
Evans Data on Linux security

Posted Jul 28, 2004 19:29 UTC (Wed) by nix (subscriber, #2304)
In reply to: Evans Data on Linux security by khim
Parent article: Evans Data on Linux security

Worms, yes, Viruses (be it file-infector, macro `virus', or email-client-buffer-overflowing `virus'), no. The Linux desktop is too diverse and not numerous enough: such would not survive to replicate.


Evans Data on Linux security

Posted Jul 29, 2004 8:14 UTC (Thu) by khim (guest, #9252)

Not diverse enough, it seems. A file-infector I've seen in the wild myself; a buffer-overflowing virus was detected in the wild, and so on. No, it's just your wish that it was so. Linux diversity is a good thing, but a panacea it is not.

Evans Data on Linux security

Posted Aug 5, 2004 20:48 UTC (Thu) by rickmoen (subscriber, #6943)

khim wrote:

Not diverse enough it seems. File-infector I've seen in the wild by myself [link], buffer-overflowing virus was detected [link].

Links were to a copy of the ELF_GMON.A ELF-infector virus and to the Ramen worm. Let's talk about that:

ELF_GMON.A is a generic ELF infector basically indistinguishable from any other ELF infector — Staog, Bliss, Vit, RST (Remote Shell Trojan), Gildo, OSF, Kagob, Satyr, Rike (Rike.1627), Winter (Lotek), Diesel, Nuxbee, Winux (PEElf, Pelf), Svat, Obsidian.E, Simile (Etap), Jac, Pavid (Alfa.dr), Telf, Ynit, Blitz, Zipworm (distinctive only in that it likes to infect ELF files in Zip archives), and Penguin — and thus a priori unlikely to "appear in the wild" under its own power, given the relative shortage of admins willing to run untrustworthy binaries with root authority. (Few people have many ELF binaries sitting around in ~/bin/ and such, writable by regular users, and even those people can shoot only their own files in the foot.)

The reason ELF_GMON.A can be credibly claimed to have been observed "in the wild" nonetheless is that it's a standard inclusion in the Suckit rootkit, as it activates a backdoor for the intruder on UDP port 3049.

So, in short — as is the case generally for Linux malware — if ELF_GMON.A is active on your system, and especially if it has been able to write to privileged binaries, you have much, much bigger problems than the virus itself: you have a root-owning intruder who entered through other means entirely. The presence of ELF_GMON.A in such cases (which comprise 100% of the credible "in the wild" claims, as far as I can tell) is an after-effect of his having rooted your system, rather than being the means of attack.

That brings us to Ramen, about which my notes are as follows:

Slapper (Cinik, Unlock)
Worm.
First seen: Sept. 13, 2002.
Details: Automated attack against a very specific and rare combination of Apache w/OpenSSL 0.9.6d / 0.9.7beta1 or earlier. Overflow in question was fixed July 2, 2002.

We see once again the recurring refrain with Linux malware: If your system was successfully rooted by Ramen, it's because you had a much, much bigger and fundamental problem: You were running a network service on the public Internet and failed to heed warnings about a notorious OpenSSL vulnerability for two months or longer — usually much longer.

The problem, then, would not have been Ramen on such a system, but rather grossly incompetent system administration — not, mind you, on a desktop system, but rather on a system whose owner decided to offer e-commerce-type network services to the entire public Internet — that left the system wide open to an extremely well known vulnerability. Lesson: If you can't be bothered to read your distribution's security-alert mailing list, at least use yum, apt-get, up2date, etc. to leverage the diligence of those who do.

All of the other worms targeting Linux to date (cheese, l10n, Adore, lpdw0rm, Slapper, Mighty, Adm, SSHD22, Millen, and Sorso) have been exactly like that: automated attack tools aimed at incompetent administrators who neither bothered to notice and fix notorious, long-patched vulnerabilities nor used maintenance regimes to repair them semi-automatically (apt-get, etc.). I'm preparing a rundown of those, to make that point, and to outline what more credible threats potentially apply (in theory, unsafe mailcap files; more commonly, theft of security tokens): Meanwhile, I've posted some notes on various worms and viruses.

Rick Moen
rick@linuxmafia.com
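The point made above about ELF infectors — that one running with ordinary user rights can only rewrite ELF files that user can already write — suggests a simple exposure check: list the ELF binaries on your search path that the current account could modify. The script below is an added example written for this page, not Rick Moen's code and not tied to ELF_GMON.A or any other specific infector; it only recognises ELF files by their four-byte magic and asks the kernel, via access(2), whether the file is writable. The sample files used in demo() are constructed in a temporary directory purely for illustration.

```python
#!/usr/bin/env python3
"""List ELF files on a search path that the current user can write to.

Added example for the LWN thread above; not part of the original page.
A file-infecting virus running under this account could only touch the
files this script reports, which is the scope of damage the post describes.
"""
import os
import stat
import tempfile

ELF_MAGIC = b"\x7fELF"  # first four bytes of every ELF object (e_ident[EI_MAG0..3])


def is_elf_header(data: bytes) -> bool:
    """True if the supplied bytes begin with the ELF magic."""
    return data[:4] == ELF_MAGIC


def is_elf(path: str) -> bool:
    """True if the file at path starts with the ELF magic (unreadable files count as non-ELF)."""
    try:
        with open(path, "rb") as fh:
            return is_elf_header(fh.read(4))
    except OSError:
        return False


def writable_elf_files(dirs):
    """Return regular (non-symlink) ELF files under dirs that this process may write.

    os.access() checks the real uid/gid, so for an unprivileged user it answers
    exactly "could a user-level infector overwrite this?".  Note that root can
    write anything, so run this as the ordinary account whose exposure you care about.
    """
    hits = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            p = os.path.join(d, name)
            if os.path.islink(p) or not os.path.isfile(p):
                continue
            if is_elf(p) and os.access(p, os.W_OK):
                hits.append(p)
    return hits


def scan_path():
    """Check every directory on $PATH for user-writable ELF binaries."""
    return writable_elf_files(os.environ.get("PATH", "").split(os.pathsep))


def demo():
    """Run the check over a constructed fixture (hypothetical file names, not real tools).

    Returns the basenames found plus whether we are root, since root sees every
    file as writable and the read-only fixture then shows up too.
    """
    with tempfile.TemporaryDirectory() as tmp:
        writable = os.path.join(tmp, "owned-tool")    # fake ELF, mode 0755: exposed
        readonly = os.path.join(tmp, "locked-tool")   # fake ELF, mode 0555: safe for non-root
        script = os.path.join(tmp, "helper.sh")       # shell script: not an ELF target
        fake_elf = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9  # ELF64, little-endian, version 1
        for p, body in ((writable, fake_elf), (readonly, fake_elf), (script, b"#!/bin/sh\necho hi\n")):
            with open(p, "wb") as fh:
                fh.write(body)
        os.chmod(writable, stat.S_IRWXU | stat.S_IRGRP | stat.S_IXGRP | stat.S_IROTH | stat.S_IXOTH)
        os.chmod(readonly, stat.S_IRUSR | stat.S_IXUSR | stat.S_IRGRP | stat.S_IXGRP | stat.S_IROTH | stat.S_IXOTH)
        found = [os.path.basename(p) for p in writable_elf_files([tmp])]
    return {"writable": found, "root": os.geteuid() == 0}


if __name__ == "__main__":
    for p in scan_path():
        print("user-writable ELF on PATH:", p)
    print("demo fixture result:", demo())
```

Run it as the everyday (non-root) account; an empty list from scan_path() is the normal result on a packaged system, since distribution binaries are root-owned and mode 0755. Anything it does report is a file that a trojaned binary you happened to execute could silently rewrite, which is the only foothold the post allows an ELF infector without a prior root compromise.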

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds