Linux Infected by Trojan

Let me know when it comes through a browser and elevates itself to root where it can actually do system-wide damage.
 
Every few years there is a story like this which serves to let Windows users go, "See! Linux can be infected too!"

Never mind that virtually nobody actually uses or used the software in question, or that it was patched several months before the exploit actually came out (which is typical), or that it was the result of a system misconfiguration or idiotic practices such as keeping default passwords.

All while most of the computers of those who are gloating are zombified. Consider me unimpressed. This isn't in Ubuntu's repos (or any other major repositories that I can find for that matter) and so far I have yet to find any commentators who will admit to having heard of Unreal prior to this.

Gloat away. /yawn
 
ED BOTT IS MY HERO!!!!!

It's just too bad he writes for that cesspool that has become ZDNet.
 
It doesn't matter if the trojan got onto the machine because of a flaw with linux or with the program. Either way a machine running Linux was infected. If you get a virus on windows due to a pdf file due to adobe having a flaw you still claim that Windows is a POS and gets viruses. This is exactly the same thing. Thus there is nothing wrong claiming that Linux was infected.

But yeah, this really isn't anything special. Most knowledgeable people know that ALL OSs can be infected.
 
It doesn't matter if the trojan got onto the machine because of a flaw with linux or with the program.

You're right, that wouldn't matter. But neither of those happened. What actually happened is that a user would have had to download the infected source code, compile it, and then run it. And only the source download was infected, the precompiled downloads (which most people would use) weren't infected.
 
Read the article people, his claim is this "Every time I write about Windows security software, I get a predictable flood of responses from Linux advocates who claim that they don’t need any such protection. Today comes a shining example of why they’re wrong."

Linux needs AV is his argument, and he's correct if you're going to execute software from somewhere other than the official repo.
 
Neither Linux, Windows nor Mac can prevent a user from downloading a trojan and running it. This is not a hack or any representation against the OS's security, and the package was not delivered by the distro or community.

THANK YOU.


So tired of people watching porn on their windows box, running "SexyGirl123.jpg.exe", and then crying about how "windows sucks because it's so vulnerable to viruses".

And you can't even explain to them how "it's their own fault", because they're too undereducated [about computers] to even understand.

-scheherazade
 
...

3) Another reason that the Windows version was not touched is how many people really run IRC servers on Windows boxes, let alone an IRCd server that has its roots in Linux? So why hack the code for a version that might be used 50 times when you can hack the code (easier, I might add, because of #2) for a version that might be used 1,000 times?

Pretty much the definition of why 99% of exploits target windows (install base).

-scheherazade

p.s. Where is the edit button? Seriously, I'm blind or something...
 
Pretty much the definition of why 99% of exploits target windows (install base).

-scheherazade

p.s. Where is the edit button? Seriously, I'm blind or something...

No edit function in the News Forum. Just the others.
 
Read the article people, his claim is this "Every time I write about Windows security software, I get a predictable flood of responses from Linux advocates who claim that they don’t need any such protection. Today comes a shining example of why they’re wrong."
I don't buy it. I doubt he's gotten any responses from Linux users who go out of their way to comment on a Windows security-related story about how they don't need anti-virus protection. Yet he claims he gets a "flood" "every time".

I just don't buy it.
 
I don't buy it. I doubt he's gotten any responses from Linux users who go out of their way to comment on a Windows security-related story about how they don't need anti-virus protection. Yet he claims he gets a "flood" "every time".

I just don't buy it.

While it would depend on what it is calling a flood, I wouldn't doubt one bit he gets people every time saying that. Stuff like that happens on here, users of Linux and OS X saying how they don't need to worry as those OSs don't get viruses. Some Windows security flaw is brought up and you see people instantly saying that is why you should use <insert non-Windows OS here>, as with that OS you wouldn't have that problem and won't have to worry about malware of any type.
 
I don't buy it. I doubt he's gotten any responses from Linux users who go out of their way to comment on a Windows security-related story about how they don't need anti-virus protection. Yet he claims he gets a "flood" "every time".

I just don't buy it.

Actually I was an avid reader of ZDNet until all of its bloggers became completely clueless on everything. AKH and Jason Perlow are prime examples of not being able to teach old dogs new tricks. Ed Bott is one of the last good things about that site. Always does his research, tends to have an unbiased opinion, and shows actual examples of what he's talking about when countering someone's stance. He is also quick to call MS out on shit they get wrong.


Every article turns into a Windows vs. Linux debate and the Linux guys always troll EVERY single new article about Windows security "vulnerabilities". Their responses are usually off topic and not governed by logic. I didn't even waste my time looking at the comments this time.
 
It doesn't matter if the trojan got onto the machine because of a flaw with linux or with the program. Either way a machine running Linux was infected. If you get a virus on windows due to a pdf file due to adobe having a flaw you still claim that Windows is a POS and gets viruses. This is exactly the same thing. Thus there is nothing wrong claiming that Linux was infected.

But yeah, this really isn't anything special. Most knowledgeable people know that ALL OSs can be infected.

This.

I knew before I even stepped foot in this thread that it would be full of testy Linux fans making every possible excuse.

The point is that running Linux doesn't make you invincible. Calm down, nerds.
 
This.

I knew before I even stepped foot in this thread that it would be full of testy Linux fans making every possible excuse.

The point is that running Linux doesn't make you invincible. Calm down, nerds.

You apparently didn't read 99% of the posts, most are bitching about the OP link. No nerds freaking out just yet.
 
Linux needs AV is his argument, and he's correct if you're going to execute software from somewhere other than the official repo.

Right, because AV will protect you from a previously undetected source code vulnerability. Sure. That would really have helped in this situation. :rolleyes:

There's no defense from an attacker that can convince you to run his code. Period.
 
I am a Windows user all the way; still a misleading title.

I'd love to use Linux if they would fix the commands to make more sense (and make it a tad harder to break, as it does not take me long to break basic things like the apps manager; Linux devs seem to think that everything works 100% of the time, so they fail to provide any self-heal or fix when something gets corrupted. Folding@home is a very good example of this).
 
Linux is what it is; nobody owns it and the commands are not going to change. Different distros do their own thing, but by and large the core functionality remains the same in order to maintain as much compatibility as possible.
 
This is a breach on the developer side which trickled into some package repositories mirrored by various distributions. The developers were not signing their releases properly in their own repositories, but that is now corrected. This is a great learning tool for all Linux newbies -- the importance of taking a moment to check MD5 hashes on downloaded packages and comparing them to release notes of the new version. If you're interested, keep reading:


A good explanation of what the exploit does:
http://www.securelist.com/en/blog/2205/Unreal_Backdoored_IRC_Server

unrealircd dev announcement and apology:
http://www.unrealircd.com/txt/unrealsecadvisory.20100612.txt



Back to the article, FEWT mentions this file may have been distributed with Archlinux as well. Since I am an Arch user I took the time to investigate how Arch could have been tangled in all this. First off unrealirc would not have been distributed with Arch on their official disc or download iso. Only core components come on disc. All additional packages are sorted into alternate repositories maintained by "trusted users". unrealirc would have been sorted into the "community" repository which provides ample warning when attempting to enable it to the package installer. A user may add a foreign package to the "community" repository by generating a Package Build file that contains version information, the download origin of the tarball, MD5 hashes of this file, and other build instructions. There is evidence of a period when the offending file's MD5 hash existed in this Arch Package Build file:

2009.04.29 unrealirc build script added to "community" repo with correct hashes:
http://repos.archlinux.org/wsvn/community/unrealircd/trunk/PKGBUILD?rev=1&peg=18710

2010.04.02 unrealirc build script updated with incorrect hashes:
http://repos.archlinux.org/wsvn/community/unrealircd/trunk/PKGBUILD?rev=14334&peg=18710

2010.06.12 unrealirc build script updated with new file location and original hashes:
http://repos.archlinux.org/wsvn/community/unrealircd/trunk/PKGBUILD?rev=18710&peg=18710

Odd discrepancies may have been spotted by Arch users in the history of this package without ever looking at the source code, however a certain trusted user who will go unnamed for now overlooked this:

1. When the offending file was uploaded to the developer source the Arch community repository would have included different hashes from the hosted file. I am unsure of how and when Arch mirrors are updated, but for at least some time the good copy of unrealirc 3.2.8.1 would have been retained on Arch mirrors. This means that for Arch users nothing would have gone wrong even though the developer repository now contains a different hash for version 3.2.8.1.

2. If/when Arch mirrors update themselves from the original developer source, the build script would fail as the hashes are incorrect. At this point, an Arch maintainer may provide a quick fix to this problem by updating the MD5 according to the impostor file on the developer repository. This would be bad practice, of course, as the MD5 is associated with a file version and should not change if the version has not. The Arch maintainer should have referred to this particular version's release notes rather than the current repository. (Release notes here: http://sourceforge.net/mailarchive/[email protected] ) This could have occurred on 2010.04.02. Instead, the MD5 for the offending file was added to the Arch Package Build file. Over the next two months Arch users would be downloading the offending file from an updated mirror and using the build script with a matching MD5.

Someone later spots it and reports it as a bug in Arch community project and is quickly resolved:
http://bugs.archlinux.org/task/19780


So the lack of action from the devs + a bad call by an Arch "trusted user" led to some bitter words from bitter bloggers. :) *sigh*
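The post above describes two distinct failure states: a build script whose recorded hash no longer matches the file on the mirror (the build simply fails), and a build script whose hash was "fixed" to match a re-uploaded file instead of the hash upstream published in the release notes for that version (the build succeeds and the tampered file is accepted). The following is an added example, not code from the original post, from Arch, or from the UnrealIRCd project. It parses an Arch-style `md5sums=()` array out of a PKGBUILD fragment and classifies a downloaded tarball against both the build script and the release-notes hash. All sample data is constructed: the "tarball" is a short byte string, the PKGBUILD fragment is synthetic, and the source URL is a placeholder. MD5 is used because that is what the thread's PKGBUILDs record; for a new pipeline you would check a SHA-256 and a detached signature, but the independent-reference logic is the same.

```python
"""Check a downloaded source tarball against two independent references:
the hash recorded in the distro build script (PKGBUILD) and the hash the
upstream project published in its release notes for that version.
Added example; constructed data, not from the original post or project."""
import hashlib
import re

# Constructed sample data standing in for a release tarball and a tampered
# re-upload of the *same* version number. Contents are made up.
GOOD_TARBALL = b"The quick brown fox jumps over the lazy dog"
TAMPERED_TARBALL = GOOD_TARBALL + b"\n/* extra bytes added after release */\n"

# The hash upstream announced when the version was cut. This is the real
# MD5 of the constructed GOOD_TARBALL above, not a real UnrealIRCd hash.
RELEASE_NOTES_MD5 = "9e107d9d372bb6826bd81d3542a419d6"


def pkgbuild_for(md5sum: str) -> str:
    """Build a minimal PKGBUILD fragment in Arch's format (constructed).
    The source URL is a placeholder, not the project's real download URL."""
    return (
        "pkgname=unrealircd\n"
        "pkgver=3.2.8.1\n"
        "source=(\"http://example.invalid/Unreal$pkgver.tar.gz\")\n"
        f"md5sums=('{md5sum}')\n"
    )


# Matches arrays such as md5sums=('...' '...') or sha256sums=('...').
_SUMS_RE = re.compile(r"^(md5|sha1|sha256|sha512)sums=\((.*?)\)", re.M | re.S)
_ENTRY_RE = re.compile(r"'([0-9a-fA-F]+|SKIP)'")


def parse_pkgbuild_sums(text: str) -> dict:
    """Return {algorithm: [hex, ...]} for every *sums=() array in a PKGBUILD."""
    sums = {}
    for algo, body in _SUMS_RE.findall(text):
        sums[algo] = [entry.lower() for entry in _ENTRY_RE.findall(body)]
    return sums


def digest(data: bytes, algo: str) -> str:
    """Hex digest of data under the named hashlib algorithm."""
    return hashlib.new(algo, data).hexdigest()


def audit_download(data: bytes, pkgbuild_text: str, release_notes_md5: str) -> str:
    """Classify a tarball against the build script and the release notes.

    Returns one of:
      'no-hash'             PKGBUILD has no md5sums entry, or it is SKIP
      'pkgbuild-repointed'  PKGBUILD hash differs from the release-notes hash:
                            the build script was edited to match a changed file
      'file-mismatch'       file does not match the PKGBUILD (makepkg would fail)
      'ok'                  build script, release notes and file all agree
    """
    sums = parse_pkgbuild_sums(pkgbuild_text).get("md5", [])
    if not sums or sums[0] == "skip":
        return "no-hash"
    expected = sums[0]
    # Check the build script against upstream's published value *first*:
    # a matching file proves nothing if the expected hash itself was changed.
    if expected != release_notes_md5.lower():
        return "pkgbuild-repointed"
    if digest(data, "md5") != expected:
        return "file-mismatch"
    return "ok"


if __name__ == "__main__":
    # The three states the post walks through, in order.
    print(audit_download(GOOD_TARBALL, pkgbuild_for(RELEASE_NOTES_MD5), RELEASE_NOTES_MD5))
    print(audit_download(TAMPERED_TARBALL, pkgbuild_for(RELEASE_NOTES_MD5), RELEASE_NOTES_MD5))
    repointed = pkgbuild_for(digest(TAMPERED_TARBALL, "md5"))
    print(audit_download(TAMPERED_TARBALL, repointed, RELEASE_NOTES_MD5))
```

The ordering inside `audit_download` is the point: comparing the file to the PKGBUILD alone would report the 2010.04.02 state as a clean build, because the maintainer had already changed the expected hash to match the re-uploaded file. Only a second reference that the repository maintainer cannot edit (the release announcement, or better, a signature from upstream's key) catches that.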
 
Neither Linux, Windows nor Mac can prevent a user from downloading a trojan and running it. This is not a hack or any representation against the OS's security, and the package was not delivered by the distro or community.

So in essence Linux users should stop talking shit, because MS doesn't push trojans and virii on users through Microsoft Update. Users download and get them through ignorance.
 
So in essence Linux users should stop talking shit, because MS doesn't push trojans and virii on users through Microsoft Update. Users download and get them through ignorance.

You foolishly forgot about all the Windows exploits that don't require moronic users help. So yes, Linux users can still comfortably talk shit, and back it up, as usual. Nothing new.
 
Anyone read the update to the article on the 14th? Same link. This thing was found in an official Gentoo distro. Gentoo has since, however, released a patch for it.
 
Anyone read the update to the article on the 14th? Same link. This thing was found in an official Gentoo distro. Gentoo has since, however, released a patch for it.

This is exactly why you don't use fast-moving, relatively untested distributions for important servers.
 
I agree with what most people say that nobody is safe from unknowingly installing a trojan yourself. But getting it straight from the developers? Whats a person to do then? Id be pissed if my fresh install of Windows came with a free virus.
 
In b4 some Linux hacker makes a healing script that scans the internet for unrealircd, trojan downloads the newest source, compiles it, does a `make install` and SIGHUPs unrealircd

;)

Like Welchia
 
Anyone read the update to the article on the 14th? Same link. This thing was found in an official Gentoo distro. Gentoo has since, however, released a patch for it.

But nobody would use Gentoo so it doesn't matter. :rolleyes:

The fanboys are going to come up with some excuse about how this isn't a real threat and means nothing claiming that linux is still 100% secure, has no security holes and cant' get a single virus or piece of unwanted software in any way, shape or form.
 
But nobody would use Gentoo so it doesn't matter. :rolleyes:

The fanboys are going to come up with some excuse about how this isn't a real threat and means nothing claiming that linux is still 100% secure, has no security holes and cant' get a single virus or piece of unwanted software in any way, shape or form.

Of course a Linux box can get unwanted software on it. Just pop in an MS install disc.
 
But nobody would use Gentoo so it doesn't matter. :rolleyes:

The fanboys are going to come up with some excuse about how this isn't a real threat and means nothing claiming that linux is still 100% secure, has no security holes and cant' get a single virus or piece of unwanted software in any way, shape or form.

Why is it an excuse? IF a user doesn't set a passwd for admin, is that the OS's fault when someone then just walks into it?

As far as the OS is concerned this is a valid system call, so harsh as it is that the upstream source was compromised (which would have affected Windows as well if people compiled it from source and not just used the binaries...), it is still a user issue and a program issue.

What about the spate of A/V software that has screwed over Windows because it decided key DLLs were a threat? Was this the fault of the OS or the program or the user? THIS was the fault of the programmers, and in essence such cases are comparable.

And from the Gentoo P.O.V., unrealircd is run as user "nobody", which doesn't have a shell, doesn't have a home... so by default the compromise wouldn't have gotten far. IF a user ran it as himself or root... well...
 
Why is it an excuse? IF a user doesn't set a passwd for admin, is that the OS's fault when someone then just walks into it?

As far as the OS is concerned this is a valid system call, so harsh as it is that the upstream source was compromised (which would have affected Windows as well if people compiled it from source and not just used the binaries...), it is still a user issue and a program issue.

What about the spate of A/V software that has screwed over Windows because it decided key DLLs were a threat? Was this the fault of the OS or the program or the user? THIS was the fault of the programmers, and in essence such cases are comparable.

And from the Gentoo P.O.V., unrealircd is run as user "nobody", which doesn't have a shell, doesn't have a home... so by default the compromise wouldn't have gotten far. IF a user ran it as himself or root... well...

Yes, that is an excuse. If you are going to make such claims for Linux then you have to do the same for Windows. It doesn't matter if nobody installs the virus, if it was flawed in that it didn't do anything, or anything else. A virus was coded for Linux and managed to get out into the public.

My post there was only to point out how people are trying to come up with any excuse possible to say that this isn't a virus or that it doesn't prove that Linux can get a virus due to <insert reason here>. Above they tried to say that nobody downloaded it so it doesn't count, which has now been shown to be wrong, so they will need to come up with some other reason.
 
A virus was coded for linux and managed to get out into the public.

No it didn't. A trojan got out, not a virus. It didn't self replicate, it didn't infect a target, it didn't exploit any security holes, etc...

This in no way indicates that Linux is insecure, just that people are idiots. Which everybody already knew.
 
No it didn't. A trojan got out, not a virus. It didn't self replicate, it didn't infect a target, it didn't exploit any security holes, etc...

This in no way indicates that Linux is insecure, just that people are idiots. Which everybody already knew.

Sorry, I am used to having to group viruses, trojans and worms into the category of "virus" for the average person and forgot to stop doing that around people who would know the difference. Yes, you are correct: trojan, not a virus.

And correct, it doesn't exactly say that Linux is insecure; however, it does mean that it isn't perfect in every aspect. A stupid person is still going to be able to get some piece of malware on there if they really want to.
 