Free Republic

Infected Files Found on Mozilla Site (Korean Linux binaries infected - oh, my!)
Viruslist.com ^ | September 20, 2005 | Viruslist.com

Posted on 09/21/2005 7:57:22 AM PDT by general_re

Infected binary or source code files aren't anything new. And sometimes they are found on public servers. Mozilla.org is the latest example. Korean distributives for Mozilla and Thunderbird for Linux turned out to be infected - mozilla-installer-bin from mozilla-1.7.6.ko-KR.linux-i686.installer.tar.gz and mozilla-xremote-client from thunderbird-1.0.2.tar.gz were infected with Virus.Linux.RST.b.

This virus searches for executable ELF files in the current and /bin directories and infects them. When infecting files, it writes itself to the middle of the file, at the end of a section of code, which pushes the other sections lower down. It also contains a backdoor, which downloads scripts from another site, and executes them, using a standard shell.

The infected files have now been removed, but it took some time. And this isn't the first time that infected binary or source code files have been placed on public servers. Yet another example of why you should have an up to date antivirus solution, and scan EVERYTHING you download, without exception.


TOPICS: Business/Economy; Crime/Corruption; Culture/Society; Miscellaneous; News/Current Events; Technical
KEYWORDS: linosandtigersohmy; linux; lionsandtigersohmy; mozilla; opensource; thunderbird; virus
Per Slapdash. I predict great fun from this, so none of that reasoned discourse nonsense from you people ;)
1 posted on 09/21/2005 7:57:23 AM PDT by general_re
[ Post Reply | Private Reply | View Replies]

To: ShadowAce

FYI.


2 posted on 09/21/2005 8:00:26 AM PDT by general_re ("Frantic orthodoxy is never rooted in faith, but in doubt." - Reinhold Niebuhr)
[ Post Reply | Private Reply | To 1 | View Replies]

To: general_re
Right after the Linux manifesivos stuck foot in mouth over Symantec's study!
3 posted on 09/21/2005 8:00:27 AM PDT by Dan Nunn
[ Post Reply | Private Reply | To 1 | View Replies]

To: general_re

A tripwire daemon would catch the changed size of the executables, right?


4 posted on 09/21/2005 8:01:30 AM PDT by proxy_user
[ Post Reply | Private Reply | To 1 | View Replies]

To: general_re

CP/M - The only way to go.


5 posted on 09/21/2005 8:03:56 AM PDT by Tennessee_Bob ("Nac Mac Feegle! The Wee Free Men! Nae king! Nae quin! Nae laird! We willna be fooled again!")
[ Post Reply | Private Reply | To 1 | View Replies]

To: general_re

This is as I predicted here on FR last year (and got thoroughly trashed as being a complete ignoramus). I love Firefox. I'm using it right now, but Mozilla used to benefit from its relative anonymity. Why go after it when you could screw up the day of millions of Windows users?

Well, boys and girls, success has now made Mozilla a target....


6 posted on 09/21/2005 8:04:27 AM PDT by freebilly (Go USF Baseball!)
[ Post Reply | Private Reply | To 1 | View Replies]

To: proxy_user
I'm not sure how it would do so. On the client end, how does your machine know the proper filesize the first time it's downloaded? On the server end, how does the server know the proper filesize the first time it's uploaded?

After that, if the file is modified, then a Tripwire-type solution should catch it, I would think. In the mean time, everyone's checking those MD5 sums, right?

7 posted on 09/21/2005 8:04:29 AM PDT by general_re ("Frantic orthodoxy is never rooted in faith, but in doubt." - Reinhold Niebuhr)
[ Post Reply | Private Reply | To 4 | View Replies]

To: Tennessee_Bob
CP/M - The only way to go.

There's probably only about ten people on FR that get that statement!.............LOL!!!!.....

8 posted on 09/21/2005 8:07:55 AM PDT by Red Badger (I was born in poverty. I didn't like it, so I left.............)
[ Post Reply | Private Reply | To 5 | View Replies]

To: Tennessee_Bob; Red Badger
I am having vaguely queasy memories of ddt... ;)
9 posted on 09/21/2005 8:10:27 AM PDT by general_re ("Frantic orthodoxy is never rooted in faith, but in doubt." - Reinhold Niebuhr)
[ Post Reply | Private Reply | To 5 | View Replies]

To: freebilly
Well, boys and girls, success has now made Mozilla a target....

You're right - eventually Mozilla will be more of a target, but in this case, technically, this is not a Mozilla exploit, it's a Linux virus which happens to have infected Mozilla install files, probably because the download server is running Linux and got infected.
10 posted on 09/21/2005 8:13:24 AM PDT by fr_freak
[ Post Reply | Private Reply | To 6 | View Replies]

To: Tennessee_Bob

Yup. Time to dust off the old Kaypro and get back to REAL computing, eh?


11 posted on 09/21/2005 8:14:08 AM PDT by MineralMan (godless atheist)
[ Post Reply | Private Reply | To 5 | View Replies]

To: Tennessee_Bob
CP/M - The only way to go.

Long Live the 8-inch Floppy!

You know, I really don't trust those double-sided, double density discs ...

12 posted on 09/21/2005 8:15:48 AM PDT by ArrogantBustard (Western Civilisation is aborting, buggering, and contracepting itself out of existence.)
[ Post Reply | Private Reply | To 5 | View Replies]

To: MineralMan

Started in CP/M on my old Commodore 128. Back in the day of the true power machine.


13 posted on 09/21/2005 8:20:47 AM PDT by Tennessee_Bob ("Nac Mac Feegle! The Wee Free Men! Nae king! Nae quin! Nae laird! We willna be fooled again!")
[ Post Reply | Private Reply | To 11 | View Replies]

To: ArrogantBustard
You know, I really don't trust those double-sided, double density discs ...

You gotta be careful with them as data could bleed through from the other side.

I never had to deal with viruses when I programmed on my breadboard.

14 posted on 09/21/2005 8:26:20 AM PDT by Sensei Ern (Christian, Comedian, Husband,Opa, Dog Owner, former Cat Co-dweller, and all around good guy.)
[ Post Reply | Private Reply | To 12 | View Replies]

To: general_re

Thanks for alerting us.


15 posted on 09/21/2005 8:30:44 AM PDT by lilylangtree
[ Post Reply | Private Reply | To 1 | View Replies]

To: Sensei Ern
"You gotta be careful with them as data could bleed through from the other side."

Especially if you used a hole-puncher to turn a single-sided disc into a double-sided one.
16 posted on 09/21/2005 8:31:08 AM PDT by Moral Hazard ("Now therefore kill every male among the little ones" - Numbers 31:17)
[ Post Reply | Private Reply | To 14 | View Replies]

To: general_re
Yet another example of why you should have an up to date antivirus solution, and scan EVERYTHING you download, without exception.

Another important step is to get the package signatures (MD5, SHA, PGP, etc.) from a different service and compare them to the signature of the downloaded package. Some folks download the source and compile it to produce just the signatures as a public service.

I don't see this mentioned anywhere on the mozilla page, btw. However it's mentioned in the developer side. Other open source binaries (e.g. Apache, OpenOffice, etc) usually are distributed with signatures.

17 posted on 09/21/2005 8:34:07 AM PDT by no-s
[ Post Reply | Private Reply | To 1 | View Replies]

To: fr_freak; freebilly
probably because the download server is running Linux and got infected.

yah, good point. Furthermore:

http://mozilla.or.kr/
This is not an official site of the Mozilla Foundation and is maintained by volunteers of the Mozilla Korean Community.

18 posted on 09/21/2005 8:39:29 AM PDT by no-s
[ Post Reply | Private Reply | To 10 | View Replies]

To: general_re

Sometimes, it's important to dig a little deeper. In this case, it was not mozilla.org that had the infected binaries, but rather a Mozilla fan site in Korea. This should not need repeating, but it's probably not safe to download programs from arbitrary servers on the Internet.

You can continue to safely download files from mozilla.org


19 posted on 09/21/2005 8:41:55 AM PDT by duckhead
[ Post Reply | Private Reply | To 1 | View Replies]

To: duckhead

Yes, the writeup was not clear on that point.


20 posted on 09/21/2005 8:50:18 AM PDT by general_re ("Frantic orthodoxy is never rooted in faith, but in doubt." - Reinhold Niebuhr)
[ Post Reply | Private Reply | To 19 | View Replies]

To: general_re
"This virus searches for executable ELF files in the current and /bin directories and infects them. When infecting files, it writes itself to the middle of the file, at the end of a section of code, which pushes the other sections lower down. It also contains a backdoor, which downloads scripts from another site, and executes them, using a standard shell."

Maybe on Linspire - a Linux for newbies that logs users on as root (like WinderzXP). Not on my Debian box.

21 posted on 09/21/2005 8:50:25 AM PDT by PokeyJoe (There are 10 kinds of people in the world. Those who understand binary, and those that don't.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: general_re

The tripwire daemon should be monitoring the size of the executables in /bin, not the downloaded file. Those are the normal targets, all the regular Unix commands that are run frequently.


22 posted on 09/21/2005 8:59:06 AM PDT by proxy_user
[ Post Reply | Private Reply | To 7 | View Replies]

To: PokeyJoe

Assuming you're not running as a privileged user, sure. Of course, it'll still try to touch every file it can - run one as root later on, and you're hosed ;)


23 posted on 09/21/2005 9:01:34 AM PDT by general_re ("Frantic orthodoxy is never rooted in faith, but in doubt." - Reinhold Niebuhr)
[ Post Reply | Private Reply | To 21 | View Replies]

To: proxy_user

Ah, sorry - I thought you were asking about the moz/TB binaries. In that case, Tripwire would presumably sound the alarm if files started changing.


24 posted on 09/21/2005 9:04:19 AM PDT by general_re ("Frantic orthodoxy is never rooted in faith, but in doubt." - Reinhold Niebuhr)
[ Post Reply | Private Reply | To 22 | View Replies]
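The two checks the thread keeps returning to, worked out as an added example (not code from the thread, from Tripwire, or from Mozilla): a Tripwire-style baseline of the ELF executables in a directory that flags any file whose size or contents changed (posts 4, 7, 22 and 24), and comparing a downloaded package against a digest obtained from a separate source (post 17). The directory, the fake ELF files and the "published" digests in demo() are constructed for the example; in real use the digest would come from the separate service.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

ELF_MAGIC = b"\x7fELF"  # first four bytes of every ELF file

def sha256_of(path) -> str:
    h = hashlib.sha256()  # streamed so large packages need not fit in memory
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def baseline(directory) -> dict:
    """Record (size, sha256) of every regular ELF file directly under directory."""
    base = {}
    for p in sorted(Path(directory).iterdir()):
        if p.is_file() and not p.is_symlink():
            with open(p, "rb") as f:
                if f.read(4) == ELF_MAGIC:
                    base[p.name] = (p.stat().st_size, sha256_of(p))
    return base

def verify(directory, base: dict) -> dict:
    """Re-scan and report files that changed (size or content), vanished or appeared."""
    current = baseline(directory)
    return {
        "changed": [n for n, v in base.items() if n in current and current[n] != v],
        "missing": [n for n in base if n not in current],
        "added": [n for n in current if n not in base],
    }

def verify_download(path, published_sha256: str) -> bool:
    """Compare a downloaded package with a digest obtained from a separate source."""
    return hmac.compare_digest(sha256_of(path), published_sha256.strip().lower())

def demo() -> dict:
    """Constructed scenario: fake ELF files, one of which later grows as an infected one would."""
    d = Path(tempfile.mkdtemp())
    (d / "ls").write_bytes(ELF_MAGIC + b"\x00" * 60)   # constructed stand-in, not a real binary
    (d / "cat").write_bytes(ELF_MAGIC + b"\x01" * 40)  # constructed stand-in, not a real binary
    (d / "README").write_bytes(b"not an executable")    # no ELF magic: ignored by baseline()
    base = baseline(d)
    with open(d / "ls", "ab") as f:
        f.write(b"\x90" * 16)  # simulate code appended to the executable
    report = verify(d, base)
    report["download_ok"] = verify_download(d / "cat", base["cat"][1])   # digest matches
    report["download_tampered"] = verify_download(d / "ls", base["ls"][1])  # grew: mismatch
    return report
```

As post 7 notes, a baseline only helps from the moment it is taken; a file that was already infected when first recorded will verify clean, which is why the out-of-band digest check is the complementary step.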

To: PokeyJoe

Surely it's not that simple.

You would normally su to root to install the software. While unzipping and untarring the executables wouldn't do anything, they probably contain executables that will be owned by root and can therefore run as root if the suid bit is turned on.

So even if you're browsing the web as Joe Blow, you might not be safe.

Of course, most savvy Unix SAs install things like web servers under an account like 'nobody' that is deliberately designed to have no privileges at all. But many would unthinkingly su to root to install client software on workstation machines.


25 posted on 09/21/2005 9:08:22 AM PDT by proxy_user
[ Post Reply | Private Reply | To 21 | View Replies]

To: general_re
Not the first time the host servers from an open source vendor have been rooted. Remember these?

GNU Project's FTP Servers Hacked

Gentoo Linux Server Hacked

Debian Servers Hacked

Things like this happen when you let just anyone view your source code.

26 posted on 09/21/2005 9:52:07 AM PDT by Golden Eagle
[ Post Reply | Private Reply | To 1 | View Replies]

To: general_re

Seems to be a recurring problem for these Mozilla guys.

http://www.mozillazine.org/talkback.html?article=6771

Nice blimp.


27 posted on 09/21/2005 9:56:45 AM PDT by Golden Eagle
[ Post Reply | Private Reply | To 1 | View Replies]

To: proxy_user; PokeyJoe
Correct me if I'm wrong, but doesn't apt normally run as root?
28 posted on 09/21/2005 10:22:36 AM PDT by general_re ("Frantic orthodoxy is never rooted in faith, but in doubt." - Reinhold Niebuhr)
[ Post Reply | Private Reply | To 25 | View Replies]

To: Red Badger

ten or 10 in binary, which is a few less? :)


29 posted on 09/21/2005 10:30:36 AM PDT by adam_az (It's the border, stupid!)
[ Post Reply | Private Reply | To 8 | View Replies]

To: MineralMan
"Yup. Time to dust off the old Kaypro and get back to REAL computing, eh?"

Shoot, I always favored my Radio Shack 2k TRS-80.

30 posted on 09/21/2005 10:35:49 AM PDT by Mugwump
[ Post Reply | Private Reply | To 11 | View Replies]

To: adam_az

i...........


31 posted on 09/21/2005 10:36:27 AM PDT by Red Badger (I was born in poverty. I didn't like it, so I left.............)
[ Post Reply | Private Reply | To 29 | View Replies]

To: Tennessee_Bob
CP/M lol that brings me back.
32 posted on 09/21/2005 10:39:01 AM PDT by ChadGore (VISUALIZE 62,041,268 Bush fans.)
[ Post Reply | Private Reply | To 5 | View Replies]

To: Red Badger

There's 10 kinds of people who understand binary... Those who do, and those who don't. :)


33 posted on 09/21/2005 10:42:35 AM PDT by adam_az (It's the border, stupid!)
[ Post Reply | Private Reply | To 31 | View Replies]

To: adam_az

i=sqrt(-1).............


34 posted on 09/21/2005 10:46:28 AM PDT by Red Badger (I was born in poverty. I didn't like it, so I left.............)
[ Post Reply | Private Reply | To 33 | View Replies]

To: ChadGore
CP/M lol that brings me back.

Just think. If IBM had chosen CP/M instead of MSDOS, Bill Gates would be just another computer geek..............

35 posted on 09/21/2005 10:48:18 AM PDT by Red Badger (I was born in poverty. I didn't like it, so I left.............)
[ Post Reply | Private Reply | To 32 | View Replies]

To: Red Badger

i=sqrt(-1)............. Very imaginative! :)


36 posted on 09/21/2005 11:02:02 AM PDT by adam_az (It's the border, stupid!)
[ Post Reply | Private Reply | To 34 | View Replies]

To: adam_az
An Atom was sitting in a bar.

He says to the Bartender, "I just lost an electron!"

Bartender says,"Are you sure?"

Atom replies,"I'm positive!".......

37 posted on 09/21/2005 11:08:05 AM PDT by Red Badger (I was born in poverty. I didn't like it, so I left.............)
[ Post Reply | Private Reply | To 36 | View Replies]

To: Tennessee_Bob

Trash-80. OS in ROM. No viruses.


38 posted on 09/21/2005 11:10:44 AM PDT by js1138 (Great is the power of steady misrepresentation.)
[ Post Reply | Private Reply | To 5 | View Replies]

To: general_re

Since I'm a Suse user, not Debian, I had to check what 'apt' is, but probably yes. Certainly Yast only runs as root.

That's why these automatic installers are so dangerous. They run as root so they can update the startup/shutdown scripts, but this makes them vulnerable to attacks like this.


39 posted on 09/21/2005 1:33:50 PM PDT by proxy_user
[ Post Reply | Private Reply | To 28 | View Replies]

To: general_re

apt runs as sudo (when you install) but programs can't invoke root on their own.


40 posted on 09/21/2005 2:51:36 PM PDT by PokeyJoe (There are 10 kinds of people in the world. Those who understand binary, and those that don't.)
[ Post Reply | Private Reply | To 28 | View Replies]
