Linux Trojan Avoids Detection for Almost a Year





This is an inaccurate "issue" exaggerated by an uninformed media.  This is like saying Windows is an insecure platform because Energizer's USB software had a trojan in it.

It's not Microsoft's fault Energizer is incompetent, just like it's not Linux's fault that the UnrealIRCd developers are incompetent.  There has never been any question that Linux is susceptible to malware and viruses, especially when it's introduced by a piece of software considered safe.  It's just always been the assumption/conclusion that Linux is "safer" by design, and harder to crack by external attackers.



Didn't see that one coming. 


Electronically charged



Let's see, November 2009 - June 2010 = about 7 months.  I'm all for rounding up when the situation warrants, but I don't think you used the right number of significant digits in your equation.



If I can't scan for malware and what not, I don't use it. I do think Linux is designed to be more secure, but I also think that it can be broken.



Linux’s greatest security measure is that it has a very small market share, and within that market share there are dozens if not hundreds of companies making distinct OSs, and within each company they have several different releases or OSs.  What goes against Linux is that many a server is running it; now if I had to choose between hacking a single server of a Fortune 500 company or a single end user’s computer I am going to choose the server.  So how long will Linux be free? That depends on adoption rate more than anything, as Apple is starting to find out.


Neon Samurai

Here, we're seeing a video game with limited third party developer review and non-distribution sources. It's not the same as a good server distribution with much wider used software components and trusted repositories. Get malware into Debian Stable, RHEL or similar major server distributions and then it'll be news. One also needs to look at patch times, which I'd again refer to Debian for since they run a fully transparent shop from initial report through to updated package delivery. They vet software modifications and patch submissions. Packages are run through nightly automatic builds.

Let's say it all together: obscurity is not security. It only provides a false sense of security to those who don't know much about the topic. With the development model currently in place, there is no reason not to believe that major distributions and projects will easily keep up with growing popularity as a target for blanket attacks (all platforms are already "equal opportunity" for targeted attacks).

In this case, a video game with a small user base and provided from limited distribution sources got maliciously modified. That shouldn't be news. What this more importantly demonstrates is that peer review and tighter package monitoring would have caught this, as it already catches undesirable code in other projects. The reality check for this is looking at how many distributions include the video game, how they prepare it within their package management and if they are affected by the backdoor. That would actually be interesting and informative (but not sensationalized, so it won't spread about the mass media like this initial bit of information-harpies.)

Good on them for being open about the breach also. Many other companies, especially game companies, probably would have switched directly into CYA mode. These folks were honest and said "wow are we embarrassed.. ok.. here's the problem we found.."

(sorry, entire comment isn't directed at you personally. One last bit.)

As for the mass media going into "told you so" mode; it'll amuse the 14 year olds and fanboys for a while but it's the same spin they used to fuel screen clicks and eyeballs after the Pwn2own. All the kiddies jumped up and down going "XYZ OS was first to be broken at Pwn2own so that demonstrates that it sucks" while ignoring inconvenient details like the Pwn2own rules, where the vulnerability actually was and how fast it was addressed after being reported.


Neon Samurai

It was IRC server software rather than the *nix build of Unreal. Still an issue with a bit of software that runs on top of several different platforms, but not being a video game does increase the effect. I'm honest enough to admit error though. So, what distributions include this IRC software and of those, which ones were affected by the backdoor code?

"The contaminated source files have also found their way into the Gentoo Linux distribution's repositories. The Gentoo package has already been updated with a non infected version (unrealircd- ebuild) and is available"

Looks like the system works and affected distributions are maintaining the usual short patch times.



If anything it was probably just lack of oversight.  Group produces their program, group checks it over and finds it clean, group puts files out on their server for download, and then group moves on to producing the next version of their program.  They have no reason to think that their server is going to get 0wned and their source replaced with source that has a backdoor in it, so they have no reason to go back and check their old code on the server.  I read the article linked above and quite honestly I wanted to reach through my computer screen and slap the writer over at ZD.  His crowing about how the Windows pre-compiled binaries weren't infected and wouldn't have lasted more than a few days in the wild if they were infected is complete Bravo-Sierra.  Of course the pre-compiled binaries weren't affected, because that would have required the attackers to recompile the darned things and replace them on the server handing the files out to the public.  As for virus scanners catching them on a Windows platform, I'd like to know what mythical virus scanner he's using.  Sure, scanning heuristics have improved and scanners these days are more likely than ever to catch known infections, but you're lucky if even a third of the commercial-grade scanners out there can catch an infection with an unknown signature.

Regardless of that, this strikes me as much ado about nothing.  The people running this IRC server will wipe their boxes and reinstall, and life will go on.  One backdoor infection in a third-party program does not an epidemic of OS security holes make.



Wow... When I first read this headline, my immediate thought was that I was going to have to spend the next few hours checking over all the machines I'm responsible for to see if they have been exploited...

However, it turns out that the vulnerability in question was in fact with a piece of open source software that could be installed on any number of platforms. At the risk of sounding like one of the "arrogant" open source proponents mentioned in the article, I don't think this shows that the Linux platform is particularly vulnerable. I guess this does serve as a wake up call to all system admins though: check package signatures before installing software off the internet, even if it's from a trusted source! :)
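The check the commenter above recommends, as an added example that is not part of the original thread and not the UnrealIRCd project's own tooling: a small POSIX shell routine that compares a downloaded archive's SHA-256 against a value published somewhere other than the download mirror, and refuses the file on mismatch. The archive names, contents and the "published" hash below are constructed for the demo; in practice the expected value comes from a release announcement, a signed release page or the distribution's package metadata, never from the same server that served the tarball.

```shell
#!/bin/sh
# Added example (not from the page or the UnrealIRCd project): verify a downloaded
# source archive against a checksum obtained from somewhere other than the
# download mirror before unpacking or building it. A checksum fetched from the
# same compromised server as the tarball proves nothing; keeping the two sources
# separate is the whole point. File names and contents below are constructed.

# verify_checksum ARCHIVE EXPECTED_SHA256
# Returns 0 when the archive's SHA-256 matches EXPECTED_SHA256, 1 otherwise.
verify_checksum() {
    archive=$1
    expected=$2
    actual=$(sha256sum "$archive" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "OK: $archive matches the published checksum"
        return 0
    fi
    echo "MISMATCH: $archive does not match the published checksum" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# Constructed demo: a clean archive and a copy with one line appended, standing
# in for a tarball that was swapped out on the download server.
DEMO_DIR=$(mktemp -d)
GOOD_ARCHIVE="$DEMO_DIR/example-1.0.tar.gz"
BAD_ARCHIVE="$DEMO_DIR/example-1.0-replaced.tar.gz"
printf 'original release contents\n' > "$GOOD_ARCHIVE"
printf 'original release contents\nextra line\n' > "$BAD_ARCHIVE"

# The value the project would have published out of band. It is computed from
# the clean file here only so the demo is self-contained; a real check must not
# derive the expected value from the file being checked.
PUBLISHED_SHA256=$(sha256sum "$GOOD_ARCHIVE" | cut -d' ' -f1)

verify_checksum "$GOOD_ARCHIVE" "$PUBLISHED_SHA256"
verify_checksum "$BAD_ARCHIVE" "$PUBLISHED_SHA256" || echo "refusing to unpack $BAD_ARCHIVE"
```

A checksum only catches a swapped file when the attacker could not also rewrite the published hash, so where a project signs its releases the stronger check is a detached signature verified against a key obtained beforehand (for example `gpg --verify example-1.0.tar.gz.asc example-1.0.tar.gz` with the maintainer's key already in the keyring); the routine above is the fallback when no signature is offered.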
