Linked by Jordan Spencer Cunningham on Mon 14th Jun 2010 23:58 UTC
Bugs & Viruses Recently, the Linux version of UnrealIRCd was discovered to have had a Trojan worm its way into the source code. Even more embarrassing for the developers of Unreal is that the Trojan's been holding open the backdoor in the source code since November of 2009, not very recently. And, of course, bloggers and press in general are taking the opportunity of another breach in Linux security to point out doomsday devices that don't really exist.
Thread beginning with comment 430122
lemur2 (Member since: 2007-02-17)

> what does this have to do with Linux/*BSD/etc?

Not a lot.

UnrealIRCd is an open source, multi-platform, relatively obscure (on Linux) IRC server program.

http://en.wikipedia.org/wiki/UnrealIRCd

Someone found out that the distribution method for the Linux version of this particular program was the same as for other platforms ... it is distributed for Linux via an unsigned binary file.

Someone decided to attach a trojan to the binary file and replace the original Linux distribution file with the trojan-infected file for Linux on some of the UnrealIRCd mirrors, where it went undetected for a lengthy period.

As anyone knows, distributing unchecked binary files is a perfect vehicle for disseminating trojans. It was apparently on someone's agenda to illustrate that this is just as true for a Linux version of an application as it is for any other OS.

Edited 2010-06-15 13:23 UTC

Score: 2

ba1l (Member since: 2007-09-08)

Yeah, this can (and does) happen with Windows software as well. It's really a problem with the "run random files downloaded off the Internet" distribution model, rather than any particular OS.

This is yet another reason we shouldn't trust this way of distributing applications. Too dangerous.

Obviously, anyone distributing source code should sign the packages, to make sure they haven't been tampered with. Most end-users won't check them, but package maintainers certainly will. That'd at least prevent a trojaned version of an application from getting into a distribution's repository.

The more interesting question is this - is there some way to safely run random applications downloaded off the 'net?

Sticking purely to a distribution's package collection is (normally - see above) much safer, since all packages in most distributions are signed. It's just sometimes not enough.

Ubuntu's PPAs go some of the way towards fixing this. As long as you install the package signing key correctly, you can be sure that the packages haven't been modified. Doesn't protect you from deliberate attacks though - PPAs can contain just about anything, and how do you know if you can trust the PPA owner?

What you really need is some way to restrict what a PPA can do, and to sandbox all of the applications inside it. Lock them down (Linux already has all the infrastructure required to do this), isolate them from each other, and come up with a way to add permissions if required, ideally in a way that's transparent to the end user (so if it needs filesystem access, you can see that and decide for yourself if you trust it).

Score: 2

lemur2 (Member since: 2007-02-17)

> Yeah, this can (and does) happen with Windows software as well. It's really a problem with the "run random files downloaded off the Internet" distribution model, rather than any particular OS.
>
> This is yet another reason we shouldn't trust this way of distributing applications. Too dangerous.

Exactly so. The problem here isn't Linux, or Windows, or any other OS. The real problem is the distribution of unsigned binary packages as a means of distributing applications.

> Obviously, anyone distributing source code should sign the packages, to make sure they haven't been tampered with.

The word "source" here is redundant. Signing of packages is as valid for binary packages as it is for source code.

> Most end-users won't check them, but package maintainers certainly will.

This is not primarily the reason for signing packages. Signing packages merely ensures that the file you downloaded was originated by the person holding the key that it was signed with. Local package manager programs (such as apt-get) have a copy of the distribution's public key, and they therefore can check that the downloaded package really came, unmodified, from the distribution's repository. This is done automatically by the package manager program, it is not at all dependent on users doing anything. This has nothing at all to do with binary versus source code packages ... it works just as well for either one.

> That'd at least prevent a trojaned version of an application from getting into a distribution's repository.

Yes, that indeed is the result, in any event.

> The more interesting question is this - is there some way to safely run random applications downloaded off the 'net?

Unsigned? No.

> Sticking purely to a distribution's package collection is (normally - see above) much safer, since all packages in most distributions are signed.

Correct.

> It's just sometimes not enough.

A matter of opinion, surely. There are 25000 of the most popular open source packages in Ubuntu's repositories. For 90%+ of users, this will cover more than enough applications.

> Ubuntu's PPAs go some of the way towards fixing this. As long as you install the package signing key correctly, you can be sure that the packages haven't been modified. Doesn't protect you from deliberate attacks though - PPAs can contain just about anything, and how do you know if you can trust the PPA owner?

Check the number of downloads. If there have been many thousands of downloads and no complaints, and the PPA is still up and running after a reasonable time, then it probably contains no malware. This is especially true if the PPA offers both source and binary versions of the code, so that it is possible for recipients to compile the source to verify the binary for themselves. A small number of recipients might actually do this. In any event, if there have been a significant number of problem-free downloads over a decent period of time, the PPA keyholder can be trusted, one would surmise.

> What you really need is some way to restrict what a PPA can do, and to sandbox all of the applications inside it. Lock them down (Linux already has all the infrastructure required to do this), isolate them from each other, and come up with a way to add permissions if required, ideally in a way that's transparent to the end user (so if it needs filesystem access, you can see that and decide for yourself if you trust it).

This would simply restrict what one could actually include in a PPA. It would make PPAs useless for developing and testing of native applications ... which is what PPAs are actually meant for.

Edited 2010-06-15 14:36 UTC

Score: 2
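The check lemur2 describes above (a package manager verifying a download against a distribution public key it already holds), together with the signed-packages point in ba1l's comment, as an added example that is not part of this thread, of UnrealIRCd, or of apt: a small Go program that models a download mirror and a client that pins the maintainer's key. The keys are generated at run time, the "tarball" and "backdoor" are constructed stand-in byte strings, and Ed25519 stands in for the OpenPGP signatures apt actually uses. Three mirrors go through the same two checks: the genuine release, a mirror where only the package was swapped, and a mirror where the attacker also recomputed the checksum and re-signed with a key of their own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Mirror models one download mirror: the file it serves plus whatever
// verification material sits beside it. Whoever controls the mirror
// controls all three fields at once.
type Mirror struct {
	Package   []byte // tarball or binary as served
	Checksum  string // hex SHA-256 published next to the package
	Signature []byte // detached Ed25519 signature over the package
}

// Publish is the maintainer's release step: hash the package, sign it with
// the maintainer's private key (which never leaves the maintainer's machine)
// and hand all three artefacts to the mirror.
func Publish(priv ed25519.PrivateKey, pkg []byte) Mirror {
	sum := sha256.Sum256(pkg)
	return Mirror{
		Package:   pkg,
		Checksum:  hex.EncodeToString(sum[:]),
		Signature: ed25519.Sign(priv, pkg),
	}
}

// VerifyChecksum is what a user does when comparing a download against the
// .sha256 file fetched from the same site. It only proves the two files
// agree with each other, not who produced them.
func VerifyChecksum(m Mirror) bool {
	sum := sha256.Sum256(m.Package)
	return hex.EncodeToString(sum[:]) == m.Checksum
}

// VerifySignature is the package-manager check: the trusted public key is
// obtained out of band (shipped with the distribution, or installed once by
// the user), never downloaded from the mirror being verified.
func VerifySignature(trusted ed25519.PublicKey, m Mirror) bool {
	return ed25519.Verify(trusted, m.Package, m.Signature)
}

// Outcome records both checks for one mirror.
type Outcome struct {
	ChecksumOK  bool
	SignatureOK bool
}

func check(trusted ed25519.PublicKey, m Mirror) Outcome {
	return Outcome{VerifyChecksum(m), VerifySignature(trusted, m)}
}

// RunScenario plays the three mirrors against a client pinning the
// maintainer's key and returns the outcome for each.
func RunScenario() (clean, swapped, rekeyed Outcome, err error) {
	maintPub, maintPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}

	// Constructed stand-ins for a release tarball and a backdoored build.
	release := []byte("constructed release tarball bytes")
	backdoored := append(append([]byte{}, release...), []byte("\nconstructed backdoor")...)

	genuine := Publish(maintPriv, release)

	// Lazy attacker: overwrite only the package, leave checksum and signature.
	lazy := genuine
	lazy.Package = backdoored

	// Careful attacker: regenerate everything the mirror hosts. The checksum
	// is trivially recomputed; the signature can only be made with a key the
	// attacker holds, which is not the maintainer's.
	careful := Publish(attackerPriv, backdoored)

	return check(maintPub, genuine), check(maintPub, lazy), check(maintPub, careful), nil
}

func main() {
	clean, swapped, rekeyed, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine release:      %+v\n", clean)
	fmt.Printf("package swapped only: %+v\n", swapped)
	fmt.Printf("swapped + re-signed:  %+v\n", rekeyed)
}
```

The third mirror is the one that matters for the "compare against the checksum file beside the download" habit: the checksum passes, because an attacker who owns the mirror owns the checksum file too, and only the key held off the mirror catches the substitution. Real apt does not sign each .deb individually; it verifies the OpenPGP signature on the repository's Release (or InRelease) file, which carries the hashes of the package indexes, which in turn carry the hash of every .deb, but the chain from pinned key to downloaded bytes is the same as in the example, and a mirror that cannot produce a signature under the pinned key is rejected the same way.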