will the Linux Trojan have the same value as its Windows counterparts?
Given that the dacoits behind it seem to have provided a surefire way to avoid it - viz. run in a virtual machine - it can't be *that* valuable.
Cybercrooks have created a banking Trojan that targets Linux users, which is being touted for sale on underground cybercrime forums for just $2,000 a pop. The "Hand of Thief" malware is a rare example of malicious code written especially to target the open-source operating system. The digital nasty includes form-grabbers for …
"early sign of Linux becoming less secure as cybercrime migrates to the platform"
Linux has always been horrifically insecure. What they mean is that someone finally bothered to write some malware to target the tiny ~1% market share that it commands on the desktop...
I can't agree with that; the only issues I have ever had have been due to other programs running on the OS (whereby the program is not used how I would expect) or me being a plank when configuring something (I can equally configure something wrong on Windows like a plank as well). I think at least some examples should be provided to back your statement.
I've never concurred with the opinion that Linux was inherently safer than Windows in the sense of "you don't have to worry about it" which is too frequently the context in which the statement is used. It is in the sense that if you are security aware you CAN lock it down.
I'd also quibble over whether it is moving toward being less secure. Historically it has also been more secure in its default configuration. In the sense that the default configurations are becoming less secure it is true, but the ability to lock it down properly is still there. Also Windows has been asymptotically approaching Linux security in its ability to be locked down, but does look like it will always be asymptotically approaching it.
Ultimately the security of any system rests in the hands of the people who administer them. Which can be a really scary thought in the consumer market.
"Please explain how."
Here are a few:
Extreme levels of vulnerabilities - well over 900 in the kernel alone.
Weak security model - no proper ACLs without using 'experimental' NFS 4.1 filesystem.
No constrained delegation - Reliance on weak security tools that must run with root privileges like SUDO.
Weak control model - hacks like SEL are required to provide control and lockdown.
If you look at a market where Linux is actually used, like web servers, you are much more likely to be hacked running Linux than Windows Server.
> Extreme levels of vulnerabilities - well over 900 in the kernel alone.
I would like to see that.
Actually, if there are "900 vulnerabilities", there must have been a monster QA effort to actually find them in the first place. Hmmm...
> no proper ACLs without using 'experimental' NFS 4.1 filesystem.
What has NFS got to do with anything? Are you using NFS and pretending at security? Retarded much?
> No constrained delegation - Reliance on weak security tools that must run with root privileges like SUDO.
Never been a problem. Are you letting your users run wild on the machine? Are you stupid?
> Weak control model - hacks like SEL are required to provide control and lockdown.
About as much a "hack" as this. Anything else?
> If you look at a market where Linux is actually used, like web servers, you are much more likely to be hacked running Linux than Windows Server.
Reality says no.
Most trojans rely on stupid users installing crap and clicking through permissions and warnings. If you're working in a GUI the steps are almost the same in Linux and Windows, whatever the fanboys of both sides want to say about it. Multiple zero days to get through all the various restrictions of the web browser and the OS kernel is a pretty rare attack indeed. It happens through public services more readily, but those aren't used by end users for purposes a banking trojan would care about.
The problem with this idea is pretty simple. If someone has bothered to install Linux, what are the odds they're going to blindly allow your trojan to install itself and execute? Double that since the culture of Linux isn't like Windows users who go online to find software anywhere, a Linux user is normally looking in their own repository or rolling packages from source.
Quite right. Basic Safe Surfing practice means you avoid the vast majority of malware. (I personally advise against antivirus software. It is more trouble than it's worth and tends to lull users into a false sense of security)
Mind you, there is a lot of malware that can get in via JavaScript exploits in browsers, and there are quite a few privilege escalation exploits running around.
JavaScript remote code execution exploit + privilege escalation + rootkit = one pwned box, with no permission boxes to click through.
The most effective defence per unit of user inconvenience, IMO, is to turn off JavaScript by default (enabling it only for selected domains), using something like NoScript (or NotScripts in Chrome). It has the added bonus of blocking almost all adverts and invasive trackers, whilst leaving non-intrusive HTML-only adverts alone.
Your typical Linux user is probably wise to this. But what about all the Linux users who like to boast about how they installed Linux for their mum/gran, and how they were able to use it despite being a computer ignoramus?
And what about businesses who decide they will make all the receptionists and so on use Linux to save on costs?
Such people are just as clueless whichever OS they run.
Regarding mums' and receptionists' machines:
I've read a lot of comments around the web and know some people who do that. If they give the user su privileges, then said user may be suckered into installing something. However, JDX, do you know of any company that gives its users su privileges?
Linux is quite suited to the corporate desktop - it's much simpler to customise and lock down.
Have a nice troll!
I can't completely agree - Linux sysadmins generally take security stuff seriously, but I know lots of programmers working on linux boxes who do not.
As well, given distros like Ubuntu that are very easy to install for non-experts, and which pop up that "enter your password" dialog a lot, a trojan will probably succeed.
Back in 2007 the phalanx (phalanx2?) rootkit was used very successfully to penetrate a large percentage of the western world's Linux academic research networks. Those networks were operated by people who understood something about *NIX safety and security... how well do you think the average Joe Linux user will fare?
I don't think I'm unique in that, understanding my wife and kids are going to shop and try to do banking online, I've set up a PC with Linux for them to use for those purposes. Criminals are probably seeing that trend as well, and are simply responding to it. When asked why he robbed banks, famed criminal John Dillinger reportedly answered, "Because that's where the money is." Don't read more into it than there is.
They're probably testing the market here. I guess if there's no takers, or if the people who buy it find that it doesn't pay them back then it will stop being developed.
If this relies on user intervention to install software (which involves typing an admin password on virtually all linux installs) then I'd be surprised if it's very successful, unless people running linux really do believe that they're bulletproof. I think that's less likely to be true than for example OS X users, who are (massive generalisation here) less tech savvy and more prone to believe the "this OS is secure" hype.
You can install software on Linux without the admin password, so long as you bypass the package manager and simply copy your files to ~/.mypron. Modify .bash_profile to start your software and you're golden. OK, this is not very sophisticated and it's easy to spot if you know where to look, but plenty of folks won't know where to look or even bother (when was the last time you checked your .bash_profile?). I'm sure smarter folk than I can come up with ways to obfuscate all this to the extent that a casual perusal won't reveal anything amiss.
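The persistence route just described needs no root at all: everything lives in the user's own home directory and the shell's own startup files. The defensive counterpart is an audit of those files. The script below is an added example, not code from this thread or from any project discussed in it; it scans the usual login-shell startup files for lines that execute something out of an unfamiliar hidden directory under the home directory, or that start a detached background process. The allowlist of well-known dotdirs, the sample `.bash_profile` and the `~/.mypron/updater` path are all constructed for the example.

```python
import re
from pathlib import Path

# Startup files a login or interactive shell sources. All of them live in the
# user's home directory, so modifying them never requires the admin password.
STARTUP_FILES = (".bash_profile", ".bash_login", ".profile",
                 ".bashrc", ".zprofile", ".zshrc")

# Hidden directories that legitimate tooling commonly references from startup
# files. Constructed allowlist; extend it for your own environment.
KNOWN_DOTDIRS = {".local", ".config", ".cargo", ".nvm", ".rvm",
                 ".pyenv", ".rbenv", ".sdkman"}

# A path under the home directory that enters a hidden *directory*:
# ~/.foo/..., $HOME/.foo/..., ${HOME}/.foo/..., /home/<user>/.foo/...
HIDDEN_HOME_DIR = re.compile(
    r"(?:~|\$HOME|\$\{HOME\}|/home/[A-Za-z0-9_.-]+)/(\.[A-Za-z0-9_.-]+)/"
)

# Fragments that detach a process from the interactive session.
BACKGROUND_HINTS = ("nohup ", "setsid ", "disown", "&>/dev/null", "2>/dev/null &")


def audit_startup_text(text):
    """Return (lineno, line, reason) tuples for lines worth a second look."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for match in HIDDEN_HOME_DIR.finditer(line):
            dotdir = match.group(1)
            if dotdir not in KNOWN_DOTDIRS:
                findings.append((lineno, line,
                                 f"references unknown hidden dir {dotdir}"))
                break
        if any(hint in line for hint in BACKGROUND_HINTS):
            findings.append((lineno, line,
                             "starts a background/detached process"))
    return findings


def audit_home(home):
    """Audit every startup file present under `home`; returns {filename: findings}."""
    report = {}
    for name in STARTUP_FILES:
        path = Path(home) / name
        if path.is_file():
            found = audit_startup_text(path.read_text(errors="replace"))
            if found:
                report[name] = found
    return report


# Constructed sample .bash_profile: two ordinary lines, then a persistence entry
# of the kind described in the comment above (hidden directory, detached start).
SAMPLE_BASH_PROFILE = """\
# ~/.bash_profile
export PATH="$HOME/.local/bin:$PATH"
[ -f ~/.bashrc ] && . ~/.bashrc
nohup ~/.mypron/updater >/dev/null 2>&1 &
"""

if __name__ == "__main__":
    for lineno, line, reason in audit_startup_text(SAMPLE_BASH_PROFILE):
        print(f"line {lineno}: {reason}: {line}")
```

Run it against a real account with `audit_home(Path.home())`. The two checks are deliberately independent: a dropper that hides in an allowlisted directory such as `~/.local/bin` still trips the background-process check, and one started synchronously still trips the unknown-dotdir check.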
"You can install software on Linux without the admin password"
Well of course you can, you can also compile your own and run it from within your own account - but you can't readily allow global execution. Neither of these is a subtle introduction of malicious code to a machine.
"The Linux Desktop now has all the classes of applications that the Windows & OS/X refusenix require for their daily desktop experience."
Yes - but this has been true for years. The snag is, users don't require "classes of applications", they require specific applications. Whilst Libre Office is great (I use it every day), it is not an exact replacement for MS Office. While you can open Office documents in LO, the more complicated stuff doesn't work properly e.g. Excel macros - and you can bet that Microsoft will make sure that compatibility with MS Office remains a moving target.
Eadon has been erased. It is as if he never existed. Every single one of his 2761 posts has been permanently deleted.
"early sign of Linux becoming less secure as cybercrime migrates to the platform"
Linux is as secure or insecure as it has ever been. Obscurity != Security. Whilst it would be interesting to see a ratio of code complexity vs security bugs, just because more people are trying to exploit a platform, that does not make it less secure, just more financially viable to attack.
"early sign of Linux becoming less secure as cybercrime migrates to the platform" is a particularly silly statement, isn't it? As you've said, more financially viable to attack != less secure, that statement is just an attempt to get publicity.
Sadly it seems to have worked.
"... since Linux is open source, vulnerabilities are patched relatively quickly by the community of users. Backing this up is the fact that there aren’t significant exploit packs targeting the platform. In fact, in a conversation with the malware’s sales agent, he himself suggested using email and social engineering as the infection vector."
So conventional sanitary practise should apply.
"early sign of Linux becoming less secure as cybercrime migrates to the platform"
This statement is nonsense, since even the vendors of the malware confirm that there are no vulnerabilities for it to exploit. This malware is installed by conning users into doing something stupid. In that sense, it is in no way platform specific.
At the risk of being severely flamed, I would suggest that Linux probably has a smaller percentage of stupid users than any other desktop OS.
This complacence, that Linux users/installers are cleverer, more suspicious, more careful or that, because it is (mainly) open source, some first class programmer spends his free time patching (what a give away, "patching") a hole.
The smoother the various distributors make installation, the less likely that the installer needs knowledge, any more than for Windows or OSX, not that it was ever as difficult as people appear to believe. What was and is in some respects still awkward, is finding and evaluating the various bits and pieces needed for this and that package, media player or security.
As for quick patches: what guarantee that the patch, or the patcher, are any good? What guarantee that all the users of all the distributions will know about it or install it? Who tested and validated the patch, for all variants of the OS?
In point of fact, in my experience, the easiest people to con are those who think they are experts, especially those in the make-believe land of known, safe Linux distribution sites and no others. Have you ever looked at the various Linux "expert" sites at code examples in, say, shell code? Then at the paeans of praise for "saving my life"? Then actually examined the code by the clever bod? 9 times out of 10, even if it is any use, it needs to be rewritten to make it safe, reliable, portable or even do what it claims. Yes, been there, done that. I can assure you that much of the binary code source is not much better.
These people justify Apple's IOS policy more than ever and even that is not foolproof; but at least security and other patches are done by professional engineers and available to all users of IOS (if on a network) at the same time without expecting some sort of special training or experience.
I have worked, a lot, with Linux distributions, from installation, building, patching to simple end user, including versions where one really had to "build" the system (not just "make depend....").
I mean on Windows you google for the name of your software package + "free download" and download from the first hit. On Android you have some semi trustworthy store, or do the same as on Windows.
On most Linux distributions however, you don't get software that way. You have a package manager. You search for what you want in it, and install it. Distributions have people who have proven to be competent and trustworthy who download the code, check/modify it and get it compiled and signed. If something goes wrong, they will know and quickly update or remove that package.
The big point which makes your typical Linux distribution so much more secure than your typical Windows installation is the way of how you distribute your software. Virtually nobody downloads a binary and executes it. It's not something your browser offers to do for you. (actually it does when you have wine installed, that's a bug)
A nifty side effect of this is that updates are available via one central mechanism.
Agreed but what happens if the repository is compromised as has happened recently with ProFTPd?
http://www.theregister.co.uk/2010/12/02/proftpd_backdoored/
Then the simple act of updating your system from a supposedly trusted source can infect your system.
Don't get me wrong, I much prefer the centralised Linux way of updating software but we are placing a lot of trust in the repos
The hack of ProFTPd sounds like it compromised their servers, but it isn't clear that their signing keys were compromised. Since a package manager will check that the packages are properly signed (assuming you haven't done something stupid and turned off the check), it might have downloaded a bad image, but the signature would be off and so it wouldn't install it.
The real worry is a situation like Fedora had a few years back where their signing keys were compromised. THAT was a real problem. Fortunately the Fedora team handled it well with full disclosure.
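The protection described in the two comments above only holds while signature checking is actually switched on. On APT-based systems the two usual ways of switching it off are a `[trusted=yes]` option on a sources.list entry and the `APT::Get::AllowUnauthenticated` or `Acquire::AllowInsecureRepositories` settings in apt.conf. The script below is an added example (not the commenters' code, nor anything shipped by APT or a distribution); it flags both kinds of weak setting and rewrites a sources entry to its corrected form. The sample sources and apt.conf fragments are constructed, and the `.invalid` hostnames are placeholders.

```python
import re

# One-line sources.list format: deb [opt=val ...] URI suite component...
ONE_LINE = re.compile(r"^\s*(deb|deb-src)\s+(?:\[([^\]]*)\]\s+)?(\S+)\s+(\S+)")

# apt.conf settings that let unauthenticated packages or repositories through.
WEAK_CONF = re.compile(
    r'^\s*(APT::Get::AllowUnauthenticated|Acquire::AllowInsecureRepositories)'
    r'\s+"(true|yes|1)"\s*;', re.IGNORECASE)


def audit_sources_list(text):
    """Return (lineno, uri, reason) for entries that disable signature checks.

    `[trusted=yes]` makes APT treat the repository's packages as authenticated
    even if the Release file is unsigned or signed by a key APT does not know."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = ONE_LINE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not an entry
        options = (m.group(2) or "").split()
        opts = dict(o.split("=", 1) for o in options if "=" in o)
        if opts.get("trusted", "").lower() == "yes":
            findings.append((lineno, m.group(3),
                             "trusted=yes disables signature checks"))
    return findings


def audit_apt_conf(text):
    """Return (lineno, setting, reason) for apt.conf lines that weaken checks."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = WEAK_CONF.match(line)
        if m:
            findings.append((lineno, m.group(1),
                             "allows unauthenticated packages to install"))
    return findings


def drop_trusted_option(line):
    """Return the sources entry with any trusted=... option removed.

    This is the corrected form: APT falls back to verifying the Release file
    signature against the keys it actually trusts."""
    m = ONE_LINE.match(line)
    if not m or not m.group(2):
        return line
    kept = [o for o in m.group(2).split() if not o.lower().startswith("trusted=")]
    opts = f"[{' '.join(kept)}] " if kept else ""
    rest = line[m.end(2) + 1:].lstrip()  # everything after the closing ']'
    return f"{m.group(1)} {opts}{rest}"


# Constructed samples: one healthy entry, one weakened third-party entry,
# and a commented-out entry that must not be reported.
SAMPLE_SOURCES = """\
deb http://deb.debian.org/debian bookworm main
deb [arch=amd64 trusted=yes] http://mirror.example.invalid/thirdparty stable main
# deb [trusted=yes] http://old.example.invalid/ stable main
"""

SAMPLE_APT_CONF = """\
APT::Get::AllowUnauthenticated "true";
Acquire::Retries "3";
"""

if __name__ == "__main__":
    for lineno, uri, reason in audit_sources_list(SAMPLE_SOURCES):
        bad = SAMPLE_SOURCES.splitlines()[lineno - 1]
        print(f"sources line {lineno} ({uri}): {reason}")
        print(f"  fix: {drop_trusted_option(bad)}")
    for lineno, setting, reason in audit_apt_conf(SAMPLE_APT_CONF):
        print(f"apt.conf line {lineno}: {setting} {reason}")
```

Point the two audit functions at `/etc/apt/sources.list`, the files under `/etc/apt/sources.list.d/` and `/etc/apt/apt.conf.d/` on a real system; the deb822 `.sources` format (`Trusted: yes`) is not parsed here.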
> actually it does when you have wine installed, that's a bug
I tried it in Chromium just now. If you navigate to a .exe file, it automatically downloads it for you, then one click on an unlabelled "open" icon at the bottom of the window is all it takes to execute arbitrary code. There were no warnings.
Only install software from your own distribution's package repository, and update when advised. Those two pieces of advice alone should keep you about as safe as anything. (A few years ago I'd have added "Don't be root for a second longer than you have to".)
If you really have to install a package from outside of your distribution's repository, get the source code from a reputable site (such as SourceForge or GitHub) and build it on your own machine. If the source code is not available (which should raise a huge red flag: after all, they aren't earning out of it, so if they have nothing to hide, then they should have nothing to fear), run it inside a chroot with its own /home and a minimal /dev -- or preferably, use something else.
Criminal types are always going to exploit what they can for gain.
That does not mean they will be successful.
I am pleased to see most of the users of this forum get it straight.
...The developers of Linux are always trying to upgrade the protections that they create to protect against known or speculated attacks.
... Hundreds of different Linux distributions, all a little different or a lot different.
... Inherently good design.
... Security-conscious repositories on secure servers, monitored closely.
... Mostly smarter users at the end point.
... Most distributions limit root access to the local system (most not all)
Even if an exploit can be put into the wild it can't really survive and propagation is all but nonexistent in user space. And the odds of a server side Trojan or Malware really is low, at best.
While most Linux users will be more savvy than the average, there will be the "I installed Linux for the wife/girlfriend/elderly parent" users. For them, safety will reside in how careful they are at clicking links, downloading attachments, and saying yes. Until now most of those risks involved Windows exploits from which they've been immune. This development does open possibilities, however small.
Yes, but the "more savvy than the average Linux installing person" will create a restricted account for mom to use, so she cannot install anything -- even if she knew what "install" means, which I'm pretty sure my mom doesn't.
I'm sure it's not 100% tight, but better than leaving administrator access open. Now, the question is: how many friendly Linux-installing people are doing this, especially at the risk of being even more on support duty over the phone later? :-)
Social engineering to encourage users to install malware will always stand a chance of succeeding and the prospect of a Trojan appearing in the Repositories is not too far-fetched (but you still have to manually find it and install it from the 41,440 already there.)
But I expect the 'non-Linux' users/experts/fanbois are salivating over this (somewhere).
However, in the event of a malware moment, the Linux user has a disc/usb stick with the OS on it and can re-install a clean system in about an hour or so, depending on the spec of the computer. The Linux user has probably also separated his/her data from the OS into a separate partition.
In the event of needing a working computer immediately, the Linux user can use that Live Cd or USB to get up and running at once...
Can the Windows users say the same? For the majority of Win users out there I guess that the answer to that is, 'No'...
10 years ago...
http://www.theregister.co.uk/2003/10/06/linux_vs_windows_viruses/
and it's an old one, I know..
http://www.gnu.org/fun/jokes/evilmalware.html
and the long read..
http://linuxmafia.com/~rick/faq/index.php?page=virus
... all we can do is remain paranoid and vigilant...
"I do not know any Linux desktop users who have any money to steal."
Well I'm sitting here in my Swiss apartment reading this on my Linux desktop, with a Linux netbook nearby and connected by fish: to my Linux server in the UK. When we go home I'll process my holiday videos/photos on one of the Linux workstations and then go on holiday again in our motorhome. Rich? Not by Gates' standard, but pretty well off after a lifetime's work and saving and investment.
Linux by choice - it does all that I want
How are holidays on Vogsphere ?