Ethics of Releasing Non-Malicious Linux Malware?
buchner.johannes writes "I was fed up with the general consensus that Linux is oh-so-secure and has no malware. After a week of work, I finished a package of malware for Unix/Linux. Its whole purpose is to help white-hat hackers point out that a Linux system can be turned into a botnet client by simply downloading BOINC and attaching it to a user account to help scientific projects. The malware does not exploit any security holes, only loose security configurations and mindless execution of unverified downloads. I tested it to be injected by a PHP script (even circumventing safe mode), so that the Web server runs it; I even got a proxy server that injects it into shell scripts and makefiles in tarballs on the fly, and adds onto Windows executables for execution in Wine. If executed by the user, the malware can persist itself in cron, bashrc and other files. The aim of the exercise was to provide a payload so security people can 'pwn' systems to show security holes, without doing harm (such as deleting files or disrupting normal operation). But now I am unsure of whether it is ethically OK to release this toolkit, which, by ripping out the BOINC payload and putting in something really evil, could be turned into proper Linux malware. On the one hand, the way it persists itself in autostart is really nasty, and that is not really a security hole that can be fixed. On the other hand, such a script can be written by anyone else too, and it would be useful to show people why you need SELinux on a server, and why verifying the source of downloads (checksums through trusted channels) is necessary. Technically, it is a nice piece, but should I release it? I don't want to turn the Linux desktop into Windows, hence I'm slightly leaning towards not releasing it. What does your ethics say about releasing such grayware?"
Re:I think you've already decided... (Score:5, Funny)
Yes, especially when he includes his full name in TFS, unless of course this Johannes Buchner is his arch nemesis whom he is trying to frame.
Ethics (Score:2, Funny)
I can't hear you! (Score:1, Funny)
{fingers in ears} La la la la la la la la la la la la la.......
Re:I think you've already decided... (Score:4, Funny)
Yes, especially when he includes his full name in TFS, unless of course this Johannes Buchner is his arch nemesis whom he is trying to frame.
I tested your theory by saying "Johannes Buchner" in a stiff-jawed English accent - a James Bond sort of accent. And lo and behold, my scientific study has come to this conclusion:
Johannes Buchner is in fact an evil genius and he will release this code on to the World bringing havoc to all Linux run internet servers in effect, destroying the internet unless he is paid One HUNdred biiiillllioooon Euroes!
Re:Malware? (Score:4, Funny)
Two typos in (what was supposed to be) 19 characters. I wish all malware writers were that sloppy.
Re:Ah, No. (Score:3, Funny)
The millions of exploits for Windows prove that there are people ready to capitalize on any flaw.
Confirmed. Linux users are now anti-capitalists
Just in time for Chrome OS (Score:3, Funny)
Which simply shows that the lack of Linux malware isn't because Linux is somehow magically superior, but simply because nobody has taken the time to write any.
Even better, pretty soon we'll have clueless noobs with their new netbooks running Google's ChromeOS (which they don't know is really Linux because Google is doing everything they can to avoid the "L" word). Now they can get pwned too!!
Re:Dear Slashdot (Score:4, Funny)
Yeah but if you punch me in the face, expect me to use Aikido on you and throw you into the nearest wall and use your attack against you. Ordinary people will get punched in the face, but we martial arts students will know what to do if someone is trying to punch us in the face. Grab your wrist, spin around, and throw you into a wall. I studied several forms of martial arts, and I could do a simple block, or just grab your fist and crush it with my hand thus breaking your bones in your hand, or dodge and do a hammer fist on your chest and crack some ribs.
Did I mention I am a pirate ninja? :)
Re:If you have to ask, your ethical compass is b0r (Score:5, Funny)
That's like one guy who said "My best friend's girlfriend wants to sleep with me - should I do it so I can show him what a sl*t she is?"
Of course, why actually sleep with her when you can just brag about her offer on slashdot!
Re:If you have to ask, your ethical compass is b0r (Score:5, Funny)
Yeah, really! Ethics is easy!
Will releasing it make you money? No? Then don't do it.
See how easy that was?
Re:Dear Slashdot (Score:5, Funny)
How cool is that?! [Re:Release it.] (Score:2, Funny)
Post it to the internet with a headline of "Nude Pictures of Britney Spears!! (Linux only)." Oh, and give it a payload that allows you to pwn the computers it gets downloaded to. And then you'll have a Linux botnet!! How cool is that!!
And, next time somebody posts on /. "imagine a beowulf cluster of those" -- well, you'll actually have a beowulf cluster of those.
Oh, and I almost forgot:
3. ???
4. profit!!
Re:Security through obscurity (Score:3, Funny)
Once they develop a conversable chatterbot that targets linux basement dwellers. The bot will say she uses a particular type of webcam software and really wants to show them something.
loose execution of unverified downloads... (Score:1, Funny)
The exploit relies on "loose execution of unverified downloads"...
Is this the joke about the virus that spreads itself by telling the user "send this email to all your friends then format your hard drive" ?
Once you have code executed on a machine that doesn't have good security, you manage to get local root exploit and then do some "really nasty thing" to persist a reboot?
Please?
Really nasty as in escaping offline IDS?
Publish your kiddie exploit, I'm laughing out loud...
: )
Re:You've failed to understand the real world (Score:2, Funny)
Dammit! I knew there was a reason it took so long to get to the login screen on my sliderule!
Arrogance... Nothing New. (Score:3, Funny)
We further learned that user IDs could not be set to more than 10 characters. So I raised my hand and asked what happened if all the user accounts got disabled. They said that IBM would have to back door their way in to unlock a system administrator account, and from that account, others could be reset. (This would be BAD and time consuming, so it was good practice to keep a few SYSADMIN accounts around just in case.) I asked if they had ever heard of a denial of service attack. Of course, they said. So I asked the obvious question, "What if someone wrote a script to log on to every 10 digit user account 3 times with a blank password?" The reply was "Why would anyone do THAT?"
I pointed out that while I couldn't "hack" their system by their definitions, I could sure as heck turn it into a boat anchor, and do it remotely if it was hooked to the Internet... "Yes, but you can't HACK it" was the reply...
Re:If you have to ask, your ethical compass is b0r (Score:3, Funny)
Yeah, really! Ethics is easy!
Will releasing it make you money? No? Then don't do it.
See how easy that was?
No, no, no. Ethics cannot be based on money because money is only a means to an end not an end in itself. We must fall back on the ethical basis nature gives us as anything else is artificial.
Will it get you laid?
Will it enhance the ability of your children to get laid?
If yes, then you are morally obligated to do it.
The difference between Linux and Windows (Score:2, Funny)
Better release it correctly... (Score:4, Funny)
Re:Newly retrodden ground (Score:2, Funny)
Re:I think you've already decided... (Score:5, Funny)
Why make billions, when you can make... millions?
Yes! Exactly! Today the universe, tomorrow the world!
Terminology (Score:2, Funny)
Re:I think you've already decided... (Score:2, Funny)
Re:I can't hear you! (Score:3, Funny)
10 print "I can't hear you! ";
20 a$="la "
30 k=k+1
40 print tab(k mod (80 - len(a$)-1)) a$
50 for i = 1 to 1000 : next i : rem delay loop for XT class machine
60 goto 20 : rem No, but how about GWBASIC?
Linux Malware (Score:3, Funny)
Copy and paste: sudo rm -rf
Enter your password
Come back when you have malware that can remotely infect a target machine without user interaction.
Open Source it (Score:5, Funny)
Re:I think you've already decided... (Score:3, Funny)
Your security process must continuously evolve to meat...
We'll be having none of your sissy vegetable security processes here, my lad.
Re:I think you've already decided... (Score:4, Funny)
Okay, you give me a million euros and I'll give you a million dollars...
release it! (Score:3, Funny)
This is an important milestone in the Linux to the Desktop campaign.
Without a "healthy malware ecosystem", Linux isn't mature enough to be called a desktop operating system.
Think about the AV industry!
Re:I think you've already decided... (Score:3, Funny)
Re:I think you've already decided... (Score:3, Funny)
Woosh