Linux Malware raises security concerns


http://www.pcworld.com/businesscenter/article/198686/linux_trojan_raises_malware_concerns.html

lol that malware was up for a year and no one thought to check it. Good thing it wasn't business related. It seems from the description that it allowed root access.

If any of you gamers downloaded unreal you may want to check it.

... hmm ... in reading the comments it's an ircd... not the game.


That's why it's important that the package management systems like Debian's APT or RedHat's YUM all are digitally signed. Plus the fact that they're peer-reviewed/checked. It's unfortunate but I'm sure it will increase as Linux slowly gains more popularity.


It seems from the description that it was just a remote shell hole with the same permissions as the running application. I would hope that anyone with enough savvy/need to run an IRC daemon would know not to run that type of service as root, so I would think compromises would be minor. It is too bad this was not noticed/checked for so long, but I think the shift toward APT or YUM and the in-built security they provide (as firefly pointed out) makes the risk of compromise on a reasonably administered Linux system much lower than many alternatives.


They make it sound, though, like some users shut off the CRC check as they think Linux is totally safe... (kinda like those Vista/7 users killing UAC)

As firefly mentioned... with popularity comes being noticed in the malware/viral world.

Good reminder for those admins to go and turn on the checks...


> They make it sound, though, like some users shut off the CRC check as they think Linux is totally safe... (kinda like those Vista/7 users killing UAC)
>
> As firefly mentioned... with popularity comes being noticed in the malware/viral world.
>
> Good reminder for those admins to go and turn on the checks...

Turn on what checks? We're talking about a source file here... one which hasn't come from a repo but is just manually downloaded from a mirror. Checksumming is something you'd have to do manually - web browser, wget or whatever download manager isn't going to do that for you. Even now that the file is PGP-signed, people will still have to check it manually.

I don't see any mention of the compromised version being picked up by distro repositories - which of course highlights the superiority of the repository model over 'download random files off the internet'. If you get source or binary from a signed repo, your package manager checks it automatically... and NO-ONE turns that off.

Failing to check the MD5 or SHA1 of a source file downloaded manually is of course monumentally stupid (if, sadly, probably common). But it's not analogous to UAC.

UAC is a system that prompts users when a program requests admin privileges. Because a huge proportion of Windows apps assume admin privileges are available, people can end up with lots of these prompts in the course of ordinary use - and of course many of them go dial down UAC, turn it off altogether, or just run as an admin to start with.

In the Linux ecosystem, apps assume the opposite: that admin privileges are not available by default. So prompts to allow admin privileges only appear for genuine administrative tasks. Moreover, you can't 'turn off' these prompts - you can only avoid them by making yourself the root user, which is extremely rare and, by design, is beyond most people's ability.

While this *nix model (meaning it's in Unix, Linux, BSD etc.) is superior to the Windows implementation, UAC in Vista was a good idea. In Win7... not so much. One of the biggest complaints about Vista was the frequency of UAC prompts. Rather than making a big effort to reach out to developers to update their apps, Microsoft looked for other ways to reduce the number of prompts. One idea was making their own built-in programs 'trusted' by UAC. Problem is, these built-in programs (e.g. Windows Explorer) are popular targets for code injection - effectively granting anyone who wants it a free pass from UAC. The separation of userspace and system-space or admin-space (fundamentally important to security) is destroyed.

That's just one example - there are many others. But the underlying theme is that while Microsoft has made great strides towards security with Vista and Win7, they are fighting a kernel and OS which has been built to be insecure by default. Unix, Linux and BSD-based systems don't have that problem.

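The manual check the post above describes, as an added example that is not part of the thread or of any project's release tooling: a small POSIX shell script that verifies a downloaded tarball against a published checksum file and refuses a copy whose digest does not match. It uses SHA-256 rather than the MD5/SHA-1 the post mentions, since those are no longer suitable for integrity checking. The file names, the temp directory layout and the "tarball" contents are all constructed for the demo; the function itself works on any real file and a real SHA256SUMS list.

```shell
#!/bin/sh
# Added example (not from the thread): verify a manually downloaded tarball
# against a published checksum before building it, and show that a tampered
# copy is rejected. All file names and contents below are constructed.

set -u

# Portable SHA-256 helper: coreutils sha256sum on Linux, shasum on macOS/BSD.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_download FILE CHECKSUM_FILE
# CHECKSUM_FILE holds lines of "<hex sha256>  <filename>" as a project would
# publish them. The list only proves anything if it came from somewhere other
# than the mirror that served the tarball (project site, signed announcement).
# Returns 0 if FILE matches its published digest, 1 otherwise.
verify_download() {
    file=$1
    sums=$2
    name=$(basename "$file")
    expected=$(awk -v n="$name" '$2 == n { print $1; exit }' "$sums")
    if [ -z "$expected" ]; then
        echo "no published checksum for $name" >&2
        return 1
    fi
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "MISMATCH: $name" >&2
        echo "  expected $expected" >&2
        echo "  got      $actual" >&2
        return 1
    fi
    echo "OK: $name"
    return 0
}

# Constructed scenario in a temp dir: a "clean" tarball, a checksum list
# derived from it, and a "mirror" copy with extra bytes appended (the kind
# of change a trojaned archive would introduce).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

printf 'clean sources\n' > "$demo_dir/ircd-1.0.tar.gz"      # stand-in, not a real archive
printf '%s  ircd-1.0.tar.gz\n' "$(sha256_of "$demo_dir/ircd-1.0.tar.gz")" > "$demo_dir/SHA256SUMS"

mkdir "$demo_dir/mirror"
cp "$demo_dir/ircd-1.0.tar.gz" "$demo_dir/mirror/ircd-1.0.tar.gz"
printf 'backdoor\n' >> "$demo_dir/mirror/ircd-1.0.tar.gz"  # tampered copy

# The pristine copy passes; the mirror copy is refused.
verify_download "$demo_dir/ircd-1.0.tar.gz" "$demo_dir/SHA256SUMS"
verify_download "$demo_dir/mirror/ircd-1.0.tar.gz" "$demo_dir/SHA256SUMS" \
    || echo "refusing to build the mirror copy" >&2
```

The checksum list itself is only as trustworthy as where it came from; a digest fetched from the same compromised mirror as the tarball will match the trojaned file. That is why the post notes the project moved to PGP signing: with a detached signature you verify it with `gpg --verify <file>.asc <file>` against a key you obtained independently, and the signature stays valid only if neither the file nor the signature was replaced.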

Oh, and as for the idea that 'popularity == vulnerability'... Web servers are some of the most exposed computers in the world. Linux & BSD servers have owned more than 75% of that market for a long time - yet they're still regarded as more secure than Microsoft's server OSs.

The fundamental rules of security don't change just because they're being applied to the desktop. An exploit that's restricted to userspace is always going to be less dangerous than one that isn't.

- Gache

Edited by Gache

Apparently it was also in the Gentoo distro packages

http://packages.gentoo.org/package/net-irc/unrealircd

More information on this...

http://techie-buzz.com/foss/linux-unreal-irc-servers-contained-trojans-since-2009.html

My mistake in wording. It's the MD5 hash that no one checks.

My analogy to UAC is from more of a user perspective. Users in windows as you stated ignored the UAC. Didn't want to be bothered.

Users in Linux are not checking the MD5... don't want to be bothered.

