Developer Ponders Release of Linux Malware

A developer who claims he is tired of the “Linux is secure” argument has set out to develop a “package of malware for Unix/Linux” in order to help ethical hackers demonstrate the vulnerability of the open source operating system.

“I was fed up with the general consensus that Linux is oh-so-secure and has no malware,” a developer going by the name of buchner.johannes wrote on Ask Slashdot, in posting filed by kdawson.

“After a week of work, I finished a package of malware for Unix/Linux,” Johannes wrote. “Its whole purpose is to help white-hat hackers point out that a Linux system can be turned into a botnet client by simply downloading BOINC and attaching it to a user account to help scientific projects.”

Johannes said the malware does not exploit any security holes, only loose security configurations and mindless execution of unverified downloads.

“I tested it to be injected by a PHP script (even circumventing safe mode), so that the web server runs it; I even got a proxy server that injects it into shell scripts and makefiles in tarballs on the fly, and adds onto Windows executables for execution in Wine. If executed by the user, the malware can persist itself in cron, bashrc and other files,” he said.

Johannes claimed the object of the exercise was to provide a payload so security people can ‘pwn’ systems to show security holes, without doing harm (such as deleting files or disrupting normal operation).

However he admitted to doubts over how ethical it would be to release the toolkit.

He has concerns that a genuine hacker would rip out the BOINC payload and put “in something really evil, could be turned into proper Linux malware.”

“On the one hand, the way it persists itself in autostart is really nasty, and that is not really a security hole that can be fixed. On the other hand, such a script can be written by anyone else too, and it would be useful to show people why you need SELinux on a server, and why verifying the source of downloads (checksums through trusted channels) is necessary,” he said.

“Technically, it is a nice piece, but should I release it? I don’t want to turn the Linux desktop into Windows, hence I’m slightly leaning towards not releasing it. What does your ethics say about releasing such grayware?” he asked.

There was a mix of opinions to Johannes’s debate over releasing the malware. One user by the name of Jeff321 said that he believed Johannes has already decided.

“There were two options,” Jeff321 wrote. “1. Release it anonymously and take no credit. 2. Write about it and get some credit (but then you can’t actually release it due to legal issues).”

“You can’t (and won’t) release it now,” he added. “If somebody gets attacked with your code, guess who they’re going to prosecute and/or sue.”

Another user, by the name of sopssa also waded in. “The summary says it doesn’t actually do anything malicious and it isn’t a worm. There is no legal reason why he couldn’t release the code and/or a paper about it,” said sopssa.

“The thing is, it’s stupid for people to keep thinking their systems are insanely secure,” he wrote. “Linux users fall for this all the time, because they’ve heard so from lots of other Linux users. It’s better to show people that it is actually possible, and maybe it leads to better secured systems too.”

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...

View Comments

  • My only question is, why Linux? I am, IMHO, an advanced Linux user (desktop and server) with over 10 years of experience and a security auditing background to boot. I am not, however, even in the slightest bit, dumbfounded that software such as this exists for the Linux platform... especially when you add "uneducated" end users into the equation, which appears to be the way this rootkit (if you can call it that) installs itself. I would argue that un-informed, click happy users account for 90-95% of the Windows platform infections and the other 5-10% are a result of unpatched software and/or operating systems. That being said, I personally always felt Apple would get "hit" first because Mac fan boys (and Apple themselves in advertisements) stated thousands of times "they" are 100% impervious to viruses/spyware whereas the only Linux users who would even remotely attempt to argue this fall back into my "uneducated" category. Just my two cents.

  • Distributions always stress out, you are at you own risk downloading third party package, so really he isn't the first to "ponder".

  • Is only as good as the administrator on any given system. Linux being more secure by default does not mean you can not install malware. Most malware, even in Windows gets there through user interaction, people downloading and installing it themselves. There is no patch for this. All we can do is educate people.

  • There has been "malware" available for Linux for a long time but it is different to Windows malware. Linux malware requires the intervention of a person and some people are just plain stupid and others are very gullible. How many offers for millions of dollars from Nigeria do you need to prove this?

    Windows has got much better but the relentless UAC permission requests in Vista have once again just got people used to clicking "Yes". If you have physical access to a computer it isn't secure, if that person runs programs with Administrator/root permissions then the system will be compromised. That is just the nature of the beast.

  • Nice to note it will only run under Wine. So if the user really dumps his Windows apps and just runs native Linux applications I guess it has not effect on the system.

    Am I correct?

    If so then this is windows Malware..

  • Security, or the lack of it, needs to be up front and out in the open. Microsoft and their security partners have somehow convinced the World that Microsoft's atrocious security is normal, it isn't. It only seems normal because nearly all of the World's computer users have never known any other computer/security relationship. I kind of get a little miffed when the Linux community are accused of declaring Linux as unsinkable. I do often see phrases like "Linux has no viruses" but only from non-Linux users assigning that nonsense to us. I can't remember seeing something like that from a real Linux user. So let me just say that GNU/Linux has security holes, known and unknown. But it is not, nor will ever be, the security disaster that is sold by Microsoft. Proving that Linux can be infected is not proving that 35,000 node BotNets will be common if it becomes the World's OS. Roughly 14 billion USDs are siphoned off of users and enterprises each year to pay for computer security or to clean up after it's failure. GNU/Linux represents a mortal threat to that industry. I expect to see a lot more of "Linux users say Linux is impervious to malware" followed by "hey look, Linux just got a virus, guess it's no better than Windows".

    Part of learning to use Linux is learning to rely on the Package Manager and the repositories instead of downloading willy nilly off the Web. That system has 98% of what 98% of the users need or want. If you are thinking of mentioning Photoshop don't bother unless you paid for it. Professional photographers use it and pay full price too. Using a pirated copy of PS to crop your family's vacation photos does not count as a must have application.

    Linux is not immune to malware, but then no software is. It was, however, designed from the first line of code to be safely connected to the rest of the World. Windows still has single-user legacy code deep down in its heart. If you really want to prove that Linux can get malware, here's a gem for you. http://www.geekzone.co.nz/foobar/6229

Recent Posts

Northvolt Mulls US Bankruptcy Protection – Report

Troubled battery maker Northvolt reportedly considers Chapter 11 bankruptcy protection in the United States as…

20 mins ago

FTC Plans Investigation Into Microsoft Cloud Business – Report

Microsoft's cloud business practices are reportedly facing a potential anti-competitive investigation by the FTC

2 hours ago

Programmer Sentenced To Five Years In Prison For Bitcoin Laundering

Ilya Lichtenstein sentenced to five years in prison for hacking into a virtual currency exchange…

4 hours ago

Hate Speech Watchdog CCDH To Quit Musk’s X

Target for Elon Musk's lawsuit, hate speech watchdog CCDH, announces its decision to quit X…

20 hours ago

Meta Fined €798m Over Alleged Facebook Marketplace Violations

Antitrust penalty. European Commission fines Meta a hefty €798m ($843m) for tying Facebook Marketplace to…

22 hours ago

Elon Musk Rebuked By Italian President Over Migration Tweets

Elon Musk continues to provoke the ire of various leaders around the world with his…

23 hours ago