Expanding on Foobar's “How to write a Linux virus”

Philippe Delodder linked and Planet.grep'd an interesting blog post about Linux viruses: Foobar's How to write a Linux virus in 5 easy steps and its Followup.

The article points out important and interesting issues and problems. It is an interesting read and everyone using Linux should read it, certainly people interested in security and, most of all, the people advising others to use Linux. The “no viruses” argument is often used as a strong selling point, and that is, as the article points out, partially incorrect or at least inaccurate! Let me quote pieces of the article here before I continue.

The first question is how to get these files executed, since Linux has quite a few safeguards in place.

Desktop environments treat those files [launchers] as a special case, so when you click on them Gnome or KDE will happily execute the command that was specified within the launcher description and without the need for the execute bit to be set on the launcher itself.

This solves the obvious first question. It is a limited vector, since it relies on KDE or Gnome, but as those are the most popular desktops it will work more often than not!
The second thing everyone is thinking here would obviously be: but you don't have root yet.

You don’t need to be root to 0wn someone
None of that so far required root privileges. And our script now can do whatever it wishes to do within the confines of the user account.

No, but you don't NEED root for what most of that bothersome Windows malware is doing!
This last one should be obvious (there are SO many ways to do this) but it is important too, so for those wondering about this:

Autostart after reboot
... Users do not need root privileges in order to configure certain applications for autolaunch when they are logging into their own user sessions.
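As an added example (not part of this post or of Foobar's article), here is a small Python audit script for the two user-writable mechanisms quoted above: it parses the .desktop launchers in ~/.config/autostart and on the Desktop and flags Exec= lines that run an inline interpreter command or point at paths outside system directories. The trusted and untrusted directory prefixes are assumptions to adjust per distribution, and the two sample launchers are constructed for the demonstration.

```python
# Added example, not from the original post: audit per-user .desktop launchers
# (~/.config/autostart and ~/Desktop) and flag Exec= lines that deserve a look.
import configparser
import shlex
from pathlib import Path

# Assumed prefixes (adjust per distribution): where legitimate launcher targets
# live, and where a dropped script typically lands.
TRUSTED_PREFIXES = ("/usr/bin/", "/usr/local/bin/", "/bin/", "/usr/lib/", "/opt/")
UNTRUSTED_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/")
INTERPRETERS = {"sh", "bash", "dash", "python", "python3", "perl"}

def parse_desktop_entry(text):
    """Return the [Desktop Entry] group as a dict, preserving key case."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep 'Exec' as written instead of lowercasing it
    cp.read_string(text)
    return dict(cp["Desktop Entry"]) if cp.has_section("Desktop Entry") else {}

def exec_argv(exec_value):
    """Split Exec= like a shell would and drop %f/%u-style field codes."""
    try:
        words = shlex.split(exec_value)
    except ValueError:
        return []
    return [w for w in words if not (len(w) == 2 and w[0] == "%")]

def classify(entry):
    """Return the reasons a launcher deserves review; [] means it looks ordinary."""
    argv = exec_argv(entry.get("Exec", ""))
    if not argv:
        return ["missing or unparseable Exec="]
    reasons, prog = [], argv[0]
    if Path(prog).name in INTERPRETERS and "-c" in argv[1:]:
        reasons.append("Exec runs an inline interpreter command")
    if prog.startswith("/") and not prog.startswith(TRUSTED_PREFIXES):
        reasons.append(f"program outside system directories: {prog}")
    reasons += [f"references a user-writable location: {w}"
                for w in argv if w.startswith(UNTRUSTED_PREFIXES)]
    return reasons

def scan_launchers(home):
    """Yield (path, reasons) for every launcher in the per-user locations."""
    for parts in ((".config", "autostart"), ("Desktop",)):
        for path in sorted(Path(home, *parts).glob("*.desktop")):
            yield str(path), classify(parse_desktop_entry(path.read_text(errors="replace")))

# Constructed sample launchers for the demonstration (not taken from any real system).
BENIGN = "[Desktop Entry]\nType=Application\nName=Firefox\nExec=/usr/bin/firefox %u\n"
SUSPECT = ('[Desktop Entry]\nType=Application\nName=Report.pdf\nIcon=application-pdf\n'
           'Exec=sh -c "/home/user/.cache/.hidden/run.sh"\n')
```

Running `for path, reasons in scan_launchers(Path.home()): print(path, reasons or "ok")` lists every launcher the current user's session would execute without an execute bit, with the reasons each one was flagged.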

Now, why do I bother copying certain parts of the article here? Because this deserves a lot of attention and I want to make a further point. It is easy to minimise the impact of this by stating “they might be trojans, but those are no viruses”. Which is true but misleading.
The current Windows problems lie with browser hijacking, mail spamming, chat spamming and of course the dreaded botnets. Linux is quite secure against malicious software automatically installing itself, in the sense that any code would need to be user-activated and, even then, it would only have the user's access rights, not system root rights. Yet none of these current Windows problems really need that. The viruses of old did, but except through blatant security exploits (and that still happens frequently in Windows), those viruses are now obsolete.

KDE/Gnome-driven Linux is vulnerable. It is possible to write a Linux trojan that, after execution by the user, scrapes some data together (email addresses? ...?), mails itself to your entire address book and uploads any data it is interested in to some location online. Possible but not simple, mind you. Linux is all about choice, and the trojan would have to be incredibly broad to actually work on even half of the systems, incorporating specific code for Thunderbird, Evolution and whatever other email software it would want to support. The same goes for chat clients. An incredible number of clients and possibilities would have to be covered to make the virus work even half of the time. But it IS possible.
And that incredible amount of different possibilities, combined with the fact that Linux isn't widespread enough to really be worthwhile for those malware authors, is what keeps Linux malware-free for the moment.

Taking it to the next level, downloading the virus source from a single location would be a risk, since taking that location out would stop the procreation of the virus. This however is easily remedied by setting up a small, customised (some random port, for example) HTTP server on the infected host and having the freshly infected machines get it from there. Not utterly failsafe, but there are possibilities. Solving the inherent problems like NATing of the first machine will be up to the malware guys, but I'm confident they would find ways to solve that; UPnP might be a nice vector for routers that have it enabled.

As for botnets, taking the previous into account, it is not that hard to upload a botnet client to the machines and run it automatically, thus no longer restricting all those botnets to the Windows world. (The provisions for botnets exist already for Linux servers, so there wouldn't even be actual coding involved there.)

Linux is safe from viruses, but that doesn't really matter as much as we'd like it to. All the major threats annoying modern-day Windows users are technically possible on Linux. (Then again, what isn't 😉) Now to quote the article once again:

Solutions for the problem
Thirdly, stop perpetuating the myth that malware and viruses are only a problem for Windows. Linux is – in principle – vulnerable as well, of course. Even though users don't operate with root privileges, if they inadvertently execute a bit of malware then a lot of damage and autostart installation can still be done. The simple fact that an executed attachment won't run as root is NOT a useful protection against much of anything, as we have seen. The fact that attachments are not saved with the execute bit is NOT a sufficient protection either, since modern desktop environments allow you to neatly maneuver around that.

I don't expect Gnome and KDE to solve this, since it is the obvious “security vs. comfort” battle. But it is a grim realisation everyone should have.

Published by Gert


2 thoughts on “Expanding on Foobar's “How to write a Linux virus””

  1. This may not be relevant but I figured I'd post this anyway. If you're using Ubuntu 8.10 you may be in for some issues with the network manager. For some unknown reason it stops functioning. You will need to manually set your resolv.conf with your ISP's DNS servers. That file is located in /etc/network/resolv.conf

