Why an Ubuntu desktop is just as insecure as a Windows desktop

[undecim]

Since my previous thread was jailed quite some time ago, and I have yet to know its status, I'm starting this one, and leaving out the part that caused the last one to get jailed.

I'll start this post with a simple assertion that I will argue: In its current state, if Ubuntu (or Linux in general) were as popular as Windows and had a similar user base, more Ubuntu machines would have malware than Windows machines.

Allow me to explain.

Some time ago, while my internet connection was spotty and I had nothing better to do, I spent about 3 hours (2 of which was actually testing) writing, as a proof of concept, a small bash script. I won't reproduce it here, because that's what got my last thread jailed. I hosted the script on a website and crafted a few small seemingly innocent commands that would download and run the script, which would alias the sudo command. When run as sudo, the script runs itself as root, executes the command the user expects to run, creates the file "/etc/undecimwashere" (as proof of root access) and cleans up (i.e. fix the sudo alias and deleted itself)

That was just one man and a few hours of time. And most of that was just making sure it was impossible for the script to leave the sudo command broken.

The point I want to make with such a script is that desktop Linux distributions are NOT secure from malware. Right now malware isn't a problem only because:

1) most Linux users are smart enough to figure out what a command does before running it

2) Desktop Linux isn't very popular on the desktop yet.

However, we want reason #2 to change. And when that begins to change, so will reason #1. Hence, if we're lucky, Linux desktop security will soon become a problem.

The point that Linux separates the user from root means nothing.

First of all, most malware will not require root privileges on a Linux system. There is no need to gain privileges to open a port (above 1024), to use slowloris, or to attack an SSH server.

Second, even if a piece of malware did require root privileges (e.g. to be a more efficient node in a botnet), it is easy to acquire it when you are a user that has the ability to run commands as root, especially if the actual user has already been ignorant enough to download a trojan.

Moreover, since software on nearly every Linux distribution is open source, it is currently trivial to perfectly mimic something such as the upgrade dialogue. Personally (and I guarantee this will apply to most users, especially as Ubuntu gains popularity), I don't know any person who would think twice about entering their password to upgrade their Ubuntu system when prompted. Even if you use the CLI to upgrade, It would only take about 5 minutes to add an alias for apt-get to a trojan, or to prepend the PATH variable with with a directory full of malicious binaries.

Many of you at this point will note that most of this requires some degree of social engineering, and dismiss the problems as unsolvable because the human element will always be a security hole. However, it is because of this fact that individuals and groups who write malware for profit rely on social engineering. It's not a fool-proof method to attack a single target, but it does yield a high number of infections by targeting the most ignorant of an operating system's user base.

If Ubuntu will equal Windows in market share, it is necessary to protect these users from their own actions in order to both reduce the number of machines that will become infected in the future, and consequently make Linux malware creation less lucrative.

Windows (and available third-party applications) already implements many countermeasures to trojans, such as informing the user (e.g., the warning box that appears when you download a .exe file), blocking the most prevalent trojans with on-download virus scans, and forcing any useful malware to acquire system privileges (which is currently trivial on most Windows OSs and easy to do on any OS where the user is ignorant enough to have run a trojan in the first place)

Ubuntu does none of those things. As a Linux system, it has the potential to be secure, but as a Desktop distribution, it's ignoring the most prevalent security hole: user error.

How soon before this becomes a problem?

[hhh]

When run as sudo...

Well, your argument falls apart right there. The user has to enter a password to run your script. There are tons of Windows malware that install just because you navigated to a webpage.

[malspa]

How soon before this becomes a problem?

It isn't a problem right now, so I'm not worried.

[Munk3y]

The process you used in testing your proof of concept is flawed. You've bypassed at least two steps.

Example:

Step #1: Get malware onto computer
Step #2: Get system/user to run malware
Step #3: Trick user into compromising system

You started at step #3.

As far as your later point... Ubuntu has countermeasures against attacks, like UFW/AppArmor, etc, but I've always been of the opinion that every Operating System should include all protections (Including AntiVirus/AntiMalware software) by default.

[Enigmapond]

Well, your argument falls apart right there. The user has to enter a password to run your script. There are tons of Windows malware that install just because you navigated to a webpage.

I agree. Everything else following this is moot. You're argument is based on mis-information and not understanding exactly the difference between User and Root. Fail.

[3Miro]

A piece of software requires your password, if you then give the password then there is nothing the system can do. The only way to prevent you from doing damage with a sudo password is to restrict you on what you can and cannot do.

This is not "system malware" it is "social malware". There will always be people unsavvy enough to fall for the "social malware" and if Ubuntu were more popular then there would be more such crap floating around. The only defense to "social malware" is education and computer literacy.

The difference between Linux and Windows comes on the resistance to "system malware". That is if you do nothing wrong and still get infected. Without AV program, on Windows, you can get malware even without typing a password, just opening a .pdf for example, or just visiting a web-page. It is true that both systems have flaws, but the Unix architecture is build bottom up with top level of security in mind. It is generally much harder to crack as things are far more restrictive.

The BIGGEST difference between Linux and Windows is how security flaws are addressed. In an open community, as soon as a problem is found, it is fixed by a patch. Keep your Linux updated and you are safe. On the other hand, when it comes to fixing security issues, MS is useless. That is why people have to rely on third party AV software to patch the issues with Windows (issues that MS just wouldn't address).

[3Miro]

As far as your later point... Ubuntu has countermeasures against attacks, like UFW/AppArmor, etc, but I've always been of the opinion that every Operating System should include all protections (Including AntiVirus/AntiMalware software) by default.

Linux does not and will not ever need AV software. There is no AV software to catch "Ubuntu viruses" and there will never be such software. Only windows and windows viruses need AV software. See earlier post.

You already mentioned AppArmor in included as "Anti-Malware".

Here is something to read:

https://help.ubuntu.com/community/Antivirus

[Rinzwind]

When run as sudo, the script runs itself as root

Here you shall fail...

Thing is... you need to convince me and any other person to start your script with sudo. You may find 1, 2 of 3 people willing to do that. BUT you -will- run into a person that will scan you script, see what is wrong and post about it on these forums here education those people that did execute the script.

In the end you hacked into a couple of systems en need to start again with another script and another attempt to convince people to start you script.

We all learn using Linux by making mistakes (like running you script). If in the end people are educated about what your script does I say you are doing a GOOD job with that script.


With windows you do not even need to convince people. All you need is for them to visit your website and they are toast. Plus there is no-one telling them what they did wrong and how to avoid it next time. Since the only answer you get is: ah just re-install your windows system. Windows users are kept dumb because MS wants you to spent money. You having a perfect OS comes 2nd.


Malware is effective when it can be executed on large amounts of systems without interaction by the targets. This will never happen in a Linux system.
Even with the less secure 'root' method Fedora/SUSE uses.

[NightwishFan]

Create a non-admin user for day to day work. That works like a charm. You can always trick a user to break their system, however if a user knows to only trust the repository they will not install any random software.

Edit: + some clever Apparmor wizardry could make this even less of a problem.

[Rinzwind]

The process you used in testing your proof of concept is flawed. You've bypassed at least two steps.

Example:

Step #1: Get malware onto computer
Step #2: Get system/user to run malware
Step #3: Trick user into compromising system

You started at step #3.

Good explanation!

As far as your later point... Ubuntu has countermeasures against attacks, like UFW/AppArmor, etc, but I've always been of the opinion that every Operating System should include all protections (Including AntiVirus/AntiMalware software) by default.

But here you are wrong.
We need 2 things!
1. a router so you can keep people outside your system;
2. common sense.

There is only 1 need for AV software in Linux: if you need to scan incomming/outgoing data that is passed onto Windows(!) systems.