Looking At The New Linux Trojan

Da Schmiz writes: "Security firm Qualys discovered a new Linux trojan on Saturday ... details can be found on their website.. Vnunet picked up the story earlier today, and then followed up with more details. They're comparing the potential impact to Code Red or worse, since more servers run Linux / Apache than NT / IIS. I don't think it's that bad, since the infection can be easily detected, but it certainly isn't good." Update: 09/08 11:58 AM GMT by H : Of course, as Kurt Siefried pointed out in e-mail: "The trojan has nothing to do with Apache. The virus attaches itself to an executable, which you must run to infect other binaries (i.e. you must run this as root). This means that infection vectors include, but are not limited to email attachments, but you must of course save the binary, then set it executable, and then run it, as root, to do any real damage. Alternatively you must download binary software and run it (again as root to do any real damage). In other words someone must run binaries of unknown origin as root, and if this is common practice then you have larger policy and education problems to deal with." So - comparing it to Code Red is a bit dubious.

Technical detail:

It installs a backdoor which listens for incoming connections on UDP port 5503 or higher, and allows remote attackers to connect to, and take control of, an infected system.

Unless it also reconfigures my firewall to allow incoming traffic to port 5503 and higher and fiddles with my hosts.allow file, I'm not particularly concerned. Anyone who fails to have more than one layer of precaution on their system has a bit more to worry about.

Partial isinformation

Unless it also ... fiddles with my hosts.allow file, I'm not particularly concerned.

Whoa, cowboy! /etc/hosts.allow only affects friendly programs that bother to parse it (e.g., inetd, or programs that use tcpwrappers). An unfriendly program is free to ignore it.

However, your advice to use kernel firewalling is sound. 'Defense in depth' is the only way to go.

What file did they find did this trojan infect?

It says initially surfacing in the /bin directory, ok what file? What distro? What rpm? What .tgz do I have to watch out for? Little more info please. I don't know that any unix admin who would run /bin utilities that they get off the Internet, maybe source, but not binaries.

This is no way as bad as Code Red, Code red self replicated on unpatched servers. This trojan will not replicate without a user doing it. Sheesh, bad journalism.

a similar story in history

"...a guard at the top of the castle gates spots something in the distance, just beyond the walls. What could it be? Its...a giant wooden penguin! Imediatly, guards from different corridors of the castle rush to percieve what appeared to be a gift from the gods. All at once, they hoisted the behemoth bird onto a make shift wagon and hauled it within the castle. After much celebration and talk of good tidings, the kingdom lay it's head to rest. Later on that night, the wooden bird's bottom opened, releasing thousands upon thousands of Bill Gates' shock troops, sent to terrorize the castle and townspeople."

Cute kittens

The problem with saying "oh yeah this is easy to detect/fix" is that you're not looking from the standpoint of non-linux geeks. I've never really had a problem with trojans or virii on any of my Windows machines because I know how not to pick them up. They're headaches because most people don't know how to avoid them. The same goes with all the people who picked up a copy of RedHat and run around as root because they don't know any better. Linux is only as secure and efficient as the people using it. Weenie.

This explains a lot...

Now we know why slashdot has been down so much the last couple days.

Don't worry, this is no Linux Code Red

For starters to get infected with this animal requires activity on the part of a user on the Linux box.

Code Red required no user activity at all. A typical orphaned Linux box standing around in a corner would not be at risk, the same machine running IIS would have been a sitting duck for CR. There are a lot of orphaned servers out there with standard Redhat or IIS installs. These are the real danger. Any remote-root security holes on these popuplations are cause for real concern.

I don't know if I'm typical or not, but where I work, Linux is used on servers (yup, I'm responsible for that) but we hardly ever read our mail on a Linux box. We use a Windows platform for that. So -> no risk.

I'm thinking a Linux desktop user would be a better victim for this. Fortunately, hardly anyone uses Linux on the desktop so we're all safe!

Regards,
Xenna

Give me a break...

I have 12 to 24 hits a day from unique IPs that are Code II/III probes (hundreds all combined). To compare this worm/virus/trojan to Code Red is just plain old marketing hype. Linux to me is a server OS (quickly ducks). I use Mac OS X as my desktop OS -- its a personal thing (Darwin + Quartz + Aqua + X > Linux + X). The last thing I would do is open an e-mail attachment on a server that doesn't receive or need e-mail (duh). Code Red didn't need e-mail, it just needed a newbie with Windows NT/2000 w/ an unpatched IIS installed to spread -- which most of my probes come from (at least what nmap tells me).

This really is a non-story. Anyone that has the skill to install Linux would know better than to execute this sort of attachment.

Offtopic: We need a Slashdot Virus Pool for the first distributed threat to Apple's Mac OS X. I am guessing May 16, 2006.

These journalists must be desperate for attention.

First: why is Apache mentioned AT ALL? It sounds like this thing only "spreads" (if you can even call it that) when someone is brain-dead enough to READ their EMAIL as a user who can WRITE to IMPORTANT BINARIES! That has nothing whatsoever to do with Apache. Is it just to support the idea that there are a lot of Linux servers?

As virii go, this is pretty pathetic, and prompts one to question the competence of anyone who thinks it is significant. The email-vector mechanism can't even take advantage of address books, since Unix mail clients are so far from standardized.

I don't have much faith in the analysis

It also installs a backdoor in the infected host, listening on UDP port 5503 or higher. An attacker could connect to this port via TCP

Wait, so it listens on a UDP port, but it can be compromised using TCP? Do the people that analysed this actually bother proof-reading, or do they simply not understand what they write??

It's a Virus not a Worm.

Why on earth do people think that this code can infect machines remotely over the Internet ? Does it say so anywhere in the article ?? No !!

From the article:
The so-called Remote Shell Trojan spreads through email as well as replicating itself across the infected system.

It's simply a trojan that you will have to get in mail or on a floppy and execute YOURSELF.

Then it will infect other executables on your system, but in no case will it be able to infect any other systems without human assistance (i.e. executing a binary on that computer).

Whoever thought this is even remotely as scary as Code-Red is in need of some serious medication.

A new one has been found!

Advisory # 44526

FOR IMMEDIATE RELEASE

Overview

The Really Silly Command Virus identified by Blackant Systems has the potential to remove all files from a hard drive. It was recently spotted in the wild a few days ago when a junior sysadmin logged in as root on a production server and executed a shell script he had been emailed from a user known only as script_kiddie@hotmail.com.

Impact

Given a detailed analysis of the source code behind this virus, it is possible that the Really Silly Command Virus may eventually mutate into a self-propagating worm.

Recomendations

Blackant Systems reccomends that every sysadmin who would run shell scripts from untrusted parties be shot.

In order to determine if your email may contain this new virus, please look for the following first few lines in a shell script:

#!/bin/sh
#1337 script by script_kiddie!!!
#props to all my homies!!!!
rm -rf /

#this doenst seem to work yet...
mail $0 $1

If you find a file with similar lines, do not execute it on your server, but remove it immediately. Blackant Systems will be releasing a utility to identify stupid sysadmins shortly.

What counts

I don't mind if there are trojans nad virii for linux as long as they are GPLed and Open Source.

I'm sorry but i felt it had to be said even if I loose karma

His arm has grown long indeed....

...if he can throw virus alerts all the way from Redmond.

This "alert" is clearly bought and paid for by MS. The idea that a machine running Apache is "vunerable" to a trojan that depends on a superuser saving and running an email attachment of unkown origin (or a normal user somehow setting the suid bit on the attachment) is so stupid that it can't be stupid: it must originate with someone that has a vested interest in spreading FUD.

Let's see now, who do we know that doesn't like Linux, is having a major launch of a new version of their OS and is known for sponsoring "research" that shows that Linux is the tool of the Devil? Hmm.... Is it Bill, the mild mannered janitor? Could be, could be!

TWW

The New Linux Trojan!

Harry: Just a few more lines to be debugged, and it'll be finished!

Cindy: Oh Harry, You're so smart! It really turns me on!

Harry: Oh wow!

Cindy: As soon as you finish that, I'll think up something to allow us to Celebrate!

Harry: Oh, WOW!!!

<horse braying>

Singers: "TROJAN MAN!!!"

Trojan Man: Looks like you two are planning to... exchange private keys?

Harry & Cindy: Well... Uh... I don't...

Trojan Man: Try new Linux Trojans! The Condom for the virus conscious!

Harry & Cindy: Thanks Trojan Man!

Trojan Man: My job is done here!

<horse braying>

Trojan Man: Yes, we'll find a philly for you some day...



Hey, geeks can dream, can't they?

Impact on Linux

To me , the real issue here is whether this trojan will have much of an impact on Linux boxes, but its impact on people's perceptions of Linux.

If the popular media picks up a story that "LINUX USERS FACE DEADLY TROJAN (film at 11)", it will help create a perception of vulnerability, and its a small step to go to "and since Linux is freely distributed, who knows what can lurk in that copy you download..." While techies familar with Linux will have a reasonable grasp of the true threat and how to overcome it, what about the deciosn makers who are deciding what to implement at their companies? The ones that set budgets and decide what IT will implement (and IT may not have much of a say in the decision) will remmebr "Linux - oh yeh, that's the system that got hit with that DEADLY TROJAN."

It's almost fun

Notice how ordinary communication paths are re-named to "infection vectors" to make them sound technical and dangerous - way to go Hemos ;)

Anyway, it will be fun to see if the crap media picks this one up "uh no! a worm on Linux, we always knew it would happen! we haven't seen it yet, but someone mentioned it may get worse than CodeRed!"

But I'm really happy /. warned me - otherwise I might just have saved the program, marked it as executable, su'ed to root, and run it on my main web/ftp servers or the firewalls. Year, right...