Hello All,
In Linux, I am trying to download InfraRecorder from sourceforge, a libre CD/DVD writer for different platforms. The file I want is an exe for the Windows platform. However, when I directly save it to a mounted vfat partition, it is saved as abcd.exe.bin. The .bin is added automatically so it cannot be double clicked and run. When I save it to a Linux partition, it is saved as abcd.exe.
During the day, I was working on a Windows machine in a user's office and when I selected a particular software for download, immediately the system rebooted and, the virus infection being deep, it had to be finally removed with a clean install. At the end of the day I selected another file for download from download dot com, and just as I clicked on the download link, it went into reboot. It was the same infection, but this time I shut down the internet before it booted up again and could restore the system to an earlier date.
I want to know if all these things are connected and whether there is some major infection going around. Sourceforge could be using Linux servers, but I feel too scared to download anything for Windows for a week or two, even if it is libre software.
On Saturday 01 December 2007 22:55, Rony wrote:
I want to know if all these things are connected and whether there is some major infection going around.
It's called antivirus. Welcome to the world of av trashware trashing everything which it cannot identify.
Sourceforge could be using Linux servers, but I feel too scared to download anything for Windows for a week or two, even if it is libre software.
Whoever told you that libre software is going to protect doze machines from themselves? You can't secure anything above the underlying insecure-by-grand-design OS layer. AV and similar software is the finest con game invented. Particularly the concept of "cleaning". Once a machine is infected you don't know what it has changed. Most AV have a # file which can be easily edited. Hence a payload could be anywhere on that machine. In fact in a doze env it could be anywhere in your network! And that includes Linux machines. While the Linux machines will be unaffected, all the doze boxes will be slammed to death.
Besides, sourceforge and similar repos don't care what's on the server. You have to do the verification by checking the sigs. Debian uses md5 hashes in a Release file and gpg for signing the Release file. You can therefore be reasonably sure that what you download is ok. Similar schemes should exist for other distros too.
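As an added illustration of the verification jtd describes (this is example code written for this page, not code from the thread and not Debian's or apt's own tooling): a small POSIX shell script that first checks the gpg signature over a Release file and only then compares a downloaded file's digest against the Release listing. The layout it assumes (a detached Release.gpg, "SHA256:" / "MD5Sum:" sections holding lines of "<digest> <size> <path>", a keyring that already contains the archive key) and all file names are assumptions for the example; the offline demo exercises only the hash step with constructed files, since it generates no keys.

```shell
#!/bin/sh
# Added example, not from the thread: check a download the way apt checks a
# Debian archive: verify the gpg signature over the Release file first, then
# compare the file's digest with the one listed in Release.
# Assumed layout (constructed for this example): a detached signature
# "Release.gpg", a "Release" file whose "SHA256:" / "MD5Sum:" sections hold
# lines of "<digest> <size> <path>", and a keyring holding the archive key.
set -u

# Step 1: the signature is what makes the hashes trustworthy. Returns 0 only
# if gpg verifies the detached signature with a key from the given keyring.
verify_release_sig() {
    keyring="$1"; release="$2"; sig="$3"
    gpg --no-default-keyring --keyring "$keyring" --verify "$sig" "$release" >/dev/null 2>&1
}

# Step 2: look up <path> in the named section of Release and compare digests.
# Prints ok / mismatch / unlisted; returns 0 only for ok.
verify_release_hash() {
    release="$1"; section="$2"; path="$3"; file="$4"
    case "$section" in
        SHA256) tool=sha256sum ;;
        MD5Sum) tool=md5sum ;;
        *) echo "unsupported section: $section" >&2; return 2 ;;
    esac
    # Section bodies are indented; a non-indented "Key:" line ends the section.
    expected=$(awk -v sec="$section:" -v p="$path" '
        $1 == sec { insec = 1; next }
        /^[A-Za-z0-9]+:/ { insec = 0 }
        insec && $3 == p { print $1; exit }' "$release")
    if [ -z "$expected" ]; then
        echo unlisted; return 1
    fi
    actual=$("$tool" "$file" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo ok; return 0
    fi
    echo mismatch; return 1
}

# Both steps in order: an unsigned or badly signed Release tells you nothing,
# so do not bother comparing hashes taken from it.
verify_download() {
    keyring="$1"; release="$2"; sig="$3"; path="$4"; file="$5"
    if ! verify_release_sig "$keyring" "$release" "$sig"; then
        echo "signature check failed; hashes in $release are untrusted" >&2
        return 1
    fi
    verify_release_hash "$release" SHA256 "$path" "$file"
}

# Offline demo of step 2 with constructed files: a "genuine" installer, a
# "trojaned" one, and a Release file that lists only the genuine one.
demo_release_check() {
    dir=$(mktemp -d) || return 2
    mkdir -p "$dir/pool"
    printf 'MZ pretend this is the genuine installer\n' > "$dir/pool/setup.exe"
    printf 'MZ pretend this is a trojaned installer\n'  > "$dir/pool/evil.exe"
    sum=$(sha256sum "$dir/pool/setup.exe" | awk '{ print $1 }')
    size=$(wc -c < "$dir/pool/setup.exe" | tr -d ' ')
    {
        printf 'Origin: constructed\nSuite: example\n'
        printf 'SHA256:\n %s %s pool/setup.exe\n' "$sum" "$size"
    } > "$dir/Release"
    r1=$(verify_release_hash "$dir/Release" SHA256 pool/setup.exe "$dir/pool/setup.exe" || true)
    r2=$(verify_release_hash "$dir/Release" SHA256 pool/setup.exe "$dir/pool/evil.exe"  || true)
    r3=$(verify_release_hash "$dir/Release" SHA256 pool/other.exe "$dir/pool/setup.exe" || true)
    rm -rf "$dir"
    [ "$r1 $r2 $r3" = "ok mismatch unlisted" ]
}

if demo_release_check; then
    echo "demo: genuine=ok, trojaned=mismatch, unlisted=unlisted"
else
    echo "demo: unexpected result" >&2
fi
```

The order of the two steps is the whole point: someone who can replace a file on the mirror can just as easily rewrite the hash list next to it, so a digest compared against an unsigned list only proves the download was not corrupted in transit. Only the signature, made with a key you obtained out of band, ties the list to the distributor; modern Debian Release files carry SHA256 alongside the older MD5Sum section, and the SHA256 section is the one to use.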
jtd wrote:
Besides, sourceforge and similar repos don't care what's on the server. You have to do the verification by checking the sigs. Debian uses md5 hashes in a Release file and gpg for signing the Release file. You can therefore be reasonably sure that what you download is ok. Similar schemes should exist for other distros too.
This virus does not reach the stage of executing after download. As soon as you click on the download link, instead of the file download beginning, the system goes into a reboot. It has got infected. On reboot, it brings in the bigger payload which causes irreversible damage as it reboots every time an admin command is run. If the net is shut off just before the system boots again, the bigger payload is kept away and the system can be restored to an earlier clean period. This is something very recent so I was wondering if there has been some major attack on the web servers.
Why does Linux save a .exe file as .exe.bin in the vfat partition when downloading directly from Firefox? Is that an indication of the attacks or is it normal?
On Dec 2, 2007 8:09 PM, Rony gnulinuxist@gmail.com wrote:
This virus does not reach the stage of executing after download. As soon as you click on the download link, instead of the file download beginning, the system goes into a reboot. It has got infected. On reboot, it brings in the bigger payload which causes irreversible damage as it reboots every time an admin command is run. If the net is shut off just before the system boots again, the bigger payload is kept away and the system can be restored to an earlier clean period. This is something very recent so I was wondering if there has been some major attack on the web servers.
I don't think it's got anything to do with the web servers. I think replacing windows with Linux will solve the problem ;)
Why does Linux save a .exe file as .exe.bin in the vfat partition when downloading directly from Firefox? Is that an indication of the attacks or is it normal?
It's a bug:
https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/77788
Siddhesh Poyarekar wrote:
Why does Linux save a .exe file as .exe.bin in the vfat partition when downloading directly from Firefox? Is that an indication of the attacks or is it normal?
It's a bug:
https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/77788
Hmm.
On Sunday 02 December 2007 20:09, Rony wrote:
jtd wrote:
Besides, sourceforge and similar repos don't care what's on the server. You have to do the verification by checking the sigs. Debian uses md5 hashes in a Release file and gpg for signing the Release file. You can therefore be reasonably sure that what you download is ok. Similar schemes should exist for other distros too.
This virus does not reach the stage of executing after download. As soon as you click on the download link, instead of the file download beginning, the system goes into a reboot. It has got infected.
That IS execution.
On reboot, it brings in the bigger payload which causes irreversible damage as it reboots every time an admin command is run.
That is a very poorly written virus. You want to have control rather than mindlessly rebooting the system, which will only make him paranoid. Maybe it's a side effect of preventing the AV from execution, as AVs require admin privileges.
If the net is shut off just before the system boots again, the bigger payload is kept away and the system can be restored to an earlier clean period.
You are assuming that it is restored. Once infected you have got to format. You just don't know what has been compromised, particularly with closed software, unless you have a previous known good offline disk dump to restore from. With open systems too the task of restoring a compromised system can be a real pain and would be undertaken only for forensic purposes. You are mostly better off reinstalling and patching up before going online.
This is something very recent
It is not, just that this virus has exposed itself.
so I was wondering if there has been some major attack on the web servers.
You are mixing up things. Even if the Linux (or some other OS) server is hosting malware, the servers are not under attack. The server simply stores whatever the user chooses to store and does not care about the intent of a particular piece of code. In fact even perfectly legit software can be trojaned. You therefore never want to install anything from anywhere without undergoing a painful verification process. With Debian sarge you had to do it manually unless you used backported apt and friends. However with etch the process has been automated (and a pain for some things that I do).
BTW Debian servers were compromised too. But instead of hiding under the sheets and issuing stupid PR, a full disclosure was made and the servers taken offline. AFAIR they were offline for a month. There was also the case of some part of the kernel with a deliberately introduced vulnerability. Subsequently several procedures were put in place to permit traceability. No hiding under the sheets here either.
That is what finally makes systems secure: public scrutiny, full disclosure and public contribution. No amount of AV pasted on top of crap is going to change that. Of course the very hard decision to change underlying bad design criteria, which will break all compatibility, will never be taken for doze; its entire edifice is built on that falsehood.
jtd wrote:
On Sunday 02 December 2007 20:09, Rony wrote:
jtd wrote:
Besides, sourceforge and similar repos don't care what's on the server. You have to do the verification by checking the sigs. Debian uses md5 hashes in a Release file and gpg for signing the Release file. You can therefore be reasonably sure that what you download is ok. Similar schemes should exist for other distros too.
This virus does not reach the stage of executing after download. As soon as you click on the download link, instead of the file download beginning, the system goes into a reboot. It has got infected.
That IS execution.
True, but it happens only when clicking on download links for exe files. Otherwise net surfing and Java applications run fine.
On reboot, it brings in the bigger payload which causes irreversible damage as it reboots every time an admin command is run.
That is a very poorly written virus. You want to have control rather than mindlessly rebooting the system, which will only make him paranoid. Maybe it's a side effect of preventing the AV from execution, as AVs require admin privileges.
The AV cannot even detect the virus. 2 different updated ones tried.
If the net is shut off just before the system boots again, the bigger payload is kept away and the system can be restored to an earlier clean period.
You are assuming that it is restored. Once infected you have got to format. You just don't know what has been compromised, particularly with closed software, unless you have a previous known good offline disk dump to restore from. With open systems too the task of restoring a compromised system can be a real pain and would be undertaken only for forensic purposes. You are mostly better off reinstalling and patching up before going online.
The system was formatted and reloaded. Just as I was leaving the place, I clicked on a download link for a software on download dot com and the same thing happened, but this time it could be recovered. The system is clean as I checked it with registry tools. The virus files are lying dormant, unused. Some were removed manually. They may get fully cleaned after a later AV update has its footprint.
This is something very recent
It is not, just that this virus has exposed itself.
Hmm.
That is what finally makes systems secure: public scrutiny, full disclosure and public contribution. No amount of AV pasted on top of crap is going to change that. Of course the very hard decision to change underlying bad design criteria, which will break all compatibility, will never be taken for doze; its entire edifice is built on that falsehood.
Very true.
The Government should make it mandatory for net-based service providers like web portals, share trading sites, banks etc. to make their online services available cross-platform so that subscribers are not forced to use only a particular OS. Those who charge for their online services should be forced to comply under the MRTP act or something similar.
On Dec 3, 2007 10:08 PM, Rony gnulinuxist@gmail.com wrote:
The system was formatted and reloaded. Just as I was leaving the place, I clicked on a download link for a software on download dot com and the same thing happened, but this time it could be recovered. The system is clean as I checked it with registry tools. The virus files are lying dormant, unused. Some were removed manually. They may get fully cleaned after a later AV update has its footprint.
This is something very recent
It is not, just that this virus has exposed itself.
Hmm.
Can an infected proxy server do that?
The Government should make it mandatory for net-based service providers like web portals, share trading sites, banks etc. to make their online services available cross-platform so that subscribers are not forced to use only a particular OS. Those who charge for their online services should be forced to comply under the MRTP act or something similar.
Well said.
On Tuesday 04 December 2007 12:58, Nishit Dave wrote:
On Dec 3, 2007 10:08 PM, Rony gnulinuxist@gmail.com wrote:
The system was formatted and reloaded. Just as I was leaving the place, I clicked on a download link for a software on download dot com and the same thing happened, but this time it could be recovered. The system is clean as I checked it with registry tools. The virus files are lying dormant, unused. Some were removed manually. They may get fully cleaned after a later AV update has its footprint.
This is something very recent
It is not, just that this virus has exposed itself.
Hmm.
Can an infected proxy server do that?
Very much so, if it's serving from cache. The Linux proxy is not "infected" and will suffer no symptoms; it is just a carrier.
jtd wrote:
On Tuesday 04 December 2007 12:58, Nishit Dave wrote:
Can an infected proxy server do that?
Very much so, if it's serving from cache. The Linux proxy is not "infected" and will suffer no symptoms; it is just a carrier.
How do Linux servers get compromised? Someone manages to get admin rights to replace or paste extra (virus) files? Is it still vulnerable?