foobar on computers, software and the rest of the world


Follow up: How to write a Linux virus

posted: 12-Feb-2009 08:10

Yesterday I published an article about How to write a Linux virus in 5 easy steps. There has been quite an overwhelming response for this. Within just a few hours this article became my most visited blog post ever. Wow! Just goes to show that either the article hit a real nerve, or the other articles on my blog are just really boring. :-)

Anyway, a lot of interesting feedback arrived, some of it through the comments on Reddit, some in the comment section of my article, some by email and others yet on different forums. I just want to take a moment to summarise some interesting points:
  • Commenter Burninator discovered that you don't even need the .desktop ending in the attachment. The Gnome and KDE desktops actually read the file, and don't base their decision to special-case the file on the file-name extension! So, the critical meta data here (make this something that can be executed) is NOT encoded in the filename, as some have suggested, it is actually derived by reading the first line of the file contents. So, in that respect the desktop environments are not quite as hapless as some had indicated and are not just making the same mistake as Windows has.
  • On the flip-side of that same discovery: You can make your attachment now even less suspicious looking. Rather than naming it something like some_text.odt.desktop, you only need to name it some_text. That has two nice side effects: Firstly, email clients will now never know what to do with the file (no useful extension) and are more likely to prompt the user to save the file to disk. Thus, you don't need to get the user to explicitly do that anymore by putting proper wording in your email. The user will be more or less prompted to do that automatically by the email client. Secondly, there is now no suspicious file-name ending. If the Name line in the launcher description file still specifies something like Name=some_text.odt then Gnome at least will actually show THAT as the name of the file, rather than the actual file name on disk. However, KDE will just show some_text, which is the actual file name. KDE will only display some_text.odt after the .desktop suffix has been added. Nevertheless, even in KDE the some_text file remains 'executable' by clicking on it. So, while on KDE the user may look at a file without a proper file extension on the desktop, the name and icon can still look convincing and the email attachment didn't have a suspicious suffix. That, combined with the email client now automatically prompting for it to be saved, makes this a good strategy: No .desktop suffix in the actual name of the attachment.
  • One more thing about the naming of the file: You cannot just name the file some_text.odt, since then the filename extension (.odt in this example) takes precedence. The desktop will call OpenOffice if that's your word processor, based on the extension. Only if there is no extension (or the extension is .desktop?) will the content of the file be taken into account.
  • Someone pointed out that the trick won't work under KDE when the attachment is not saved on the desktop: KDE only treats launcher files in a special way when they are actually on the desktop. So, if an email client saves the launcher in another location (for example a ~/Downloads directory) then this wouldn't work. Well, I can only partially confirm this! When I move the launcher into a different directory the exploit still works all the same. However, the .desktop suffix becomes visible! This is yet another reason to just drop the .desktop file-name extension altogether.
  • The editor over at LWN.net pointed out here that the vulnerability of .desktop files was discussed back in 2006 already. I would have been surprised if I were the first person to think of this, frankly.
  • Several commenters felt the need to point out the technical distinction between a virus, a worm and malware. They pointed out that what I described is just a worm or malware (they couldn't agree). Well, look, I have been in the security industry long enough to know about the technical distinction, about which most people don't care anymore. As I mentioned in some responses to those comments: The popular press and indiscriminate coverage of the topic has completely blurred the line. Besides, I gave code for the malware spreading itself automatically in high-level pseudo code: ...it can start to pilfer through the user's address book to harvest email addresses ... [and] ... can spread itself by email. So, get over it! I don't need to spell out everything in Python code for you, right? You can read pseudo-code, right? :-)
  • Commenter David F. Skoll suggests that rather than special-casing those launcher files, the first line should merely be something like this: #!/usr/bin/desktop-launch, with the rest of the script following afterwards. With the execute bit set this would become merely a normal script, which is interpreted by the specified separate 'shell' or utility, rather than something integrated into the desktop environment. Very *nix-ish. I like it.
  • Many people commented on issues or possible problems with the suggested means of obtaining root privileges. I can only point out again: As the article stated, the gaining of root is NOT necessary to successfully infect a system. That's why this was in an appendix. It is not the main point of the article.
  • A few commenters complained that I wasn't talking about anything new. That with social engineering you can get users to do even complex things like downloading an executable, setting the execute bit and then running it. Some even say that all you need to do is send an email to a user: Please type 'sudo rm -rf /' in your terminal and that would have the same effect. My gosh, how dense are those commenters? These kinds of comments completely miss the point. The necessity of the execute bit for normal execution is a big and useful security feature of *nix OSs, such as Linux. Non-technical users probably don't know how to do that! Non-technical users also don't know how to open a terminal. Why do I have to explain this over and over? This is some of the typical, damaging arrogance of some Linux users that is on display here. So, anything that can take 'difficult' extra steps off the chain of events towards a successful infection greatly increases its chances. That's what this article was about: How to infect a user who just knows how to click with the mouse and has never heard of permissions or execute flags before. If he had, he probably wouldn't fall for this anyway.
  • Other people are talking about how the average Linux user is more technical than the average Windows user. Look, all I can say is: Go read the article. I talk about that, you know? Don't comment on my article until you have read the whole thing, not just the summary. That's annoying and wastes everyone's time. Geez...
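A defender-side check for the launcher behaviour summarised in the points above (the desktop decides by file content, the .desktop suffix is optional, and Name= can show a fake document name): this is an added Python example, not code from the original article. The heuristics, the DOCUMENT_SUFFIXES list and the sample files in build_sample_dir() are constructed for illustration.

```python
import os
import stat
import tempfile

# Suffixes that make a spoofed Name= look like a harmless document
# (constructed list for this example; extend to taste).
DOCUMENT_SUFFIXES = (".odt", ".doc", ".docx", ".pdf", ".txt", ".jpg", ".png")


def is_desktop_entry(path):
    """Mirror the rule the post describes: the desktop decides by content,
    not by extension. A file counts as a launcher when its first non-blank,
    non-comment line is the [Desktop Entry] group header."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(4096).decode("utf-8", "replace")
    except OSError:
        return False
    for line in head.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            return line == "[Desktop Entry]"
    return False


def parse_desktop_entry(path):
    """Return the key=value pairs of the [Desktop Entry] group (first wins)."""
    keys = {}
    in_group = False
    with open(path, encoding="utf-8", errors="replace") as fh:
        for raw in fh:
            line = raw.strip()
            if line.startswith("[") and line.endswith("]"):
                in_group = line == "[Desktop Entry]"
            elif in_group and "=" in line and not line.startswith("#"):
                key, _, value = line.partition("=")
                keys.setdefault(key.strip(), value.strip())
    return keys


def audit_launcher(path):
    """Return the reasons a launcher looks like the disguised attachment
    discussed in the post; an empty list means nothing stood out."""
    reasons = []
    entry = parse_desktop_entry(path)
    filename = os.path.basename(path)
    if not filename.endswith(".desktop"):
        reasons.append("launcher content but no .desktop suffix")
    display_name = entry.get("Name", "")
    if display_name.lower().endswith(DOCUMENT_SUFFIXES):
        reasons.append("Name= poses as a document: %r" % display_name)
    executable = bool(os.stat(path).st_mode & stat.S_IXUSR)
    if "Exec" in entry and not executable:
        reasons.append("Exec= present but executable bit not set")
    return reasons


def audit_directory(directory):
    """Scan one directory (a Desktop or download folder) and map each
    suspicious launcher's file name to its list of reasons."""
    findings = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path) and is_desktop_entry(path):
            reasons = audit_launcher(path)
            if reasons:
                findings[name] = reasons
    return findings


def build_sample_dir():
    """Constructed sample folder: one ordinary launcher, one launcher shaped
    like the attachment in the post (no suffix, document-like Name=, no +x),
    and one plain text file that must be ignored."""
    directory = tempfile.mkdtemp(prefix="launcher-audit-")
    samples = {
        "editor.desktop": ("[Desktop Entry]\nType=Application\nName=Text Editor\n"
                           "Exec=/bin/true\n", 0o755),
        "some_text": ("[Desktop Entry]\nType=Application\nName=some_text.odt\n"
                      "Icon=x-office-document\nExec=/bin/true\n", 0o644),
        "notes.txt": ("Just a note, not a launcher.\n", 0o644),
    }
    for name, (content, mode) in samples.items():
        path = os.path.join(directory, name)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
        os.chmod(path, mode)
    return directory


if __name__ == "__main__":
    for name, reasons in audit_directory(build_sample_dir()).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

Running it on a real ~/Desktop or download folder instead of the sample directory turns the same three heuristics into a quick triage of saved attachments.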
So, there. That was a small follow up on the feedback and comments about my 'How to write a Linux virus in 5 easy steps'.


Comment by TripleII, on 12-Feb-2009 10:30

The follow up does not change the fact that you do not know what a virus is. You are describing how to possibly create malware that you fool people into loading on their system, but is in no way a virus.

My original comment reposted here.

"You don't know what a Virus is. A virus is a piece of software that installs, propagates/replicates on a user's system with no user intervention through a security exploit in a program or the underlying OS itself.

http://en.wikipedia.org/wiki/Computer_virus

A computer virus is a computer program that can copy itself and infect a computer without the permission or knowledge of the user.

You have outlined a possible way to more easily write "malware" which requires user intervention, and as outlined a whole host of conditions, etc. You should update your title though, this is as much a virus as "hit your own head with a hammer" is a stealth way to get the user to be hurt.



TripleII"


Author's note by foobar, on 12-Feb-2009 10:55

@TripleII: And if you would have read more of the Wikipedia article you have linked to, you would realise that they include 'email viruses' as well. In fact, go search Wikipedia for 'email virus'. It redirects to the article you mentioned. Then scroll down and find this sentence:

Today's viruses may also take advantage of network services such as the World Wide Web, e-mail, Instant Messaging and file sharing systems to spread, blurring the line between viruses and worms. Furthermore, some sources use an alternative terminology in which a virus is any form of self-replicating malware.

Geez...


Comment by seo wales, on 12-Feb-2009 11:13

I'm with TripleII on this - just because other people misuse the term "virus" doesn't mean that you should too. I can see the title as linkbait, that's fine, but you should just say "this example of course is not automatically spread and executed but needs user intervention" .. scaremongering gets links I guess.


Comment by cb951303, on 12-Feb-2009 11:16

WWW, email or IMs are a way of distribution for a malware or virus. If a malware travels through email it doesn't make it a virus. To call a malware a virus it still needs to infect automatically other files in the system (only one system, not the system of your email contacts).


Comment by TripleII, on 12-Feb-2009 11:35

You are right, and prove my point, the term "Virus" is used as a catch all, which helps nobody. As I said, you have valid points on Malware, and if you don't want to be correct, and do what all in the industry do, call everything a Virus, then fine, just don't complain when "old timers" like myself get stuck on the definition.

Also, as quoted, they are delivering viruses that propagate through email exploits via email, unlike originally, infected floppies. It's just the delivery mechanism that changed. Viruses and worms are a grey area, but both install through exploit, not user intervention. The very last part, hey, if others want to water down the definition (usually for $ gain in corporations), doesn't mean we all should.

I will ask you.

Malware - tricking a user into installing malicious software.

Virus - auto install through an exploit without user intervention

If the solution to the problem is NOT the same and can never be the same (education vs fixing the exploit) they can't functionally be defined as the same thing. I will make the point again, if everything is a "Virus", the loosely losing meaning definition, you can never get regular users to understand that the majority of viruses are actually their own fault and you have to fix their behavior.

I didn't say anything about OS vs OS, you are an idiot (which you are not, what you wrote is important and now exposed), I simply think, especially being a Geek, we have to be accurate, more accurate than average. I'm sorry if this bothers you.

Now, thanks for the underlying information, whether we agree or not on what it actually is.


Comment by Alan, on 12-Feb-2009 11:36

The way you respond to your critics does you great discredit. People have raised valid points about your use of the word "virus", and all you can do is hurl exasperated insults back.

If you wrote this article to convince "linux zealots" to man up to their inaccurate hype, you could maybe lead by example and man up to your own.

Discussing vulnerabilities in the way desktop environments handle .desktop files is great -- excellent point and well worth looking at. Calling this a "linux virus" was hype and you know it. If it has descended into fanboy flaming you have only yourself to blame.


Comment by Andrey, on 12-Feb-2009 12:46

Where is the main point? I mean "it is impossible to make Linux like Windows without making it like Windows".

All that Gnome and KDE and whoever care about "non technical users" is Linux self distraction.

On the other side, with enough compensation, I CAN make your email experience so secure that a malicious hacker will find it easier to send a missile than email. Isn't it what all that "support" is about?


Comment by David F. Skoll, on 12-Feb-2009 15:53

All the people who are splitting hairs about "virus" vs "worm" vs "trojan" are completely missing the point.

What is described here is a plausible method for the distribution and propagation of malware. It certainly requires no more steps than a .zip file virus on Windows, and we know those do spread in the wild.

What saddens me (though it doesn't surprise me) is the utter silence from the GNOME, KDE, XFCE and Freedesktop developers. This problem was pointed out years ago, and they did nothing to mitigate it. That's bordering on negligence.


Comment by EvilPixieMan, on 12-Feb-2009 16:04

Fundamental to your article is the claim that you can create a linux "virus" in 5 easy steps.

Since this is your major claim, I don't think it unreasonable for people to make such a fuss about getting it right.

Fundamental to the distinction between types of malware (i.e. malicious software) is whether it requires user intervention to propagate.

If you need a user to explicitly initiate execution of code, and the code does not do what the user thinks, then it is a trojan. End of story.

If it does not, and it can exploit flaws in an OS to propagate, then it is either a worm or a virus.

Distinction between worm and virus doesn't matter for the sake of this argument, because you have quite clearly described a trojan, which requires tricking the user into running your code.

Any modern desktop OS that accepts requests from the user to run programs will be susceptible, the only difference is the ease with which the user can make it run.


Comment by bud freeman, on 12-Feb-2009 17:34

(yawn) Two articles, and I still haven't learned how to write a Linux VIRUS.

It's not splitting hairs, it's asking the author to either tell us how to write a Linux VIRUS, or to admit that he's engaging in FUD, or, simply change the title to reflect what he's actually demonstrating in his article.

cheers,


Author's note by foobar, on 12-Feb-2009 17:55

@bud freeman: You know, if you and others wouldn't have come across with your pitiful sarcasm and would have chosen a somewhat nicer tone, maybe I would have thought about putting additional disclaimers in about the title. Maybe even modified the title? Who knows?

But as it stands, you and your ... yawn! ... attitude can go wherever you want to. Because your continued complaining here is boring for everyone else. If it's so boring for you (you keep yawning) then why do you keep coming back? Come on, admit it, you are having way too much fun with this and it's not boring to you at all!

In case you haven't got it: The point of this article was to show that non-technical users of Linux can be had by malware just as easily as Windows users. As far as those users are concerned: They call all types of malware a virus, because they don't know any better. They don't care about the technical subtleties of these definitions, which is why in this particular case I didn't care for it either. If you look at the Wikipedia definition of a computer virus, you will find that email viruses (virii, whatever) are part of their definition. And other sites on the Internet have the same. A while back it was popular to call things that don't need any user interaction 'worms'. But all those definitions have been hopelessly blurred. The self-propagation aspect of this was explained sufficiently in the article, I don't need to elaborate on this any further.

Care to comment on anything in the article other than your perceived misuse of the word 'virus'?

Anyway, enough of that. The title stays and you can go if you want to...


Comment by fest3er, on 12-Feb-2009 21:19

Don't pay no never mind to geeks, engineers and others who can't communicate with the regular people who make up the largest portion of the population.

Yes, there are significant differences between virii, trojans, worms and other malware, just as there are five ways of looking at a 16 oz. glass that has 8 oz. of water in it. Depending on my mood, I'll respond with any of those views: the glass is half empty, it's half full, it's bigger than it needs to be, it isn't large enough, and it's extraneous because you can drink straight out of the bottle or faucet. But most regular people will simply note that there is water in the glass. Likewise, most regular people will refer to all malware as viruses because using one easily recognized word in a sentence communicates much more clearly than using a convoluted, complex statement with multiple clauses that identify every known variant of malware and a catch-all that identifies the unknown varieties.

People who are pedagogically pedantic are accomplishing one thing only: distracting attention from the issue at hand. This is pert near the same thing politicians do when they don't want to be pinned down to a firm stand on an issue: obfuscate and distract.


Comment by Huygens, on 12-Feb-2009 22:01

Thank you for the previous article and that one. It enlightened me on a few tricks that I should be aware of.

In a way, I support you and your articles. What you state is true, I have heard countless times from co-workers (who have a vague idea of Linux) that you cannot have viruses on Linux. Or that they were wondering at least why...

I guess every serious Linux developer knows that there are risks also on Linux (cf. the many rootkits available). I like your previous article because it showed a vulnerability somewhere I didn't expect! And as you mention it, there are a few issues at various levels of the application stack: desktop, e-mail client, etc. Those issues should be reported and corrected.

In addition, I understand that some people wanted to correct the "definitions" of virus/trojan/etc, but anyway that is only the form and not the meaning of the article. So I do not see why making such a big fuss about it. I, myself, had no clear definition of virus, worm, malware, etc. apart from trojan perhaps.


Comment by oldbasara, on 12-Feb-2009 22:35

email viruses - require NO user intervention (think VBScript ActiveX exploits). Just viewing the mail might trigger the program.

email trojans - REQUIRE user intervention ("click on the attached photo/letter/movie")

For the first - patch exploit - Code is at fault

For the second - educate user - User is at fault

As an analogy, no change in the postal system can stop 419 mail scams - only educated users can.


Comment by Jc, on 12-Feb-2009 22:58

This kind of "FLAW" in Gnome or KDE is just the price to be paid by Linux for being user friendly.

The developers of those desktop environments should be able to deter that behaviour. They simply ignore it because there are no massive threats aimed at Linux right now.

Are AppArmor or SELinux valid alternatives to be shielded from that kind of virus?


Comment by dk0110, on 13-Feb-2009 00:41

completely agree with the author here, a load of commentary based on semantics - the fact remains that malicious content can be delivered to the desktop, perhaps some more thought and/or suggestion should be given to overcoming the issue, not how its been described


Comment by David Faure, on 13-Feb-2009 00:59

Link to the discussion between the KDE, Gnome, XFCE (and other interested) people:

http://archive.netbsd.se/?ml=xorg-xdg&a=2006-03&t=2724527

I note that the KDE developers were in favour of requiring +x for desktop files, but Rodney Dawes (gnome) was not...


Comment by Anon, on 13-Feb-2009 02:13

---quote---

As far as those users are concerned: They call all types of malware a virus, because they don't know any better. They don't care about the technical subtleties of these definitions, which is why in this particular case I didn't care for it either.

---quote---

Ah, but you miss two very important, and subtle points.

1) Why do these non-technical users not know any better? Because members of the press where they obtain their knowledge do not take that extra step to be accurately precise with their usage of terms. If every single article those non-technical users read utilized the terms "virus", "worm", and "malware" properly and accurately, those non-technical users would in fact know that there is a difference. They may not understand the underlying technical reasons for why there is a difference, but they would know full well that there is a difference. Which would be a step in the right direction.

2) You, as a member of the press (you are blogging, that makes you a member of the modern day press) have an obligation to go that extra step in order to accurately utilize the terms in your publications. To wash your obligation to be accurate away with "the non-technical user does not know the difference, so I won't care either" is not only lazy on your part but also does a disservice to all those non-technical users who read your publications. Non-technical users become technical users only by having accurate information from which to learn. Giving them inaccurate information because they do not already know the accurate information is simply doing them a grave disservice, and in large part makes you guilty of the same hubris you accuse many of the "old-timers" of who are on your case about your article.



Comment by k.g, on 13-Feb-2009 03:06

First off, I agree with many others that this is a point that most users are unaware of, and there IS a misapprehension among linux users that linux is "totally secure". On those grounds, kudos on the informative article.

On the other hand, you are overreaching quite a lot. First, regardless of whether you think the line between different varieties of malware is "hopelessly blurred" or not, as someone attempting to educate users about security issues, you should at least not be trying to further blur those distinctions. To pick out what seems to be your core argument in support of malware==virus, the phrase "email virus". This refers to an email attachment that is *automatically executed* upon receipt of the email itself with *no user intervention*, which is of course the distinction between a virus and other malware as has been pointed out. Just because viruses delivered by email exist does not mean all malware delivered by email is a virus. You also state that you don't care about the distinction because that isn't the point of your article, but as you can see, it IS seen as the point of your article by quite a few people, because you are making additional, *false* claims about the vulnerability of the linux environment by stating that this is a virus.

Additionally, I have a problem with your hand waving of the distinction between compromising a user account and fully compromising a system (obtaining root access). While many of your points are correct (there is a large amount of damage that can be done with the compromise of just a user account, especially on a single-user system) once again you exaggerate the extent of the situation.

For example, sometimes even experienced sysadmins can be careless and do something like run an untrusted attachment. In a windows environment that is immediately game over as the attachment can immediately do whatever it wants, whereas in a linux environment where it must then mount an additional attack to attempt privilege escalation, there is some breathing room for the target to realize what is happening and deal with it.

Once again, I understand that the article is well-intended, but you dilute your message by making exaggerated claims.


Comment by s1n, on 13-Feb-2009 03:06

Most desktop environments actually use mimetype information to determine which application, and if that is unsuccessful will refer to the file magic result (man file). For example, under GNOME, you can set mimetype handlers from nautilus from the properties window of a file of such a mimetype.

The result is I can open an OO.org document named blah.desktop if I associate that mimetype to open with OO.org. I can alternatively change the file magic database to match my new "desktop" file and now everything on my system will be fooled.

I've manually changed the file magic and mimetype databases before for some crafty script I've written to be handled in a new and unique manner.

If the user manually clicks on something to execute it, the executable can do anything your heart desires (even break into higher security levels if determined enough). A simple shell script that removes everything allowable would be damaging enough. About the only thing that can slow you down is EIP (execute in place) security.


Comment by Sean Hodges, on 13-Feb-2009 05:47

It was a very interesting article, and this was a good follow-up for the most part.

2 things I would suggest:

1) Your original article has a conflicting target audience. The content is clearly intended for technical users (laymen would not read past the title, they do not care about the intricacies of .desktop files and executable bits). Using marketing/layman terms like "virus" in place of "malware" is bound to bring criticism. It also gives a script-kiddie tone to the article. Either adjust the article, or just accept that you will be continuously corrected.

I firmly believe that the criticism you have received is focused on the language, rather than the content, of the article.

2) You describe the problem in great detail, but so far you have only skimmed on the complexity of the solution. Perhaps another article detailing the problems of using the executable bit in .desktop files?

Some points which could use expansion:

- Countless .desktop files in the wild with no exec bit set
- Difficulty of coordinating a change to the .desktop file standard between distributions
- Requirements on KDE, Gnome, and other DE's, and how this will affect their timescales (your current proposal is essentially calling for a mass audit, rather than a simple security fix)
- The effect on programs that are dependent on .desktop files, especially ones that are no longer maintained. How might backwards-compatibility work?
- How a proposed fix could be Q/A'd, and how it might be leveraged to avoid other potential security issues in the future.


Comment by Wind Fox, on 13-Feb-2009 06:07

Ay...

Another techie wannabe trying to write an article on computing/computer science yet refused to get the terminology correct even when people with better judgement gave a chance to put it right.

It's exactly people like the author that cause Windows users to disregard Linux users.


Comment by C. Whitman, on 13-Feb-2009 06:26

Well, I think that the article points out a legitimate concern: that it is too easy to get KDE and Gnome to execute something that doesn't have its executable bit set.

Does that excuse the stretching of the word virus in the title? I'm not sure.

In any case I think the original article should have pointed out in the text that this is not technically a virus, but rather a trojan.

The definitions for these terms that I am familiar with go as follows:

Worm: A malware that requires no user interaction whatsoever. It takes advantage of a software or firmware exploit. To be infected a computer merely needs to be connected to the source through a network, usually the Internet.

Virus: A malware that requires no more than limited, normal user interaction that should not normally place the user at risk. It takes advantage of a software or firmware exploit. To be infected a user must do something like, for example: access a floppy disk or CD-ROM, or boot a computer with such a removable medium in place; open an email; visit a web page, etc.

Trojan: A malware that requires the user do something that would normally be considered a risk. It takes advantage of social engineering techniques to at least some degree (or, on some occasions, a previously compromised server/source that would normally be considered trustworthy), possibly in conjunction with a software exploit. To be infected a user must do something like, for example: save and execute/activate an email attachment; download and execute a file from a website; install a program which has not been validated, etc.


Comment by Huri, on 13-Feb-2009 07:40

Wind Fox,

Actually, it's you, the pedantic geek, who makes Windows users disregard Linux users (as a bunch of pedantic geeks.)

Non-technical users don't CARE about the nature of the intrusive software. They don't CARE about the subtle differences between viruses, worms, trojans, and any other form of malware. Honestly, they don't care how it spreads, what language it's written in or what methods it uses internally to cause mayhem. All they care about is, preventing infection.

When I'm talking to my 78 year old father, I don't stop to make the distinction when telling him to delete the suspicious looking e-mail without opening it. And when he says, "yeah, I figured it might be a virus." I don't spend 30 minutes explaining why it probably wasn't a virus, but more likely a trojan horse.

It is you pedantic geeks who give Linux a bad reputation (and shouldn't that be GNU/Linux? Sorry, couldn't help myself.)


Comment by t.wolstencroft, on 13-Feb-2009 09:27

The thing is, if you can talk someone into running a program on their computer (whatever the OS is), you can spread malware. It is as simple as that. Linux does not see many of these at all because the people who code malware don't want to code something for such a small percentage of the desktop world and most (note the use of the word most) linux users tend to be a bit more suspicious of these types of things. Python is a widely used language and an easy one to read at that, so opening the trojan up and looking at what it is doing would not be difficult either (something you can't really do on Windows). Also, you forget about SELinux. While I have not tested this, I do think you might run into some issues with your solution were it properly configured.

If you take out the user interaction from the equation, writing a virus for Linux is much more difficult than writing one for Windows. Windows has gotten better, but it's not there yet. I would like to see if you can come up with something that does not require a click or a ./ of something to work.

Also, while this might work for the desktop users, Linux servers (for the most part) would be unaffected. Mail is not opened on them and most don't run a mail client on them. So to get the file on there, you would need to find a vulnerability in the network config first.

Just my 2 cents


Comment by _pi, on 13-Feb-2009 10:56

http://sites.google.com/site/paulignatenko/news/linuxandenduserviruseswhygeneralcomputersystemarevulnerable

Automatic infection using Java explained, only needs the user to click okay on a security warning like you would see on a 3rd party file uploader.


Author's note by foobar, on 13-Feb-2009 11:05

@_pi: Ok, that's interesting (drive-by Java exploit). However, you too require user interaction. You need to get the user to visit a site, possibly a site that the user doesn't normally visit. How to do that? With an email containing the link? If so, then opening the email is step 1 and clicking on the link is step 2 of the user interaction. If you get this onto a site the user just stumbles across, then it would only be one step. But then you also need the user to click Ok on a warning (scary?), which is definitely the next step, either 2 or even 3, depending on how we count.

In the exploit I described the user needs to open the email (step 1) and save it (step 2). Since the user would only save it in order to open it, the next step (clicking on it) is basically part of step 2 already, right? Maybe step 2.5, or so. But since the user has already made up their mind to open it (otherwise they wouldn't bother saving it), I figure those two steps go together.

Clicking Ok on a warning dialog is not what the user intends on doing anyway, just because they visit a site.

So, in the end, I think the amount of user interaction for both exploits is roughly the same.

What do you think?


Comment by Joe Buck, on 13-Feb-2009 11:29

It's disappointing that so many commenters would prefer to focus on arguing about whether the term "virus" was used correctly, instead of discussing the issues raised.


Comment by Benjamin Geer, on 13-Feb-2009 13:22

t.wolstencroft, you've missed the point. When someone sends me a JPEG image and I double-click on it, I'm running a program, but crucially, it's a program I know and trust: the JPEG viewer. If that program is indeed trustworthy, opening images with it shouldn't put my system at risk. In the case of the exploit here, the user is tricked into thinking that they're running a known and trusted program, when in fact they're running a malicious program. That's why it's a serious problem.


Comment by Bill, on 13-Feb-2009 13:28

"users of Linux can be had by malware just as easily as Windows users"

And that's where you are wrong. There are countless Windows virii that spread *without* user intervention. Your "virus" requires user intervention, and is thus far less capable of spreading.


Comment by Yet another Anonymous Coward, on 13-Feb-2009 14:22

That's the reason smart people use neither GNOME nor KDE - because .desktop files will happily be ignored.


Comment by foo, on 13-Feb-2009 15:21

OMG foobar, I really pity you for all these silly comments about your use of the word 'virus'. :(

And even though the problem you write about is not new (as pointed out by LWN's wonderful editor), it's important to give it visibility, for the very reasons you gave in your original post. I definitely support your attitude!


Comment by Jonas, on 13-Feb-2009 15:48

"Someone pointed out that the trick won't work under KDE when the attachment is not saved on the desktop: KDE only treats launcher files in a special way when they are actually on the desktop. So, if an email client saves the launcher in another location (for example a ~/Downloads directory) then this wouldn't work. Well, I can only partially confirm this! When I move the launcher into a different directory the exploit still works all the same. However, the .desktop suffix becomes visible! This is yet another reason to just drop the .desktop file-name extension altogether."

That would be me :) However, I know perfectly well that the file would be launched no matter where it is saved. If my comment made it sound like the desktop would have been invulnerable just because it was saved somewhere apart from ~/Desktop, I'm sorry. That was not my intention.

All I meant to say is that as long as it's not on the desktop, it would be harder to disguise it (with or without the .desktop suffix).

Still, I'm not sure what a good solution would be. Mounting /home as noexec would obviously not suffice even if the .desktop files would need the x flag. All it would take to circumvent that would be to save the malicious file in /tmp and create a softlink to it in ~/Desktop or wherever the ~/Desktop is located.

Correct me if I'm wrong, but I suspect mounting /tmp as noexec would or could cause havoc for legitimate programs.


Comment by wesmo, on 13-Feb-2009 16:40

typo - lwn.net not lwm.net


Comment by Jesse Weinstein, on 13-Feb-2009 19:38

Aren't .desktop files just a form of redirection/softlinks/Windows Shortcuts? If so, what's wrong with using the same technique as on Windows, where shortcuts have a small square arrow in the corner of their icon? Has this been known to be unseen by users? Are the "viruses" that people mistakenly click on in Windows actually shortcuts?


Comment by Marcel, on 13-Feb-2009 23:03

The little difference....

If you send the file named as a picture, then KMail will a) show you that it's an executable (gears icon) and b) _never_ prompt to run it, but rather to open it with KWrite or save as.

So the difference to a real virus is that the user has to save the file _and_ run it afterwards. That's not how users interact; they usually just click on everything. A power user, who knows how to save and afterwards run the file, will realize the fake.

If there is a mailclient, which runs the file directly, it should be patched not to do so.


Comment by Don, on 14-Feb-2009 01:32

I know dozens of Linux users and admins and not a single one of them ever claimed that Linux was immune to user stupidity. They are sensible.

Debunking a myth propagated by Linux FANBOYS is good to get their feet on the ground but not very useful overall. Anyone stupid enough to fall for their talk will screw up their own system someday anyway. For example, you said the "sudo rm -rf /" example is too technical? Fine, do a bash script with "rm -rf $HOME", make it executable and attach it. No terminal and no root required.

If I google for pages claiming that black people are inferior, I'll probably find dozens of racist websites. That doesn't mean it makes sense for me to write a long post to "debunk the myth that black people are inferior".


Comment by Mattia, on 14-Feb-2009 09:46

I have to admit that I never thought about this problem. So I could have clicked on an "infected" attachment, even though I have used Linux for 8 years and I am an IT professional. I think this is an issue that they should fix as soon as possible.

Maybe launchers should only point to a script in a special folder (~/.lanch). I.e. if the launcher's command is "openoffice", then KDE (or Gnome) should execute ~/.lanch/openoffice. Obviously a string that contains "../" should not be accepted and the command should not be executed. I think this is a better solution. Changing the x bit is very easy with Gnome or KDE.


Comment by Marc, on 14-Feb-2009 20:13

I agree that desktop launch files should not start without the executable flag set.

But in general, there's no means against stupidity. In airports, you must learn not to take baggage from strangers and to keep an eye on yours. That's well known and expected behaviour. You'll go to prison for drugs if you're caught, even though they might have been put in your bag by someone else.

Same on Computers: Don't start programs nor anything else unless you know where they come from and why.


Comment by Paul_one, on 14-Feb-2009 21:21

Virus: A user's application gets infected from a vulnerability in the code.

Malware: Small programs users run which do more than they should (the easiest one is: 'play this game!' .. where you need to set the execute bit, it plays a game and infects the machine without the user knowing it)

Worm: Uses one machine as a zombie box to exploit a security hole in some network service. Automatically infects a machine and spreads with NO user even required on the box (a virus requires the user to initiate a program which has a vulnerability in it to look at some data).

Trojan: Piece of software (installed through varying methods above) which gives control over your machine/user instance, or sends back information, to an external destination.

----

Your use falls into Malware.

A user launches a (quite nicely) disguised shell script.

- unfortunately the icon is the hardest thing to try and set (different distributions use different paths).

Overall, the message is:

"Don't be a fool. Don't run things on your PC if you don't know what they are."

.. and also:

"Recognise what a malware mail is"

... Most email clients/ISP/webmail servers should flag this.


Comment by I, on 15-Feb-2009 18:46

@Fester

Brilliant


Author's note by foobar, on 16-Feb-2009 06:48

@Don: I think you have a misunderstanding about how attachments work: You can't make a script executable and then attach it. The executability is expressed via the execute bit, which in turn is a flag for the file in the filesystem. If you attach a file, however, only the content (!) of the file is being encoded (and the file name for your convenience), but not any additional attributes, which are maintained by the file system.

So, your example doesn't work.
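To make foobar's point concrete: a MIME attachment carries the file's bytes and a suggested name, not its mode bits, so the execute flag never survives the trip. The following is an added Python example, not code from the post or from any mail client. The "script" it attaches is a constructed, harmless one-liner; the message addresses and temp directories are constructed as well.

```python
import email
import os
import stat
import tempfile
from email import policy
from email.message import EmailMessage

# Constructed, harmless sample script (not from the page): it only prints a line.
SCRIPT_BODY = b"#!/bin/sh\necho 'hello from the attachment'\n"


def make_executable_script(directory):
    """Write the sample script and set the owner/group/other execute bits on it."""
    path = os.path.join(directory, "some_text")
    with open(path, "wb") as fh:
        fh.write(SCRIPT_BODY)
    os.chmod(path, 0o755)
    return path


def attach_and_extract(src_path, out_dir):
    """Attach src_path to a MIME message, parse the message back and save the attachment.

    Only the bytes and the filename travel inside the message; file-system
    attributes such as the execute bit are not part of MIME at all.
    """
    with open(src_path, "rb") as fh:
        data = fh.read()
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"      # constructed address
    msg["To"] = "recipient@example.invalid"     # constructed address
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    msg.add_attachment(data, maintype="application", subtype="octet-stream",
                       filename=os.path.basename(src_path))
    raw = msg.as_bytes()                        # what actually crosses the wire

    parsed = email.message_from_bytes(raw, policy=policy.default)
    saved = []
    for part in parsed.iter_attachments():
        out_path = os.path.join(out_dir, part.get_filename())
        # Written with the process umask; nothing in the message can set +x.
        with open(out_path, "wb") as fh:
            fh.write(part.get_payload(decode=True))
        saved.append(out_path)
    return saved[0]


def execute_bits(path):
    """Return the execute bits (owner, group, other) of a file, 0 if none are set."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o111


def demo():
    """Round-trip the sample script through a message and compare mode bits."""
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dst:
        script = make_executable_script(src)
        restored = attach_and_extract(script, dst)
        with open(restored, "rb") as fh:
            content_preserved = fh.read() == SCRIPT_BODY
        return {
            "original_executable": execute_bits(script) != 0,
            "restored_executable": execute_bits(restored) != 0,
            "content_preserved": content_preserved,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The content round-trips intact while the restored copy has no execute bit, which is why a plain script attachment needs the recipient to chmod it (or a launcher mechanism that does not require the bit) before it can run.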


Comment by WayOfTheIronPaw, on 17-Feb-2009 03:43

Hey, dude,

I sent you a message to your reddit foobar3001 account, but it looks like you haven't been posting from that for the last few days at least (I don't blame you) and I wanted to make sure you received it... The message was as follows:

I've been debating the severity of the exploit with a fellow redditor called lufthanza, here:

http://www.reddit.com/r/linux/comments/7wpnx/follow_up_how_to_write_a_linux_virus/c07ma71

One of the things that came out of that along the way was that the Exec= line has a limit of 1024 characters. And I assume that applies to all of the Name=value lines in the desktop file.

What I have discovered is that it is possible to add arbitrary Name=value lines to the file and they will be ignored (comments beginning with # would also work). What this means is that an arbitrarily large payload can be base64 encoded and included within the desktop file.

Encoding is as follows: base64 -w 1000 > desktop_shortcut

The Exec= line to decode this is: Exec=bash -c 'mkdir -p ~/.hack; NUM=0; while grep "Payload\[$NUM\]" ~/Desktop/hack; do NUM=$((NUM+1)); done | cut -d= -f2 >> ~/.hack/encoded; base64 --decode ~/.hack/payload.tar.gz'

As you can see, one would need to add a couple of commands to unpack the payload and run it. I also haven't tackled the issue of finding the desktop file if it isn't saved to ~/Desktop. I suspect the best that can be done there is to look in ~/Desktop, ~/Download and ~/tmp.

I think you're doing the right thing in raising this as an issue, even if it is contentious.


Comment by robsku, on 17-Feb-2009 05:28

Originally the most common way to start spreading a virus was to infect an executable with it - that needs user intervention just like this; the user usually had to (and in the case of many viruses, still has to) run the executable for the virus to spread. Now use this technique to write a program that infects the system and keeps spreading (the most simple thing that comes to mind would be infecting the user's .bashrc and every possible executable found that the user has write rights to) and it will, by any definition, most certainly be correct to call it a virus.

I'm with you on this, foobar


Comment by Karthik, on 18-Feb-2009 07:55

Well,

Many distros (Ubuntu and now OpenSUSE) create users with sudo privileges by default. So your exploits are easier and deadlier than they appear.


Comment by Diego, on 18-Feb-2009 08:28

I filed a bug about this security problem in March, 2005 (https://bugs.freedesktop.org/show_bug.cgi?id=2714). I'm glad that you've been able to make the issue public...

IMHO, the obvious fix is just to require the +x bit. It's easy to fix in Gnome and KDE, and it's easy to deploy in existing distros (just make a script that sets +x in all the .desktop files)
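Diego's proposed fix, and his deployment step, as an added Python example (not code from the post, from GNOME or from KDE): a file is honoured as a launcher only when it is a Desktop Entry and has an execute bit, and a one-off pass marks the .desktop files already installed. Assumptions: a launcher is recognised by its first non-blank, non-comment line being `[Desktop Entry]` (the post says the desktops read the first line of the content, so the suffix is irrelevant); all file names and contents below are constructed, and the `Exec=` line only runs `true`. The mode check deliberately follows symlinks, so the softlink-from-/tmp case Jonas raised is judged by the target file's bits.

```python
import os
import stat
import tempfile

# Constructed sample files (not from the page); Exec only runs the `true` command.
LAUNCHER = b"[Desktop Entry]\nType=Application\nName=Text Editor\nExec=true\n"
DISGUISED = (b"[Desktop Entry]\nType=Application\nName=some_text.odt\n"
             b"Icon=x-office-document\nExec=true\n")
PLAIN = b"Just some notes, no launcher here.\n"


def first_meaningful_line(path):
    """Return the first line that is neither blank nor a '#' comment (assumed to be skipped)."""
    with open(path, "rb") as fh:
        for raw in fh:
            line = raw.strip()
            if line and not line.startswith(b"#"):
                return line
    return None


def is_desktop_entry(path):
    """Content-based test: the suffix is ignored, just as the desktops ignore it."""
    return first_meaningful_line(path) == b"[Desktop Entry]"


def has_exec_bit(path):
    # os.stat follows symlinks, so a link in ~/Desktop is judged by the file it points to.
    return bool(stat.S_IMODE(os.stat(path).st_mode) & 0o111)


def would_launch(path):
    """The proposed policy: launch only a Desktop Entry that also carries +x."""
    return os.path.isfile(path) and is_desktop_entry(path) and has_exec_bit(path)


def audit(directory):
    """List Desktop Entries in directory that lack +x (the ones the policy demotes to plain text)."""
    findings = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path) and is_desktop_entry(path) and not has_exec_bit(path):
            findings.append(name)
    return findings


def mark_existing_launchers(directory):
    """Deployment step: give the already-installed *.desktop files +x so they keep working.

    Files without the .desktop name, such as a disguised attachment, are left alone.
    """
    changed = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if name.endswith(".desktop") and os.path.isfile(path) and is_desktop_entry(path):
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if not mode & 0o111:
                os.chmod(path, mode | 0o111)   # the equivalent of `chmod +x`
                changed.append(name)
    return changed


def build_sample_dir(directory):
    """Populate a constructed directory standing in for ~/Desktop."""
    files = {
        "editor.desktop": (LAUNCHER, 0o755),   # properly installed launcher
        "stale.desktop": (LAUNCHER, 0o644),    # launcher from before the fix, no +x yet
        "some_text": (DISGUISED, 0o644),       # the disguised attachment, saved as-is
        "notes.txt": (PLAIN, 0o644),           # ordinary document
    }
    for name, (content, mode) in files.items():
        path = os.path.join(directory, name)
        with open(path, "wb") as fh:
            fh.write(content)
        os.chmod(path, mode)
    # Jonas's scenario: a softlink on the desktop pointing at the file saved elsewhere.
    os.symlink(os.path.join(directory, "some_text"), os.path.join(directory, "desktop_link"))


def demo():
    with tempfile.TemporaryDirectory() as d:
        build_sample_dir(d)
        names = sorted(os.listdir(d))
        before = {n: would_launch(os.path.join(d, n)) for n in names}
        lacking = audit(d)
        fixed = mark_existing_launchers(d)
        after = {n: would_launch(os.path.join(d, n)) for n in names}
        return {"before": before, "lacking_x": lacking, "fixed": fixed, "after": after}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Under this policy the disguised `some_text` and the softlink to it stay inert even after the deployment pass, because only files actually named `*.desktop` are touched; a launcher that arrives by mail has no way to acquire the bit on its own (an attachment carries no mode bits). The caveat of the deployment script is that it blindly trusts whatever `.desktop` files are already present, so it belongs in a package upgrade, not in a user's download directory.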


Comment by Steve, on 18-Feb-2009 17:07

By any standard technical definition, this is not a computer virus. You're writing a technical article (which isn't half bad, by the way), yet INSIST upon using the "layman's" definition of a "virus".

Just for your future articles, I don't think you should be doing that. Others feel the same way. Yes, I do understand that a majority of people call what you describe a virus, and apparently you even know better, yet choose to call it a virus anyways.

To be honest with you, I, personally, think that's pretty damn cheap. Mistakes are mistakes, but if you're going to write a technical article, you should use the proper terminology, or expect the kind of comments you've been receiving and graciously admit that you've either made a clerical error or an error in judgement.


Comment by Joe, on 18-Feb-2009 19:20

Does anybody really believe that GNU/Linux is invulnerable to the average user's ignorance? I doubt it. This post is just dumb to suggest it. When people recommend it they aren't wrong to suggest it is more secure. It still has better defaults than MS Windows. For better and worse things are changing in certain areas to accommodate less technical users. That doesn't mean it has lost all its advantages. For once users don't need to use repositories to install software easily. For once users can get infected more easily. Users still have to approve of the installation. Users who save a desktop file are still going to have to be tricked into executing it. If this were more automated I'd be concerned. It isn't. It still requires significant user interaction.

I like the fact you are pointing out things that the community has failed to make corrections for. This is a good thing. It seems like that before a desktop file is executed for the first time a warning should be displayed warning the user of a possible danger and that they should not execute the file unless they are sure it is safe. Asking the user before anything is executed that may possibly infect them is key. Any user who then succumbs to malware has only themselves to blame, or is in a situation where the machine needs to be limited in some way.


Comment by deant, on 18-Feb-2009 21:49

All this made quite a fuss. I don't have time to read all comments, I just post mine as if it were first. My point is: report this to Gnome and KDE developers along with the possible solutions. Both desktops are evolving well, so let's do this smart and do it together. Let's make KDE and Gnome real alternative desktops.

peace all, and work together.


Comment by Barton, on 19-Feb-2009 07:32

It might be a good idea to set the immutable bit on the files in ~/local/share/applications with chattr. While this would mean that updates would be a bit more difficult, it would prevent anyone from exploiting your root attack.

Then again it would always be a good idea to take a look at anything that one downloads using a text editor. If one did that, your launcher exploit would soon be discovered. Also one could run such interesting but suspect stuff in a virtual machine. But then again that means the user is pretty careful, and your exploit expects that some users are not!


Comment by George, on 20-Feb-2009 08:37

do I really have to write a malicious auto propagating "thing" and send it out to all those wannabe "I am secure because using linux" experts and watch with amazement how half of the geek world gets washed away by my contraption?

Come on, take this seriously! This exploit can be nicely designed so that even experts can be fooled.

True, it's about fooling people, but as long as humans use computers, all malware is just fooling people.

The suggestion to not execute anything in a .desktop file when the desktop file has no execute bit is the best thing to do!

Other OSes have the information "this has been downloaded from the internet, really run it?" kludge pasted on the file manager. We don't need it, we only need correctly designed desktop managers who know what execute is and how to handle it.


Comment by Salih Goncu, on 21-Feb-2009 00:15

Well, in fact, foobar got the terminology right.

Who told you that viruses (virii) spread without user intervention?

Remember the old days when viruses spread through floppies. The user had to insert the infected floppy into the drive for the infection to proceed, and this is user intervention. Or the user had to run the infected application, which now puts it in the place of a Trojan. The only "self propagating" type of malware is the worm. It uses the security holes in the underlying system to spread.

Consider a boot virus: The system should be booted with the infected floppy, and the user should be fooled into using the infected floppy to boot her system.

Consider a file virus: The user should be fooled into executing the infected executable, so that the virus code can execute and infect the rest of the files.

In any case, you need to fool the user to do what the attack vector requires. These are called viruses and by this definition, what author showed is a virus.

Don't try to show off here. Anyone who used floppies once upon a time can get the analogy right. It is you - the commenters who say that we need to get the terminology right - who are in fact getting the terminology wrong.

That's my 2 cents.


Comment by Lumpy, on 23-Feb-2009 00:51

I am a total newbie when it comes to Linux. I have tinkered with it in the past, but it just wasn't there for me yet. Like so many others, I was married to the money slaver because of my job requirements.

When my computer service job went from fixing broken computers to almost exclusively recovering systems from malware from the same people over and over again, I decided to get out of it. I have had my fill of m$ users who leave their passwords taped to their monitors in an open public place, constantly visit porn sites and turn off their anti-virus because it slows their computer down and refuse to change their habits to protect their valuable data or personal information.

The Bible tells us that a dog returns to his own vomit and a pig will trample your pearls. The fact is - you can't save an idiot from himself.

While I believe your article title is deceiving, you bring up two valid points -- There is a vulnerability and it can be fixed.

I can't tell if KDE and Gnome use the same 'launcher' or if they just use the same method of launching programs, but according to what I am reading, the easy fix is to edit the launcher so it will not launch a script, etc. without the execute flag set.

Based on what I am reading here, the only thing needed for an email virus checker to do is test to see if an attachment might become an executable if launched from a desktop. That sure beats searching for 125,000+ virus patterns for every email...

If KDE and Gnome are known for this vulnerability, why hasn't someone made a contribution of code to fix it? Are they not supported by the community?

So what are the odds of a "virus" running thru Linux like one does in m$? If one sends an email to a random list of 1,000,000 emails, how many will be Linux? maybe 100,000? Then how many will run KDE or Gnome? 50,000? then how many will click on a porn ad? 30,000? then how many will move the 'link' to their desktop to execute it? maybe 1,000? Even Linux users don't like spam and will think twice before reading an email from a stranger unless it is something they want to read.

I think a Linux 'virus' will virtually starve to death in the wild very quickly, especially if it requires personal intervention to be executed.

So, really, how much of a threat is this 'virus', as you call it?
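Lumpy's suggestion above, that a mail scanner only needs to check whether an attachment would be treated as a launcher, as an added Python example (not part of the post or of any mail product). Consistent with Burninator's finding in the follow-up, it classifies by content rather than by the `.desktop` suffix, and it reports the `Name=` that Gnome would display beside the real attachment name so an analyst can see the mismatch. The sample message and its three attachments are constructed, and the launcher's `Exec=` line only runs `true`.

```python
import email
from email import policy
from email.message import EmailMessage

# Constructed launcher content (not from the page); Exec only runs the `true` command.
LAUNCHER = (b"[Desktop Entry]\nType=Application\nName=some_text.odt\n"
            b"Icon=x-office-document\nExec=true\n")


def parse_desktop_entry(data):
    """Return the key/value pairs of the [Desktop Entry] group, or None if data is not a launcher.

    Blank lines and '#' lines before the group header are skipped (assumed to be comments);
    the filename plays no part in the decision, mirroring how the desktops behave.
    """
    lines = data.decode("utf-8", errors="replace").splitlines()
    meaningful = [ln.strip() for ln in lines if ln.strip() and not ln.lstrip().startswith("#")]
    if not meaningful or meaningful[0] != "[Desktop Entry]":
        return None
    entry = {}
    for line in meaningful[1:]:
        if line.startswith("["):        # a further group begins; the main group is complete
            break
        key, sep, value = line.partition("=")
        if sep:
            entry[key.strip()] = value.strip()
    return entry


def scan_message(raw_bytes):
    """Flag every attachment whose content is a Desktop Entry, whatever its name says."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)
        if data is None:
            continue
        entry = parse_desktop_entry(data)
        if entry is None:
            continue
        filename = part.get_filename() or "(unnamed)"
        findings.append({
            "attachment": filename,
            "has_desktop_suffix": filename.endswith(".desktop"),
            "displayed_as": entry.get("Name", filename),   # what Gnome would show instead
            "type": entry.get("Type", ""),
            "exec": entry.get("Exec", ""),
        })
    return findings


def build_sample_message():
    """Constructed sample mail: one harmless text file and two launcher attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"      # constructed address
    msg["To"] = "recipient@example.invalid"     # constructed address
    msg["Subject"] = "constructed sample"
    msg.set_content("Please find the attached documents.")
    msg.add_attachment("Quarterly notes, plain text.\n", filename="notes.txt")
    # Disguised launcher: no suffix at all, as the follow-up recommends against.
    msg.add_attachment(LAUNCHER, maintype="application", subtype="octet-stream",
                       filename="some_text")
    # Launcher with the tell-tale suffix, for comparison.
    msg.add_attachment(LAUNCHER, maintype="application", subtype="octet-stream",
                       filename="report.odt.desktop")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in scan_message(build_sample_message()):
        print(finding)
```

The check costs one header comparison per attachment, which is Lumpy's point: no signature database is needed to decide that an attachment would behave as a launcher if it reached the desktop. A gateway could quarantine such attachments or rewrite them so the recipient sees plain text.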


Comment by Madman, on 25-Feb-2009 00:14

Who cares WHAT he calls it? The point is, it's a vulnerability. If morons are going to use Linux, they aren't going to care what it's called, if they execute it and it does damage, they won't like it too much.

More importantly, this article has drawn enough attention to have the KDE devs working on a solution: http://commit-digest.org/issues/2009-02-08/

(I'm not sure whether HTML works in this blog). Hopefully, the solution can be ported for GNOME and other DEs with this vulnerability. Even more hopefully, these will be implemented in the next feature release (or even bug release) of each DE.

I have to say, it was a very clever discovery on your part. One feature that Linux definitely has that Windows doesn't: direct communication between users and developers. It's not just some company on the other side of the phone line. These people DO listen.


Comment by Sleepy, on 26-May-2009 14:23

Good article. Thanks foobar. Traditional "computer viruses", targeted individual computers. Modern "net viruses" target "the Internet." While computer viruses replicate themselves on a single computer, net viruses spread over the Internet, often using email. Most writers of definitions do not appear to have appreciated this subtlety. You appear to use "virus" in this more modern sense.


Comment by bidossessi, on 23-Jul-2009 03:59

the issue is being addressed:

http://lists.freedesktop.org/archives/xdg/2009-February/010212.html


Comment by Stefan W., on 5-Nov-2009 12:35

I have two unraised questions:

1) To spread from machine to machine, you need the worm to send itself further. You said that, in pseudocode, this isn't an issue.

Isn't it?

A desktop machine normally doesn't have sendmail installed. So how is the mail sent?

2) You need the people to run your desktop files. How do you convince people by a mass mail to install the attachment? On Windows systems, it is common usage to claim gratis Photoshop or Office programs, which isn't useful on Linux, where the software normally is free by default. There will be much more suspicion of 'install me!' mails than on Windows.

I don't believe your kind of worm would spread, either. Some narcissistic hackers surely already tried such, to be the author of the first widespread Linux worm since 1888.


Comment by Thomas, on 12-Apr-2010 01:29

Hello,

thank you very much for your two posts!

I am just the naive user who is attracted to Linux because it has fewer problems than Windows (so I was told). Thank you for making geeks aware that a species of my kind exists! CHIP, a big computer magazine in Germany, invites people to try Linux and claims it is so user friendly. So more of my kind are to be expected!

I have been a Linux user for 4 weeks and am still struggling with getting my loudspeakers to run and similar stuff. I read Ubuntu wikis and type (or copy) commands into a shell which I have no idea what they mean. Would it be possible to hide dangerous code underlying such a helpful line in a helpful wiki?

I use OpenOffice and Firefox. So I need a helpful extension for writing in Indian languages, or preformatted letter or graphics, wallpapers etc. That would be a nice place I imagine to hide dangerous code for Windows as well as for linux.

Naturally I have read what the difference between a virus and a trojan horse etc. is, and pressed hard I could give a somewhat more or less correct idea, but I do not care, anything which disturbs my works (like spam) or wants to get control over my bank account etc. is bad in my opinion, whatever the exact technological name for that. So you are absolutely right, there is an "idiot" behind a box which is not eager to learn computers but who wants to do (!) something with it and if one click is enough why do more?

What I like: your articles are from 2009, now is April 2010 and I expect this is still valid. Some information I read in the net is from 2004 or 2006 and I have no idea if that information is still important for Linux users.

Thanks again for making me aware!

Kind regards to all geeks out there!

Thomas (a member from the silent mass, looking for solutions from you!)


Comment by Joe, on 7-Jun-2010 19:54

Why the modern GNU/Linux environment is more secure than the modern MS Windows environment today has nothing to do with the existence of the execute bit or root. The modern desktop environment is more secure because of package management and repository structures. Users get infected because they don't know what is safe to install and what isn't. Followed by gaps in security left by proprietary software. Largely Microsoft's fault.

Security updates on GNU/Linux are all streamlined. It doesn't matter if it is an operating system update or an update for an application. The user is presented one screen every so often and they don't need to manually update every application like on MS Windows. Users know the screen that is safe to say ok to and they do it. Users aren't dumb. They can figure that out. It is when you present them with 20 different screens that they don't do it. If you give an average person a GNU/Linux system and tell them not to install 'coupon printers', 'plug-ins', and other software without consulting technical support most will listen to you. And combined with a blacklisting plug-in for Firefox that replaces anti-virus you really can't screw it up. Most users don't install much software anyway. Plus, the vulnerabilities that most Java applets take advantage of to install spyware just don't exist in GNU/Linux. The Java vulnerabilities sometimes-to-often do, but not the OS ones. As long as you point out the Ubuntu Software Center, give them a tech support number to call in the event of a problem, and a Firefox plug-in that blacklists sites, most users are OK.

By the way I do computer repair and support for errTech and sell Penguin computers for www.ThinkPenguin.com full time and I can tell you that this stuff works. People don't get infected and it is easy to use.


Comment by fuzzynuss, on 4-Nov-2011 07:45

I know this blog's a bit old, but I should just point out that the file type under Unix/Linux systems is normally handled by the core OS using a magic number in the file header, which is defined in a file as to what the file is. 'file filename' ('man file', as it explains quite a bit) in a terminal is the tool the X window manager is likely to use to determine the file type, as extensions mean nothing to Unix.


Comment by chris, on 5-Nov-2011 00:32

Reading some more: firstly, there are 3 execute bits, one each for the owner, group and other. 'chmod' is the best for setting all or individually; you can also set read/write and execute for all using binary, 'chmod 777 filename', rather than just +x. Someone mentioned finding the .desktop file after quite a neat single-line script. 'which filename' will return it if it's on the current path as specified in the .profile file in the current user's home directory; if not, then 'find / -name "filename" -print 2>/dev/null' expressed into a variable might help, but the hard drive will go crazy for a bit.


foobar's profile

New Zealand


  • Who I am: Software developer and consultant.
  • What I do: System level programming, Linux/Unix. C, C++, Java, Python, and a long time ago even Assembler.
  • What I like: I'm a big fan of free and open source software. I'm Windows-free, running Ubuntu on my laptop. To a somewhat lesser degree, I also follow the SaaS industry.
  • Where I have been: Here and there, all over the place.