LinuxQuestions.org
Forum: Linux - Security (This forum is for all security related questions.)
Old 03-09-2010, 08:48 PM   #1
Robert Carnegie
LQ Newbie
 
Registered: Aug 2009
Posts: 19

Malicious Distros?


how do I know - how confident can I be - that a new Linux distro does not contain malicious software?

I suppose some do!

Can I test?

"Security References" in http://www.linuxquestions.org/questi...erences-45261/ kind of covers the field, but I don't understand, say, what to do before/after downloading the ISO / burning the disk. Except for checking the MD5 signature of the ISO, but didn't somebody work out recently how to maybe theoretically fake that?

In particular I'm interested in using Knoppix, Ubuntu, SystemRescueCD, maybe GParted Live.
 
Old 03-09-2010, 08:59 PM   #2
MS3FGX
Guru
 
Registered: Jan 2004
Location: NJ, USA
Distribution: Slackware, Debian
Posts: 5,852

MD5 only verifies that the file you downloaded onto your local system is identical to the file that was on the remote system. In other words, it only verifies no data was lost during transfer.

As for the question of a "malicious" distro, I am not 100% sure what you mean. Are you talking about somebody putting up modified versions of established distributions, like a Trojan? Or are you talking about the distribution itself containing malicious code (either intentionally or through some mistake)?

Either of those situations is possible. If we are talking about downloading an ISO for a particular distribution from a third party mirror, then comparing it with the MD5 sum from the distribution's website would at least verify that the third party didn't modify the ISO. But it would do nothing to assure you that some piece of software inside of that distribution isn't compromised.
 
Old 03-09-2010, 09:05 PM   #3
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

I'd use SHA1 instead of MD5 if possible, as MD5 is quite broken. Still, checking the integrity of the ISO without verifying the authenticity of what you're using to check is not optimal. So yeah, you'd ideally want to do your check using a digital signature, which all major distros provide AFAICT. As for malicious code, well, to a certain extent you still rely on trust a great deal (as you do in the proprietary/closed-source model), except that here you at least are given the source code to everything so you can inspect it yourself or hire someone else to inspect it. You've basically brought up two different points, one being the integrity/authenticity of the software, and the other being the qualities of the software (and/or its source code).

Last edited by win32sux; 03-09-2010 at 09:18 PM.
 
Old 03-09-2010, 09:23 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,264
Blog Entries: 54

Additionally, you could list the packages installed and compare them with those from a trusted, official D/L mirror (apart from the fact that trust has to originate somewhere). This will be easier for some distributions than others, as some package management systems are more equal than others: not all provide GnuPG keys next to hashes, and not all package management systems allow you to verify package contents. And while it's not something to rely on, the "many eyeballs" thing works: compromised official distribution or upstream source mirror servers, and compromised software itself, are commonly discovered quickly.
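The post above notes that not every package manager lets you verify package contents. For those that do, the raw verify output still needs reading. The following is an added example, not code from the thread or from any poster: a small triage filter for `rpm -V` output. It assumes rpm's documented verify format (a nine-character attribute field S M 5 D L U G T P, an optional file-type marker c/d/g/l/r, then the path, or the word `missing` in place of the attributes), and the sample lines it runs on are constructed, not taken from a real host. It separates edited config files, which are expected on any administered machine, from non-config files whose content differs or that are missing, which are the ones to compare against a copy from the trusted mirror.

```shell
#!/bin/sh
# Added example, not from the thread. Triage filter for `rpm -V` output.
# Assumed input format (rpm's documented verify format):
#   <9 attribute chars> [type] <path>      or      missing [type] <path>
# Attribute chars: S size, M mode, 5 digest, D device, L link, U user,
# G group, T mtime, P capabilities; "." = unchanged, "?" = not testable.
# Type marker: c config, d documentation, g ghost, l license, r readme.

# triage_rpm_verify: reads rpm -V lines on stdin, prints one classified
# line per finding. mtime-only differences and untouched files are dropped.
# Paths containing spaces are not handled (rpm prints them raw).
triage_rpm_verify() {
    awk '
    {
        attrs = $1
        type  = ($2 ~ /^[cdglr]$/) ? $2 : ""
        path  = $NF
        if (attrs == "missing") { print "MISSING  " path; next }
        content = index(attrs, "5") || index(attrs, "S")   # payload differs
        perms   = index(attrs, "M") || index(attrs, "U") || index(attrs, "G")
        if (content && type != "c")      print "SUSPECT  " path "  (" attrs ")"
        else if (content)                print "EDITED   " path "  (config, " attrs ")"
        else if (perms)                  print "PERMS    " path "  (" attrs ")"
    }'
}

# suspect_count: number of non-config files whose content differs or that
# are missing, i.e. the lines worth comparing against a trusted copy.
suspect_count() {
    triage_rpm_verify | awk '/^(SUSPECT|MISSING)/ { n++ } END { print n + 0 }'
}

# Constructed sample of rpm -V output (not from a real host).
SAMPLE_RPM_V='S.5....T.  c /etc/ssh/sshd_config
S.5....T.    /usr/bin/ls
.......T.    /usr/share/man/man1/ls.1.gz
.M.......    /usr/bin/passwd
missing     /usr/lib64/libexample.so'

printf '%s\n' "$SAMPLE_RPM_V" | triage_rpm_verify
printf 'suspect lines: %s\n' "$(printf '%s\n' "$SAMPLE_RPM_V" | suspect_count)"
```

On a live system the input would be `rpm -Va | triage_rpm_verify`. Note that `rpm -V` compares files against the local RPM database; on a host you already distrust, that database may have been altered along with the files, so verify against package files fetched from the trusted mirror instead (`rpm -Vp <package.rpm>`), which is the comparison the post describes.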
 
Old 03-09-2010, 11:16 PM   #5
Web31337
Member
 
Registered: Sep 2009
Location: Russia
Distribution: Gentoo, LFS
Posts: 399
Blog Entries: 71

Quote:
new Linux distro does not contain malicious software?
It's impossible to check everything. Say, I know of some cases where a security hole in software was probably planned. There are some public examples of almost similar cases on the net: backdoors masked as a logic error, or just a straightforward backdoor feature. While it is still possible to check the source of all software, it's going to take you months. And the new software will be released long before you finish inspecting the old sources.
What I trust is the kernel and coreutils. All the very basic programs. I bet they're all double and triple checked already for containing backdoors. The kernel may, of course, contain security issues, but not planned ones. I can say nothing of other software. Nothing. There's no knowing, really, and there are no tools that can check code for bugs, showing 100% of them.
 
Old 03-19-2010, 10:16 AM   #6
paranoidx
LQ Newbie
 
Registered: Jul 2006
Posts: 24

I think you have to be realistic here and measure things upon practicality.

Quote:
how do I know - how confident can I be - that a new Linux distro does not contain malicious software?
Well, many of us are long time Linux users here, and personally I use Gentoo, where we compile our own binaries and modify the source to our liking. But if you use binary distros, well then you automatically are using other people's work, so naturally you have entrusted others to do the work for you! Note: you can always write your own from scratch if you are that paranoid.

Unlike other OSes, most Linux users know the ins and outs of the OS, so if there is a distro that has any type of 'malicious' software, then it won't be long before it will be named and shamed within the community. I emphasized malicious as there are many network tools built into Linux that can easily fit in that category. I would say most breaches are caused by the incompetence of the user to read/configure properly and secure the Linux box rather than the unanticipated security holes caused by the packages. So to put it simply, you don't install without first understanding the risk, and all things in life carry a risk. The monitor you sit in front of can easily get shorted by a lightning strike causing you grievous bodily harm. So how do we measure that risk? Was it planned by the monitor manufacturer to accomplish such a freak incident?

Quote:
I suppose some do!
That's quite a claim. You know that because .... ??
And here I'm presuming you are talking about a known/major distro, not some backyard job your friend's friend has handed to you.

Quote:
Can I test?
You definitely can; start by learning C, and the source code is out there.

As with your other queries, I think win32sux has covered it, so no need to repeat.

Last edited by paranoidx; 03-19-2010 at 10:30 AM.
 
Old 03-23-2010, 02:56 PM   #7
ax25nut
Member
 
Registered: Mar 2010
Location: Fairfield County, Ohio
Distribution: Several flavors of Linux, BSD Unix, even DOS & Win-doze
Posts: 56
Blog Entries: 1

I would guess that your best bet to be sure of getting the pure, unadulterated version of any distro is to order the disk set from their website. I used to get mine from Walnut Creek, whereas I now go to Columbus Microcenter to find something like FreeBSD or Slackware. They don't have the big open/shareware room they once had, as most folks simply download from the net these days. Use the distro's own links to get your distro. Or go to Distrowatch.com and use their links to get what you want. I would worry more about windoze having malicious code than most linux/unix distros, and I've had and tried dozens of each, going back to the early 90's without this sort of problem.
 
Old 03-23-2010, 07:11 PM   #8
GoinEasy9
Member
 
Registered: Feb 2004
Location: Manorville, New York, USA
Distribution: siduction, Fedora 19, openSUSE Tumbleweed
Posts: 379
Blog Entries: 1

Most distros have signed files in their repos. Downloading from any distro's home repo will be a pure download, a.k.a. the links from Distrowatch in their release announcements.
 
Old 03-24-2010, 09:34 AM   #9
TB0ne
Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 14,577

Quote:
Originally Posted by Robert Carnegie View Post
how do I know - how confident can I be - that a new Linux distro does not contain malicious software?
And how confident are you that Windows doesn't contain malicious software? How much bloatware and third-party junk comes on a Windows system? How many backdoors for the "Windows Genuine Advantage" crap are shoved in?? And the security holes that are left there?? You know...the ones that are so bad, you need loads of anti-virus, firewall, malware, and adware blocking software to plug up??
Quote:
I suppose some do!
Name one. Because I can't, because there aren't any. You CAN put something malicious out there, but think about it. MS can shovel anything they want out the door, and the source code is invisible. No one can check it or verify it. Linux isn't that way. Even if I wrote something malicious, and released it, millions of coders around the world would see it almost instantly, report it, and remove it.
Quote:
Can I test?
Sure...there are many portscanners and security checkers out there, to run against a system. Nessus being one that jumps to mind. Configure a Linux box, and follow basic hardening procedures (easily found online). Run a scan on it, versus another Windows box, and see what you find.
Quote:
"Security References" in http://www.linuxquestions.org/questi...erences-45261/ kind of covers the field, but I don't understand, say, what to do before/after downloading the ISO / burning the disk. Except for checking the MD5 signature of the ISO, but didn't somebody work out recently how to maybe theoretically fake that?
Yes, but it's difficult, and rather pointless. There are many locations for distros to be downloaded. As soon as someone noticed that an MD5 sum differs from what the original distributor released, they'd howl about it, rendering that poisoned distro useless. Anyone who had loaded it would remove it.
Quote:
In particular I'm interested in using Knoppix, Ubuntu, SystemRescueCD, maybe GParted Live.
Enjoy. Any of them are fine, but you're leaving out MANY distros from that list.
 
Old 03-25-2010, 11:15 PM   #10
Robert Carnegie
LQ Newbie
 
Registered: Aug 2009
Posts: 19

Original Poster
Thanks for comments. (Found my password...)

Some software that I need to use - actually all the time (disability keyboard substitute) - depends on Windows. On the other hand, Linux lets you "hack" your own computer. For instance I recently had to format a misbehaving memory stick...

I got paranoid because around new year I had some /probably/ coincidental negative experiences around SystemRescueCD, and I thought: "with whom am I dealing?"

One: after changing around some Windows hard disk partitions, plus running clamav from SRCD, the disabled "AutoPlay" feature on Windows removable volumes got un-disabled. A Windows Registry database entry appeared to have come into existence against my will to do this. It can be controlled per-user or per-machine apparently, but documentation only mentions the per-user setting(?), which is ignored if the equivalent per-machine key exists, regardless of what it actually says.

In other words, Windows started auto-running software on disks and sticks after I had specifically told it not to.

Two: I searched for SRCD comments and found somebody spamming forums semi-randomly offering their own download of SRCD.

Three: Windows security software called Malwarebytes said that SRCD's web page is a bad place to go.

There are a few problems with this picture, such as Malwarebytes forum operators separately saying that SRCD is a good thing to use. But I strongly suspect that the spammed-link version of SRCD would be malicious. After all, SRCD comes with instructions to customise your copy... and why else is it there?

MD5 signature...... Knoppix allows FTP of its ISO from various volunteer servers around the world. The MD5 signature of the ISO is available from the same server as the ISO - so how does that help? Won't a hacker just replace both files?

Turning the question around, how does a distro maker assure users that it's healthy to use?
 
Old 03-25-2010, 11:28 PM   #11
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Quote:
Originally Posted by Robert Carnegie View Post
MD5 signature...... Knoppix allows FTP of its ISO from various volunteer servers around the world. The MD5 signature of the ISO is available from the same server as the ISO - so how does that help? Won't a hacker just replace both files?
Which is why it would be ridiculous to rely solely on that method if you're highly concerned.

Quote:
Turning the question around, how does a distro maker assure users that it's healthy to use?
By using digital signatures.

AFAICT, Knoppix provides you with digitally signed hash values (both MD5 and SHA1) for each ISO.

Last edited by win32sux; 03-25-2010 at 11:52 PM.
 
Old 03-26-2010, 02:48 AM   #12
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 3,899

Quote:
Originally Posted by Robert Carnegie View Post
how do I know - how confident can I be - that a new Linux distro does not contain malicious software?
I don't know what you mean by 'new'; do you mean something that you haven't tried before, or something that is new to the world?

If you think that, e.g., RHEL would ruin their reputation by including software that was specifically intended to do something nasty to you, I would suggest that this is an exaggerated concern.

Potentially, it could happen, but I doubt that they would deliberately try to alienate a substantial part of their userbase.

OTOH, if you were to come across an otherwise unknown distro, particularly if it were called something hacker-ish, they may have no rep to protect.

And, malicious software?

Quote:
after changing around some Windows hard disk partitions, plus running clamav from SRCD, the disabled "AutoPlay" feature on Windows removable volumes got un-disabled. A Windows Registry database entry appeared to have come into existence against my will to do this. It can be controlled per-user or per-machine apparently, but documentation only mentions the per-user setting(?), which is ignored if the equivalent per-machine key exists, regardless of what it actually says.
Sounds as if you played around with some hacker-level tools that had unanticipated side-effects. Many distros - maybe most distros - will include tools that take real expertise to use safely, but this is not malicious. You may have wanted more safety features incorporated and you may have expected more in the way of warning messages.
 
Old 03-26-2010, 02:58 AM   #13
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 3,899

Quote:
Originally Posted by Robert Carnegie View Post
how do I know - how confident can I be - that a new Linux distro does not contain malicious software?
I don't know what you mean by 'new'; do you mean something that you haven't tried before, or something that is new to the world?

If you think that, e.g., RHEL would ruin their reputation by including software that was specifically intended to do something nasty to you, I would suggest that this is an exaggerated concern.

Potentially, it could happen, but I doubt that they would deliberately try to alienate a substantial part of their userbase.

OTOH, if you were to come across an otherwise unknown distro, particularly if it were called something hacker-ish, they may have no rep to protect.

And, malicious software?

Quote:
after changing around some Windows hard disk partitions, plus running clamav from SRCD, the disabled "AutoPlay" feature on Windows removable volumes got un-disabled. A Windows Registry database entry appeared to have come into existence against my will to do this. It can be controlled per-user or per-machine apparently, but documentation only mentions the per-user setting(?), which is ignored if the equivalent per-machine key exists, regardless of what it actually says.
Sounds as if you played around with some hacker-level tools that had unanticipated side-effects. Many distros - maybe most distros - will include tools that take real expertise to use safely, but this is not malicious. You may have wanted more safety features incorporated and you may have expected more in the way of warning messages.

Quote:
But I strongly suspect that the spammed-link version of SRCD would be malicious.
It would be very easy to take a perfectly legitimate Linux distro, particularly one intended for system-level, but legitimate, hacking, and do something nasty with it. So, if there was a legitimate distro called 'System Rescue CD', you could produce a distro and a site called SysResCD, and most people would not realise that they are not dealing with the genuine System Rescue CD; and whatever tools you use to verify that your SysResCD is as the manufacturer intended will only prove that it is as SysResCD intended.
 
Old 03-26-2010, 07:52 PM   #14
lupusarcanus
Senior Member
 
Registered: Mar 2009
Location: USA
Distribution: Arch
Posts: 1,022
Blog Entries: 19

Don't forget that the distribution's popularity and the authenticity of the site you downloaded it from are the biggest tell-tale signs of all, IMO.

If I downloaded Ubuntu straight from Canonical's website, you are given 100% assurance.
Same with most.
Ones you need to look out for are small ones with no following or, lesser still, a custom spin on a current one.

Still, the biggest thing to know is what Linux is based upon, the source code. If it's not released, this should raise an immediate red flag. Another is a license or the lack thereof.

Popularity is the big factor though. Developers won't develop and maintainers won't maintain if there is something like this going on.
 
Old 03-26-2010, 09:58 PM   #15
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Quote:
Originally Posted by leopard View Post
If I downloaded Ubuntu straight from Canonical's website, you are given 100% assurance.
Same with most.
I can certainly see where you're coming from, but the truth is that nothing can give you 100% assurance. On its own, having downloaded the ISO from one of Canonical's servers says nothing about whether that ISO is really what it's supposed to be. In other words, you don't know whether the ISO on the server has been tampered with by a cracker, or whether you're actually the victim of a MITM attack where nothing you see is real. Seriously, stuff like this is why we have digital signatures in the first place. Canonical provides digitally signed MD5, SHA1, and SHA256 hash values for their downloads, and if you're looking to get anywhere near 100% assurance, that's your best bet right there.

Last edited by win32sux; 03-26-2010 at 10:01 PM.
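Posts #3, #11 and #15 all land on the same procedure: authenticate the publisher's checksum list with a digital signature first, then compare the ISO against that list. The following is an added example, not code from the thread or from any distribution project: a POSIX shell script for that two-step check. It assumes the layout several distros use, a checksum list in coreutils format plus a detached OpenPGP signature over it (Ubuntu's `SHA256SUMS` and `SHA256SUMS.gpg` are one real instance; the thread's 2010 MD5/SHA1 lists are handled the same way, only the hash command changes), and it assumes `gpg` and `sha256sum` are installed. The demo function at the end runs only on constructed data (a fake "ISO" and a matching checksum list) and needs no key material.

```shell
#!/bin/sh
# Added example, not from the thread. Two-step check for a distro ISO that
# ships a checksum list plus an OpenPGP signature over that list.
# A mirror that swaps both the ISO and the checksum list still cannot
# produce a valid signature unless it holds the publisher's private key,
# so the signature is what turns "file arrived intact" into "file is what
# the publisher released". The key must be obtained somewhere other than
# the mirror being checked (the project's own HTTPS site, a keyserver,
# a key already present on a previous trusted install).

# verify_sums_signature SUMSFILE SIGFILE
#   0 only if SIGFILE is a good signature over SUMSFILE by a key already
#   in the local gpg keyring. gpg prints the signing key id; confirm it is
#   the publisher's release key before trusting the result.
verify_sums_signature() {
    gpg --verify "$2" "$1"
}

# check_iso_sum SUMSFILE ISOFILE
#   0 if ISOFILE's SHA-256 equals the entry for its basename in SUMSFILE.
#   Entries are in coreutils format: "<hex>  <name>" or "<hex> *<name>".
#   (Names containing spaces are not handled; coreutils escapes those.)
check_iso_sum() {
    sums=$1
    iso=$2
    name=$(basename "$iso")
    expected=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f); if (f == n) print $1 }' "$sums")
    if [ -z "$expected" ]; then
        echo "no entry for $name in $sums" >&2
        return 2
    fi
    actual=$(sha256sum "$iso" | awk '{ print $1 }')
    [ "$expected" = "$actual" ]
}

# verify_iso SUMSFILE SIGFILE ISOFILE
#   The order matters: authenticate the list first, then compare the ISO
#   against the authenticated list. Checking the hash alone, as the thread
#   points out, only proves the ISO matches whatever the mirror served.
verify_iso() {
    verify_sums_signature "$1" "$2" && check_iso_sum "$1" "$3"
}

# demo_checksum_logic: constructed data only (no real ISO, no gpg needed).
#   Builds a fake ISO and a matching SHA256SUMS, then checks that the
#   untouched copy passes and a one-byte-appended copy fails.
demo_checksum_logic() {
    dir=$(mktemp -d) || return 1
    printf 'constructed ISO payload\n' > "$dir/demo.iso"
    printf '%s *demo.iso\n' "$(sha256sum "$dir/demo.iso" | awk '{ print $1 }')" > "$dir/SHA256SUMS"
    check_iso_sum "$dir/SHA256SUMS" "$dir/demo.iso" || { rm -rf "$dir"; return 1; }
    printf 'x' >> "$dir/demo.iso"                     # simulate a tampered download
    if check_iso_sum "$dir/SHA256SUMS" "$dir/demo.iso"; then rm -rf "$dir"; return 1; fi
    rm -rf "$dir"
    return 0
}

demo_checksum_logic && echo "checksum logic behaves as expected"
```

In practice the call is `verify_iso SHA256SUMS SHA256SUMS.gpg distro.iso` after the publisher's release key has been imported from a source independent of the mirror; if `gpg --verify` reports "Good signature" from a key you did not expect, treat the download as unverified even though the hash check would pass.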
 