
Looking At The New Linux Trojan

Hemos posted more than 13 years ago | from the peering-under-the-hood dept.


Da Schmiz writes: "Security firm Qualys discovered a new Linux trojan on Saturday ... details can be found on their website. Vnunet picked up the story earlier today, and then followed up with more details. They're comparing the potential impact to Code Red or worse, since more servers run Linux / Apache than NT / IIS. I don't think it's that bad, since the infection can be easily detected, but it certainly isn't good." Update: 09/08 11:58 AM GMT by H : Of course, as Kurt Seifried pointed out in e-mail: "The trojan has nothing to do with Apache. The virus attaches itself to an executable, which you must run to infect other binaries (i.e. you must run this as root). This means that infection vectors include, but are not limited to email attachments, but you must of course save the binary, then set it executable, and then run it, as root, to do any real damage. Alternatively you must download binary software and run it (again as root to do any real damage). In other words someone must run binaries of unknown origin as root, and if this is common practice then you have larger policy and education problems to deal with." So - comparing it to Code Red is a bit dubious.


Dude!!! (-1, Offtopic)

syzygysucker (464402) | more than 13 years ago | (#2266507)

Dude! I got the first post!!!!

que? (-1, Offtopic)

brujito (301318) | more than 13 years ago | (#2266508)

que?

Re:Dude!!! (-1, Offtopic)

Anonymous Coward | more than 13 years ago | (#2266522)

linux still sucks!

I can still kick your ass!

Re:Dude!!! (-1, Offtopic)

Anonymous Coward | more than 13 years ago | (#2266527)

Dude! I caught the clap off of your mom!

Technical detail: (4, Informative)

AMuse (121806) | more than 13 years ago | (#2266510)

It installs a backdoor which listens for incoming connections on UDP port 5503 or higher, and allows remote attackers to connect to, and take control of, an infected system.

Unless it also reconfigures my firewall to allow incoming traffic to port 5503 and higher and fiddles with my hosts.allow file, I'm not particularly concerned. Anyone who fails to have more than one layer of precaution on their system has a bit more to worry about.

Partial misinformation (5, Informative)

sigwinch (115375) | more than 13 years ago | (#2266558)

Unless it also ... fiddles with my hosts.allow file, I'm not particularly concerned.


Whoa, cowboy! /etc/hosts.allow only affects friendly programs that bother to parse it (e.g., inetd, or programs that use tcpwrappers). An unfriendly program is free to ignore it.

However, your advice to use kernel firewalling is sound. 'Defense in depth' is the only way to go.
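Following up on AMuse's detail that the backdoor binds UDP port 5503 or higher, and on the point above that only a kernel-level filter applies to a program that does not bother to honour hosts.allow, here is an added example (mine, not code from the thread, from Qualys or from vnunet) that reports bound UDP sockets on high ports by reading the text format the kernel exposes in /proc/net/udp. The socket table it parses is constructed for the demo; on a live host the same function is pointed at /proc/net/udp. The port threshold of 5503 comes from the comment above; the function names, the sample ports and the uid values are assumptions.

```sh
#!/bin/sh
# Added example: report UDP sockets bound to local ports >= a threshold,
# parsed from the /proc/net/udp text format.  Port 5503 comes from the
# thread; the sample table below is constructed, not captured from a host.

# Convert a hex string to decimal without relying on gawk's strtonum().
hex2dec() {
    awk -v h="$1" 'BEGIN {
        n = 0
        for (i = 1; i <= length(h); i++)
            n = n * 16 + index("0123456789ABCDEF", toupper(substr(h, i, 1))) - 1
        print n
    }'
}

# high_udp_listeners FILE MIN_PORT
# Prints "port uid" for every unconnected UDP socket (state 07) whose local
# port is >= MIN_PORT.  FILE is /proc/net/udp or a saved copy of it.
high_udp_listeners() {
    file=$1; min=$2
    tail -n +2 "$file" | while read -r sl laddr raddr st queues timer retr uid rest; do
        port=$(hex2dec "${laddr##*:}")
        # st 07 (TCP_CLOSE) is what the kernel reports for a bound, unconnected
        # UDP socket; 01 marks a connected client socket talking to one peer.
        if [ "$st" = "07" ] && [ "$port" -ge "$min" ]; then
            echo "$port $uid"
        fi
    done
}

# Constructed sample in /proc/net/udp layout: a DHCP client on port 68, two
# high-port listeners owned by uid 1000, and one connected client socket.
SAMPLE_UDP=$(mktemp)
cat > "$SAMPLE_UDP" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  42: 00000000:0044 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1111 2 0000000000000000 0
  43: 0100007F:157F 00000000:0000 07 00000000:00000000 00:00000000 00000000  1000        0 2222 2 0000000000000000 0
  44: 00000000:1580 00000000:0000 07 00000000:00000000 00:00000000 00000000  1000        0 3333 2 0000000000000000 0
  45: 0100007F:C350 0100007F:0035 01 00000000:00000000 00:00000000 00000000  1000        0 4444 2 0000000000000000 0
EOF

echo "UDP sockets bound at or above port 5503 (port uid):"
high_udp_listeners "$SAMPLE_UDP" 5503
```

On a real system `high_udp_listeners /proc/net/udp 5503` gives the same report, and the uid column tells you which account the listening process runs as, which matters for the "did it run as root?" question the thread keeps coming back to. The check is a complement to, not a substitute for, the kernel firewall: a default-deny INPUT policy with explicit accepts for the services you actually run blocks such a listener whether or not the program was written to consult tcpwrappers.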

Re:Technical detail: (2, Interesting)

Josuah (26407) | more than 13 years ago | (#2266627)

A lot of computers are set up with loose UDP. All those computers, which are quite a few, would let incoming traffic go to 5503 if a local program opened the port.

Re:Technical detail: (1)

pjgunst (452345) | more than 13 years ago | (#2266662)

Any properly administered linux box has a decent iptables / ipchains script. If not, it's about time to read the docs.
From what I've read in the article, tripwire should be able to detect an infection. Not so much to worry about, I guess.
... and of course nmap to scan for open 5503 ports (damn, it's now illegal to do so here at our university).

How hard can it be? Trojan writers will have to come up with something a little more intelligent to bring down the majority of the linux servers out there.
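The comment above says tripwire should catch an infection of this kind, since the trojan attaches itself to existing executables. As an added example (mine, not tripwire itself and not anything from the thread), here is the core of what such a tool does: record a SHA-256 digest and the permission string of every regular file under a directory, and later report anything that differs, whether the content changed, the mode changed (a newly set suid bit shows up in the permission string), or a file was added or removed. The two-file tree it builds is constructed; on a real host you would baseline /bin, /sbin and /usr/bin and keep the baseline somewhere the box cannot write to. All function and path names are assumptions.

```sh
#!/bin/sh
# Added example: a minimal tripwire-style integrity check for a directory
# of executables.  The demo tree at the bottom is constructed.

# integrity_baseline DIR
# Emits one line per regular file: "<sha256> <mode-string> <path>", sorted so
# two baselines of the same tree are directly comparable with diff(1).
integrity_baseline() {
    dir=$1
    find "$dir" -type f | LC_ALL=C sort | while read -r f; do
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        mode=$(ls -ld "$f" | cut -c1-10)      # e.g. -rwsr-xr-x shows the suid bit
        printf '%s %s %s\n' "$sum" "$mode" "$f"
    done
}

# integrity_verify DIR BASELINE_FILE
# Rebuilds the baseline and prints the differing lines; returns 0 when the
# tree is unchanged, 1 otherwise.
integrity_verify() {
    dir=$1; baseline=$2
    current=$(mktemp)
    integrity_baseline "$dir" > "$current"
    # "<" lines are entries missing from the current tree (removed, or the old
    # hash/mode of a modified file); ">" lines are new or modified entries.
    changed=$(diff "$baseline" "$current" | grep '^[<>]' || true)
    rm -f "$current"
    if [ -z "$changed" ]; then
        echo "OK: $dir matches baseline"
        return 0
    fi
    echo "CHANGED under $dir:"
    echo "$changed"
    return 1
}

# Demo on a constructed tree: take a baseline, then simulate an infector
# appending to one binary and setting the suid bit on another.
DEMO=$(mktemp -d)
printf '#!/bin/sh\necho real ls\n' > "$DEMO/ls"
printf '#!/bin/sh\necho real ps\n' > "$DEMO/ps"
chmod 755 "$DEMO/ls" "$DEMO/ps"
DEMO_BASELINE=$(mktemp)
integrity_baseline "$DEMO" > "$DEMO_BASELINE"
integrity_verify "$DEMO" "$DEMO_BASELINE"      # reports OK
printf '# appended bytes\n' >> "$DEMO/ls"
chmod u+s "$DEMO/ps"
integrity_verify "$DEMO" "$DEMO_BASELINE"      # reports both files as CHANGED
```

The baseline is only as trustworthy as the machine that reads it: if the box is already compromised, a replaced sha256sum or find can lie, which is why the real tools sign the database and why the thread's advice to boot known-good media before trusting a scan is sound.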

This will be interesting.. (2, Insightful)

PopeAlien (164869) | more than 13 years ago | (#2266512)

This could be interesting- It'll be interesting to see if just because there are more linux/apache servers out there, that means this thing will spread more and do more damage than Code Red. Or perhaps the linux machines will be better maintained than the NT machines.. We'll see.

Re:This will be interesting.. (0)

wysoft (301924) | more than 13 years ago | (#2266530)

Or perhaps the linux machines will be better maintained than the NT machines..

I wouldn't bet on it. I think more kids are running stock RedHat boxes at home than NT/IIS.

Re:This will be interesting.. (1)

mengmeng (11008) | more than 13 years ago | (#2266571)

No, it won't be very interesting, unless if a whole lot of Linux users decide to run random binary attachments all of a sudden. This trojan is not propagated in the same way as Code Red at _all_. Code Red was a worm, this is a trojan. It doesn't self-propagate at all.

Re:This will be interesting.. (1)

mr_walrus (410770) | more than 13 years ago | (#2266580)

not only do the linux users have to be braindead enough to run binary attachments, presumably they would have to be reading their mail as "root" to infect appropriate files.

i certainly don't read my email as root.

Re:This will be interesting.. (0)

kiwipeso (467618) | more than 13 years ago | (#2266647)

I'm the only user of my Mac OS X box, I read my mail as root. However, seeing as I can't get my cable modem to talk to OS X, I'm only running OS 9.

Re:This will be interesting.. (2)

sfe_software (220870) | more than 13 years ago | (#2266600)

I agree. Even the article tried to hint that this could be as bad as Code Red, but that's simply bogus...

Code Red required no action on the part of the user/administrator other than having an unpatched system. This requires someone to be careless.

This is further mitigated by the fact that, likely, the majority of infected machines won't be infected with full root access, rather it would be some random unprivileged user who infected the machine.

And even further, compare a typical Linux administrator to a typical NT administrator. 'nuff said. We patch our boxes, read security bulletins, run firewalls, and don't run random attachments.

Re:This will be interesting.. (1)

tsa (15680) | more than 13 years ago | (#2266614)

Don't be so naive... I know quite a few Linux users who don't care much about security and have their boxes directly connected to the internet. I don't know anyone who reads all his/her e-mail as root, though.

Re:This will be interesting.. (0)

seann (307009) | more than 13 years ago | (#2266655)

how do they read root@localhost ?

Re:This will be interesting.. (2, Interesting)

bigbadwlf (304883) | more than 13 years ago | (#2266638)

No kidding!
The article even mentioned (more than once) Apache and how many servers on the net run it.
So what? Unless I missed a paragraph, Apache has nothing to do with it!

I'm just waiting... (2)

cperciva (102828) | more than 13 years ago | (#2266513)

I'm just waiting for the first linux worms which install a trojaned copy of gcc (see "trusting trust").

Is it really that bad? (1)

dytin (517293) | more than 13 years ago | (#2266516)

The Trojan contains self-replicating virus-like capabilities and has similarities to the Windows-based Back Orifice tool, putting Linux boxes at risk of remote control.

Ok, does anyone remember Back Orifice as being a major threat to the Windows operating system world? The only people that have the potential to be infected by this new virus are those that are dumb enough to run the program. If you get an email from someone, and there is an attached program to it, most people wouldn't run it. I don't think that this virus has any potential to be a threat because Linux users are generally smart enough to not run every program that they get sent to them.

Re:Is it really that bad? (1)

matrix0040 (516176) | more than 13 years ago | (#2266524)

I don't think that this virus has any potential to be a threat because Linux users are generally smart enough to not run every program that they get sent to them.

Well if you're aiming at getting linux to the desktops then you're clearly aiming to get a good userbase of such "dumb" people. Those who come from a M$ background might be used to running email attachments (probably even cribbing on why it can't run automatically). So such trojans can cause havoc and scare away such users.

Re:Is it really that bad? (1)

dytin (517293) | more than 13 years ago | (#2266547)

Windows has hundreds, if not thousands of different trojans and email viruses that have been written for it. Not every one of them gets to be as widespread as the 'I Love You' virus or Code Red, but nonetheless they exist. The fact that there exists a poorly written email virus/trojan for the Linux operating system is not a true threat and really shouldn't deter anyone from using Linux. No matter what operating system you use, the threat of malicious code will exist.

It's an email virus! (2, Redundant)

Proud Geek (260376) | more than 13 years ago | (#2266517)

Come on, the impact will be minimal or not at all. Although theoretically you COULD run this email attachment if you receive it, how many Linux users are stupid enough to do that? Technically Linux is just as susceptible to these things as M$ Windows, but we have one big advantage: the majority of Linux users are not morons around computers.

Re:It's an email virus! (0)

Anonymous Coward | more than 13 years ago | (#2266536)

but we have one big advantage: the majority of Linux users are not morons around computers.


Yeah, cause it's too complicated for morons to use. There's something to be proud of.

Re:It's an email virus! (0, Flamebait)

emc (19333) | more than 13 years ago | (#2266548)

I find your argument rather enlightening.

You are claiming that just because someone runs a particular OS, they are either of higher or lower intellectual potential.

Have you not ever heard of "Best tool for the job"?

Granted, I think we can all admit that a Viper GTS-R is an incredible car, but using it to pick up groceries is rather... dumb.

...the funny thing is that I know many people who admin NT and/or Linux... the funny part is that the NT people know EXACTLY why they run NT. The majority of the Linux admins do it either because Linux == Free Beer or because "they think it's cool to run a server".

I think if you take a realistic look around, you will actually be surprised...

...and OpenBSD is my tool of choice.

Re:It's an email virus! (1)

dytin (517293) | more than 13 years ago | (#2266555)

I think what he is saying is that while there may be many Windows users that are smart enough to know what they are doing, there are many dumb windows users as well. This large population of dumb users allows for the virus to propagate very quickly. Whereas, although there may be some dumb Linux users, most are rather smart. Thus in the Linux world, there is not an adequate environment for viruses such as this one to spread.

Re:It's an email virus! (0)

Anonymous Coward | more than 13 years ago | (#2266559)

LOL. From what I see, you're actually praising Windows. If dumb people can use it, it must be easy to use. Conversely, dumb people can't typically use Linux.

Gotta love it. Even when you try and bash MS, you praise them. Who is dumb again?

Re:It's an email virus! (2, Insightful)

dytin (517293) | more than 13 years ago | (#2266568)

A dumb person may play chutes and ladders for fun, while a smarter person might play chess. Just because you have to be smart in order to play chess does not make chess bad.

The same is true in operating systems. Just because it is easy doesn't make it good.

Re:It's an email virus! (1)

GreyPoopon (411036) | more than 13 years ago | (#2266567)

You are claiming that just because someone runs a particular OS, they are either of higher or lower intellectual potential.

The parent article was probably poorly worded, but I don't think that was what the author meant. I think the message to be conveyed was that the vast majority of less capable computer users have chosen to use the Windows platform, at least partly because they don't know any other choices exist.

The majority of the Linux admins do it either because Linux == Free Beer or because "they think it's cool to run a server"

Actually, I don't consider those who run a Linux server just because they think it's cool to be an admin. I used to run a Linux server just for tinkering and I surely didn't consider myself an admin.

So, if you lay aside that group, you'll probably be surprised to see that a large portion of the real Linux admins out there run that OS for three reasons: 1. They don't want to have to frequently reboot an NT server, 2. They can run a whole bunch of Linux servers from a single distribution copy, and 3. They can get more reasonable performance using Linux on older or cheaper hardware.

Re:It's an email virus! (0, Flamebait)

emc (19333) | more than 13 years ago | (#2266611)

Well, I was thinking particularly of several people I know of, who work for still-in-business "dot com" types of businesses.

#define HUMOR
In my years of experience in Sili Valley, you get to know the stereotypes of who runs what. Linux zealots are typically younger, with less experience; Solaris fans are older; AIX freaks are semi-fascist; and HPUX admins are just lazy. BSD folks are my favorites... BSD sysadmins have girlfriends, linux admins have spare parts & "geek code". BSD folks hang out, drink beer, and have a good time. Linux geeks have "install parties"
#undefine HUMOR

Face it, Exchange is a very well designed and packaged tool. Linux has NOTHING that can compare. On the other hand, Apache on NT sucks... but in reality, that's Apache's fault, for not being multithreaded. It's all about the benj^H^H^Hest tool for the job...

I think that you're probably pretty close with #2 and #3... Cheap beer, if not Free beer.

Re:It's an email virus! (0)

seann (307009) | more than 13 years ago | (#2266634)

I think you have just done about the worst generalization I have ever heard, and I now believe that the IQ of anyone who reads it will be lowered by 2%.

Re:It's an email virus! (0)

Anonymous Coward | more than 13 years ago | (#2266652)

You are claiming that just because someone runs a particular OS, they are either of higher or lower intellectual potential.

But... I think Code Red proved his point pretty damn well.

Re:It's an email virus! (1)

Lars T. (470328) | more than 13 years ago | (#2266656)

Yeah, sure, so what do you call those people who say that there can't be any Viruses for Linux? Target group.

Doesn't seem like a big deal (1)

dephiance (158337) | more than 13 years ago | (#2266518)

This really doesn't seem like a big deal. The virus does not hide very well; it modifies executable files, creates a file in /tmp, only runs as the user that executed the virus. Although it has potential to spread easily; how many *nix users run arbitrary code (attached executables in e-mail)?

Ulterior Motives at vnunet? (1, Interesting)

Anonymous Coward | more than 13 years ago | (#2266523)

Hmmm...I went to read the story there, and when the page loads *bammo*; there's an pop-up ad for M$ server obscuring the page ... and since I'm not running gator (or equivalent), I'm pretty sure that's from the site itself....
Needless to say; not trusting the source, I skipped that particular article.
Has anyone else had that happen with that site and that story?

Not that bad? (-1, Troll)

The Ultimate Badass (450974) | more than 13 years ago | (#2266526)

It's a linux virus, in case you hadn't picked that up. Of course it's bad. What's more, it could be used to infect other unixes. This makes every download untrustworthy.

I'm sure I don't need to point out that when code red struck windows machines, it was the end of the line for MS, according to slashdot, but now that a linux worm is making the rounds, it's "not that bad". If this site were any more biased, we'd have to read it with our heads tilted.

Re:Not that bad? (0)

Anonymous Coward | more than 13 years ago | (#2266532)

As opposed to reading /. with head firmly placed in colon, as the parent poster obviously does.

Re:Not that bad? (1)

newt (3978) | more than 13 years ago | (#2266534)

It isn't a worm, it's a trojan. It can't spread without the active participation of the, uh, victim.

Personally I don't quite understand what the big deal is.

Re:Not that bad? (1)

mengmeng (11008) | more than 13 years ago | (#2266565)

Excuse me? Code Red automatically infected any servers which were vulnerable to its particular exploit that it randomly connected to. This trojan must be run by the user. It has no automatic way of propagating itself to other systems. So how is this like Code Red again?

Re:Not that bad? (0)

Anonymous Coward | more than 13 years ago | (#2266576)

Am I the only one here that realizes that this "threat" is completely bogus? Anybody with any intermediate programming skills can code a program like this. First of all it's not a worm. It doesn't self-replicate onto OTHER servers. Second.. Unless you run as root all the time there really is no danger. The virus does NOT exploit some back door. It can do NO MORE DAMAGE than what an unprivileged user can do. It can not affect major web-servers because no sane administrator sits on a web server reading his mail and running random attachments as root. Things that pose real threats are WORMS that spread using an exploit throughout the net. That's the real danger. Trojans are just an annoyance...

Re:Not that bad? (1)

WolfDeusEx (310788) | more than 13 years ago | (#2266650)

The fact is that code red is worse than this worm. I will tell you why. Code Red (and CR2) spread itself with no user intervention. This worm needs a user to run the infected program. Also if I do run an infected binary, it will not infect /bin or anywhere else because I don't run as root.

Another reason this worm is not that bad is because it will not be creating the same type of bandwidth usage that code red and sircam did. Basically this worm/virus does shit unless you are that stupid to run a binary attachment that you get from someone you don't know.

What file did they find did this trojan infect? (5, Interesting)

BrookHarty (9119) | more than 13 years ago | (#2266529)

It says initially surfacing in the /bin directory, ok what file? What distro? What rpm? What .tgz do I have to watch out for? Little more info please. I don't know of any unix admin who would run /bin utilities that they get off the Internet, maybe source, but not binaries.

This is no way as bad as Code Red, Code red self replicated on unpatched servers. This trojan will not replicate without a user doing it. Sheesh, bad journalism.

Re:What file did they find did this trojan infect? (0)

Anonymous Coward | more than 13 years ago | (#2266588)

offtopic my ass.

Re:What file did they find did this trojan infect? (1)

Yakman (22964) | more than 13 years ago | (#2266605)

I don't know of any unix admin who would run /bin utilities that they get off the Internet, maybe source, but not binaries.

Oh yeah? What about a (for example) debian admin who does "apt-get update" or whatever and theoretically has a trojan "ls" installed as an update.

Re:What file did they find did this trojan infect? (0)

Anonymous Coward | more than 13 years ago | (#2266610)

Code red self replicated on unpatched servers. This trojan will not replicate without a user doing it.

I guess that's why they call it a trojan, and not a worm.

Sheesh, bad journalism.

Sheesh.

Re:What file did they find did this trojan infect? (0)

Anonymous Coward | more than 13 years ago | (#2266623)

how is this offtopic?

a similar story in history (5, Funny)

Tregod (441880) | more than 13 years ago | (#2266531)

"...a guard at the top of the castle gates spots something in the distance, just beyond the walls. What could it be? It's...a giant wooden penguin! Immediately, guards from different corridors of the castle rush to perceive what appeared to be a gift from the gods. All at once, they hoisted the behemoth bird onto a makeshift wagon and hauled it within the castle. After much celebration and talk of good tidings, the kingdom lay its head to rest. Later on that night, the wooden bird's bottom opened, releasing thousands upon thousands of Bill Gates' shock troops, sent to terrorize the castle and townspeople."

Re:a similar story in history (3, Funny)

sinster (518986) | more than 13 years ago | (#2266579)

Of course. Being paranoid bastards, the open source inspired defenders of the castle take one look at the wooden penguin and burn it to the ground, crying, "I'm not taking that until I read the EULA!", "Where're the blueprints?", and "Bah! I hate precompiled statues."

Re:a similar story in history (0)

seann (307009) | more than 13 years ago | (#2266639)

precompiled statues?

has anyone done a survey on lego kids, opposed to action figure kids?

maybe the kids who played with lego believe firmly in open source and the kids who like GI JOE prefer windows :>

I just wanted to point out (1, Redundant)

loraksus (171574) | more than 13 years ago | (#2266537)

That Code red "easily detected and patched"?
The real problem is stupid sysadmins, how many servers (or computers in general) out there are susceptible to exploits that are years old..

Damn, some skript kiddie tried to hack my box but had the netbus server running on his box. It was kinda amusing for a while there..

Not a big deal.. but then... (1)

matrix0040 (516176) | more than 13 years ago | (#2266538)

Since the virus runs as the user who executed it, the chances of it causing havoc on a web server (like code red did) are minimal. Even on a normal linux box, the admin will be smart enough not to run an email attachment (it's not as simple as double clicking to run it) and if some "dumb" user runs it then it's no big deal. The system isn't compromised.

But this could be a big issue when linux is used in offices (where the "dumb" people work) not everyone is a *nix guru.

Re:Not a big deal.. but then... (2)

GreyPoopon (411036) | more than 13 years ago | (#2266572)

Since the virus runs as the user who executed it, the chances of it causing havoc on a web server (like code red did) are minimal. Even on a normal linux box, the admin will be smart enough not to run an email attachment (it's not as simple as double clicking to run it) and if some "dumb" user runs it then it's no big deal.


I was going to post something to the same effect. Thanks for beating me to it. :) Anyway, certainly having a multiuser environment and reading your mail from a most unprivileged account would provide *some* protection, but what about those executables that have the "sticky" bit set and run with higher authority? Could the trojan use those to compromise the system?

Re:Not a big deal.. but then... (2)

ninjaz (1202) | more than 13 years ago | (#2266642)

Anyway, certainly having a multiuser environment and reading your mail from a most unprivileged account would provide *some* protection, but what about those executables that have the "sticky" bit set and run with higher authority? Could the trojan use those to compromise the system?

It's the setuid bit, not the sticky bit you need to worry about. Sticky bit on a regular file was a way of old to keep such executables in VM instead of having them flushed. (On directories, it means only the owner of a file in the directory or root can rename and delete the file, even if other users have write permission on the directory.)

Quoth chmod(1):

STICKY FILES
On older Unix systems, the sticky bit caused executable files to be hoarded in swap space. This feature is not useful on modern VM systems, and the Linux kernel ignores the sticky bit on files.

And, yes, vulnerable setuid executables can be run by local users to compromise the system in such that unauthorized remote administration is possible. This can happen either through the user's evil intentions or by a trojan.

That's why it's necessary to patch locally exploitable programs, and good security practice to unsetuid things that don't need to be setuid (eg., the 'mount' executable on a system such as you described has no business being setuid)

Also, firewalls that only allow connections to be initiated to needed services can be of assistance. Apparently such a firewall would help in this case, but an attacker can set up a remotely initiated proxy or kill off the real daemon that's supposed to be running and replace it with a 'custom' version.

Re:Not a big deal.. but then... (2)

sydb (176695) | more than 13 years ago | (#2266671)

And, yes, vulnerable setuid executables can be run by local users to compromise the system in such that unauthorized remote administration is possible. This can happen either through the user's evil intentions or by a trojan.


However, last time I looked, the user requires root privileges to make the file setuid root. And you can't copy setuid root files from one place to another as a non-privileged user whilst retaining the setuid bit.


So no, this bit is not a concern when combined with trojans, given reasonably normal security practices.
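The exchange above turns on two practical points: ninjaz's advice to remove the setuid bit from programs that do not need it (the 'mount' example), and the reply that a non-root user can only create setuid files owned by themselves, so the bit on such a file grants nothing beyond that user's own identity. As an added example (mine, not from either poster), here is a small audit that lists set-user-ID and set-group-ID files under a tree and flags any that are not on an allowlist, then shows the remediation. The directory tree and allowlist are constructed for the demo; the files it marks setuid are owned by whoever runs the script, which is exactly the reply's point. On a real host you would run it against / as root with your distribution's expected list. Function names and paths are assumptions.

```sh
#!/bin/sh
# Added example: audit a tree for set-uid / set-gid executables and flag
# any that are not on an allowlist.  The demo tree is constructed.

# list_setid DIR
# Prints every regular file under DIR with the suid or sgid bit set, sorted.
list_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) | LC_ALL=C sort
}

# audit_setid DIR ALLOWLIST
# ALLOWLIST holds one expected absolute path per line.  Each set-id file is
# reported as "expected:" or "UNEXPECTED:".
audit_setid() {
    dir=$1; allow=$2
    list_setid "$dir" | while read -r f; do
        if grep -qxF "$f" "$allow"; then
            echo "expected: $f"
        else
            echo "UNEXPECTED: $f"
        fi
    done
}

# setid_clean DIR ALLOWLIST
# Succeeds only when the audit reports nothing unexpected.
setid_clean() {
    ! audit_setid "$1" "$2" | grep -q '^UNEXPECTED'
}

# Demo: a constructed bin directory with three scripts standing in for
# binaries.  passwd legitimately needs set-uid; mount is set-uid by default
# on many installs but not needed on a single-user box; stray should never be.
DEMO=$(mktemp -d)
mkdir -p "$DEMO/bin"
for name in passwd mount stray; do
    printf '#!/bin/sh\necho %s\n' "$name" > "$DEMO/bin/$name"
done
chmod 4755 "$DEMO/bin/passwd" "$DEMO/bin/mount" "$DEMO/bin/stray"
ALLOW=$(mktemp)
printf '%s\n' "$DEMO/bin/passwd" > "$ALLOW"

echo "--- before remediation"
ls -l "$DEMO/bin"          # the 's' in the mode, and the owner column, are what matter
audit_setid "$DEMO" "$ALLOW"

echo "--- after dropping the bit from everything not on the allowlist"
chmod u-s "$DEMO/bin/mount" "$DEMO/bin/stray"
audit_setid "$DEMO" "$ALLOW"
```

Note that the owner column in the `ls -l` output is the account running the demo, not root: a set-uid bit set by an ordinary user only ever yields that user's privileges, so the file a trojan running unprivileged can produce is not a setuid-root binary. The dangerous case is the other direction, an existing setuid-root program with a local hole, which is why the audit is worth running periodically rather than once.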

Cute kittens (3, Insightful)

Graymalkin (13732) | more than 13 years ago | (#2266541)

The problem with saying "oh yeah this is easy to detect/fix" is that you're not looking from the standpoint of non-linux geeks. I've never really had a problem with trojans or virii on any of my Windows machines because I know how not to pick them up. They're headaches because most people don't know how to avoid them. The same goes with all the people who picked up a copy of RedHat and run around as root because they don't know any better. Linux is only as secure and efficient as the people using it. Weenie.

Hah (1)

James Foster (226728) | more than 13 years ago | (#2266542)

"but it certainly isn't good"

Ya think?!?

This explains a lot... (5, Funny)

ASCIIMan (47627) | more than 13 years ago | (#2266554)

Now we know why slashdot has been down so much the last couple days.

The Worst Thing Of All (2, Funny)

katana (122232) | more than 13 years ago | (#2266557)


At this time, the Remote Shell Trojan source code is not known to be available.

This...thing violates the GPL and everything Open Source stands for! They could sell it commercially, and not even contribute back to the code base! That's just so, so, so non-Stallman that it makes my middle finger itch!

Does it self-compile? (1)

Corbin Dallas (165835) | more than 13 years ago | (#2266560)

I thought not. So what platform is this for? x86?

So this thing infects Linux running on a specific platform, and only when the victim decides to run a strange, unknown binary attached to an email.

Next.

bout frigging time (0, Insightful)

Anonymous Coward | more than 13 years ago | (#2266561)

maybe this will finally silence the L1NU> RULZ \/\/1nd0w5 5uX shills that have plagued /. for so long. Eat that, bizznatch!!

Don't worry, this is no Linux Code Red (5, Informative)

Xenna (37238) | more than 13 years ago | (#2266562)

For starters to get infected with this animal requires activity on the part of a user on the Linux box.

Code Red required no user activity at all. A typical orphaned Linux box standing around in a corner would not be at risk, the same machine running IIS would have been a sitting duck for CR. There are a lot of orphaned servers out there with standard Redhat or IIS installs. These are the real danger. Any remote-root security holes on these populations are cause for real concern.

I don't know if I'm typical or not, but where I work, Linux is used on servers (yup, I'm responsible for that) but we hardly ever read our mail on a Linux box. We use a Windows platform for that. So -> no risk.

I'm thinking a Linux desktop user would be a better victim for this. Fortunately, hardly anyone uses Linux on the desktop so we're all safe!

Regards,
Xenna

Re:Don't worry, this is no Linux Code Red (0, Troll)

WildBeast (189336) | more than 13 years ago | (#2266584)

Which proves my point. Linux for Servers, Windows for Desktops. It's the perfect combination, that's what I do anyway.

err... (0)

Anonymous Coward | more than 13 years ago | (#2266616)

Try KDE 2.2

What's with this Windows/Desktop shit?

Re:Don't worry, this is no Linux Code Red (1)

giantsquidmarks (179758) | more than 13 years ago | (#2266592)

This "virus" is just an exploit. A successful virus most often takes advantage of a chain of exploits.

The next remote hole that pops up can be combined with this technique to produce an interesting effect.

1. cause remote hole
2. infect with "worm/backdoor/trojan/whatever"
3. rinse repeat

Re:Don't worry, this is no Linux Code Red (1, Insightful)

Anonymous Coward | more than 13 years ago | (#2266628)

I don't know if I'm typical or not, but where I work, Linux is used on servers (yup, I'm responsible for that) but we hardly ever read our mail on a Linux box. We use a Windows platform for that. So -> no risk.


Am I the only one that thinks the phrases "Windows" and "no risk" should not be referring to each other?

We trust our servers with linux, but not our email. We'd rather use a product known to get hit by the Virus-of-the Week(TM)!

Re:Don't worry, this is no Linux Code Red (1)

Xenna (37238) | more than 13 years ago | (#2266651)

Am I the only one that thinks the phrases "Windows" and "no risk" should not be referring to each other?

A Linux trojan is no risk to a Windows system, pretty obvious, isn't it...

We trust our servers with linux, but not our email. We'd rather use a product known to get hit by the Virus-of-the Week(TM)!

Security is never the only motivation in deploying a product or OS. We can easily replace NT servers within our organisation without starting a user-revolt. For the desktop, this is not a realistic option. BTW: the Linux mailserver does an excellent job of filtering out Outlook viruses. Not that we use Outlook, we use Netscape Messenger, but I'm not sure how long we can keep that up. This is the real world ;-)

Regards,
Xenna

This is nowhere near the level of Code Red (1)

ceuxy2 (176934) | more than 13 years ago | (#2266564)

Maybe I'm missing the point, but Code Red was a MAJOR problem as it was able to use a remote IIS exploit to gain the permissions it needed. Thus it was able to make full use of computational speed to replicate (no user interaction required).
This trojan needs users to individually execute it, AND those users need privileged permissions for it to have a major effect. This will not result in the massive waves of infection that we saw with Code Red.
Hell, all linux needs now is to make friendly software that installs this easily ;-)

Re:This is nowhere near the level of Code Red (1)

WildBeast (189336) | more than 13 years ago | (#2266581)

It wasn't exactly an IIS exploit, it was the Index Server plugin for IIS exploit.

Show us the actual thing (1)

gsliepen (303583) | more than 13 years ago | (#2266573)

Why should I believe this Qualys firm? They do not say where they found this code. They do not even mention that someone else found this trojan. It seems a little unlikely to me that the first appearance of a trojan would be at a security firm, unless it originated there.


Most important though, they do not show an actual binary which allows me to verify their claims. The only thing they give me is a detection program, I would check THAT for trojan code if I were you! Actually the detection and cleaner program come in source code, and appear to be what they claim to be after a quick glance.

I dont get this ... (1)

kuiken (115647) | more than 13 years ago | (#2266574)

"The Trojan is most dangerous if it is executed by a privileged user as it inherits the credentials of that user, effectively allowing it to take full control. "

"Qualys also warned that the size and scope of the Trojan could be massive. Over 58 per cent of websites worldwide currently use Apache servers for which Linux is the most popular platform"

Any sysadmin opening a bin on a production webserver deserves all he gets.
Plus the fact that most FW/routers will block the incoming udp connection makes even an infected box "safe"

Uh.. Code Red was autonomous.. This isn't. (0)

Anonymous Coward | more than 13 years ago | (#2266575)

This is spread via email. It requires someone to actually execute it. Given how difficult it usually is to even view attachments with our email software, this idiotic program WILL NOT wreak havoc in the same manner as Code Red.

Duh! Hello? Anyone home? Code Red attacked vulnerable servers remotely, without human intervention. The "trojan" this article is talking about is NOT AN AUTONOMOUS WORM.

Cripes. Why do I even bother?

Trojan 101 (2)

gnovos (447128) | more than 13 years ago | (#2266577)

int main(void) {
    doTrojan();   /* the bit of code the user never gets to see */
    doMainApp();  /* the bit of code that seems useful to the user */
    return 0;
}

There, I just wrote myself a new "Linux Trojan". The thing is, a "New Trojan" is actually nothing new at all. Basically, all you need is a bit of code that seems useful to the user, a bit of code that the user never gets to see, and a user to run it. I can write a perl script that will happily crank out "New" trojans by the trillions. Disk space is the pure limit to the number of perfectly unique "Linux Trojans" I can make.

I know a lot of people will use FUD like this to point out that Linux has its flaws too, but that is complete garbage. A trojan is not a threat to a competent user on a machine with even the barest levels of user authentication and security. It is only a threat to the naive or the foolish.

Re:Trojan 101 (1)

enneff (135842) | more than 13 years ago | (#2266595)

Or, check out my more advanced trojan:

int main() {
    return doStuff();
}

Can't even see it ;)

Re:Trojan 101 (1)

WildBeast (189336) | more than 13 years ago | (#2266613)

You're right, but when a trojan comes out for Windows you'll be the first to say how insecure Windows is.

Re:Trojan 101 (2)

gnovos (447128) | more than 13 years ago | (#2266622)

Nice point. Now tell me if you can see this difference: Running a "trojan" as a non-root user on a Linux machine vs. running a trojan as any user on a windows 9x machine. Which one is going to cause more damage?

Unless the Linux user has done a chmod -R 777 / recently, the windows user is going to be in serious trouble while the Linux user is fine. Why is that? Because Microsoft has some serious mental problems when it comes to security in their non-NT environments.

A trojan is not news. Horribly gaping flaws in security models may be, but the trojan itself is one out of a hundred trillion million trojans just like it.

Re:Trojan 101 (0)

seann (307009) | more than 13 years ago | (#2266636)

I'm waiting for the headlines on CNN, "It seems linux is now vulnerable to code red"

You have a very good point, user-level security on a UNIX machine eliminates 99% of the problems via running a trojan. Lack of security on a windows desktop creates 99.9% of the problems with trojans.

Fricken condoms.

Give me a break... (3, Interesting)

toupsie (88295) | more than 13 years ago | (#2266578)

I have 12 to 24 hits a day from unique IPs that are Code II/III probes (hundreds all combined). To compare this worm/virus/trojan to Code Red is just plain old marketing hype. Linux to me is a server OS (quickly ducks). I use Mac OS X as my desktop OS -- its a personal thing (Darwin + Quartz + Aqua + X > Linux + X). The last thing I would do is open an e-mail attachment on a server that doesn't receive or need e-mail (duh). Code Red didn't need e-mail, it just needed a newbie with Windows NT/2000 w/ an unpatched IIS installed to spread -- which most of my probes come from (at least what nmap tells me).

This really is a non-story. Anyone that has the skill to install Linux would know better than to execute this sort of attachment.

Offtopic: We need a Slashdot Virus Pool for the first distributed threat to Apple's Mac OS X. I am guessing May 16, 2006.

Re:Give me a break... (1)

WildBeast (189336) | more than 13 years ago | (#2266609)

Of course, it makes you wonder why would a newbie go ahead and dish out $1200 to get Windows 2000 Server.

[The Great Anonymous French Calembour] (0)

Anonymous Coward | more than 13 years ago | (#2266587)

trojan: "C'est trop gentil." (That's too kind.)

Tried their tool... (1)

StarTux (230379) | more than 13 years ago | (#2266591)

Just for the hell of it I tried the tool that they provide to test for it.

Well it would not run, as it said that this exploit does not work with IP addresses with 0 in it, weird.

Plus you need permission to write to the /bin directory, normally only root can do this. And if someone is running as root they may have many more problems than just this trojan.

Just seems a spin to "ready" the Linux market for their anti-virus ware IMHO.

StarTux

Worms dont happen to Mac web servers EVER! (0)

Anonymous Coward | more than 13 years ago | (#2266594)

Worms dont happen to Mac web servers running WebStar.

EVER.

That's why no reports of ANY exploit have ever been published regarding the secure Mac OS. !

consult bugtraq if you doubt this.

C Language alone is not the sole reason but the types of STRINGs used in ANSI C libraries certainly add risk.

Worms dont happen to Macs because Mac programmers rarely have buffer overrun problems because mac apps typically NEVER use null terminated strings and instead use "pascal" style strings that have a bounds of 255 and a marker in the front.

Additionally mac programmers tend to know that there is no false sense of security because all code is running at supervisor level so programs, like Webstar, are careful not to do foolish things.

Mac programs and executables NEVER can run merely from a data file named with a suffix such as .exe because macintoshes do not have file suffixes. The mac OS (9,x and older) uses a four byte file type designator that the user never sees and cannot be set carelessly.

A further reason macs are more secure than unix (hundreds of documented exploits) and Win NT (almost as many exploits documented over the years), is because the mac does not have a command line shell and has no path to hijack. No command line and a modern type of interprogram communication prevent the silly weaknesses in other OSs.

Yet another reason the Mac is secure is because a mac program (either 68k or PowerPC) needs TWO files to execute and not one file. The second file is called the resource fork and it is generally an invisible file kept tightly associated with a file. Classic internet apps do not create or allow creation of these resource forks as side effects of merely storing data files. Macs are very secure from infiltration by dynamic creation of apps by rogue products on a server.

Another reason macs have NEVER been broken into running the WebStar server is because the mighty Mac OS Webstar server, (which typically costs over 400 dollars unfortunately), avoids ever executing cgi code files from directories where they ought not to be. A clever set of directory and folder control prevent the webserver from being hijacked unlike earlier versions of apache.

The US army switched to Webstar webservers on macs when MS NT webservers kept getting hacked.

There are thousands of major webstar servers out there. I think many are colocated at reprahduce.com cages.

And mac NEVER get hacked. EVER. and NEVER have, even with public challenges and reward money.

Sure, there may be some defects that might get discovered one day, and surely any mac not running mac os such as ppcLinux, or the new Mac OS X (freeBSD derivative) are hackable.

But face it. Macs have NEVER been hacked and that is because of modern and sound design principles.

Myself and other mac programmers I know have NEVER shipped a product containing a single null terminated C string, and do lots of paranoid error checking as well.

Unix is hackable not because of open source, not because of popularity (both of which help) but because of all the things I mentioned here.

Also, parts of the older Mac OS itself are written using pascal strings, in fact the original ROMs were written using only pascal compilers and some assembly, and no C. But string overruns alone are not the ONLY reasons mac servers have never been hacked, (command line, dual fork, no extensions, etc etc).

Wake up and quit being bigoted.

Re:Worms dont happen to Mac web servers EVER! (0)

seann (307009) | more than 13 years ago | (#2266649)

you really wrote an annoying article there mentioning "macs have never been hacked" a lot.
You said "macs have never been hacked" way too many times.
I would not have written this had you not mentioned it so much that "macs have never been hacked".
Why would somebody use a PC if "macs have never been hacked" and why hasn't somebody made a web server box, that only serves web pages, via a harddrive that can't be hacked, just how "macs have never been hacked".
This would be interesting, saying "macs have never been hacked" will be like saying "macx have never been hacked".

Re:Worms dont happen to Mac web servers EVER! (0)

Anonymous Coward | more than 13 years ago | (#2266657)

Nobody writes trojans for Mac.
You'd never find enough to infect enough for a decent DDoS attack.

Now please vacate the soap box for those who actually have a point.

Blame it on the rain (1)

WildBeast (189336) | more than 13 years ago | (#2266597)

every time a Trojan comes out, people blame it on dumb users, on insecure OS's, etc. I don't see anyone blaming the author of the Trojan.

I say, find the author and prosecute him.

Re:Blame it on the rain (1)

Jacek Poplawski (223457) | more than 13 years ago | (#2266620)

> I don't see anyone blaming the author of the Trojan.

Because he is not so important.
If the system is weak, and users are dumb, there will always be an "author of Trojan" who can make a mess in the world for a while.
A Trojan can exist because of the system/users, not because of one author.

Not an Apache worm (2)

cyberdonny (46462) | more than 13 years ago | (#2266599)

Just pointing out the obvious for those of you who might have been fooled by the summary's language:
Contrary to what the summary hints at through the mention of Code Red, and Apache, this is not an Apache worm. It's a trojan that you actually have to execute yourself in order to be infected. Thus, if you don't blindly execute e-mail attachments, and download programs from untrusted sources, you should be safe. Moreover, the trojan is rather primitive and doesn't try to manipulate the file modification dates to hide its presence. Thus a simple ls -ltrc /bin and ls -ltr /bin should reveal its presence.
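The timestamp check suggested above (ls -ltr for mtime, ls -ltrc for ctime), written out as a small Python scanner. This is an added example, not code from the thread or from Qualys; the directory name, the one-hour baseline and the sample files are constructed for the demo. It also flags the case a less primitive trojan would create, a file whose mtime was reset after the rewrite but whose ctime still shows the change.

```python
import os
import tempfile
import time


def scan_dir(directory, baseline, gap=60):
    """Return {filename: [reasons]} for regular files in `directory` (no
    recursion, like a plain `ls /bin`) that look recently changed.
    `baseline` is a Unix timestamp; anything with mtime or ctime at or after
    it is reported. `gap` is the ctime-minus-mtime difference (seconds) that
    counts as a reset modification time: utime() can push mtime back, but the
    kernel still bumps ctime to "now" on that very call."""
    flagged = {}
    for entry in os.scandir(directory):
        if not entry.is_file(follow_symlinks=False):
            continue
        st = entry.stat(follow_symlinks=False)
        reasons = []
        if st.st_mtime >= baseline:
            reasons.append("mtime after baseline")
        if st.st_ctime >= baseline:
            reasons.append("ctime after baseline")
        if st.st_ctime - st.st_mtime > gap:
            reasons.append("ctime newer than mtime (mtime reset?)")
        if reasons:
            flagged[entry.name] = reasons
    return flagged


def baseline_seconds_ago(seconds):
    """Unix timestamp `seconds` ago (negative values give a future baseline)."""
    return time.time() - seconds


def build_demo_dir():
    """Constructed sample (hypothetical, not a real /bin): a freshly written
    file and one whose mtime was pushed back 30 days with utime(), which
    leaves its ctime at 'now'."""
    d = tempfile.mkdtemp(prefix="bin-scan-")
    with open(os.path.join(d, "fresh"), "w") as f:
        f.write("new binary\n")
    backdated = os.path.join(d, "backdated")
    with open(backdated, "w") as f:
        f.write("rewritten binary\n")
    old = time.time() - 30 * 86400
    os.utime(backdated, (old, old))  # atime/mtime go back; ctime stays now
    return d


if __name__ == "__main__":
    demo = build_demo_dir()
    for name, why in sorted(scan_dir(demo, baseline_seconds_ago(3600)).items()):
        print(name, "->", "; ".join(why))
```

Run against a real system, compare the output with your package manager's own file list before deciding anything; a routine package upgrade also produces fresh timestamps in /bin.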

Re:Not an Apache worm (1)

forged (206127) | more than 13 years ago | (#2266612)

Plus if you're logging in as root and then run that executable, then you really ought to be shot in the head.

Bottom line: this will never spread like good'old MS-DOS virus days :-)

Sensational bollocks (1)

kimihia (84738) | more than 13 years ago | (#2266602)

Nothing but sensational trash. It is nothing like Code Red. I'm not an expert, but from the shabby detail in the article I can see several reasons:

  • Market share - vulnerable installs of Linux are not widespread enough to reach a critical mass. CR became huge because every second host practically was running a vulnerable install. (So I exaggerate the number - but evangelism aside, there aren't THAT many vulnerable hosts out there.)
  • No scanning attack - it stays on the local system
  • No privilege elevation - it's only a user level root shell. Someone could potentially upgrade that via another buggy daemon or a ptraceable kernel, but otherwise you are limited to Jim Bob's shell. Still a concern, but not as bad as r00ting.

They shouldn't compare it to Code Red. CR was a disaster because a company called Microsoft encouraged people to install trash software that shouldn't have passed QA.

They should instead compare it to, say, an Outlook virus because it spreads via email:

The replication process of the Remote Shell Program can only affect binary files within the access privileges of the user who launched the originally infected program.

Have a read of Michael Parenti's Monopoly Media Manipulation [michaelparenti.org] and see how many of the points you can spot in the press release.

A lot of sensational bollocks.

Re: Code red WAS? (0)

Lord Bitman (95493) | more than 13 years ago | (#2266635)

I wish people would stop using the past tense when talking about Code Red. There are STILL unpatched servers out there!
Is this only happening in My IP block, or has everyone just decided to ignore it?

As for "Important Binaries" I think you overlooked that it isn't just Important Binaries which are being written to. It's also your current working directory, so if you run the program and then switch to say, a program you were working on, there's another instance.

No this is nothing like Code Red, and yes the site linked to is crap. (notice that they ask for a phone number before letting you download the check? Hmm, I wonder what /that/ could be about)
But It's still nice to see a security message on slashdot every now and then.

These journalists must be desperate for attention. (5, Insightful)

hebble (35128) | more than 13 years ago | (#2266604)

First: why is Apache mentioned AT ALL? It sounds like this thing only "spreads" (if you can even call it that) when someone is brain-dead enough to READ their EMAIL as a user who can WRITE to IMPORTANT BINARIES! That has nothing whatsoever to do with Apache. Is it just to support the idea that there are a lot of Linux servers?

As virii go, this is pretty pathetic, and prompts one to question the competence of anyone who thinks it is significant. The email-vector mechanism can't even take advantage of address books, since Unix mail clients are so far from standardized.

slow news day eh ? (-1, Flamebait)

Anonymous Coward | more than 13 years ago | (#2266607)

slashdot editors suck dick

I don't have much faith in the analysis (3, Informative)

phaze3000 (204500) | more than 13 years ago | (#2266615)

It also installs a backdoor in the infected host, listening on UDP port 5503 or higher. An attacker could connect to this port via TCP

Wait, so it listens on a UDP port, but it can be compromised using TCP? Do the people that analysed this actually bother proof-reading, or do they simply not understand what they write??

Re:I don't have much faith in the analysis (1, Informative)

Lord Bitman (95493) | more than 13 years ago | (#2266625)

it listens on UDP. When it receives the UDP request which contains the IP address and Port of the attacker, it will open a TCP connection to that IP & port. So it listens on a UDP port and the system gets compromised using TCP.

It's a Virus not a Worm. (3, Insightful)

AftanGustur (7715) | more than 13 years ago | (#2266624)


Why on earth do people think that this code can infect machines remotely over the Internet? Does it say so anywhere in the article?? No!!

From the article:
The so-called Remote Shell Trojan spreads through email as well as replicating itself across the infected system.

It's simply a trojan that you will have to get in mail or on a floppy and execute YOURSELF.

Then it will infect other executables on your system, but in no case will it be able to infect any other systems without human assistance (i.e. executing a binary on that computer).

Whoever thought this is even remotely as scary as Code-Red is in need of some serious medication.

Infection not Likely (1)

Adrian Lopez (2615) | more than 13 years ago | (#2266626)

The following steps would lead to an infection:

[Save As: not_a_tojan_i_swear]
$ chmod 777 not_a_trojan_i_swear
$ su
[password: god]
/home/darwin# ./not_a_trojan_i_swear

If after doing all this your system blows up in smoke it's nobody's fault but your own.

Re:Infection not Likely (1)

Adrian Lopez (2615) | more than 13 years ago | (#2266640)

Please, no jokes about "chmod: not_a_tojan_i_swear: No such file or directory" ok?

WTF? (0)

Anonymous Coward | more than 13 years ago | (#2266630)

There are hundreds of new Linux trojans every day. Why does Slashdot suddenly report this one in particular? Are they advertising the security firm Qualys?

A new one has been found! (5, Funny)

friscolr (124774) | more than 13 years ago | (#2266631)

Advisory # 44526

FOR IMMEDIATE RELEASE

Overview

The Really Silly Command Virus identified by Blackant Systems has the potential to remove all files from a hard drive. It was recently spotted in the wild a few days ago when a junior sysadmin logged in as root on a production server and executed a shell script he had been emailed from a user known only as script_kiddie@hotmail.com.

Impact

Given a detailed analysis of the source code behind this virus, it is possible that the Really Silly Command Virus may eventually mutate into a self-propagating worm.

Recommendations

Blackant Systems recommends that every sysadmin who would run shell scripts from untrusted parties be shot.

In order to determine if your email may contain this new virus, please look for the following first few lines in a shell script:

#!/bin/sh
#1337 script by script_kiddie!!!
#props to all my homies!!!!
rm -rf /

#this doesn't seem to work yet...
mail $0 $1

If you find a file with similar lines, do not execute it on your server, but remove it immediately. Blackant Systems will be releasing a utility to identify stupid sysadmins shortly.

What counts (4, Funny)

Faux_Pseudo (141152) | more than 13 years ago | (#2266632)

I don't mind if there are trojans and virii for linux as long as they are GPLed and Open Source.

I'm sorry but i felt it had to be said even if I lose karma

As the good ol' saying goes.... (1)

Blowit (415131) | more than 13 years ago | (#2266646)

the ONLY way to protect yourself from a trojan is to unplug it from the 'Net. Trojans are becoming cross platform as an OS is to Java.

James Middleton needs to brush up on TCP/IP (1)

CunningPike (112982) | more than 13 years ago | (#2266661)

From VNU's second article [vnunet.com]:
> It also installs a backdoor in the infected host,
> listening on UDP port 5503 or higher.
>
> An attacker could connect to this port via TCP and ...
This is impossible. TCP and UDP are independent protocols sitting on IP. You can't talk to a TCP port with UDP (or vice versa).

According to Qualys' actual release [qualys.com], an incoming UDP packet will trigger the compromised machine to initiate an outgoing TCP connection. Similar effect, but different net traffic.
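The trigger sequence described in this post and in Lord Bitman's reply above (inbound UDP to port 5503 or higher, then an outbound TCP connection from the same host back to the sender) is something a firewall log can be searched for. The correlator below is an added example, not from the thread or from Qualys; its log line format, the 30-second window and the sample entries (RFC 5737 documentation addresses) are constructed for the demo, so adapt LOG_RE to a real firewall's format.

```python
import re
from datetime import datetime, timedelta

# Constructed log format: "<iso-timestamp> <ALLOW|DENY> <UDP|TCP> src:port -> dst:port"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>UDP|TCP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict; lines that do not match give None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.fromisoformat(e["ts"])
    e["sport"] = int(e["sport"])
    e["dport"] = int(e["dport"])
    return e


def find_callbacks(lines, min_port=5503, window=timedelta(seconds=30)):
    """Return (host, trigger_src, tcp_dport, udp_dport) for every allowed
    inbound UDP datagram to port >= min_port that is followed within `window`
    by an allowed outbound TCP connection from that host to the datagram's
    source. A DENY on the UDP side never matches: a firewall that drops the
    trigger also prevents the connect-back."""
    events = [e for e in map(parse_line, lines) if e]
    hits = []
    for t in events:
        if not (t["proto"] == "UDP" and t["action"] == "ALLOW"
                and t["dport"] >= min_port):
            continue
        for c in events:
            if (c["proto"] == "TCP" and c["action"] == "ALLOW"
                    and c["src"] == t["dst"] and c["dst"] == t["src"]
                    and t["ts"] <= c["ts"] <= t["ts"] + window):
                hits.append((t["dst"], t["src"], c["dport"], t["dport"]))
    return hits


# Constructed sample log: one real trigger + connect-back (192.0.2.10), one
# blocked trigger, one DNS query with its normal HTTPS follow-up (port 53 is
# below the threshold), and one UDP/TCP pair five minutes apart.
SAMPLE_LOG = """
2001-09-08T10:00:01 ALLOW UDP 203.0.113.5:40000 -> 192.0.2.10:5503
2001-09-08T10:00:02 ALLOW TCP 192.0.2.10:33001 -> 203.0.113.5:4444
2001-09-08T10:01:00 DENY UDP 198.51.100.7:40001 -> 192.0.2.11:5600
2001-09-08T10:02:00 ALLOW UDP 203.0.113.9:40002 -> 192.0.2.12:53
2001-09-08T10:02:01 ALLOW TCP 192.0.2.12:33002 -> 203.0.113.9:443
2001-09-08T10:05:00 ALLOW UDP 203.0.113.20:40003 -> 192.0.2.13:7000
2001-09-08T10:10:00 ALLOW TCP 192.0.2.13:33003 -> 203.0.113.20:80
""".strip().splitlines()

if __name__ == "__main__":
    for host, src, tcp_port, udp_port in find_callbacks(SAMPLE_LOG):
        print(f"{host}: UDP trigger on {udp_port} from {src}, "
              f"then TCP connect-back to {src}:{tcp_port}")
```

Any UDP service above port 5503 that legitimately answers over TCP to the same peer will also match, so treat a hit as something to look at on the host (the ls -ltrc check elsewhere in this thread), not as proof of infection.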
