Korean Mozilla Binaries Infected

Magnus writes "Korean distributions of Mozilla and Thunderbird for Linux were infected with Virus.Linux.RST.b. This virus searches for executable ELF files in the current and /bin directories and infects them. It also contains a backdoor, which downloads scripts from another site, and executes them, using a standard shell."
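A defender-side check for the behaviour the summary describes, added here as an example and not code from the story, from Kaspersky or from Mozilla: a sha256 baseline of a directory of binaries, compared later to list files an infector modified, removed or dropped. It assumes GNU coreutils (sha256sum) and paths without whitespace.

```shell
#!/bin/sh
# Constructed example: minimal integrity baseline for a directory such as
# /bin. A file infector that rewrites ELF executables changes their digests,
# so a later comparison against the baseline shows exactly what was touched.

# make_baseline DIR MANIFEST
# Records "<sha256>  <path>" for every regular file under DIR.
make_baseline() {
    find "$1" -type f -exec sha256sum {} + | sort -k 2 > "$2"
}

# check_baseline DIR MANIFEST
# Prints one line per modified, missing or newly added file and returns 0
# only when nothing changed. New files matter too: an infector may drop a
# helper next to the binaries it patched.
check_baseline() {
    dir=$1
    manifest=$2
    rc=0
    # Redirect (not pipe) so rc survives the loop.
    while read -r digest path; do
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"; rc=1
        elif [ "$(sha256sum "$path" | awk '{ print $1 }')" != "$digest" ]; then
            echo "MODIFIED $path"; rc=1
        fi
    done < "$manifest"
    # Anything on disk that the manifest does not list.
    added=$(find "$dir" -type f | while read -r path; do
        awk -v p="$path" '$2 == p { found = 1 } END { exit !found }' "$manifest" \
            || echo "ADDED    $path"
    done)
    [ -z "$added" ] || { echo "$added"; rc=1; }
    return $rc
}
```

Run make_baseline once on a known-clean system (ideally from install media) and keep the manifest somewhere the checked directory's users cannot write, or an infector that can rewrite /bin can rewrite the manifest as well.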
  • Virus data (Score:5, Informative)

    by NoInfo ( 247461 ) * on Wednesday September 21, 2005 @09:42AM (#13613011) Homepage Journal
    This virus has been in the wild since at least early 2002.

    Here's Symantec's take on the virus:

    http://securityresponse.symantec.com/avcenter/venc/data/linux.rst.b.html [symantec.com]

  • by bugbeak ( 711163 ) on Wednesday September 21, 2005 @09:43AM (#13613018)
    Guess anything that can be programmed is also vulnerable, regardless of how impenetrable it is.
  • by teslatug ( 543527 ) on Wednesday September 21, 2005 @09:45AM (#13613043)
    A new flaw affecting Firefox users under Unix allows webmasters to craft a URL that when run from an application like Evolution can execute any command. The flaw stems from the use of backticks in the shell script used to launch Firefox. Read more about it here on the Secunia advisory [secunia.com]. Version 1.0.7 fixing the flaw is already out.
  • source? (Score:4, Informative)

    by mmkkbb ( 816035 ) on Wednesday September 21, 2005 @09:45AM (#13613045) Homepage Journal
    Where does this information come from? I can't find any corroborating story from another source. However, I did find this bit of trivia here [mozillazine.org]:
    Those hackers could just as well have served people distributions of Firefox infected with a virus.

    They could have easily replaced the app signatures to match the infected binaries.
  • Re:Secure.. (Score:5, Informative)

    by Anonymous Coward on Wednesday September 21, 2005 @09:50AM (#13613106)
    Actually Linux is more secure. If you run mozilla as a normal user, then mozilla and the virus can't write to the files in /bin, and therefore can't do any really severe damage.
  • by dtfinch ( 661405 ) * on Wednesday September 21, 2005 @09:51AM (#13613124) Journal
    If you're talking about mozilla.or.kr, the Mozilla Foundation does not own or control that site.
  • by MyTwoCentsWorth ( 593731 ) on Wednesday September 21, 2005 @09:57AM (#13613192)
    Since if you run it as a normal user on Windows it cannot damage the system files either :)
  • by Anonymous Coward on Wednesday September 21, 2005 @09:57AM (#13613202)
    It's not about a security exploit. Somebody managed to put up an altered binary on a public server. It's the exact same thing as if someone managed to alter a binary at download.com for Windows. You wouldn't blame Microsoft for that, would you?
  • by tpgp ( 48001 ) on Wednesday September 21, 2005 @09:59AM (#13613214) Homepage
    "Mozilla hits back at browser security claim"

    Funny? Yes. True? No - you see it's not exactly a mozilla problem.

    Whilst searching for more information about this, I stumbled across this page [mozillazine.org] (last time these servers were hacked in June).

    Choice quote:

    Unlike Mozilla Europe, Mozilla Japan and Mozilla China, the Korean Mozilla site is not officially affiliated with the Mozilla Foundation.


    So, it's not mozilla.org (the article states "on public servers. Mozilla.org is the latest example")

    It's someone who's taken the mozilla source and made their own binaries. A problem yes, a serious problem even, but not to the scale that Kaspersky Labs would have us believe.

    Who would have thought it? A security company overhyping an issue!

    I'm not sure why they bother. Do they really think stories like this are going to make linux users go and buy their security 'solution'?
  • by Bogtha ( 906264 ) on Wednesday September 21, 2005 @10:01AM (#13613235)

    Before everybody starts pointing out that they don't browse the web with their root account, and so can't write to any of the binaries on their system, you should be aware that one of the infected files is the installer - which most people do run as root.

    Also, even if you don't run the installer binary, but simply unpack the tarball manually, the release notes tell you to run included binaries as root as part of the normal multi-user installation process [mozilla.org].

  • by Anonymous Coward on Wednesday September 21, 2005 @10:02AM (#13613244)
    If the poster had read and UNDERSTOOD the original article, he would have realised that it was only a general hint about dangers that can happen when you download binaries. He refers to an OLD mozilla security breach (check out the version numbers).

    "Infected binary or source code files aren't anything new. And sometimes they are found on public servers. Mozilla.org is the latest example.

    Korean distributives for mozilla and thunderbird for linux turned out to be infected - mozilla-installer-bin from mozilla-1.7.6.ko-KR.linux-i686.installer.tar.gz and mozilla-xremote-client from thunderbird-1.0.2.tar.gz were infected with Virus.Linux.RST.b"
  • by Anonymous Coward on Wednesday September 21, 2005 @10:05AM (#13613276)
    This Linux virus was not an effective virus in 2002. It is even less effective now. The firefox was about 2 versions old, so the infection rate is extremely low.
  • by Anonymous Coward on Wednesday September 21, 2005 @10:06AM (#13613286)

    The article suggests that one should scan the files downloaded from the internet for viruses.

    For excellent antivirus software see free open source Clam AntiVirus [clamav.net].
  • by NutscrapeSucks ( 446616 ) on Wednesday September 21, 2005 @10:12AM (#13613345)
    Incorrect -- The official US Windows Firefox installers have an authenticode digital signature -- if they had infected the win binaries, the shell complains and users would have been able to easily see something was amiss.

    (Also, I wouldn't be surprised if they have pgp sigs somewhere for the Linux tarballs, but that takes work to verify.)
  • by Anonymous Coward on Wednesday September 21, 2005 @10:16AM (#13613380)

    I can trace the code trying to run but OpenBSD just errors out a message to the console and Mozilla keeps running.

    Awesome.
  • Re:Virus data (Score:3, Informative)

    by schon ( 31600 ) on Wednesday September 21, 2005 @10:30AM (#13613524)
    The files should have been checked for viruses when uploaded onto the Mozilla site.

    Uploaded by *whom*?

    The files weren't on the Mozilla site, they were on a third-party site that Mozilla neither owns nor controls.
  • by despisethesun ( 880261 ) on Wednesday September 21, 2005 @10:42AM (#13613627)
    Yeah, and then you can't do anything with your system because so many vendors write their software so that it's only usable by users with administrator privileges. Thanks for nothing, ISVs!
  • Re:Secure.. (Score:2, Informative)

    by badriram ( 699489 ) on Wednesday September 21, 2005 @10:44AM (#13613651)
    Sorry you require a duh... If you are not running as an Admin/Power User it is the same in Windows as well. And yes it is possible to run as a regular user in the Windows world, and I am typing this as a user logged in without any admin privileges, and wow I can run ff, office, VS, photoshop, dreamweaver, gaim, sql manager, query analyzer, cygwin, yahoo music engine and 7-zip.

    I think people need to quit complaining that they cannot run as regular users on Windows. Use RunAs if you have a pain in the ass game that requires admin access.
  • no surprise (Score:5, Informative)

    by burnin1965 ( 535071 ) on Wednesday September 21, 2005 @10:50AM (#13613705) Homepage
    The web site was hacked 3 months ago and back then they admitted the site was not an official Mozilla site.

    http://www.mozillazine.org/talkback.html?article=6771 [mozillazine.org]


    Sorry for hack.
    by channy

    Thursday June 9th, 2005 6:39 PM


    This is Channy Yun, leader of Mozilla Korean Community. This site is not an official web site of Mozilla Foundation. And this hack is originated by no patch for PHP vulnerability of my hosting company for mozilla.or.kr. I will change it with backup and fix it with my ISP. Sorry for your worry.


    I'm thinking they should give up their domain, which likely causes the confusion and gives the false impression that what you are downloading from the site is an official Mozilla binary.

    burnin
  • Re:Infecting /bin? (Score:3, Informative)

    by chill ( 34294 ) on Wednesday September 21, 2005 @10:51AM (#13613712) Journal
    Enlighten me. How do MD5 sums protect you from trojaned software? If it was a mistake on the part of the maintainer, wouldn't they have hashed the trojaned software to begin with? If it was malicious, anyone who could have uploaded the trojan could have uploaded the hash.

    In either case, the hash would have shown valid. I was under the impression hashes (MD5, SHA-1) were mostly just for making sure nothing was corrupt in the transfer.

    Digital signatures are for ensuring validity, though they wouldn't protect against the case of a maintainer signing infected code by mistake.

      -Charles
  • Re:Virus data (Score:2, Informative)

    by Anonymous Coward on Wednesday September 21, 2005 @11:00AM (#13613784)
    Umm, wrong. "Whom" is the object of the preposition "by". It is NOT the subject.

    If you are going to correct someone's grammar, make sure you get it right yourself.
  • Re:Virus data (Score:3, Informative)

    by CastrTroy ( 595695 ) on Wednesday September 21, 2005 @11:02AM (#13613799)
    If you download from a mirror you should always check the MD5/SHA1 Sum to ensure that you are getting the proper files, and that they haven't been tampered with.
  • by Tom ( 822 ) on Wednesday September 21, 2005 @11:08AM (#13613843) Homepage Journal
    More recent versions of apt support signatures, and require confirmation before they will install an unsigned package.
  • by I'm Don Giovanni ( 598558 ) on Wednesday September 21, 2005 @11:08AM (#13613845)
    Windows XP SP2 does check for digital sigs of downloaded software every time said software is run, and warns the user if there is no sig or if it's invalid (the user can override the warning and still run/install the software). It even allows the user to view the details of the digital sig certificate.
  • Re:Ha. (Score:3, Informative)

    by Slack3r78 ( 596506 ) on Wednesday September 21, 2005 @11:10AM (#13613851) Homepage
    Interestingly, MS also shipped a Korean [microsoft.com] product infected with a virus (Nimda). Clearly this is a case of OSS being unable to innovate on their own, stealing valuable ideas from Microsoft.

    HOW YOU RIKE ME NOW HANS BRIX? :-P
  • by Anonymous Coward on Wednesday September 21, 2005 @11:16AM (#13613913)
    unless you only want to use it yourself.
  • by dougmc ( 70836 ) <dougmc+slashdot@frenzied.us> on Wednesday September 21, 2005 @11:18AM (#13613926) Homepage
    clamav and klamav
    Yes, virus scanners exist for *nix.

    However, what you seem to have forgotten to mention is that the primary use of these scanners is to scan emails for Windows viruses, not Linux viruses. And while it does look like these scanners have the ability to scan your filesystem for infected binaries, that's probably meant more to scan filesystems mounted by Windows boxes via SMB ... for Windows viruses.

    Sure, their virus signature databases probably do have some Linux viruses in there, but scanning for them is not the main reason that people install clamav and similar programs.

    Yes, there are Linux viruses out there. However, the usual architecture of a Linux installation (restrictive permissions, user processes not having permissions to alter most binaries) makes it very difficult for a virus to propagate the way most Windows viruses do -- by infecting binaries. (Granted, Windows can be run in the same way, but since it breaks so many things, it's rarely done unless programmatically enforced by an IT department.)

    That, and most *nix mail readers and web browsers are not as willing to execute arbitrary code they find as IE and Outlook are, unless explicitly told to do so.

    But, if you do find a virus, and run it as root ...

  • by seifried ( 12921 ) on Wednesday September 21, 2005 @11:30AM (#13614031) Homepage
    Uhh every major RPM based distro (Red Hat, SuSE, Mandriva, Trustix, etc, etc.) does this. Third party guys like Dag who distribute literally hundreds of RPMs also sign their packages (thus if I have Dag's key I can verify his RPMs regardless of where I actually get them). In RPM based systems adding a key consists of:

    Download the key (RPM-GPG-KEY-fedora for example)
    rpm --import RPM-GPG-KEY-fedora

    And voila. This works for third party developer's keys.

    As for your other comments they are just misinformed, you should read the article maybe. Or not and just make stuff up, that works too.
  • by Anonymous Coward on Wednesday September 21, 2005 @11:32AM (#13614053)
    But you can write arbitrary code into another process's memory space and then (gasp!) execute it via CreateRemoteThread(). One of Phrack's articles discusses inserting a piece of code into a trusted application (IE if I remember correctly), thus fooling ZoneAlarm into letting the outgoing traffic through. Here is the article:
    http://www.phrack.org/phrack/62/p62-0x0d_Bypassing_Windows_personal_fw_with_process_infection.txt [phrack.org]

    I understand you were being funny though : )
  • by ivan256 ( 17499 ) on Wednesday September 21, 2005 @11:34AM (#13614058)
    Debian apt runs as root, so you'd better be trusting those apt repositories, and all of the contributors.

    Since official debian packages are signed, it's easy to trust the repository and the contributors due to the magic of the PGP web of trust and the Debian developer vetting process. It's not like you're installing software from some random people you don't know, and it's certainly not like the mirror you use could be compromised as long as the signature is valid.

    You install mozilla as root, right?

    Is somebody forcing you? I never install as root if the package didn't come from a trusted location. If I want to test a nightly, even the binary tarballs from mozilla.org go in my user directory, and aren't installed system wide.

    It's the dumb user that's vulnerable, not the OS. That's equally as true for Windows as it is for Linux.
  • by tendays ( 890391 ) on Wednesday September 21, 2005 @11:34AM (#13614060)
    Downloading from any mirror, official or not is fine as long as you check the archive using md5 or sha1 (or ideally, gpg) from the main site, which provides signatures for every archive.
    Though what I don't know is why mozilla doesn't insist more on that (you have to go on the ftp site clicking on "other systems" to find the checksums and signatures : ftp thunderbird [mozilla.org])
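The check tendays describes, with the signature step that chill's comment above explains is needed, written out as an added example that is not code from this thread or from Mozilla. It assumes the main site publishes a checksum list (MD5SUMS or SHA1SUMS style) plus a detached GPG signature over that list, that the publisher's key is already in the local keyring, and that GNU coreutils and gpg are installed; the file names are placeholders.

```shell
#!/bin/sh
# Constructed example: verify a downloaded tarball against a checksum list
# and the publisher's detached signature over that list.

# verify_sums FILE SUMSFILE
# Looks up FILE's basename in SUMSFILE (the "<digest>  <name>" format that
# md5sum/sha1sum/sha256sum emit), picks the tool from the digest length and
# compares. Returns 0 on match, 1 on mismatch, 2 if FILE is not listed.
verify_sums() {
    file=$1
    sums=$2
    name=$(basename "$file")
    expected=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f)
                                   if (f == n) { print $1; exit } }' "$sums")
    [ -n "$expected" ] || return 2
    case ${#expected} in
        32) tool=md5sum ;;
        40) tool=sha1sum ;;
        64) tool=sha256sum ;;
        *)  return 2 ;;
    esac
    actual=$($tool "$file" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# verify_signed_sums SUMSFILE SIGFILE
# A checksum list served next to the tarball only proves the download was
# not corrupted in transit: whoever swapped the binary could rewrite the
# list as well. The signature binds the list to a key the publisher holds,
# so it is the step that actually detects a replaced file.
verify_signed_sums() {
    gpg --verify "$2" "$1" >/dev/null 2>&1
}

# verify_release TARBALL SUMSFILE SIGFILE
# Check the signature first; a digest match against an unsigned list means
# nothing on its own.
verify_release() {
    verify_signed_sums "$2" "$3" || { echo "bad signature on $2" >&2; return 1; }
    verify_sums "$1" "$2"        || { echo "$1 does not match $2" >&2; return 1; }
    echo "$1 verified"
}
```

Fetch the checksum list and signature from the main site rather than from the mirror that served the tarball, otherwise a compromised mirror supplies all three.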
  • by khasim ( 1285 ) <brandioch.conner@gmail.com> on Wednesday September 21, 2005 @12:07PM (#13614358)
    Care to support that assertion with some solid facts and numbers?
    http://securityresponse.symantec.com/avcenter/venc/data/linux.cheese.worm.html

    http://securityresponse.symantec.com/avcenter/venc/data/tfn2k.html [symantec.com]

    http://securityresponse.symantec.com/avcenter/venc/data/linux.adore.worm.html [symantec.com]

    http://securityresponse.symantec.com/avcenter/venc/data/linux.hijacker.worm.html [symantec.com]

    http://securityresponse.symantec.com/avcenter/venc/data/linux.jac.8759.html [symantec.com]

    You see? All but one had "number of sites" between 0 and 2.

    They
    Do
    Not
    Spread

    Linux's security model is far more effective than Microsoft's one for Windows.

    Anyone can write a virus/worm/trojan for Linux, but they cannot get them to spread beyond any machine that they themselves do not have access to.
  • by iMacorIBM ( 708902 ) on Wednesday September 21, 2005 @12:59PM (#13614809) Homepage

    Uh, Debian signs packages and repositories. And it actually maintains its own packages. Not going to find the power of Xen [slashdot.org] signed by RedHat. In Debian, sure. With DSA updates, you can trust a rogue developer with lax programming techniques.

    Anything not signed by Debian requires user intervention by default. Repositories outside the standard distribution (i.e for Adobe Acrobat, RealPlayer, non-US DVD ripping and encoding tools, etc.) have signatures too, but I have added them to my keyring myself to avoid prompts about installing untrusted software. Package md5sums still validate package integrity.

    This is standard behaviour in Etch and Sid. The repository signatures are not in apt in Sarge by default.

    What is the cost of all this hard security maintenance? Well using modern techniques, this estimate [upgrade-cepis.org] is worth a read.

    iMac

  • by vernonjvs ( 905934 ) on Wednesday September 21, 2005 @02:03PM (#13615365)
    This "flaw" only allows the execution of any command if you are running firefox as root. Otherwise, this "flaw" only allows execution of commands that the user has privilege to execute.
  • by frontloader ( 96227 ) on Wednesday September 21, 2005 @03:55PM (#13616378) Homepage
    i feel i need to weigh in here..
    > You install mozilla as root, right?

    Actually, for anyone out there who even marginally cares about their system, you can install like:

    • $ sudo chmod +wrx /usr/local
    • $ ./firefox-installer
    • when the installer asks for a directory, point it at a new one: '/usr/local/firefox-1.06'
    • $ ln -s /usr/local/firefox-1.06 /usr/local/firefox

    nothing untrusted running as root.
    didn't take longer than 15 seconds.
  • by BZ ( 40346 ) on Wednesday September 21, 2005 @04:03PM (#13616436)
    The Korean site is NOT A MIRROR. That's the whole point. They're not offering the official Mozilla.org binaries, but binaries they compile themselves.

    The question of what constitutes a normal distribution channel in this case is a good one, however.
