LinuxPPC Autostart Worm

JD Fant alerted us to an article appearing over at MacInTouch that claims that the new R5 of LinuxPPC was released with a benign worm on it. Apparently it can't spread, but it is there (the page has comments from Jason Haas).

  • "It is a worm, a very well known/common one. However, it infected a CD-ROM it can't get out of. When they mastered the CD-ROM they turned off the autorun flag, which is apparently part of the mechanism of infection."

    They didn't purposely turn off the flag, it is off by default under Linux when burning a MkHybrid CD.

    The worm failed to turn on the Autorun flag, since it doesn't run on Linux, since it is a Mac OS binary.
  • I don't know of a Mac user that doesn't know of the autostart worm. It is easy to let your guard down with the Mac; we are not the target of the crackers who are out to prove themselves or get revenge against the empire. That's one nice thing about being a niche market, sure beats the hell out of worrying every time you boot up.

    What's important is that we were told of its existence. I cannot be critical of the coders, they are human (an assumption), and they have busted butt on this. Remember, this is *not* Micro$oft; they will tell you there is a problem before they have a fix in place.

    Kudos for the LinuxPPC team!
  • Use of the RedHat installer is free. Everything that RedHat writes is GPLed, which means you could use any part of it in any other distro without any fear of RedHat as long as you make the source available and give them credit. I'm not sure why LinuxPPC would put a large RedHat in their release other than maybe to gain some acceptance with the people who think RedHat := Linux.

    Sorry for the Wirth notation; I just took a CS final today and had to write pseudocode in Wirthian style.


    "There is no spoon" - Neo, The Matrix
    "SPOOOOOOOOON!" - The Tick, The Tick
  • It is a worm, a very well known/common one. However, it infected a CD-ROM it can't get out of. When they mastered the CD-ROM they turned off the autorun flag, which is apparently part of the mechanism of infection.
    "There is no spoon" - Neo, The Matrix
    "SPOOOOOOOOON!" - The Tick, The Tick
  • If this is the same autostart worm we got on all of our Macs about 6 months ago, it is a pain to clean up. It propagates using QuickTime. It slows Macs down a lot and crashes them. It also just about killed our NT server with Macintosh shares (at the time we did not have any Linux server). It would cause a pause on all the Macs in the plant every 10 minutes or so. If you watched the little lights on the NT server they would be hammered and it would BSOD more than usual.
    --
    Joshua Curtis
    Lancaster Co. Linux Users Group
  • Huh? You still have finals at this time of the year? I would like to think that you folks in the valley should be working in the fields by now. :-)

    Thanks for your info on the gpl and redhat; I should have known that. Perhaps, it may be that RedHat==Linux, so that LinuxPPC used this to gain acceptance. However, I keep thinking that this was an arrangement so that RedHat would maintain/update their installer for the PowerPC chip. Note: the mac end installer for R5 is entirely different than the RedHat installer. The new LinuxPPC Linux installer is okay, but it doesn't seem to have the same level of fine-tuning control that the RedHat installer has.

    This is a dangerous post as I am still working on this new release. Perhaps I should keep my ignorant mouth shut until I am more informed about this. However, this is /. I'll swallow my pride for more info (this is more like Ask Slashdot).
  • I think it speaks to the power of open source software that this was caught

    Dare I dispute the Awesome Magical Force of OSS and ask how OSS had anything to do with the catching of this worm?

    The virus is a Macintosh virus; it was detected by Macintosh virus detectors. Last time I checked, none of them were in any sort of open-source licensing agreement. I'm sure the people who caught it were using one of the numerous AppleScripts I've seen, or a freeware app, or maybe even something commercial like Virex. But again, not open source stuff AFAIK.

    OSS really has nothing to do with this, guys. I like OSS as much as the next guy, but just because someone caught a Mac virus on a Mac Linux distribution CD doesn't mean we should (as we always seem to do) go running in the streets shouting the praises of OSS.

    But what do I know, I'm just a Mac user.

  • Um, I think you are showing your ignorance here.

    Autostart is a Macintosh-ONLY worm that propagates by taking advantage of the fact that most Macs are set to automatically execute certain 'flagged' applications on a CD when it is inserted into a drive. Autostart is about the only halfway dangerous virus/worm-like activity the Mac platform has had in about 5 years or so (it was a Big Deal on all of the Mac sites a year or so ago).

    Anyhow, since this worm got burnt on the Linux side of things, it is apparently not available on the standard HFS Mac partition - ergo, it cannot run or do any damage. It is dead before it ever had the opportunity to cause damage. This isn't a macro virus, folks, it can't do anything just by being there. It has to execute code like any other self-respecting virus.

    Now, the fact that they didn't notice it for a while may be cause for concern, but it's not exactly that big of a deal. If you make a Linux distribution, how often do you scan for Windows or Mac virii?

    - Darchmare
    - Axis Mutatis, http://www.axismutatis.net
  • I believe it is far more interesting that the R5 spread the word as quickly as they did whereas Microsoft wasn't even going to mention anything about their IIS 5.0 'problem' until they had a fix.

    1. It's IIS 4.0, not 5.0.
    2. The problem with IIS 4.0 is nothing to do with viruses or worms.
    3. Microsoft posted a workaround to all members of its security mailing list about 5 hours ago; NTBugTraq posted the same message shortly afterwards. Every NT sysadmin who's anyone has plugged this hole by now.

    Please stop spreading FUD, it does you a disservice.

    Cheers
    Alastair
  • I realize this is somewhat off topic, but is anyone else having problems installing R5? I've tried both the X installer and the redhat one, and it likes to lock up my system about fifteen percent into installing the packages...is this just me? any help would be greatly appreciated.

  • so, if on a CD there happen to be both open source software and a virus, and you find that virus, that shows something about the power of open source?

  • You'd be running OpenBSD, an OS with total code review. Anyhow, contrary to some of the other comments here, I think that this detracts from the credibility of the open-source movement - and from that of collaborative, loose-knit development processes. This really needs to be kept from happening again if the suits are to take us seriously.

    -lx
  • No MS bug was ever handled as quickly as OSS does its hiccups
  • Actually that first would most likely be considered an exploit.
  • by blukens ( 27693 ) on Tuesday June 15, 1999 @09:08PM (#1848956)
    A few people asked how it can be a worm if it doesn't actually spread.

    First some background: way back when (sometime in '95) Apple introduced a new autostart feature to QuickTime. If you've used Win95 you probably know how this works: you pop in a CD and it automatically launches an application for you.

    According to http://developer.apple.com/qa/qtpc/qtpc12.html, Apple's implementation works like this: the developer puts the autostart application's file name in a magic place in the first few blocks of the drive. When the drive is mounted and the AutoStart feature is enabled (it's a simple check-on, check-off feature) the application launches.

    The Worm is simply an autostart application that copies itself to the startup drive so that it is launched at every boot, and then proceeds to copy itself to every mounted partition (hard drives, Zip drives, network drives, etc.) about every 30 minutes and enables the autostart blocks on those volumes. After infecting the other volumes, it goes about your system overwriting various files with random data.

    Anyway, I believe the LinuxPPC CD contains the AutoStart Worm application but the CD doesn't contain the blocks that actually tell QuickTime to launch it. You also can't accidentally launch it because the file is hidden, meaning you have to use a separate utility, not the Finder, to even see that it's there.

    There are 3 names that the various strains of the Worm use for the autostart application filename. This is what the antivirus software looks for, and what they find.

    Well, that's about all I know on the issue. Perhaps more than any of you wanted, but I find this kind of thing interesting. I am kind of curious why we haven't seen a similar worm taking advantage of the Windows 95 autostart feature...
  • ...excuse me, sir. There appears to be a worm
    in my apple.
  • "You'd be running OpenBSD, an OS with total code review."

    What's that all about??? There's no need to belittle Linux on this thread like that. Especially since:

    1. This is a worm for MacOS, not linux (I am going to use linux but I guess I really mean any Open Source OS, so I'm an OS bigot =).

    2. Any amount of "code review" isn't gonna stop someone from writing a worm. Code reviews will stop people from putting malicious code in the kernel itself, though. And I really don't think that you can say that Linux doesn't have any code review. Besides that, a worm or virus doesn't need to run in kernel space to be effective. (As should be obvious, since we don't have the source to MacOS, so you couldn't put a worm in the kernel, and this is a worm FOR MacOS).

    3. I personally think that comments like yours which promote fighting within the Open Source community are a MUCH bigger problem than a slip-up like this. This worm isn't causing one bit of a problem. Yet all of the flame bait like what you wrote is yet another thread of conversation that can be used against the open source community.

    Just my $0.02

    rhavyn
  • I'm not trying to belittle Linux, I'm just saying that generally, it's not the OS for the most security-conscious people. Not only do the OpenBSD folks review the kernel, they've done quite extensive security audits of the entire system, not that this is particularly relevant to the discussion. It was just a little joking plug. The main thrust of the comment is the part below just the first sentence.

    I did misunderstand that the worm is for MacOS, not Linux (which makes a little more sense :), but mainly what I'm trying to say is that incidents like this look extremely bad, more a lament than a flame. To outsiders (e.g. L.A.M.E.), the looseness of the development process looks more like a security flaw than an advantage.

    It's unfortunate, that's all.

    -lx
  • Like many in the BSD world, you are confused about how Linux operates. NetBSD, FreeBSD, and OpenBSD are distributions, and are therefore properly compared to Debian, Red Hat, or SUSE, not Linux. Different distributions will have better or worse security policies.

    Your claim that this incident is an argument in favor of OpenBSD's "total code review", however, is utter crap: OpenBSD's code review would not necessarily have saved an OpenBSD distributor from making a mistake like this. The bug could have been introduced at the last minute by whoever pressed the CD-ROMs. The worm was not present as source code in the original distribution, so there is nothing to catch by doing a review. And the OpenBSD people are good, but they are not perfect.

    The Linux vendors definitely need to improve their security reviews. However, even with the way it is now, it's far better than what we used to get from commercial Unix vendors (who would typically ship with critical files world-writable, with programs setuid that were never designed that way).

  • Thank God they caught it in time; this would be really embarrassing if it blew up with all the rippin' on Microsoft we've been doing lately =)

    Seriously, though; I think it speaks to the power of open source software that this was caught before it spread too badly...

  • by NII Link ( 45533 )
    It took them so long to get R5 working, and they ship it with a worm? That's gotta hurt.

    Anyway, I hope it was caught before too many people were exposed (although it appears to be dormant).

  • what has this to do with open source??
  • Macintouch also reported that no user has been infected with the strain. The worm was also present on a Marilyn Manson interactive CD, but it was the "dead" form, incapable of spreading, even though it sets Agax and Early Bird off.

    J.
  • by Anonymous Coward on Tuesday June 15, 1999 @04:36PM (#1848965)
    This was posted not long ago
    start"

    Subject: Update on AutoStart bug on R5 discs
    Date: Tue, 15 Jun 1999 15:24:39 -0400
    From: Jason Haas
    Organization:LinuxPPC Inc.
    Newsgroups: comp.os.linux.powerpc

    We have concluded that the AutoStart worm cannot spread from R5 CDs to users. No one has reported being infected by the discs, and several people have reported that having the disc in the machine does not cause their machine to become infected.

    When we burned the master CD, we used the Linux program mkhybrid, and did not activate the auto-start option. We believe this prevents the worm from spreading to new machines from the disc.

    We will have a new pressing of the disc available in about two weeks for users who would like to receive a new, clean copy of the disc.

    Jason Haas,
    LinuxPPC Inc.

    end"

    cheers,
    mitch
  • "It took them so long to get R5 working, and they ship it with a worm? That's gotta hurt."

    I think it helped the Yellow Dog People, but...

    "Anyway, I hope it was caught before too many people were exposed (although it appears to be dormant)."

    It's nothing to lose sleep over. It *can not*, I repeat, *can not* spread or cause problems, since the activator flag on the CD-ROM wasn't activated. (The flag is -autostart=DB; the worm only works if the CD was burned on a Mac OS based machine; since it was burned under LinuxPPC, the autostart flag was off.)

    The worst thing this worm (on the CD) can do is set off antivirus software (all 3 Mac users that own anti-virus software).

    If you are paranoid, turn off "QuickTime CD-ROM AutoStart". *Very* few CDs use this feature, and since the Autostart virus for the Mac OS came out last year, it has been common advice for *all* Mac users to disable this.

    I won't comment on CDs not already shipped, whether they will be repressed or not; according to MacFixIt, with a request they will send you a new CD. (For those really paranoid people, the same group that continues to work on bomb shelters or are building humongous storehouses of Y2K supplies.)

  • Then again, if you've never used the distribution before, or don't use Macs, it might seem novel and worth reporting about. Macintouch pretty much laid it out earlier, however: the worm is dead and harmless.

    It could have also been used as FUD against LinuxPPC.

    J.
  • Since this worm can't spread,
    does this mean it's dead?
  • "Seriously, though; I think it speaks to the power
    of open source software that this was caught before it spread to badly..."

    Umm... I don't think it was caught too soon. This worm has literally been on the CD image since Memorial Day weekend (when the master was made with the worm). They had completely shipped it, and a user discovered this when they plunked the CD in their drive and Virex presented this warning: "Warning: This CD is infected with the AutoStart Virus". Some of the people at LinuxPPC had been using this CD for weeks (Jason claims to have had it mounted in the Mac OS for 3 or so weeks).

    Anyways, the CD was burned in Linux, so that made the virus unspreadable (luckily!). Linux didn't understand the virus when it was being written, so it didn't install the autostart part of the worm. That basically ended the worm's sexuality; it could not spread anymore (take away the autostart part of the autostart virus, and you just have two extra files on the disk). No real biggie.

    I can not believe nobody did an ls on the CD in Linux, at /mnt/cdrom; that would have shown the autostart virus with 2 files called this (the worm):

    DB
    Desktop Spooler

    I guess nobody really thought about it before sending out the CDs.

    Anyways, it's nothing to worry about. The worm is broken due to the Linux CD writing program, so it will not spread.
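    The ls-on-the-mounted-CD check the comment above describes, written out as a small scanner. This is an added example, not code from the thread, from LinuxPPC or from any antivirus product. It assumes the disc is mounted at an ordinary path (on Linux, e.g. /mnt/cdrom) and that the worm's component filenames are the two quoted above, "DB" and "Desktop Spooler"; the thread says there are three names but never gives the third, so WORM_FILENAMES is left for you to extend. It matches filenames case-insensitively because HFS names compare that way. It only looks at names: it does not read the HFS boot block autostart entry or the resource fork, so it tells you the worm's files are present, not whether the disc can launch them.

```python
"""Scan a mounted volume for the filenames the AutoStart worm uses.

Added example (not from the thread, LinuxPPC or any AV vendor). The only
names this page supports are "DB" and "Desktop Spooler"; the third strain
name mentioned in the thread is not given, so extend WORM_FILENAMES yourself.
"""
import os
import tempfile
from pathlib import Path

# Worm component names quoted in the post above (assumption: list is
# incomplete; the thread mentions a third name without stating it).
WORM_FILENAMES = ("DB", "Desktop Spooler")


def scan_volume(mount_point, names=WORM_FILENAMES):
    """Walk `mount_point` and return sorted paths whose basename is a worm name.

    Linux lists HFS "invisible" files like any other, which is why a plain
    ls on the CD would have shown them; this is that check made recursive
    and case-insensitive (HFS filename comparison ignores case).
    """
    wanted = {n.casefold() for n in names}
    hits = []
    for dirpath, _dirnames, filenames in os.walk(mount_point):
        for fn in filenames:
            if fn.casefold() in wanted:
                hits.append(os.path.join(dirpath, fn))
    return sorted(hits)


def infected(mount_point):
    """True if any worm component filename is present on the volume."""
    return bool(scan_volume(mount_point))


def make_sample_volume(base_dir):
    """Create a constructed directory tree imitating the root of the R5 disc.

    Sample data only: the two worm filenames at the root, an innocuous
    README, and a package file in a subdirectory whose name is similar but
    must not match.
    """
    root = Path(base_dir)
    (root / "README").write_text("constructed sample, not the real disc\n")
    (root / "DB").write_bytes(b"\x00" * 16)               # worm component name
    (root / "Desktop Spooler").write_bytes(b"\x00" * 16)  # worm component name
    sub = root / "RedHat"
    sub.mkdir()
    (sub / "dbase.rpm").write_bytes(b"")                   # must not match
    return str(root)


def demo():
    """Build the sample volume, scan it and its clean subdirectory.

    Returns (basenames found at the root scan, hits in the clean subtree).
    """
    with tempfile.TemporaryDirectory() as tmp:
        vol = make_sample_volume(tmp)
        found = [os.path.basename(p) for p in scan_volume(vol)]
        clean = scan_volume(os.path.join(vol, "RedHat"))
        return found, clean


if __name__ == "__main__":
    found, clean = demo()
    print("worm component names found:", found)
    print("hits in clean subtree:", clean)
    # to check a real disc: python scan.py && scan_volume("/mnt/cdrom")
```

    Run it against the mount point of the disc instead of the constructed tree to get the list of offending paths; an empty list from scan_volume means only that none of the known names are present, not that the volume is clean of other strains.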
  • Sorry, but I believe we are talking about two separate things. I am addressing the
    privacy issue that has cropped up with IIS 5.0 as seen on Wired.com. I am aware
    of the security bug that has appeared in IIS 4, and was aware that a fix was
    forthcoming.

    As far as virii versus bugs, if they are included with a shipping product, they are both
    issues with a particular package that need to be addressed. A problem included
    with a piece of software that is being shipped is something that needs to be taken
    seriously by a software manufacturer. I believe that Microsoft's plan of attack where
    this is concerned leaves much to be desired. In the case of the recent IIS 4 security
    hole, even a period of two days can cause a world of damage. If something like this
    appears, it is Microsoft's responsibility to notify sites immediately that this issue
    exists, not wait for a hotfix, which has become so popular.

    I have to remember that when I post something like this to a forum like Slashdot,
    vagueness is not the best trait to have :-).

    As far as this being FUD, I did not know that personal opinion could be considered
    so damaging. It seems that any personal opinion is taken as slander against
    something else. Makes a person afraid to raise a voice......

    As I said, though, this is probably all a misunderstanding.

    Bryan R.
  • "Umm... I don't think it was caught too soon. This worm has literally been on the CD image since Memorial Day Weekend (when the master was made with the worm)."

    That is still a better track record than some corp like Microsoft, or other commercial offerings out there. I believe it is far more interesting that the R5 spread the word as quickly as they did whereas Microsoft wasn't even going to mention anything about their IIS 5.0 'problem' until they had a fix. Who knows when that will be. I guess in Microsoft time, the period of eight months to a year for a bugfix is just a few days after release for the big M.

    My favorite bug right now is the Win98 SE Suspend issue (take a gander at Microsoft's Windows bugfix has own bug [news.com] at News.com). How do you miss something like that?! Or, even better, the problems with Microsoft's Fortran Powerstation before it was sold to Digital. We have a program where I work where the compiled Fortran code was slowly sucking away memory. A call to some dark dank Microsoft dungeon (after getting transferred multiple times to find out the info was deep in one of their newsgroups) was the only way that we could get a bug fix that stopped a terrible memory leak in Fortran. It still is posted where it is not readily available. I guess I could go on and on, but won't.... I think, in terms of shipping out products with some sort of problem, this is pretty tame.

    Bryan R.
  • so, ftp installs are cool, yes? seems a trivial problem to make an issue about..
    wtf is up with option clicks with single button mice under this distro?
    that's the only flakiness complaint i have. otherwise very solid.
  • "I realize this is somewhat off topic, but is anyone else having problems installing R5? I've tried both the X installer and the redhat one, and it likes to lock up my system about fifteen percent into installing the packages...is this just me? any help would be greatly appreciated."

    The most common cause is that the installer doesn't check to make sure that you have enough space on each of your partitions before installing (at least this was the case with R4/4.1 and Yellow Dog 1.0). So it will merrily go on until it runs out of room and then lock up.

    The only solution is to either reduce the software to be installed (you can, for example, turn off many things you most likely won't need, like DNS/named, etc.) or to combine or rearrange your partitions to make enough room. You especially need to make sure that /opt and /usr get enough room if you install a lot of stuff. If you really aren't sure how big to make your partitions, but do know what software you want, just make one big root partition (naturally along with /swap). That's the easiest way to go.

    Check out my website at http://linux.macnews.de/ [macnews.de] for other tips and news about Linux for Macs. It ain't much, but I try. :-)
    click and be happy [surf.to]
  • Autostart 9805-A. I was not too please when a Virex scan gave me this message when I loaded my R5 CD yesterday. I'm almost speechless in describing what I feel about this.

    I don't care if this thing won't spread. It is highly unprofessional to send out a CD with a virus on it (or something that will be flagged by a virus scan). There are also some minor "glitches" with the distro. For instance, in one of the readme files, this instruction is given.

    Where is the old RedHat installer?
    a) Just pass redhat as an arguement to the

    To the ?? If you have used BootX before, you would probably realize that this is a parameter to pass to the kernel arguments. They might also wish to spell argument correctly. Note: I am not blaming these nitpicking mistakes on the original author of the doc. Remember, this is Linux. Have other ppl review the source.

    Nonetheless, I have installed R5 and it looks pretty good. Serious testing starts tomorrow. As a side note: I just realized that I am a totally pathetic (but extremely loyal) Apple/Linux supporter who is willing to overlook glitches. :-)

    I just have one last bitch. I start up LinuxPPC at runlevel 5 and eventually get greeted with the login screen. Off in the upper left hand corner is a fairly obnoxious and rather large RedHat logo. I was wondering, is this the result of some agreement between LinuxPPC and RedHat for the use of the RedHat installer?

    Don't flame me if I made mistakes in spelling or grammar in this post (since I nitpick on this issue). I don't have another pair of eyes reviewing my post.
  • "If this is the same autostart worm we got on all of our macs about 6 months ago. It is a pain to clean up. It propagates using quicktime. I slows macs down alot and crashes them."

    Depends on the strain. From the reports so far, it's the Autostart Worm type "A", the least harmful of them, compared to F, which could overwrite the Desktop Database, making the disks unusable.

    "It also just about killed our nt sever with macintosh shares.(at the time we did not have a any linux server). I would cause a pause on all the macs in the plant every 10 minutes or so. If you watched the little lights on the nt server they would be hammered and it would bsod more that usual."

    Yes, it can cause excess network access.

    Fortunately, this *can not* happen on the version included with LinuxPPC R5, since the CD has Autostart completely disabled (they disabled autostart when burning the CD in LinuxPPC).

    IF you are paranoid, turn off Quicktime Control Panel -> Autostart CD-ROM (The option does little on Macs, besides work for worms).
  • Oi, check the reply up higher - why did everyone react to the BSD part? That's not the part that matters. I don't claim the incident is a point in favor of OpenBSD, that was just an offhand comment - like I said earlier, the main thrust is that I would think this looks rather bad to the suits - it's not very professional. I would think that if I were a rather ignorant businessman instead of a rather ignorant student, that something like this would make me look at Linux in a negative light, although, admittedly, this has happened with commercial products in the past.

    -lx
  • *sigh* Unfortunately, you took me the wrong way. I know that no virus is truly dead because it is relatively trivial to re-activate (e.g. burn a CD-ROM with the autoexecute bit set and this worm present). What I was referring to was the question of if a worm cannot spread, is it a worm? As I was typing my comment, when I finished the `can't spread' bit, I got an attack of poetitis and wound up turning it into a semi-inaccurate rhyme. What I had been intending to finish with was `is it still a worm'.

    I don't like virii either and I take them seriously (though I haven't had to be as paranoid since I left dos/windows behind, though since my home network is no longer behind a firewall, I'll have to up my paranoia again). Actually, I do worry about these things: everything I get from the net always comes as source (yes, I know, not bullet proof) as I have never fully trusted binaries (though djgpp programs are relatively safe, or at least self announcing).

  • "how can it be a worm if it cant spread?"

    It normally spreads from disk to disk via CD-ROM burned under the Mac OS, which the worm.

    But the worm program didn't expect for it to be burned under LinuxPPC (using a program that does MkHybrid and PReP boot blocks). This automatically disabled it, because J. Carr didn't enable the autostart part of the virus.

    Since the worm is an invisible part of the Mac OS (you can not see/copy it from the Finder, and it contains a Resource Fork, so copying from Linux won't work), there is no way even possible that it could be enabled.
