[vox-tech] Installing Java

Rick Moen rick at linuxmafia.com
Thu Dec 30 10:15:49 PST 2004


Quoting Jay Strauss (me at heyjay.com):

> >If you're stuck, read my EBLUG-talk slides on
> >http://linuxmafia.com/presentations/ , and note the lessons drawn from
> >the tcp-wrappers-7.6.tar.gz trojaning in 1999, for one reason.   ;->
> 
> I'm gonna read it tonight
> Thanks

You're welcome, but I feel a bit bad that, being just slides, a lot of
that's going to seem cryptic.  (Actually, this being the first set of
presentation slides I've ever created in my life, I screwed them up by
making them too verbose by about a factor of three, but they'll still be 
cryptic, anyway.  :(  )

Essentially, having finished back in November cataloguing and
analysing[1] all of the highly diverse stuff claimed, here and there, to
be Linux malware, I sat down and gave the subject a good mulling over:
Most of the "attack threats" were pretty laughable, or were not attacks 
per se but rather post-attack tools used by bad guys who broke into your
system by other means entirely.  However, I stopped and thought:  That
bit aside, if I were one of the bad guys, how and where would I deploy
Linux malware (especially trojans) to actually affect systems?  Moreover, 
has it ever been thus deployed with even partial success, and where?

Moreover^2, to the extent that such deployments have never taken off,
what mechanisms, social or technical, have prevented that?

One of the things I examined was the site compromise and trojaning of
several ftp/Web sites over the years.  Those sites were ones offering
public download of source tarballs, of both security-sensitive packages
(e.g., tcp-wrappers, util-linux, the Linux kernel as offered on the
BK-CVS gateway host, network tools on monkey.org) and less so (e.g., the
irssi IRC client).  I noticed that all of these were compromises of
source code at the "upstream" maintainer sites, i.e., that distros'
packages were _not_ compromised.  That turned out to be significant --
and no accident.

Wietse Venema's TCP Wrappers package got trojaned in 1999 on what was
then its main source hosting site, a well-known public ftp server at
Eindhoven University in the Netherlands (ftp.win.tue.nl).  Someone
covertly root-compromised the host, and then posted a trojaned, phoney
tcp-wrappers-7.6.tar.gz in the ftp directory.  

About fifty people downloaded that file in the first few hours after
its "release", suspected nothing, and presumably wrecked their systems
(installing a backdoor for the bad guy).  Approximately the fifty-first
was Andrew Brown of Crossbar Security, who was alert enough to say to
himself "Hey, how come _this_ release of TCP Wrappers isn't PGP-signed?"
He raised the alarm, and the fifty-odd prior downloaders were notified
by mail.

One of the things that downstream package maintainers for distros do for
you, if they're on the ball at all, is to be at least as alert and
constructively paranoid as Andrew Brown was.  They're an additional
check against _both_ quality problems and security compromise, between
you and various sorts of harm.  You should make use of that protection
(and other advantages, such as distro-specific patches) preferentially, 
and be aware of the need to perform personally the same sort of checks
(e.g., meaningfully verifying PGP signatures and md5sums) and
distro-specific adjustments, whenever you elect to go outside the
package system.

So, that's about two of my slides out of the 34 total that should now be
a little less cryptic.  ;->

[1] http://linuxmafia.com/~rick/faq/index.php?page=virus#virus5

-- 
Cheers,                                      Hardware:  The part you kick.
Rick Moen                                    Software:  The part you boot.
rick at linuxmafia.com
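The "meaningful" verification of a downloaded tarball that the message recommends, as an added example (this is not Rick Moen's code and not anything from the TCP Wrappers project). It does the two checks the 1999 trojan would have failed: the checksum file must match the bytes on disk, and a PGP signature counts only when gpg reports a VALIDSIG from a key whose fingerprint was pinned beforehand, not merely a "good signature" from whatever key happens to be in the keyring. The pinned fingerprint, the file contents and the gpg status lines below are all constructed for the example; the only real tool call is `gpg --status-fd 1 --verify`.

```python
"""Added example, not from the original post or the TCP Wrappers project:
verify a downloaded tarball against a checksum file and a detached PGP
signature, accepting the signature only from a pinned key fingerprint."""
import hashlib
import re
import subprocess
from pathlib import Path

# Hypothetical pinned fingerprint of the upstream maintainer's signing key.
# It must come from somewhere other than the server that serves the tarball
# (keyserver plus out-of-band confirmation), or pinning proves nothing.
PINNED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"

# md5sum/sha256sum line: "<hex digest>  <name>" or "<hex digest> *<name>"
_CHECKSUM_LINE = re.compile(r"^([0-9a-fA-F]{32}|[0-9a-fA-F]{64})\s+\*?(\S+)$")


def verify_checksum_file(checksum_text: str, files: dict) -> dict:
    """Check each 'digest  filename' line against the bytes in `files`.

    `files` maps filename -> bytes.  MD5 (32 hex chars) and SHA-256 (64 hex
    chars) are told apart by digest length.  Returns filename -> bool; a
    listed file that was not downloaded counts as a failure.
    """
    results = {}
    for line in checksum_text.splitlines():
        m = _CHECKSUM_LINE.match(line.strip())
        if not m:
            continue
        expected, name = m.group(1).lower(), m.group(2)
        data = files.get(name)
        if data is None:
            results[name] = False
            continue
        algo = hashlib.md5 if len(expected) == 32 else hashlib.sha256
        results[name] = algo(data).hexdigest() == expected
    return results


def signature_acceptable(gpg_status: str, pinned_fpr: str) -> bool:
    """Decide from `gpg --status-fd` output whether a signature is trustworthy.

    Only a VALIDSIG line carrying the pinned fingerprint is accepted.  GOODSIG
    alone proves nothing: whoever replaced the tarball can just as easily
    ship a signature made with a key of their own.
    """
    pinned = pinned_fpr.replace(" ", "").upper()
    for line in gpg_status.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "[GNUPG:]" and parts[1] == "VALIDSIG":
            if parts[2].upper() == pinned:
                return True
    return False


def verify_download(tarball: Path, signature: Path, pinned_fpr: str) -> bool:
    """Run the real gpg on a detached signature and apply signature_acceptable.

    A missing signature file is a hard failure: that absence is exactly what
    gave away the trojaned tcp-wrappers-7.6.tar.gz.
    """
    if not signature.exists():
        return False
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", str(signature), str(tarball)],
        capture_output=True, text=True,
    )
    return signature_acceptable(proc.stdout, pinned_fpr)


# --- constructed sample inputs (not real downloads or real gpg output) ---
GENUINE = b"pretend this is the genuine tarball\n"
REPLACED = b"pretend this is the tarball the intruder uploaded\n"
# Checksum file as it would be obtained from a separately trusted location.
SAMPLE_CHECKSUMS = f"{hashlib.md5(GENUINE).hexdigest()}  tcp_wrappers_7.6.tar.gz\n"

STATUS_PINNED_KEY = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 0123456789ABCDEF Upstream Maintainer <maint@example.org>\n"
    f"[GNUPG:] VALIDSIG {PINNED_FPR} 2004-12-30 1104400000 0 4 0 17 2 00 {PINNED_FPR}\n"
    "[GNUPG:] TRUST_FULLY 0 pgp\n"
)
# Valid signature, but from a key nobody pinned: must be rejected.
STATUS_OTHER_KEY = STATUS_PINNED_KEY.replace(PINNED_FPR, "F" * 40)
STATUS_BADSIG = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG 0123456789ABCDEF Upstream Maintainer\n"


if __name__ == "__main__":
    print(verify_checksum_file(SAMPLE_CHECKSUMS, {"tcp_wrappers_7.6.tar.gz": GENUINE}))
    print(verify_checksum_file(SAMPLE_CHECKSUMS, {"tcp_wrappers_7.6.tar.gz": REPLACED}))
    for label, status in [("pinned", STATUS_PINNED_KEY), ("other", STATUS_OTHER_KEY),
                          ("badsig", STATUS_BADSIG), ("no signature", "")]:
        print(label, signature_acceptable(status, PINNED_FPR))
```

In use, the checksum file and the signing key's fingerprint have to come from somewhere the attacker who owns the ftp server cannot also rewrite; a checksum file sitting next to the tarball on the same compromised host adds nothing, which is why the fingerprint here is pinned in the script rather than looked up at download time.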

