Korean Mozilla Binaries Infected

Magnus writes "Korean distributions of Mozilla and Thunderbird for Linux were infected with Virus.Linux.RST.b. This virus searches for executable ELF files in the current and /bin directories and infects them. It also contains a backdoor, which downloads scripts from another site, and executes them, using a standard shell."
  • by eno2001 ( 527078 ) on Wednesday September 21, 2005 @09:44AM (#13613026) Homepage Journal
    ...expect to see more of this as the popularity of OSS continues. Of course, unlike Windows it won't get far since MOST users are smart enough to not be running as root.
  • by smooth wombat ( 796938 ) on Wednesday September 21, 2005 @09:46AM (#13613062) Journal
    I can hear it now; "See, FF isn't as secure as its supporters claim it is."

    Whatever.

    Considering this only affects one operating system (Linux) and occurred in only one area of the world (Korea), despite this flaw it's still a whole bunch better than getting an update for IE or Outlook and having everyone who uses Windows, regardless of where they are in the world, being infected.
  • by TarrySingh ( 916400 ) on Wednesday September 21, 2005 @09:47AM (#13613068) Homepage
    And that applies to Linux as well. Yet another example of why you should have an up-to-date antivirus solution, and scan EVERYTHING you download, without exception. This is what we ought to teach end users to practice, and system admins also need to follow advice on this. Understanding SELinux, firewalling and virus detection is crucial.
  • Re:This proves ... (Score:2, Insightful)

    by eno2001 ( 527078 ) on Wednesday September 21, 2005 @09:49AM (#13613089) Homepage Journal
    Exactly. If you run as root, you're a moron. If you run as a regular user, then the only thing you might hose is your own /home dir. If you're a smart user, you've been backing up your /home dir to a location that only root can access... That way recovery is painless. Very different from Windows where you have to reinstall the OS to be sure you're clean. (BTW, we're talking home users, not corporate users)
  • by gcw1 ( 914577 ) on Wednesday September 21, 2005 @09:49AM (#13613100)
    The more common users that are starting to embrace what are thought of as secure products... the more people will start to exploit.
  • Re:Virus data (Score:5, Insightful)

    by _bug_ ( 112702 ) on Wednesday September 21, 2005 @09:49AM (#13613102) Journal
    That's odd... I learned here that Mozilla is clearly more responsive to security bugs than Microsoft. What gives?

    You mean besides the fact that the binaries were removed as soon as they found out?

  • Permissions? (Score:4, Insightful)

    by InternationalCow ( 681980 ) <mauricevansteensel@nosPAM.mac.com> on Wednesday September 21, 2005 @09:50AM (#13613110) Journal
    Well, the Symantec description wasn't very useful to me. But if I read it right, the virus tries to infect /bin. But IIRC it will have to be run with root privileges in order to be able to infect /bin. Dunno about you guys, but I never ever unpacked Firefox builds into my home directory when running as root. Basic security. So, if I understand this correctly, it only infects /bin when you've been sloppy. Not much of a threat, is it?
  • Um... (Score:5, Insightful)

    by Noksagt ( 69097 ) on Wednesday September 21, 2005 @09:51AM (#13613118) Homepage
    Of course, unlike Windows it won't get far since MOST users are smart enough to not be running as root.
    Most users still install software as root & even if they don't, the user usually has access to /bin & would be able to run scripts.
  • Infecting /bin? (Score:5, Insightful)

    by Danathar ( 267989 ) on Wednesday September 21, 2005 @09:51AM (#13613128) Journal
    I'm assuming this can only occur if you installed the virus infected material as root?

    Nothing new here....if you install software as root from a compromised source and don't check the md5sums along with other precautions you put yourself at risk
  • by NineNine ( 235196 ) on Wednesday September 21, 2005 @09:53AM (#13613142)
    So then are you saying that only security experts run Linux, or that all Linux users somehow magically learn about what "root" is upon installation? I'm not understanding what you're saying, since I've never met a non-IT person who knew that "root" had anything to do with computers.
  • Re:Secure.. (Score:3, Insightful)

    by Wierd Willy ( 161814 ) on Wednesday September 21, 2005 @09:55AM (#13613177) Journal
    And they said Linux is more secure than Windows..


    It is. The only way for it to be effective is to pre-infect the original distribution. Which means someone miscopulated the canine. Still can't get around human fallibility in that regard.

    Linux is still much more secure in its raw state than almost any closed-source product even after post-install configuration. Anyone with a modicum of experience with a fresh *nix installation will likely spot this before it does any real damage.

    Suppose it was only a matter of time before someone figured this out though. Goes to show you, it is not a good idea to hook any system up to a network or the web before you finish the basic post-install configurations.
  • by imr ( 106517 ) on Wednesday September 21, 2005 @09:56AM (#13613185)
    Where does it say it spread?
    It is a 3-year-old thing and it never spread, why should it now?
    It has been found somewhere on some server in some package.
    OK, then?

    Distros build their version of software from source, they check the sources, their users get their software from their distro.
    End of the story.

    Moral of the story:
    -don't download binaries from other sources than your distro.
    -don't install binaries from other sources than your distro as root.
  • by NutscrapeSucks ( 446616 ) on Wednesday September 21, 2005 @09:56AM (#13613188)
    They do own and control the international trademark used by that domain name (I hope). Maybe they should be more careful who they loan it to.
  • You're fine?!? (Score:1, Insightful)

    by Anonymous Coward on Wednesday September 21, 2005 @09:57AM (#13613200)
    Even so, as long as the user you run doesn't have write access to any executables ('tis a good idea), you're fine.

    Uh, but don't you need write access to be able to install the infected mozilla executables? Even if it can't infect executables, having your web browser infected is more than bad enough since you typically enter all sorts of "interesting" information in your browser. How is this "fine"?
  • Re:Um... (Score:5, Insightful)

    by Lussarn ( 105276 ) on Wednesday September 21, 2005 @10:02AM (#13613245)
    Most programs in Linux, about 99.99%, are distribution supplied and aren't likely to have viruses/trojans/spyware in them.
  • file permission... (Score:2, Insightful)

    by herve_masson ( 104332 ) on Wednesday September 21, 2005 @10:04AM (#13613267)
    Who is that guy who doesn't feel it necessary to specify that "/bin directories" can't be written by non-root users... Jeez, "all about internet security", really? Make your facts accurate!
  • Re:Virus data (Score:3, Insightful)

    by DigitumDei ( 578031 ) on Wednesday September 21, 2005 @10:08AM (#13613307) Homepage Journal
    I believe the point is if MS did this, it wouldn't matter how fast they removed the infected binaries, there would be a string of posts pontificating on how this clearly demonstrates linux/firefox as superior. And they'd all be modded +5.

    Of course saying the reverse here will quickly get you troll/flamebait/overrated down to -1.
  • Tinfoil shoes? (Score:5, Insightful)

    by bitslinger_42 ( 598584 ) on Wednesday September 21, 2005 @10:15AM (#13613374)

    OK, really paranoid, conspiracy-theory thought here... Yesterday, Symantec, a vendor with an AV product, releases a report claiming that Mozilla is not as secure as IE. Today, a news story comes out that a download of Mozilla from some website in Korea has been trojaned. Anyone else wondering if Symantec placed the infected files in Korea to boost sales of either their Linux AV product (haven't checked to see if there is one yet) or their security consulting services?

    My late-night googling skills are failing to find a reference, but I remember some stories from a couple years back about AV companies writing and releasing new viruses to pad their list of known viruses. If that was true, then I wouldn't put a stunt like this past them.

  • Oy... (Score:3, Insightful)

    by dpaton.net ( 199423 ) on Wednesday September 21, 2005 @10:17AM (#13613394) Homepage Journal
    When are people going to learn that the only truly secure computer is the one that's free of any connection to anything, wired or otherwise, powered off, encased in concrete, and then shot into the sun? Anything that people build will have some kind of vulnerability. The trick is mitigating them so that damage is minimal.

    Come on...this isn't rocket surgery. Use some common sense.
  • by arkanes ( 521690 ) <arkanes@@@gmail...com> on Wednesday September 21, 2005 @10:17AM (#13613395) Homepage
    User-friendly distros (like Ubuntu) borrow a page from OSX and don't even expose the root account. You create a user account in setup, you're prompted for your admin password when you need to install stuff, and when you use the CLI you use sudo. Therefore, without taking proactive steps, it's not even possible to run programs as root, and you have to go well out of your way to log in as root.
  • Re:Virus data (Score:5, Insightful)

    by boaworm ( 180781 ) <boaworm@gmail.com> on Wednesday September 21, 2005 @10:20AM (#13613412) Homepage Journal
    If you've read TFA, you'd know that this has virtually nothing to do with mozilla or OSS.

    A third party, a mozilla fan site in korea, distributed infected binaries.

    If you find an infected version of Winzip on an internet site, would you blame Winzip.com ?
  • by renoX ( 11677 ) on Wednesday September 21, 2005 @10:21AM (#13613429)
    While you're right that normally one installs software as root, installing software from an FTP site without checking at least the md5sum from a trusted origin is dumb.

    Unfortunately this part can't be fully automated, because you would rely on the untrusted package to find the originator sources, which can be faked, obviously..

    If installation on Linux were standardised, maybe it could just ask the user where the originator website of the software is.
    But Linux distributions can't even standardise on a common packaging format, so standardising on a common installation tool is a pipe dream..
  • Alan Cox was right (Score:5, Insightful)

    by Saunalainen ( 627977 ) on Wednesday September 21, 2005 @10:24AM (#13613452)
    Yet another example of the lamentable state of modern computer security. This wouldn't be a problem if operating systems required a trusted signature for software to be installed.

    I use a lot of OS software (e.g. Firefox, NeoOffice/J, LyX, R), but the standard installation process on my platform (OS X) does not allow checking for an authentic signature. Why is this not built in? It doesn't have to be this way: for instance, Red Hat signs its own RPMs (though Debian's APT didn't support this last time I looked).

    We already have to trust the developers. We shouldn't have to trust every FTP server too.

  • by Galileo430 ( 614516 ) on Wednesday September 21, 2005 @10:24AM (#13613458)
    Provided your Windows install is not on a FAT partition. In which case, security what's that?
  • by ifwm ( 687373 ) on Wednesday September 21, 2005 @10:25AM (#13613474) Journal
    One of the reasons that people supported Linus trademarking Linux was to prevent other people from releasing buggy code.

    How is this different?
  • by khasim ( 1285 ) <brandioch.conner@gmail.com> on Wednesday September 21, 2005 @10:27AM (#13613495)
    I believe the point is if MS did this, it wouldn't matter how fast they removed the infected binaries, there would be a string of posts pontificating on how this clearly demonstrates linux/firefox as superior. And they'd all be modded +5.
    If Microsoft distributed infected binaries, then it would be Microsoft distributing infected binaries.
    Of course saying the reverse here will quickly get you troll/flamebait/overated down to -1.
    You do realize that you're completely wrong.

    This is not about Mozilla distributing infected binaries. Mozilla did not. If they had, your analogy would be correct.

    This is about a 3rd party site distributing binaries of compiled Mozilla code that were infected.

    The only Microsoft comparison that can be made would be if HP (or some OEM) shipped WinXP computers with a virus.

    The real question is how did that virus get there in the first place. It's been around for a while but it doesn't spread.
  • by russg ( 64596 ) on Wednesday September 21, 2005 @10:29AM (#13613516) Homepage
    When Security companies and security experts write or say anything derogatory about Linux/OSS security everyone jumps on them. When corroborating news comes out OSS people deny or try to explain it away as an aberration and not the norm.

    And I thought part of the OSS religion was diligence and persistence in security. M$ are the ones that deny the problem exists and do nothing about it right? Well, RIGHT?

    The emperor has no clothes!
    --russ
  • by ArsenneLupin ( 766289 ) on Wednesday September 21, 2005 @10:30AM (#13613523)
    Yes, you'll download it from microsoft.com, not from microsoft.kr. Hmm, why not take the same care when downloading Mozilla?
  • Re:Some stuff (Score:3, Insightful)

    by idlake ( 850372 ) on Wednesday September 21, 2005 @10:34AM (#13613552)
    Just because those responses are predictable doesn't mean that some of them aren't also true.

    Besides, Microsoft is constantly broadcasting the message that Linux sucks, and they are paying billions a year to have that message repeated wherever they can. Do you expect Linux supporters to just respond once and then shut up?

    Microsoft has bought the airwaves, print publications, billboards, and face time to get their message across. Leave the rest of us a little space on discussion groups for expressing our views.
  • by khasim ( 1285 ) <brandioch.conner@gmail.com> on Wednesday September 21, 2005 @10:36AM (#13613571)
    Writing a virus for Linux is easy.

    Getting that virus onto someone else's box is very difficult.

    Getting that virus to spread from that box is even more difficult.

    Linux viruses have an infection rate that is lower than their removal rate so they die in the wild.

    The real question is how did that virus get into that code? Linux viruses tend to have total infection numbers of less than 100 machines.
  • Re:Virus data (Score:5, Insightful)

    by GreyPoopon ( 411036 ) <gpooponNO@SPAMgmail.com> on Wednesday September 21, 2005 @10:37AM (#13613578)
    I believe the point is if MS did this, it wouldn't matter how fast they removed the infected binaries, there would be a string of posts pontificating on how this clearly demonstrates linux/firefox as superior.

    Let's compare apples to apples here. If MS was offering infected binaries from one of THEIR sites, yes, we'd be jumping down their throat. On the other hand, if MS decided to let Download.com distribute versions of a "freeware" application (like Messenger), and the binaries on Download.com were infected, most of us would just be avoiding Download.com like the plague. Sure, some people would still blame Microsoft, just as some people are going to blame Mozilla here.

    Now, having said all of that, I'll bring up the question of accountability. Since Mozilla is being distributed by public mirrors, it's probably a REALLY good idea to have some sort of guidelines that need to be met by the administrators to make sure this doesn't happen on a "Mozilla-certified" mirror. Maybe this is already in place.

  • by glesga_kiss ( 596639 ) on Wednesday September 21, 2005 @10:52AM (#13613718)
    That's because viruses on Linux are so rarely reported due to their limited scope of effectiveness.

    That's a fallacy. Linux is just as vulnerable to trojaned installers as any other OS. You install mozilla as root, right? Debian apt runs as root, so you'd better be trusting those apt repositories, and all of the contributors.

    OS security does help against worms and other methods of infection, but dealing with trojans is a 90% user function. This improved security, along with market share (as you point out) is what makes Linux "safer". To get a virus on Linux, you essentially have to do something wrong yourself. Which is no consolation to the gran and grandpa users; "Download Weather Bar (linux version)" popups are only a few years away...

  • by khasim ( 1285 ) <brandioch.conner@gmail.com> on Wednesday September 21, 2005 @10:52AM (#13613722)
    Comparing Microsoft's ActiveX implementation (installed on every Windows box) to an infected Mozilla binary hosted on some Korean site that I'll never download from is "insightful"?
    Please, I like firefox as much as the next poster, but please apply equal standards when comparing/recommending firefox.
    "equal standards"? You're comparing ActiveX to an infected binary on some Korean site.
    If you still believe firefox is Perfect, surprise, no software is.
    Again, this was not a flaw in FireFox. It was some Korean site putting up infected binaries.

    ActiveX is a stupid security model. That is why so many exploits for it exist and why you have to keep your anti-virus signatures updated every day.

    There is no equivalent in FireFox.

    Anyone, anywhere can put up infected FireFox binaries. Whether anyone will ever download and install them is another matter.
  • by lpontiac ( 173839 ) on Wednesday September 21, 2005 @10:55AM (#13613750)
    But Mozilla as a whole (the organisation and the products) are already getting bad press for this.

    People have complained in the past about the Mozilla organisation being heavy handed about trademarks, and trademarks (eg the Linux one) have been getting a bad rap in general. But here's the other side of the coin: the actions of an organisation that identifies itself as "Mozilla", even though it's _not_ the Mozilla foundation, are tarnishing the reputation of the genuine article.
  • Re:Secure.. (Score:2, Insightful)

    by dr. greenthumb ( 114246 ) on Wednesday September 21, 2005 @10:58AM (#13613769)
    rm -rf ~/*

    Severe enough .. :)
  • by Anonymous Coward on Wednesday September 21, 2005 @11:04AM (#13613814)
    How is it a black day? According to the exploit you posted it was fixed the day it was reported.

  • Re:Virus data (Score:5, Insightful)

    by SimGuy ( 611829 ) <kevinNO@SPAMsimguy.net> on Wednesday September 21, 2005 @11:19AM (#13613933) Homepage Journal
    And sadly, Linux administrators have been unable to suitably protect their systems in all this time, so it continues to be a pain in the ass, never really going away. I work for a hosting company, and I've dug Linux.RST.b out of too many servers.

    I think too many Linux admins don't believe there's such a thing as a Linux virus. Usually the easiest way to recognize the infection is if a large number of common programs in /bin like "grep" start crashing. Tends to make boot up and shutdown clumsily fail.
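    A defender-side check for the situation described above (a file infector altering common programs in /bin), as an added example that is not code from the thread, from Mozilla or from any AV vendor: it takes a SHA-256 baseline of the ELF files in a directory and later reports which were modified, added or removed. The directory, the fake "binaries" and the simulated infection in `demo()` are constructed; a real deployment would baseline /bin from a known-clean system and keep the baseline where an unprivileged or infected process cannot write.

```python
"""Baseline-and-compare integrity check for ELF executables in one directory.

Added example for this thread, not code from Slashdot, Mozilla or any AV
vendor. A file infector that rewrites binaries in /bin changes their bytes,
so a digest baseline taken from a known-clean system and stored where an
unprivileged (or infected) process cannot write will show which files were
altered, added or removed. The sample files below are constructed.
"""
import hashlib
import json
import tempfile
from pathlib import Path

ELF_MAGIC = b"\x7fELF"


def is_elf(path: Path) -> bool:
    """Regular file (not a symlink) whose first four bytes are the ELF magic."""
    if path.is_symlink() or not path.is_file():
        return False
    with path.open("rb") as fh:
        return fh.read(4) == ELF_MAGIC


def sha256_of(path: Path) -> str:
    """Streamed SHA-256 hex digest of a file."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(directory: str) -> dict:
    """Map file name -> {sha256, size, mode} for every ELF file in directory."""
    baseline = {}
    for entry in sorted(Path(directory).iterdir()):
        if is_elf(entry):
            st = entry.stat()
            baseline[entry.name] = {
                "sha256": sha256_of(entry),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),
            }
    return baseline


def compare(baseline: dict, directory: str) -> dict:
    """Report which ELF files changed since the baseline was taken."""
    current = build_baseline(directory)
    return {
        "modified": sorted(n for n in baseline if n in current
                           and current[n]["sha256"] != baseline[n]["sha256"]),
        "added": sorted(n for n in current if n not in baseline),
        "missing": sorted(n for n in baseline if n not in current),
    }


def demo() -> dict:
    """Constructed scenario: three fake ELF binaries plus a text file, then
    one binary gets code appended (as an appending infector would), one new
    executable appears and one disappears."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        for name in ("grep", "ls", "cat"):
            (d / name).write_bytes(ELF_MAGIC + b"\x02\x01\x01" + name.encode() * 8)
        (d / "README").write_text("not an executable\n")  # ignored by is_elf
        baseline = build_baseline(tmp)
        with (d / "grep").open("ab") as fh:
            fh.write(b"\x90" * 64)  # simulated appended code
        (d / "sh2").write_bytes(ELF_MAGIC + b"\x02\x01\x01dropped")
        (d / "cat").unlink()
        return compare(baseline, tmp)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The baseline dict is plain JSON-serialisable data, so it can be written out once and loaded back for later comparisons.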
  • Apples to Apples? (Score:5, Insightful)

    by Greyfox ( 87712 ) on Wednesday September 21, 2005 @11:20AM (#13613945) Homepage Journal
    Ok, to get infected on Linux you have to download and install binaries from untrusted third parties and run as root all the time.

    To get infected on Windows you... have to turn the system on. As far as I can tell.

    Sure a lot of Windows infections are because the user downloaded and installed binaries from untrusted third parties, but equally as many just turned their computers on.

    If you ran untrusted binaries on your Apple you'd be exposing yourself to similar risk. Hell, we used to have the same problem on IBM mainframes back in the '80s -- every year around Christmas time all the freshmen would run those greeting card programs in their in-boxes and bring the network down as the trojan spread itself to everyone in their address book. Windows just eliminates a lot of the work for you.

    As the Linux userbase expands into increasingly less clueful segments of the population, compromised systems are going to be more of a problem, but I predict that even if the installed Linux base ever grows to the size that Windows is, the problem won't be as severe as it is on Windows. Unless everyone's running Lindows...

  • by AviLazar ( 741826 ) on Wednesday September 21, 2005 @11:48AM (#13614177) Journal
    This is not about Mozilla distributing infected binaries. Mozilla did not. If they had, your analogy would be correct.

    This would hold true, imho, except that Mozilla encourages others to distribute these programs. As such, they give authorization for people to represent them. It's like going to a Quizzno's and buying a sandwich, getting sick and then suing the store (which has a placard of being independently owned) and the parent company. Yea the parent company didn't make a bad sandwich, but guess what - they authorized this store to make them in their name.

    Does it suck for the parent company, yes, but that is the chance they risk for letting others do their job.

  • by MikeFM ( 12491 ) on Wednesday September 21, 2005 @11:53AM (#13614244) Homepage Journal
    It sounds like a deliberate plant to me. Either that or this site has horrible security. Linux viruses just don't spread without effort - especially in apps compiled from source. Possibly a pay off to discredit Mozilla?

    I guess this proves that Mozilla needs to take more care in selecting who is allowed to act as major redistributors. Maybe start releasing code hashes for every version of Mozilla officially released so that all can be verified before install?
  • No, it is not. (Score:3, Insightful)

    by khasim ( 1285 ) <brandioch.conner@gmail.com> on Wednesday September 21, 2005 @11:56AM (#13614266)
    And re "this is not a flaw in firefox" yes you are right, this time, but comments like the OP pop up every time, and is a (possible)flaw in the distribution system not a flaw in the software?
    Duh! Of course it isn't. The software is the code.

    The distribution system is how people get the code.
    I know it's a common situation where software is downloadable from different sources but still there appears to be a problem (not that I have a solution) You know none of the users will check the md5sums from the original website (moz.org)
    If the md5sums from the main site would be valid, then why not download from the main site?

    Once you start installing apps from random sites you open yourself up for all kinds of problems.
    if some windows flaw is posted everybody goes "boo ms" even though you are also required to run as admin and whatever, but if it's an OSS flaw they go "this isn't a flaw because I secure my pc"
    Yeah. Keep believing that. Maybe you've heard of this stuff called "spyware" that infects machines via IE's ActiveX implementation.

    Or maybe you haven't heard that a restricted user cannot use IE because the permissions aren't correct.

    So, on Windows, you must have elevated permissions just to use the various apps and THAT is what results in so many infections.
  • Re:Infecting /bin? (Score:4, Insightful)

    by Zathrus ( 232140 ) on Wednesday September 21, 2005 @12:33PM (#13614564) Homepage
    I'm assuming this can only occur if you installed the virus infected material as root?

    Last I checked all the major repository systems (rpm, apt, etc) require you to do so. Yup.

    if you install software as root from a compromised source and don't check the md5sums

    Checking the md5sums will do you absolutely no good unless you get the md5sum from a completely independent source -- which isn't true in most cases. In this case there was no independent source -- the Korean site compiles it and distributes it themselves and is not affiliated with the Mozilla foundation.

    along with other precautions you put yourself at risk

    My, that's nebulous. What precautions?

    You could compile from source... and then you're safe as long as someone didn't trojan the CVS server (either intentionally or maliciously). Or are you going to evaluate every line of code prior to compiling it as well? Make sure to double check your compiler and libraries -- if they have a trojan injector then you'll have one hell of a time figuring that out.

    No, it's not anything new. But it should be a wakeup call to a lot of people who think they're "safe" for running non-mainstream software. We're not -- we're just a smaller target. It's just a twist on "security through obscurity", and that's been proven to be inadequate countless times.
  • by Kythe ( 4779 ) on Wednesday September 21, 2005 @12:46PM (#13614684)
    People on /., remember that is the target audience we are talking about, would cry foul on MS.
    Obviously it is not reasonable, but people here are not always reasonable, and they get mod'd -5 Reasonable, automatically, when MS is involved.


    Well, since this thread and line of argument was started by "poor Microsoft! Can't get a fair shake on Slashdot! Look how bad Mozilla is!" whining, I think this statement is a tad disingenuous.

    It's amazing to me, considering all the complaining pro-MS types do around here, just how well represented they are in these discussions.
  • Re:Secure.. (Score:3, Insightful)

    by Tim C ( 15259 ) on Wednesday September 21, 2005 @12:46PM (#13614688)
    If you run mozilla as a normal user

    But you'll have installed it as root, and the installer was infected, and you're still screwed.
