Linux malware festering since 2009: reviewing the impact
Posted by Ed in Analysis on Jun 14, 2010
Apparently the folks who maintain UnrealIRC [it's an IRC server - Internet Relay Chat - for gabbing it up with your friends] have just discovered that remote control software has been included in the distribution since 2009, and nobody noticed until now. Whoops. Apparently the infected software also got picked up by at least one major distribution for inclusion in the default package sets. Double-whoops.
So, it’s a Trojan that sits there and lets as-yet-unidentified bad guys transmit commands to servers running the daemon – those commands get executed in the context of the user running the server. If you want the technical nitty-gritty, you’ll find it here, but the mechanics of it really aren’t all that interesting.
What is interesting to me is the impact. Some folks are suggesting that a false sense of security resulting from using Linux caused it to run undetected for so long. I’m not sure I entirely agree – I think there are a few factors that contribute to this situation being worse than a malware event on other platforms.
Why? Well, first of all, because some folks have advocated that anti-malware software is completely unnecessary in a Linux usage scenario. If you subscribe to this view fully, you’re relying on the ability of the user to configure and run the platform appropriately – i.e. in a secure fashion. But when you’re also encouraging the platform as a viable desktop alternative, you have to understand that there are going to be folks who aren’t tech savvy who are going to run it. In my opinion, it is irresponsible to on the one hand put technically non-savvy users at the helm and on the other hand tell them not to worry about malware. It sets them up to fail should something like this occur.
Secondly, as we talked about last week, just because there are “more [potential] eyes on the code” in an open-source scenario doesn’t mean that someone is actually looking at that code and auditing it. So, some interesting food for thought here. I think there are some lessons to be learned about the true nature of malware on the Linux platform. It’s true that malware authors target it less – but the lack of preparedness that comes about from users not being used to dealing with this type of issue is something that I think we need to learn from.