Linux malware: an incident and some solutions
Posted Dec 24, 2009 12:49 UTC (Thu) by rickmoen
Parent article: Linux malware: an incident and some solutions
It's unfortunate that nearly all articles about Unix malware start by thrashing the same
stupid straw man about "Linux users like to think that they are not vulnerable". Any operating
system that permits the user to destroy his/her own system's security is "vulnerable" in that
trivial and rather meaningless sense of the word, and Unix furnishes the rope to hang yourself,
spare blocks and tackles, and a few rope factories and foundries in case you want to make more.
So, when has it ever not been the case that "they too should be careful"?
The .deb was "on gnome-look.org" in the technical sense that it was made available by its
third-party author at some URL of the form http://gnome-look.org/CONTENT/content-
files/[something].deb, but even a cursory look at the site should have revealed to any member of
the public that the site maintainers do effectively zero quality control, that it's an automated
"portal" where "Everyone can upload and download artwork, applications, documents and other
So, it should have been obvious that the downloaded file was from nobody in particular, for
starters -- but then there's the fact that it's a .deb, which requires root/sudo to install, and
inherently supports preinst/postinst scripts, run as root.
None of which in the least differs from Koen Vervloesem's point that "An incident like the
WaterFall malware can only be avoided when users are trained not to trust third-party software
blindly", which is well taken, but there's only so much that can be done to dissuade novice
sysadmins from destroying their systems. If they're willing to install as the root user software
from unknown parties on the Internet just so they can have "the newest screen savers, themes,
and other software to spice up their desktop", the best you can do is gently point them to the
CERT document on recovery from root compromise and say "Gosh, it hurts when you shoot at
your own foot, doesn't it?"
Even with "more software than the official repositories have", if it's not alleged screensavers,
it'll be alleged Internet poker games, alleged video codecs for porn, alleged "birthday cards", etc.
-- or various and sundry add-on Web apps.
The only way out is to keep reminding users they're responsible for whom they trust and
what processes they run, teach them not to aim that gun at their feet, and teach them how to
recognise that type of foot wound and how it got there.
to post comments)