LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 09-15-2007, 08:27 PM   #16
kstan
Member
 
Registered: Sep 2004
Location: Malaysia, Johor
Distribution: Dual boot MacOS X/Ubuntu 9.10
Posts: 851

Rep: Reputation: 31

Hi win32sux,

Actually, the purpose for which I created this forum is to discuss the possibility of attacking Linux machines via viruses. For myself, viruses, spyware, worms, malware, everything is a piece of software (either standalone or planted into other software); let's call it malware for Linux. Sometimes good practice is not sufficient because Linux has too limited a range of software; we always need to go to several places to find a suitable application, a pre-compiled application, a distro-ready application. A lot of contributors are contributing but they are not trusted. Ignoring them will give a lot of trouble if we want to enjoy the latest software without pain.

So, I simply bring up another two common methods to attack Linux machines using viruses.

Here I bring out a few more methods to plant malware into Linux machines.

1. Buffer overflow into some program (maybe apache2, since it is publicly accessible) and force it to execute the malware.
2. Purchase web hosting company hosting services with fake name (normally they'll use cpanel), upload some viruses, put some shell in the cron to execute the viruses (either find setuid, check /var/www/targetwebsite/main.php/php-password, or remove all /var/www/*), or open up netcat session back to internet.



Both ways need higher IT skill to attack and it is not able to spread through the internet. I wonder whether any malware in Linux is able to spread across the network and internet, or how it spreads.

Regards,
Ks

Last edited by kstan; 09-15-2007 at 08:28 PM.
 
Old 09-15-2007, 08:53 PM   #17
oskar
Senior Member
 
Registered: Feb 2006
Location: Austria
Distribution: Ubuntu 12.10
Posts: 1,142

Rep: Reputation: 49
Quote:
Originally Posted by slimm609 View Post
App-armor is a SUSE thing... Most systems are starting to implement SELinux policies to secure the system. SELinux will do a lot better job than App-armor. App-armor is a basic implementation of ASLR plus a few other security systems. To run a more secure Linux distro, look into hardened Gentoo using SELinux or GrSecurity and features like PIC, PIE and SSP.
I'd rather pull all my teeth out rather than trying to configure SELinux again. I think Apparmor will be the solution for the desktop. It will already be in Gutsy (next Ubuntu release).

And I'd rather be eaten alive by wild dogs than trying to install Gentoo. I started using linux in 97, but the more n00b the distro the better. I have shed all my curiosity way back when.
 
Old 09-15-2007, 09:20 PM   #18
AceofSpades19
Senior Member
 
Registered: Feb 2007
Location: Chilliwack,BC.Canada
Distribution: Slackware64 -current
Posts: 2,079

Rep: Reputation: 58
No Linux virus has ever successfully spread to a large amount of machines because the vendors update Linux too fast for it to spread to a lot of machines. So theoretically to get a Linux virus you would have to never update your machine.
 
Old 09-16-2007, 05:00 AM   #19
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by kstan View Post
For myself, viruses, spyware, worms, malware, everything is a piece of software (either standalone or planted into other software); let's call it malware for Linux. Sometimes good practice is not sufficient because Linux has too limited a range of software; we always need to go to several places to find a suitable application, a pre-compiled application, a distro-ready application.
I assume you are talking about programs like the Adobe Flash Player, etc. Right? Well, that isn't really an OS issue, as whether you use GNU/Linux, or Windows XP, or Mac OS X your picture of what the binary-only plugin is coded to do will be just as murky. But we have tools to help us deal with these situations. We have free (as in freedom) security tools available that can be used to study the binary, and to protect the system from threats the binary might pose.

Quote:
A lot of contributors are contributing but they are not trusted. Ignoring them will give a lot of trouble if we want to enjoy the latest software without pain.
Once again, I don't think this is an OS issue. I think it's an end-user education issue.


Quote:
So, I simply bring up another two common methods to attack Linux machines using viruses.

Here I bring out a few more methods to plant malware into Linux machines.

1. Buffer overflow into some program (maybe apache2, since it is publicly accessible) and force it to execute the malware.
Sure, why not? If you know an Apache daemon is vulnerable to a buffer overflow attack then you can attempt to exploit that vulnerability. It's true on any OS which Apache runs on. Keep in mind that the admin for the server might have already taken hardening measures precisely for situations like this, so the attack might be futile regardless.

Quote:
2. Purchase web hosting company hosting services with fake name (normally they'll use cpanel), upload some viruses, put some shell in the cron to execute the viruses (either find setuid, check /var/www/targetwebsite/main.php/php-password, or remove all /var/www/*), or open up netcat session back to internet.
If you have found some type of exploit which will let you attack other people's accounts on the server that's not a virus issue. It's a general security issue, and the vulnerability can be used for all kinds of malicious action. The part where you say "execute the viruses" should instead read "execute the exploits" for everything else to fall into place.

Quote:
Both ways need higher IT skill to attack and it is not able to spread through the internet. I wonder whether any malware in Linux is able to spread across the network and internet, or how it spreads.
Actually both scenarios you presented have the potential to spread through the Internet. They are very similar to real-world attacks which take place every day. Keep in mind that when something like this is set to spread automatically, then it's considered a worm. The best example is probably Slapper.

Last edited by win32sux; 09-16-2007 at 05:45 AM.
 
Old 09-16-2007, 05:42 AM   #20
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by AceofSpades19 View Post
No Linux virus has ever successfully spread to a large amount of machines because the vendors update Linux too fast for it to spread to a lot of machines.
Considering that viruses by definition need humans in order to reproduce themselves, I would argue that culture and education might have more to do with it than any amount of "vendor updates". I'll provide an (admittedly over-simplistic) evil binary illustration:

It is disguised as a malware scanner. When you execute it, it attaches itself to some executable on your box, and then when that executable is executed, the process repeats itself - true virus fashion. So I send you the binary and I tell you something like "Hey, it's win32sux from LQ. I have a malware scanner I wrote which I think you would really like. Use it to scan anything you want to check for malware". What do you do? Hopefully, you will send the binary to ~/.Trash right away. So your education provided the necessary defenses against my attack.

But what if you do take the bait and execute the binary? Unless you actually have some sort of security system which protects you against this type of attack (AppArmor, SELinux, etc.) you WILL get infected (either inside your home folder, or system-wide if you executed it as root). It doesn't matter whether or not you have the latest "vendor updates".

The point being that although vendor updates will indeed *help* keep worms (which rely on the ability to exploit vulnerabilities) at bay, viruses (and any other malware requiring human interaction) are a very different story. Thankfully, we are now starting to see more and more desktop distributions come with security tools out-of-the-box.

Quote:
So theoretically to get a linux virus you would have to never update your machine
The illustration above would work regardless of whether you are up-to-date or not. The determining factor will be the user (if the binary is executed as non-root) or the admin (if the binary is executed as root), not the box. Even if we switch the focus from viruses to worms (where updates are more relevant), we can still say that the "up-to-date box is theoretically invulnerable" thing is a HUGE misconception. Having an up-to-date box is a great start, but it is far from being the magic cure for worms and exploits. It's really just one part of the security scheme.

We should never depend solely on vendor updates to keep our security from being breached. We need to be realistic and always assume the updates won't knock-out every vulnerability - because they won't. And especially because many times the biggest vulnerability is sitting in front of the computer, staring at the screen.

Last edited by win32sux; 09-16-2007 at 10:45 AM. Reason: Spelling corrections.
 
Old 09-16-2007, 01:55 PM   #21
slimm609
Member
 
Registered: May 2007
Location: Chas, SC
Distribution: slackware, gentoo, fedora, LFS, sidewinder G2, solaris, FreeBSD, RHEL, SUSE, Backtrack
Posts: 430

Rep: Reputation: 67
There will always be viruses and worms for Linux. They may or may not do damage, but there are also lots of things that can be done to help reduce that. The current version of Fedora has lots of SELinux policies built in. There is a way to create a Linux environment that is virtually unbreakable (in fact it will be tested at Defcon in 2008). The ultimate in Linux security: Slackware based, SELinux w/ MLS, Grsecurity, gcc SSP, PIC, PIE, app hardening, libsafe, plus entire source code scrubbed for buffer overflows, Safekern™ (in development). If someone can think of a way to bypass the security please let me know.
 
Old 09-16-2007, 08:13 PM   #22
AceofSpades19
Senior Member
 
Registered: Feb 2007
Location: Chilliwack,BC.Canada
Distribution: Slackware64 -current
Posts: 2,079

Rep: Reputation: 58
Quote:
Originally Posted by win32sux View Post
Considering that viruses by definition need humans in order to reproduce themselves, I would argue that culture and education might have more to do with it than any amount of "vendor updates". I'll provide an (admittedly over-simplistic) evil binary illustration:

It is disguised as a malware scanner. When you execute it, it attaches itself to some executable on your box, and then when that executable is executed, the process repeats itself - true virus fashion. So I send you the binary and I tell you something like "Hey, it's win32sux from LQ. I have a malware scanner I wrote which I think you would really like. Use it to scan anything you want to check for malware". What do you do? Hopefully, you will send the binary to ~/.Trash right away. So your education provided the necessary defenses against my attack.

But what if you do take the bait and execute the binary? Unless you actually have some sort of security system which protects you against this type of attack (AppArmor, SELinux, etc.) you WILL get infected (either inside your home folder, or system-wide if you executed it as root). It doesn't matter whether or not you have the latest "vendor updates".

The point being that although vendor updates will indeed *help* keep worms (which rely on the ability to exploit vulnerabilities) at bay, viruses (and any other malware requiring human interaction) are a very different story. Thankfully, we are now starting to see more and more desktop distributions come with security tools out-of-the-box.

The illustration above would work regardless of whether you are up-to-date or not. The determining factor will be the user (if the binary is executed as non-root) or the admin (if the binary is executed as root), not the box. Even if we switch the focus from viruses to worms (where updates are more relevant), we can still say that the "up-to-date box is theoretically invulnerable" thing is a HUGE misconception. Having an up-to-date box is a great start, but it is far from being the magic cure for worms and exploits. It's really just one part of the security scheme.

We should never depend solely on vendor updates to keep our security from being breached. We need to be realistic and always assume the updates won't knock-out every vulnerability - because they won't. And especially because many times the biggest vulnerability is sitting in front of the computer, staring at the screen.
If you are running as root except to do administrative tasks, such as adding users and such, then you deserve to get malware.
 
Old 09-17-2007, 01:32 AM   #23
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by AceofSpades19 View Post
If you are running as root except to do administrative tasks, such as adding users and such, then you deserve to get malware.
You don't need to be root in order to get malware. You can install software in your home folder without the need for root privileges. The same applies to malware. Even though "running as root only to do administrative tasks" is a very healthy habit, it is NOT an excuse to feel invulnerable or to be overconfident when working as non-root.

Last edited by win32sux; 09-17-2007 at 05:47 AM. Reason: My spelling sucks.
 
Old 09-17-2007, 11:31 AM   #24
kstan
Member
 
Registered: Sep 2004
Location: Malaysia, Johor
Distribution: Dual boot MacOS X/Ubuntu 9.10
Posts: 851

Rep: Reputation: 31
For myself, viruses/worms/malware are normally targeted at desktops; the reason is that desktop users normally do not have enough awareness of IT security, no matter whether on Linux or Windows.

Let's say I open a website, write some blog, and say I have new technology for users to download (for example, openoffice3.0). Then some administrator (assume that inside a company all user accounts are managed by an LDAP server) is attracted by the software and test-installs it on their computer.

What happens at the end is that when we install the openoffice3.0, it starts another daemon in the background and detects the keystrokes when the administrator logs in to their laptop/desktop. And it will ssh to all computers inside the network with the administrator username/password and try to run this command on all PCs: "rm -rf /" (of course it won't remove everything, but it can affect much).

In Linux, I don't think there is any protection which is able to deny the ssh + rm -rf / command.

Please don't say it is not possible; I bet you can write it and I bet somebody will be attacked by this. It's not too hard and it can be done with some effort. In Windows we have some method to protect against it, because antivirus tests the pattern before it executes. Unfortunately this is not true for Linux; Linux needs another kind of realtime scan engine, to block unnecessary shell commands or other kinds of harmful software from executing.

So, is it a virus? We can say yes, because it causes damage. If you say it is not, then what is the definition of a virus?

Regards,
Ks
 
Old 09-17-2007, 11:58 AM   #25
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by kstan View Post
Let's say I open a website, write some blog, and say I have new technology for users to download (for example, openoffice3.0). Then some administrator (assume that inside a company all user accounts are managed by an LDAP server) is attracted by the software and test-installs it on their computer.

What happens at the end is that when we install the openoffice3.0, it starts another daemon in the background and detects the keystrokes when the administrator logs in to their laptop/desktop. And it will ssh to all computers inside the network with the administrator username/password and try to run this command on all PCs: "rm -rf /" (of course it won't remove everything, but it can affect much).
IMHO the problem here began with the user downloading the office suite from some blog instead of from a trusted source. Trust is *extremely* important when it comes to software. It is an illusion to believe that with current technology we can somehow find a way so that people can download anything they want from anywhere without a care in the world. It just doesn't work that way. Not on GNU/Linux, not on Windows, not anywhere.

And trust isn't foolproof either, as mistakes do get made, resulting in security vulnerabilities. Most of the time they are not intentional. Yet sometimes they are, as was the case a few years ago when someone tried to back door the Linux kernel source. The quantity and quality of auditing is also something important to consider when choosing software. Take the Debian GNU/Linux project, for example. It is well-known for (among other things) the security audits the packages in the distro go through.

Quote:
In Linux, I don't think there is any protection which is able to deny the ssh + rm -rf / command.
If you are referring to having a command like that hidden in a program, any decent source code security audit should pick up obvious stuff like that in no time. But you do raise a very valid point. You could give "grandma" a shell script with a "rm -fr ~/" in it and tell her to execute it. The operating system would be intact, but all her personal documents would be gone. I see this brought-up constantly during "Linux virus/malware" discussions. IIRC one way around it is to mount /home noexec. That way you don't need to worry about grandma running any executables in her home folder.

EDIT: I just re-read your post and I had misunderstood this part. You were referring to the attacker using root privileges (gained through a keylogger) to execute a "rm -fr /" and blow everything away. This scenario involves the original root having downloaded a trojanized office suite from some untrusted blog, which raises a lot of doubts about his system administrator qualifications. That said, I believe one way to protect against a "rm -fr /" attack of this type would be through the use of mandatory access control. But I'll let someone familiar with SELinux address this. Also, even though this would seem like a completely unfixable catastrophic event (if the attack was successful), this is where the backup system would come into play.

Quote:
Please don't say it is not possible; I bet you can write it and I bet somebody will be attacked by this. It's not too hard and it can be done with some effort. In Windows we have some method to protect against it, because antivirus tests the pattern before it executes. Unfortunately this is not true for Linux; Linux needs another kind of realtime scan engine, to block unnecessary shell commands or other kinds of harmful software from executing.
The ClamAV website lists third-party on-access tools you can try.

Quote:
So, is it a virus? We can say yes, because it causes damage. If you say it is not, then what is the definition of a virus?
A shell script with a "rm -fr /" in it could never be considered a virus, as by doing a "rm -fr /" no infection is taking place. Wikipedia has a decent explanation of computer viruses.

Last edited by win32sux; 09-17-2007 at 01:00 PM.
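
Whether /home is really mounted noexec, as suggested in the post above, can be checked from the mount table. The following is an added example, not part of the original post: it finds the mount that covers a path in a /proc/mounts-style table and lists which of noexec, nosuid and nodev are missing (the last two go beyond what the post mentions). The function names and the sample table are constructed for illustration.

```shell
#!/bin/sh
# Added example: does the filesystem holding a path carry noexec?
# Reads a mount table in /proc/mounts format on stdin:
#   device mountpoint fstype options dump pass

# Constructed sample table (not taken from a real host).
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw,relatime 0 0
/dev/sda3 /home ext3 rw,nosuid,nodev 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
/dev/sdb1 /home/shared ext3 rw,noexec,nosuid,nodev 0 0'

# mount_opts PATH -> options of the mount that covers PATH.
# The covering mount is the longest mount point that is a path prefix of
# PATH; on a tie the later line wins, because it is mounted on top.
mount_opts() {
    awk -v p="$1" '
        {
            mp = $2
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                if (length(mp) >= best) { best = length(mp); opts = $4 }
            }
        }
        END { if (best) print opts; else exit 1 }
    '
}

# missing_hardening PATH -> space-separated list of the options from
# "noexec nosuid nodev" that the covering mount lacks (empty if none).
missing_hardening() {
    _opts=$(mount_opts "$1") || { echo "no covering mount found" >&2; return 2; }
    _missing=
    for _o in noexec nosuid nodev; do
        case ",$_opts," in
            *",$_o,"*) ;;                      # option present
            *) _missing="$_missing $_o" ;;     # option absent
        esac
    done
    printf '%s\n' "${_missing# }"
}

# Demo on the constructed table. On a live system:
#   missing_hardening /home/someuser < /proc/mounts
for path in /home/grandma /home/shared/docs /tmp/x /homework; do
    printf '%-20s missing: %s\n' "$path" \
        "$(printf '%s\n' "$SAMPLE_MOUNTS" | missing_hardening "$path")"
done
```

noexec only stops files on that filesystem from being executed directly; it does not restrict what an interpreter installed elsewhere reads, so it complements the mandatory access control and backup measures mentioned in the post rather than replacing them.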
 
Old 09-17-2007, 01:55 PM   #26
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
Quote:
In Windows we have some method to protect it, because antivirus test the patern (sic) before it execute.
If you didn't run windows as an Admin user, you probably wouldn't have gotten the virus installed in the first place. Most users do however because they want to either avoid the hassle, or because some older software doesn't work otherwise. I'm sure you've witnessed many users being scolded on this site for running as root. A zero day exploit or unknown exploit won't be stopped by your anti-virus program.

Another major difference is that most Linux users install signed open source packages from their distributions. For windows, most software is closed source, and you are installing binary files that no one except the authors know anything about. Shareware is just as bad or even worse. Remember that it was pkzip that invented spy ware.

Whether you run Linux or Windows, you need to be aware of root kits. An anti-virus program in Windows can't help much with this, because it can't see it.

Viruses are not as common as they used to be. Exploiting apps and web services is more common. As well as hacking.

For your ssh example, if you have sshd running, be sure to secure it. Deny root logins. Use "AllowUsers" or "AllowGroups" to restrict who can log in. Consider changing the port number to reduce the number of script kiddie attacks.
If you run the mysql server, be sure to read their manual that they install in /usr/share/doc/mysql-<version>/manual.pdf or /usr/share/doc/packages/samba/manual.pdf. There is a chapter on securing mysql. You need to give the root user a password and a couple of other things before you connect to the network. If you have a web app that uses it, be sure that user inputs are protected against sql injection. These things need to be done in Windows as well. In windows, make sure that you don't share the C:/ drive. That will guarantee an infection.
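
The sshd advice in the post above (deny root logins, restrict logins with AllowUsers or AllowGroups, consider a non-default port) can be checked mechanically. This is an added example, not part of the original post: it reads an sshd_config on stdin and evaluates the global section, where keywords are case-insensitive and the first occurrence of a keyword is the one that takes effect. The function names and both sample configurations are constructed; Match blocks and Include files are not evaluated.

```shell
#!/bin/sh
# Added example: audit the global section of an sshd_config read on stdin.

# Constructed samples (not from a real host). In SAMPLE_WEAK the second
# PermitRootLogin line is ignored by sshd because the first one wins.
SAMPLE_WEAK='# constructed sample
Port 22
PermitRootLogin yes
PermitRootLogin no
Match User backup
    AllowUsers backup'

SAMPLE_HARDENED='port=2222
permitrootlogin no
AllowGroups sshusers'

# sshd_effective KEYWORD -> value used in the global section, or "unset".
sshd_effective() {
    awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        {
            sub(/^[ \t]+/, "")
            if ($0 == "" || $0 ~ /^#/) next
            # keyword and value are separated by blanks or by one "="
            if (!match($0, /[ \t]*=[ \t]*|[ \t]+/)) next
            key = tolower(substr($0, 1, RSTART - 1))
            val = substr($0, RSTART + RLENGTH)
            sub(/[ \t]+$/, "", val)
            if (key == "match") exit            # global section ends here
            if (key == want) { print val; found = 1; exit }
        }
        END { if (!found) print "unset" }
    '
}

# sshd_audit -> prints one line per check; returns the number of findings.
sshd_audit() {
    _cfg=$(cat)
    _get() { printf '%s\n' "$_cfg" | sshd_effective "$1"; }
    _n=0
    _root=$(_get PermitRootLogin | tr 'A-Z' 'a-z')
    if [ "$_root" != no ]; then
        echo "FINDING PermitRootLogin is '$_root', not 'no'"
        _n=$((_n + 1))
    fi
    if [ "$(_get AllowUsers)" = unset ] && [ "$(_get AllowGroups)" = unset ]; then
        echo "FINDING neither AllowUsers nor AllowGroups restricts who can log in"
        _n=$((_n + 1))
    fi
    _port=$(_get Port)
    case $_port in
        unset|22) echo "NOTE Port is '$_port': default port 22 in use" ;;
        *)        echo "OK   Port $_port" ;;
    esac
    return "$_n"
}

# Demo on the constructed samples. On a live system:
#   sshd_audit < /etc/ssh/sshd_config
printf '%s\n' "$SAMPLE_WEAK"     | sshd_audit || echo "findings: $?"
printf '%s\n' "$SAMPLE_HARDENED" | sshd_audit || echo "findings: $?"
```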
 
Old 09-18-2007, 02:59 AM   #27
kstan
Member
 
Registered: Sep 2004
Location: Malaysia, Johor
Distribution: Dual boot MacOS X/Ubuntu 9.10
Posts: 851

Rep: Reputation: 31
Quote:
Originally Posted by win32sux View Post
The ClamAV website lists third-party on-access tools you can try.
Well, it seems these tools are workable, even though I've never used them before.

Anyway, the viruses/trojan/worm or etc kind of tools is simply a piece of program, just how the piece of software we write it or deliver it.

Assume there is 1 windows perform "format c:" once you execute it. It of course consider an viruses, no matter this is macro, a .bat, vbscript right? If you say don't what you want to explain to general users for this piece of software? Probably you will say this a code which will hurt your computer?

So, I feel that in realistic hacking and viruses is more or less work together and really hard to differentiate. I hack it, I plan viruses in (or you can say back door or whatever, but it is no difference). In user point of view, this is viruses and it attacking desktop computer.

So, my opinion is in currently world, no matter in Linux or Windows, any script, code, injection in a program, back door can consider as viruses. The purpose differentiate whether it is a tools, or a viruses (Especially Open Source Toolkit like password cracking tools).

As I mentioned, sometimes in open source world we sacrifice some good security practises because of we want to productivity. It is true at least for myself. Just an example I using Ubuntu 7.04, but I can install kompozer/nvu in official website. I'm forced to install via http://ppa.launchpad.net/tonyyarusso/ubuntu.

This is sad but the fact.

Regards,
Ks
 
Old 09-18-2007, 04:36 AM   #28
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by kstan View Post
Anyway, the viruses/trojan/worm or etc kind of tools is simply a piece of program, just how the piece of software we write it or deliver it.

Assume there is 1 windows perform "format c:" once you execute it. It of course consider an viruses, no matter this is macro, a .bat, vbscript right? If you say don't what you want to explain to general users for this piece of software? Probably you will say this a code which will hurt your computer?
I don't know how to write a virus, but even if I did, this isn't the place to be sharing that type of knowledge - it's against the LQ rules. There's other places on the WWW where you can learn to do stuff like that, but no links or hints will be provided here.

Quote:
So, I feel that in realistic hacking and viruses is more or less work together and really hard to differentiate. I hack it, I plan viruses in (or you can say back door or whatever, but it is no difference). In user point of view, this is viruses and it attacking desktop computer.

So, my opinion is in currently world, no matter in Linux or Windows, any script, code, injection in a program, back door can consider as viruses. The purpose differentiate whether it is a tools, or a viruses (Especially Open Source Toolkit like password cracking tools).
Even though to most end-users the term "virus" can apply to all kinds of malware, this here is a technical forum, so we will try to keep things technical and call them by what they are. Virus, trojan, rootkit, backdoor, etc. - they are all different types of malware, each with its own characteristics.

Quote:
As I mentioned, sometimes in open source world we sacrifice some good security practises because of we want to productivity. It is true at least for myself. Just an example I using Ubuntu 7.04, but I can install kompozer/nvu in official website. I'm forced to install via http://ppa.launchpad.net/tonyyarusso/ubuntu.
Well, NVU stopped being maintained, so it was pulled from the Debian and Ubuntu repositories. Notice how Ubuntu included NVU in Universe up until Edgy (Ubuntu 6.10). My guess is that Ubuntu is waiting for Kompozer (the new, maintained NVU fork) to get accepted into Debian Experimental/Unstable before they allow it into Universe. I'm sure it's bound to happen sooner or later (as long as it complies with all the Debian requirements), as I know it's on many Debian users' wishlists. But yes, you have a valid point. And it gets much worse, really, like we mentioned earlier about binary-only packages (Flash, etc.). At least with NVU/Kompozer you have the source code available to audit.

Last edited by win32sux; 09-18-2007 at 04:54 AM.
 
Old 09-18-2007, 06:16 AM   #29
kstan
Member
 
Registered: Sep 2004
Location: Malaysia, Johor
Distribution: Dual boot MacOS X/Ubuntu 9.10
Posts: 851

Rep: Reputation: 31
Quote:
Originally Posted by win32sux View Post
I don't know how to write a virus, but even if I did, this isn't the place to be sharing that type of knowledge - it's against the LQ rules. There's other places on the WWW where you can learn to do stuff like that, but no links or hints will be provided here.
I feel this is an argumentative statement, this is a security forums and I thought we should face the fact what viruses going to birth later, for all Linux OSes.

Don't discuss the threats, don't you think that we are sit on the problem? Of course we don't show the code, but we talk about the ideal.

I believe, the purpose is clean and open, what is the possible way for the birth of linux viruses, and how kill it before it birth. Don't you think it cool? Don't you think it is open? We should keep it secret?

**This is edited because I found that this post have no any point yet which estimate what virus will birth at future. Base on previous reply, actually until now, technically I can't say any Linux virus I saw before, if we not consider openoffice macro viruses or flash viruses as part of Linux viruses.
all kind of situation Linux OSes have excuses? Like this is adobe problem, that for openoffice problem, later on maybe we say this or that for gnome/kde problem. I don't think the program which attacking linux kernel only we call it Linux viruses**

Again, I believe the meaning of viruses is change a bit, is almost equal malware who bring the harm to your computer. No matter what method.

So, script with 'rm -rf ~/' is a virus, but we have a way to secure it? If I'm not mistaken a script in windows 'format c:\' will detect by antivirus, and it's consider as viruses.

regards,
Ks

Last edited by kstan; 09-18-2007 at 06:33 AM.
 
Old 09-18-2007, 07:27 AM   #30
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by kstan View Post
I feel this is an argumentative statement, this is a security forums and I thought we should face the fact what viruses going to birth later, for all Linux OSes.
This statement implies that we don't have any viruses right now. We most certainly don't have any outbreaks, but to imply that we don't have any viruses at all is far from the truth IMHO. We've seen Linux viruses in the past, why wouldn't we see them today? I believe your systems would be much more secure if you acknowledge the clear and present danger that malware such as viruses represent to *any* generic OS.

Quote:
Don't discuss the threats, don't you think that we are sit on the problem? Of course we don't show the code, but we talk about the ideal.

I believe, the purpose is clean and open, what is the possible way for the birth of linux viruses, and how kill it before it birth. Don't you think it cool? Don't you think it is open? We should keep it secret?
I think you may have misunderstood my post. What I'm saying is that even if I knew how to write a virus (which I don't), I wouldn't share instructions on how to do it here. I also won't allow other users to do it. Doing so would violate the LQ Rules. LQ cannot be put in a position where it is being used to teach people how to create malware.

Quote:
**This is edited because I found that this post have no any point yet which estimate what virus will birth at future. Base on previous reply, actually until now, technically I can't say any Linux virus I saw before, if we not consider openoffice macro viruses or flash viruses as part of Linux viruses.
all kind of situation Linux OSes have excuses? Like this is adobe problem, that for openoffice problem, later on maybe we say this or that for gnome/kde problem.
I don't recall giving you "excuses" about anything like this.

Quote:
I don't think the program which attacking linux kernel only we call it Linux viruses**

Again, I believe the meaning of viruses is change a bit, is almost equal malware who bring the harm to your computer. No matter what method.
No. The method DOES matter. It matters greatly. Just because a program harms your computer doesn't make it a virus. Clueless end-users might not see any difference, but that doesn't mean we should follow suit.

Quote:
So, script with 'rm -rf ~/' is a virus
No, it's not. That command doesn't meet any virus criteria at all.

Quote:
but we have a way to secure it? If I'm not mistaken a script in windows 'format c:\' will detect by antivirus, and it's consider as viruses.
If you want Linux antiviruses to detect scripts which have a "rm -fr /" or similar in them, perhaps you could suggest this to some antivirus developers. Maybe mention it on the ClamAV mailing list or something like that. ClamAV does in fact detect more than just viruses (it detects some exploits, worms, trojans, etc.), but my guess is that they have very good reasons for not including "rm -fr /" in their definition file. BTW, if you want to have a general idea of the type of Linux nasties (including a few viruses) that ClamAV detects, try a quick search of their database.

Last edited by win32sux; 09-18-2007 at 07:45 AM.
 
  

