Viruses in PUPPY Linux, YES, "Viruses in Linux"

For discussions about security.
gcmartin

Viruses in PUPPY Linux, YES, "Viruses in Linux"

#1 Post by gcmartin »

This thread is a discussion thread. It is NOT posted to annoy or distract in discussion.

Preface
As a past systems engineer, I have always considered it misleading in Linux to say "not vulnerable to viruses", yet, point to Windows and brand it "vulnerable to viruses" without ever articulating WHY???

Discussion
How many of us have followed the line and never thought/asked why one is vulnerable and not the other? Most of my colleagues over the years, in the industry, have NOT asked this question and have blindly accepted this to be the case.

Here's some ideas:
If one can exploit an OS via a browser, would this apply if I attacked Linux filesystems instead of M$ filesystems?
If one can exploit a system by placing a keylogger in a running desktop, does it matter which OS I do that as long as I "look" to see which OS I am going to monitor?
If a trojan is dropped on a system, and it is designed to operate on a particular OS, does it matter whether it's M$ or Linux?

These are not just random examples (and, I can think of many more examples), but, moreover, all of these, by definition, fall under the umbrella of viruses?

If we take a practical view and define "exploiting an OS, to do something that devastates it or something that monitors-captures data unsuspectingly, as a virus", then we have a whole new viewpoint where all OSs are vulnerable in many of the same ways as long as I can have a transport mechanism to get it to its hosts for spreading.

OS/X, as many of us know, is a derivative of Linux. Apple most recently acknowledged this. It's a "virus", everyone.

So what makes us accept the fact that Linux does not have vulnerabilities while M$ (and now Apple) does??? (Dislike for M$ does NOT change the problem...."viruses"!)

Looking at it from this perspective, do you have any ideas that can help us all (and is there something about Linux that insulates it from exploitation)? (Please, no one use the "root" user argument. It's an invalid argument that I'd rather NOT cover in this thread. There are lots of other threads which address the "root user" topic.)

Thanks in advance for ideas on this discussion topic. And be sure to Google "Apple OSX virus announcement 2011"

Moose On The Loose
Posts: 965
Joined: Thu 24 Feb 2011, 14:54

Re: Viruses in PUPPY Linux, YES, "Viruses in Linux"

#2 Post by Moose On The Loose »

gcmartin wrote:
> This thread is a discussion thread. It is NOT posted to annoy or distract in discussion.
> (..snip..)
> Here's some ideas:
> If one can exploit an OS via a browser, would this apply if I attacked Linux filesystems instead of M$ filesystems?

To make something that will run on a Linux platform, you need to get over one extra hurdle: you need to set the permissions. This means that the exploit must do more than let you place a file somewhere.

> If one can exploit a system by placing a keylogger in a running desktop, does it matter which OS I do that as long as I "look" to see which OS I am going to monitor?

If the keylogger is a program, you have to get it in place on the machine. A keylogger that used perhaps a bug in the browser would not survive a reboot. Since Linux systems are rarely rebooted, this would mean it would get to go for quite a while. Assuming no bug in the browser that allows the keylogger directly, this path is closed off.

> If a trojan is dropped on a system, and it is designed to operate on a particular OS, does it matter whether it's M$ or Linux?

Because a Linux box has levels of permissions, a trojan that got in would have less access on a Linux that was not a "run as root" machine like Puppy. Puppy is a lot less likely to gather trojans because it doesn't constantly pop up messages asking you to allow things to happen. This makes the message of the attempt to put the trojan in stand out.

> These are not just random examples (and, I can think of many more examples), but, moreover, all of these, by definition, fall under the umbrella of viruses?
>
> If we take a practical view and define "exploiting an OS, to do something that devastates it or something that monitors-captures data unsuspectingly, as a virus", then we have a whole new viewpoint where all OSs are vulnerable in many of the same ways as long as I can have a transport mechanism to get it to its hosts for spreading.

There is no such thing as no risk. I am at risk right now of being run over by a lumber truck. I am in the computer room of my house, but a lumber truck could crash the wall and get me. If I wandered aimlessly around a construction site, my risk would be higher. We need to keep the risks in perspective.

> OS/X, as many of us know, is a derivative of Linux. Apple most recently acknowledged this. It's a "virus", everyone.

No, OS/X is not a derivative of Linux. Apple started with BSD. The "as many of us know" is a bit of an odd thing given that it was just before a mistake like that.

postfs1

#3 Post by postfs1 »

To reedit up to date.
Last edited by postfs1 on Mon 28 Mar 2016, 00:47, edited 1 time in total.

Bruce B

Re: Viruses in PUPPY Linux, YES, "Viruses in Linux"

#4 Post by Bruce B »

gcmartin wrote:
> OS/X, as many of us know, is a derivative of Linux. Apple most recently acknowledged this. It's a "virus", everyone.

It is not a derivative of Linux. Linux is GPL licensed.

~~~

Rick James - Super Freak (3:22)

~~~

dejan555
Posts: 2798
Joined: Sun 30 Nov 2008, 11:57
Location: Montenegro

Re: Viruses in PUPPY Linux, YES, "Viruses in Linux"

#5 Post by dejan555 »

Uh, I'm sure there are a bunch of discussions around the web on the same topic, and since I don't know how specific virus types function on each system maybe I'm not quite the right person to discuss, but:

Saying that there are absolutely no viruses for Linux is wrong, but compared to the quantity of viruses written for other OSes it's clear that there's a HUGE difference:
> The number of malicious programs — including viruses, Trojans, and other threats — specifically written for Linux has been on the increase in recent years and more than doubled during 2005 from 422 to 863.
Quote taken from http://en.wikipedia.org/wiki/Linux_malware

Compared to the number of viruses for Windows, I think you can state that Windows as an OS is more vulnerable than Linux and that it's usually the target OS for viruses.

Also we know that bugs were reported in kernel itself that could be used to exploit linux system. Luckily one more advantage of linux is that it's constantly progressing and making patches quickly as bugs are noticed.

Also, other differences that you should bear in mind are that
1) Linux doesn't hide running processes; it's harder to automatically launch some malware on Linux startup and then not make it visible in task managers and such. Linux doesn't have a registry.
2) Linux user rights management is generally better than in Windows.

gcmartin wrote:
> Here's some ideas:
> If one can exploit an OS via a browser, would this apply if I attacked Linux filesystems instead of M$ filesystems?

I'm not really sure about this as I don't know if tools and executables created for these attacks have to be written/compiled for a specific platform, but if not then yeah, there are probably a number of exploits that could harm Linux systems via browsers.

gcmartin wrote:
> If one can exploit a system by placing a keylogger in a running desktop, does it matter which OS I do that as long as I "look" to see which OS I am going to monitor?

Well, software keyloggers would have to be compiled for the platform that they need to run on, so yes, I guess it does make a difference.

gcmartin wrote:
> If a trojan is dropped on a system, and it is designed to operate on a particular OS, does it matter whether it's M$ or Linux?

Yes, same as above: .exe can't run on Linux. (Well, I guess yes in Wine, but even if it ran in Wine it wouldn't damage the actual Linux filesystem.)

Also, the differences I mentioned and binaries running on platforms differ not only between Windows and Linux but also between Linux distros. I will use Puppy here as an example.

Puppy Linux, differently from all distros I know, uses /root/Startup for automatic apps running on startup; other distros and other desktop environments maybe use $HOME/.kde/Autostart or something else, so a malware binary that would usually be placed there in other distros won't work on Puppy.

A binary compiled on another distro might not work in Puppy due to different library versions and other stuff, not only between another distro and Puppy but also between Puppy versions -> newer programs won't run on older Puppy versions and vice versa.

Also, I'll use puppy again as example:
I use dpup485 version of puppy - puplet or wooflet or whatever you want to call it.
I remastered it to create customized version for personal use.
When I boot it I use it without savefile - I already have programs and settings that I need in my remastered sfs that is read only.
So I boot it and shutdown without saving sessions - any changes to system or potential malware that would run on startup would be gone on next boot.

There are probably bad points to be made too, but when you consider the stuff I mentioned I believe that you CAN state that my system is less likely to catch a virus than a Windows one.
puppy.b0x.me stuff mirrored HERE (https://drive.google.com/open?id=0B_Mb589v0iCXNnhSZWRwd3R2UWs) or HERE (http://archive.org/details/Puppy_Linux_puppy.b0x.me_mirror)
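Two points from the posts above lend themselves to a concrete check: dejan555's observation that autostart locations differ between Puppy (/root/Startup) and other desktops, and Moose's point that a dropped file still needs the execute bit set before it runs. The script below is an added example, not code from the thread or from Puppy: it lists the entries of whichever startup directories you name, marks whether each is executable, and reports anything added since a saved baseline, which is how a user without a savefile could confirm that a session left nothing behind. The directory names and the sample files built by the demo are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread or from Puppy): snapshot the contents of
# autostart directories and report entries added since a saved baseline.
# Directory names are assumptions: Puppy uses /root/Startup, other desktops
# use locations such as $HOME/.config/autostart (as the post notes, they differ).

# audit_startup DIR...
# Print one line per entry in each DIR as "<kind> <path>", where kind is
# symlink, dir, exec (execute bit set) or noexec (present but not runnable).
# Dotfiles are included, since they are easy to overlook in a file manager.
audit_startup() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        for f in "$d"/* "$d"/.[!.]*; do
            # an unmatched glob stays literal; skip it, but keep dangling symlinks
            [ -e "$f" ] || [ -L "$f" ] || continue
            if [ -L "$f" ]; then kind=symlink
            elif [ -d "$f" ]; then kind=dir
            elif [ -x "$f" ]; then kind=exec
            else kind=noexec
            fi
            printf '%s %s\n' "$kind" "$f"
        done
    done
}

# snapshot_startup DIR... -> sorted audit, suitable for saving as a baseline file
snapshot_startup() {
    audit_startup "$@" | sort
}

# new_since BASELINE DIR... -> lines present now but absent from BASELINE
new_since() {
    baseline=$1
    shift
    snapshot_startup "$@" | comm -13 "$baseline" -
}

# demo: build a constructed Startup directory, save a baseline, add a hidden
# executable, and show that new_since reports it
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/Startup"
    printf '#!/bin/sh\necho backup\n' > "$tmp/Startup/backup.sh"
    chmod 755 "$tmp/Startup/backup.sh"
    printf 'notes\n' > "$tmp/Startup/README"      # present, but not executable
    snapshot_startup "$tmp/Startup" > "$tmp/baseline"
    echo "baseline:"; cat "$tmp/baseline"
    printf '#!/bin/sh\n' > "$tmp/Startup/.hidden"   # constructed "dropped" file
    chmod 755 "$tmp/Startup/.hidden"
    echo "added since baseline:"; new_since "$tmp/baseline" "$tmp/Startup"
    rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run it with `--demo` to see the constructed walk-through; in real use, save `snapshot_startup /root/Startup > baseline` once from a known-clean boot and run `new_since baseline /root/Startup` after a session. A `noexec` entry is not harmless in itself (a script can still be invoked by an interpreter), but the execute bit is the hurdle Moose refers to, so it is worth showing in the listing.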

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#6 Post by nooby »

Moose OTL wrote:
> Since Linux systems are rarely rebooted,

That is only true for particular users. All of us that sleep in the same room as the computer power off each night and power on each morning. And many power off when doing something else, like taking a walk to buy food or whatever.

I trust that the only reason that Puppy is a bit less often targeted is that they go for where the money is.

Apple machines are usually very expensive machines, so the criminals reason that Apple owners are wealthy enough to be a good catch.

Puppy users using old machines they found in the dumpster: not so practical to get money from them? :)

If you run from CD or DVD, that seems safer than using frugal on NTFS, does it not?

So I am happy you started this thread.

The only thing I worry about now is that those that really got a virus don't bother to report on it in the forum. I hope people would report, but maybe they would feel embarrassed and a lot of "know it alls" would blame them for not being as savvy as the know-it-alls are. "Why did you not set it up like I do?" Well, good you tell that now when it is too late.


I come to think of seaside and his SFS-Exec: use that one and not have any savefile? That way the virus would go away when one powers down and not be there next morning. That would make an attack a one-day wonder, and each time one does banking one uses a one-time boot and then shuts down, and that would make it safer?
I use Google Search on Puppy Forum
not an ideal solution though

Bruce B

#7 Post by Bruce B »

I don't have any malware past or present. From a practical perspective, there is nothing I can do. I don't know what to protect the computer from in the future. If something happens, I'll do as good a postmortem as possible and communicate the details and fix.

~~~
Randy Newman - I Love LA (3:52)
~~~

Sylvander
Posts: 4416
Joined: Mon 15 Dec 2008, 11:06
Location: West Lothian, Scotland, UK

#8 Post by Sylvander »

1. Had something happen recently that may have been malicious.
The FIRST TIME anything suspect has happened in a Puppy OS.
Clicked on a link given in the Puppy forum, to stream a video from the web.
Working within Lupu-525.
Part way through the video strange things began to happen.
Is this due to an exploitable vulnerability with Adobe Flash Player? Since then I've installed the latest update.
-----------------------------------------------------------------------
(a) Optical Drive drawer opened and closed.
Then the filesystem on the live Puppy CD was automounted.
A ROX window then opened and displayed the files on the CD.
(b) I unmounted the Puppy filesystem, closed the ROX window, opened the optical drive drawer, removed the CD.
(c) Multiple attempts were made to access the Puppy files on the now non-accessible Puppy CD.
(d) I closed the session without saving the session.
(e) Discovered that in order to eliminate this nasty, it was necessary to restore a recent backup copy of the lupusave file.
Does that mean it had managed to save itself to the lupusave file that was in use at the time of the original event?
-----------------------------------------------------------------------
(f) I'm rather impressed that my working arrangement of Lupu-525 allowed me to deal effectively with this.
No sign of any problems since then.

Bruce B

#9 Post by Bruce B »

If anyone is interested, this is exactly how Lupu 5.20 identifies itself when running the version of Firefox indicated below.

Remote sites cannot know you are running Puppy

Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15

~

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#10 Post by nooby »

Sylvander, that was a scary thing that happened. I have no CD drive, so I will not notice it that way if it happens on my computer.
I use Google Search on Puppy Forum
not an ideal solution though

Sylvander
Posts: 4416
Joined: Mon 15 Dec 2008, 11:06
Location: West Lothian, Scotland, UK

#11 Post by Sylvander »

One of the advantages of running from a live optical disk rather than an internal HDD for example, is that the contents of the optical disk cannot be altered [so I believe].

Dread to think what would have happened if I was running a "full" install [on an internal HDD].

gcmartin

Correction:

#12 Post by gcmartin »

I stand corrected on the basis of OSX. Sorry for the misrepresentation. OSX is "UNIX-like" (not Linux) might have been a better statement.

See BSD here.

Not to confuse....sorry.

And, very good accurate information is being shared here. I opened this thread not just because of the Apple announcement, but because I had a friend who was testing a PUP version report something similar to @Sylvander. At first, I commented to him, "nah"; but after the announcement, it's got me wondering a little deeper about what can occur and if it has viral behavior .... is it a virus?

We may be on the verge of creating a definition for things that behave like "viruses" in the Puppy Linux community.

Great information is pouring in from this community.

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#13 Post by nooby »

gcmartin, it would be handy to get a bit more details. Which pup version, and during what operation did it happen?

Was he surfing, and did he have Flash player activated and was looking at YouTube or something? Using a tabloid newspaper and some ad that flashed, and then the peculiar behavior did happen?

We need to collect details so we see different part of the patterns.
I use Google Search on Puppy Forum
not an ideal solution though

Lobster
Official Crustacean
Posts: 15522
Joined: Wed 04 May 2005, 06:06
Location: Paradox Realm

#14 Post by Lobster »

Sylvander wrote:
> 1. Had something happen recently that may have been malicious.
> The FIRST TIME anything suspect has happened in a Puppy OS.
> Clicked on a link given in the Puppy forum, to stream a video from the web.
> Working within Lupu-525.
> Part way through the video strange things began to happen.
> Is this due to an exploitable vulnerability with Adobe Flash Player? Since then I've installed the latest update.

At first I thought this must be a Flash hijack.
Flash contains a programming capacity, and it is being targeted by the black hats as it enables them to provide services such as web jacks (moving you to a site they want seen, or displaying a site they wish you to believe is real, perhaps for data-mining):
http://www.spywarevoid.com/how-to-recog ... ue-website

These are known attacks that will operate from a rogue or compromised site
across operating systems. I have seen such behaviour on my Puppy machine. It may have been Flash, it may have been javascript.

However it sounds like Puppy Lucid was trying to do something on your system, possibly run a media player? It would be great if you could tell us the web site or repeat the behaviour. :)
Puppy Raspup 8.2Final 8)
Puppy Links Page http://www.smokey01.com/bruceb/puppy.html :D

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#15 Post by nooby »

Sylvander, when you write this:
> Clicked on a link given in the Puppy forum, to stream a video from the web.

Could it be this thread?

http://murga-linux.com/puppy/viewtopic.php?t=68118
Watching French TV online in FF stopped working (Lucid 525)

That is what I remember now had a link to something that behaved a bit odd. Bert could not see it but I could, but only after some hoops and tricks, so maybe that is the link that goes wrong, and I found the original program and the link maybe goes to something else?

Was it some other link? Would be nice to know which link, so somebody having good knowledge could look if it is still there.



I come to think of the French program about politics and critics?
I don't remember but I was active in that thread.

How far back in time did this happen? Should be able to find it again using the link in my signature. Those who have knowledge in the forum may look through the java code and see if it tries to do things that should not be there?
The guy needed help to test if we could see it.
No, it was not user name oui, but maybe he also wrote in that thread.

But you maybe talk about something else way back in time?
Last edited by nooby on Sat 25 Jun 2011, 07:03, edited 1 time in total.
I use Google Search on Puppy Forum
not an ideal solution though

Moose On The Loose
Posts: 965
Joined: Thu 24 Feb 2011, 14:54

#16 Post by Moose On The Loose »

nooby wrote:
> Moose OTL wrote that
> > Since Linux systems are rarely rebooted,
> That is only true for particular users. All of us that sleep in the same room as the computer power off each night and power on each morning. And many power off when doing something else, like taking a walk to buy food or whatever.

# uptime
 07:12:46 up 14 days, 17:23, load average: 0.26, 0.20, 0.17
# 

I tend to leave mine on. Part of the reason is that I share files off this machine that my wife wants to get to while I am at work. Part is that I just got in the habit (perhaps an admittedly bad one) years back when booting took a long time.

In the heat of the summer, I am more likely to power it down so I don't force the air conditioner to work to cool it.

> I trust that the only reason that Puppy is a bit less often targeted is that they go for where the money is.

There is also the fact that people outright hate Windows. Hate can be a strong motivation.

> Apple machines are usually very expensive machines, so the criminals reason that Apple owners are wealthy enough to be a good catch.

Apple machines are only "expensive", not "very expensive". At the time I bought this machine I paid as much for it as an Apple machine. I got a lot more disk and processor for the price.

> Puppy users using old machines they found in the dumpster: not so practical to get money from them? :)

Not this Puppy user; to some people's point of view I am a rich person using an expensive machine. I don't drive an expensive car, but I do drive one that works very well for the purpose. The desk it is sitting on is very solidly made from wood. My house has earthquake bracing and storm shutters. I use Puppy not because it costs less but rather because, very simply, it is better.

> If you run from CD or DVD, that seems safer than using frugal on NTFS, does it not?

There are no NTFS partitions on this machine. There is one on my wife's. What can I say, I love her dearly, but NTFS, what's up with that!

> So I am happy you started this thread.

I will gladly take the credit, thank you thank you, .. no wait, I didn't start it.

> The only thing I worry about now is that those that really got a virus don't bother to report on it in the forum.

If there are any, please speak up. Think of the black box on an aircraft. They all have them, even though it doesn't save the life of those on the ones that gather the really important information.

Bruce B

#17 Post by Bruce B »

When I start Firefox from the CLI I get this error frequently. The site is blocked in hosts.

The point is: why is Firefox trying to make a secure connection to a text file?

Let alone any connection at all on startup.

FAIL download from https://s3.amazonaws.com/fvd-suite/ad_signs.txt
FAIL DOWNLOAD FROM https://s3.amazonaws.com/fvd-suite/sites.txt


I'll keep this updated as I learn more.

UPDATE

This is the content of one file it is trying to get from the secure connection:

speed.pointroll.com
ad-g.doubleclick.net
naked.com
exoclick.com
pointroll.com
edgesuite.net
mtvnservices.com
gfrevenge.com
71i.de
contentabc.com
telemetryverification.net
nbcuni.com
2mdn.net
filesonic.com
pop6.com
daredorm.com
adrocketmedia.com
moviebox.com
amateurmatch.com



UPDATE

If I block s3.amazonaws.com I get the error message.

If I don't: no error message.

127.0.0.1 s3.amazonaws.com

SOLVED

A Firefox extension is getting the (2) files.

I discovered the site was being contacted earlier by reviewing the log files, but didn't know why it was being contacted, so I blocked it, that's why the error message later.

~
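Bruce's troubleshooting above comes down to two hosts-file questions: is a given name already mapped to 127.0.0.1 (which is what turned the extension's fetch into a "FAIL download" message), and which names from a fetched list like ad_signs.txt are not yet blocked. The script below is an added example, not code from the thread, from Puppy or from the extension: it answers both questions for a hosts-format file without touching the real /etc/hosts, and the demo builds its own constructed sample files. Paths and the sample entries are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread or from Puppy): hosts-file blocklist helpers.
# A hosts-format file maps names to addresses; mapping a name to 127.0.0.1 or
# 0.0.0.0 makes the browser's request fail locally, which is the "FAIL download"
# symptom seen above once s3.amazonaws.com was blocked.

# is_blocked HOST HOSTSFILE
# Exit 0 when HOST appears on a non-comment line whose address is 127.0.0.1 or
# 0.0.0.0; exit 1 otherwise (including when the file is unreadable).
is_blocked() {
    host=$1
    file=$2
    [ -r "$file" ] || return 1
    grep -v '^[[:space:]]*#' "$file" | awk -v h="$host" '
        ($1 == "127.0.0.1" || $1 == "0.0.0.0") {
            for (i = 2; i <= NF; i++) if ($i == h) found = 1
        }
        END { exit !found }'
}

# merge_blocklist LISTFILE HOSTSFILE
# Read one domain per line from LISTFILE (CRLF tolerated; blank and '#' lines
# skipped) and print a hosts-format blocking line for every domain that
# HOSTSFILE does not already block. Output only: HOSTSFILE is never modified,
# so the result can be reviewed before anything is appended.
merge_blocklist() {
    list=$1
    file=$2
    tr -d '\r' < "$list" | while IFS= read -r d; do
        case $d in ''|\#*) continue ;; esac
        if ! is_blocked "$d" "$file"; then
            printf '127.0.0.1 %s\n' "$d"
        fi
    done
}

# demo: run with --demo to exercise the helpers on constructed sample files
demo() {
    tmp=$(mktemp -d)
    # constructed hosts file: localhost plus two existing blocking entries
    printf '127.0.0.1 localhost\n127.0.0.1 s3.amazonaws.com\n# comment\n0.0.0.0 exoclick.com\n' > "$tmp/hosts"
    # constructed domain list in the style of the ad_signs.txt content quoted above
    printf 'speed.pointroll.com\r\nexoclick.com\r\n\r\nnaked.com\n' > "$tmp/list"
    if is_blocked s3.amazonaws.com "$tmp/hosts"; then
        echo "s3.amazonaws.com is blocked: that is why the download fails"
    fi
    echo "lines to append for domains not yet blocked:"
    merge_blocklist "$tmp/list" "$tmp/hosts"
    rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

The separation matters: `merge_blocklist` only prints candidate lines, so a list fetched from a third party is reviewed by a person before it changes name resolution on the machine. Checking for both 127.0.0.1 and 0.0.0.0 keeps it compatible with the two blocking conventions found in hosts files.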

Makoto
Posts: 1665
Joined: Fri 04 Sep 2009, 01:30
Location: Out wandering... maybe.

#18 Post by Makoto »

Create a new user (profile) in Firefox (you can delete the additional user later, if you want). Don't add any extensions. Do the problems persist?

Which version of Firefox are you using? I've heard that's what one or more of the new security/anti-phishing options in Firefox 3 and up does - connect to a remote (non-Mozilla) server to download a list of sites to act upon. You might try turning off the anti-phishing/secure browsing/secure site/whatever options (sorry, I'm not at one of my systems with FF3.6 or 4.01 installed, so I don't remember offhand what all of the options you might want to disable are :oops: ) and see if the behavior continues.
[ Puppy 4.3.1 JP, Frugal install ] * [ XenialPup 7.5, Frugal install ] * [XenialPup 64 7.5, Frugal install] * [ 4GB RAM | 512MB swap ]
In memory of our beloved American Eskimo puppy (1995-2010) and black Lab puppy (1997-2011).

Bruce B

#19 Post by Bruce B »

Makoto,

I'll leave the troubleshooting notes up. At first something didn't appear right. Then after running it down, I found it was OK.

Using Hiawatha I made a duplicate directory and put the files in it. Now Hiawatha will serve the files and give an error code of 200, which means success.

The idea here is pay attention.

For example, how many people pull the urls out of the proprietary flash plugin and block them?

How many people are told not to click on hyperlinks in the flash media?

How many people shut down suspicious pages and popup with Ctrl+F4 or Ctrl+W rather than click the mouse?

There is a lot the user can do to keep his browsing clean.

Bruce

~

Makoto
Posts: 1665
Joined: Fri 04 Sep 2009, 01:30
Location: Out wandering... maybe.

#20 Post by Makoto »

Some of those 'fake antivirus' popups/windows that installed malware on Windows were also designed to trap close attempts (the X button, Alt-F4, etc.) and install the malware anyway. The malware may not have as much of an impact for a Linux system, but it's still a good idea to know that they can, in fact, trap keystrokes like that, if they really want.
Under Puppy, if I get a suspicious window, it's easier just to choose to 'kill' the window, just to be safe. :) (IMHO, of course.)
[ Puppy 4.3.1 JP, Frugal install ] * [ XenialPup 7.5, Frugal install ] * [XenialPup 64 7.5, Frugal install] * [ 4GB RAM | 512MB swap ]
In memory of our beloved American Eskimo puppy (1995-2010) and black Lab puppy (1997-2011).
