Linux Malware – Proof that Linux is not as secure as we all think

There was an interesting post on Ask Slashdot discussing the ethics of releasing non-malicious Linux malware simply to prove a point to all of the people who rant and rave about Linux being so secure.

A developer by the name of buchner.johannes writes:

“I was fed up with the general consensus that Linux is oh-so-secure and has no malware. After a week of work, I finished a package of malware for Unix/Linux. Its whole purpose is to help white-hat hackers point out that a Linux system can be turned into a botnet client by simply downloading BOINC and attaching it to a user account to help scientific projects. The malware does not exploit any security holes, only loose security configurations and mindless execution of unverified downloads. I tested it to be injected by a PHP script (even circumventing safe mode), so that the Web server runs it; I even got a proxy server that injects it into shell scripts and makefiles in tarballs on the fly, and adds onto Windows executables for execution in Wine. If executed by the user, the malware can persist itself in cron, bashrc and other files. The aim of the exercise was to provide a payload so security people can ‘pwn’ systems to show security holes, without doing harm (such as deleting files or disrupting normal operation). But now I am unsure of whether it is ethically OK to release this toolkit, which, by ripping out the BOINC payload and putting in something really evil, could be turned into proper Linux malware. On the one hand, the way it persists itself in autostart is really nasty, and that is not really a security hole that can be fixed. On the other hand, such a script can be written by anyone else too, and it would be useful to show people why you need SELinux on a server, and why verifying the source of downloads (checksums through trusted channels) is necessary. Technically, it is a nice piece, but should I release it? I don’t want to turn the Linux desktop into Windows, hence I’m slightly leaning towards not releasing it. What does your ethics say about releasing such grayware?”

It is a great thing for the community at large to see that Linux can be exploited with malware just like its rival operating systems. However, I share the same concerns the developer does. This could indeed result in a black-hat user injecting something malicious into the code and turning the example into real, evil malware. I’m on the fence though; maybe this is what Linux users need to prove that we aren’t like typical Windows users who click any random link and download any random software from any random untrusted third-party site. A user who goes by the name of silentcoder wrote: “Linux users (hardly ever) download and install software from the internet. We download and install packages from repositories. The average user simply cannot tell the difference between a useful piece of freeware and a bugridden-malware-spreading piece of adware.”

Paranoia aside, this definitely proves that Linux is just as susceptible to malware and viruses as any other operating system.  But, as I’ve always said, viruses and malware are usually a result of user error, no matter the operating system.

What do you all think, should this type of code be released as proof of concept even if it’s risking malicious manipulation?  Should we all just start using SELinux and be done with it?
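The post above names cron, bashrc and other autostart files as the places the payload persists. As an added example (not code from the post or from the toolkit it describes), this script lists entries in those locations that deserve a manual look; the match patterns and the sample files are constructed assumptions.

```shell
#!/bin/sh
# Added example: list per-user autostart entries worth a manual review.
# SUSPECT_RE holds illustrative heuristics (assumptions), not signatures:
# download piped to a shell | code under world-writable dirs |
# cron @reboot jobs | detached background jobs (nohup, trailing &).
SUSPECT_RE='(curl|wget)[^|]*[|][[:space:]]*(ba)?sh|(/tmp|/var/tmp|/dev/shm)/|@reboot|nohup[[:space:]]|&[[:space:]]*$'

# audit_stream LABEL < text: print "LABEL:LINENO:TEXT" for each hit,
# ignoring blank lines and comments.
audit_stream() {
    grep -nEv '^[[:space:]]*(#|$)' | grep -E "$SUSPECT_RE" |
        while IFS= read -r hit; do printf '%s:%s\n' "$1" "$hit"; done
}

# audit_home DIR: check the shell and desktop startup files under DIR.
audit_home() {
    for f in "$1"/.bashrc "$1"/.bash_profile "$1"/.bash_login "$1"/.profile \
             "$1"/.config/autostart/*.desktop; do
        if [ -r "$f" ]; then audit_stream "$f" < "$f"; fi
    done
}

# demo: run the audit over a constructed home directory and crontab dump.
demo() {
    d=$(mktemp -d)
    cat > "$d/.bashrc" <<'EOF'
# ~/.bashrc (constructed sample)
alias ll='ls -l'
export PATH="$HOME/bin:$PATH"
nohup "$HOME/.cache/.upd/client" >/dev/null 2>&1 &
EOF
    cat > "$d/crontab.txt" <<'EOF'
# constructed sample of `crontab -l` output
0 3 * * * /usr/bin/updatedb
@reboot /var/tmp/.x/run.sh
EOF
    ( cd "$d" && audit_home . )
    audit_stream crontab < "$d/crontab.txt"
    rm -rf "$d"
}

# With a directory argument, audit that home and the caller's crontab;
# with no argument, show the constructed demo.
if [ -n "${1:-}" ]; then
    audit_home "$1"
    crontab -l 2>/dev/null | audit_stream crontab
else
    demo
fi
```

A hit is a prompt for review, not a verdict: legitimate entries can match, and an entry that matches none of the patterns can still be unwanted.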

SELinux Available on Ubuntu 8.04 “Hardy Heron”

It has been announced that Security-Enhanced Linux (SELinux) will now be available as an alternative security option to AppArmor in Ubuntu 8.04 “Hardy Heron”.

Security-Enhanced Linux (SELinux) is a Linux feature that provides a variety of security policies, including U.S. Department of Defense style mandatory access controls, through the use of Linux Security Modules (LSM) in the Linux kernel.

Here is how to install SELinux on Ubuntu 8.04, taken from the Ubuntu Wiki:

How To Install SELinux on Ubuntu 8.04 “Hardy Heron”

Installing SELinux in Hardy:

  1. Update /etc/apt/sources.list by appending the following:
  2. Update repo:
    • > apt-get update
  3. Install updated packages:
    • > apt-get upgrade
    • These packages have SELinux support patches:
      • libpam0g
      • openssh-server
      • grub
      • login
  4. Install selinux:
    • > apt-get install selinux
    • These packages will be removed:
      • apparmor
      • apparmor-utils
  5. Reboot

If using aptitude instead of apt-get, you will need to manually remove apparmor and apparmor-utils, deselect selinux-policy-dummy, and then choose selinux-policy-refpolicy.

Basic Linux Security Tips

William Stearns has a good write up on Linux security tips for first time Linux users.

Here are a few:

  1. Set up regular updates for your particular Linux distribution
  2. Lock your system when you step away from it. To lock the Gnome graphical desktop, run the following command, part of the “gnome-screensaver” package:
    • > gnome-screensaver-command --lock
    From a text console, run this, part of the vlock package:
    • > vlock -a
    For KDE, right click on the desktop and select “Lock Session”. In Ubuntu, press Ctrl-Alt-l (the letter “Ell”, configurable in System/Preferences/Keyboard shortcuts). All require the password of the logged-in user to continue work.
  3. Do your day-to-day work with a non-root account. When you need to do root-level tasks, become root with “sudo” or “su” long enough to do the task (alternately, log in as root on a text console for this task). http://www.stearns.org/doc/sudo.current.html

Go check out the rest of the tips.

The Best Linux Security Tools

You can never be too safe these days. Viruses, spyware, rootkits, remote exploits, you just never know what security issue is going to be your downfall. That’s why it is important as a Linux administrator to have an understanding of some of the best Linux security tools available to you. In this article, you will learn about ten of the best Linux security tools, and resources on how to use them to your advantage.

  • Nmap Security Scanner
    Nmap, which stands for “Network Mapper”, is a free open source utility that allows you to explore and audit a network. From the website: “Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.”
    For Nmap installation documents, go here.
    There is a very useful tutorial here on the numerous scan types Nmap allows.
    This PDF is a great print-out reference that includes all of the major Nmap options.
  • Nessus Vulnerability Scanner
    Nessus is a vulnerability scanner that probes your network machines against an up-to-date security vulnerability database, alerting you of security holes, with detailed analysis on how to fix each hole. From the Nessus website: “Nessus is the world’s most popular vulnerability scanner used in over 75,000 organizations world-wide. Many of the world’s largest organizations are realizing significant cost savings by using Nessus to audit business-critical enterprise devices and applications.”
    See an example scan report here.
    For Nessus installation documents, go here.
    A nice technical guide to Nessus can be found here.
    The Nessus knowledge base is here.
  • Clam AntiVirus
    ClamAV is a GPL antivirus toolkit. The main purpose of ClamAV is integration with mail servers, but it can also be used to scan files for viruses on the command line. It provides a flexible and scalable multi-threaded daemon, a command line scanner and a virus database that is kept up to date. The most popular use of ClamAV is on a mail server, tied in with an anti-spam application like SpamAssassin.
    For installation help, go here.
    The Clam AntiVirus wiki can be found here.
    This PDF document covers all you need to know about ClamAV.
  • Snort
    Snort is one of the greatest weapons you can have in the fight against intrusions. Snort is mainly used in three different ways: as a packet sniffer, a packet logger, or as a complete intrusion detection system (IDS). From the website: “Snort is an open source network intrusion prevention system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.”
    The official Snort users manual can be found here.
    For a comprehensive list of documents, go here.
  • Chkrootkit
    Chkrootkit is a tool designed to locally check for signs of a root kit on your Linux machine. “Root kits” are basically files that can hide on your machine after a break in that allow the attacker to gain access to your computer in the future.
    This PDF explains adding chkrootkit to your auditing arsenal.
  • Tripwire
    Tripwire is a security and data integrity tool useful for monitoring and alerting on specific file change(s) on a range of systems. Basically, tripwire has the ability to alert you when files have been modified on your system.
    A comprehensive guide to implementing tripwire can be found here.
    This is a nice howto on setting up tripwire.
  • Rootkit Hunter
    Rootkit Hunter is a great tool for analyzing and monitoring the security of your systems. Like Chkrootkit, this tool also checks for rootkits that may be hiding on your machine, as well as other tools on your system that may be potentially dangerous.
    A detailed guide on downloading and installing Rootkit Hunter can be found here.
  • Kismet
    From the website: “Kismet is an 802.11 layer2 wireless network detector, sniffer, and intrusion detection system.” If you have a wireless network, or travel with a laptop, this security tool is a must have.
    This Kismet readme covers just about all you need to know.
    There is also a lot of useful information located within the Kismet forums.
  • Shorewall
    Shorewall is a very powerful and flexible firewall that utilizes iptables and Netfilter. Very flexible configuration allows the firewall to be used in a wide variety of firewall/gateway/router and VPN environments.
    The Shorewall Installation document can be found here.
    Here is a quick start guide to using Shorewall.
    Shorewall Features can be found here.
  • Ethereal (Now called Wireshark)
    Wireshark is a very popular network protocol analyzer that has a variety of security features including a packet browser, live capture and offline analysis and more. Basically, Wireshark captures packets going across the network and displays them to you with as much detail as possible. From the users guide: “You could think of a network packet analyzer as a measuring device used to examine what’s going on inside a network cable, just like a voltmeter is used by an electrician to examine what’s going on inside an electric cable (but at a higher level, of course).”
    Here is the Wireshark users guide.
    The Wireshark wiki is here.

Now that you’ve gotten a glimpse at ten of the best Linux security tools, it is up to you to install them and put them to use in your network environment.

WordPress Exploit

David Kierznowski has uncovered an exploit in the popular WordPress blogging software that everyone should be aware of. Popular security website Security Focus has the issue documented, and it is suggested that you upgrade your template.php file as soon as possible to avoid becoming a victim.

The WordPress team has issued an updated release, version 2.0.6 that contains a fix.

Simply put, to fix the WordPress exploit, visit the WordPress site and edit line 114 in your template.php file.

Create stronger passwords

Safepasswd is a website dedicated to helping you choose a safe and secure password. The secure passwords are automatically generated for you, with the following options: easy to remember, letters only, numbers only, letters and numbers, all characters, and hex. This is a great tool for both administrators and standard computer users, as it reinforces the need to create stronger passwords.

Modify SSH Config To Maximize Security

SSH is a powerful remote login protocol that took the place of telnet back in the mid-to-late 90s. With so many people using SSH as an everyday tool, it is important for server administrators to understand some ways of making the secure shell a bit more… well… secure. In this article you will learn how a few simple configuration modifications to sshd_config on your SSH server can improve the security of your SSH daemon and allow you to sleep better at night…


Prevent users from logging into your system

If you are a system administrator who allows remote access to your server or desktop, you may want to disable certain users from logging into the system both remotely and locally. This article will explain how to prevent certain users from logging into your Linux machine via SSH (OpenSSH_4.4p1) and FTP (vsftpd 2.0.5).

First we must understand that in most cases there are two different ways an allowed user may be logging into your Linux server.