Ethics of Releasing Non-Malicious Linux Malware?

buchner.johannes writes "I was fed up with the general consensus that Linux is oh-so-secure and has no malware. After a week of work, I finished a package of malware for Unix/Linux. Its whole purpose is to help white-hat hackers point out that a Linux system can be turned into a botnet client by simply downloading BOINC and attaching it to a user account to help scientific projects. The malware does not exploit any security holes, only loose security configurations and mindless execution of unverified downloads. I tested it to be injected by a PHP script (even circumventing safe mode), so that the Web server runs it; I even got a proxy server that injects it into shell scripts and makefiles in tarballs on the fly, and adds onto Windows executables for execution in Wine. If executed by the user, the malware can persist itself in cron, bashrc and other files. The aim of the exercise was to provide a payload so security people can 'pwn' systems to show security holes, without doing harm (such as deleting files or disrupting normal operation). But now I am unsure of whether it is ethically OK to release this toolkit, which, by ripping out the BOINC payload and putting in something really evil, could be turned into proper Linux malware. On the one hand, the way it persists itself in autostart is really nasty, and that is not really a security hole that can be fixed. On the other hand, such a script can be written by anyone else too, and it would be useful to show people why you need SELinux on a server, and why verifying the source of downloads (checksums through trusted channels) is necessary. Technically, it is a nice piece, but should I release it? I don't want to turn the Linux desktop into Windows, hence I'm slightly leaning towards not releasing it. What does your ethics say about releasing such grayware?"
  • by ChipMonk ( 711367 ) on Monday November 30, 2009 @10:46PM (#30278614) Journal
    Contact someone at SANS, or Bruce Schneier, or some such. Maybe even someone on the SELinux project; if this non-malicious malware is indeed as capable without SELinux as you claim, and SELinux mitigates/eliminates the danger, this could be good PR for them.
  • by eparis ( 1289526 ) on Monday November 30, 2009 @10:58PM (#30278706)
    SELinux was not the cause of any of the recent kernel exploits making use of NULL pointer dereference. For this class of bugs SELinux systems were stronger than non-SELinux systems when the attack was coming from a network facing daemon, but were weaker for logged in authenticated users. So for the purposes of this discussion (logged in users clicking things they shouldn't) Yes, older SELinux systems might be weaker than non-selinux systems. But SELinux was never the actual problem, just made the real problems harder or easier to exploit (in current kernels SELinux is believed to be stronger against both classes of attacks for these types of bugs)
  • Or, Johannes Buchner is the West Germanic language equivalent of "John Smith". There is more than one [google.com] person with this name, although I suspect we're with the guy who posts his Public PGP key [coconia.net].

  • by jedidiah ( 1196 ) on Monday November 30, 2009 @11:18PM (#30278856) Homepage

    ...yes. Malware that has to be manually run.

    How utterly pathetic.

    At least you can say that Windows has one thing on Linux. Installation of Trojans is automated. No end user interaction is required.

    It would be interesting to see how far a manual trojan could get on Linux...

  • Re:Commendable (Score:3, Informative)

    by cbiltcliffe ( 186293 ) on Monday November 30, 2009 @11:37PM (#30278996) Homepage Journal

    That doesn't make Linux less secure than Windows. That makes the user just as insecure as the same uneducated fool running Windows.

    1) Newbie Windows users who are having problems with their systems will pretty much click on anything as any user you tell them to in a desperate hope to get IE working again.

    2) Windows settings dialogs on their own can look very cryptic to the uninitiated. Add into that the scripting abilities of cmd.exe... HAHAHA ...ok.. I can't complete that thought without falling out of my chair. But, a new Windows user won't be able to differentiate a malicious click from one that will get their Freecell working again.

    3) The out-of-the-box remote admin abilities of Windows are excellent. (At least...as good as they are for Linux. Considering that both have a firewall by default, which you have to get the user to turn off in order to be able to remote admin the box...)

    4) Standard tools like BackOrifice can easily be used to establish out-connecting remote management sessions.

    5) OR, you can just get them to IE download and click your favourite piece of malware.

    See? It's not Linux. It's the user.
    Every security problem you mentioned applies equally to every operating system on the planet. Except the odd few that don't have networking abilities.....

  • Re:Dear Slashdot (Score:3, Informative)

    by buchner.johannes ( 1139593 ) on Monday November 30, 2009 @11:41PM (#30279028) Homepage Journal

    An excellent analogy. Both insightful and funny. I like it.

    However: This does not do any harm, neither physically nor virtually. In your analogy, it would be releasing the technique of touching someone's nose, so everyone can do it. Everyone can alter it to a punch in the face, and they can apply it. I guess it boils down to 'The Physicists - Friedrich Dürrenmatt': Is a developer responsible for the users that apply the product, or is each user responsible himself for how they apply? With the A-bomb and TNT, there are real lives at stake; but with software there aren't.

  • by bmo ( 77928 ) on Monday November 30, 2009 @11:53PM (#30279100)

    >mindless execution of unverified downloads

    There is no cure for stupid on any platform.

    People will install purple gorillas and cd-drive-cupholders. This is not new.

    But beyond user stupidity, there are reasons why propagation of badware on Linux and Unix sucks, and I suggest that people read Tom's excellent rant here: http://slashdot.org/comments.pl?sid=3291&cid=1395315 [slashdot.org]

    This situation may not last (c.f., sudo silliness on fedora), but unless you can do a miracle of social engineering, treachery, and underhandedness and get your badware included in the main repositories as source (which repo maintainers and end users use to build packages), you're not going to get very far in the *nix world.

    --
    BMO

  • by Valdrax ( 32670 ) on Tuesday December 01, 2009 @12:41AM (#30279382)

    You might also really want to talk to a lawyer who knows the Computer Fraud and Abuse Act. [cornell.edu] At a minimum, you may need to worry about 18 USC 1030(a)(5). Pay attention to the definition of "damage" and "loss" in 18 USC 1030(e)(8),(11).

  • by Anonymous Coward on Tuesday December 01, 2009 @01:39AM (#30279764)

    Only problem is there are several free-roaming exploits that require SELinux to run in order to get access to ring0. SELinux generally causes more problems than it solves.

  • Re:It does harm!!!! (Score:3, Informative)

    by nhytefall ( 1415959 ) on Tuesday December 01, 2009 @01:50AM (#30279814) Journal
    Negative. Unless I specifically give permission then you still cannot enter. What is so effing hard about that concept for people to grasp?
  • 3) Make sure your father is the head of the NSA and can keep you out of jail. (http://en.wikipedia.org/wiki/Morris_Worm)

    Actually, his father was Chief Scientist at NCSC, not quite the same thing.

    It can also be argued that Morris (the son, that is) honestly screwed up.

  • by WuphonsReach ( 684551 ) on Tuesday December 01, 2009 @02:33AM (#30280010)
    browsing some porn sites

    (sigh) That's a fallacy that needs to die. Yes, drive-by exploits are more common in the dark corners of the internet (warez, porn, etc. sites). But you're also quite likely to find regular websites that have been hacked to serve up exploits and infections. Not to mention the constant problems where ad networks serve up malicious content.

    You can no longer assume that just because you don't go visit the dark corners of the internet that you're safe.

    The last infection that I tracked down by reviewing our squid transparent proxy logs came from a hobby site. I don't remember if it was sewing, cooking, or some other benign type hobby. But it was nothing that would get you fired if someone saw you browsing it. The site's pages had been all altered to serve up a Javascript exploit which would infect the machine.
  • by WuphonsReach ( 684551 ) on Tuesday December 01, 2009 @02:49AM (#30280060)
    SELinux, in a lot of cases, is basically file system permissions on steroids. Daemons run inside a domain, files and ports get labeled with SELinux labels. Then you define what and how the domain is allowed to touch. (And it's more fine-grained than just "read / write".)

    Sorta like how you define what a user is allowed to touch on the file system by assigning group membership and file permissions.

    If the SELinux policies are very tight and the service is well behaved and you can easily define the allowed actions, things work well. It just gets trickier when daemons are not well defined and tend to talk to random ports and touch random files. Just like coming up with a reasonable set of permissions and group membership for a user that allows them to get their job done without constantly pestering you, it can be a bit of an art form to define SELinux policies.

    (There's probably more to it than describing it as file permissions on steroids, but it gets the general idea across. The system is only as secure as the labeling and policies.)
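To make the domain-and-label description above concrete, here is an added example, written for this page and not taken from the commenter, from Fedora, or from the reference policy itself: a minimal SELinux policy module in reference-policy syntax for a hypothetical network daemon called mydaemon. Every type name, path and port number in it is an assumption. What matters is the shape: the daemon gets its own domain, only the files and the port that carry its own labels are reachable from that domain, and nothing grants it execute access to user-writable locations. It is two files (the .te policy and the .fc file-context list), shown one after the other.

```text
## mydaemon.te  (reference-policy syntax; all names hypothetical)
policy_module(mydaemon, 1.0.0)

# The domain the daemon runs in, and the label on its executable. A process
# that init starts from a mydaemon_exec_t file transitions into mydaemon_t.
type mydaemon_t;
type mydaemon_exec_t;
init_daemon_domain(mydaemon_t, mydaemon_exec_t)

# Labels for the only files it may touch: its own config and its pid file.
type mydaemon_conf_t;
files_config_file(mydaemon_conf_t)
type mydaemon_var_run_t;
files_pid_file(mydaemon_var_run_t)

# A dedicated label for its TCP port, so it can bind that port and no other.
type mydaemon_port_t;
corenet_port(mydaemon_port_t)

# Config: read only. Not write, and not /etc in general.
read_files_pattern(mydaemon_t, mydaemon_conf_t, mydaemon_conf_t)

# Pid file under /run: create and write, with the right label applied on creation.
manage_files_pattern(mydaemon_t, mydaemon_var_run_t, mydaemon_var_run_t)
files_pid_filetrans(mydaemon_t, mydaemon_var_run_t, file)

# Network: listen on its own labelled port only.
allow mydaemon_t self:tcp_socket create_stream_socket_perms;
corenet_tcp_bind_generic_node(mydaemon_t)
allow mydaemon_t mydaemon_port_t:tcp_socket name_bind;

logging_send_syslog_msg(mydaemon_t)

# Deliberately absent: no execute on files in /tmp or home directories, no
# write to home directories, no arbitrary outbound connect. A compromised
# mydaemon_t cannot drop a binary in a world-writable directory and run it,
# and cannot append to a user's .bashrc or crontab.

## mydaemon.fc  (which paths get which labels; applied by restorecon)
/usr/sbin/mydaemon      --  gen_context(system_u:object_r:mydaemon_exec_t,s0)
/etc/mydaemon(/.*)?         gen_context(system_u:object_r:mydaemon_conf_t,s0)
/run/mydaemon(/.*)?         gen_context(system_u:object_r:mydaemon_var_run_t,s0)
```

With the policy development headers installed (on Fedora/RHEL the selinux-policy-devel package), build it with `make -f /usr/share/selinux/devel/Makefile mydaemon.pp`, load it with `semodule -i mydaemon.pp`, attach the port label with `semanage port -a -t mydaemon_port_t -p tcp 8765` (the port number is an assumption), and relabel the paths with `restorecon -Rv`. The commenter's closing caveat is the one to keep in mind: if the .fc entries are wrong, or someone starts the daemon by hand from an unlabelled copy, the process never enters mydaemon_t and none of the rules above apply to it, so `ps -eZ` should be checked to confirm the daemon is actually running in the expected domain.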
  • Re:It does harm!!!! (Score:4, Informative)

    by budgenator ( 254554 ) on Tuesday December 01, 2009 @09:06AM (#30282072) Journal

    It doesn't matter what you do now, some asshat is going to read the description of the "linux malware", reproduce it without bragging about what a l33t script kiddie he is, and you're going to take the burn for it. As for it being a linux malware

    I was fed up with the general consensus that Linux is oh-so-secure and has no malware.

    I can understand that

    a Linux system can be turned into a botnet client by simply downloading BOINC and attaching it to a user account.

    I'm not sure that having the user specifically install a software package that specifically runs downloaded programs is the same class of malware as windose user are typically plagued by anyways. This is more social engineering than a linux security hole and more of a boinc security problem than a linux problem

    The malware does not exploit any security holes, only loose security configurations and mindless execution of unverified downloads.

    So basically you're saying Linux is oh-so-secure that you have to trick users into installing your malware.

    If executed by the user, the malware can persist itself in cron, bashrc and other files.

    you may be able to install into .bashrc but it's not going to work in cron without privilege escalation or a security hole; usually only widosers mindlessly type in privileged account passwords to install software to run in limited accounts. In fact I'm calling BS on this, you don't have this malware, you just have a plausible idea for it that you've not bothered to implement.
