Forgot your password?
Security Linux

Ethics of Releasing Non-Malicious Linux Malware? 600

Posted by kdawson
from the what-would-schneier-do dept.
buchner.johannes writes "I was fed up with the general consensus that Linux is oh-so-secure and has no malware. After a week of work, I finished a package of malware for Unix/Linux. Its whole purpose is to help white-hat hackers point out that a Linux system can be turned into a botnet client by simply downloading BOINC and attaching it to a user account to help scientific projects. The malware does not exploit any security holes, only loose security configurations and mindless execution of unverified downloads. I tested it to be injected by a PHP script (even circumventing safe mode), so that the Web server runs it; I even got a proxy server that injects it into shell scripts and makefiles in tarballs on the fly, and adds onto Windows executables for execution in Wine. If executed by the user, the malware can persist itself in cron, bashrc and other files. The aim of the exercise was to provide a payload so security people can 'pwn' systems to show security holes, without doing harm (such as deleting files or disrupting normal operation). But now I am unsure of whether it is ethically OK to release this toolkit, which, by ripping out the BOINC payload and putting in something really evil, could be turned into proper Linux malware. On the one hand, the way it persists itself in autostart is really nasty, and that is not really a security hole that can be fixed. On the other hand, such a script can be written by anyone else too, and it would be useful to show people why you need SELinux on a server, and why verifying the source of downloads (checksums through trusted channels) is necessary. Technically, it is a nice piece, but should I release it? I don't want to turn the Linux desktop into Windows, hence I'm slightly leaning towards not releasing it. What does your ethics say about releasing such grayware?"
This discussion has been archived. No new comments can be posted.

Ethics of Releasing Non-Malicious Linux Malware?

Comments Filter:
  • by Jeff321 (695543) * on Monday November 30, 2009 @10:40PM (#30278562)

    There were two options:
    1. Release it anonymously and take no credit
    2. Write about it and get some credit (but then you can't actually release it due to legal issues)

    You can't (and won't) release it now. If somebody gets attacked with your code, guess who they're going to prosecute and/or sue.

    • by TheKidWho (705796) on Monday November 30, 2009 @10:42PM (#30278574)

      Yes, especially when he includes his full name in TFS, unless of course this Johannes Buchner is his arch nemesis whom he is trying to frame.

    • Ethics (Score:2, Funny)

      by Anonymous Coward
      Just releasing linux is an ethical problem. Hell, I can't even print anything since last saturday.
    • by sopssa (1498795) * <> on Monday November 30, 2009 @10:45PM (#30278596) Journal

      The summary says it doesn't actually do anything malicious and it isn't a worm. There is no legal reason why he couldn't release the code and/or a paper about it.

      The thing is, it's stupid for people to keep thinking their systems are insanely secure. Linux users fall for this all the time, because they've heard so from lots of other Linux users. It's better to show people that it is actually possible, and maybe it leads to better secured systems too.

      • by jedidiah (1196) on Monday November 30, 2009 @11:14PM (#30278820) Homepage

        OMG! The sky is falling! The sky is falling!

        You can get victimized by something that you HAVE TO CHOOSE TO RUN MANUALLY!

        Nevermind Trojans. A buggy apps could destroy all of my data and it doesn't even need an author with a cheesy villan laugh.

        This doesn't prove anything except that Windows losers desperately want some shadenfruede.

        • Re: (Score:3, Insightful)

          by westlake (615356)

          You can get victimized by something that you HAVE TO CHOOSE TO RUN MANUALLY!

          Of course you can.

          The simplest and most productive line of attack on any OS will always be to play on the weaknesses of the user and not the tech.

        • by Max Littlemore (1001285) on Tuesday December 01, 2009 @01:29AM (#30279680)

          You can get victimized by something that you HAVE TO CHOOSE TO RUN MANUALLY!

          It's not that simple. A lot of ill informed users do little things to get stuff working in Ubuntu based on reading it somewhere on a blog or a forum. I've seen suggestions for network configs that leave a lot to be desired - basically creating anonymous login ftp to the users home directory with write access. And these things are tempting if you want, for example, your phone to connect to your PC over wifi and you don't generally consider security.

          A little script or carefully constructed script or package that calls gksudo to get permission to hide the real gksudo behind an alias and captures the password could be attractive if it provides a "simple way to sync your smart phone with the ubuntu desktop - even supporting the iphone". We haven't seen one in the wild yet, AFAIK, but that would be pretty successful. I even think that the model for distributing the iPhone thing that went around would work pretty well given some of the advice out there especially if you read the "fix" and don't read the comment buried halfway down the page with a warning in it.

          That's the trouble with the Linux ostrich based security model. It's just like the Windows security model. It relies completely on users having the understanding to set their systems up and maintain them securely and unfortunately the temptation to do quick and dirty tricks is very high in the desktop linux world.

          In fairness, a default install of Ubuntu is more secure than Windows XP and Vista (not sure about win7) but the volume of quick and dirty fixes and the signal to noise on Ubuntu is such that they are really about even. As always, a classic PEBCAK.

      • Re: (Score:3, Insightful)

        by Anonymous Coward

        People forget, security is a process not a status. Your security process must continuously evolve to meat the always changing threats. Even if there is a major security flaw he found, it is no reason to panic as you should already have a process in place to respond to new threats. This is why I'm employed.........

        • Re: (Score:3, Funny)

          by unitron (5733)

          Your security process must continuously evolve to meat...

          We'll be having none of your sissy vegetable security processes here, my lad.

      • by silentcoder (1241496) on Tuesday December 01, 2009 @03:29AM (#30280222) Homepage

        There is one crucial difference that really does make linux MUCH more secure, and oddly, it's the one thing nobody mentions when discussing it.

        Linux users (hardly ever) download and install software from the internet. We download and install packages from repositories.

        A huge amount of Linux security comes from the fact that we've taken the task of identifying malware from the real thing, and given it to trained professionals rather than Joe Sixpack. The average user simply cannot tell the difference between a useful piece of freeware and a bugridden-malware-spreading piece of add-ware.

        The people who populate distribution repositories generally can. Then we add other layers on top - like using digital signatures so the client machine can be sure the package you asked it to fetch is in fact the package that got downloaded (thus protecting against somebody replacing a package with a malware program in the same filename on a mirror site) etc. etc.

        That grounds up linux is probably a more secure design than windows I don't doubt, I also know that it's far from being anything like as secure a design as we imagine- especially as it moves into the desktop realm. But - and this is a big but, since the easiest way to install anything on linux remains using your distro's provided tools to install from your distro's repositories (for the ubuntu crowd... I mean "using synaptic") - the risk of malware infection is kept remarkably low - not because linux is so secure, but because infecting the repo's will be very hard indeed and the software in those repos are checked by people who are *trained* in computers.

        • Re: (Score:3, Insightful)

          by gbjbaanb (229885)

          Whilst that's true, you're forgetting the large amount of 'howto configure xyz' blogs, forums and other sites providing information. Many users don't know how or why the steps they're given work, they just know to follow them blindly. As a result, you can get someone to open their system to you if you were malicious.

          So whilst its still not as easy to pwn a linux box, it is still very possible. As the number of users ignorant in system administration increases, this is the attack vector that will become more

          • by silentcoder (1241496) on Tuesday December 01, 2009 @06:25AM (#30281234) Homepage

            I agree - this is going to become a problem. It never used to be, howtos were reliable documentation because we were a small community and the people reading them would have at least a basic understanding of what you're doing - howtos were there to get details.

            Nowadays... this is going to become an issue. The answer is probably to use the same approach we took with repo's. Make the proper distro forums clearly and prominently available to the user so he finds them first, rather than googling. Lead them to the sources of information that the good guys control, and hope to answer them there with sufficient frequency that there is no point in looking at random blogposts.

            I doubt that's a comprehensive answer, but it would at least mitigate things. The other is to ensure that the social aspect of FOSS comes with the disk I guess, when you hand out that ubuntu disk - make sure you hand out details on your local LUG. Get the newbs involved in the community around them, make sure that the person they ask first is somebody they can (probably) trust.

            It's all things we can mitigate but I agree, it won't remove the problem, it can - at best- keep the potential targets few enough to reduce the attractiveness of this vector (and I don't think we're nearly good enough at this stage to even do that, I just think we could become so).
            Basically - the problem you point out is a social one, social problems require social solutions - and those are never 100%.

    • Seriously, what is it with people not knowing right from wrong, or accepting responsibility for their own decisions? You're the one who has to sleep with whatever decision you make - why try to foist the blame on someone else if you decide wrong?

      That's like one guy who said "My best friends' girlfriend wants to sleep with me - should I do it so I can show him what a sl*t she is?" If you're asking, it's because you want to do it and be able to say "don't blame me - everyone said it was okay !"

      BTW - Good luck with whatever you decide, but a lot of us have been in the position of being able to do a lot worse, or been offered $$$ to do a lot worse, and you should be thankful we didn't have to get the group-think thing going before refusing.

      • by interkin3tic (1469267) on Monday November 30, 2009 @11:13PM (#30278800)

        That's like one guy who said "My best friends' girlfriend wants to sleep with me - should I do it so I can show him what a sl*t she is?"

        Of course, why actually sleep with her when you can just brag about her offer on slashdot!

      • Re: (Score:3, Insightful)

        Well, in general, if you petition a large number of others for advice on a decision you're not sure of, you'll probably be less likely to do something stupid. After all, the general public has a low but well-known level of intelligence, and as an individual you may be stupider than that yourself.
      • Yeah, really! Ethics is easy!

        Will releasing it make you money? No? Then don't do it.

        See how easy that was?

        • Re: (Score:3, Funny)

          by PachmanP (881352)

          Yeah, really! Ethics is easy!

          Will releasing it make you money? No? Then don't do it.

          See how easy that was?

          No, no, no. Ethics cannot be based on money because money is only a means to an end not an end in itself. We must fall back on the ethical basis nature gives us as anything else is artificial.

          Will it get you laid?
          Will it enhance the ability of your children to get laid?

          If yes, then you are morally obligated to do it.

    • Re: (Score:3, Interesting)

      by Mista2 (1093071)

      Relaease it as open source, then it can be improved o make it the leanest, fastest and most efficient hacking toolkit, while simultaneously all security and kernel devs can try to patch the exploited holes, but in the end, I assume that to be owned the user must install the malware first, and that comes down to the human operator. There are still no patches to fix careless administration.

  • by ChipMonk (711367) on Monday November 30, 2009 @10:46PM (#30278614) Journal
    Contact someone at SANS, or Bruce Schneier, or some such. Maybe even someone on the SELinux project; if this non-malicious malware is indeed as capable without SELinux as you claim, and SELinux mitigates/eliminates the danger, this could be good PR for them.
    • by Anonymous Coward on Monday November 30, 2009 @11:10PM (#30278776)

      Should people run SELinux? Prolly not, it's a pain the ass for Joe user. It's hard enough for admins who know what they're doing (anyone who's had an SELinux error and not checked the right log knows what I'm talking about.) Distros need to play nice with SELinux or provide a better alternative for Joe user.

      Should Sysadmins run SELinux? If you've got sensitive data on it, damn straight--you need that kind of protection along with the service removal and permissions hardening you do to Linux machines you really want to keep "safe." If you don't and it's not even a production server, why bother with anything beyond Permissive (or perhaps just Targetted services.)


      FYI If you find yourself responding in any way that involves a CLI my grandma is going to get annoyed, call me, and ask how to deal with it and I'm going to need a new solution.

    • Re: (Score:2, Interesting)

      The thing is, it is not a security bug that you can fix, more a 'I-am-here'-code. You would have to find a exploit first, then apply this code onto it.

      For example:

      You can get a PHP file onto the webserver, and it allows exec() --> you use this payload to show you got here.
      User downloads and runs a file without checking if it is authentic --> you use this payload to show you got here.
      You found a exploit in Firefox --> you piggyback and run this payload to show you got here.

      It is a way of more effici

    • by dissy (172727) on Tuesday December 01, 2009 @12:12AM (#30279204)

      Or heck, this is *Linux* we are talking about here.

      Release it, and they will patch.

      Give it to Theo Raadt of OpenBSD fame. In a week all of the attack vectors will be well defined, and source code fixes being pushed downstream.
      For BSD admittedly, but once the vectors are well defined, the Linux guys are more than able to 'translate' and make the same fixes.

      That can only be a good thing.

      It isn't like you need to worry about the company suing you for pointing out a security problem in their product when you tell them!

      Besides, no matter how well behaved malware system you write, no matter what possible evils your imagination has come up with that it could be twisted into, the script kiddies out there already have much much better tools than that.

      Just release it, sitting on it only gives the black hats more time to use the same exact security flaws for evil.

    • by Valdrax (32670) on Tuesday December 01, 2009 @12:41AM (#30279382)

      You might also really want to talk to a lawyer who knows the Computer Fraud and Abuse Act. [] At a minimum, you may need to worry about 18 USC 1030(a)(5). Pay attention to the definition of "damage" and "loss" in 18 USC 1030(e)(8),(11).

  • Commendable (Score:5, Interesting)

    by Anrego (830717) * on Monday November 30, 2009 @10:47PM (#30278620)

    .. but sounds like a lot of work to prove a relatively straight foward point.

    It's actually been my opinion that Linux in the hands of someone who doesn't know how to use it can in some situations be less secure than windows.

    My reasoning for this is that:

    1) Newbie Linux users who are having problems with their systems will rpetty much run anything as any user you tell them to in a desperate hope to get Xorg working again

    2) Linux commands on their own can look very cryptic to the uninitiated.. add into that the scripting abilities of most shells.. and a new Linux user won't be able to differentiate a malicious command from one that will get their nvidia driver working again

    3) The out-of-box remote admin abilities of Linux are excellent.

    4) Standard tools like nc can easily be used to establish out-connecting remote shell sessions

    5) OR you can just get them to wget and execute your favourite piece of malware.

    • Re:Commendable (Score:5, Interesting)

      by Orion Blastar (457579) <orionblastar@gm[ ].com ['ail' in gap]> on Monday November 30, 2009 @11:26PM (#30278920) Homepage Journal

      Yeah but Windows suffers the same thing, when Windows goes wonky people will ask over the Internet for random strangers to fix it.

      "Here download this program, run it, ignore any warnings, choose 'allow' for every UAC prompt, and then it will give me remote control of your system so I can 'fix' it for you."

      My son's system got hacked that way when his older cousin came over and the game he was playing did an update and his character was hovering instead of walking. Instead of asking me to fix it (it was a Nividia driver issue) he got some random stranger from Ohio. I was busy in the other room with my wife and monitoring another cousin who came over on a different system. I had to remove the remote control trojan, and rootkit, and then fixed the driver issue, after learning that he let some stranger into my son's system and pwned it. Lucky there was no bank account or other info, as my son is too young for that. Lucky I was able to find the malware and remove it. Just to be safe I even reformatted the system. It only took 15 minutes for that to happen, while I was busy on something else, and my wife isn't tech savvy enough to know what the kids are doing on the computers. Watch one nephew, and the other nephew is doing something he shouldn't be doing. My brother had to disable their computers at his house because of stuff like that, he even tried Linux, and they managed to get Linux infected that way you described. So my brother zero formatted the hard drives and then took out the RAM, until they grow up and show enough responsibility to have working systems again.

      Teenagers, seesh, looking for the quick fix, but adults are just as dumb and fall for the same thing as there are so many helpful strangers on the Internet willing to help/hack the system for them.

      • Re: (Score:3, Insightful)

        by Mista2 (1093071)

        Don't give newbies root 8)
        My kids happy play on my Mac as the prental control on that is friggin awesome - limit the UI, list only allowed apps, limit logon times and total hours per day. Their own first computers are going to be used Macs. They can run windows in a non persistant VM if they really need something in Win32, and the Xbox and Wii will be fine for games. Once they are browsing by thems selves, then I will also install Squid proxy on something to track their access. Have a secured location or vm

    • Re: (Score:3, Informative)

      by cbiltcliffe (186293)

      That doesn't make Linux less secure than Windows. That makes the user just as insecure as the same uneducated fool running Windows.

      1) Newbie Windows users who are having problems with their systems will pretty much click on anything as any user you tell them to in a desparate hope to get IE working again.

      2) Windows settings dialogs on their own can look very cryptic to the uninitiated. Add into that the scripting abilities of cmd.exe... HAHAHA ...ok.. I can't complete that thought without falling out of m

    • Re: (Score:3, Interesting)

      Linux commands on their own can look very cryptic to the uninitiated.

      My sister uses Ubuntu, and I'm her tech support. Sometimes, I need distro-specific advice (I use Fedora.) and ask on I've glanced at some of the forum rules, both there and at the Fedora fourm I use for my own system and they both specifically forbids suggesting certain commands as "solutions" to problems, even as a joke, because they're so destructive.

  • by topham (32406) on Monday November 30, 2009 @10:48PM (#30278624) Homepage

    Malware can exist for any platform.
    However, real actual malware in the wild requires an eco-system to support it. Providing you can compromise a machine proves nothing. Proving that an ecosystem can actually exist on Linux machines would require completely releasing it into the wild, and subjecting innocent people to it.

    I don't know about you, but I know where that falls when it comes to ethics and it ain't on the right side of it.

  • Wasn't SELinux implicated in part of making the mmap_min_addr root exploit even worse a few months ago? In fact, for one of them, I'm pretty sure that it was the cause of it. Just sayin'.
    • by eparis (1289526) on Monday November 30, 2009 @10:58PM (#30278706)
      SELinux was not the cause of any of the recent kernel exploits making use of NULL pointer dereference. For this class of bugs SELinux systems were stronger than non-SELinux systems when the attack was coming from a network facing daemon, but were weaker for logged in authenticated users. So for the purposes of this discussion (logged in users clicking things they shouldn't) Yes, older SELinux systems might be weaker than non-selinux systems. But SELinux was never the actual problem, just made the real problems harder or easier to exploit (in current kernels SELinux is believed to be stronger against both classes of attacks for these types of bugs)
    • by WuphonsReach (684551) on Tuesday December 01, 2009 @02:49AM (#30280060)
      SELinux, in a lot of cases, is basically file system permissions on steroids. Daemons run inside a domain, files and ports get labeled with SELinux labels. Then you define what and how the domain is allowed to touch. (And it's more fine grained then just "read / write".)

      Sorta like how you define what a user is allowed to touch on the file system by assigning group membership and file permissions.

      If the SELinux policies are very tight and the service is well behaved and you can easily define the allowed actions, things work well. It just gets trickier when daemons are not well defined and tend to talk to random ports and touch random files. Just like coming up with a reasonable set of permissions and group membership for a user that allows them to get their job done without constantly pestering you, it can be a bit of an art form to define SELinux policies.

      (There's probably more to it then describing it as file permissions on steroids, but it gets the general idea across. The system is only as secure as the labeling and policies.)
  • by Anonymous Coward

    "My other computer is your Linux box"

    Everyone who is paying attention knows there are plenty of hacking tools, bots, worms, and virus-like tools for Linux systems already. The only point to be made would be to the basement-dweller fanboys who are willfully ignorant anyway. So go ahead and release it, but don't expect anyone to applaud you for it.

  • by Anonymous Coward on Monday November 30, 2009 @10:50PM (#30278654)

    Why not treat this code like you would any other proof of concept of a security exploit? if the goal to to prove that security vulnerabilities exist and should be fixed then show this code to whomever it will help actually fix those holes but try not to release it to the public at large while it still represents a real threat. Show it to package and distribution maintainers and make recommendations on how they can improve their security configurations to prevent it from running but don't release it as a build your own rootkit tool if it has served its purpose and people are making a serious effort to address the issues it highlights.

  • by _Sprocket_ (42527) on Monday November 30, 2009 @10:55PM (#30278682)

    This question is posed as if this is new ground. As if this hasn't been done before - without questions of morality and with distinctly less noble intent. All this worry about inserting a malicious payload is wasted. The script kiddies already have better options at their disposal.

    • by HisMother (413313)
      That's my reaction, too; I appreciate the concern, but I think your opinion of your own uniqueness might be a tad overblown.
  • by Logic Worshipper (1518487) on Monday November 30, 2009 @10:58PM (#30278708)

    Show it to distro developers and repository maintainers, people who do security work, etc. Let them look at it and see if they can defend against it. Don't release it on unsuspecting users, publish the directions to remove it, and defend against it so no one else can do it either. Putting malware in the wild is not the way to get white-hats attention, but it is the way to get black hat's attention. The white hats are usually well behind the black hats with malware that's been released in the wild. Give this to white hats and not black hats.

    Post it as security bug against all the distros you've confirmed it works against. That'll attract the attention you want and not the attention you don't.

    • Show it to distro developers and repository maintainers, people who do security work, etc.

      Probably a good idea.
      I would e-mail it to the security teams for Debian, Ubuntu, Red Hat, etc... and tell them they have 6 months to play around/fix the issues and then they code is coming out.

      Nothing would help/motivate open source security like an open source trojan.

      ...hmm...that's actually not a bad idea. An open source virus. Virus writers can try new and interesting things, and security people can download, run, and figure out how to patch against them. It's like a battle of wits without a Sic

      • The thing is, it is not a security bug that you can fix, more a 'I-am-here'-code. You would have to find a exploit first, then apply this code onto it.

        For example:

        You can get a PHP file onto the webserver, and it allows exec() --> you use this payload to show you got here.
        User downloads and runs a file without checking if it is authentic --> you use this payload to show you got here.
        You found a exploit in Firefox --> you piggyback and run this payload to show you got here.

        It is a way of more effici

  • Dear Slashdot (Score:5, Insightful)

    by Daniel Dvorkin (106857) * on Monday November 30, 2009 @11:04PM (#30278730) Homepage Journal

    I'm fed up with the general consensus that people are able to walk around outside without being punched in the face. After all, anyone can be punched in the face at any time, so I've been thinking about going up to random people on the street and punching them in the face. People need to learn to take reasonable steps to protect themselves from being punched in the face, such as wearing full-face motorcycle helmets at all times, and how are they going to learn that if I don't show them? But now I'm having second thoughts about whether or not it would be ethical to go around randomly punching people in the face. Does anyone have any advice?

    • by Orion Blastar (457579) <orionblastar@gm[ ].com ['ail' in gap]> on Monday November 30, 2009 @11:11PM (#30278786) Homepage Journal

      Yeah but if you punch me in the face, expect me to use Akidio on you and throw you into the nearest wall and use your attack against you. Ordinary people will get punched in the face, but we martial arts students will know what to do if someone is trying to punch us in the face. Grab your wrist, spin around, and throw you into a wall. I studied several forms of martial arts, and I could do a simple block, or just grab your fist and crush it with my hand thus breaking your bones in your hand, or dodge and do a hammer fist on your chest and crack some ribs.

      Did I mention I am a pirate ninja? :)

    • by geckipede (1261408) on Monday November 30, 2009 @11:22PM (#30278900)
      The day that somebody starts releasing automated face punching machines into the streets, I certainly will be among the first to buy a helmet.
    • Re: (Score:3, Informative)

      An excellent analogy. Both insightful and funny. I like it.

      However: This does not do any harm, neither physically nor virtually. In your analogy, it would be releasing the technique of touching someones nose, so everyone can do it. Everyone can alter it to a punch in the face, and they can apply it. I guess it boils down to 'The Physicists - Friedrich Dürrenmatt': Is a developer responsible for the users that apply the product, or is each user responsible himself for how they apply? With the A-bomb and

    • Re:Dear Slashdot (Score:4, Insightful)

      by slyn (1111419) <> on Tuesday December 01, 2009 @12:03AM (#30279146)

      People do NOT walk around the world indiscriminately. They avoid bad neighborhoods, treat suspicious people like aliens, profile people in any way possible, and then react. Take a white male and walk them around times square, then a full body tattooed, gauged ear, sub-dermal implanted carnival exhibit and walk them through the same area and watch the difference in how people react. They may be the nicest person in the world but the women will still hug their purses and the men will lower their heads. Ever heard "Don't look at anybody on the subway/bus/EL/whatever"? It's because people acknowledge that there are mouthbreathing retards that will fuck you up because you looked at them funny or because they like your briefcase.

      People DO interact with the internet indiscriminately. Most can't tell a good site from a bad site, don't know the difference between a "funnycats.avi" and "funnycats.avi.exe", blah blah blah blah blah. Chances are if you are reading this you have fixed someone's computer because of this haphazard e-disregard, so I don't need to tell you that most people just don't get safe browsing practices.

      This guys issue is that there is a select, very vocal group of people who think they are safe on the net but aren't, so he wrote a proof-of-concept to show them that it doesn't matter what platform you are on, there is no replacement for safe browsing practices (and not using default passwords, and and and and and...).

    • Re:Dear Slashdot (Score:4, Insightful)

      by Josh Coalson (538042) on Tuesday December 01, 2009 @01:27AM (#30279666) Homepage
      bad analogies are like waxing a monkey with a rainbow.
  • release it (Score:4, Insightful)

    by codepunk (167897) on Monday November 30, 2009 @11:07PM (#30278752)

    Any programmer worth a grain of salt could write the same thing at the drop of a hat. I don't
    understand where it would be all that interesting.

  • by rudy_wayne (414635) on Monday November 30, 2009 @11:07PM (#30278756)

    the way it persists itself in autostart is really nasty,

    Which simply shows that the lack of Linux malware isn't because Linux is somehow magically superior, but simply because nobody has taken the time to write any.

    Even better, pretty soon we'll have clueless noobs with their new netbooks running Google's ChromeOS (which they don't know is really Linux because Google is doing everything they can to avoid the "L" word). Now they can get pwned too!!

    • by dmomo (256005)

      > Which simply shows that the lack of Linux malware isn't because Linux is somehow magically superior, but simply because nobody has taken the time to write any.

      And why would that be? Maybe because there isn't money in it. Or if there is, Windows malware gives more bang for the buck in terms of conversions. I could write a linux worm, but I'm pretty confident I could make one more easily for Windows. Hell, I wouldn't even have to code it.. I could just find one and re-purpose it. It's easier and would

  • I was fed up with the general consensus that Linux is oh-so-secure and has no malware.

    Just because it's a consensus doesn't mean it's correct. As you have demonstrated, it's very much possible to write malware targeted at Linux.

    In fact, there are plenty of viruses and malwares specifically targeted at Linux, and their numbers are rising: []
    However, because desktop Linux has an extremely small market share, malware for Linux has a correspondingly tiny market share.

    Think of it this way, a few weeks ago you woke up and came up with th

    • Re: (Score:3, Informative)

      by jedidiah (1196)

      ...yes. Malware that has to be manually run.

      How utterly pathetic.

      At least you can say that Windows has one thing on Linux. Installation of Trojans is automated. No end user interaction is required.

      It would be interesting to see how far a manual trojan could get on Linux...

      • Re: (Score:3, Funny)

        by roguetrick (1147853)

        Once they develop a conversable chatterbot that targets linux basement dwellers. The bot will say she uses a particular type of webcam software and really wants to show them something.

  • Get in touch with the security community as some other poster said.

    Then concentrate in releasing a paper about your software. If your techniques are good, they might be an interesting read. Even more important is that if your software does not escalate privileges (as I understand), cleaning your software should be a straightforward job from the superuser account. Those cleaning techniques will probably be even more interesting.

    I'd use a rather obvious payload that reveals itself when interrogated (instead o

  • Smell test (Score:5, Insightful)

    by mhall119 (1035984) on Monday November 30, 2009 @11:14PM (#30278818) Homepage Journal

    The claim is that a PHP injection on a web server is going to also infect user-owned tarballs and wine executables and root-owned shell scripts without exploiting a privilege escalation hole? Either his webserver is configured to run as root, or this claim doesn't pass the smell test.

  • I'm sure there are some people in the computer security world who you admire. So ask yourself, what would these people do if they had discovered the exploits? What would Phil Zimmermann [], or DJB [] do? Some of these people were unhappy with the current situation, and took their own road and created some good, secure software.

    Also, maybe your code isn't as good as you claim. Or maybe it mostly uses known exploits. It's time for a reality check. You should try to find some peers, and discuss it with them to deter

  • Absolutely evil (Score:2, Interesting)

    We already know how to break into systems with buffer and heap overflows. We know how to do SQL injection into not-so-smart applications. If you work at it you can break into almost anything.

    Absolutely no good purpose is served providing a toolkit that allows people to break into naively configured systems. Much of what you describe is akin to leaving the keys in your Maserati with the doors unlocked and the engine running. Please don't make things easier for joyriding teenagers.

    If a site wants to know

  • to CERN or some other security group, or to White Hat Hackers who won't release it or use it, but study it and find a way around it.

    I would pass it on to some Linux kernel and Linux OS developers, and see if they can fix the security holes you found that allow the hacking of Linux.

    If you release it into the public for anyone to download, dollars to doughnuts some idiot is going to replace the Bonic client with a packet sniffer or key logger or something else. It is like inventing a rocket or missile and the

  • I'll help you out, just send it in a tarball to me, and I'll verify if it works or not. Oh, I'm sure you want to keep it opensource and all, so just put the source in there too... I'll make sure your given proper credit. Thanks. :)

  • Easy. (Score:2, Interesting)

    by nhytefall (1415959)
    Since, despite the popular belief, the idea of a grey/black/white hacker being distinct solely because of intent is, at best, a falsity, the idea that one could release something with the potential of being as destructive as TFS claims is a no-brainer.

    The answer is no. Under no circumstances should the package be released.

    Because, to release the code is no different than than saying "I only illegally accessed your systems, Mr. FBI, to show you how it could be done. I am honest little boy/girl".
  • by melikamp (631205) on Monday November 30, 2009 @11:29PM (#30278934) Homepage Journal

    Its whole purpose is to help white-hat hackers point out that a Linux system can be turned into a botnet client

    It would be nice to see the code. As it stands, I am surprised that this "news" made it this far, with no links of any kind.

    No one credible claims that malware is impossible in GNU/Linux or *BSD. In fact, since UNIX is a much more robust networking OS, maintaining a botnet should be helluva lot easier than on Windows. What we have with a free OS, though, is something that proprietary OS users will never have: a complete and total control over our security policy and every other aspect of our software environment. When and if a vector is identified, our security policy will promptly change to nip it in the bud.

    A Speculative Example

    Lately I've been thinking about one major vector: the human-assisted privilege escalation. Take the latest Ubuntu and imagine a piece of software which runs with user privileges and does the following: it tricks the user into thinking that it is the automatic updater. Lacking in both expertise and time, I am not going to do a proof of concept, but how hard can it be? You just need to draw a window named "Update Manager" using the standard Gnome API, list a few bogus updates anyone would find legit, with version number irrelevant to their day-to-day life (e.g. binutils), wait for the user to click [Install Updates], and then "gksu". The user will enter the password, and your work is done. Then, of course, you still need to draw some progress bars to lull the user into believing that an update is going on, but that's all just an icing on the cake.

    If anyone can see why this won't work, I would like to hear it.

    Looks scary, right? Wrong. Because the solution is as simple as changing the default policy. Make it so that the default behavior is to notify only. On every system update the user should be told: "Go start the updater via the system menu. By the way, if you EVER see an "updater" you didn't start yourself, you are being pwned." Make sure that the system menu is strictly read-only, and even the dimmest user will be safe.

    This won't be implemented in Windows. Why? I really cannot guess why Microsoft's security policy seems to be designed from ground up to fuck the user, but it is. The usual excuse seems to be: "it's easy to use". But whatever is the reason, you just cannot make a proprietary platform secure because you cannot pop the hood open. With a free OS, you can.

  • by flyingfsck (986395) on Monday November 30, 2009 @11:34PM (#30278974)
    Insecurity through stupidity is a common problem on Linux. The Ubuntu forums are full of users wailing that their machines got hacked after they installed FTP, SSH or VNC with a kewl four letter password. One could argue that it is not the users, but rather the Ubuntu developers that are stupid by not configuring PAM to enforce password complexity by default, since it is not really a flaw in 'Linux' per se, but it could certainly be considered to be a dumb-ass flaw in the Ubuntu distribution.
  • Lamesauce (Score:3, Insightful)

    by Anonymous Coward on Monday November 30, 2009 @11:52PM (#30279080)

    Sounds like you have too much time on your hands. Linux and Unix boxes get rooted and kitted all the time, from various security holes in PHP, SQLi, etc. Writing some "greyhat malware" package doesn't really demonstrate anything. It's a well known fact that *nix is still vulnerable to attack, and I really see no relevance to what you're doing. Besides, anyone who runs a locked down system and has any degree of paranoia wouldn't run SETI@Home, or any other similar distributed client software. OSSEC would pick this jazz up in half a second. Congratulations on some questionable bash scripting.

  • by bmo (77928) on Monday November 30, 2009 @11:53PM (#30279100)

    >mindless execution of unverified downloads

    There is no cure for stupid on any platform.

    People will install purple gorillas and cd-drive-cupholders. This is not new.

    But beyond user stupidity, there are reasons why propagation of badware on Linux and Unix sucks, and I suggest that people read Tom's excellent rant here: []

    This situation may not last (c.f., sudo silliness on fedora), but unless you can do a miracle of social engineering, treachery, and underhandedness and get your badware included in the main repositories as source (which repo maintainers and end users use to build packages), you're not going to get very far in the *nix world.


  • by Alex Belits (437) * on Tuesday December 01, 2009 @12:03AM (#30279144) Homepage

    I have a strong suspicion that this whole "question" is merely an attempt by Windows marketdroids to spread one of their favorite FUD formulas: "Linux is not really secure, it's just too unpopular to be targeted by malware writers". Please note how often it is mentioned in otherwise content-free comments.

    There is no actual "malware". All author claims is that he wrote something that demonstrates the fact that a program executed on a Linux box by a user has that user's access privileges and can do stuff that the user does not expect or like. That's at best a trojan horse -- without capability to gain superuser privileges or compromise other users or hosts, such "malware" is firmly in the range of stupid pranks -- slightly below changing someone's wallpaper to goatse and slightly above asking someone to check out the Last Measure web site. It has nothing to do with millions-strong botnets and hours-to-worldwide-pandemic worms that make Windows such a great platform for crooks and vandals.

  • by coolmoose25 (1057210) on Tuesday December 01, 2009 @12:07AM (#30279164)
    I work with AS400 and iSeries machines (and I accept your collective condolences). When I first got trained on them, the teachers told us that OS400 has never been hacked. Not having any real data to confront them, I just let it pass. When we covered the section about user ids and passwords, I found out that 400's force you to disable a user id and password after a certain, finite number of logon attempts. This was by design. All user ids, including system administrator ids had to have some number (I forget how high you can set it) of illegal attempts before the id is locked out. (Usually this is set to 3) They explained, smugly, that this was to keep out intruders.

    We further learned that user id's could not be set to more than 10 characters. So I raised my hand and asked what happened if all the user accounts got disabled. They said that IBM would have to back door their way in to unlock a system administrator account, and from that account, others could be reset. (This would be BAD and time consuming, so it was good practice to keep a few SYSADMIN accounts around just in case) I asked if they had ever heard of a denial of service attack. Of course they said. So I asked the obvious question, "What if someone wrote a script to log on to every 10 digit user account 3 times with a blank password?" The reply was "Why would anyone do THAT?"

    I pointed out that while I couldn't "hack" their system by their definitions, I could sure as heck turn it into a boat anchor, and do it remotely if it was hooked to the Internet... "Yes, but you can't HACK it was the reply..."
  • by AnotherUsername (966110) on Tuesday December 01, 2009 @12:21AM (#30279260)
    If you release it, you had better release it under the GPL, or it really will be an unethical release...
  • by Gudeldar (705128) on Tuesday December 01, 2009 @01:00AM (#30279508)
    Linux malware that requires manual running is trivially easy to do.
    Copy and paste: sudo rm -rf /
    Enter your password

    Come back when you have malware that can remotely infect a target machine without user interaction.
  • by smash (1351) on Tuesday December 01, 2009 @01:09AM (#30279562) Homepage Journal
    Would it be different if it was Windows malware? The fact that it is linux malware is irrelevant. Your software is doing the same thing (installing unauthorized code onto people's machines).

    I say release the ideas, or at least document the concepts with pseudocode so that the average skript kiddie can't just download and modify - they'd at least need to spend the time implementing it in some language.

    This way, people qualified to fix the problem can review your proof of concept and fix the problem, but you're limiting the exposure to the average bored 15 year old who's skillset doesn't extend too far beyond downloading a .c file and running gcc.

  • by dAzED1 (33635) <brianlamere AT yahoo DOT com> on Tuesday December 01, 2009 @01:20AM (#30279634) Homepage Journal

    No malware? I think the claim is that Linux doesn't have the threat from viruses that Windows does - actually, it has little threat from them at all.

    loose security configurations and mindless execution of unverified downloads - so, the sort of thing no admin with any brains, regardless the OS they were using, would do? The difference is, you can fairly much lock up Linux very fast, with little a non-privileged person can do, while not really limiting what services the machine will offer. With Windows on the other hand, it takes more effort to lock it down, and things become far more burdensome to deal with once you do. Let me tell you how much I loved having errors all over the policy editor in windows because of some basic security settings...which meant that doing normal, everyday windows admin tasks you would be confronted with errors left and right because of the policy settings. Doing normal, everyday UNIX admin tasks on a locked down box issues.

    Why do people take the argument so damn personally, anyway? The OSes are meant for different things. That one is better at some things than the other should make sense - they have entirely different methodologies.

    PS - it took you a *week* to write something that could exploit "loose security configurations?" Give me 5 minutes and I'll write something. Go ahead and publish whatever you wrote, I'm sure several of us could use the laugh.

  • by BountyX (1227176) on Tuesday December 01, 2009 @01:30AM (#30279694)
    Open source it, that way we can all contribute to the malware and discuss if it should use gtk or qt. We know that gnome users will refuse to install anything with qt dependencies and kde users will refuse to install gtk+ dependencies. None of the windows malware coders are willing to release their code to us, so we are limited on integration, especially with wifi. I personally think we should target gnome users, they like stepping on people -- just look at how condescending their logo is. Plus I have a grudge against the way they put their contributers down. Once we get enough malwared machines we can convince windows malware coders to support our platform.
  • Silly (Score:3, Insightful)

    by vadim_t (324782) on Tuesday December 01, 2009 @02:31AM (#30279992) Homepage

    Linux has two main things over Windows:

    First one is that people can't accidentally execute some random program they downloaded with their browser. They have to intentionally save it somewhere, chmod +x, then run it. There's no "ok, ok, ok, yes I am stupid" sequence of warning dialog button selections that's going to do that, so it takes very intentional actions to run some random code you got from the web.

    The second one is that Linux users don't, as a normal thing, run random programs they downloaded from the web. They generally install packages provided by their distribution. If a Linux user needs a RAR compressor they don't go hunt it around the web, possibly landing on a page offering a trojaned version, they "apt-get install" their distribution's verified version.

    The first means people are very unlikely to run your code by accident, the second that you have to provide a good reason to run your malicious code.

    I think that all this really proves is that if you really insist on running untrusted code on your system it can go and screw with your system (or user account). Well, duh. The question isn't whether it can happen at all, it's how easily it can happen by accident or lack of attention. If the user really insists on shooting their foot there's little anybody can do about that.

    But, suppose that Linux got lots of stupid desktop users, who'd download and actually go through the steps they need to run it. In that case distributions could add some extra security quite easily, by for instance denying the user the ability to run programs from non-root owned directories (grsecurity does this). This would make it so that even if the user does download your script, sets the permissions, and tries to run it, it will fail to work anyway.

    Now of course there's the workaround, but that's not going to happen from the GUI, and the distribution could always patch their to obey the grsecurity restrictions

    Given all this, IMO, this exercise proves very little. It proves that if you manage to convince the user to intentionally run untrusted code, it'll be able to do nasty things. But this is a given on any system that's not locked down in a really fascist manner. It'll take a cell phone-like environment with sandboxed applications to defeat that. And even there applications must be allowed to do potentially harmful things to be able to do some entirely legitimate functions.

    At that point you have two possibilities: you completely refuse to run unsigned code (pissing off the user), or ask the user "do you want to let this program delete all your data?" and allow them to shoot their own foot.

  • release it! (Score:3, Funny)

    by someone1234 (830754) on Tuesday December 01, 2009 @03:32AM (#30280238)

    This is an important milestone in the Linux to the Desktop campaign.
    Without a "healthy malware ecosystem", Linux isn't mature enough to be called a desktop operation system.
    Think about the AV industry!

  • by Tony (765) on Tuesday December 01, 2009 @09:48AM (#30282408) Journal

    So one of my users accidentally runs your trojan. No problem. I write a script that cleans it up on every machine in my network without interfering with the users at all. It takes me about 5 minutes.

    On MS-Windows, I have to go around to every machine on the network to clean it up. There have been times I've had to re-ghost a machine because it was so infected.

    I'm not sure what this whole apple-to-oranges gedanken is all about. It surely doesn't explain how MS-Windows is just as secure as Linux.

It's later than you think, the joint Russian-American space mission has already begun.