l i n u x - u s e r s - g r o u p - o f - d a v i s
Next Meeting:
July 7: Social gathering
Next Installfest:
Latest News:
Jun. 14: June LUGOD meeting cancelled
Page last updated:
2004 Dec 30 11:13

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Report this post as spam:

(Enter your email address)
Re: [vox-tech] Installing Java
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [vox-tech] Installing Java

Quoting Jay Strauss (me@heyjay.com):

> >If you're stuck, read my EBLUG-talk slides on
> >http://linuxmafia.com/presentations/ , and note the lessons drawn from
> >the tcp-wrappers-7.6.tar.gz trojaning in 1999, for one reason.   ;->
> I'm gonna read it tonight
> Thanks

You're welcome, but I feel a bit bad that, being just slides, a lot of
that's going to seem cryptic.  (Actually, this being the first set of
presentation slides I've ever created in my life, I screwed them up by
making them too verbose by about a factor of three, but they'll still be 
cryptic, anyway.  :(  )

Essentially, having finished back in November cataloguing and
analysing[1] all of the highly diverse stuff claimed, here and there, to
be Linux malware, I sat down and gave the subject a good mulling over:
Most of the "attack threats" were pretty laughable, or were not attacks 
per se but rather post-attack tools used by bad guys who broke into your
system by other means entirely.  However, I stopped and thought:  That
bit aside, if I were one of the bad guys, how and where would I deploy
Linux malware (especially trojans) to actually affect systems?  Moreover, 
has it ever been thus deployed with even partial success, and where?

Moreover^2, to the extent that such deployments have never taken off,
what mechanisms, social or technical, have prevented that?

One of the things I examined was the site compromise and trojaning of
several ftp/Web sites over the years.  Those sites were ones offering
public download of source tarballs, of both security-sensitive packages
(e.g., tcp-wrappers, util-linux, the Linux kernel as offered on the
BK-CVS gateway host, network tools on monkey.org) and less so (e.g., the
irssi IRC client).  I noticed that all of these were compromises of
source code at the "upstream" maintainer sites, i.e., that distros'
packages were _not_ compromised.  That turned out to be significant --
and no accident.

Weise Venema's TCP Wrappers package got trojaned in 1999 on what was
then its main source hosting site, a well-known public ftp server at
Eindhoven University in the Netherlands (ftp.win.tue.nl).  Someone
covertly root-compromised the host, and then posted a trojaned, phoney
tcp-wrappers-7.6.tar.gz in the ftp directory.  

About fifty people downloaded that file in the first few hours after
its "release", suspected nothing, and presumably wrecked their systems
(installing a backdoor for the bad guy).  Approximately the fifty-first
was Andrew Brown of Crossbar Security, who was alert enough to say to
himself "Hey, how come _this_ release of TCP Wrappers isn't PGP-signed?"
He raised the alarm, and the fifty-odd prior downloaders were notified
by mail.

One of the things that downstream package maintainers for distros do for
you, if they're on the ball at all, is to be at least as alert and
constructively paranoid and Andrew Brown was.  They're an additional
check against _both_ quality problems and security compromise, between
you and various sorts of harm.  You should make use of that protection
(and other advantages, such as distro-specific patches) preferentially, 
and be aware of the need to perform personally the same sort of checks
(e.g., meaningfully verifying PGP signatures and md5sums) and
distro-specific adjustments, whenever you elect to go outside the
package system.

So, that's about two of my slides out of the 34 total that should now be
a little less cryptic.  ;->

[1] http://linuxmafia.com/~rick/faq/index.php?page=virus#virus5

Cheers,                                      Hardware:  The part you kick.
Rick Moen                                    Software:  The part you boot.
vox-tech mailing list

LUGOD Group on LinkedIn
Sign up for LUGOD event announcements
Your email address:
LUGOD Group on Facebook
'Like' LUGOD on Facebook:

Hosting provided by:
Sunset Systems
Sunset Systems offers preconfigured Linux systems, remote system administration and custom software development.

LUGOD: Linux Users' Group of Davis
PO Box 2082, Davis, CA 95617
Contact Us

LUGOD is a 501(c)7 non-profit organization
based in Davis, California
and serving the Sacramento area.
"Linux" is a trademark of Linus Torvalds.

Sponsored in part by:
O'Reilly and Associates
For numerous book donations.