#1
May the Ubuntu Be With You!
Hypothetical virus for Ubuntu
A user (who uses su or sudo, but is not root) downloads an executable program and runs it. The program creates a directory ~/.virus and adds it at the beginning of the PATH in his .bashrc. Now, the virus copies all (or just some of the most commonly used) programs that are often used with sudo to ~/.virus and modifies them (injection of binary code, or adding something to the source and compiling a new binary) to record the sudo password. At this point, the password can be sent home to the attacker, or used by the virus automatically to do ... anything to the system.
My question: is this possible? Have I missed something?
__________________
But I mean no harm nor put fault On anyone that lives in a vault But it's alright, Ma, if I can't please him.
#2
Chocolate-Covered Ubuntu Beans
Join Date: Nov 2005
Location: Canada
Re: Hypothetical virus for Ubuntu
Sure, though I don't think the author of the virus would be so conspicuous as to leave ~/.virus.
The problem is the user's use of su/sudo; as long as he/she is tricked into giving up the password, a cracker wouldn't have to be so clever to cause great harm. On a somewhat related note, wasn't there a bug in Breezy where the user's password was stored in a file viewable by anyone? I'll post the link if I find it.
#3
May the Ubuntu Be With You!
Re: Hypothetical virus for Ubuntu
Well, the point here is that the user will not actually enter the sudo password when running the untrusted program. (and .virus is just an example. It could be hidden deep inside .themes or something) Instead, he will run a program as a regular user, thinking that it's perfectly safe, and the program will later steal the sudo password.
__________________
But I mean no harm nor put fault On anyone that lives in a vault But it's alright, Ma, if I can't please him.
#4
HP Mini 1120nr User
Join Date: May 2005
Location: US
Ubuntu 9.10 Karmic Koala
Re: Hypothetical virus for Ubuntu
Here's that link, Nalmeth.
I don't know all the technical details, but my feeling is that if you're running random executables from untrusted sources, your computer is going to be compromised sooner or later.
#5
Dark Roasted Ubuntu
Join Date: Apr 2005
Location: Hampshire, UK
Re: Hypothetical virus for Ubuntu
I see nothing wrong with your analysis, and it's a pretty hard vector to guard against. In fact, the only thing I can think of is that sudo be modified to check your current $PATH to make sure that "common" root-only executables (e.g. apt-get) are not "hidden" by identically-named executables that reside in a path writable by non-root users, and to issue a warning if such a "shadow" executable is found. This is far from elegant/foolproof, though.
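The $PATH shadow check this post proposes, written up as an added example (my code, not the poster's and not part of sudo): it walks a PATH string and reports watched commands whose first hit lies outside the package-managed directories while one of those directories also provides them, noting whether the shadowing directory is writable by the current user. The watch list, the trusted directory list and the demo layout are assumptions constructed for the example.

```python
import os
import tempfile

# Watch list constructed for this example: commands the thread mentions as
# run under sudo or as hosting the password prompt.  Extend as needed.
WATCHED = ("sudo", "su", "apt-get", "gnome-terminal", "passwd")
# Where package-managed binaries live on Ubuntu.
TRUSTED_DIRS = ("/usr/local/sbin", "/usr/local/bin", "/usr/sbin", "/usr/bin",
                "/sbin", "/bin")

def _provides(directory, name):
    p = os.path.join(directory, name)
    return os.path.isfile(p) and os.access(p, os.X_OK)

def find_shadowed(path_value, watched=WATCHED, trusted=TRUSTED_DIRS):
    """Return (command, shadow_path, trusted_path, dir_writable) for each
    watched command whose first PATH hit lies outside the trusted dirs while
    a trusted dir also provides it; dir_writable tells whether the current
    user could have planted the shadow, as the ~/.bashrc trick requires."""
    trusted = tuple(os.path.normpath(t) for t in trusted)
    # An empty PATH element means the current directory; keep it as ".".
    entries = [os.path.normpath(e or ".") for e in path_value.split(os.pathsep)]
    findings = []
    for cmd in watched:
        first = next((e for e in entries if _provides(e, cmd)), None)
        if first is None or first in trusted:
            continue
        real = next((t for t in trusted if _provides(t, cmd)), None)
        if real is None:
            continue  # not a system command, so nothing is being shadowed
        findings.append((cmd, os.path.join(first, cmd),
                         os.path.join(real, cmd), os.access(first, os.W_OK)))
    return findings

def demo():
    """Constructed layout: a stand-in system dir and a user-owned dir that
    both carry apt-get, with the user dir first in PATH as in the thread."""
    root = tempfile.mkdtemp(prefix="shadowcheck-")
    sysbin, mine = os.path.join(root, "sysbin"), os.path.join(root, "mine")
    for d in (sysbin, mine):
        os.mkdir(d)
    for d, name in ((sysbin, "apt-get"), (sysbin, "sudo"), (mine, "apt-get")):
        with open(os.path.join(d, name), "w") as f:
            f.write("#!/bin/sh\nexit 0\n")  # harmless placeholder "binaries"
        os.chmod(os.path.join(d, name), 0o755)
    bad = find_shadowed(mine + os.pathsep + sysbin, trusted=(sysbin,))
    ok = find_shadowed(sysbin + os.pathsep + mine, trusted=(sysbin,))
    return bad, ok  # one apt-get finding, then an empty list
```

Run find_shadowed(os.environ["PATH"]) from your own shell account to check the real PATH; demo() shows the expected result on the constructed layout.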
#6
Dark Roasted Ubuntu
Join Date: Aug 2005
Location: Boston (British Expat)
Ubuntu 8.04 Hardy Heron
Re: Hypothetical virus for Ubuntu
Hmmm, we basically have a list of known safe software and all the files involved in those programs. If someone were to come up with a stupid user computer checker that could be run on computers via a cron job just to check for things such as .bashrc modifications, cron modifications and files which don't belong to any packages and are executable.
That wouldn't stop damage being done by a virus, but it would stop one from remaining in the system. The biggest threat is when it goes into the cron, because those system crons run as root, unlike .bashrc which runs as the user, and they'd have to type in their password all the time to allow the virus to do more harm or send more spam. Obviously the programs outlined above wouldn't be useful to a technical user who's compiling things, but they should know better.
__________________
42 is not an answer, it's an error code. the universe is saying 'Error 42: meaning to universe not found' Unemployed Programmer and Massachusetts LoCo Leader
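The "executables that don't belong to any package" check from this post, as an added example (my code, not the poster's and not an Ubuntu tool): it reads the per-package file lists dpkg keeps under /var/lib/dpkg/info and reports executables in the given directories that no list claims. The demo layout is constructed; on releases with a merged /usr, scan /usr/bin rather than /bin so the paths compare like for like, and expect locally compiled software to be listed, as the poster notes.

```python
import glob
import os
import tempfile

def packaged_files(dpkg_info_dir="/var/lib/dpkg/info"):
    """Every path claimed by an installed package, read from the *.list
    files dpkg keeps (one absolute path per line)."""
    owned = set()
    for listfile in glob.glob(os.path.join(dpkg_info_dir, "*.list")):
        with open(listfile, encoding="utf-8", errors="replace") as f:
            owned.update(os.path.normpath(line.rstrip("\n"))
                         for line in f if line.strip())
    return owned

def unpackaged_executables(directories, owned):
    """Executable regular files under `directories` that no package claims.
    Locally compiled software in /usr/local is expected to show up here, so
    treat the output as a review list, not as proof of compromise."""
    found = []
    for d in directories:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            p = os.path.normpath(os.path.join(d, name))
            if os.path.isfile(p) and os.access(p, os.X_OK) and p not in owned:
                found.append(p)
    return found

def demo():
    """Constructed layout: a stand-in dpkg info dir whose single .list file
    claims apt-get, next to a bin dir holding apt-get and an unclaimed file."""
    root = tempfile.mkdtemp(prefix="pkgcheck-")
    info, sysbin = os.path.join(root, "info"), os.path.join(root, "sysbin")
    for d in (info, sysbin):
        os.mkdir(d)
    for name in ("apt-get", "unclaimed"):
        p = os.path.join(sysbin, name)
        with open(p, "w") as f:
            f.write("#!/bin/sh\nexit 0\n")  # harmless placeholder "binaries"
        os.chmod(p, 0o755)
    with open(os.path.join(info, "apt.list"), "w") as f:
        f.write(sysbin + "\n" + os.path.join(sysbin, "apt-get") + "\n")
    return unpackaged_executables([sysbin], packaged_files(info))  # [unclaimed]
```

On a real system call unpackaged_executables(["/usr/bin", "/usr/sbin", "/usr/local/bin"], packaged_files()); a cron job that diffs successive runs gives the periodic check the post describes.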
#7
Chocolate-Covered Ubuntu Beans
Join Date: Nov 2005
Location: Canada
Re: Hypothetical virus for Ubuntu
I see, I misunderstood the sentence.
Here is that thread, stickied in the Security & Servers section: http://ubuntuforums.org/showthread.php?t=143334 I don't quite understand how this virus would work though, can you explain in greater detail?
#8
May the Ubuntu Be With You!
Re: Hypothetical virus for Ubuntu
Well, the virus can work in two ways once it's set up:
1. have its own version of, say, gnome-terminal which grabs the password when it is typed.
2. have its own versions of commands commonly run with sudo (things as simple as apt-get) and add to them viral code that will be executed as root as soon as the user tries to run these programs.
__________________
But I mean no harm nor put fault On anyone that lives in a vault But it's alright, Ma, if I can't please him.
#9
Dark Roasted Ubuntu
Join Date: Aug 2005
Location: Boston (British Expat)
Ubuntu 8.04 Hardy Heron
Re: Hypothetical virus for Ubuntu
Nah, I'd just alias sudo in .bashrc; then you just capture the password from the command line.
But then that's going to be limited to advanced users anyway.
__________________
42 is not an answer, it's an error code. the universe is saying 'Error 42: meaning to universe not found' Unemployed Programmer and Massachusetts LoCo Leader
#10
Dipped in Ubuntu
Join Date: May 2006
Location: Madras, India.
Ubuntu 8.04 Hardy Heron
Re: Hypothetical virus for Ubuntu
Quote:
1. When the user opens the terminal, he'll be running /usr/bin/gnome-terminal, and the virus won't have permissions to modify that until it has the sudo password.
2. As above.
I can think of a third way though. It modifies the script that runs at startup (which is in the home directory?) to run another part of itself which logs all keys entered (a normal keylogger), then poof? Fortunately, the way package management is in Ubuntu (and I guess other Debian-based OSes), you have trusted repositories. So you use the trusted repositories
__________________
May the FOSS be with you!