A deb package claiming to be a screensaver is malicious

Releases and other announcements
Forum rules
Section reserved for the team. You can reply to announcements here but not post new topics.

Re: A deb package claiming to be a screensaver is malicious

Postby rich_roast on Sun Jan 03, 2010 4:06 am

I'm reasonably well-informed that in this case it wasn't a virus but a trojan, fortunately - it didn't seem to have any way of self-replicating. It was an example of social engineering in that the kiddie used a well-known and reasonably trusted site to spread the malware. I have seen at least one other (legitimate) screen saver distributed as a .deb on that site, and even where sources are provided afaik you still need root permissions to "make install" or copy the contents of the package to wherever in /usr/share/ (I'm sure it can be worked around to avoid system-wide installs but most of the time the instructions for any screensaver offered there involve "becoming root" at some point).

Bottom line is that too much of the time sudo is skipped as a sort of chore rather than a warning from the system - who here actually does check what gDebi has to say or opens a package to look at it before entering the passphrase? I also know that on occasion I've thought for all of three seconds before deciding that importing a GPG key was too much of a chore, for example. Shame on me.

Unfortunately I agree with posters above who point out that the bug lies behind the keyboard in this case. Make sudo more restrictive (e.g. make your default user not a sudoer) and making system changes, even regular updates, becomes tiresome; keep it as it is and less experienced / more lazy users will fall victim to giving their root password to what amounts to a perfect stranger without checking what they are doing first. Same goes with putting in code found in forums or blogs. One doesn't even need root privileges to hose ones data. rm -rf tilde is a really scary set of characters - ideally users would chmod their data to make it read-only by default but I don't know of anyone who actually does this (except me very recently). I don't know much about SE Linux or hardened kernels, but I wonder if as time goes on the whole reliance on permissions as the primary defence against accidents or malicious acts will fade away and predefined security contexts will take over.

What I'm wondering is why does a user need to enter a root password to update their system? The PGP-key check is relied on to check the source is kosher anyway, the user has already defined what to update and what to leave alone (in theory :wink: ), or left it to the skilled developers. So why this final check? Who actually doesn't just enter their root password, perhaps scroll through the list and click "OK get on with it", and why should they do any more? And yet, it's this kind of routine work which reinforces the bad notion that entering the root password is just part of a chore rather than a warning to be taken seriously. Thus, permissions should be more context specific - updates should require root password to reconfigure them (change sources or whatnot), but to simply keep the system up to date the process shouldn't need the user's constant reassurance. And so on. Why does one need root permissions to pop some pixmaps in /usr/share ? That's crazy. The root - user dichotomy is far too strong, there needs to be a gradation in permissions so that users can make safe changes, say installing a bunch of new pixmaps for a screensaver (ahem), but get a warning and a requirement for doing anything that could be a threat, like chmod +x as root on a file headed for /sbin, or putting something new in /etc/profile.d instead of the user's own profile...

I'm not a security expert or anything and I'm sure there're significant problems about implementing something along the lines of the above, but either users stop getting bugged about their password for routine tasks or they will on occasion hand it out to the wrong person (i.e. their malicious software). I seem to recall, a while back, a problem in Vista where users en masse disabled its equivalent of su because it was constantly in their face. That way lies baldness and poverty.

The encouraging thing about the incident in question was how quickly it was discovered, communicated and fixes were distributed, although this was facilitated in part because the perpetrator, script kiddie that they are, omitted to actually supply a screensaver with the trojan which sort of gave it away a bit :lol:

Nevertheless I suspect that if and as attacks on Linux desktops begin to appear more frequently, it will be the strength of the community that will be a new challenge for the malicious. Where in proprietary software there must be PR, code secrecy and perhaps even legal concerns, communities using free software like GNU/Linux may go ahead and pounce all over anything that's discovered, to the extent that I believe Ubuntu forum users in the original post even launched a small investigation on the person who released the trojan. In this particular instance the community had the advantage simply knowing Linux a lot better than the kiddie who didn't seem to have a fantastic understanding of permissions or scripting. Nevertheless as a community our collective understanding of our operating system should always outstrip that of a given individual, and that shared hacker know-how will perhaps stand as a better defence than the reliance in other communities on proprietary and automated software tools which, on day zero, inevitably fall behind the enemy.

It sounds vigilante and I suppose it is, but there was an agility about the response to this threat which was eye opening and encouraging.
User avatar
rich_roast
Level 6
Level 6
 
Posts: 1136
Joined: Sat Sep 05, 2009 4:37 pm

Linux Mint is funded by ads and donations.
 

Re: A deb package claiming to be a screensaver is malicious

Postby linuxviolin on Sun Jan 03, 2010 10:43 am

If you want some information about Mac (and a little Linux, Unix, at the end), and some examples, you can read my post at http://forums.linuxmint.com/viewtopic.php?f=61&t=35527&p=223615#p223615

Yes, there are virus/malware on Mac... and on Linux and Unix too!
K.I.S.S. ===> "Keep It Simple, Stupid"
"Simplicity is the ultimate sophistication." (Leonardo da Vinci)
"Everything should be made as simple as possible, but no simpler." (Albert Einstein)
User avatar
linuxviolin
Level 8
Level 8
 
Posts: 2055
Joined: Tue Feb 27, 2007 6:55 pm
Location: France

Re: A deb package claiming to be a screensaver is malicious

Postby linuxviolin on Sun Jan 03, 2010 7:33 pm

ikey, good post! :!:

And your post makes echo to what I wrote to the end of my post at the location given in my precedent post:

"You can also consult a site like http://www.packetstormsecurity.org/ to measure how many, day after day, appear many critical vulnerabilities for SunOS, GNU / Linux, Unix, Mac OS X... which are in probability less often corrected than in Windows due of some laxity by the user."

And it's also for this a user MUST make/apply the security updates/patches as soon as possible, as soon as they become available, even for the kernel updates for example. And the distro maintainer MUST give these patches soon after their publication. This is a good security policy! :twisted:
K.I.S.S. ===> "Keep It Simple, Stupid"
"Simplicity is the ultimate sophistication." (Leonardo da Vinci)
"Everything should be made as simple as possible, but no simpler." (Albert Einstein)
User avatar
linuxviolin
Level 8
Level 8
 
Posts: 2055
Joined: Tue Feb 27, 2007 6:55 pm
Location: France

Re: A deb package claiming to be a screensaver is malicious

Postby rich_roast on Fri Jan 08, 2010 10:05 pm

Reviewing the discussion here just prompted my memory to recall the "More Control and Package Management using Package Users" scheme by Matthias S. Benkmann for Linux From Scratch. The full document is here. Please focus on sections 1, preface, and 3.1, introduction, if you're consulting it, as this best explains the principle and doesn't get too entangled with the specifics of an LFS build. I never implemented this for my own LFS back when I was running it, but I was very attracted to it at the time, merely lacking the time or the confidence to put it in place.

The deal-breaker is automation; the document was directed, IIRC, at admins rather than at single users of desktops, and entailed quite a bit of effort (this being the reason why I never bothered with it). From a security standpoint, and thinking about what Ikey wrote about - I guess you'd call it fundamental Linux (Unix-like?) principles - I can't fault the system, and if it were possible to take care of the complications it raises in an automated fashion for single desktop users it would be far more secure and reliable than the current approach of having everything except ~ belonging to root.

In the specific instance of the malicious scripts the .deb package that is the subject of this thread installed, they would be easily annihilated after a find of that package's user's files, and they wouldn't be able to cause too much harm in the first place since, and this is important, they would not have root rights.

I hope I'm not being tremendously anachronistic and/or foolish in submitting this, I've not properly reviewed or thought about the scheme, but I thought it might be a good basis for thinking around the present strong and dangerous dichotomy between root and user. Of course, the trouble would be in departing or seriously adapting dpkg, but as a starting point for thought on the matter I hope it's of some interest.
User avatar
rich_roast
Level 6
Level 6
 
Posts: 1136
Joined: Sat Sep 05, 2009 4:37 pm

Re: A deb package claiming to be a screensaver is malicious

Postby linuxviolin on Mon Feb 08, 2010 9:33 am

Just a new information about malwares/virus in Linux:

Pretty much every Linux user thinks they're immune to viruses, but they're wrong. Just recently, malware was found hidden inside an innocuous-looking Gnome theme from a reputable site. Users who installed the theme also got several scripts installed as root that were designed to attack internet targets, but it could easily have been much worse.

You see, the problem with thinking that Linux is immune is that sooner or later, something like this happens

(Thursday February 4th 2010)
K.I.S.S. ===> "Keep It Simple, Stupid"
"Simplicity is the ultimate sophistication." (Leonardo da Vinci)
"Everything should be made as simple as possible, but no simpler." (Albert Einstein)
User avatar
linuxviolin
Level 8
Level 8
 
Posts: 2055
Joined: Tue Feb 27, 2007 6:55 pm
Location: France

Re: A deb package claiming to be a screensaver is malicious

Postby linuxviolin on Tue Feb 09, 2010 5:01 pm

ikey wrote:Please provide the link to that post

Ok. It was just an excerpt from the beginning of the article at http://www.tuxradar.com/content/get-best-virus-scanner-linux (Get the best virus scanner for Linux - Posted at 1:12pm on Thursday February 4th 2010)
K.I.S.S. ===> "Keep It Simple, Stupid"
"Simplicity is the ultimate sophistication." (Leonardo da Vinci)
"Everything should be made as simple as possible, but no simpler." (Albert Einstein)
User avatar
linuxviolin
Level 8
Level 8
 
Posts: 2055
Joined: Tue Feb 27, 2007 6:55 pm
Location: France

Re: A deb package claiming to be a screensaver is malicious

Postby DrHu on Tue Feb 09, 2010 6:11 pm

Something like the zeroinstall, roxfiler/roxdesktop, which allows user installed system software can prevent much of even this type of problem
http://0install.net/injector.html
    Zero Install Injector: Downloads
    The injector (0launch) is a small Python program. You ask it to run a program by giving it the program's full name (a web address). The injector does not need to be installed or run as root. It does not write to any shared directories (like /usr/bin or /usr/lib). It stores downloads in a cache directory so that you don't need to download anything twice, and programs can still be used when you are off-line.
http://rox.sourceforge.net/desktop/static.html
    Although not as efficient as the shared library approach of Linux and most modern OS's
    giving .dll (windows) or dependencies issues (Linux)
User avatar
DrHu
Level 16
Level 16
 
Posts: 6292
Joined: Wed Jun 17, 2009 8:20 pm

Re: A deb package claiming to be a screensaver is malicious

Postby rfruth on Wed Feb 10, 2010 12:09 am

thanks 4 the heads up !
User avatar
rfruth
Level 1
Level 1
 
Posts: 47
Joined: Mon Jan 15, 2007 11:53 am
Location: Texas (USA)

Re: A deb package claiming to be a screensaver is malicious

Postby Melon Bread on Sat Mar 06, 2010 11:52 am

Thanks For The Tip, I Will Spread The Word
User avatar
Melon Bread
Level 1
Level 1
 
Posts: 16
Joined: Sun Sep 13, 2009 7:09 pm
Location: USA

Re: A deb package claiming to be a screensaver is malicious

Postby rich_roast on Tue Apr 27, 2010 6:11 pm

As part of what seems to be a now monthly necromancy of this thread, I'd like to rejoin by pointing out that some users appear to be logging in to their X session as root, perhaps on a regular basis. See this and this.

Probably not cool.

ikey wrote:.desktop files look like one possibility, another being the high usage of Python and bash scripts readily available
on the Internet. I, for one, always read through the code before executing said script, maybe I'm just
paranoid :) I know for a fact that many people don't, and if the script is of some considerable size, or of the
self-extracting .run type shell scripts, people will not bother to even look. That to me is a yet unexploited
possibility for the malicious um.. 'developers' out there.


Agreed, it is essential to carefully look over and make sure one understands fully the script that's about to be executed. Even discounting malicious third parties, accidents cost (Linux) lives too :wink: Whenever I post some commands that need su(do) (kinda rare), I pray (and sometimes point out explicitly) that the user should review the code before executing it.
User avatar
rich_roast
Level 6
Level 6
 
Posts: 1136
Joined: Sat Sep 05, 2009 4:37 pm

Re: A deb package claiming to be a screensaver is malicious

Postby rich_roast on Tue Apr 27, 2010 7:07 pm

ikey wrote:Long time no speak rich, hi :)


ikey, hi o/

I've not been on irc for a few months and my forum activity's been sporadic because apparently my life is in a state of "transition" (substitute whatever expletive is appropriate for what's in quote marks :wink: ). There's a half-decent chance I'm going to try to establish some regular irc hours to coincide with my downtime in the near future. See you Friday eve gmt (not just ikey, a great guy, but everyone. It's like going to the bar or caff, except most everyone has a similar interest to you. If you have an irc app on your phone you could even be at the rl bar and on irc at the same time :D )

ikey wrote:I'd like to point out a post made by Fred (much love :D) : http://forums.linuxmint.com/viewtopic.php?f=90&t=46634&p=269043#p269043 which iterates just some of the risks of being root.
(I know rich_roast has seen it but I feel others should take the time to look too :))


Yes, absolutely a great point by Fred. I try to touch upon it in the sticky draft by mentioning zero-day attacks and security holes, but Fred's great for explicitly outlining what sort of attack could find a user logging into an X session as root defenseless.
User avatar
rich_roast
Level 6
Level 6
 
Posts: 1136
Joined: Sat Sep 05, 2009 4:37 pm

Re: A deb package claiming to be a screensaver is malicious

Postby Nexus on Wed Apr 28, 2010 9:10 pm

clem wrote:DEB packages do not only contain data, they can also contain executable code. A lot of packages do, and this code is executed with root permission. So for instance, a DEB could contain "nothing" and have an "rm -rf /" as its post-installation script, and that would be run as root...

So be aware that debs aren't simply containers, they're very much like Windows self-installing .exe files, and they get run with full permissions. One of the main reasons why Linux is safer than Windows is because distributions package the available software themselves and so you rarely have to get .debs from untrusted sources, whereas Windows simply provide the OS and lets you browse the Web to get everything else... so most Windows users are used to install things they don't know without looking at where it came from. Don't be tempted to do the same under Linux as it's just as dangerous.

Clem.


I try and scream and yell this to the masses as often as I can, just because you are using a *nix type system you can never ever be complacent in protecting your system. I think I make the Mac guy at Best Buy cry every time I walk in because I make sure to point out the whole "Mac's don't get virus'" stick is a sales gimmick. No they don't get actual virus' most of the time it's not that they can't, but the average end user can't tell the difference between a Virus, a Trojan, or simple Adware, and there are some out there that can get us as well as the M$ fans.

I've not been using Mint myself very long, actually Mint 8 is my first install of it after spending time evaluating several Linux Distributions after I decided to move away from Windows, and I can promise each and every one of you the same thing. The first thing I installed outside the OS was some type of AV software!
User avatar
Nexus
Level 2
Level 2
 
Posts: 83
Joined: Wed Mar 10, 2010 2:45 am

Re: A deb package claiming to be a screensaver is malicious

Postby rich_roast on Fri Apr 30, 2010 1:42 pm

While antivirus software is a good idea and certainly a courtesy to users of OS's more vulnerable to current day threats, it is not a preventative solution in itself in that it does not (to the best of my knowledge) actively prevent the execution of malware it can detect unless configured to scan everything upon execution (a significant drain on resources), and is also vulnerable to zero day attacks (malware it cannot yet detect). In a sense, by the time an av detector/quarantine/repair program has identified a threat, the payload has already been dropped. A user installing such software will already, no doubt, be aware of these issues, but it seemed worth pointing out.

It is certainly a very good idea to scan for malicious software and other users still will advocate using something like tripwire to monitor changes made to the file system, in addition to a firewall, but all the tools in the world are still much less powerful when not combined with good common sense and some understanding of how malware works and is propagated.

Further, attacks occurring server-side or by exploiting browser security holes might be harder to prevent by such measures, although there are add-ons for Firefox, at least, to help protect against these (e.g. noscript), and all browsers to my knowledge have the option to disable javascript completely. That said, this is again a somewhat unappealing solution since it sacrifices much of the browsing experience. Other tools like irc clients and perhaps even a microblogging client like Gwibber could also have similar issues (although it's hard to imagine 140 characters being sufficient to create malicious code that would actually execute...) Finally, of course, there is phising and social engineering, and while Google's and other spam filters are very good there is the occasional "foreign prince" or bogus bank that gets through, and there are known malicious sp/cammers operating in other avenues (e.g. on Twitter, Facebook) right now. Even if you are protected on your computer, you might not be on your mobile device. I have learned that it is possible in the UK, though has not apparently been exploited, to send text messages spoofing another mobile "number", such that it is possible to send mobile users fake balance updates from "banks" - you can probably see the idea at this point.

Thus it is worth emphasizing that in all matters of personal and data security, some common sense and alertness on the user's part remain the most efficient preventative, and ultimately it is a user's responsibility to employ these. I sometimes get the feeling that the gamut of security tools, while certainly helpful if not essential, also encourage an undesirable (and unintended) sense of complacency, in a similar way to the outlandish declarations of total safety that have been so rightly pointed out.

I hope that the presence of users logging in to X sessions as root is not a consequence.
User avatar
rich_roast
Level 6
Level 6
 
Posts: 1136
Joined: Sat Sep 05, 2009 4:37 pm

Re: A deb package claiming to be a screensaver is malicious

Postby security on Wed Jun 30, 2010 9:53 am

Hi all,

I am new to Mint.
Please correct me if I'm wrong.
1.) When I install a package I have to enter my root password to install weather I use package manager or Terminal.
They are the only places I install from.

2.) Is there a mint only area to install packages, I thought we shared the same server as Ubuntu?

Thank you
security
Level 1
Level 1
 
Posts: 2
Joined: Wed Jun 30, 2010 9:29 am

Re: A deb package claiming to be a screensaver is malicious

Postby Oscar799 on Wed Jun 30, 2010 10:23 am

Hello security,
Please start a new thread with your question,I would suggest posting this one to Newbie Questions.
Questions added to the end of old threads tend to get missed and can remain unanswered.
oscar799
Forum Moderator
Image
"Don't fix it if it ain't broken,don't break it if you can't fix it" Husse
Registered Linux User #511789
User avatar
Oscar799
Level 18
Level 18
 
Posts: 8701
Joined: Tue Aug 11, 2009 9:21 am
Location: United Kingdom

Re: A deb package claiming to be a screensaver is malicious

Postby JeremyinNC on Fri Jul 23, 2010 5:44 pm

Re: things that install software.

That's almost true, there are a few things that can prompt you unsolicited (like going to a website or of an app needs a codec). I'm not sure how locked down Mint is, I am still learning it, but if you are getting prompted and don't feel comfortable answer no.

It's easy to google the stuff but hard to clean your infected box.

I think the mint only stuff comes with the added repositories, you shouldn't need to do anything but enjoy what they maintain (and maybe help out).
JeremyinNC
Level 1
Level 1
 
Posts: 1
Joined: Tue Jul 20, 2010 6:51 pm

Re: A deb package claiming to be a screensaver is malicious

Postby eric.proctor on Wed Jul 28, 2010 8:26 am

markfiend wrote:
ikey wrote:A chain is only as strong as its weakest link, so they say. I think Linux users should still be aware that any system
is still fallible in some way or other. Just because Linux is fundamentally more secure, this does not mean that
users should throw all caution to the wind.

Or as the saying goes: the most common source of computer failure is between the keyboard and the chair...



PEBKAC error.
eric.proctor
Level 1
Level 1
 
Posts: 1
Joined: Wed Jul 28, 2010 8:21 am

Linux Mint is funded by ads and donations.
 
Previous

Return to Releases & Announcements

Who is online

Users browsing this forum: No registered users and 2 guests