[all variants] Tibetan Hacking Attacks - Targeted Malware on Ubuntu



thewanderer
April 28th, 2008, 11:30 PM
Hello,

For those who are unaware, over the past two months there have been a significant number of targeted hacker attacks against pro-Tibetan human rights organisations and individuals. These attacks are covered in the paper that can be found here - http://www.ironcove.net/archives/82

The paper recommends the use of Ubuntu on the Desktop for these organisations as none of the recent malware attacks would have had any effect on an Ubuntu Desktop.

My question to the forum is what arguments can be made against the often stated argument that there is no malware for Linux / Ubuntu because the user base is low? If Desktop Linux became popular then malware would be developed and the situation would be the same?

I have some ideas, but would like to put this out and get some ideas from the Ubuntu community.


Thanks
Peter

scorp123
April 29th, 2008, 12:47 AM
My question to the forum is what arguments can be made against the often stated argument that there is no malware for Linux / Ubuntu because the user base is low? If Desktop Linux became popular then malware would be developed and the situation would be the same?

For starters, Linux is not Windows. And the user base has nothing to do with this. I have been hearing this nonsense about "one day there will be Linux viruses!" since I started using Linux back in 1996 .... and guess what? I haven't seen any until now. It's just FUD.

The designs, concepts and ideas behind Linux are borrowed from UNIX and are thus radically different from Windows: UNIX (and therefore Linux too) was designed from the start as being a multi-tasking and multi-user system with strict privilege separations and security mechanisms in place to keep users and processes apart. Windows started as a clumsy, messy and badly written rip-off of some early GUI research XEROX did in their research center in Palo Alto (see here (http://en.wikipedia.org/wiki/Graphical_user_interface#PARC_User_Interface) and here (http://en.wikipedia.org/wiki/Xerox_Star#Legacy)) and to add to the mess: it was running on top of an 8-bit operating system: MS-DOS ... and MS-DOS had no idea whatsoever about being multi-user and truly multi-tasking capable, let alone any idea of the finer mechanisms such as privilege separation, process security, task queueing, priority management, and so on and so on.

We have Windows Vista now. But deep down, even if now all the code is 32-bit, many aspects of Windows are still written with being single-task + single-user in mind (just like MS-DOS ~27 years ago), e.g. certain processes still needing full control over the hardware, giving the user full control over everything (way too much control!)

It's those aspects that Windows malware is exploiting, up to this day.

UNIX (and therefore Linux) on the other hand was designed with being network oriented, multiple users running multiple processes around the clock ... The mechanisms involved here and the underlying design are radically different from Windows and malware as you see it on Windows does not have any of the typical attack vectors that are present on Windows.

This is not to say that UNIX-type OS are "perfectly safe". That would be rubbish. They have their own fair share of security problems of course, e.g. unnecessarily open network services or network ports that a human hacker could exploit for their own dark agenda ... But malware and viruses? Nope. And not anytime soon.

"To mess up a Linux box, you need to work at it; to mess up your Windows box, you just need to work on it"
http://www.theregister.co.uk/2003/10/06/linux_vs_windows_viruses/

damis648
April 29th, 2008, 12:50 AM
Whoa, I couldn't have said it better myself :D

lemming465
April 29th, 2008, 01:14 AM
In general the security of any given platform depends on how carefully it is administered, not which platform you choose. That said, I generally find security features in Linux to be about 3 years ahead of Microsoft.

A typical Ubuntu box doesn't offer any outside services. If it does, they usually are designed with separate processes to sandbox privileged operations, reduced privileges for the real work, address randomization, non-executable stack protections, etc. Maybe SELinux too if you are paranoid and running Fedora.
Compared to Windows, where any process can send any other process messages, lots of stuff runs with administrative privileges, and the attack surface is larger, the real underlying risks on Windows are larger than on Linux or Mac OS X.

However, at this point the real problems are mostly social engineering on the one hand, and rogue javascript served from malicious ads or compromised servers on the other. Ubuntu won't protect you from social engineering. Firefox with noscript helps protect you from rogue scripts on any platform; on Windows "DropMyRights" can reduce the escalation risks if something leaks through.

fcorourke
April 29th, 2008, 01:54 AM
Hi, I might be a little dense. I know I know very little about Linux. But I thought that Mac & Windows were based on Linux or Unix originally. I started with an Apple -- original. And that and some of the other systems out there were like command line Linux. Many of these commands I miss, & do not know nearly enough yet about Linux to be comfortable with the command line to any degree. Maybe it will come in time. But I mean if you run Flash -- in Windows it can take the whole shooting match at the wrong site [Flash files are not safe] -- you belong to them totally from one Flash file. Are you saying it is impossible? I have trouble believing anything is totally impossible, as Linux & Mac [which is a Linux shell] get more Windows-like or at least seem to be trying -- why can nothing be written to wipe or, as they would want, take your machine. Most hackers [so I have been told] operate from Linux -- so they would know it better -- possibly know it well enough to know that they could not do it & not care :-) .............., because part of being a hacker is your humility about systems and the safeguards in them.

Fred

devsen
April 29th, 2008, 12:33 PM
Hi, I might be a little dense. I know I know very little about Linux. But I thought that Mac & Windows were based on Linux or Unix originally. I started with an Apple -- original. And that and some of the other systems out there were like command line Linux. Many of these commands I miss, & do not know nearly enough yet about Linux to be comfortable with the command line to any degree. Maybe it will come in time. But I mean if you run Flash -- in Windows it can take the whole shooting match at the wrong site [Flash files are not safe] -- you belong to them totally from one Flash file. Are you saying it is impossible? I have trouble believing anything is totally impossible, as Linux & Mac [which is a Linux shell] get more Windows-like or at least seem to be trying -- why can nothing be written to wipe or, as they would want, take your machine. Most hackers [so I have been told] operate from Linux -- so they would know it better -- possibly know it well enough to know that they could not do it & not care :-) .............., because part of being a hacker is your humility about systems and the safeguards in them.

Fred

Nope, Windows is a totally different design philosophy. Windows does not separate out actions according to privileges. Typically a user on a Windows desktop can do almost anything and thus any process running on behalf of the user can also cause havoc. Windows ships with many open ports and default processes that are in effect running as servers, listening on these ports, and will respond if that port is probed. Try the port scan test from www.grc.com on a Windows machine with no firewall and on a Linux machine with no firewall. For best security a computer should not respond to probes that are from outside its security zone. When you download a file in Windows, if it can be executed then it can be executed without any further intervention. In Linux by default all downloaded files have to be explicitly made executable, and then only with the privileges allowed to the user. And so on and on. Thus in your example the "flash" program will only manage to affect the user who is browsing on the PC and not the entire system. Having said that, it is always important to be vigilant and refrain from visiting suspect sites.

Best Wishes - Dev, Suffolk, England

hyper_ch
April 29th, 2008, 01:13 PM
If you can own one process in Windows, you normally can own the whole machine and you have your zombie...

If you can own one process in Linux, you normally own just this one process...

Now what is appealing more to you (from a hacker's point of view)?

ivze
April 29th, 2008, 01:30 PM
Apart from all the security features in Linux (which are definitely true), Linux has some faults. One of them is an awkward rights management system with only user/group/other file attributes. In Windows XP more fine-grained permission schemes can be implemented.
The problem is solved by SELinux and ACLs, but those are not installed by default (in Ubuntu).

hyper_ch
April 29th, 2008, 01:48 PM
Just because they are not installed by default it doesn't mean they cannot be installed... for most needs the current proven RWX Owner/Group/World rights are sufficient.

cdenley
April 29th, 2008, 01:48 PM
But I thought that Mac & windows based on Linux or Unix originally. I started with an Apple -- original. And that and some of the other systems out there were like command line Linux.

Windows isn't and never has been derived from Unix or Linux. They may both have command shells, but that doesn't mean the kernels have anything in common. Mac OSX uses an open-source kernel called Darwin BSD. Darwin BSD and Linux are both Unix derivatives. Mac versions before OSX were not. I'm not sure how secure the Darwin BSD kernel is, but I think most security vulnerabilities in Mac OSX come from their non-free software.

scorp123
April 29th, 2008, 05:22 PM
One of them is an awkward right managing system with only user/group/other file attributes.

That's so not true. You can use finer and far more complex access control lists. It's been in the kernel since the mid-90s. And yes, I know places where they use those extended attributes. It's just that you and me as home users most likely don't need it and can live perfectly with the simpler traditional "user/group/other" permissions in 99% of all cases. If you still need it and if you know what you do it's no big deal to implement this on your system. You just need to modify one mount option inside /etc/fstab and you need to have the tools (e.g. "getfacl", and "setfacl" and many others) to deal with those extra permissions, and that's it.
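An added example, written for this thread and not code from any poster: a dry-run audit of the /etc/fstab mount option scorp123 refers to, with an idempotent fix and an optional live demonstration of setfacl/getfacl on a temporary file. The fstab text, its UUIDs and the /home mount point are constructed assumptions; the real file still has to be edited and remounted as root.

```shell
#!/bin/sh
# Added example, not from the thread: dry-run audit of the "acl" mount
# option scorp123 mentions, plus the getfacl/setfacl tools in use.
# The fstab text comes in on stdin so nothing here needs root; editing
# the real /etc/fstab and remounting does.

# fstab_has_acl MOUNTPOINT < fstab -> "yes", "no" or "missing"
fstab_has_acl() {
    awk -v mp="$1" '
        NF >= 4 && $1 !~ /^#/ && $2 == mp {
            seen = 1
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "acl") found = 1
        }
        END { if (!seen) print "missing"; else print (found ? "yes" : "no") }'
}

# fstab_add_acl MOUNTPOINT < fstab -> same fstab with "acl" appended to
# the option field of that mount point (idempotent: never added twice)
fstab_add_acl() {
    awk -v mp="$1" '
        NF >= 4 && $1 !~ /^#/ && $2 == mp {
            found = 0
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "acl") found = 1
            if (!found) $4 = $4 ",acl"
        }
        { print }'
}

# count_acl_options MOUNTPOINT < fstab -> number of "acl" entries in the
# option field (shows that repeated runs do not stack the option)
count_acl_options() {
    awk -v mp="$1" '
        NF >= 4 && $1 !~ /^#/ && $2 == mp {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "acl") c++
        }
        END { print c + 0 }'
}

# Constructed sample fstab (placeholder UUIDs, not a real system)
SAMPLE_FSTAB='# /etc/fstab: constructed sample
proc            /proc   proc    defaults                    0 0
UUID=0000-AAAA  /       ext3    relatime,errors=remount-ro  0 1
UUID=0000-BBBB  /home   ext3    relatime                    0 2'

# Live demonstration of the tools; only runs when ACL_DEMO=1 because it
# needs setfacl/getfacl installed and a filesystem mounted with acl.
acl_demo() {
    command -v setfacl >/dev/null 2>&1 || { echo "setfacl not installed"; return 0; }
    dir=$(mktemp -d) || return 0
    : > "$dir/secret.txt"
    chmod 600 "$dir/secret.txt"            # owner only via classic bits
    # grant one extra user read access without widening group/other
    if setfacl -m u:nobody:r "$dir/secret.txt" 2>/dev/null; then
        getfacl "$dir/secret.txt"          # lists user:nobody:r-- and the mask
    else
        echo "no ACL support on $dir (remount with the acl option)"
    fi
    rm -rf "$dir"
}

printf 'acl on /home: %s\n' "$(printf '%s\n' "$SAMPLE_FSTAB" | fstab_has_acl /home)"
if [ "${ACL_DEMO:-0}" = 1 ]; then acl_demo; fi
```

Run it as `ACL_DEMO=1 sh acl-audit.sh` to also exercise setfacl/getfacl; without that variable it only audits the constructed sample.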

thewanderer
April 29th, 2008, 05:32 PM
Excellent input guys.

One of the keys regarding this discussion is that intended users are likely not highly technical and have minimal tech support resources - but do take security seriously. I am working on a guide that will make it easy to get an initial secure desktop configuration and then by following a few simple rules the user can have a relatively secure system that requires minimal ongoing maintenance.

The guide will be aimed at those who want a decent level of security, but not the ultra paranoid. As we all know absolute security is very difficult to achieve especially when your adversary has significant resources. The ultra paranoid would need access to more specialist security knowledge - encryption of all data both stored and in transit, anonymous networks like tor and locked down local systems / networks.

The points regarding malware infection are excellent and are a strong part of the argument for using Ubuntu on the desktop for these types of organisations and users (even though exploitation of the user environment is possible, installation of system-wide rootkits via an exploited application or plugin is much more difficult when compared to Windows).

Recent trends have shown that many targeted malware exploitation vectors (on Windows) are third party plugins and applications within the Windows environment: Quicktime, Real Player, Flash, Adobe etc. On a Windows desktop this means ensuring all those little apps are kept up to date, while on Ubuntu, as long as you stick to the official repositories, apt-get upgrade is all it takes.

Does anyone know of "in the wild" examples where a web based script was able to exploit a Linux users environment sufficiently to grab files or implement a key logger for that user?

jakupl
May 2nd, 2008, 01:05 AM
Does anyone know of "in the wild" examples where a web based script was able to exploit a Linux users environment sufficiently to grab files or implement a key logger for that user?

Yes, they exist, but as someone said, "to catch a virus in Ubuntu, you have to work for it. To catch a virus in Windows, you just have to work on it."
This is quite funny :=) (http://www.gnu.org/fun/jokes/evilmalware.html)

To catch a virus in Ubuntu, and make it do any harm, you have to manually run it as root.

I would make a user that has no administrative rights, and I would always use this user, except when you need to install a program.
And ONLY install programs through the repositories.

This way, no virus could be installed with the needed rights to perform actual damage... Well... I suppose a keylogger would need root to work, right?? Someone correct me if I am wrong.

AAAnd read this if you haven't already. Ubuntu Security (http://ubuntuforums.org/showthread.php?t=765421) It is a great thread written by LaRoza.

MacUntu
May 2nd, 2008, 08:57 AM
I would make a user that has no administrative rights, and i would always use this user, except when you need to install a program.

It's not like you can't do this on Windows, but who really uses his home computer that way? Do you use a restricted user account? I don't, and neither do many.

The security design of an OS is worthless if the user is an idiot. People that open "britney_nude.exe" attachments of emails will be clever enough to do a "sudo sh britney_nude.sh".

jakupl
May 2nd, 2008, 01:19 PM
It's not like you can't do this on Windows, but who really uses his home computer that way? Do you use a restricted user account? I don't and so do many.

Very true, but Windows is full of vulnerabilities; doing so in Windows doesn't guarantee anything. ;)


The security design of an OS is worthless, if the user is an idiot. People that open "britney_nude.exe" attachments of emails will be clever enough to do an "sudo sh britney_nude.sh".

This would be why you need an account without sudo abilities = administrative rights.

Chayak
May 2nd, 2008, 09:13 PM
It would be foolish to assume that Linux has perfect security and that no malware will ever be able to elevate its privileges. That doesn't mean that it's easy. It'll take a lot of work and research to pull it off, but it is in the realm of possibility.

If the user won't execute it at the privilege level, then consider that it is quite possible to crack a Linux server. It's happened before and it'll happen again. The cream of the hacking crop would be to compromise a repository and inject your own code into a commonly installed package. Will it be easy... absolutely not. Is it possible? Yes, as no security system is perfect. The result... every installed Ubuntu machine that updates is then compromised.

That of course is simply a worst case scenario which is never likely to happen as the number of people capable of doing it can probably be counted on one's hands and then they're probably not the types to do it.

Then again, consider what's been in the news about the Chinese getting into DoD computers. What would happen if Tibet suddenly announced they were going with Ubuntu and China then turned its eyes on Ubuntu's servers?

I'm not intending to ruffle any feathers, just tossing out items for thought.

stmurray
May 2nd, 2008, 09:15 PM
I just read this post and I have been an Info Sec professional for quite a few years and I can't resist throwing in my two cents:
1) Most attacks these days are for profit. If people find they can exploit something in Linux (or Mac OS for that matter) that will make them some illegal money (probably by grabbing credit card numbers or passwords), then you can expect to see them. For a great report on these trends see Symantec's report http://www.symantec.com/business/theme.jsp?themeid=threatreport (Just keep a skeptical mind and remember that Symantec themselves make money by selling "security"......)
2) You don't need to be root to install malware that would be beneficial to the attacker. There are plenty of ways to kick off a process when a user logs in (with the user's rights) that would be of use to the attacker. There is no reason a bot needs to run with root privileges and, although it has been 15 years since I have programmed in X-Windows, as I recall, getting X to capture key strokes is very straightforward.
3) The best thing to do is keep yourself patched. This is because to get malware on your machine, the bad guy has to run some code on your machine:

A) This started out by taking advantage of vulnerable services running on your machine that can be exploited to run code. As several pointed out this is much less of an issue on Ubuntu as it doesn't have many open IP ports (It is incorrect to say that it has no open ports. Hardy has at least 2 open UDP ports on my installations -- avahi and dhclient3). Therefore, I run a firewall, because the benefits (more protection) outweigh the drawbacks (a little processing overhead, installation and configuration time, etc).
B) As firewalls came into use, the attackers realized that email was a much better vector to get some malicious code running on someone's machine. As was pointed out, it is much easier to get an executable running on Windows than Linux, but if a vulnerability can be found in your email client, then all bets are off.
C) The latest trend is finding vulnerable legitimate web sites, putting code on them that takes advantage of known issues in browsers (Internet Explorer, generally, but there have been some ugly issues in Firefox as well) and the browser plug-ins (Flash, Adobe, etc) that install the malware. (See http://www.us-cert.gov/current/index.html#compromised_websites_hosting_malicious_javascript ) In my opinion, running NoScript in Firefox is the best thing you can do these days to keep yourself safe.
4) Anti-virus isn't a bad idea, even on Linux. Again the benefits (extra protection) outweigh the drawbacks (a little processing overhead, a little installation and configuration time, etc)

In my mind, there is no doubt that a default install of Ubuntu is much more secure than a default installation of any Windows product, both because the default Ubuntu installation is much more secure (for the reasons pointed out in this thread), and because the threat is less (as most attackers are targeting Windows).

But having said that, the threats are out there, so I would urge everyone not to feel too smug -- keep everything up to date (Update Manager is your best friend.....) and add the additional security with a firewall (firestarter), anti-virus (clam-av), and NoScript.
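An added example, written for this thread and not code from any poster: the listening-socket check behind stmurray's point A (the avahi and dhclient3 UDP ports on Hardy) and a default-deny ufw plan (ufw ships with Ubuntu 8.04). The "netstat -tulpn" text is a constructed sample, the parser reads stdin so it also works on a saved capture, and the ufw commands are printed for review rather than executed.

```shell
#!/bin/sh
# Added example, not from the thread: parse "netstat -tulpn" output,
# flag which listening sockets are reachable from the network, and turn
# that into a default-deny ufw plan (apply the printed commands as root).
# Sample input below is constructed to resemble a Hardy desktop.

# listening_sockets < netstat-output -> lines: proto port addr program state
# state is "local-only" for loopback binds, "EXPOSED" for anything else
listening_sockets() {
    awk '$1 ~ /^(tcp|udp)6?$/ {
        port = $4; sub(/.*:/, "", port)
        addr = $4; sub(/:[0-9]+$/, "", addr)
        prog = $NF; sub(/^[0-9]+\//, "", prog)   # "2345/avahi-daemon" -> name
        state = (addr == "127.0.0.1" || addr == "::1") ? "local-only" : "EXPOSED"
        print $1, port, addr, prog, state
    }'
}

# exposed_count < netstat-output -> number of sockets reachable from the network
exposed_count() {
    listening_sockets | awk '$5 == "EXPOSED" { n++ } END { print n + 0 }'
}

# firewall_plan PORT/PROTO ... < netstat-output -> ufw commands on stdout.
# Exposed sockets not on the allow-list stay closed and are noted. DHCP
# keeps working under default deny: dhclient gets its replies through a
# raw packet socket, which netfilter's INPUT chain never sees.
firewall_plan() {
    allow=" $* "
    echo "ufw default deny incoming"
    echo "ufw default allow outgoing"
    for p in $allow; do echo "ufw allow $p"; done
    listening_sockets | while read -r proto port addr prog state; do
        [ "$state" = EXPOSED ] || continue
        case "$allow" in
            *" $port/$proto "*) ;;
            *) echo "# left closed: $proto/$port ($prog)" ;;
        esac
    done
    echo "ufw enable"
}

# closed_count PORT/PROTO ... < netstat-output -> how many exposed
# sockets the plan leaves closed
closed_count() {
    firewall_plan "$@" | awk '/^# left closed/ { n++ } END { print n + 0 }'
}

# Constructed "netstat -tulpn" output (PIDs and services are made up)
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      4321/cupsd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2222/sshd
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           2345/avahi-daemon
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1234/dhclient3'

printf '%s\n' "$SAMPLE_NETSTAT" | listening_sockets
printf '%s\n' "$SAMPLE_NETSTAT" | firewall_plan 22/tcp
```

On a live Hardy box, `sudo netstat -tulpn | sh -c '. ./port-audit.sh; listening_sockets'` style reuse works because every function reads stdin; the sample run leaves avahi (udp/5353) and dhclient3 (udp/68) closed while allowing ssh.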

jakupl
May 2nd, 2008, 09:31 PM
I just read this post and I have been an Info Sec professional for quite a few years and I can't resist throwing in my two cents:
1) Most attacks these days are for profit. If people find they can exploit something in Linux (or Mac OS for that matter) that will make them some illegal money (probably by grabbing credit card numbers or passwords), then you can expect to see them. For a great report on these trends see Symantec's report http://www.symantec.com/business/theme.jsp?themeid=threatreport (Just keep a skeptical mind and remember that Symantec themselves make money by selling "security"......)
2) You don't need to be root to install malware that would be beneficial to the attacker. There are plenty of ways to kick off a process when a user logs in (with the user's rights) that would be of use to the attacker. There is no reason a bot needs to run with root privileges and, although it has been 15 years since I have programmed in X-Windows, as I recall, getting X to capture key strokes is very straightforward.
3) The best thing to do is keep yourself patched. This is because to get malware on your machine, the bad guy has to run some code on your machine:

A) This started out by taking advantage of vulnerable services running on your machine that can be exploited to run code. As several pointed out this is much less of an issue on Ubuntu as it doesn't have many open IP ports (It is incorrect to say that it has no open ports. Hardy has at least 2 open UDP ports on my installations -- avahi and dhclient3). Therefore, I run a firewall, because the benefits (more protection) outweigh the drawbacks (a little processing overhead, installation and configuration time, etc).
B) As firewalls came into use, the attackers realized that email was a much better vector to get some malicious code running on someone's machine. As was pointed out, it is much easier to get an executable running on Windows than Linux, but if a vulnerability can be found in your email client, then all bets are off.
C) The latest trend is finding vulnerable legitimate web sites, putting code on them that takes advantage of known issues in browsers (Internet Explorer, generally, but there have been some ugly issues in Firefox as well) and the browser plug-ins (Flash, Adobe, etc) that install the malware. (See http://www.us-cert.gov/current/index.html#compromised_websites_hosting_malicious_javascript ) In my opinion, running NoScript in Firefox is the best thing you can do these days to keep yourself safe.
4) Anti-virus isn't a bad idea, even on Linux. Again the benefits (extra protection) outweigh the drawbacks (a little processing overhead, a little installation and configuration time, etc)

In my mind, there is no doubt that a default install of Ubuntu is much more secure than a default installation of any Windows product, both because the default Ubuntu installation is much more secure (for the reasons pointed out in this thread), and because the threat is less (as most attackers are targeting Windows).


=D>

SyL
June 4th, 2008, 12:18 PM
This kind of attack targeting pro-Tibetan organizations is a reality. Our association was actually attacked around a month ago (luckily, at the time the website was partially closed because it was in beta).

In 5 hours up to 12000 HTTP hits were sent from an IP address in Italy. This was a kind of robot executing the same script over and over (browsing the web site and adding items into the cart). I guess that was a kind of small DoS attack.
I don't really get the point of such an attack against our website, which is quite small for the moment.

Since then there have been no more such attacks, but I can still notice from time to time strange exceptions in the logs caused by malformed requests.


Now our website is open and I'm thinking of putting in place a CAPTCHA system.