Re: Linux viruses -- everything you need to know!

"100% they will get a virus" that may be your experience but as a windows user as far back as I can remember, I never knowingly got a virus, Malware or Trojan on my system by following the same very simple rules you have outlined, NEVER open any program from an unknown source, and the same applies to e-mails and the like. Never run your primary login in as Administrator and have an uptodate AV program installed but like you I had many friends and relatives who did. But 100% no 99.999% maybe
That said I have recently converted to Kubuntu and look forward to a system where I don't have to check AV definitions are uptodate and that "something" hasn't crept in the back door whilst I was not looking by running antimalware software and a whole raft of preventative measures.

Ok, guys, and especially GreyGeek, I have a question for you, I saw a video on one of the many Linux YouTube channels that I subscribe to. The guy is knowledgeable & is also a network security analyst for his day job.

In this video, he explains in detail (during screencast, with many screenshots etc) how his Ubuntu machine got infected by a drive by browser exploit which exploited the flash player plugin and managed to get his machine 'beaconing out' to a Polish IP address. It was quite a serious infection, as he explains and he had to go through some pretty deep analysis to get to the bottom of it. Needless to say, he was very shocked by this.

So, this made me think that you don't need any kind of 'executable .exe' or standard piece of malware or anything else that requires root or whatever when a browser exploit can be so successful. It didn't appear to be just for one browser session btw. he noticed a day or so after that his Ubuntu pc was slowing down considerably.

I am no expert at all, in fact I'm comparatively new to Linux, and so, would be very interested to hear your opinions about this as I have also been under the impression that Linux is 'so very secure' etc.

Here is a link to the vid
http://www.youtube.com/watch?v=94QsgdXnsmU

is anyone still following this thread?

Sounds like what happened to him was he got hit with a Flash exploit. The thing with Flash is that, somewhat like Java, it is an OS-independent framework for running code. So, an exploit that affects Flash will be able to work on any OS platform that has Flash installed. Linux is secure by design (however, no OS is completely impervious), but installing things like the Flash and Java browser plugins is akin to replacing a section of a castle's wall with a screen door.

I have to admit that I'm a little surprised that someone who is "knowledgeable about security" would run Firefox without such addons as Ghostery and NoScript, either of which would have prevented him from being infected in such a manner. (Ghostery can be configured to prompt the user when encountering website redirection, and NoScript by default will block scripts and plugins from non-whitelisted domains).

Yes, the first thing I do when setting up new system or upgrade, is to install Adblock+ and NoScript. Actually, I left a comment on the guys video channel about not forgetting 'NoScript'.

I havent tried Ghostery yet though, I'll take a look at that.

Regardless, it does show that for all those guys going on about how secure Linux is, it can be quite seriously exploited in this manner. So, for me, it begs the question, which is better for a home users perspective (someone who likes to browse the web with full multimedia/video viewing capabilty),

1) a windows 7 machine fully updated with one of the good paid for security suites, BitDefender, Kaspersky, TrendMicro, all of which fully integrate into the browser and would catch exploits like this almost everytime (I have on a few occasions had the instantaneous 'the page you're about to visit has been blocked due to hosting malware' , or 'script object blocked' etc)

2) a linux OS with no protection against Firefox + Adobe Flash exploits such as seen in the vid above.

So it would seem that without the excellent addon 'NoScript' which I have used for years btw (there is also a decent similar version for Chrome now), Linux isn't very secure at all (from the browser exploit point of view). I would not want to view the web these days without being able to watch flash video, so which is best?

Oh and finally, yes I was also surprised that the guy with the Youtube channel didn't use 'NoScript' hence my leaving a message in the comments section about it, but the way you use quotes for "knowledgeable about security" seems that you have some issue of some sort, it was only my opinion that he is quite 'knowledgeable'

I guess you missed the analogy about the castle. No matter how secure an OS is, if the user deliberately pokes a hole through that security (for example, by installing the Flash browser plugin, and not mitigating that risk by also using browser add-ons such as NoScript), how is that the OS's fault?

As I said, this was a Flash exploit that lets the bad guy inside the outer wall. Once inside (thanks to a weakness in Flash's security - not Linux's), the bad guy would next want to somehow escalate his system privilege level from that of the user running the browser, to superuser privilege level. Without doing that, the bad guy's ability to do mischief is limited, thanks to Linux's refusal to allow regular users access to the core OS without first entering the superuser password. I wouldn't describe what happened to the guy in the video as a serious Linux exploit unless privilege escalation occurred, and I didn't see anything in his video that indicated that it had.

A quick aside on Windows security suites - many of the paid ones are bloated messes that are as likely to cause system slowdowns, or even instability, as they are to block malware threats. One of the most well-regarded solutions is actually one of the free ones (Microsoft Security Essentials).

My use of quotes was just to express my low opinion of people who like to give the impression that they are security experts, despite their not following best practices themselves. When they get stung by their own failure to follow best practices, I call that a bug in their wetware, not their software. It's like a doctor giving health advice while puffing away on a cigarette, with an open bottle of cheap vodka on his desk alongside a half eaten burrito. If having a low opinion of such people is an issue of mine, than it's one I'm quite content to have.

I do agree about the security suites being truly awful bloat and yes they do certainly slow down machines considerably, no doubt about that, but they do have their seriously good points, in this particular example, any of the good ones NOT MSE would easily stop such a browser exploit. You are categorically wrong about MSE (Microsoft Security Essentials), I guess you have been away from (or never been near in the 1st place) the windows world for a long time. It is the worst ever security software, never scoring above 60% detection rates with any of the professional AV testing organisations. In fact it is laughed at & targeted by the worlds malware writers. It also has no browser plugins and no proper two way firewall.

Anyway, my post was not about that. Look at your attitude, lol, absolutely typical of the majority of Linux users, shalll I explain what I mean for you here?

You take any remark or point of view as some kind of insult to your precious OS, "oh, it's not Linux's fault mummy", "it's not the fault of the OS" etc etc, pathetic. My original point is one of a newcomer to Linux wondering about security issues. As I clearly said in my op, I know that Linux is great when it comes to not running an actual .exe file or any standard piece of malware written for the Windows platform, so good. What I have pointed out here is a fairly good example of a Linux OS (Ubuntu recent version) getting bitch slapped by a browser/adobe flash exploit, which should be a concern for anyone, no?

Why are you acting so threatened by one of millions of guys on YouTube who I pointed out was a network security analyst?, what's the matter with you?

I only know about this because he said it in one of his other videos during which he commented about it having taken several years to get the job he had and how he had to pass the exams to get his GIAC Intrusion Analyst certification. I am not in the field of IT but I gather that the GIAC stuff is pretty damn difficult to get, so I would guess, and hence come to the conclusion that he is reasonably knowledgeable, probably a damn sight more so than your good self (even though, he got caught not using NoScript, but in fairness to the bloke, he did laugh at himself a bit).

I have no interest in the guy that made the video, I don't know him personally, I made a comment on the video comments section asking him about using 'NoScript' as I previously explained, my OP is self explanatory, what bothers me here is how I have noticed that you can't have a reasonable conversation with anyone in the linux community without them taking offence or generally being stupid enough to be offended on behalf of linux itself.

If anyone on this community forum wants to add a reasonable point to what I hoped would be a debate and discussion about security on Linux and in particular, the point I raised about browser + flash exploitation, I would be delighted to read your opinions, I guess, I really just want to re-assured about linux being the safer platform for regular web browsing usage.

None of my reads of what HalationEffect wrote would indicate he feels threatened by anyone. For you, KDEnewbie, to interpret his responses as indiciative of threats, is simply wrong. HalationEffect correctly characterized the attack as having nothing to do with Linux, and his tone suggests no offense (yours, however, is unnecessarily strident). The attack succeeded because of a vulnerability present in a (cross-platform) browser add-on. The exact same attack would work on a Windows computer, too.

The claim that "Linux is more secure than Windows" is these days not an absolute truth. A properly installed and configured Windows machine is perfectly capable of defending itself naked on the Internet. I have a few of my own. They remain healthy.They rely on: automatic updates, the Windows firewall (unidirectional is all you need), and Microsoft Security Essentials. And, crucially, users don't log on as administrators. This is one weakness which I wish Microsoft would fix. In Linux, since users always log on with reduced privileges, a drive-by exploit such as the one under discussion here has practically no ability to damage the operating system. Out of the box, Linux protects itself better from applications in this one dimension. In Windows, if a user is logged on as an administrator (the default), drive-by exploits can cause more damage. Owners of Windows machines must switch to standard accounts.

Both platforms still benefit from additional tools to strengthen browser and plug-in security. These have little to do with robustness of the underlying operating system itself. I sense, KDEnewbie, that this is perhaps where your uncertainty lies. The need to use something like NoScript for blocking certain drive-by attacks is necessary on both platforms. If you use it on Windows, drive-by exploits fail. If you use it on Linux, drive-by exploits fail. If you don't use it on Windows, drive-by exploits succeed, and assume all the privileges of the logged on user (admin be default unless you change your account). If you don't use it Linux, drive-by exploits succeed, and assume all the privileges of the logged on user (standard by default).

Self-proclaimed credentials on YouTube shouldn't be given much weight. Neither should possession of a certification. I have a GIAC incident handling certificaiton, which expired 10 years ago. It wasn't all that difficult to obtain. If this guy were able to demonstrate publications (such as a book, or a chapter in a book here and there, or a series of articles), then I'd be more willing to evaluate his actual skill set, based on evidence.

Why would anyone in any community want to have a so-called "reasonable conversation" with someone who attacks a respondent who simply offered an alternate opinion? A reasonable conversation requires all parties be reasonable and your last response was anything but reasonable. A "debate" infers disagreement, something it appears you're not comfortable with. I see no evidence of HalationEffect acting "threatened" as you claimed. On the other hand, your response seems very defensive and unwarrentedly so.

Additionally, this forum's users and mods take a dim view of rude generalizations;
or personal attacks on it members. Do you actually think you're going to get a reasonable conversation started by insulting every member of this forum? Besides, if the linux community is so easily offended and as generally stupid as you claim, then I would ask why you are posting questions here in the first place? Clearly, you would be better served elsewhere.

Good Luck.

@KDEnewbie

Threatened? No. Defensive? No. Weary of correcting common misconceptions? Ding ding ding! We have a winner!

At this point I don't even believe you are posting in good faith. For someone who claims to want a reasonable discussion, you sure are good at throwing out ad hominem attacks and straw man arguments (and for good measure you also used an appeal to authority, another logical fallacy), which almost guarantees that you won't get reasonable discourse in response.

You know what kind of people use such tactics? Trolls. If you dislike that label, then my advice is to quit behaving like one.

Anyhoo, unless you can demonstrate the ability to post in a non-trollish manner, I'm done replying to you.

Thanks for your answers, some good replies and I guess that either platform is equally vulnerable, but I think that the video I linked to does show that a Linux OS can still get problems with such an attack/exploitation. Not everyone would want to bother with NoScript because it is initially a pain to go through sites adding to whitelist etc.especially payment sites where you have to allow half a dozen 3rd, 4th parties etc

Regarding my comments to HalationEffect, I stand by them because he spent more time & effort looking down his nose at the guy in the video, with stupid & pointless comments like "anyone who says they are knowledgeable" and to quote him here..

"My use of quotes was just to express my low opinion of people who like to give the impression that they are security experts, despite their not following best practices themselves. When they get stung by their own failure to follow best practices, I call that a bug in their wetware, not their software. It's like a doctor giving health advice while puffing away on a cigarette, with an open bottle of cheap vodka on his desk alongside a half eaten burrito. If having a low opinion of such people is an issue of mine, than it's one I'm quite content to have."

Sorry, but if that's not pathetic then what is it? The guy never said anything about being an expert, he never made any claims about himself except to laugh at himself for being caught out, it was me who simply added the explanation about him, purely because i have watched many of his videos over the last couple of years, so I simply thought that I would add the details about the guy so as to explain it was a YT channel run by a linux enthusiast who also knows about security as it is his job

The reaction by HalationEffect is one of either being threatened in some way (maybe I'm wrong on this) or simply an unpleasant attitude, sneering & looking down as though he is so much better, in short an unpleasant arrogance, the type of which is common on linux forums, this is a perfect example, you say something very slight about someone actually knowing something and the reactions/answers are like his, ie. everyone knows better," that guy or this guy doesn't know anything", "we know so much better"

Time to inject some order into this thread.

No one here denies this. Each platform has its own strengths and weaknessess. In the aggregate, modern versions of both are safe platforms for daily use, when properly protected.

If one wishes to derive the benefits of NoScript, benefits which neither operating system offers on its own, then one must take the time to set it up. Applies equally to Linux and Windows.

In yet another re-read of HalationEffect's comments, I come away with still no nose-downlooking. In post post #79, he analyzed the attack (a Flash exploit) and touched on the vulnerability (the exploit leaves a wide opening that can bypass parts of the operating system's internal controls). HalationEffect also observed that it was curious for a person with self-proclaimed security skills to omit an important procedure for improving overall protection.

I, too, find myself wondering about his credibility. Consider his short review of port numbers starting at 3:50. He forgets the meaning of "SSL," and then guesses at "secure link for web traffic." Wrong, and too narrow. He states that any port number above 1024 is "ephemeral," which for Linux is incorrect. The range is 32768..61000, as defined by /proc/sys/net/ipv4/ip_local_port_range. His characterization that "ports below 1024 have a specific purpose" follows from the earlier misunderstanding. The IANA maintains the definitive list of reserved port numbers, many of which are greater than 1024. And port 23: "That's a bad one, that's telnet. An old DOS command prompt into your system." Uh, what? Originally defined in 1969, telnet predates DOS by 12 years. Eventually he gives up, claiming that "it would confuse everyone" if he continued. Clearly, he's already confused himself. He prattles on about ports being "open," which is an incorrect way to describe how a port on a host behaves ("open" is a firewall state). I'll continue piling on: he describes ephemeral ports as "going to web sites," which exhibits a fundamental misunderstanding of the purpose of such ports and how TCP connections are established. Ports don't "go to" anything.

In light of the above, HalationEffect's criticism is warranted.

In post #80, KDEnewbie begins with a proper assessment of the differences between a Windows machine with the appropriate additional protections and a Linux machine lacking such protections. The post then asks a question about which platform is more secure for browsing, but only after making a general statement about Linux's lack of security. The crux of the argument begins here, I believe. While HalationEffect had already clarified that the issue is unrelated to the platform and instead involves a vulnerability in a cross-platform add-on, KDEnewbie wants to bring the argument back to the platform.

Also in post #80, KDEnewbie appears irritated about HalationEffect's use of quotes. The dismissive use of quotes is indeed warranted, because the person in the video displays some basic misunderstandings. I doubt HalationEffect intended to slag KDEnewbie, but KDEnewbie chose to interpret it that way. And in post #81, HalationEffect confirmed the purpose of the quotes.

In post #82, the tone turns ugly, with KDEnewbie's redirection of the conversation away from exploits, vulnerabilities, and cross-platform attacks. The conversation now begins impugning HalationEffect's attitude. Which is unfortunate because, up to this point, the only attitude expressed in the writing is some mild criticism against a self-proclaimed expert who displays a consistent misunderstanding of the basics. I will not reiterate everything here, but I would recommend that KDEnewbie re-read what he/she wrote, and determine whether HalationEffect exhibited any signs of feeling insulted or threatened. I would also encourage KDEnewbie to evaluate whether the statement "probably a damn sight more so than your good self" adds anything constructive. To make such a claim, I think, would require a certain degree of knowledge about the person.

Post #82 ends with a sweeping generalization about the impossibility of having reasonable conversations in the Linux community without members taking offense. I would place this fine forum as a prime example of a source of such offense-free conversations. We indeed carry on these kinds of reasonable conversations every day. The only person displaying offense here is, in my analysis, KDEnewbie.

The person in the video indeed claims to speak from authority, and even discusses a paper he wrote. KDEnewbie did let us know that, elsewhere, the person mentions possession of GIAC certification. This is useful extra information that further informs HalationEffect's (and my) criticism of the person in the video. Neither of us is criticizing KDEnewbie in this regard, but again, KDEnewbie appears to interpret the criticism as if it were directed toward him/herself. And it is this exhibition of self-victimization that has angered a number of participants in the thread.

Your summary is incorrect.

Yes, you are.

Other than you, no participant in this conversation has written such things.

Steve Riley, I think you made a really great and very informative post.

Perhaps I should explain that until you explained in detail where the guy in the video (who I have been 'sticking up for' so far) showed a lack of clarity/knowledge/skill, I really simply just didn't know enough about it to recognise such a situation, I was under the impression that the guy knew his stuff or at least knew the basics, that's all. I thought it might be a reasonable video to link to simply because of the explanations given with fairly clear screenshots etc..in relation to the subject of this thread & my own curiosity about Linux & particularly security in linux vs other platforms.

I do think that some of what I have stated regarding comments by HalationEffect are not too unjustified, by this I mean, do you really think that it is necessary to say things like

"just to express my low opinion of people who like to give the impression that they are security experts, despite their not following best practices themselves. When they get stung by their own failure to follow best practices, I call that a bug in their wetware, not their software. It's like a doctor giving health advice while puffing away on a cigarette, with an open bottle of cheap vodka on his desk alongside a half eaten burrito. If having a low opinion of such people is an issue of mine" etc.

Perhaps I owe everyone an apology for taking things the wrong way, but I do see the above quote as

1) Unecessary
2) Mildly unpleasant
3) Off topic
4) Sneering & looking down on someone in a video who is NOT the topic here, I have explained why I linked to that vid, I haven't really come across other vids that show a security exploit occuring with reasonably detailed explanations. Whether the guy is skilled or not is absolutely not the issue (to my mind). I just wanted opinions on the exploit & whether Linux is better for this type of attack than, say, a fully protected windows 7 box with good security suite fully updated, scanning in real-time + with a set of browser extensions.

Perhaps I react this way because I have over the last couple of years seen a pretty unpleasant attitude on several Linux forums, where many seem to think they know better than everyone else, look down on newbies and often insult them, act pathetically as soon as anyone talks in what they perceive as being against Linux in anyway whatsoever, not unlike religious fundamentalists.

Anyway, sorry to annoy anyone, I have a lot to learn and I seem to be developing a considerable interest in IT security these days, hence my original questions.

Thanks for your answers and especially Steve Riley, your explanations have got me googling already

Thank you. Disagreements inevitably arise from time to time; it's always useful to analyze the core (not the periphery) of such contention and attempt to come to a resolution. That doesn't always happen, unfortunatey. In this case, it appears we are close to reaching one.

The video is indeed worthy of discussion. Let me explain a couple reasons why. First, even though the video itself isn't the actual subject of the thread, it is part of the thread's contents. Kubuntu Forums imposes very little in the way of structure, and that's for a reason. We're small in comparison to some other Linux forums. Many of us here have known each other for years. We are mostly a very welcoming bunch, and wish to encourage others to feel comfortable participating. Items introduced into a thread may indeed take the conversation in various and unpredictable directions. That is OK here.

Second, the original concerns KDEnewbie raised had been adequately dealt with. Conversation persisted about the remaining items that had been unresolved: the purpose of the video itself and the raising temperatures of the participants. I sense that, now, both these issues have reached a point of settlement.

Now about the act of criticism. KDEnewbie, I have worked in information security for nearly 20 years. I, too, take a dim view of people who don't strive to be correct when they endeavor to tutor others. This is not to say that I ridicule all mistakes; hell, I've made plenty of my own. But this particular person in the video is far from an expert, and seems unaware of that (or just doesn't care, I really don't know). The IT industry is littered with bad security advice, so bad that it creates actual economic loss in many cases. Bad security advice must be called out as such. So while you may not have intended for the post to move into discussion about the video, the act of introducing the video into the thread means that the video now becomes part of the conversation. It's the natural course of how we roll at KFN.

Finally, I encourage you to pursue your interest in information security. We don't have enough smart, innovative thinkers in this industry. Keep honing those Google skills. Learn the basics. Then begin formulating your own ideas and find ways to get published. Eventually, you just might transition from one doing the searching to one being searched for.

...Steve

In fairness, I confess that I could have been more diplomatic in my second reply to KDEnewbie. It was definitely coloured by KDEnewbie's confrontational tone in the post that my second reply was aimed at. Having said that, I should add that I feel no obligation to turn the other cheek when someone jumps down my throat.

However - my first reply to him was written in an entirely neutral frame of mind, and I assert that any perception of an emotional subtext in that post is entirely in the mind of the reader. Let's just say that reading between the lines is a *very* inexact science, which is prone to result in jumping to incorrect conclusions.

I suspect that the misunderstanding happened because I've grown accustomed to the relaxed attitudes here, and have learned to expect that if there is any uncertainty as to whether a post is snarky, that the benefit of the doubt will usually be given.