Korean Mozilla Binaries Infected

Posted by CmdrTaco
from the caught-with-their-pants-down dept.
Magnus writes "Korean distributions of Mozilla and Thunderbird for Linux were infected with Virus.Linux.RST.b. This virus searches for executable ELF files in the current and /bin directories and infects them. It also contains a backdoor, which downloads scripts from another site, and executes them, using a standard shell."
  • Virus data (Score:5, Informative)

    by NoInfo (247461) * on Wednesday September 21, 2005 @09:42AM (#13613011) Homepage Journal
    This virus has been in the wild since at least early 2002.

    Here's Symantec's take on the virus:

    http://securityresponse.symantec.com/avcenter/venc/data/linux.rst.b.html

    • by Anonymous Coward on Wednesday September 21, 2005 @10:02AM (#13613244)
      If the poster had read and UNDERSTOOD the original article, he would have realised that it was only a general hint about dangers that can happen when you download binaries. He refers to an OLD Mozilla security breach (check out the version numbers).

      "Infected binary or source code files aren't anything new. And sometimes they are found on public servers. Mozilla.org is the latest example.

      Korean distributives for mozilla and thunderbird for linux turned out to be infected - mozilla-installer-bin from mozilla-1.7.6.ko-KR.linux-i686.installer.tar.gz and mozilla-xremote-client from thunderbird-1.0.2.tar.gz were infected with Virus.Linux.RST.b"
      • by NickFortune (613926) on Wednesday September 21, 2005 @10:52AM (#13613721) Homepage Journal
        "Infected binary or source code files aren't anything new. And sometimes they are found on public servers. Mozilla.org is the latest example.

        mmm... So do you not think the phrase "Mozilla.org is the latest example" is just the teeniest bit misleading in this context? You know, what with most people taking "latest" to mean "happened very recently" as opposed to "even so, there hasn't been one for simply ages so I wouldn't get too worried".

        Not that anyone would do such a thing deliberately, of course... Except I can't help wondering how many people pondering a change away from Windows/IE will read that and form a false impression of Mozilla and Linux.

        Now who could that benefit, I wonder...

    • by doublem (118724) on Wednesday September 21, 2005 @11:07AM (#13613838) Homepage Journal
      See! Windows and IE ARE more secure!!!

      MWHAHAHAHAHA!!!!!!!!!

      The larger number of exploits in Firefox is just the tip of the iceberg!

      Open Source, you are going DOWN!

      And I for one, welcome our new DRM laden overlords.

      Oh, wait, they're not NEW overlords, they've been the overlords for a few decades now.

      Well, I welcome them anyway.
    • Re:Virus data (Score:5, Insightful)

      by SimGuy (611829) <.ten.yugmis. .ta. .nivek.> on Wednesday September 21, 2005 @11:19AM (#13613933) Homepage Journal
      And sadly, Linux administrators have been unable to suitably protect their systems in all this time, so it continues to be a pain in the ass, never really going away. I work for a hosting company, and I've dug Linux.RST.b out of too many servers.

      I think too many Linux admins don't believe there's such a thing as a Linux virus. Usually the easiest way to recognize the infection is if a large number of common programs in /bin like "grep" start crashing. Tends to make boot up and shutdown clumsily fail.
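    A defensive counterpart to the symptom SimGuy describes, added here as an example and not code from any poster: a baseline integrity check over the ELF files in a directory, which names the binaries whose contents changed since a known-good snapshot was taken. The directory, file names and "tampering" below are constructed for the demonstration.

```python
"""Added example (not from the thread): a baseline integrity check for ELF
executables, run as an ordinary user against a directory such as /bin.  The
story's virus rewrites ELF files in the current directory and /bin, so a
content hash taken when the system was known-good and stored offline will
show exactly which binaries changed.  All paths and files below are
constructed for the demonstration."""
import hashlib
import json
import os
import stat
import tempfile

ELF_MAGIC = b"\x7fELF"   # first four bytes of every ELF file


def is_elf(path):
    """Cheap ELF test on the file header; unreadable files count as non-ELF."""
    try:
        with open(path, "rb") as f:
            return f.read(4) == ELF_MAGIC
    except OSError:
        return False


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(directory):
    """Map name -> {sha256, size, mode} for every regular ELF file in directory.
    Symlinks and non-ELF files (shell scripts, data) are skipped."""
    result = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.islink(path) or not os.path.isfile(path) or not is_elf(path):
            continue
        st = os.stat(path)
        result[name] = {"sha256": sha256_file(path),
                        "size": st.st_size,
                        "mode": stat.S_IMODE(st.st_mode)}
    return result


def compare(baseline, current):
    """Report modified, added and removed binaries relative to the baseline."""
    modified = sorted(n for n in baseline
                      if n in current and baseline[n]["sha256"] != current[n]["sha256"])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return {"modified": modified, "added": added, "removed": removed}


def demo():
    """Constructed scenario: a fake bin directory is baselined, then one binary's
    content changes and an extra ELF file appears, the trace a file infector
    leaves behind; the comparison must name exactly those two files."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("cat", "grep", "ls"):
            with open(os.path.join(d, name), "wb") as f:
                f.write(ELF_MAGIC + b"\x02\x01\x01" + name.encode() * 8)
        with open(os.path.join(d, "runme.sh"), "wb") as f:
            f.write(b"#!/bin/sh\necho hi\n")            # not ELF: ignored
        baseline_json = json.dumps(snapshot(d))         # what you keep offline
        # Tampering: grep's content changes, an extra ELF file appears.
        with open(os.path.join(d, "grep"), "ab") as f:
            f.write(b"tampered-bytes")
        with open(os.path.join(d, "newbin"), "wb") as f:
            f.write(ELF_MAGIC + b"\x02\x01\x01")
        findings = compare(json.loads(baseline_json), snapshot(d))
        findings["baseline_count"] = len(json.loads(baseline_json))
        return findings


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

    The same snapshot/compare pair works against a real /bin with the baseline JSON kept on read-only media; it needs only read access to the directory, so it runs as an unprivileged user.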
  • by SpocksLoveChild (829854) on Wednesday September 21, 2005 @09:42AM (#13613012)
    it's a virus?... for linux? I'm sorry but I just don't understand the situation?
    • by Anonymous Coward on Wednesday September 21, 2005 @09:50AM (#13613115)
      No worries. That is common for most slashdot readers.
    • by Crusader7 (916280) on Wednesday September 21, 2005 @10:12AM (#13613344) Journal
      That's because viruses on Linux are so rarely reported due to their limited scope of effectiveness. Since Windows is more popular in the combined server and desktop markets, outbreaks cause significantly more damage (though I'm willing to bet the damage caused per exploited system is a far lower average than the lower volume, but higher cost server attacks that UNIXes more often suffer). In addition, Windows users tend toward not being so, how to put it nicely, interested in learning the proper maintenance of their systems (hey, I'm not complaining, doing it for them pays my bills), so they tend to frequently get infected by things that don't exploit security holes in the systems but rather excess holes in the heads of the users.

      Compare to Linux in which most exploits are a result of actual security problems in either the kernel or the supporting applications, and you have less widespread attacks that affect fewer systems.

      Difference in market shares, my friend. If you want to exploit a Linux system you're probably an attacker targeting a specific network and installation for a very specific purpose (making this attack something of an oddball). If you're looking to exploit a Windows system, however, you're more likely just a general Internet thug trying to install spam bots and backdoors on home machines. The latter causes more problems since the target is a much, much larger pool of users, so the latter gets more heavily reported even though the targeted attacks usually cause more on-average damage.
      • by glesga_kiss (596639) on Wednesday September 21, 2005 @10:52AM (#13613718)
        That's because viruses on Linux are so rarely reported due to their limited scope of effectiveness.

        That's a fallacy. Linux is just as vulnerable to trojaned installers as any other OS. You install mozilla as root, right? Debian apt runs as root, so you'd better be trusting those apt repositories, and all of the contributors.

        OS security does help against worms and other methods of infection, but dealing with trojans is a 90% user function. This improved security, along with market share (as you point out) is what makes Linux "safer". To get a virus on Linux, you essentially have to do something wrong yourself. Which is no consolation to the gran and grandpa users; "Download Weather Bar (linux version)" popups are only a few years away...

        • by ivan256 (17499) on Wednesday September 21, 2005 @11:34AM (#13614058)
          Debian apt runs as root, so you'd better be trusting those apt repositories, and all of the contributors.

          Since official Debian packages are signed, it's easy to trust the repository and the contributors due to the magic of the PGP web of trust and the Debian developer vetting process. It's not like you're installing software from some random people you don't know, and it's certainly not like the mirror you use could be compromised as long as the signature is valid.

          You install mozilla as root, right?

          Is somebody forcing you? I never install as root if the package didn't come from a trusted location. If I want to test a nightly, even the binary tarballs from mozilla.org go in my user directory, and aren't installed system wide.

          It's the dumb user that's vulnerable, not the OS. That's equally as true for Windows as it is for Linux.
  • by bugbeak (711163) on Wednesday September 21, 2005 @09:43AM (#13613018)
    Guess anything that can be programmed is also vulnerable, regardless of how impenetrable it is.
  • "Mozilla hits back at browser security claim"

    BWAHAHAHAHAHAHA.

    • Well this has nothing to do with their browser's security. It really has to do with the security of the Mozilla servers in Korea.
    • by tpgp (48001) on Wednesday September 21, 2005 @09:59AM (#13613214) Homepage
      "Mozilla hits back at browser security claim"

      Funny? Yes. True? No - you see it's not exactly a Mozilla problem.

      Whilst searching for more information about this, I stumbled across this page [mozillazine.org] (last time these servers were hacked in June).

      Choice quote:

      Unlike Mozilla Europe, Mozilla Japan and Mozilla China, the Korean Mozilla site is not officially affiliated with the Mozilla Foundation.


      So, it's not mozilla.org (the article states "on public servers. Mozilla.org is the latest example")

      It's someone who's taken the Mozilla source and made their own binaries. A problem yes, a serious problem even, but not to the scale that Kaspersky Labs would have us believe.

      Who would have thought it? A security company overhyping an issue!

      I'm not sure why they bother. Do they really think stories like this are going to make linux users go and buy their security 'solution'?
  • Ha. (Score:5, Funny)

    by Anonymous Coward on Wednesday September 21, 2005 @09:43AM (#13613021)
    So much for OSS security. Show me one instance of this happening to Microsoft...

    Oh, wait.

    • Re:Ha. (Score:3, Informative)

      by Slack3r78 (596506)
      Interestingly, MS also shipped a Korean [microsoft.com] product infected with a virus (Nimda). Clearly this is a case of OSS being unable to innovate on their own, stealing valuable ideas from Microsoft.

      HOW YOU RIKE ME NOW HANS BRIX? :-P
  • by Anonymous Coward on Wednesday September 21, 2005 @09:44AM (#13613025)
    Birdflu ?
  • by eno2001 (527078) on Wednesday September 21, 2005 @09:44AM (#13613026) Homepage Journal
    ...expect to see more of this as the popularity of OSS continues. Of course, unlike Windows it won't get far since MOST users are smart enough to not be running as root.
    • Um... (Score:5, Insightful)

      by Noksagt (69097) on Wednesday September 21, 2005 @09:51AM (#13613118) Homepage
      Of course, unlike Windows it won't get far since MOST users are smart enough to not be running as root.
      Most users still install software as root & even if they don't, the user usually has access to /bin & would be able to run scripts.
      • Re:Um... (Score:5, Insightful)

        by Lussarn (105276) on Wednesday September 21, 2005 @10:02AM (#13613245)
        Almost all programs on Linux, about 99.99%, are distribution supplied and aren't likely to have viruses/trojans/spyware in them.
      • the user usually has access to /bin

        Write access ?
    • by NineNine (235196)
      So then are you saying that only security experts run Linux, or that all Linux users somehow magically learn about what "root" is upon installation? I'm not understanding what you're saying, since I've never met a non-IT person who knew that "root" had anything to do with computers.
      • by arkanes (521690) <arkanes AT gmail DOT com> on Wednesday September 21, 2005 @10:17AM (#13613395) Homepage
        User-friendly distros (like Ubuntu) borrow a page from OS X and don't even expose the root account. You create a user account in setup, you're prompted for your admin password when you need to install stuff, and when you use the CLI you use sudo. Therefore, without taking proactive steps, it's not even possible to run programs as root, and you have to go well out of your way to log in as root.
    • Of course, unlike Windows it won't get far since MOST users are smart enough to not be running as root.

      And as we all know nobody installs Linux software as root. :)
    • Please explain how to install Mozilla on a generic linux box without being root. If the installer binaries are infected, well, you're screwed.
    • because most users run as root despite being smart enough to know it's safer not to. For the same reason New Orleans didn't have category 5 safe levees, most users spend a lot of their time running as root. It's simply easier to take the risk and, unless your system is critical, getting taken down once in a while just represents an opportunity to clean up. Especially in America, we like our freedom and we are risk takers. It's in our blood.
  • Is this the first time a linux virus has been spreading in the wild?
    • by imr (106517) on Wednesday September 21, 2005 @09:56AM (#13613185)
      Where does it say it spread?
      It is a 3-year-old thing and it never spread, why should it now?
      It has been found somewhere on some server in some package.
      OK, then?

      Distros build their version of software from source, they check the sources, their users get their software from their distro.
      End of the story.

      Moral of the story:
      -don't download binaries from other sources than your distro.
      -don't install binaries from other sources than your distro as root.
  • by Ingolfke (515826)
    Steve Ballmer is going to have a good day today.
  • by teslatug (543527) on Wednesday September 21, 2005 @09:45AM (#13613043)
    A new flaw affecting Firefox users under Unix allows webmasters to craft a URL that when run from an application like Evolution can execute any command. The flaw stems from the use of backticks in the shell script used to launch Firefox. Read more about it here on the Secunia advisory [secunia.com]. Version 1.0.7 fixing the flaw is already out.
  • source? (Score:4, Informative)

    by mmkkbb (816035) on Wednesday September 21, 2005 @09:45AM (#13613045) Homepage Journal
    Where does this information come from? I can't find any corroborating story from another source. However, I did find this bit of trivia here [mozillazine.org]:
    Those hackers could just as well have served people distributions of Firefox infected with a virus.

    They could have easily replaced the app signatures to match the infected binaries.
    • I've just spent the last ten minutes searching for corroboration and all I found was the same thing you did. It is quite possible the hackers were serving up trojan binaries for a while before they defaced the site. That would fit in with the timeline and explain this pretty well.

      The other important point is that the Korean site was not officially affiliated with the Mozilla organization (unlike US, China, Europe, Japan, etc.). Because of this the Mozilla foundation had no control and couldn't impos
  • by smooth wombat (796938) on Wednesday September 21, 2005 @09:46AM (#13613062) Homepage Journal
    I can hear it now; "See, FF isn't as secure as its supporters claim it is."

    Whatever.

    Considering this only affects one operating system (Linux) and occurred in only one area of the world (Korea), despite this flaw it's still a whole bunch better than getting an update for IE or Outlook and having everyone who uses Windows, regardless of where they are in the world, being infected.
    • aside from the obvious jokes about their perceived security issues, I don't know that Microsoft's update servers have ever dumped viruses onto people, have they?
      • This wasn't a "Linux Update Server". There is no such thing. It was a virus planted in ONE APPLICATION, in ONE LANGUAGE. Mozilla also runs on several other platforms, in several other languages. Using any MS vs. Linux comparison is totally void in this context.

        This is a reflection of the people managing the Korean servers, not of Mozilla. It is not Mozilla's server or under their control. All these references to yesterday's security report on Mozilla are irrelevant, as they simply do not apply.

        You
  • And that applies to Linux as well. Yet another example of why you should have an up-to-date antivirus solution, and scan EVERYTHING you download, without exception. This is what we ought to teach end users to practice, and system admins also need to follow advice on this. Understanding SELinux, firewalling and virus detection is crucial.
  • by dtfinch (661405) * on Wednesday September 21, 2005 @09:49AM (#13613090) Journal
    First the unofficial Korean Mozilla site in July, and now long obsolete versions of the Korean Mozilla (not Firefox) and Korean Thunderbird builds. I doubt anyone was infected, nor was that likely the intent, especially given the old, neither stable nor current, version numbers, but one thing is clear. Someone out there really doesn't like Koreans.
  • Permissions? (Score:4, Insightful)

    by InternationalCow (681980) <mauricevansteenselNO@SPAMmac.com> on Wednesday September 21, 2005 @09:50AM (#13613110) Journal
    Well, the symantec description wasn't very useful to me. But if I read it right, the virus tries to infect /bin. But iirc it will have to be run with root privileges in order to be able to infect /bin. Dunno about you guys, but I never ever unpacked firefox builds into my home directory when running as root. Basic security. So, if I understand this correctly, it only infects /bin when you've been sloppy. Not much of a threat, is it?
  • Infecting /bin? (Score:5, Insightful)

    by Danathar (267989) on Wednesday September 21, 2005 @09:51AM (#13613128) Journal
    I'm assuming this can only occur if you installed the virus infected material as root?

    Nothing new here....if you install software as root from a compromised source and don't check the md5sums along with other precautions you put yourself at risk
    • Re:Infecting /bin? (Score:3, Informative)

      by chill (34294)
      Enlighten me. How do MD5 sums protect you from trojaned software? If it was a mistake on the part of the maintainer, wouldn't they have hashed the trojaned software to begin with? If it was malicious, anyone who could have uploaded the trojan could have uploaded the hash.

      In either case, the hash would have shown valid. I was under the impression hashes (MD5, SHA-1) were mostly just for making sure nothing was corrupt in the transfer.

      Digital signatures are for ensuring validity, though they wouldn't prot
    • Re:Infecting /bin? (Score:4, Insightful)

      by Zathrus (232140) on Wednesday September 21, 2005 @12:33PM (#13614564) Homepage
      I'm assuming this can only occur if you installed the virus infected material as root?

      Last I checked all the major repository systems (rpm, apt, etc) require you to do so. Yup.

      if you install software as root from a compromised source and don't check the md5sums

      Checking the md5sums will do you absolutely no good unless you get the md5sum from a completely independent source -- which isn't true in most cases. In this case there was no independent source -- the Korean site compiles it and distributes it themselves and is not affiliated with the Mozilla foundation.

      along with other precautions you put yourself at risk

      My, that's nebulous. What precautions?

      You could compile from source... and then you're safe as long as someone didn't trojan the CVS server (either intentionally or maliciously). Or are you going to evaluate every line of code prior to compiling it as well? Make sure to double check your compiler and libraries -- if they have a trojan injector then you'll have one hell of a time figuring that out.

      No, it's not anything new. But it should be a wakeup call to a lot of people who think they're "safe" for running non-mainstream software. We're not -- we're just a smaller target. It's just a twist on "security through obscurity", and that's been proven to be inadequate countless times.
  • only old people get infected
  • by Shaman (1148) <shaman.kos@net> on Wednesday September 21, 2005 @09:52AM (#13613137) Homepage
    Then you'll know this virus was distributed on purpose or the core distribution was hacked and the hackers distributed it on purpose.

    You'll also know that the virus isn't infecting *anything* unless you're running as root or you're using a version of kernel and glibc that have specific flaws to allow the virus to do something as a regular user. Are they using a kernel and software from 2001? Maybe, for all I know, but that's pretty irresponsible if they are.

    This is such a non-issue for anyone except the stunned distributor that sent around the CDs. Not the first time it happened to the Windows world, either.
  • by Bogtha (906264) on Wednesday September 21, 2005 @10:01AM (#13613235)

    Before everybody starts pointing out that they don't browse the web with their root account, and so can't write to any of the binaries on their system, you should be aware that one of the infected files is the installer - which most people do run as root.

    Also, even if you don't run the installer binary, but simply unpack the tarball manually, the release notes tell you to run included binaries as root as part of the normal multi-user installation process [mozilla.org].

    • While you're right that normally one installs software as root, installing software from an FTP site without checking at least the md5sum from a trusted origin is dumb.

      Unfortunately this part can't be fully automated, because you would rely on the untrusted package to find the originator sources, which can be faked, obviously..

      If the installation on Linux was standardised, maybe it could just ask the user where the originator website of the software is.
      But Linux distributions can't even standardise on a common pac
  • file permission... (Score:2, Insightful)

    by herve_masson (104332)
    Who is that guy who doesn't feel it necessary to specify that "/bin directories" can't be written to by non-root users... Jeez, "all about internet security", really? Make your facts accurate!
  • by Anonymous Coward on Wednesday September 21, 2005 @10:05AM (#13613276)
    This Linux virus was not an effective virus in 2002. It is even less effective now. The Firefox was about 2 versions old, so the infection rate is extremely low.
  • Oy... (Score:3, Insightful)

    by dpaton.net (199423) on Wednesday September 21, 2005 @10:17AM (#13613394) Homepage Journal
    When are people going to learn that the only truly secure computer is the one that's free of any connection to anything, wired or otherwise, powered off, encased in concrete, and then shot into the sun? Anything that people build will have some kind of vulnerability. The trick is mitigating them so that damage is minimal.

    Come on...this isn't rocket surgery. Use some common sense.
  • Alan Cox was right (Score:5, Insightful)

    by Saunalainen (627977) on Wednesday September 21, 2005 @10:24AM (#13613452)
    Yet another example of the lamentable state of modern computer security. This wouldn't be a problem if operating systems required a trusted signature for software to be installed.

    I use a lot of OS software (e.g. Firefox, NeoOffice/J, LyX, R), but the standard installation process on my platform (OS X) does not allow checking for an authentic signature. Why is this not built in? It doesn't have to be this way: for instance, Red Hat signs its own RPMs (though Debian's APT didn't support this last time I looked).

    We already have to trust the developers. We shouldn't have to trust every FTP server too.

    • by Tom (822)
      More recent versions of apt support signatures, and require confirmation before they will install an unsigned package.
  • no surprise (Score:5, Informative)

    by burnin1965 (535071) on Wednesday September 21, 2005 @10:50AM (#13613705) Homepage
    The web site was hacked 3 months ago and back then they admitted the site was not an official Mozilla site.

    http://www.mozillazine.org/talkback.html?article=6771


    Sorry for hack.
    by channy

    Thursday June 9th, 2005 6:39 PM


    This is Channy Yun, leader of Mozilla Korean Community. This site is not an official web site of Mozilla Foundation. And this hack originated from no patch for a PHP vulnerability at my hosting company for mozilla.or.kr. I will change it with backup and fix it with my ISP. Sorry for your worry.


    I'm thinking they should give up their domain, which likely causes the confusion and gives the false impression that what you are downloading from the site is an official Mozilla binary.

    burnin
  • by lpontiac (173839) on Wednesday September 21, 2005 @10:55AM (#13613750)
    But Mozilla as a whole (the organisation and the products) are already getting bad press for this.

    People have complained in the past about the Mozilla organisation being heavy handed about trademarks, and trademarks (eg the Linux one) have been getting a bad rap in general. But here's the other side of the coin - the actions of an organisation that identify themselves as "Mozilla", even though they're _not_ the Mozilla foundation, are tarnishing the reputation of the genuine article.
  • by ndogg (158021) <the.rhorn@gmail . c om> on Wednesday September 21, 2005 @11:50AM (#13614204) Homepage Journal
    It's about freaking time virus writers started supporting Linux and Mozilla...

    Err, wait...
  • by bmo (77928) on Wednesday September 21, 2005 @01:25PM (#13615044)
    If you're going to install a package such as FF, why bother going to an unofficial site that has had /known/ problems with security?

    www.internetnews.com/security/article.php/3512081

    Come on! Don't blame Mozilla.org for something that's not under their control. This goes double for the Windows idiots that point and say "oo! FF is just as vulnerable!" while forgetting that this is just like going to "Shady Joe's Windows Upgrades" instead of microsoft.com for SP2.

    --
    BMO
  • by Krellan (107440) <krellan@NoSpaM.krellan.com> on Wednesday September 21, 2005 @02:50PM (#13615776) Homepage Journal
    This has been a worry of mine for some time.

    Notice that when you use MSIE on Windows, it shows you the true URL of the site you are downloading from. In the download box, it will show you the URL it's downloading from, and you can see Mozilla's choice of mirrors around the world.

    With Firefox, however, you don't get to see this by default. It just shows the basename of the file you are downloading, not the full URL containing the hostname and directory path. By right-clicking on the progress bar in the Downloads popup window, and choosing Properties, you can then view the true URL, but many users don't know about this.

    If the user has turned on the "Ask me where to save every file" option, the popup file-chooser window also unfortunately does not show the true URL. It would be an ideal place to show it in this window, as there seems to be plenty of room there.

    Right now, I have to download the file multiple times, open the Properties to make sure I'm getting a different mirror, and then diff the files to make sure they're the same, before I can consider them trustworthy enough to install.

    By itself, this is just a nitpick, but it turns into a nasty bug when combined with other things:

    1) The user not being able to easily see the true originating URL of a file, before making the download decision

    2) Mozilla's decision to use a huge variety of seemingly random sites as mirrors, some more questionable than others

    3) Mozilla's decision to not have any way whatsoever of verifying the integrity of the download, such as a cryptographic signature

    Put all three together, and it's virus time!

    Microsoft: Smug Mode.

    With the large numbers of mirrors Mozilla uses, spread throughout the world, the odds of someone sneaking malware in there (either by ignorance, hacking, or a good old-fashioned bribe) are quite high.

    The solution probably lies in a plugin. If there's not already a plugin to let the user plainly see the true URL and verify where files are coming from, it should be made (I wish I knew how). The plugin should also have some cryptographic method of verifying a downloaded file, and Mozilla should sign all releases with a strong key. It's just basic common sense, and I'm shocked Mozilla hasn't done this already.
