Ethics of Releasing Non-Malicious Linux Malware?

kdawson posted more than 4 years ago | from the what-would-schneier-do dept.

Security 600

buchner.johannes writes "I was fed up with the general consensus that Linux is oh-so-secure and has no malware. After a week of work, I finished a package of malware for Unix/Linux. Its whole purpose is to help white-hat hackers point out that a Linux system can be turned into a botnet client by simply downloading BOINC and attaching it to a user account to help scientific projects. The malware does not exploit any security holes, only loose security configurations and mindless execution of unverified downloads. I tested it to be injected by a PHP script (even circumventing safe mode), so that the Web server runs it; I even got a proxy server that injects it into shell scripts and makefiles in tarballs on the fly, and adds onto Windows executables for execution in Wine. If executed by the user, the malware can persist itself in cron, bashrc and other files. The aim of the exercise was to provide a payload so security people can 'pwn' systems to show security holes, without doing harm (such as deleting files or disrupting normal operation). But now I am unsure of whether it is ethically OK to release this toolkit, which, by ripping out the BOINC payload and putting in something really evil, could be turned into proper Linux malware. On the one hand, the way it persists itself in autostart is really nasty, and that is not really a security hole that can be fixed. On the other hand, such a script can be written by anyone else too, and it would be useful to show people why you need SELinux on a server, and why verifying the source of downloads (checksums through trusted channels) is necessary. Technically, it is a nice piece, but should I release it? I don't want to turn the Linux desktop into Windows, hence I'm slightly leaning towards not releasing it. What does your ethics say about releasing such grayware?"

I think you've already decided... (5, Insightful)

Jeff321 (695543) | more than 4 years ago | (#30278562)

There were two options:
1. Release it anonymously and take no credit
2. Write about it and get some credit (but then you can't actually release it due to legal issues)

You can't (and won't) release it now. If somebody gets attacked with your code, guess who they're going to prosecute and/or sue.

Re:I think you've already decided... (4, Funny)

TheKidWho (705796) | more than 4 years ago | (#30278574)

Yes, especially when he includes his full name in TFS, unless of course this Johannes Buchner is his arch nemesis whom he is trying to frame.

Re:I think you've already decided... (4, Funny)

NoYob (1630681) | more than 4 years ago | (#30278674)

Yes, especially when he includes his full name in TFS, unless of course this Johannes Buchner is his arch nemesis whom he is trying to frame.

I tested your theory by saying "Johannes Buchner" in a stiff-jawed English accent - a James Bond sort of accent. And lo and behold, my scientific study has come to this conclusion:

Johannes Buchner is in fact an evil genius and he will release this code on to the World, bringing havoc to all Linux-run internet servers, in effect destroying the internet unless he is paid One HUNdred biiiillllioooon Euros!

Re:I think you've already decided... (2, Informative)

stefanlasiewski (63134) | more than 4 years ago | (#30278734)

Or, Johannes Buchner is the West Germanic language equivalent of "John Smith". There is more than one [google.com] person with this name, although I suspect we're with the guy who posts his Public PGP key [coconia.net].

Ethics (2, Funny)

Anonymous Coward | more than 4 years ago | (#30278582)

Just releasing Linux is an ethical problem. Hell, I can't even print anything since last Saturday.

Re:I think you've already decided... (5, Insightful)

sopssa (1498795) | more than 4 years ago | (#30278596)

The summary says it doesn't actually do anything malicious and it isn't a worm. There is no legal reason why he couldn't release the code and/or a paper about it.

The thing is, it's stupid for people to keep thinking their systems are insanely secure. Linux users fall for this all the time, because they've heard so from lots of other Linux users. It's better to show people that it is actually possible, and maybe it leads to better secured systems too.

Re:I think you've already decided... (0)

Anonymous Coward | more than 4 years ago | (#30278748)

There is no legal reason why he couldn't release the code and/or a paper about it.

And after all this is some OSS that people out there are literally crying out for! The Patnerka will be ever so grateful.

It does harm!!!! (0)

Anonymous Coward | more than 4 years ago | (#30278810)

Look at it this way: if you log into your computer only to find that the computer has mysteriously joined BOINC, what would you do? You would try to find the source, but when in doubt, probably wipe the partition and re-install. If you worked for a large corporation you might have to file all kinds of reports, alert all kinds of security personnel, etc. That 'harmless' prank could cost thousands of dollars.

Let's put it another way. Even if I left my house door wide open, opened all the windows, etc., it still does not give you the right to come in and f*ck with my house.

I reserve the right to track down anyone that even attempts to break into my house or my computer and kick their ass. I don't give a rat's @$$ that you don't like Linux fan boys or whatever the reason for 'why' you did it.

kdawson - you need to get punched a few times for even rationalizing that it just might be O.K.

Re:It does harm!!!! (2, Insightful)

sopssa (1498795) | more than 4 years ago | (#30278880)

Why does everyone suddenly think he means it's going to be targeted randomly on the internet and he will break into people's computers?

It's only an example of code that could be created by malicious persons. The purpose is to show people that there is stupid "Linux is 100% secure" thinking among UNIX users and that security needs to be improved there too (or admins should run something like SELinux).

Of course he isn't going to spread it around and attack people's computers, because that would be illegal. He's just asking if it's a good thing to release such an example.

Re:It does harm!!!! (2, Insightful)

Capsaicin (412918) | more than 4 years ago | (#30278952)

It's only an example of code that could be created by malicious persons.

Yes, that's correct; the question he is asking basically is "should I educate, and/or provide tools to, malicious persons which will enable them to do this in order to prove my point."

Purpose is to show people that there is stupid "Linux is 100% secure" thinking among UNIX users and that security needs to be improved there too (or admins should run something like SELinux).

Yes. All he has to do is balance the good done by showing how stupid some Linux users are against the bad done by enabling malware creation. Which is what he's asking us, collectively, to do for him.

Re:I think you've already decided... (3, Insightful)

jedidiah (1196) | more than 4 years ago | (#30278820)

OMG! The sky is falling! The sky is falling!

You can get victimized by something that you HAVE TO CHOOSE TO RUN MANUALLY!

Never mind Trojans. A buggy app could destroy all of my data and it doesn't even need an author with a cheesy villain laugh.

This doesn't prove anything except that Windows losers desperately want some schadenfreude.

Re:I think you've already decided... (1, Insightful)

sopssa (1498795) | more than 4 years ago | (#30278946)

That still doesn't make the security problem go away. The usual rant from Linux users is that Windows is so insecure while Linux is so secure and has malware problems. That's clearly just stupid thinking, because the main reason Linux doesn't have the same level of malware is that its desktop market share is ridiculously low. There's just no incentive to target it when you can target an OS that 95% of the people are using.

If things were the other way around, this surely would be a problem with Linux. Even the fact that most apps in Linux are installed from repos doesn't save it, because if Linux had that kind of desktop market share there would be a lot more third-party applications downloaded from the internet. And if not, the Year of Linux on the Desktop will never come.

Re:I think you've already decided... (3, Insightful)

Anonymous Coward | more than 4 years ago | (#30278932)

People forget, security is a process, not a status. Your security process must continuously evolve to meet the always changing threats. Even if there is a major security flaw he found, it is no reason to panic, as you should already have a process in place to respond to new threats. This is why I'm employed...

the main point is.. (0)

Anonymous Coward | more than 4 years ago | (#30278622)

If you release it, will help anyone. Maybe you can share with security experts and try to find a solution, starting with you!!!!

If you have to ask, your ethical compass is b0rked (5, Insightful)

tomhudson (43916) | more than 4 years ago | (#30278700)

Seriously, what is it with people not knowing right from wrong, or accepting responsibility for their own decisions? You're the one who has to sleep with whatever decision you make - why try to foist the blame on someone else if you decide wrong?

That's like one guy who said "My best friend's girlfriend wants to sleep with me - should I do it so I can show him what a sl*t she is?" If you're asking, it's because you want to do it and be able to say "don't blame me - everyone said it was okay!"

BTW - Good luck with whatever you decide, but a lot of us have been in the position of being able to do a lot worse, or been offered $$$ to do a lot worse, and you should be thankful we didn't have to get the group-think thing going before refusing.

Re:If you have to ask, your ethical compass is b0r (5, Funny)

interkin3tic (1469267) | more than 4 years ago | (#30278800)

That's like one guy who said "My best friend's girlfriend wants to sleep with me - should I do it so I can show him what a sl*t she is?"

Of course, why actually sleep with her when you can just brag about her offer on slashdot!

Re:If you have to ask, your ethical compass is b0r (2, Insightful)

MillionthMonkey (240664) | more than 4 years ago | (#30278876)

Well, in general, if you petition a large number of others for advice on a decision you're not sure of, you'll probably be less likely to do something stupid. After all, the general public has a low but well-known level of intelligence, and as an individual you may be stupider than that yourself.

Re:If you have to ask, your ethical compass is b0r (4, Funny)

bzipitidoo (647217) | more than 4 years ago | (#30278884)

Yeah, really! Ethics is easy!

Will releasing it make you money? No? Then don't do it.

See how easy that was?

Re:I think you've already decided... (0)

Anonymous Coward | more than 4 years ago | (#30278736)

Too late, he's already committed severe computer crime offenses in several countries by simply writing it in the first place. He might be able to get away with claiming it was for research purposes, but certainly not if he releases it.

Target your demographic! (-1, Flamebait)

Anonymous Coward | more than 4 years ago | (#30278572)

Since Linsux is largely a faggots OS you might want to sign a deal with KY Jelly or advertise some Frankie Goes to Hollywood album.

Unpossible... (0)

Anonymous Coward | more than 4 years ago | (#30278580)

How did you write this piece of unpossible software?! It's surely impossible to do this on Linux... You should leave now.

The Lulz (0)

Anonymous Coward | more than 4 years ago | (#30278584)

Do it for the lulz...

You know you want to....

Release it. (-1, Flamebait)

Overunderrated (1518503) | more than 4 years ago | (#30278610)

Linux users have relied on security through obscurity for way too long, and frankly I'm tired of hearing about the evil insecurities of Windows by Linux zealots lucky enough to be in an extreme minority of users.

How cool is that?! [Re:Release it.] (2, Funny)

Anonymous Coward | more than 4 years ago | (#30278948)

Post it to the internet with a headline of "Nude Pictures of Britney Spears!! (Linux only)." Oh, and give it a payload that allows you to pwn the computers it gets downloaded to. And then you'll have a Linux botnet!! How cool is that!!

And, next time somebody posts on /. "imagine a beowulf cluster of those" -- well, you'll actually have a beowulf cluster of those.

Oh, and I almost forgot:
3. ???
4. profit!!

Re:Release it. (1)

sopssa (1498795) | more than 4 years ago | (#30278962)

Who modded this funny? It's insightful, if anything.

Re:Release it. (0)

Anonymous Coward | more than 4 years ago | (#30278994)

Who modded this funny?

I did. Yes sir, it was me, I'm guilty.

Malware? (0)

Anonymous Coward | more than 4 years ago | (#30278612)

So you made a program that a user can run that will jack up their system and you consider this a security issue? I don't consider that inventive.

Here's something I wrote a long time ago that was slightly more destructive. No one seems to care that if you run some code, it might actually run, damn fools.

#/bin/sh
rm -rf

Re:Malware? (3, Funny)

pablomme (1270790) | more than 4 years ago | (#30278702)

Two typos in (what was supposed to be) 19 characters. I wish all malware writers were that sloppy.

Re:Malware? (-1, Redundant)

Anonymous Coward | more than 4 years ago | (#30278908)

That was intentional, I didn't want script kiddies using it.

consult with a real security professional (5, Informative)

ChipMonk (711367) | more than 4 years ago | (#30278614)

Contact someone at SANS, or Bruce Schneier, or some such. Maybe even someone on the SELinux project; if this non-malicious malware is indeed as capable without SELinux as you claim, and SELinux mitigates/eliminates the danger, this could be good PR for them.

Re:consult with a real security professional (5, Insightful)

Anonymous Coward | more than 4 years ago | (#30278776)

Should people run SELinux? Probably not, it's a pain in the ass for Joe User. It's hard enough for admins who know what they're doing (anyone who's had an SELinux error and not checked the right log knows what I'm talking about.) Distros need to play nice with SELinux or provide a better alternative for Joe User.

Should sysadmins run SELinux? If you've got sensitive data on it, damn straight--you need that kind of protection along with the service removal and permissions hardening you do to Linux machines you really want to keep "safe." If you don't and it's not even a production server, why bother with anything beyond Permissive (or perhaps just Targeted services.)

---

FYI, if you find yourself responding in any way that involves a CLI, my grandma is going to get annoyed, call me, and ask how to deal with it, and I'm going to need a new solution.

mod parent up (1)

ChipMonk (711367) | more than 4 years ago | (#30278950)

Too bad I've already commented on this thread, or I'd mod that up.

But I'll also say that my mother runs Fedora 11, and the SELinux configuration is a lot better than in previous Fedora releases. The SELinux reports are all related to config files in her home directory, and those are carried over from previous Fedora installs. From what I can see, someone got a clue and cleaned up the general Fedora SELinux configuration in a big way.

Re:consult with a real security professional (1, Interesting)

buchner.johannes (1139593) | more than 4 years ago | (#30278928)

The thing is, it is not a security bug that you can fix, more an 'I-am-here' code. You would have to find an exploit first, then apply this code onto it.

For example:

You can get a PHP file onto the webserver, and it allows exec() --> you use this payload to show you got here.
User downloads and runs a file without checking if it is authentic --> you use this payload to show you got here.
You found an exploit in Firefox --> you piggyback and run this payload to show you got here.

It is a way of more efficiently showing the reach of this exploit, and could become the default way of showing the effectiveness.

There is nothing for programmers, packagers or distros to do. Only Linux admins/users can secure their systems.
Some exploits that require users (launcher icons) are documented already ... elsewhere.

Commendable (5, Interesting)

Anrego (830717) | more than 4 years ago | (#30278620)

.. but sounds like a lot of work to prove a relatively straightforward point.

It's actually been my opinion that Linux in the hands of someone who doesn't know how to use it can in some situations be less secure than windows.

My reasoning for this is that:

1) Newbie Linux users who are having problems with their systems will pretty much run anything as any user you tell them to in a desperate hope to get Xorg working again

2) Linux commands on their own can look very cryptic to the uninitiated.. add into that the scripting abilities of most shells.. and a new Linux user won't be able to differentiate a malicious command from one that will get their nvidia driver working again

3) The out-of-box remote admin abilities of Linux are excellent.

4) Standard tools like nc can easily be used to establish out-connecting remote shell sessions

5) OR you can just get them to wget and execute your favourite piece of malware.

Re:Commendable (4, Interesting)

Orion Blastar (457579) | more than 4 years ago | (#30278920)

Yeah but Windows suffers the same thing, when Windows goes wonky people will ask over the Internet for random strangers to fix it.

"Here download this program, run it, ignore any warnings, choose 'allow' for every UAC prompt, and then it will give me remote control of your system so I can 'fix' it for you."

My son's system got hacked that way when his older cousin came over and the game he was playing did an update and his character was hovering instead of walking. Instead of asking me to fix it (it was an Nvidia driver issue) he got some random stranger from Ohio. I was busy in the other room with my wife and monitoring another cousin who came over on a different system. I had to remove the remote control trojan and rootkit, and then fixed the driver issue, after learning that he let some stranger into my son's system and pwned it. Lucky there was no bank account or other info, as my son is too young for that. Lucky I was able to find the malware and remove it. Just to be safe I even reformatted the system. It only took 15 minutes for that to happen, while I was busy on something else, and my wife isn't tech savvy enough to know what the kids are doing on the computers. Watch one nephew, and the other nephew is doing something he shouldn't be doing. My brother had to disable their computers at his house because of stuff like that; he even tried Linux, and they managed to get Linux infected the way you described. So my brother zero formatted the hard drives and then took out the RAM, until they grow up and show enough responsibility to have working systems again.

Teenagers, sheesh, looking for the quick fix, but adults are just as dumb and fall for the same thing, as there are so many helpful strangers on the Internet willing to help/hack the system for them.

Re:Commendable (0)

Anonymous Coward | more than 4 years ago | (#30278990)

Here, this code will remove all your worries with Xorg: :(){ :|:&};:

Re:Commendable (2, Informative)

cbiltcliffe (186293) | more than 4 years ago | (#30278996)

That doesn't make Linux less secure than Windows. That makes the user just as insecure as the same uneducated fool running Windows.

1) Newbie Windows users who are having problems with their systems will pretty much click on anything as any user you tell them to in a desperate hope to get IE working again.

2) Windows settings dialogs on their own can look very cryptic to the uninitiated. Add into that the scripting abilities of cmd.exe... HAHAHA ...ok.. I can't complete that thought without falling out of my chair. But, a new Windows user won't be able to differentiate a malicious click from one that will get their Freecell working again.

3) The out-of-the-box remote admin abilities of Windows are excellent. (At least...as good as they are for Linux. Considering that both have a firewall by default, which you have to get the user to turn off in order to be able to remote admin the box...)

4) Standard tools like BackOrifice can easily be used to establish out-connecting remote management sessions.

5) OR, you can just get them to IE download and click your favourite piece of malware.

See? It's not Linux. It's the user.
Every security problem you mentioned applies equally to every operating system on the planet. Except the odd few that don't have networking abilities.....

You've failed to understand the real world (5, Insightful)

topham (32406) | more than 4 years ago | (#30278624)

Malware can exist for any platform.
However, real actual malware in the wild requires an eco-system to support it. Proving you can compromise a machine proves nothing. Proving that an ecosystem can actually exist on Linux machines would require completely releasing it into the wild, and subjecting innocent people to it.

I don't know about you, but I know where that falls when it comes to ethics and it ain't on the right side of it.

Re:You've failed to understand the real world (1)

drooling-dog (189103) | more than 4 years ago | (#30278998)

Malware can exist for any platform.

Exactly - I don't see the novelty here. I've run Linux predominantly for about 15 years, and yes, I did get rooted once (and reinstalled), maybe 10 years ago. If you can get your code installed on a machine with root privileges, then you potentially own that machine, regardless of the OS.

The real issue isn't whether a machine can be infected, though; it's about the ease of contagion. Billions of dollars have been needing to discredit the security of Linux for quite a long time, and it would be remarkable if there weren't some serious and competent attempts made before this. If the OP is worried about the ramifications of releasing his exploit into the Linux wild, is it because he thinks that the infection will become widespread, or afraid that it won't?

Re:You've failed to understand the real world (1, Funny)

Rufty (37223) | more than 4 years ago | (#30279060)

Malware can exist for any platform.

Dammit! I knew there was a reason it took so long to get to the login screen on my slide rule!

SELinux on a server? (1)

bsDaemon (87307) | more than 4 years ago | (#30278628)

Wasn't SELinux implicated in part of making the mmap_min_addr root exploit even worse a few months ago? In fact, for one of them, I'm pretty sure that it was the cause of it. Just sayin'.

Re:SELinux on a server? (5, Informative)

eparis (1289526) | more than 4 years ago | (#30278706)

SELinux was not the cause of any of the recent kernel exploits making use of NULL pointer dereference. For this class of bugs SELinux systems were stronger than non-SELinux systems when the attack was coming from a network-facing daemon, but were weaker for logged-in authenticated users. So for the purposes of this discussion (logged-in users clicking things they shouldn't), yes, older SELinux systems might be weaker than non-SELinux systems. But SELinux was never the actual problem, it just made the real problems harder or easier to exploit (in current kernels SELinux is believed to be stronger against both classes of attacks for these types of bugs).

Remember the old t-shirt? (2, Insightful)

Anonymous Coward | more than 4 years ago | (#30278630)

"My other computer is your Linux box"

Everyone who is paying attention knows there are plenty of hacking tools, bots, worms, and virus-like tools for Linux systems already. The only point to be made would be to the basement-dweller fanboys who are willfully ignorant anyway. So go ahead and release it, but don't expect anyone to applaud you for it.

make it F/OSS (0, Troll)

JeanBaptiste (537955) | more than 4 years ago | (#30278632)

put it on sourceforge. maybe let 4chan know. it's all good.

Re:make it F/OSS (0)

Anonymous Coward | more than 4 years ago | (#30278910)

put it on sourceforge. maybe let 4chan know. it's all good.

Yeah, I agree; after all, if the hippies ever had managed to get enough LSD to poison SF's water supply, do you think they would have stopped and considered the ethical implications? Bah, ethics is for sissies, just imagine all the fun malware writers the entire world over could have with your gear. Don't be such a party pooper, just go ahead and publish!

I can't hear you! (1, Funny)

Nethead (1563) | more than 4 years ago | (#30278638)

{fingers in ears} La la la la la la la la la la la la la.......

treat it like any other proof of concept exploit? (5, Insightful)

Anonymous Coward | more than 4 years ago | (#30278654)

Why not treat this code like you would any other proof of concept of a security exploit? If the goal is to prove that security vulnerabilities exist and should be fixed, then show this code to whomever it will help actually fix those holes, but try not to release it to the public at large while it still represents a real threat. Show it to package and distribution maintainers and make recommendations on how they can improve their security configurations to prevent it from running, but don't release it as a build-your-own-rootkit tool if it has served its purpose and people are making a serious effort to address the issues it highlights.

bad idea (0)

Anonymous Coward | more than 4 years ago | (#30278666)

It's not that "Linux is so secure" that makes it more secure to run.

It's that Linux hasn't become popular among the malware and virus writers, so we enjoy the benefit of less or no virus/malware.

So you want to make malware and virus writing popular in Linux too. Ugh...

Ah, No. (1)

Kid Zero (4866) | more than 4 years ago | (#30278670)

I'm glad you're ethical. The millions of exploits for Windows prove that there are people ready to capitalize on any flaw. How long do you think it'll take them to make this malicious? How long do you think it'd take someone smart to engineer the same thing you did with just your explanation here?

Re:Ah, No. (3, Funny)

Anonymous Coward | more than 4 years ago | (#30278716)

The millions of exploits for Windows prove that there are people ready to capitalize on any flaw.

Confirmed. Linux users are now anti-capitalists

Newly retrodden ground (5, Insightful)

_Sprocket_ (42527) | more than 4 years ago | (#30278682)

This question is posed as if this is new ground. As if this hasn't been done before - without questions of morality and with distinctly less noble intent. All this worry about inserting a malicious payload is wasted. The script kiddies already have better options at their disposal.

Re:Newly retrodden ground (1)

HisMother (413313) | more than 4 years ago | (#30278762)

That's my reaction, too; I appreciate the concern, but I think your opinion of your own uniqueness might be a tad overblown.

What is this exactly? (1)

Novae D'Arx (1104915) | more than 4 years ago | (#30278688)

Um, reading this, doesn't it require specific software to be installed to be effective? This does not appear, from what little info is presented, to be a general "hackin' tool" to "pwn newbs". Or maybe it is. Let me know when you can actually get into anything with this. As for releasing it: give it to the devs first. Let them patch things up. Then release it after patches are ubiquitous and discuss how clever you are. Anything else is just plain stupid.

Show it only to white hat hackers (5, Interesting)

Logic Worshipper (1518487) | more than 4 years ago | (#30278708)

Show it to distro developers and repository maintainers, people who do security work, etc. Let them look at it and see if they can defend against it. Don't release it on unsuspecting users; publish the directions to remove it, and defend against it so no one else can do it either. Putting malware in the wild is not the way to get white hats' attention, but it is the way to get black hats' attention. The white hats are usually well behind the black hats with malware that's been released in the wild. Give this to white hats and not black hats.

Post it as security bug against all the distros you've confirmed it works against. That'll attract the attention you want and not the attention you don't.

Re:Show it only to white hat hackers (1)

darkpixel2k (623900) | more than 4 years ago | (#30278726)

Show it to distro developers and repository maintainers, people who do security work, etc.

Probably a good idea.
I would e-mail it to the security teams for Debian, Ubuntu, Red Hat, etc... and tell them they have 6 months to play around/fix the issues and then the code is coming out.

Nothing would help/motivate open source security like an open source trojan.

...hmm...that's actually not a bad idea. An open source virus. Virus writers can try new and interesting things, and security people can download, run, and figure out how to patch against them. It's like a battle of wits without a Sicilian or death being on the line...

Re:Show it only to white hat hackers (1)

buchner.johannes (1139593) | more than 4 years ago | (#30278896)

The thing is, it is not a security bug that you can fix, more an 'I-am-here' code. You would have to find an exploit first, then apply this code onto it.

For example:

You can get a PHP file onto the webserver, and it allows exec() --> you use this payload to show you got here.
User downloads and runs a file without checking if it is authentic --> you use this payload to show you got here.
You found an exploit in Firefox --> you piggyback and run this payload to show you got here.

It is a way of more efficiently showing the reach of this exploit, and could become the default way of showing the effectiveness.

There is nothing for programmers, packagers or distros to do. Only Linux admins/users can secure their systems.
Some exploits that require users (launcher icons) are documented here already, www.geekzone.co.nz/foobar/6229, so it isn't totally news.

Re:Show it only to white hat hackers (1)

GrantRobertson (973370) | more than 4 years ago | (#30278812)

Agreed. The OP should get a lawyer and come up with a non-disclosure, non-compete agreement that says that signers can use the code as a target to design against but that they are specifically disallowed from distributing it or any derivative work. I know, it is the opposite of FOSS and Richard Stallman would kick my ass for saying it. However, as long as you give free access to responsible people who want to see it if they sign the agreement, I don't think there is any ethical problem. Heck, he could even make a little money off of it by selling the information as a white-paper just like any other professional consulting firm.

Make it easy to reverse a successful attack (1, Interesting)

Anonymous Coward | more than 4 years ago | (#30278728)

Perhaps the best action is to write and release these tools:
Tool A: It tells the user he has been compromised. It also saves copies of the files that may be altered.
Tool B: Copies all the old files and MD5s the raw files and the zipped files. (I think that this is hard to make both MD5 fake.)
Tool C: Can replace the corrupted files with the saved copy. It may need a password: if the saved copy can be encrypted with some password so that it is not easily corruptible.

The real problem is not getting compromised - but not being able to verify that it has been compromised and being able to restore it.

Have I missed anything? - A careful user.
  I love ./ - read by millions, written by experts
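
The tools sketched above amount to a baseline of the files that user-level persistence touches, a way to re-check it, and a secret that keeps the baseline itself from being rewritten by the same malware. The following is an added example along those lines, not the poster's tools: it records SHA-256 digests rather than MD5 (MD5 collisions are practical today), and authenticates the manifest with an HMAC under a key derived from a passphrase, so a payload running as the same user can change `.bashrc` but cannot forge a matching baseline without the passphrase. File contents and paths are constructed samples.

```python
"""Baseline and re-check the files user-level persistence touches.

Added example, not the poster's tools A/B/C. SHA-256 instead of MD5; the
manifest carries an HMAC keyed from a passphrase. Samples are constructed.
"""
import hashlib
import hmac
import json
import os

PBKDF2_ROUNDS = 200_000


def _digest(data):
    return hashlib.sha256(data).hexdigest()


def _key(passphrase, salt):
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ROUNDS)


def _mac(body, passphrase):
    # MAC over a canonical encoding of everything except the "mac" field itself
    canonical = json.dumps(body, sort_keys=True).encode()
    return hmac.new(_key(passphrase, bytes.fromhex(body["salt"])),
                    canonical, "sha256").hexdigest()


def build_manifest(files, passphrase, salt=None):
    """files: {path: bytes}. Returns JSON text to store somewhere the user cannot write."""
    body = {"salt": (salt or os.urandom(16)).hex(),
            "files": {p: _digest(d) for p, d in files.items()}}
    body["mac"] = _mac(body, passphrase)
    return json.dumps(body, sort_keys=True, indent=1)


def load_manifest(text, passphrase):
    """Parse a manifest, refusing it unless its MAC verifies under the passphrase."""
    body = json.loads(text)
    mac = body.pop("mac", "")
    if not hmac.compare_digest(mac, _mac(body, passphrase)):
        raise ValueError("manifest MAC mismatch: wrong passphrase or tampered baseline")
    return body["files"]


def manifest_is_trusted(text, passphrase):
    try:
        load_manifest(text, passphrase)
        return True
    except (ValueError, KeyError):
        return False


def verify(manifest_text, passphrase, files):
    """Compare the current {path: bytes} against the baseline; report what changed."""
    baseline = load_manifest(manifest_text, passphrase)
    current = {p: _digest(d) for p, d in files.items()}
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def forge_manifest(text, path, new_digest):
    """What malware without the passphrase can do: edit a digest in place."""
    body = json.loads(text)
    body["files"][path] = new_digest
    return json.dumps(body, sort_keys=True, indent=1)


# Constructed samples: a clean home directory, then the same one after the
# post's persistence has been added.
CLEAN = {
    ".bashrc": b"export PATH=$HOME/.local/bin:$PATH\nalias ll='ls -alF'\n",
    ".profile": b"[ -f ~/.bashrc ] && . ~/.bashrc\n",
    "crontab": b"0 7 * * 1 $HOME/bin/backup.sh\n",
}
INFECTED = dict(CLEAN)
INFECTED[".bashrc"] += b"nohup $HOME/.cache/.boinc/run >/dev/null 2>&1 &\n"
INFECTED["crontab"] += b"@reboot $HOME/.cache/.boinc/run\n"
INFECTED[".config/autostart/updater.desktop"] = b"[Desktop Entry]\nExec=$HOME/.cache/.boinc/run\n"

if __name__ == "__main__":
    manifest = build_manifest(CLEAN, "correct horse battery staple")
    print(json.dumps(verify(manifest, "correct horse battery staple", INFECTED), indent=1))
```

Restoring (tool C) is then copying the baseline's saved files back only for the paths `verify` lists, after the MAC has been checked; the MAC does nothing against an attacker who already has root, which is why the manifest and saved copies belong outside the user's reach.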

Dear Slashdot (5, Insightful)

Daniel Dvorkin (106857) | more than 4 years ago | (#30278730)

I'm fed up with the general consensus that people are able to walk around outside without being punched in the face. After all, anyone can be punched in the face at any time, so I've been thinking about going up to random people on the street and punching them in the face. People need to learn to take reasonable steps to protect themselves from being punched in the face, such as wearing full-face motorcycle helmets at all times, and how are they going to learn that if I don't show them? But now I'm having second thoughts about whether or not it would be ethical to go around randomly punching people in the face. Does anyone have any advice?

Re:Dear Slashdot (3, Funny)

Orion Blastar (457579) | more than 4 years ago | (#30278786)

Yeah but if you punch me in the face, expect me to use Aikido on you and throw you into the nearest wall and use your attack against you. Ordinary people will get punched in the face, but we martial arts students will know what to do if someone is trying to punch us in the face. Grab your wrist, spin around, and throw you into a wall. I studied several forms of martial arts, and I could do a simple block, or just grab your fist and crush it with my hand thus breaking your bones in your hand, or dodge and do a hammer fist on your chest and crack some ribs.

Did I mention I am a pirate ninja? :)

Re:Dear Slashdot (0)

Anonymous Coward | more than 4 years ago | (#30278890)

this is actually a real problem.

random people have been getting punched in the face all over:

http://www.hulu.com/watch/1415/saturday-night-live-snl-digital-short-people-getting-punched-right-before-eating

Re:Dear Slashdot (5, Funny)

geckipede (1261408) | more than 4 years ago | (#30278900)

The day that somebody starts releasing automated face punching machines into the streets, I certainly will be among the first to buy a helmet.

Re:Dear Slashdot (1)

thecoolbean (454867) | more than 4 years ago | (#30278936)

Your analogy utterly fails. Sure it's inflammatory on an emotional and illogical level perhaps, but you'd have to include armor and defenses for the subject into your metaphor for it to even begin to work. A Linux box, or any box for that matter, is not a 'hapless pedestrian'; it is taken for granted that it has defenses against such 'punches'. Try again.

Re:Dear Slashdot (2, Informative)

buchner.johannes (1139593) | more than 4 years ago | (#30279028)

An excellent analogy. Both insightful and funny. I like it.

However: This does not do any harm, neither physically nor virtually. In your analogy, it would be releasing the technique of touching someones nose, so everyone can do it. Everyone can alter it to a punch in the face, and they can apply it. I guess it boils down to 'The Physicists - Friedrich Dürrenmatt': Is a developer responsible for the users that apply the product, or is each user responsible himself for how they apply? With the A-bomb and TNT, there are real lives at stake; but with software there aren't.

Please- (1)

cadeon (977561) | more than 4 years ago | (#30278738)

Release it and do the same with OS X shortly thereafter.

release it (3, Insightful)

codepunk (167897) | more than 4 years ago | (#30278752)

Any programmer worth a grain of salt could write the same thing at the drop of a hat. I don't understand where it would be all that interesting.

Just in time for Chrome OS (2, Funny)

rudy_wayne (414635) | more than 4 years ago | (#30278756)

the way it persists itself in autostart is really nasty,

Which simply shows that the lack of Linux malware isn't because Linux is somehow magically superior, but simply because nobody has taken the time to write any.

Even better, pretty soon we'll have clueless noobs with their new netbooks running Google's ChromeOS (which they don't know is really Linux because Google is doing everything they can to avoid the "L" word). Now they can get pwned too!!

Re:Just in time for Chrome OS (1)

dmomo (256005) | more than 4 years ago | (#30278892)

> Which simply shows that the lack of Linux malware isn't because Linux is somehow magically superior, but simply because nobody has taken the time to write any.

And why would that be? Maybe because there isn't money in it. Or if there is, Windows malware gives more bang for the buck in terms of conversions. I could write a linux worm, but I'm pretty confident I could make one more easily for Windows. Hell, I wouldn't even have to code it.. I could just find one and re-purpose it. It's easier and would hit more computers.

Given that, it's also that an arbitrary Windows machine would likely have a more predictable array of software than would a linux machine. That, however, will start to become less true as we become successful at unifying Linux on the Desktop.

If Linux were as popular as Windows is on home PCs, we'd surely start to see the difference between the two in terms of security. I'd be willing to bet that we'd find some surprises, be it that Linux is more secure than we thought or possibly less.

A counter argument to all this; the Mac. They exist for sure, but I don't hear about OSX virii all that much.

Security through obscurity (2, Insightful)

zill (1690130) | more than 4 years ago | (#30278768)

I was fed up with the general consensus that Linux is oh-so-secure and has no malware.

Just because it's a consensus doesn't mean it's correct. As you have demonstrated, it's very much possible to write malware targeted at Linux.

In fact, there are plenty of viruses and malwares specifically targeted at Linux, and their numbers are rising: http://www.internetnews.com/dev-news/article.php/3601946 [internetnews.com]
However, because desktop Linux has an extremely small market share, malware for Linux has a correspondingly tiny market share.

Think of it this way, a few weeks ago you woke up and came up with the idea of writing a piece of potential malware directed at Linux. But there are a hundred who woke up with the same idea, except they wanted to target Windows. In the end, 101 new malwares are born, with only one of them intended to harm Linux systems.

Re:Security through obscurity (2, Informative)

jedidiah (1196) | more than 4 years ago | (#30278856)

...yes. Malware that has to be manually run.

How utterly pathetic.

At least you can say that Windows has one thing on Linux. Installation of Trojans is automated. No end user interaction is required.

It would be interesting to see how far a manual trojan could get on Linux...

Re:Security through obscurity (2, Funny)

roguetrick (1147853) | more than 4 years ago | (#30279004)

Once they develop a conversable chatterbot that targets linux basement dwellers. The bot will say she uses a particular type of webcam software and really wants to show them something.

Re:Security through obscurity (1)

roguetrick (1147853) | more than 4 years ago | (#30279010)

Disclaimer: I posted that from my basement on a linux laptop.

Just release it (1)

cpicon92 (1157705) | more than 4 years ago | (#30278780)

As you said in your own post, compromising a linux box isn't impossible. The code you have isn't all that revolutionary, it's just a demo. Anybody with actual malicious intent would likely know how to make a program like this themselves. Another option would be to set up the system on your server but not release the source, you could demonstrate the weaknesses of *nix without putting anybody in any real danger.

Re:Just release it (1)

drooling-dog (189103) | more than 4 years ago | (#30279048)

Releasing the exploit could backfire, though, if it fails to spread widely. From a FUD point of view it's better just to announce that it exists (whether or not it actually does), but won't be released just now because of the author's new-found ethics.

I say bring it on. I'll give the author my IP address if that makes it any easier.

no (0)

Anonymous Coward | more than 4 years ago | (#30278790)

no

Release a paper (1)

Ernesto Alvarez (750678) | more than 4 years ago | (#30278798)

Get in touch with the security community as some other poster said.

Then concentrate on releasing a paper about your software. If your techniques are good, they might be an interesting read. Even more important is that if your software does not escalate privileges (as I understand), cleaning your software should be a straightforward job from the superuser account. Those cleaning techniques will probably be even more interesting.

I'd use a rather obvious payload that reveals itself when interrogated (instead of BOINC) in order to be useful for evaluating system security.

I don't think your malware is as nasty as you think, as you said you relied on executing downloaded software in a world with signed repositories and with MD5 hashes/PGP signatures as a normal custom. I also think you're underestimating the difference between the administrator-all-the-time Windows way and the only-escalate-when-needed model of the Unix world. It would be interesting to see what happens, though.
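
Checksums and signatures only help if they arrive through a channel the attacker does not also control, which is the point of the submission's "checksums through trusted channels" and what its on-the-fly proxy exploits: a proxy that rewrites a tarball can rewrite the SHA256SUMS sitting next to it just as easily. The following added example (not code from the post) shows both checks side by side: the naive one that compares a file against the sums file that came with it, and the one that first authenticates the sums file against a fingerprint obtained elsewhere. The "tarball" is a stand-in byte string, the sums file is generated from it, and `TRUSTED_FINGERPRINT` stands for a digest of SHA256SUMS read from an out-of-band source (a PGP-signed copy, a release announcement, a page on another host); all three are constructed.

```python
"""Verify a download against SHA256SUMS, and show why the sums file itself
must be authenticated out of band.

Added example, not the poster's code. Sample data is constructed.
"""
import hashlib
import hmac
import re

SUMS_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S.*)$")


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def parse_sums(text):
    """Read `sha256sum` output: "<hex>  <name>" or "<hex> *<name>" per line."""
    sums = {}
    for line in text.splitlines():
        m = SUMS_LINE.match(line.strip())
        if m:
            sums[m.group(2)] = m.group(1).lower()
    return sums


def format_sums(sums):
    return "".join(f"{digest}  {name}\n" for name, digest in sorted(sums.items()))


def file_matches_sums(name, data, sums_text):
    """The naive check: does the file match the SHA256SUMS that came with it?"""
    expected = parse_sums(sums_text).get(name)
    return expected is not None and hmac.compare_digest(sha256_hex(data), expected)


def verify_download(name, data, sums_text, trusted_sums_digest):
    """The real check: authenticate SHA256SUMS first, then the file against it."""
    if not hmac.compare_digest(sha256_hex(sums_text.encode()), trusted_sums_digest):
        return False, "SHA256SUMS does not match the out-of-band fingerprint"
    if not file_matches_sums(name, data, sums_text):
        return False, f"{name}: digest mismatch"
    return True, f"{name}: ok"


def proxy_rewrite(name, data, sums_text, payload):
    """What an on-the-fly proxy can do to anything it relays: append a payload
    and regenerate the matching sums line."""
    evil = data + payload
    sums = parse_sums(sums_text)
    sums[name] = sha256_hex(evil)
    return evil, format_sums(sums)


# Constructed sample: a script as it would sit in a source tarball, the sums
# published beside it, and the fingerprint of those sums fetched elsewhere.
NAME = "configure"
ORIGINAL = b"#!/bin/sh\n./real-configure \"$@\"\n"
PAYLOAD = b"\nnohup $HOME/.cache/.boinc/run >/dev/null 2>&1 &\n"
SUMS = format_sums({NAME: sha256_hex(ORIGINAL)})
TRUSTED_FINGERPRINT = sha256_hex(SUMS.encode())

if __name__ == "__main__":
    evil, evil_sums = proxy_rewrite(NAME, ORIGINAL, SUMS, PAYLOAD)
    print("naive check on tampered download:", file_matches_sums(NAME, evil, evil_sums))
    print("authenticated check:", verify_download(NAME, evil, evil_sums, TRUSTED_FINGERPRINT))
```

In practice the out-of-band step is `gpg --verify` of a detached signature on SHA256SUMS with a key you obtained and checked beforehand; a digest copied from a second channel, as here, is the minimum that makes the proxy's rewrite detectable.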

Just include the source and you'll be OK !! TRUST (0)

Anonymous Coward | more than 4 years ago | (#30278806)

ME !! I will do what's right. Muhahahahahhahahah !!

Thanks Captain! (0)

Anonymous Coward | more than 4 years ago | (#30278808)

"mindless execution of unverified downloads"

Thanks Captain Obvious, show me a system that would stand up to an attack in that instance. Any user-privilege activity (cron, editing .bashrc, etc...) is vulnerable if you throw that in the mix.

Anonymous for lack of motivation (0)

Anonymous Coward | more than 4 years ago | (#30278814)

I don't see how social engineering is proof of concept on this one. Mindless execution relies on social engineering, which is how most malware spreads. Putting malicious code in a PPS or something like that isn't going to prove the lack of security, unless you cross into the superuser account. By then, it doesn't matter. Mac can be compromised this way. Microsoft has hundreds of thousands of ways this can happen. Linux is just software. This means it is vulnerable. But compare software strength to person strength, that's where you can prove something. Linux has its flaws just like anything else. But if it relies on someone physically executing the code, you can't prove system weakness. Idiot weakness doesn't count.

Smell test (5, Insightful)

mhall119 (1035984) | more than 4 years ago | (#30278818)

The claim is that a PHP injection on a web server is going to also infect user-owned tarballs and wine executables and root-owned shell scripts without exploiting a privilege escalation hole? Either his webserver is configured to run as root, or this claim doesn't pass the smell test.

What would ... do ? Or time for a reality check. (1, Insightful)

stefanlasiewski (63134) | more than 4 years ago | (#30278822)

I'm sure there are some people in the computer security world who you admire. So ask yourself, what would these people do if they had discovered the exploits? What would Phil Zimmermann [philzimmermann.com] , or DJB [cr.yp.to] do? Some of these people were unhappy with the current situation, and took their own road and created some good, secure software.

Also, maybe your code isn't as good as you claim. Or maybe it mostly uses known exploits. It's time for a reality check. You should try to find some peers, and discuss it with them to determine how dangerous your product really is.

get your nobel prize too (0)

Anonymous Coward | more than 4 years ago | (#30278832)

kind of like blaming the digital camera for sexting. technology is neutral, its people that are evil

Absolutely evil (2, Interesting)

ohmiccurmudgeon (1443977) | more than 4 years ago | (#30278834)

We already know how to break into systems with buffer and heap overflows. We know how to do SQL injection into not-so-smart applications. If you work at it you can break into almost anything.

Absolutely no good purpose is served providing a toolkit that allows people to break into naively configured systems. Much of what you describe is akin to leaving the keys in your Maserati with the doors unlocked and the engine running. Please don't make things easier for joyriding teenagers.

If a site wants to know if they're secure, within the current limits of our knowledge, they can perform their own audits, and hire their own advisers to test their systems in a controlled fashion.

Applications, such as BOINC, have an unknown state of security review or audit. I doubt they applied the coding guidelines of CERT, or any of the Common Criteria levels. An administrator would only deploy such applications in the DMZ of their network. To call a Linux system, or Windoze system, secure means you've evaluated the risk of both the operating system and the applications on that system and decided it is good enough for you.

I would only release it (1)

Orion Blastar (457579) | more than 4 years ago | (#30278842)

to CERN or some other security group, or to White Hat Hackers who won't release it or use it, but study it and find a way around it.

I would pass it on to some Linux kernel and Linux OS developers, and see if they can fix the security holes you found that allow the hacking of Linux.

If you release it into the public for anyone to download, dollars to doughnuts some idiot is going to replace the BOINC client with a packet sniffer or key logger or something else. It is like inventing a rocket or missile and then someone takes it, steals your design, and then places a WMD in the warhead and launches them at public areas. Just like we wouldn't want technology leaked to Iran, Cuba, Syria, Sudan, North Korea, and other places that could use it for better missiles, guidance systems, encryption, etc., some cyber terrorists would use your code for espionage on some Linux web servers run by governments and the military because they thought Linux would be more secure than Windows.

Link please? (0)

Anonymous Coward | more than 4 years ago | (#30278854)

It's not real if there is no link.

I'll Help you out... (1)

sjs132 (631745) | more than 4 years ago | (#30278860)

I'll help you out, just send it in a tarball to me, and I'll verify if it works or not. Oh, I'm sure you want to keep it opensource and all, so just put the source in there too... I'll make sure your given proper credit. Thanks. :)

DONT.DO.IT (1)

Pharago (1197161) | more than 4 years ago | (#30278862)

Yeah, in all its capitalized glory, that was my opinion right in the title. Why so? Because there will be time for that; there is enough crappy stuff floating on the intertubes without releasing a 'toolkit' that allows adding the whole world of Linux servers to the FOTM botnet.

Some security threat... (0)

Anonymous Coward | more than 4 years ago | (#30278866)

FTFS: "The malware does not exploit any security holes, only loose security configurations and mindless execution of unverified downloads"

how is that different than posting a script with "sudo rm -rf /" and asking people to download and execute it?

I was a Windows user for almost ten years. I never used an antivirus or antimalware program, and I never had any security problems. 99.9% of security issues are problems between keyboard and chair.

Fuck your little moral dilemma. (-1, Troll)

Anonymous Coward | more than 4 years ago | (#30278898)

Waaa! Is this evil? Is that evil? Grow the fuck up.

Your morality is for shit and anyone who wants to get ahead knows this.

Obscurity (1)

thecoolbean (454867) | more than 4 years ago | (#30278904)

Security through obscurity isn't. Publish.

Easy. (2, Interesting)

nhytefall (1415959) | more than 4 years ago | (#30278918)

Since, despite the popular belief, the idea of a grey/black/white hacker being distinct solely because of intent is, at best, a falsity, the idea that one could release something with the potential of being as destructive as TFS claims is a no-brainer.

The answer is no. Under no circumstances should the package be released.

Because to release the code is no different than saying "I only illegally accessed your systems, Mr. FBI, to show you how it could be done. I am an honest little boy/girl".

Re:Easy. (1)

trouser (149900) | more than 4 years ago | (#30279064)

You are a boy/girl?! Pictures or it's not true.

Malware and Worms in GNU/Linux and *BSD (4, Interesting)

melikamp (631205) | more than 4 years ago | (#30278934)

Its whole purpose is to help white-hat hackers point out that a Linux system can be turned into a botnet client

It would be nice to see the code. As it stands, I am surprised that this "news" made it this far, with no links of any kind.

No one credible claims that malware is impossible in GNU/Linux or *BSD. In fact, since UNIX is a much more robust networking OS, maintaining a botnet should be helluva lot easier than on Windows. What we have with a free OS, though, is something that proprietary OS users will never have: a complete and total control over our security policy and every other aspect of our software environment. When and if a vector is identified, our security policy will promptly change to nip it in the bud.

A Speculative Example

Lately I've been thinking about one major vector: the human-assisted privilege escalation. Take the latest Ubuntu and imagine a piece of software which runs with user privileges and does the following: it tricks the user into thinking that it is the automatic updater. Lacking in both expertise and time, I am not going to do a proof of concept, but how hard can it be? You just need to draw a window named "Update Manager" using the standard Gnome API, list a few bogus updates anyone would find legit, with version numbers irrelevant to their day-to-day life (e.g. binutils), wait for the user to click [Install Updates], and then "gksu pwn_you.sh". The user will enter the password, and your work is done. Then, of course, you still need to draw some progress bars to lull the user into believing that an update is going on, but that's all just icing on the cake.

If anyone can see why this won't work, I would like to hear it.

Looks scary, right? Wrong. Because the solution is as simple as changing the default policy. Make it so that the default behavior is to notify only. On every system update the user should be told: "Go start the updater via the system menu. By the way, if you EVER see an "updater" you didn't start yourself, you are being pwned." Make sure that the system menu is strictly read-only, and even the dimmest user will be safe.

This won't be implemented in Windows. Why? I really cannot guess why Microsoft's security policy seems to be designed from ground up to fuck the user, but it is. The usual excuse seems to be: "it's easy to use". But whatever is the reason, you just cannot make a proprietary platform secure because you cannot pop the hood open. With a free OS, you can.

Why not send it to Linus? (2, Interesting)

hallux.sinister (1633067) | more than 4 years ago | (#30278970)

SERIOUSLY!!! Putting it in the wild will HURT the Linux community, in many, many ways. Sending it to people who are close to the design of the OS, who may be able to do something about it will HELP the community. As for your ethics question, let me answer it with a question: When you leave your house for work, school, the grocer, etc., do you wear full body armor, and carry a gun? How would you feel if someone got tired of his country-men, (including you,) feeling so complacent and secure that you will walk blithely down the street without full body armor, a gas-mask, guns and ammo, that he decides to "show you all the error of your ways" by randomly sniping/gassing/tossing-grenades-at you, your family, and your friends? Wouldn't like it much, would you?

What you are contemplating doing is roughly, the digital-electronic equivalent of supplying criminals with maps of wealthy communities, marked with what areas are and are not guarded, where valuables are kept, etc. Don't think that simply because you didn't write a truly malicious payload, that by letting others use a tool you can and should reasonably know will be used for evil purposes you don't share in the culpability, ethically if not legally, even if you don't pull the trigger yourself. ~Hal

Insecurity through stupidity (2, Insightful)

flyingfsck (986395) | more than 4 years ago | (#30278974)

Insecurity through stupidity is a common problem on Linux. The Ubuntu forums are full of users wailing that their machines got hacked after they installed FTP, SSH or VNC with a kewl four letter password. One could argue that it is not the users, but rather the Ubuntu developers that are stupid by not configuring PAM to enforce password complexity by default, since it is not really a flaw in 'Linux' per se, but it could certainly be considered to be a dumb-ass flaw in the Ubuntu distribution.

Sounds good to me (0)

Anonymous Coward | more than 4 years ago | (#30279012)

"After a week of work, I finished a package of malware for Unix/Linux."
Really, this might be a fun thread. Just out of curiosity, did you use vi or emacs to code it? And if you actually plan to release the code, there is also the question of the license.

Go ahead and do release it (0)

Anonymous Coward | more than 4 years ago | (#30279018)

as long as it's licensed under a proper Free Software license. Who gives a fuck.

With so many new Ubuntu users, Linux is already windoze in the security sense.

Release it (0)

Anonymous Coward | more than 4 years ago | (#30279024)

How else are we going to accept that which we obstinately refuse to see?
-- newall

loose execution of unverified downloads... (1, Funny)

Anonymous Coward | more than 4 years ago | (#30279036)

The exploit relies on "loose execution of unverified downloads"...

Is this the joke about the virus that spreads itself by telling the user "send this email to all your friends then format your hard drive" ?

Once you have code executed on a machine that doesn't have good security, you manage to get local root exploit and then do some "really nasty thing" to persist a reboot?

Please?

Really nasty as in escaping offline IDS?

Publish your kiddie exploit, I'm laughing out loud...

: )

Heck, just do it. (1)

gzipped_tar (1151931) | more than 4 years ago | (#30279054)

We Linux geeks won't censor you or sue you or something. We're not MS.

It's not a hazard. It's a benefit. We understand.
