jump to navigation

Linux malware 18 February, 2009

Posted by aronzak in Uncategorized.
trackback

A recent article, How to write a Linux virus in 5 easy steps outlines a vulnerability in KDE and gnome desktops. The article is well written and makes some good points about how no operating system is “inherently secure”. Essentially, the .desktop format bypasses the binary execution bit, which would otherwise stop a script that someone downloads from executing malicious code without explicitly allowing it to. Unfortunately, the article suffers from a few simple problems:

1. .desktop

Let’s try this out for size. First, I’m going to create a blank file called hotpictures.jpg.desktop, and email it to myself. The first thing any user would notice is the unusually poor grammar, and unusual request. (Most people these days are fairly good at managing to use Google to look up things for themselves, though some Linux help forums beg to differ.) Here’s how opening the attachment appears in Gmail and Thunderbird.

hotpictures2To download this file, I would have to ignore the .desktop filename 3 times. Same with Thunderbird:

hotpictures3

Even if there is a long name, there is plenty of space to display the filename in the dialog boxes. The end of the filename will still show in the bottom of Thunderbird. Also, while the article states that a user would often download files to the desktop, Google’s online office software and PDF-HTML conversion system means that users are increasingly viewing documents as in the browser first, rather than downloading files straight away. If this fails, most users would be extremely cautious.

Next, if a user downloads the file to their home directory, and not the desktop, they will see the .desktop file for what it is again.

hotpictures

Finally, even if there is a bogus “document” icon or some such, people will expect a preview of the image, as with the portrait of Obama. Users would have to be very stupid to download a file with a format that they have never heard of, which doesn’t have a preview of the image that it is pretending to be.

2. root permissions

The article says that root permissions don’t matter as much as people may think. This is true. Superuser privileges are’nt needed to change some software like adding a keylogger to a single browser. this could be dangerous, but it is fairly trivial to pick up and remove. I’m not aware of a porgram like this being able to hide itself with only user level access, so a root shell can easily monitor the running process, and, if a user is on the ball, note that it is a rogue process. The possibility that graphical password managers, like kdesu and gksu can be subverted is unlikely, with a smart user picking this up very quickly. Observe:

virus

Again, a smart user will not fall for this one. Also, having only user level access makes it much easier to recover by booting to level 2 and then sorting out the results. Simply creating a new user and copying the old data will ‘disable’ the code.

While an interesting theory, this couldn’t really be used to spread malware. The article does point out that groups like governments are adopting Linux, which could mean that there are a lot of users that are unfamiliar with Linux that are on each other’s email contacts lists. Other than that, this couldn’t work in real life as emailing Windows and Mac users with a Linux virus is just stupid. There’s no way for a virus to be able to know which platform email contacts are running (and not just which OS, but if Linux users are running a particular distribution, desktop etc…). In this way, multiple platforms, as well as the myriad of possible choices in Linux are a help. Just as it makes it hard to write an application that will work on all Linux distributions, it is hard to write malware that will.

What does scare me, and should you, is the alarming ease with which someone with physical access to almost any machine caget full access to it. Using grub, someone can press ‘c’ and add “init=/bin/bash” to the kernel parameters, and immediately get full root access, and the ability to change all of the passwords (or worse). Grub passwords can prevent this, but booting off other media (eg USB) will also give full root access straight away. The only real solution to this seems to be full system encryption, which is a pain.

There is a fair point that is made by the article that the security of Linux isn’t absolute. This doesn’t negate, however, any of the real security benefits the OS has. Many open source naysayers will say that this is evidence that the model of development doesn’t work when it comes to security, but it is evidence that it does. An article like this can be released, people can make note, and if there are any serious issues, the code can be changed, whereas in the proprietary development world the issues are suppressed with gags and NDAs, and outstanding issues can go unresolved.

By the way, Linux computers can still spread Windows viruses, through network sharing and other means. If you run antivirus software on Windows, it is a good idea to run antivirus software in Linux also.

Advertisements

Comments»

1. Linux Users and Security :: Flow of Logic - 19 February, 2009

[…] is truly a more secure Operating System than Windows.For example, a blogger by the SN of aronzak posted a response trying to point out a few problems with the original post.First, he* argues that when downloading […]


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: