Skip to comments.Infected Files Found on Mozilla Site (Korean Linux binaries infected - oh, my!)
Posted on 09/21/2005 7:57:22 AM PDT by general_re
Infected binary or source code files aren't anything new. And sometimes they are found on public servers. Mozilla.org is the latest example. Korean distributives for mozilla and thunderbird for linux turned out to be infected - mozilla-installer-bin from mozilla-1.7.6.ko-KR.linux-i686.installer.tar.gz and mozilla-xremote-client from thunderbird-1.0.2.tar.gz were infected with Virus.Linux.RST.b
This virus searches for executable ELF files in the current and /bin directories and infects them. When infecting files, it writes itself to the middle of the file, at the end of a section of code, which pushes the other sections lower down. It also contains a backdoor, which downloads scripts from another site, and executes them, using a standard shell.
The infected files have now been removed, but it took some time. And this isn't the first time that infected binary or source code files have been placed on public servers. Yet another example of why you should have an up to date antivirus solution, and scan EVERYTHING you download, without exception.
A tripwire daemon would catch the changed size of the executables, right?
CP/M - The only way to go.
This is as I predicted here on FR last year (and got thoroughly trashed as being a complete ignoramus). I love Firefox. I'm using it right now, but Mozilla used to benefit from its relative anonymity. Why go after it when you could screw up the day of millions of Windows' users.
Well, boys and girls, success has now made Mozilla a target....
After that, if the file is modified, then a Tripwire-type solution should catch it, I would think. In the mean time, everyone's checking those MD5 sums, right?
There's probably only about ten people on FR that get that statement!.............LOL!!!!.....
Yup. Time to dust off the old Kaypro and get back to REAL computing, eh?
Long Live the 8-inch Floppy!
You know, I really don't trust those double-sided, double density discs ...
Started in CP/M on my old Commodore 128. Back in the day of the true power machine.
You gotta be careful with them as data could bleed through from the other side.
I never had to deal with viruses when I programmed on my breadboard.
Thanks for alerting us.
Another important step is get the package signatures (MD5, SHA, PGP, etc) from a different service and compare to the signature of the downloaded package. Some folks download the source and compile to produce just the signatures as a public service.
I don't see this mentioned anywhere on the mozilla page, btw. However it's mentioned in the developer side. Other open source binaries (e.g. Apache, OpenOffice, etc) usually are distributed with signatures.
yah, good point. Furthermore:
This is not official site of Mozilla Foundation and maintained by volunteers of by Mozilla Korean Communuty.
Sometimes, it's important to dig a little deeper. In this case, it was not mozilla.org that had the infected binaries, but rather a Mozilla fan site in Korea. This should not need repeating, but it's probably not safe to donwload programs from arbitrary servers on the Internet.
You can continue to safely download files from mozilla.org
Yes, the writeup was not clear on that point.
Maybe on Linspire - a Linux for newbies that logs users on as root (like WinderzXP). Not on my Debian box.
The tripwire daemon should be monitoring the size of the executables in /bin, not the downloaded file. Those are the normal targets, all the regular Unix commands that are run frequently.
Assuming you're not running as a privileged user, sure. Of course, it'll still try to touch every file it can - run one as root later on, and you're hosed ;)
Ah, sorry - I thought you were asking about the moz/TB binaries. In that case, Tripwire would presumably sound the alarm if files started changing.
Surely it's not that simple.
You would normally su to root to install the software. While unzipping and untarring the executables wouldn't do anything, they probably contain executables will be owned by root and can therefore run as root if the suid bit is turned on.
So even if you're browsing the web as Joe Blow, you might not be safe.
Of course, most savvy Unix SAs install things like web servers under an account like 'nobody' that is deliberately designed to have no privileges at all. But many would unthinkingly su to root to install client software on workstation machines.
Things like this happen when you let just anyone view your source code.
Seems to be a recurring problems for these Mozilla guys.
ten or 10 in binary, which is a few less? :)
Shoot, I always favored my Radio Shack 2k TRS-80.
There's 10 kinds of people who understand binary... Those who do, and those who don't. :)
Just think. If IBM had chosen CP/M instead of MSDOS, Bill Gates would be just another computer geek..............
i=sqrt(-1)............. Very imaginative! :)
He says to the Bartender,"I just lost and electron!"
Bartender says,"Are you sure?"
Atom replies,"I'm positive!".......
Trash-80. OS in ROM. No viruses.
Since I'm a Suse user, not Debian, I had to check what 'apt' is, but probably yes. Certainly Yast only runs as root.
That's why these automatic installers are so dangerous. They run as root so they can update the startup/shutdown scripts, but this makes them vulnerable to attacks like this.
apt runs as sudo (when you install) but programs can't invoke root on their own.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.