Ethics of Releasing Non-Malicious Linux Malware?

buchner.johannes writes "I was fed up with the general consensus that Linux is oh-so-secure and has no malware. After a week of work, I finished a package of malware for Unix/Linux. Its whole purpose is to help white-hat hackers point out that a Linux system can be turned into a botnet client by simply downloading BOINC and attaching it to a user account to help scientific projects. The malware does not exploit any security holes, only loose security configurations and mindless execution of unverified downloads. I tested it to be injected by a PHP script (even circumventing safe mode), so that the Web server runs it; I even got a proxy server that injects it into shell scripts and makefiles in tarballs on the fly, and adds onto Windows executables for execution in Wine. If executed by the user, the malware can persist itself in cron, bashrc and other files. The aim of the exercise was to provide a payload so security people can 'pwn' systems to show security holes, without doing harm (such as deleting files or disrupting normal operation). But now I am unsure of whether it is ethically OK to release this toolkit, which, by ripping out the BOINC payload and putting in something really evil, could be turned into proper Linux malware. On the one hand, the way it persists itself in autostart is really nasty, and that is not really a security hole that can be fixed. On the other hand, such a script can be written by anyone else too, and it would be useful to show people why you need SELinux on a server, and why verifying the source of downloads (checksums through trusted channels) is necessary. Technically, it is a nice piece, but should I release it? I don't want to turn the Linux desktop into Windows, hence I'm slightly leaning towards not releasing it. What does your ethics say about releasing such grayware?"
  • Commendable (Score:5, Interesting)

    by Anrego ( 830717 ) * on Monday November 30, 2009 @10:47PM (#30278620)

    .. but sounds like a lot of work to prove a relatively straightforward point.

    It's actually been my opinion that Linux in the hands of someone who doesn't know how to use it can in some situations be less secure than windows.

    My reasoning for this is that:

    1) Newbie Linux users who are having problems with their systems will pretty much run anything as any user you tell them to in a desperate hope to get Xorg working again

    2) Linux commands on their own can look very cryptic to the uninitiated.. add into that the scripting abilities of most shells.. and a new Linux user won't be able to differentiate a malicious command from one that will get their nvidia driver working again

    3) The out-of-box remote admin abilities of Linux are excellent.

    4) Standard tools like nc can easily be used to establish out-connecting remote shell sessions

    5) OR you can just get them to wget and execute your favourite piece of malware.

  • by Logic Worshipper ( 1518487 ) on Monday November 30, 2009 @10:58PM (#30278708)

    Show it to distro developers and repository maintainers, people who do security work, etc. Let them look at it and see if they can defend against it. Don't release it on unsuspecting users; publish the directions to remove it, and defend against it so no one else can do it either. Putting malware in the wild is not the way to get white hats' attention, but it is the way to get black hats' attention. The white hats are usually well behind the black hats with malware that's been released in the wild. Give this to white hats and not black hats.

    Post it as security bug against all the distros you've confirmed it works against. That'll attract the attention you want and not the attention you don't.

  • by Anonymous Coward on Monday November 30, 2009 @11:04PM (#30278728)

    Perhaps the best action is to write and release these tools:
    Tool A: It tells the user he has been compromised. It also saves copies of the files that may be altered.
    Tool B: Copies all the old files and MD5s the raw files and the zipped files. (I think that it is hard to fake both MD5s.)
    Tool C: Can replace the corrupted files with the saved copy. It may need a password: the saved copy can be encrypted with some password so that it is not easily corruptible.

    The real problem is not getting compromised - but not being able to verify that it has been compromised and being able to restore it.

    Have I missed anything? - A careful user.
      I love ./ - read by millions, written by experts
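    The baseline/verify/restore tools sketched in the post above, as an added example that is not the poster's code: it hashes the user-writable autostart files the story names (bashrc, crontab) against a saved baseline, flags anything that changed, and puts the saved copy back. SHA-256 stands in for the post's MD5, and every path and file body is constructed inside a temporary directory so it runs offline.

```python
import hashlib
import json
import os
import shutil
import tempfile

# Files under a home directory that a user-level implant edits to auto-start;
# the thread names bashrc and cron, so those make up the constructed watch list.
WATCHED = [".bashrc", ".profile", "crontab"]


def sha256_file(path):
    """Hash a file in chunks (SHA-256 stands in for the post's MD5)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_baseline(home, store):
    """Tool B: record each watched file's hash and keep a pristine copy in
    `store`, which in real use must not be writable by the watched user."""
    os.makedirs(store, exist_ok=True)
    manifest = {}
    for rel in WATCHED:
        src = os.path.join(home, rel)
        if os.path.isfile(src):
            shutil.copy2(src, os.path.join(store, rel))
            manifest[rel] = sha256_file(src)
    with open(os.path.join(store, "manifest.json"), "w") as f:
        json.dump(manifest, f)
    return manifest


def verify(home, store):
    """Tool A: return the watched files whose content no longer matches."""
    with open(os.path.join(store, "manifest.json")) as f:
        manifest = json.load(f)
    return sorted(rel for rel, digest in manifest.items()
                  if not os.path.isfile(os.path.join(home, rel))
                  or sha256_file(os.path.join(home, rel)) != digest)


def restore(home, store, rel):
    """Tool C: put the saved pristine copy back over the altered file."""
    shutil.copy2(os.path.join(store, rel), os.path.join(home, rel))


def demo():
    """Constructed scenario: baseline a throwaway home, append an unexpected
    cron entry, detect it, restore, and re-verify. Returns the three results."""
    root = tempfile.mkdtemp()
    home, store = os.path.join(root, "home"), os.path.join(root, "store")
    os.makedirs(home)
    seeds = {".bashrc": "export PATH=$HOME/bin:$PATH\n",
             ".profile": "umask 022\n",
             "crontab": "0 3 * * * /usr/local/bin/nightly-backup\n"}
    for rel, body in seeds.items():
        with open(os.path.join(home, rel), "w") as f:
            f.write(body)
    make_baseline(home, store)
    clean = verify(home, store)                      # expect []
    with open(os.path.join(home, "crontab"), "a") as f:
        f.write("@reboot /tmp/constructed-unexpected-agent\n")
    tampered = verify(home, store)                   # expect ["crontab"]
    for rel in tampered:
        restore(home, store, rel)
    return clean, tampered, verify(home, store)      # expect ([], ["crontab"], [])
```

    A real deployment keeps the store on media the watched account cannot write to, otherwise whatever altered the crontab can rewrite the manifest as well.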

  • Absolutely evil (Score:2, Interesting)

    by ohmiccurmudgeon ( 1443977 ) on Monday November 30, 2009 @11:16PM (#30278834)

    We already know how to break into systems with buffer and heap overflows. We know how to do SQL injection into not-so-smart applications. If you work at it you can break into almost anything.

    Absolutely no good purpose is served providing a toolkit that allows people to break into naively configured systems. Much of what you describe is akin to leaving the keys in your Maserati with the doors unlocked and the engine running. Please don't make things easier for joyriding teenagers.

    If a site wants to know if they're secure, within the current limits of our knowledge, they can perform their own audits, and hire their own advisers to test their systems in a controlled fashion.

    Applications, such as BOINC, have an unknown state of security review or audit. I doubt they applied the coding guidelines of CERT, or any of the Common Criteria levels. An administrator would only deploy such applications in the DMZ of their network. To call a Linux system, or Windoze system, secure means you've evaluated the risk of both the operating system and the applications on that system and decided it is good enough for you.

  • Easy. (Score:2, Interesting)

    by nhytefall ( 1415959 ) on Monday November 30, 2009 @11:26PM (#30278918) Journal
    Since, despite the popular belief, the idea of a grey/black/white hacker being distinct solely because of intent is, at best, a falsity, the idea that one could release something with the potential of being as destructive as TFS claims is a no-brainer.

    The answer is no. Under no circumstances should the package be released.

    Because, to release the code is no different than saying "I only illegally accessed your systems, Mr. FBI, to show you how it could be done. I am an honest little boy/girl".
  • Re:Commendable (Score:5, Interesting)

    by Orion Blastar ( 457579 ) <`orionblastar' `at' `gmail.com'> on Monday November 30, 2009 @11:26PM (#30278920) Homepage Journal

    Yeah but Windows suffers the same thing, when Windows goes wonky people will ask over the Internet for random strangers to fix it.

    "Here download this program, run it, ignore any warnings, choose 'allow' for every UAC prompt, and then it will give me remote control of your system so I can 'fix' it for you."

    My son's system got hacked that way when his older cousin came over and the game he was playing did an update and his character was hovering instead of walking. Instead of asking me to fix it (it was an Nvidia driver issue) he got some random stranger from Ohio. I was busy in the other room with my wife and monitoring another cousin who came over on a different system. I had to remove the remote control trojan and rootkit, and then fixed the driver issue, after learning that he let some stranger into my son's system and pwned it. Lucky there was no bank account or other info, as my son is too young for that. Lucky I was able to find the malware and remove it. Just to be safe I even reformatted the system. It only took 15 minutes for that to happen, while I was busy on something else, and my wife isn't tech savvy enough to know what the kids are doing on the computers. Watch one nephew, and the other nephew is doing something he shouldn't be doing. My brother had to disable their computers at his house because of stuff like that; he even tried Linux, and they managed to get Linux infected the way you described. So my brother zero formatted the hard drives and then took out the RAM, until they grow up and show enough responsibility to have working systems again.

    Teenagers, sheesh, looking for the quick fix, but adults are just as dumb and fall for the same thing, as there are so many helpful strangers on the Internet willing to help/hack the system for them.

  • by buchner.johannes ( 1139593 ) on Monday November 30, 2009 @11:28PM (#30278928) Homepage Journal

    The thing is, it is not a security bug that you can fix, more an 'I-am-here' code. You would have to find an exploit first, then apply this code onto it.

    For example:

    You can get a PHP file onto the webserver, and it allows exec() --> you use this payload to show you got here.
    User downloads and runs a file without checking if it is authentic --> you use this payload to show you got here.
    You found an exploit in Firefox --> you piggyback and run this payload to show you got here.

    It is a way of more efficiently showing the reach of this exploit, and could become the default way of showing the effectiveness.

    There is nothing for programmers, packagers or distros to do. Only Linux admins/users can secure their systems.
    Some exploits that require users (launcher icons) are documented already ... elsewhere.

  • by melikamp ( 631205 ) on Monday November 30, 2009 @11:29PM (#30278934) Homepage Journal

    Its whole purpose is to help white-hat hackers point out that a Linux system can be turned into a botnet client

    It would be nice to see the code. As it stands, I am surprised that this "news" made it this far, with no links of any kind.

    No one credible claims that malware is impossible in GNU/Linux or *BSD. In fact, since UNIX is a much more robust networking OS, maintaining a botnet should be helluva lot easier than on Windows. What we have with a free OS, though, is something that proprietary OS users will never have: a complete and total control over our security policy and every other aspect of our software environment. When and if a vector is identified, our security policy will promptly change to nip it in the bud.

    A Speculative Example

    Lately I've been thinking about one major vector: the human-assisted privilege escalation. Take the latest Ubuntu and imagine a piece of software which runs with user privileges and does the following: it tricks the user into thinking that it is the automatic updater. Lacking in both expertise and time, I am not going to do a proof of concept, but how hard can it be? You just need to draw a window named "Update Manager" using the standard Gnome API, list a few bogus updates anyone would find legit, with version number irrelevant to their day-to-day life (e.g. binutils), wait for the user to click [Install Updates], and then "gksu pwn_you.sh". The user will enter the password, and your work is done. Then, of course, you still need to draw some progress bars to lull the user into believing that an update is going on, but that's all just an icing on the cake.

    If anyone can see why this won't work, I would like to hear it.

    Looks scary, right? Wrong. Because the solution is as simple as changing the default policy. Make it so that the default behavior is to notify only. On every system update the user should be told: "Go start the updater via the system menu. By the way, if you EVER see an "updater" you didn't start yourself, you are being pwned." Make sure that the system menu is strictly read-only, and even the dimmest user will be safe.

    This won't be implemented in Windows. Why? I really cannot guess why Microsoft's security policy seems to be designed from ground up to fuck the user, but it is. The usual excuse seems to be: "it's easy to use". But whatever is the reason, you just cannot make a proprietary platform secure because you cannot pop the hood open. With a free OS, you can.

  • by hallux.sinister ( 1633067 ) on Monday November 30, 2009 @11:34PM (#30278970)
    SERIOUSLY!!! Putting it in the wild will HURT the Linux community, in many, many ways. Sending it to people who are close to the design of the OS, who may be able to do something about it will HELP the community. As for your ethics question, let me answer it with a question: When you leave your house for work, school, the grocer, etc., do you wear full body armor, and carry a gun? How would you feel if someone got tired of his country-men, (including you,) feeling so complacent and secure that you will walk blithely down the street without full body armor, a gas-mask, guns and ammo, that he decides to "show you all the error of your ways" by randomly sniping/gassing/tossing-grenades-at you, your family, and your friends? Wouldn't like it much, would you?

    What you are contemplating doing is roughly, the digital-electronic equivalent of supplying criminals with maps of wealthy communities, marked with what areas are and are not guarded, where valuables are kept, etc. Don't think that simply because you didn't write a truly malicious payload, that by letting others use a tool you can and should reasonably know will be used for evil purposes you don't share in the culpability, ethically if not legally, even if you don't pull the trigger yourself. ~Hal

  • Re:Malware? (Score:3, Interesting)

    by Thinboy00 ( 1190815 ) <[thinboy00] [at] [gmail.com]> on Tuesday December 01, 2009 @12:18AM (#30279242) Journal

    Then comment your code to that effect.

  • by AmberBlackCat ( 829689 ) on Tuesday December 01, 2009 @01:16AM (#30279598)
    Better yet, claim it's an mp3/mp4 encoder for Linux with editing capabilities (or any other software sorely missing on Linux) and post it online. I'd bet half of the people who mock Windows users for downloading and installing untrusted software would download this, type in their root password, and let it install.
  • Re:Commendable (Score:3, Interesting)

    by techno-vampire ( 666512 ) on Tuesday December 01, 2009 @01:39AM (#30279762) Homepage
    Linux commands on their own can look very cryptic to the uninitiated.

    My sister uses Ubuntu, and I'm her tech support. Sometimes I need distro-specific advice (I use Fedora) and ask on ubuntuforums.org. I've glanced at some of the forum rules, both there and at the Fedora forum I use for my own system, and they both specifically forbid suggesting certain commands as "solutions" to problems, even as a joke, because they're so destructive.

  • Re:It does harm!!!! (Score:3, Interesting)

    by kdemetter ( 965669 ) on Tuesday December 01, 2009 @02:08AM (#30279914)

    It could do more damage :

    BOINC is built on voluntary use, meaning a group of people who voluntarily join, making their tiny CPU cycles contribute to a greater goal.
    This malware would force someone to join, which is a bit like forcing someone to do charity work: it's commendable, but only if you really want to do it, otherwise it's abuse.

    If you had BOINC mysteriously appear on your PC, I'm sure you would remove it, and many who would have met BOINC in better circumstances would now never install it anymore.

  • by Mista2 ( 1093071 ) on Tuesday December 01, 2009 @03:44AM (#30280290)

    Release it as open source, then it can be improved to make it the leanest, fastest and most efficient hacking toolkit, while simultaneously all security and kernel devs can try to patch the exploited holes, but in the end, I assume that to be owned the user must install the malware first, and that comes down to the human operator. There are still no patches to fix careless administration.

  • by profplump ( 309017 ) <zach-slashjunk@kotlarek.com> on Tuesday December 01, 2009 @04:01AM (#30280406)

    It isn't really that difficult unless you are actually using one of the millions of bits of really bad, Windows-only software that are the reason many businesses use Windows in the first place.

    I've got a client that has one app that requires Administrator rights to even run, another that requires a logged-in session on the server (or whatever workstation is running as the server) 24/7 to allow access, and a third that will only save user data to the Program Files folder. And these are considered to be some of the best apps available in this industry, at least for less than $250k.

    What exactly would you do to secure those sort of apps into a "sensible implementation" that allows me to limit write access to the home folder?

  • by Scotch42 ( 1120577 ) on Tuesday December 01, 2009 @04:51AM (#30280640) Homepage

    Why should a (web)server be allowed to issue any request? It should be configured to answer queries only, no? iptables is great and easy to set up for that task. Even for software updates, one may push the needed package to the target server in place of the usual pull from the target, so no exceptions are needed on the firewall.

    For desktops it's a little bit more complicated... but using a home partition mounted with noexec should suffice. Installing new software is not a casual issue but a real event and should be taken care of by someone who knows what he's doing. That's why root was invented, isn't it?

  • by What the Frag ( 951841 ) on Tuesday December 01, 2009 @06:05AM (#30281106) Journal

    My Linux systems get a lot of attacks every day. SSH, FTP and HTTP attacks are the most common.

    With HTTP attacks, most try to get a page like /phpmyadmin or some other (most of the time PHP) application which seems to have severe security issues. There are many insecure web applications out there that are not patched or pretty much broken by design.

    I bet the security hole you're exploiting is already used in the wild. If that's so, who cares if another kid takes your code and turns it into real malware?
    I personally believe it's more beneficial to release your code as a "penetration test" and help some admins check their servers for potential security holes than to do nothing in fear of a few kids.

  • by DoMore ( 1673086 ) on Tuesday December 01, 2009 @06:20AM (#30281210) Homepage
    If you created this code in hopes of making things better, first of all, talk to developers if you have good ideas about how to eliminate such possible threats, or write articles and talk to regular people about good computer practice and computer security, thus educating them. Those who do understand computer security already know it is possible to hack any system and they do not need any kind of demonstration. It has always been possible to hack a system, whether it is Windows, Mac or Linux... just wait for a bug and that's it, you will have your chance of hacking. And to release it just to show some regular people that it is possible to hack stuff in Linux too is useless, pointless and even harmful in the long term. Regular people do not understand, do not want to understand and will never understand computer security. So if you want to make things worse, go, release the code and start to screw up the Linux system.
  • by Bozovision ( 107228 ) on Tuesday December 01, 2009 @07:32AM (#30281542) Homepage

    Mail it to Linus, Alan Cox and the maintainers of the subsystems which it abuses. Include clear notes of how it works, and what can be done to protect the systems. If you can't trust these people with it, then you should not trust Linux with your data at all. Even better, since you understand the tricks it uses, write some patches if you can, and submit them together with your proof of exploit.

    On a personal note - I also want to say thank you for doing this work. I use Linux both on servers, and as my normal desktop, and I'm immensely pleased that people are looking at making it safer: thank you.

  • by gfolkert ( 41005 ) <greg@gregfolkert.net> on Tuesday December 01, 2009 @02:46PM (#30286574) Homepage

    I'm sorry, but running userland "daemons" is child's play. This has been around for EONs. Please don't think you have something new here.

    Your problem here is that your idea will only affect the *USER* environment, not the machine. Anything you run or install into the user environment will be bound by the standard user accounts everyone should be running as, without privileges (such as root/super user).

    This separates the privileges of the user and the system quite well and delineates them.

    Let's compare Windows and *NIX (in general):

    Windows: I can send you an e-mail and your standard user just looks at my e-mail and via ActiveX can leverage a 10 year old exploit to install a service as a *SYSTEM ACCOUNT*. This means my process then has full access to the system... possibly being able to wipe out the machine, period, or use it as a launching pad to send out e-mails to other accounts on the system or any account in any address book, or just grab your passwords (probably being abcd1234 or password or what have you (think Sarah Palin's Yahoo account... wooo really good password there)) for your bank account. It's very much *THAT* simple, no stupidity involved.

    Now, if for some reason ActiveX is disabled, I can just tell you how important the Microsoft update is and it needs to be run... and how you *MUST* forward it to your friends so they can be safe... Sheeple are gullible and will never be safe from this stupidity.

    Now speaking of stupidity, it's really the only way Linux/*NIX/*BSDs will be compromised... even then most likely only the *user's* data will be flogged, not the whole system. Now, let us just say *I* download and run your program/update/shell/python script/perl script/etc... Sure it downloads and installs the BOINC daemon and runs in the background... to be honest, who cares. Any program you run or have running to capture data from the user will only affect the *USER*, not the whole system. Separation of privileges is pure and simple why the *NIX systems will not seriously fall prey to these kinds of things. And to be honest, unless you install a persistent AT job for the BOINC daemon to start, or at the very least a cronjob that runs every minute... a reboot will kill your pitiful attempt.

  • by thelonious ( 233200 ) on Tuesday December 01, 2009 @06:53PM (#30290318) Homepage Journal

    Doesn't that just make it 'ware'?
