Korean Mozilla Binaries Infected
Magnus writes "Korean distributions of Mozilla and Thunderbird for Linux were infected with Virus.Linux.RST.b. This virus searches for executable ELF files in the current and /bin directories and infects them. It also contains a backdoor, which downloads scripts from another site, and executes them, using a standard shell."
Virus data (Score:5, Informative)
Here's Symantec's take on the virus:
http://securityresponse.symantec.com/avcenter/ven
Re:Virus data - It's old! RTFM (Score:4, Informative)
"Infected binary or source code files aren't anything new. And sometimes they are found on public servers. Mozilla.org is the latest example.
Korean distributives for mozilla and thunderbird for linux turned out to be infected - mozilla-installer-bin from mozilla-1.7.6.ko-KR.linux-i686.installer.tar.gz and mozilla-xremote-client from thunderbird-1.0.2.tar.gz were infected with Virus.Linux.RST.b"
Re:Virus data - It's old! RTFM (Score:5, Interesting)
mmm... So do you not think the phrase "Mozilla.org is the latest example" is just the teeniest bit misleading in this context? You know, what with most people taking "latest" to mean "happened very recently" as opposed to "even so, there hasn't been one for simply ages so I wouldn't get too worried".
Not that anyone would do such a thing deliberately, of course... Except I can't help wondering how many people pondering a change away from Windows/IE will read that and form a false impression of Mozilla and Linux.
Now who could that benefit, I wonder...
See, Windows is more secure (Score:4, Funny)
MWHAHAHAHAHA!!!!!!!!!
The larger number of exploits in Firefox is just the tip of the iceberg!
Open Source, you are going DOWN!
And I for one, welcome our new DRM laden overlords.
Oh, wait, they're not NEW overlords, they've been the overlords for a few decades now.
Well, I welcome them anyway.
Re:Virus data (Score:5, Insightful)
I think too many Linux admins don't believe there's such a thing as a Linux virus. Usually the easiest way to recognize the infection is if a large number of common programs in
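The summary says the virus looks for ELF executables in the current directory and in /bin and overwrites them, and the comment above points out that the usual first symptom is a batch of common programs changing at once. A baseline integrity check is how a defender actually notices that. The following is an added example, not code from the original thread or from any Mozilla or anti-virus project: it records SHA-256 digests of every ELF file in a directory, then reports which ones were modified, added or removed. The directory contents and the "infection" in `demo()` are constructed stand-ins (a few bytes appended to fake binaries), and all function names are my own.

```python
import hashlib
import os
import tempfile

# Every ELF file starts with the four-byte magic 0x7f 'E' 'L' 'F'.
ELF_MAGIC = b"\x7fELF"


def is_elf(path):
    """Return True if the file begins with the ELF magic bytes."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) == ELF_MAGIC
    except OSError:
        return False


def sha256_file(path):
    """Hex SHA-256 of a file, read in chunks so large binaries are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(directory):
    """Map every ELF file directly inside `directory` to its SHA-256 digest."""
    baseline = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path) and is_elf(path):
            baseline[name] = sha256_file(path)
    return baseline


def compare_to_baseline(baseline, directory):
    """Report ELF files that changed, appeared or vanished since the baseline."""
    current = build_baseline(directory)
    return {
        "modified": sorted(n for n in baseline if n in current and current[n] != baseline[n]),
        "added": sorted(n for n in current if n not in baseline),
        "missing": sorted(n for n in baseline if n not in current),
    }


def demo():
    """Constructed scenario: baseline a directory of fake ELF files, then
    simulate a file infector that alters two of them and drops a new one."""
    with tempfile.TemporaryDirectory() as bindir:
        # Constructed stand-ins for binaries; only the magic bytes make them "ELF".
        for name in ("ls", "cat", "sh"):
            with open(os.path.join(bindir, name), "wb") as fh:
                fh.write(ELF_MAGIC + b"\x02\x01\x01" + name.encode() + b"\x00" * 32)
        # A plain text file is ignored by the scan.
        with open(os.path.join(bindir, "README"), "w") as fh:
            fh.write("not a binary\n")

        baseline = build_baseline(bindir)

        # Simulated infection (constructed): bytes appended to two binaries,
        # plus a new executable appearing in the directory.
        for name in ("ls", "cat"):
            with open(os.path.join(bindir, name), "ab") as fh:
                fh.write(b"\x90" * 16 + b"constructed-marker")
        with open(os.path.join(bindir, "dropper"), "wb") as fh:
            fh.write(ELF_MAGIC + b"\x00" * 16)

        return compare_to_baseline(baseline, bindir)


if __name__ == "__main__":
    print(demo())
```

In real use the baseline file must live somewhere the scanned system cannot write to (read-only media or another host), otherwise whatever altered /bin can alter the baseline too.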
Re:Virus data (Score:5, Insightful)
You mean besides the fact that the binaries were removed as soon as they found out?
Re:Virus data (Score:3, Insightful)
Of course saying the reverse here will quickly get you troll/flamebait/overrated down to -1.
If Microsoft did it, it would be Microsoft. (Score:5, Insightful)
This is not about Mozilla distributing infected binaries. Mozilla did not. If they had, your analogy would be correct.
This is about a 3rd party site distributing binaries of compiled Mozilla code that were infected.
The only Microsoft comparison that can be made would be if HP (or some OEM) shipped WinXP computers with a virus.
The real question is how did that virus get there in the first place. It's been around for a while but it doesn't spread.
Mozilla.co.kr (Score:5, Interesting)
Re:Mozilla.co.kr (Score:3, Funny)
Re:If Microsoft did it, it would be Microsoft. (Score:3, Insightful)
I guess this proves that Mozilla needs to take more care in selecting who is allowed to act as major redistributors. Maybe start releasing code hashes for every version of Mozilla officially released so that all can be verified before install?
Re:If Microsoft did it, it would be Microsoft. (Score:3, Informative)
The question of what constitutes a normal distribution channel in this case is a good one, however.
Re:If Microsoft did it, it would be Microsoft. (Score:3, Insightful)
Obviously it is not reasonable, but people here are not always reasonable, and they get mod'd -5 Reasonable, automatically, when MS is involved.
Well, since this thread and line of argument was started by "poor Microsoft! Can't get a fair shake on Slashdot! Look how bad Mozilla is!" whining, I think this statement is a tad disingenuous.
It's amazing to me, considering all the complaining pro-MS types do around her
Re:Virus data (Score:5, Insightful)
Let's compare apples to apples here. If MS was offering infected binaries from one of THEIR sites, yes, we'd be jumping down their throat. On the other hand, if MS decided to let Download.com distribute versions of a "freeware" application (like Messenger), and the binaries on Download.com were infected, most of us would just be avoiding Download.com like the plague. Sure, some people would still blame Microsoft, just as some people are going to blame Mozilla here.
Now, having said all of that, I'll bring up the question of accountability. Since Mozilla is being distributed by public mirrors, it's probably a REALLY good idea to have some sort of guidelines that need to be met by the administrators to make sure this doesn't happen on a "Mozilla-certified" mirror. Maybe this is already in place.
Re:Virus data (Score:3, Informative)
Re:Virus data (Score:3, Interesting)
What always amuses me is that most mirror sites also mirror the checksum files as well.
Re:Virus data (Score:3, Interesting)
Good point. I don't care about the checksum on the mirror so much as I care about the checksum on the master.
I can see something like the yum xml files where a downloader could automatically determine the source and verify the checksum.
Mozilla should at least block the mirrors from do
Apples to Apples? (Score:5, Insightful)
To get infected on Windows you... have to turn the system on. As far as I can tell.
Sure a lot of Windows infections are because the user downloaded and installed binaries from untrusted third parties, but equally as many just turned their computers on.
If you ran untrusted binaries on your Apple you'd be exposing yourself to similar risk. Hell, we used to have the same problem on IBM mainframes back in the '80s -- every year around Christmas time all the freshmen would run those greeting card programs in their in-boxes and bring the network down as the trojan spread itself to everyone in their address book. Windows just eliminates a lot of the work for you.
As the Linux userbase expands into increasingly less clueful segments of the population compromised systems are going to be more of a problem, but I predict that even if the installed Linux base ever grows to the size that Windows is, the problem won't be as severe as it is on Windows. Unless everyone's running Lindows...
Re:Virus data (Score:3, Informative)
Uploaded by *whom*?
The files weren't on the Mozilla site, they were on a third-party site that Mozilla neither owns nor controls.
Re:Virus data (Score:5, Insightful)
A third party, a mozilla fan site in korea, distributed infected binaries.
If you find an infected version of Winzip on an internet site, would you blame Winzip.com ?
So let me get this straight... (Score:5, Funny)
Re:So let me get this straight... (Score:5, Funny)
Re:So let me get this straight... (Score:4, Interesting)
Compare to Linux in which most exploits are a result of actual security problems in either the kernel or the supporting applications, and you have less widespread attacks that affect fewer systems.
Difference in market shares, my friend. If you want to exploit a Linux system you're probably an attacker targeting a specific network and installation for a very specific purpose (making this attack something of an oddball). If you're looking to exploit a Windows system, however, you're more likely just a general Internet thug trying to install spam bots and backdoors on home machines. The latter causes more problems since the target is a much, much larger pool of users, so the latter gets more heavily reported even though the targeted attacks usually cause more on-average damage.
Re:So let me get this straight... (Score:5, Insightful)
That's a fallacy. Linux is just as vulnerable to trojaned installers as any other OS. You install mozilla as root, right? Debian apt runs as root, so you'd better be trusting those apt repositories, and all of the contributors.
OS security does help against worms and other methods of infection, but dealing with trojans is a 90% user function. This improved security, along with market share (as you point out) is what makes Linux "safer". To get a virus on Linux, you essentially have to do something wrong yourself. Which is no consolation to the gran and grandpa users, "Download Weather Bar (linux version) popups" are only a few years away...
Re:So let me get this straight... (Score:4, Informative)
Since official debian packages are signed, it's easy to trust the repository and the contributors due to the magic of the PGP web of trust and the Debian developer vetting process. It's not like you're installing software from some random people you don't know, and it's certainly not like the mirror you use could be compromised as long as the signature is valid.
You install mozilla as root, right?
Is somebody forcing you? I never install as root if the package didn't come from a trusted location. If I want to test a nightly, even the binary tarballs from mozilla.org go in my user directory, and aren't installed system wide.
It's the dumb user that's vulnerable, not the OS. That's equally as true for Windows as it is for Linux.
Re:So let me get this straight... (Score:3, Informative)
Yes, virus scanners exist for *nix.
However, what you seem to have forgotten to mention is that the primary use of these scanners is to scan emails for Windows viruses, not Linux viruses. And while it does look like these scanners have the ability to scan your filesystem for infected binaries, that's probably meant more to scan filesystems mounted by Windows boxes via SMB ... for Windows viruses.
Sure, their virus signature databases probably do have some Linux viruses in there,
Everything is vulnerable. (Score:3, Informative)
Quite postmodern (Score:2)
I guess anything that can be built can be broken, regardless of how unbreakable it is.
You don't understand "vulnerable". (Score:5, Insightful)
Getting that virus onto someone else's box is very difficult.
Getting that virus to spread from that box is even more difficult.
Linux viruses have an infection rate that is lower than their removal rate so they die in the wild.
The real question is how did that virus get into that code? Linux viruses tend to have total infection numbers of less than 100 machines.
Because you cannot ... (Score:5, Informative)
http://securityresponse.symantec.com/avcenter/ven
http://securityresponse.symantec.com/avcenter/ven
http://securityresponse.symantec.com/avcenter/ven
http://securityresponse.symantec.com/avcenter/ven
You see? All but one had "number of sites" between 0 and 2.
They
Do
Not
Spread
Linux's security model is far more effective than Microsoft's one for Windows.
Anyone can write a virus/worm/trojan for Linux, but they cannot get them to spread beyond any machine that they themselves do not have access to.
6 stories down on the front page (Score:2, Funny)
BWAHAHAHAHAHAHA.
Re:6 stories down on the front page (Score:2)
Re:6 stories down on the front page (Score:4, Informative)
Re:6 stories down on the front page (Score:3, Insightful)
Re:6 stories down on the front page (Score:3, Interesting)
Re:6 stories down on the front page (Score:4, Insightful)
How is this different?
Re:6 stories down on the front page (Score:5, Informative)
Funny? Yes. True? No - you see its not exactly a mozilla problem.
Whilst searching for more information about this, I stumbled across this page [mozillazine.org] last time these servers were hacked in June).
Choice quote:
So, it's not mozilla.org (the article states "on public servers. Mozilla.org is the latest example")
It's someone who's taken the mozilla source and made their own binaries. A problem yes, a serious problem even, but not to the scale that Kaspersky Labs would have us believe.
Who would have thought it? A security company overhyping an issue!
I'm not sure why they bother. Do they really think stories like this are going to make linux users go and buy their security 'solution'?
Re:6 stories down on the front page (Score:4, Interesting)
If you want to include all or part of a Mozilla trademark in a domain name, you have to receive written permission from Mozilla. People naturally associate domain names with organizations whose names sound similar. Almost any use of a Mozilla trademark in a domain name is likely to confuse consumers, thus running afoul of the overarching requirement that any use of a Mozilla trademark be non-confusing. If you would like to build a Mozilla, Firefox Internet browser or Thunderbird e-mail client promotional site for your region, we encourage you to join an existing official localization project.
source [mozilla.org]
So Mozilla does state a policy regarding exactly what has occurred here. The problem is, U.S. trademark laws don't have any teeth in Korea. In fact, there is a U.S. government-run site that goes into great detail about how companies that have registered trademarks in the U.S. should not try to do business in Korea (or enforce their trademarks, of course) until they have registered their trademark in Korea, as well:
Basic intellectual property laws exist in Korea. However, protection of intellectual property and the laws governing enforcement of these protections are not necessarily extra-territorial. What is understood and practiced in the United States is not always practiced in Korea. U.S. companies wishing to sell their products or services in Korea should first and foremost find out if they have to register their intellectual property rights (copyright, trademark or patents) in Korea...One of the most frequent IPR problems facing U.S. businesses in Korea is trademark protection.
source [buyusa.gov]
Now, the last piece relates to trademark use by localization teams. The site distributing the binaries was in fact run by a Korean Firefox localization team, however, Mozilla has yet to refuse their right to use the trademarks, as per Mozilla Foundation policy, which allows use by localization teams in general, and rejects only in specific instances:
It is very important that Community Releases of Firefox and Thunderbird maintain (or even exceed!) the quality level people have come to associate with Mozilla Firefox and Mozilla Thunderbird. We need to ensure this, but we don't want to get in people's way. So, we are taking an optimistic approach. Official L10n teams can start using the "Firefox Community Edition" and "Thunderbird Community Edition" trademarks from day one, but the Mozilla Foundation may require teams to stop doing so in the future if they are redistributing software with low quality and efforts to remedy the situation have not succeeded. Doing things this way allows us to give as much freedom to people as possible, while maintaining our trademarks as a mark of quality (which we are required to do in order to keep them).
source [mozilla.org]
I'll readily admit that I have no idea whether Mozilla has attempted to reject their right to use the Mozilla trademark, but given the warning found on U.S. government sites regarding trademark enforcement, I'd say it would be prodigal use of the foundation's limited resources. Further, there is nothing to indicate that there is in fact any "affiliation" whatsoever, as nowhere does Mozilla Foundation acknowledge the presence of the Korean site (although its URL does appear on a Mozilla-run wiki - who knows who put it there).
In any case, this reflects poorly only on the part of the Korean Localization Team, as Mozilla Foundation likely lacks the resources to successfully pursue a trademark infringement case abroad in Korea, and we have already established that the site is not an official Mozilla site (unlike, for example, http://www.mozilla-europe.org/ [mozilla-europe.org] or
Ha. (Score:5, Funny)
Oh, wait.
Re:Ha. (Score:3, Informative)
HOW YOU RIKE ME NOW HANS BRIX?
Korean Mozilla Binaries Infected (Score:5, Funny)
And so it begins... (Score:4, Insightful)
Um... (Score:5, Insightful)
Re:Um... (Score:5, Insightful)
Re:Um... (Score:2)
Write access ?
Re:Um... (Score:2)
However, this seems to be a good case against any installers that are executable. root still has to run some programs to install things & those can be infected, but every-little-bit helps. Also a good case for getting updates through your distro so they can do quality control.
Re:And so it begins... (Score:3, Insightful)
Re:And so it begins... (Score:5, Insightful)
Re:And so it begins... (Score:2)
And as we all know nobody installs Linux software as root.
Re:And so it begins... (Score:2)
Smart enough doesn't matter... (Score:3, Interesting)
First time real-world linux virus spread? (Score:2, Interesting)
Re:First time real-world linux virus spread? (Score:4, Insightful)
It is a 3-year-old thing and it never spread, why should it now?
It has been found somewhere on some server in some package.
OK, then?
Distros build their version of software from source, they check the sources, their users get their software from their distro.
End of the story.
Moral of the story:
-don't download binaries from other sources than your distro.
-don't install binaries from other sources than your distro as root.
Survey says... (Score:2, Funny)
Black day for Unix Firefox users (Score:5, Informative)
source? (Score:4, Informative)
They could have easily replaced the app signatures to match the infected binaries.
Re:source? (Score:2)
The other important point is that the Korean site was not officially affiliated with the Mozilla organization (unlike US, China, Europe, Japan, etc.). Because of this the Mozilla foundation had no control and couldn't impos
Let the thrashing begin! (Score:4, Insightful)
Whatever.
Considering this only affects one operating system (Linux) and occurred in only one area of the world (Korea), despite this flaw it's still a whole bunch better than getting an update for IE or Outlook and having everyone who uses Windows, regardless of where they are in the world, being infected.
Re:Let the thrashing begin! (Score:2)
Re:Let the thrashing begin! (Score:2)
This is a reflection of the people managing the Korean servers, not of Mozilla. It is not Mozilla's server or under their control. All these references to yesterday's security report on Mozilla are irrelevant, as they simply do not apply.
You
Re:Let the thrashing begin! (Score:3, Informative)
(Also, I wouldn't be surprised if they have pgp sigs somewhere for the Linux tarballs, but that takes work to verify.)
Every OS needs protection (Score:2, Insightful)
Poor Koreans... Again... (Score:4, Funny)
Permissions? (Score:4, Insightful)
And that is "insightful"? (Score:3, Insightful)
"equal standards"? You're comparing ActiveX to an infected binary on some Korean site.
Again, this was not a flaw in FireFox. It was some Kore
No, it is not. (Score:3, Insightful)
Duh! Of course it isn't. The software is the code.
The distribution system is how people get the code.
Infecting /bin? (Score:5, Insightful)
Nothing new here....if you install software as root from a compromised source and don't check the md5sums along with other precautions you put yourself at risk
Re:Infecting /bin? (Score:3, Informative)
In either case, the hash would have shown valid. I was under the impression hashes (MD5, SHA-1) were mostly just for making sure nothing was corrupt in the transfer.
Digital signatures are for ensuring validity, though they wouldn't prot
Re:Infecting /bin? (Score:4, Insightful)
Last I checked all the major repository systems (rpm, apt, etc) require you to do so. Yup.
if you install software as root from a compromised source and don't check the md5sums
Checking the md5sums will do you absolutely no good unless you get the md5sum from a completely independent source -- which isn't true in most cases. In this case there was no independent source -- the Korean site compiles it and distributes it themselves and is not affiliated with the Mozilla foundation.
along with other precautions you put yourself at risk
My, that's nebulous. What precautions?
You could compile from source... and then you're safe as long as someone didn't trojan the CVS server (either intentionally or maliciously). Or are you going to evaluate every line of code prior to compiling it as well? Make sure to double check your compiler and libraries -- if they have a trojan injector then you'll have one hell of a time figuring that out.
No, it's not anything new. But it should be a wakeup call to a lot of people who think they're "safe" for running non-mainstream software. We're not -- we're just a smaller target. It's just a twist on "security through obscurity", and that's been proven to be inadequate countless times.
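Two posts in this thread make the same point about checksums: the one above (a checksum is worthless unless it comes from a source independent of the download) and the earlier exchange about mirrors that mirror the checksum files too, so that only the checksum on the master counts. The following is an added example, not code from the thread or from Mozilla: a downloader check that compares a file against a manifest fetched from the originating project rather than against the checksum file sitting next to the file on the mirror. The installer bytes, the mirror and the manifest are all constructed stand-ins; the file name `mozilla-installer-bin` is taken from the thread, every function name is my own, and SHA-256 stands in for the md5sum the posters mention.

```python
import hashlib
import hmac

# Constructed stand-ins for the two artefacts; the real files are not on this page.
GOOD_INSTALLER = b"\x7fELF" + b"constructed clean installer bytes" + b"\x00" * 64
TAMPERED_INSTALLER = GOOD_INSTALLER + b"\x90" * 8 + b"constructed infection marker"


def sha256_hex(data):
    """Hex SHA-256 of an in-memory file."""
    return hashlib.sha256(data).hexdigest()


# Manifest published by the originating project (the "master"), fetched over a
# channel that does not go through the mirror. Constructed for this example.
MASTER_MANIFEST = {"mozilla-installer-bin": sha256_hex(GOOD_INSTALLER)}


def mirror_checksum_file(served_files):
    """The checksum file a mirror serves next to its binaries.
    It is generated from whatever the mirror holds, so if the mirror is
    compromised the checksums simply match the compromised files."""
    return {name: sha256_hex(data) for name, data in served_files.items()}


def verify_download(name, data, manifest):
    """Accept the file only if its digest matches the manifest entry.
    An unknown file name is rejected: there is nothing to verify it against."""
    expected = manifest.get(name)
    if expected is None:
        return False
    # Constant-time comparison; digests are hex strings of equal length.
    return hmac.compare_digest(sha256_hex(data), expected)


def check_all_sources():
    """Constructed scenario: a compromised mirror serves the tampered installer
    together with a regenerated checksum file. Returns what each check says."""
    served = {"mozilla-installer-bin": TAMPERED_INSTALLER}
    mirror_manifest = mirror_checksum_file(served)
    return {
        # Mirror's own checksum file: matches the tampered binary, so it "passes".
        "mirror_checksum_accepts_tampered": verify_download(
            "mozilla-installer-bin", TAMPERED_INSTALLER, mirror_manifest),
        # Master's manifest: the tampered binary fails.
        "master_checksum_accepts_tampered": verify_download(
            "mozilla-installer-bin", TAMPERED_INSTALLER, MASTER_MANIFEST),
        # Master's manifest: the clean binary passes.
        "master_checksum_accepts_clean": verify_download(
            "mozilla-installer-bin", GOOD_INSTALLER, MASTER_MANIFEST),
        # A third party's own build has no master entry at all, which is the
        # situation the post above describes: there is no independent source.
        "unaffiliated_build_has_master_entry": verify_download(
            "mozilla-installer-bin-ko", TAMPERED_INSTALLER, MASTER_MANIFEST),
    }


if __name__ == "__main__":
    for check, result in check_all_sources().items():
        print(f"{check}: {result}")
```

The last entry is the crux of this particular incident: when the redistributor compiles the binaries itself, no upstream manifest can cover them, and the only remaining options are a signature from a key you already trust, or building from source yourself.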
In Korea.... (Score:2, Funny)
Re:In Korea.... (Score:2)
OK, if you know *anything* about Linux (Score:3, Interesting)
You'll also know that the virus isn't infecting *anything* unless you're running as root or you're using a version of kernel and glibc that have specific flaws to allow the virus to do something as a regular user. Are they using a kernel and software from 2001? Maybe, for all I know, but that's pretty irresponsible if they are.
This is such a non-issue for anyone except the stunned distributor that sent around the CDs. Not the first time it happened to the Windows world, either.
Normal installation runs binaries as root (Score:5, Informative)
Before everybody starts pointing out that they don't browse the web with their root account, and so can't write to any of the binaries on their system, you should be aware that one of the infected files is the installer - which most people do run as root.
Also, even if you don't run the installer binary, but simply unpack the tarball manually, the release notes tell you to run included binaries as root as part of the normal multi-user installation process [mozilla.org].
Checksums do not exist for nothing. (Score:3, Insightful)
Unfortunately this part can't be fully automated, because you would rely on the untrusted package to find the originator sources, which can be faked, obviously.
If the installation on Linux was standardised, maybe just ask the user where the originator website of the software is.
But Linux's distribution can't even standardised on a common pac
file permission... (Score:2, Insightful)
Linux.RST.B was not effective virus in 2002 (Score:3, Informative)
Oy... (Score:3, Insightful)
Come on...this isn't rocket surgery. Use some common sense.
Alan Cox was right (Score:5, Insightful)
I use a lot of OS software (e.g. Firefox, NeoOffice/J, LyX, R), but the standard installation process on my platform (OS X) does not allow checking for an authentic signature. Why is this not built in? It doesn't have to be this way: for instance, Red Hat signs its own RPMs (though Debian's APT didn't support this last time I looked).
We already have to trust the developers. We shouldn't have to trust every FTP server too.
Re:Alan Cox was right (Score:3, Informative)
Re:Alan Cox was right (Score:5, Informative)
Download the key (RPM-GPG-KEY-fedora for example)
rpm --import RPM-GPG-KEY-fedora
And voila. This works for third party developer's keys.
As for your other comments they are just misinformed, you should read the article maybe. Or not and just make stuff up, that works too.
no surprise (Score:5, Informative)
http://www.mozillazine.org/talkback.html?article=
I'm thinking they should give up their domain which likely causes the confusion and give the false impression that what you are downloading from the site is an official Mozilla binary.
burnin
www.mozilla.or.kr is not an official Mozilla site (Score:3, Insightful)
People have complained in the past about the Mozilla organisation being heavy handed about trademarks, and trademarks (eg the Linux one) have been getting a bad rap in general. But here's the other side of the coin - the actions of an organisation that identify themselves as "Mozilla", even though they're _not_ the Mozilla foundation, are tarnishing the reputation of the genuine article.
It's about freaking time... (Score:5, Funny)
Err, wait...
This was not an official site! (Score:3, Interesting)
www.internetnews.com/security/article.php/3512081
Come on! Don't blame Mozilla.org for something that's not under their control. This goes double for the Windows idiots that point and say "oo! FF is just as vulnerable!" and forget that this is just like going to "Shady Joe's Windows Upgrades" instead of microsoft.com for SP2.
--
BMO
Mozilla not showing originating URL of download (Score:3, Interesting)
Notice that when you use MSIE on Windows, it shows you the true URL of the site you are downloading from. In the download box, it will show you the URL it's downloading from, and you can see Mozilla's choice of mirrors around the world.
With Firefox, however, you don't get to see this by default. It just shows the basename of the file you are downloading, not the full URL containing the hostname and directory path. By right-clicking on the progress bar in the Downloads popup window, and choosing Properties, you can then view the true URL, but many users don't know about this.
If the user has turned on the "Ask me where to save every file" option, the popup file-chooser window also unfortunately does not show the true URL. It would be an ideal place to show it in this window, as there seems to be plenty of room there.
Right now, I have to download the file multiple times, open the Properties to make sure I'm getting a different mirror, and then diff the files to make sure they're the same, before I can consider them trustworthy enough to install.
By itself, this is just a nitpick, but it turns into a nasty bug when combined with other things:
1) The user not being able to easily see the true originating URL of a file, before making the download decision
2) Mozilla's decision to use a huge variety of seemingly random sites as mirrors, some more questionable than others
3) Mozilla's decision to not have any way whatsoever of verifying the integrity of the download, such as a cryptographic signature
Put all three together, and it's virus time!
Microsoft: Smug Mode.
With the large numbers of mirrors Mozilla uses, spread throughout the world, the odds of someone sneaking malware in there (either by ignorance, hacking, or a good old-fashioned bribe) are quite high.
The solution probably lies in a plugin. If there's not already a plugin to let the user plainly see the true URL and verify where files are coming from, it should be made (I wish I knew how). The plugin should also have some cryptographic method of verifying a downloaded file, and Mozilla should sign all releases with a strong key. It's just basic common sense, and I'm shocked Mozilla hasn't done this already.
Re:This proves ... (Score:2, Insightful)
...that Firefox needs to be fixed? (Score:2, Interesting)
As I recall, Firefox (which is not the same as Mozilla, yes, I know) won't work quite right unless it is run as root once. Isn't that a security hole waiting to be exploited by something like this? Even a user who doesn't normally run as root can be hit with this situation.
Re:Antivirus? (Score:2)
Well, technically Linux has antivirus products - just most of them are for scanning Windows executables that are going through your Linux mail system. If you're running the SELinux extensions it'd probably stop the thing anyway though.
Re:Antivirus? (Score:2)
Now your
And there are antivirus programs for Linux.
Re:Secure.. (Score:5, Informative)
No, no, no... Windows is as secure. (Score:3, Informative)
Re:No, no, no... Windows is as secure. (Score:5, Funny)
Re:No, no, no... Windows is as secure. (Score:3, Interesting)
-su:
Same thing here. As soon as I quit the cat process still running from that binary, I can alter the binary.
Although unlinking and then replacing the binary would work.
Re:Secure.. (Score:3, Insightful)
But you'll have installed it as root, and the installer was infected, and you're still screwed.
Re:Secure.. (Score:3, Funny)
Re:Secure.. (Score:3, Insightful)
It is. The fact that the only way for it to be effective is to pre-infect the original distribution. Which means someone miscopulated the canine. Still can't get around human fallibility in that regard.
Linux is still much more secure in its raw state than almost any closed-source product even after post-install configuration. Anyone with a modicum of experience with a fresh *nix installation will likely spot this before it does any real damage.
Suppose it was o
Re:Not going to go over well... (Score:2)
Tinfoil shoes? (Score:5, Insightful)
OK, really paranoid, conspiracy-theory thought here... Yesterday, Symantec, a vendor with an AV product, releases a report claiming that Mozilla is not as secure as IE. Today, a news story comes out that a download of Mozilla from some website in Korea has been trojaned. Anyone else wondering if Symantec placed the infected files in Korea to boost sales of either their Linux AV product (haven't checked to see if there is one yet) or their security consulting services?
My late-night googling skills are failing to find a reference, but I remember some stories from a couple years back about AV companies writing and releasing new viruses to pad their list of known viruses. If that was true, then I wouldn't put a stunt like this past them.
Re:More evidence that Mozilla is NOT secure by des (Score:3, Insightful)
Re:Some stuff (Score:3, Insightful)
Besides, Microsoft is constantly broadcasting the message that Linux sucks, and they are paying billions a year to have that message repeated wherever they can. Do you expect Linux supporters to just respond once and then shut up?
Microsoft has bought the airwaves, print publications, billboards, and face time to get their message across. Leave the rest of us a little space on discussion groups for expressing our v