples (myself included) of people who hadn't learned everything they needed to know before putting a Linux box into a dangerous position. However, I will grant you that Linux is just by nature harder to exploit with this sort of thing. I almost have to think this is a proof of concept to demonstrate to the world how ineffective an email-based virus is on a Linux platform.
  • I'm just waiting for the first linux worms which install a trojaned copy of gcc (see "trusting trust").
    • Original here: http://www.acm.org/classics/sep95/
      Description here: http://www.tuxedo.org/jargon/jargon.html#back door

      BTW, why is slashcode telling me I've violated the postercomment compression filter when I attempt links?
  • The Trojan contains self-replicating virus-like capabilities and has similarities to the Windows-based Back Orifice tool, putting Linux boxes at risk of remote control.

    Ok, does anyone remember Back Orifice as being a major threat to the Windows operating system world? The only people that have the potential to be infected by this new virus are those that are dumb enough to run the program. If you get an email from someone, and there is an attached program to it, most people wouldn't run it. I don't think that this virus has any potential to be a threat because Linux users are generally smart enough to not run every program that they get sent to them.
    • I don't think that this virus has any potential to be a threat because Linux users are generally smart enough to not run every program that they get sent to them.

      Well if you're aiming at getting linux to the desktops then you're clearly aiming to get a good userbase of such "dumb" people. Those who come from a M$ background might be used to running email attachments (probably even cribbing on why can't it run automatically) So such trojans can cause a havoc and scare away such users.

      • Windows has hundreds, if not thousands of different trojans and email viruses that have been written for it. Not every one of them gets to be as widespread as the 'I Love You' virus or Code Red, but nonetheless they exist. The fact that there exists a poorly written email virus/trojan for the Linux operating system is not a true threat and really shouldn't deter anyone from using Linux. No matter what operating system you use, the threat of malicious code will exist.
  • Come on, the impact will be minimal or not at all. Although theoretically you COULD run this email attachment if you receive it, how many Linux users are stupid enough to do that? Technically Linux is just as susceptible to these things as M$ Windows, but we have one big advantage: the majority of Linux users are not morons around computers.
  • This really doesn't seem like a big deal. The virus does not hide very well; it modifies executable files, creates a file in /tmp, only runs as the user that executed the virus. Although it has potential to spread easily; how many *nix users run arbitrary code (attached executables in e-mail)?
  • by Anonymous Coward
    Hmmm...I went to read the story there, and when the page loads *bammo*; there's a pop-up ad for M$ server obscuring the page ... and since I'm not running gator (or equivalent), I'm pretty sure that's from the site itself....
    Needless to say; not trusting the source, I skipped that particular article.
    Has anyone else had that happen with that site and that story?
  • by BrookHarty ( 9119 ) on Saturday September 08, 2001 @04:25AM (#2266529) Homepage Journal
    It says initially surfacing in the /bin directory, ok what file? What distro? What rpm? What .tgz do I have to watch out for? Little more info please. I don't know that any unix admin who would run /bin utilities that they get off the Internet, maybe source, but not binaries.

    This is no way as bad as Code Red, Code red self replicated on unpatched servers. This trojan will not replicate without a user doing it. Sheesh, bad journalism.
    • I don't know that any unix admin who would run /bin utilities that they get off the Internet, maybe source, but not binaries.

      Oh yeah? What about a (for example) debian admin who does "apt-get update" or whatever and theoretically has a trojan "ls" installed as an update.

      • that would imply that the debian servers were some how compromised. this is not impossible, but fairly unlikely.

        that would be like installing a patch from microsoft that was infected with a virus.

        most people have to trust someone and for those who dont there is always the sourcecode.
        • For basic, non-security updates, I hit one of the mirrors for all my apt-get fun. While it may be unlikely that one of the main debian servers would be compromised, I wonder if the mirrors wouldn't be more vulnerable...

          I guess these are the chances we take in binary upgrades, but I'm not sure that source would be much more safe, at least for those of us who don't personally audit every single source update we do (I know I don't have the time).
  • by Tregod ( 441880 ) on Saturday September 08, 2001 @04:26AM (#2266531)
    "...a guard at the top of the castle gates spots something in the distance, just beyond the walls. What could it be? It's...a giant wooden penguin! Immediately, guards from different corridors of the castle rush to perceive what appeared to be a gift from the gods. All at once, they hoisted the behemoth bird onto a makeshift wagon and hauled it within the castle. After much celebration and talk of good tidings, the kingdom lay its head to rest. Later on that night, the wooden bird's bottom opened, releasing thousands upon thousands of Bill Gates' shock troops, sent to terrorize the castle and townspeople."
  • That Code red "easily detected and patched"?
    The real problem is stupid sysadmins, how many servers (or computers in general) out there are susceptible to exploits that are years old..

    Damn, some skript kiddie tried to hack my box but had the netbus server running on his box. It was kinda amusing for a while there..
  • Since the virus runs as the user who executed it, the chances of it causing havoc on a web server (like code red did) are minimal. Even on a normal linux box, the admin will be smart enough not to run an email attachment (it's not as simple as double clicking to run it) and if some "dumb" user runs it then it's no big deal. The system isn't compromised.

    But this could be a big issue when linux is used in offices (where the "dumb" people work) not everyone is a *nix guru.

    • Since the virus runs as the user who executed it, the chances of it causing havoc on a web server (like code red did) are minimal. Even on a normal linux box, the admin will be smart enough not to run an email attachment (it's not as simple as double clicking to run it) and if some "dumb" user runs it then it's no big deal.

      I was going to post something to the same effect. Thanks for beating me to it. :) Anyway, certainly having a multiuser environment and reading your mail from a most unprivileged account would provide *some* protection, but what about those executables that have the "sticky" bit set and run with higher authority? Could the trojan use those to compromise the system?

      • Anyway, certainly having a multiuser environment and reading your mail from a most unprivileged account would provide *some* protection, but what about those executables that have the "sticky" bit set and run with higher authority? Could the trojan use those to compromise the system?
        It's the setuid bit, not the sticky bit you need to worry about. Sticky bit on a regular file was a way of old to keep such executables in VM instead of having them flushed. (On directories, it means only the owner of a file in the directory or root can rename and delete the file, even if other users have write permission on the directory.)

        Quoth chmod(1):

        On older Unix systems, the sticky bit caused executable files to be hoarded in swap space. This feature is not useful on modern VM systems, and the Linux kernel ignores the sticky bit on files.

        And, yes, vulnerable setuid executables can be run by local users to compromise the system in such that unauthorized remote administration is possible. This can happen either through the user's evil intentions or by a trojan.

        That's why it's necessary to patch locally exploitable programs, and good security practice to unsetuid things that don't need to be setuid (eg., the 'mount' executable on a system such as you described has no business being setuid)

        Also, firewalls that only allow connections to be initiated to needed services can be of assistance. Apparently such a firewall would help in this case, but an attacker can set up a remotely initiated proxy or kill off the real daemon that's supposed to be running and replace it with a 'custom' version.
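The setuid/sticky distinction drawn in the comment above, as an added example that is not part of the original thread: a small audit that walks a tree and reports regular files carrying the setuid or setgid bit, while ignoring the sticky bit. The function names, the `expected` allowlist and the sample tree are assumptions made for illustration.

```python
import os
import stat
import tempfile


def special_bits(mode):
    """Name the special permission bits present in an st_mode value."""
    names = []
    if mode & stat.S_ISUID:
        names.append("setuid")   # runs with the file owner's uid
    if mode & stat.S_ISGID:
        names.append("setgid")   # runs with the file's group
    if mode & stat.S_ISVTX:
        names.append("sticky")   # on directories: restricts rename/delete
    return names


def audit_tree(root, expected=frozenset()):
    """Report regular files under root that carry setuid or setgid.

    The sticky bit is deliberately not reported: it grants no extra
    identity to the process. `expected` is a hypothetical allowlist of
    paths the administrator has already reviewed.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # do not follow symlinks
            except OSError:
                continue                     # vanished or unreadable entry
            if not stat.S_ISREG(st.st_mode):
                continue
            bits = [b for b in special_bits(st.st_mode) if b != "sticky"]
            if not bits:
                continue
            findings.append({
                "path": path,
                "bits": bits,
                "owner_uid": st.st_uid,      # 0 means the file runs as root
                "writable_by_others": bool(
                    st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)),
                "expected": path in expected,
            })
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree(root):
    """Create a constructed sample tree; return the path of its setuid file."""
    plain = os.path.join(root, "plain")
    helper = os.path.join(root, "helper")
    spool = os.path.join(root, "spool")
    for path in (plain, helper):
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
    os.chmod(plain, 0o755)
    os.chmod(helper, 0o4755)                 # setuid to the file's owner
    os.mkdir(spool)
    os.chmod(spool, 0o1777)                  # sticky directory, like /tmp
    with open(os.path.join(spool, "note"), "w") as fh:
        fh.write("constructed sample\n")
    return helper


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for finding in audit_tree(tmp):
            print(finding)
```

Pointing `audit_tree` at a real directory such as `/usr/bin` and comparing the result with a reviewed allowlist gives the list of candidates for removing the setuid bit.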

        • And, yes, vulnerable setuid executables can be run by local users to compromise the system in such that unauthorized remote administration is possible. This can happen either through the user's evil intentions or by a trojan.

          However, last time I looked, the user requires root privileges to make the file setuid root. And you can't copy setuid root files from one place to another as a non-privileged user whilst retaining the setuid bit.

          So no, this bit is not a concern when combined with trojans, given reasonably normal security practices.

  • Cute kittens (Score:3, Insightful)

    by Graymalkin ( 13732 ) on Saturday September 08, 2001 @04:31AM (#2266541)
    The problem with saying "oh yeah this is easy to detect/fix" is that you're not looking from the standpoint of non-linux geeks. I've never really had a problem with trojans or virii on any of my Windows machines because I know how not to pick them up. They're headaches because most people don't know how to avoid them. The same goes with all the people who picked up a copy of RedHat and run around as root because they don't know any better. Linux is only as secure and efficient as the people using it. Weenie.
    • I have seen less and less people trying to IRC as root, trying to use root all the time, etc... The distribs I have used in recent years RH and Debian (don't remember what Slack did) ask you to create a user and that you use that...

      People running around as root are probably not going to get an email attachment, change it to a binary and run it... I would wonder if they would even know how to do that.

      The other point is that most of the Linux community is well informed. It would be a lot less of a problem b/c we know what the hell is going on. If you see something odd happening you would immediately fix it.

      Knowing what port it runs on, etc is all helpful information that will stop most of the attacks from happening.
      • You make good points but none of them are worth a shit. You do not take into account all of the people who watch TechTv and were told by Leo Laporte that running Linux was a cool and smart thing to do. These people know shit about computers but found themselves a Linux for Dummies book and actually got RedHat or Mandrake installed on their system. I don't give a fuck about this particular trojan but I was making a point about all of the linux users that DON'T know something odd is happening. Do you really know what every single line in /var/log/messages actually means? And saying the linux community is well informed is the most bullshit thing I have ever heard of. The people that run around in root will find a way to run some foreign program that they got in their mail. The next trojan will be sent as an RPM or be in a tar.gz that gets included by a rogue header. You wouldn't recognize a trojan out of thousands of lines of code, don't give yourself that much credit. The Linux community is the most pompous overzealous group of computer users I have seen in a long time. They are NOT well informed they are well hyped.
    • Whatever! (Score:3, Interesting)

      by Jason Earl ( 1894 )

      In other words this trojan is likely to affect the vast hordes of Linux users that always log in as root, use their Linux box to read email, and who automatically install and run binaries that they receive off the Internet.

      All five of them.

      Seriously speaking, this is one of those areas where Windows users see how easy it is to use email to trick Windows users into triggering trojans and they figure that Linux must be similarly vulnerable. It isn't.

      First of all, most Linux users, even new Linux users, don't do much of their work logged in as root. In Linux it is trivial to use su or sudo to become root as necessary, and this particular trick is one of the first that most Linuxers learn. Second of all, Linux does not make it easy to run foreign executables. No Linux client I can think of allows you to simply click on an attachment and automatically run it. Besides that, even if the person does run the executable how does it spread? Windows email viruses rely on the fact that they can programmatically access the Outlook address book. Even Windows users who use Eudora or Netscape Messenger are immune to this trick. Under Linux the question of how the trojan is going to email itself to my friends is even more difficult. There are literally hundreds of mail clients that see active use. Your trojan would need to parse many different kinds of text based address books (heck, there are probably three different Emacs packages that one could use as an address book).

      And when all was said and done the chance of this trojan spreading are nearly nil. After all, even if one Linux user got infected, and the trojan successfully mailed itself to 200 of his closest friends chances are good that very few of these friends would be running Linux, and chances are even better that none of those friends running Linux would be similarly vulnerable (or nearly as dense). The trojan would refuse to spread, and that would be the end of it.

      Comparing this trojan to the Code Red worm is laughable.

  • "but it certainly isn't good"

    Ya think?!?
  • by ASCIIMan ( 47627 ) on Saturday September 08, 2001 @04:40AM (#2266554)
    Now we know why slashdot has been down so much the last couple days.

  • At this time, the Remote Shell Trojan source code is not known to be available.

    This...thing violates the GPL and everything Open Source stands for! They could sell it commercially, and not even contribute back to the code base! That's just so, so, so non-Stallman that it makes my middle finger itch!

  • I thought not. So what platform is this for? x86?

    So this thing infects Linux running on a specific platform, and only when the victim decides to run a strange, unknown binary attached to an email.

  • by Xenna ( 37238 ) on Saturday September 08, 2001 @04:48AM (#2266562)
    For starters to get infected with this animal requires activity on the part of a user on the Linux box.

    Code Red required no user activity at all. A typical orphaned Linux box standing around in a corner would not be at risk, the same machine running IIS would have been a sitting duck for CR. There are a lot of orphaned servers out there with standard Redhat or IIS installs. These are the real danger. Any remote-root security holes on these populations are cause for real concern.

    I don't know if I'm typical or not, but where I work, Linux is used on servers (yup, I'm responsible for that) but we hardly ever read our mail on a Linux box. We use a Windows platform for that. So -> no risk.

    I'm thinking a Linux desktop user would be a better victim for this. Fortunately, hardly anyone uses Linux on the desktop so we're all safe!

    • This "virus" is just an exploit. A successful virus most often takes advantage of a chain of exploits.

      The next remote hole that pops up can be combined with this technique to produce an interesting effect.

      1. cause remote hole
      2. infect with "worm/backdoor/trojan/whatever"
      3. rinse repeat
    • I'm thinking a Linux desktop user would be a better victim for this. Fortunately, hardly anyone uses Linux on the desktop so we're all safe!

      They'd also need to be running as root.
  • Maybe I'm missing the point, but Code Red was a MAJOR problem as it was able to use a remote IIS exploit to gain the permissions it needed. Thus it was able to make full use of computational speed to replicate (no user interaction required).
    This trojan needs users to individually execute it, AND those users need privileged permissions for it to have a major effect. This will not result in the massive waves of infection that we saw with Code Red.
    Hell, all linux needs now is to make friendly software that installs this easily ;-)
  • Why should I believe this Qualys firm? They do not say where they found this code. They do not even mention that someone else found this trojan. It seems a little unlikely to me that the first appearance of a trojan would be at a security firm, unless it originated there.

    Most important though, they do not show an actual binary which allows me to verify their claims. The only thing they give me is a detection program, I would check THAT for trojan code if I were you! Actually the detection and cleaner program come in source code, and appear to be what they claim to be after a quick glance.

    • Yep, I've thought for a long time that the anti-virus software companies have a lot to be gained by writing viruses themselves (I'm using a loose definition of the word 'virus' here).

      A few years ago I was perusing the virus database of a large anti-virus company. They categorised virii in various ways, and one of the attributes was where it had been found. The majority were 'laboratory only'.

      Now, what does that mean? If it's only been found in the 'laboratory', then it must have been created there.

      I'd be delighted if someone who knows can enlighten me as to what 'laboratory only' really means.
      • Just a WAG here, but it could be that many virus writers just write them for fun and fame. Write a quick virus, put in your name or the name of something you are interested in, send it off to the virus labs from an anon account, and you are in a virus database ad infinitum. No real harm done.
  • "The Trojan is most dangerous if it is executed by a privileged user as it inherits the credentials of that user, effectively allowing it to take full control. "

    "Qualys also warned that the size and scope of the Trojan could be massive. Over 58 per cent of websites worldwide currently use Apache servers for which Linux is the most popular platform"

    Any sysadmin opening a bin on an production webserver deserves all he gets.
    Plus the fact that most FW/routers will block the incoming udp connection makes even an infected box "safe"
  • void main() {

    }

    There, I just wrote myself a new "Linux Trojan". The thing is, a "New Trojan" is actually nothing new at all. Basically, all you need is a bit of code that seems useful to the user, a bit of code that the user never gets to see, and a user to run it. I can write a perl script that will happily crank out "New" trojans by the trillions. Disk space is the pure limit to the number of perfectly unique "Linux Trojans" I can make.

    I know a lot of people will use FUD like this to point out that Linux has its flaws too, but that is complete garbage. A trojan is not a threat to a competent user on a machine with even the barest levels of user authentication and security. It is only a threat to the naive or the foolish.
    • Or, check out my more advanced trojan:

      int main() {

      return doStuff();

      }

      Can't even see it ;)
    • How many times...?

      main() RETURNS INT!!!

      Stop reading Schildt.

      Now write both of the following declarations out 100 times each.

      int main(void);
      int main(int argc, char ** argv);
  • Give me a break... (Score:3, Interesting)

    by toupsie ( 88295 ) on Saturday September 08, 2001 @04:59AM (#2266578) Homepage
    I have 12 to 24 hits a day from unique IPs that are Code II/III probes (hundreds all combined). To compare this worm/virus/trojan to Code Red is just plain old marketing hype. Linux to me is a server OS (quickly ducks). I use Mac OS X as my desktop OS -- it's a personal thing (Darwin + Quartz + Aqua + X > Linux + X). The last thing I would do is open an e-mail attachment on a server that doesn't receive or need e-mail (duh). Code Red didn't need e-mail, it just needed a newbie with Windows NT/2000 w/ an unpatched IIS installed to spread -- which most of my probes come from (at least what nmap tells me).

    This really is a non-story. Anyone that has the skill to install Linux would know better than to execute this sort of attachment.

    Offtopic: We need a Slashdot Virus Pool for the first distributed threat to Apple's Mac OS X. I am guessing May 16, 2006.

  • Just for the hell of it I tried the tool that they provide to test for it.

    Well it would not run, as it said that this exploit does not work with IP addresses with 0 in it, weird.

    Plus you need permission to write to the /bin directory, normally only root can do this. And if someone is running as root they may have many more problems than just this trojan.

    Just seems a spin to "ready" the Linux market for their anti-virus ware IMHO.

  • everytime a Trojan comes out, people blame it on dumb users, on unsecure OS's, etc. I don't see anyone blaming the author of the Trojan.

    I say, find the author and prosecute him.
  • Just pointing out the obvious for those of you who might have been fooled by the summary's language:
    Contrary to what the summary hints at through the mention of Code Red, and Apache, this is not an Apache worm. It's a trojan that you actually have to execute yourself in order to be infected. Thus, if you don't blindly execute e-mail attachments, and download programs from untrusted sources, you should be safe. Moreover, the trojan is rather primitive and doesn't try to manipulate the file modification dates to hide its presence. Thus a simple ls -ltrc /bin and ls -ltr /bin should reveal its presence.
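The check suggested in the comment above, as an added example that is not part of the original thread: `ls -ltr` sorts by modification time (mtime) and `ls -ltrc` by inode change time (ctime), and this sketch reports files where either is newer than a cutoff. It goes one step beyond the case described, also flagging files whose mtime is old but whose ctime is recent, since ctime cannot be set back with `utime()`. The function names, the cutoff parameter and the sample files are assumptions made for illustration.

```python
import os
import stat
import tempfile
import time


def classify(st, cutoff):
    """Compare one stat result with cutoff (seconds since the epoch)."""
    if st.st_mtime > cutoff:
        return "modified"     # contents written after cutoff; ls -ltr shows it
    if st.st_ctime > cutoff:
        return "ctime-only"   # inode changed after cutoff but mtime is older:
                              # chmod/chown/rename, or an mtime that was reset
    return "unchanged"


def recent_changes(directory, cutoff):
    """List (name, verdict) for regular files changed after cutoff.

    Results are ordered oldest change first, newest last, which is the
    order `ls -ltrc` prints them in.
    """
    rows = []
    for entry in os.scandir(directory):
        st = entry.stat(follow_symlinks=False)
        if not stat.S_ISREG(st.st_mode):
            continue
        verdict = classify(st, cutoff)
        if verdict != "unchanged":
            rows.append((max(st.st_mtime, st.st_ctime), entry.name, verdict))
    rows.sort()
    return [(name, verdict) for _when, name, verdict in rows]


def build_sample(directory):
    """Create constructed sample files standing in for a bin directory."""
    backdated = os.path.join(directory, "ls")
    fresh = os.path.join(directory, "login")
    for path in (backdated, fresh):
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
    # Put the mtime of one file back to 8 September 2001. The kernel still
    # records the moment of this call as the file's ctime.
    old = time.mktime((2001, 9, 8, 0, 0, 0, 0, 0, -1))
    os.utime(backdated, (old, old))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        one_hour_ago = time.time() - 3600
        for name, verdict in recent_changes(tmp, one_hour_ago):
            print(f"{verdict:11} {name}")
```

On a real system the cutoff would be the time of the last known-good install or package update, and anything reported after it is a file to compare against the package's own copy.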
  • Nothing but sensational trash. It is nothing like Code Red. I'm not an expert, but from the shabby detail in the article I can see several reasons:

    • Market share - vulnerable installs of Linux are not widespread enough to reach a critical mass. CR became huge because every second host practically was running a vulnerable install. (So I exaggerate the number - but evangelism aside, there aren't THAT many vulnerable hosts out there.)
    • No scanning attack - it stays on the local system
    • No privilege elevation - it's only a user level root shell. Someone could potentially upgrade that via another buggy daemon or a ptraceable kernel, but otherwise you are limited to Jim Bob's shell. Still a concern, but not as bad as r00ting.

    They shouldn't compare it to Code Red. CR was a disaster because a company called Microsoft encouraged people to install trash software that shouldn't have passed QA.

    They should instead compare it to, say, an Outlook virus because it spreads via email:

    The replication process of the Remote Shell Program can only effect binary files within the access privileges of the user who launched the originally infected program.

    Have a read of Michael Parenti's Monopoly Media Manipulation [michaelparenti.org] and see how many of the points you can spot in press release.

    A lot of sensational bollocks.

  • by hebble ( 35128 ) on Saturday September 08, 2001 @05:17AM (#2266604)
    First: why is Apache mentioned AT ALL? It sounds like this thing only "spreads" (if you can even call it that) when someone is brain-dead enough to READ their EMAIL as a user who can WRITE to IMPORTANT BINARIES! That has nothing whatsoever to do with Apache. Is it just to support the idea that there are a lot of Linux servers?

    As virii go, this is pretty pathetic, and prompts one to question the competence of anyone who thinks it is significant. The email-vector mechanism can't even take advantage of address books, since Unix mail clients are so far from standardized.

    • As virii go, this is pretty pathetic, and prompts one to question the competence of anyone who thinks it is significant.

      Careful. Sometimes it's the simple ones that are most effective.

      Hi! I'm a sig virus! Please copy and paste me to your signature file so that I may propagate!
      • No, this trojan is literally pathetic. Basically if you run it as root it would wreck your day. Big whoop, who runs foreign executables as root?

        In other words this trojan is no more dangerous than the following two line super sh trojan.

        /bin/rm -r /*

        I could send that out in a million emails with the subject line of "Click here for a good time." and no one would end up with an erased hard drive.

        Now, it certainly is possible that this trojan could be combined in a very deadly fashion with the next Linux remote root exploit. But what's the point. Why in the world would you need a fancy back door tool to remotely control a Linux box? It would be easier just to install a hacked version of the sshd daemon that didn't ask for a password for user "m@ster". Once you've got root on a Linux box there's plenty of remote admin tools already installed.

        • "...simple ones are the most effective.." followed by a sig with a so-called virus pleading the user to propagate it via direct action (copy and paste to their own sig). Joke.

          Granted - the whole situation is a bit of a joke.

  • by phaze3000 ( 204500 ) on Saturday September 08, 2001 @05:24AM (#2266615) Homepage
    It also installs a backdoor in the infected host, listening on UDP port 5503 or higher. An attacker could connect to this port via TCP

    Wait, so it listens on a UDP port, but it can be compromised using TCP? Do the people that analysed this actually bother proof-reading, or do they simply not understand what they write??

  • by AftanGustur ( 7715 ) on Saturday September 08, 2001 @05:32AM (#2266624) Homepage

    Why on earth do people think that this code can infect machines remotely over the Internet ? Does it say so anywhere in the article ?? No !!

    From the article:
    The so-called Remote Shell Trojan spreads through email as well as replicating itself across the infected system.

    It's simply a trojan that you will have to get in mail or on a floppy and execute YOURSELF.

    Then it will infect other executables on your system, but in no case will it be able to infect any other systems without human assistance (i.e. executing a binary on that computer).

    Whoever thought this is even remotely as scary as Code-Red is in need of some serious medication.

  • by friscolr ( 124774 ) on Saturday September 08, 2001 @05:38AM (#2266631) Homepage
    Advisory # 44526



    The Really Silly Command Virus identified by Blackant Systems has the potential to remove all files from a hard drive. It was recently spotted in the wild a few days ago when a junior sysadmin logged in as root on a production server and executed a shell script he had been emailed from a user known only as script_kiddie@hotmail.com.


    Given a detailed analysis of the source code behind this virus, it is possible that the Really Silly Command Virus may eventually mutate into a self-propagating worm.


    Blackant Systems recommends that every sysadmin who would run shell scripts from untrusted parties be shot.

    In order to determine if your email may contain this new virus, please look for the following first few lines in a shell script:

    #1337 script by script_kiddie!!!
    #props to all my homies!!!!
    rm -rf /

    #this doenst seem to work yet...
    mail $0 $1

    If you find a file with similar lines, do not execute it on your server, but remove it immediately. Blackant Systems will be releasing a utility to identify stupid sysadmins shortly.

  • What counts (Score:4, Funny)

    by Faux_Pseudo ( 141152 ) <Faux.Pseudo@ g m ail.com> on Saturday September 08, 2001 @05:39AM (#2266632) Homepage
    I don't mind if there are trojans and virii for linux as long as they are GPLed and Open Source.

    I'm sorry but I felt it had to be said even if I lose karma
  • by nagora ( 177841 ) on Saturday September 08, 2001 @06:36AM (#2266682)
    ...if he can throw virus alerts all the way from Redmond.

    This "alert" is clearly bought and paid for by MS. The idea that a machine running Apache is "vulnerable" to a trojan that depends on a superuser saving and running an email attachment of unknown origin (or a normal user somehow setting the suid bit on the attachment) is so stupid that it can't be stupid: it must originate with someone that has a vested interest in spreading FUD.

    Let's see now, who do we know that doesn't like Linux, is having a major launch of a new version of their OS and is known for sponsoring "research" that shows that Linux is the tool of the Devil? Hmm.... Is it Bill, the mild mannered janitor? Could be, could be!


    • Do not attribute to malice what can be explained by stupidity.

      Whoever wrote this article is just plain silly!
      • I would normally agree but in this case the level of stupidity is too great to credit. It is more likely that they did it off their own bat rather than actually being paid by the Beast, but no security expert would really rate this trojan as a threat unless they were biased.

        Plus, M$ has a track record of this sort of thing.


    • The idea that a machine running Apache is "vulnerable" to a trojan that depends on a superuser saving and running an email attachment of unknown origin

      Indeed. Ironic, isn't it, that this is essentially what the majority of Outlook users do when funky stuff appears in their e-mail boxes.

      Interesting how the author of this warning is attributing the same level of intelligence to Apache sysadmins as one attributes to a donut-eating secretary who festoons her machine with screen-mates and horsehead screensavers.

      I noticed also that the first pop-up ad which hit me after I opened the article at vnunet.com was for Microsoft's Enterprise Server software. And Vnunet's logo has the same font and feel as the top of a page at microsoft.com.

      This feels like a M$ publicity stunt. It's time to shut the bastards down somehow.

  • by bgarcia ( 33222 ) on Saturday September 08, 2001 @06:56AM (#2266706) Homepage Journal
    Harry: Just a few more lines to be debugged, and it'll be finished!

    Cindy: Oh Harry, You're so smart! It really turns me on!

    Harry: Oh wow!

    Cindy: As soon as you finish that, I'll think up something to allow us to Celebrate!

    Harry: Oh, WOW!!!

    <horse braying>

    Singers: "TROJAN MAN!!!"

    Trojan Man: Looks like you two are planning to... exchange private keys?

    Harry & Cindy: Well... Uh... I don't...

    Trojan Man: Try new Linux Trojans! The Condom for the virus conscious!

    Harry & Cindy: Thanks Trojan Man!

    Trojan Man: My job is done here!

    <horse braying>

    Trojan Man: Yes, we'll find a filly for you some day...

    Hey, geeks can dream, can't they?

  • 1) You have to be reading your email as root (unless of course you're stupid enough to have some other user write access to /bin files)
    2) You have to download, chmod +x and run a binary program from an email, presumably one that doesn't come from someone you know
    3) You have to be stupid enough not to notice that /bin/ls was changed seconds after executing said binary


    Can anyone say "stupid man's trojan"?
    • That's a really dumb `ls` replacement if it doesn't notice when it's being run on itself and give false information back about its last modified time. (Like just look in the same directory and give the same date/time as 'cp' or some such)
  • We all saw hundreds/thousands of attempted Code Red attacks. We got hundreds of sircam emails. Has anyone seen a single instance of this trojan arrive in their email?

    As has been repeatedly pointed out, it would take a complete idiot to save an unknown binary file, chmod it, and run it as root. But you would have to *get* the binary before you could do that. Most of the talk about Linux virii and trojans is very hypothetical. Independent of all the theoretical reasons why they don't occur widely on Linux there is the empirical fact that there has never been anything affecting the same percentage of Linux systems that Code Red or Sircam did for MS products.

    This case seems no different. All the hype is little more than a scam by an anti-virus software company.

  • The typical newbie does run as root all the time and claims that although 30 years of accumulated sysadmin wisdom says never run as root it's different because he knows the risk he's taking and it's acceptable. Said typical newbie also tends to give all his friends accounts on his system (Oh! I've got a multi-user system! I'll give all my friends accounts!) Said typical newbie usually changes his thinking after the first few times his system is compromised and used to store and forward gigabytes of live goat porn.

    Comparing a few newbies potentially being stupid enough to run an executable received in E-Mail as root to Code Red is quite a stretch.

  • Impact on Linux (Score:4, Insightful)

    by Registered Coward v2 ( 447531 ) on Saturday September 08, 2001 @10:13AM (#2267094)
    To me , the real issue here is whether this trojan will have much of an impact on Linux boxes, but its impact on people's perceptions of Linux.

    If the popular media picks up a story that "LINUX USERS FACE DEADLY TROJAN (film at 11)", it will help create a perception of vulnerability, and it's a small step to go to "and since Linux is freely distributed, who knows what can lurk in that copy you download..." While techies familiar with Linux will have a reasonable grasp of the true threat and how to overcome it, what about the decision makers who are deciding what to implement at their companies? The ones that set budgets and decide what IT will implement (and IT may not have much of a say in the decision) will remember "Linux - oh yeh, that's the system that got hit with that DEADLY TROJAN."
  • Perhaps I'm stupid for not buying Qualys virus checker but this whole thing sounds bizarre. What is the subject of the email? What does the email say?

    I have tried many of the linux email programs at one time or another--pine, elm, mutt, postilion, balsa, tk-rat, kmail, evolution and sundry others too numerous to recount. And let's face it people, for proper email viruses you need an advanced Microsoft email client. Outlook is a good example.

    First there is the problem of automatic or almost automatic execution. Linux email clients have not yet achieved the same optimistic attitude towards code in email attachments as Outlook. However, anyone who has used Linux is already familiar with this and I do not need to elaborate.

    Then, because Linux lacks any sort of standards (http://microsoft.com for more information), there is no easy way to send emails out to everyone on the person's list. The easiest thing would be to use perl. But even this poses problems and the Qualys guys don't mention anything about perl or how it sends the emails out.

    Personally, I really doubt Qualys knows what it's talking about. Look at how many times [google.com] Qualys has been talked about in the context of linux. Compare that to a reputable Linux endeavor. [google.com] :P By the well-known usenet-troll formula, Qualys is on its last leg.

    And also... Any security company should know that the only way to clean an infected computer is to reinstall. Installing more closed source software on top of the closed source virus seems like a silly thing to me.

    (Not that I think Qualys would deliberately do something wrong but they don't seem competent enough to analyse this virus thoroughly or program a bug free fix).

  • Non-issue (Score:2, Insightful)

    by praedor ( 218403 )

    This is no more an issue than is the "threat" of linux-based viruses. C'mon. Only a complete IDIOT would "infect" his system with this sort of virus/trojan.

    Linux COULD be affected by a virus IF root ran a virus-infected app or if one of the linux office suites develops a hole-laden macro system ala Word - IF that macro was run as root.

    This is no threat or problem to any linux system except those few morons who do everything as root and would actually download and run an unknown application off the net as root.

    This is a sham. This is FUD. This is either an M$-supported FUD or an attempt by some bozo to get web hits and, as another poster mentioned, harvest email address. Hello spam!

  • by Oestergaard ( 3005 ) on Saturday September 08, 2001 @10:58AM (#2267230) Homepage
    Notice how ordinary communication paths are re-named to "infection vectors" to make them sound technical and dangerous - way to go Hemos ;)

    Anyway, it will be fun to see if the crap media picks this one up "uh no! a worm on Linux, we always knew it would happen! we haven't seen it yet, but someone mentioned it may get worse than CodeRed!"

    But I'm really happy /. warned me - otherwise I might just have saved the program, marked it as executable, su'ed to root, and run it on my main web/ftp servers or the firewalls. Yeah, right...
  • Wait a second... (Score:2, Interesting)

    Hmm, at least they provide binaries for a scanner and cleaner that you can download [qualys.com]. Just run those as root, and... Oh! Wait a minute! :)

    (In all fairness to them, they do provide source alongside the pre-compiled binaries, so the security-conscious can audit the code and recompile.)

    This reminds me a lot of a rant [linuxmafia.com] or two [linuxmafia.com] by Rick Moen [linuxmafia.com] of SVLUG [svlug.org] fame. The main problem is sysadmin inexperience. Granted, you can still trash your own files (and lose all your user data), but the system will be safe. So just run untrusted executables as a different, non-privileged user, if you must run them at all.

  • How dumb are you? I guess if you are a newbie you may fall to this (if you're that dumb you probably should not be using computers in the first place). But most experienced Linux users are not going to download an attachment to an email and then run it as root without knowing what it does. I know I wouldn't.

    This is different than just say opening your mail program and going to the inbox and reading a mail that wipes your hard drive like the "I Love You" Windows virus did.

    Or better yet the code red which attacked web servers by causing a buffer overrun.

    Yeah that's that same thing. And I'm Joe Isuzu

  • "I don't think it's that bad, since the infection can be easily detected"

    Uh, if I remember correctly, all you had to do to find out if you had the Code Red worm was look for a text file in the root of your machine. That, and there was an executable for people too brainless to do so. How was Code Red not "easily detectable"?

  • Slashdot's group consensus seems to be that this trojan has no chance of spreading.

    I politely disagree.

    With the spread of easy-to-install Linux systems, people with relatively little technical knowledge have installed Linux. These people are the ones most likely to fall for the trojan.

    The only question... how could they get a list of newbies?
    • With the spread of easy-to-install Linux systems, people with relatively little technical knowledge have installed Linux. These people are the ones most likely to fall for the trojan.

      It is easy for a newbie to install Linux. Using a Linux box as your email client requires about 20x times more savvy.

      Not to mention this virus requires active participation to spread, while Code Red did not.

      This is not a threat.
  • probably mark every reply down as "redundant". don't even know why I bothered to read it.
