
Linux Trojan Raises Malware Concerns (PCWorld)

PCWorld looks at a backdoor in Unreal IRC, an Internet relay chat platform for Linux. "An announcement on the Unreal IRCd Forums states "This is very embarrassing...We found out that the Unreal3.2.8.1.tar.gz file on our mirrors has been replaced quite a while ago with a version with a backdoor (trojan) in it. This backdoor allows a person to execute ANY command with the privileges of the user running the ircd. The backdoor can be executed regardless of any user restrictions (so even if you have passworded server or hub that doesn't allow any users in).""

Linux Trojan Raises Malware Concerns (PCWorld)

Posted Jun 14, 2010 19:38 UTC (Mon) by michaeljt (subscriber, #39183) [Link]

Do they sign their files? If they do, that would presumably stop any distributions packaging the compromised software, which in turn would prevent it reaching any users who only get their software through distributions.

Linux Trojan Raises Malware Concerns (PCWorld)

Posted Jun 14, 2010 19:55 UTC (Mon) by cesarb (subscriber, #6266) [Link]

They did not, but they will do now: http://www.unrealircd.com/txt/unrealsecadvisory.20100612.txt

It also seems they did send the hashes for the uncorrupted files in the original announcement for that version.

I also remember reading somewhere (probably linked from a comment on the slashdot story, http://it.slashdot.org/story/10/06/13/0046256/Backdoor-Fo...) that Gentoo did have the _wrong_ hashes in its package manager (that is, the hashes for the corrupted files). It was a link to Gentoo's bug database IIRC.

Linux Trojan Raises Malware Concerns (PCWorld)

Posted Jun 14, 2010 19:57 UTC (Mon) by cesarb (subscriber, #6266) [Link]

Linux Trojan Raises Malware Concerns (PCWorld)

Posted Jun 14, 2010 22:20 UTC (Mon) by malcolmt (guest, #65441) [Link]

The announcement you pointed to contains hashes for the tarballs, not signatures. So you're trusting that the announcement message hasn't been tampered with before you read those hashes. They haven't signed the hashes in any fashion that can be verified via a web of trust. Still room for improvement there.

Linux Trojan Raises Malware Concerns (PCWorld)

Posted Jun 15, 2010 2:16 UTC (Tue) by njs (guest, #40338) [Link]

In practice, I'm not sure whether it's harder to suborn whatever copies of the release announcement are out there on the net, or the release manager's pgp key.

Either way, it's going to be harder to suborn the tarballs PLUS something else than just the tarballs alone, so there's significant added security.

Hashes AND signatures is even better, of course :-).

Linux Trojan Raises Malware Concerns (PCWorld)

Posted Jun 15, 2010 2:25 UTC (Tue) by Kit (guest, #55925) [Link]

Even if you only replace the tarballs, you'll likely get at least a few systems before anyone even checks the hashes/signatures.

Linux Trojan Raises Malware Concerns (PCWorld)

Posted Jun 17, 2010 6:09 UTC (Thu) by madhatter (subscriber, #4665) [Link]

Not to be picky, but signatures *are* hashes. When you verify that a GPG signature is correct, you're confirming that the hash of the file matches the hash embedded in the signature. If, in addition, you have validated the identity of the key out-of-band, you're also confirming that the hash is digitally signed by the private counterpart of a known public key. But that latter is a separate operation, and it's perfectly possible to use gpg to verify the hash (integrity) without having a known public key to verify the authenticity.
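The Gentoo situation cesarb describes above (a package manager carrying the hashes of the already-swapped tarball) and the integrity-versus-authenticity distinction in this comment can be shown in a few lines. This is an added illustration, not code from UnrealIRCd, Gentoo or any commenter; the tarball contents, the announcement table and the manifest table are all constructed samples.

```python
import hashlib

# Constructed stand-ins for a clean release tarball and the mirror copy
# with a backdoor appended.  Real tarballs are binary; bytes suffice here.
CLEAN_TARBALL = b"Unreal3.2.8.1 source (constructed sample, clean)"
BACKDOORED_TARBALL = CLEAN_TARBALL + b"\n# constructed sample: backdoor"
FILENAME = "Unreal3.2.8.1.tar.gz"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Upstream's release announcement: hashes of the files the developers
# actually released, recorded independently of what the mirror serves.
# Note these are still only as trustworthy as the announcement itself;
# a detached signature over them would add authenticity, not just integrity.
ANNOUNCEMENT = {FILENAME: sha256_hex(CLEAN_TARBALL)}

# A distribution manifest built by hashing whatever the mirror served at
# packaging time.  If the mirror had already been replaced, the manifest
# faithfully records the backdoored file (the Gentoo case from the thread).
DISTRO_MANIFEST = {FILENAME: sha256_hex(BACKDOORED_TARBALL)}


def check_against(sources: dict, filename: str, data: bytes) -> dict:
    """Return {source_name: bool} saying which hash sources agree with data."""
    digest = sha256_hex(data)
    return {name: table.get(filename) == digest for name, table in sources.items()}


def verify_release(filename: str, data: bytes) -> tuple:
    """Accept a download only when every independent hash source agrees.

    A manifest derived from the download itself cannot detect a swapped
    tarball; disagreement between sources is the signal worth alerting on.
    """
    results = check_against(
        {"announcement": ANNOUNCEMENT, "manifest": DISTRO_MANIFEST}, filename, data
    )
    return all(results.values()), results
```

Run against the backdoored bytes the manifest check passes and the announcement check fails; run against the clean bytes the reverse happens, which is exactly the cross-source mismatch a packager should treat as a red flag.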

Linux Trojan Raises Malware Concerns (PCWorld)

Posted Jun 15, 2010 14:38 UTC (Tue) by kirkengaard (subscriber, #15022) [Link]

And lack of hashes and signatures for them should prevent anyone smart enough from bothering with this IRC client. You'd think the distributions would be smart enough for that....

Linux Trojan Raises Malware Concerns (PCWorld)

Posted Jun 15, 2010 14:47 UTC (Tue) by foom (subscriber, #14868) [Link]

It's a server, not a client.

And there's nothing particularly unusual about software not being distributed with hashes or signatures. It's actually relatively unusual *to* have them.

once again someone completely misunderstands "security by obscurity"

Posted Jun 14, 2010 23:59 UTC (Mon) by pflugstad (subscriber, #224) [Link]

Once again, some security writer (and I use that term loosely, since any decent writer would have researched the term before using it) on a mainstream website took the phrase "security-by-obscurity" and assumed it meant Linux was secure because it was obscure. And he even links to an article that really has very little to do with "security-by-obscurity".

A few weeks ago another security article on Computer World quoted some "Gartner security analyst" who said the same thing. The author there was just as clue free to let that go by (quick, someone scream conspiracy there :-)).

I'd post a rebuttal on the PCWorld website, but their comment registration is obnoxious.

once again someone completely misunderstands "security by obscurity"

Posted Jun 15, 2010 9:44 UTC (Tue) by NAR (subscriber, #1313) [Link]

Actually in a sense it's more secure due to its obscurity. Bad guys might not bother to search for buffer overflows in e.g. the Linux flash plugin, because it has negligible market share compared to the Windows version.

But you're right, I haven't even realised so far that the word "obscure" has at least two different meanings, so the "security by obscurity" might also mean two different things. The joys of a human language :-)

Relatively few vulnerable systems is no security!

Posted Jun 15, 2010 15:24 UTC (Tue) by vonbrand (subscriber, #4458) [Link]

That there are "relatively few" vulnerable systems hasn't stopped miscreants before. E.g., the Sapphire/Slammer worm targeted Internet-exposed MS SQL Server systems, which are far in between by nature.

Relatively few vulnerable systems is no security!

Posted Jun 17, 2010 0:00 UTC (Thu) by rickmoen (subscriber, #6943) [Link]

vonbrand wrote:
the Sapphire/Slammer worm targeted Internet-exposed MS SQL Server systems, which are far in between by nature.

It's a common misconception (fed by some really bad contemporaneous reporting) that Slammer's primary target was MS-SQL Server. In fact, the primary target was Microsoft Desktop Engine (MSDE), an embedded small version of SQL Server included in many Microsoft and third-party products as back-end utility storage, including, ironically, security-related software. All instances of MSDE had/have a fully exposed listener process, and the package was in very widespread use on MS-Windows systems, both desktop and server, in 2003.

I notice that the article you cite about Sapphire/Slammer does mention that both MS-SQL Server and MSDE were the worm's targets, but many people seem to have no idea what MSDE is, and ignore references to it.

Rick Moen
rick@linuxmafia.com

Copyright © 2010, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds