The other day, we discussed a little bit the recent issue discovered in the the UnrealIRCd server where someone had compromised the source distribution to insert a nasty rootkit.  It’s an interesting event, and there’s still plenty of shakeup about it.

This morning, I came across someone asking the question of how much more of this type of activity might be out there that we just haven’t found yet.  A good question, if a bit scary to consider.   It comes down to something I’ve thought for a while now, which is: if you crowdsource a process, you have to weigh very carefully the impact of what happens if the crowd doesn’t respond.  In the case of collaborative development – such as an open source project – when you crowdsource security audit of the code, you have to also consider what happens if the crowd doesn’t deliver.

It’s a useful question to consider – I don’t mean to be a FUDmonger about this, but I think there could be more of these on the horizon.  I guess time will tell.

Apparently the folks who maintain the UnrealIRC [it's an IRC server - Internet Relay Chat - for gabbing it up with your friends] just noticed that they’ve had remote control software included in the distribution since 2009 and didn’t notice until just now.  Whoops.Apparently the infected software got picked up by at least one major distribution for inclusion in the default package sets.  Double-whoops.

So, it’s a Trojan that sits there and lets as-yet-unidentified bad guys transmit commands to servers running the daemon – those commands get executed in the context of the user running the server.  If you want the technical nitty-gritty, you’ll find it here, but the mechanics of it really aren’t really all that interesting.

What is interesting to me is the impact.   Some folks are suggesting that a false sense of security resulting from using Linux caused it to run undetected for so long.   I’m not sure I entirely agree – I think there are a few factors that contribute to this situation being worse than a malware event on other platforms.

Why?  Well, first of all, because some folks have advocated that anti-malware software is completely unnecessary in a Linux usage scenario.  If you subscribe to this view fully, you’re relying on the ability of the user to appropriately configure and run the platform appropriately – i.e. in a secure fashion.  But when you’re also encouraging the platform as a viable desktop alternative, you have to  understand that there are going to be folks who aren’t tech savvy who are going to run it.  In my opinion, it is irresponsible to on the one hand put technically non-savvy users at the helm and on the other hand tell them not to worry about malware.  It sets them up to fail should something like this occur.

Secondly, as we talked about last week, just because there are “more [potential] eyes on the code” in an opensource scenario, doesn’t mean that someone is actually looking at that code and auditing it.  So, some interesting food for thought here.  There are some lessons to be learned I think about the true nature of malware on the Linux platform.  It’s true that malware authors target it less – but the lack of preparedness that comes about from users not being used to dealing with this type of issue is something that I think we need to learn from.

A recently discovered piece of malware that infects both Windows and Linux systems has been analyzed by Kaspersky. The media is all fired up about this, giving it international coverage and even inspiring commentary from SANS.

Given the attention, it begs the question, “how likely is it that a cross-platform worm or virus will actually survive and prosper?” Despite what some other folks are saying, I think it’s pretty unlikely. Why is that, you ask? Because a tremendous number of folks outside of the virus-writing world are working on maximizing portability and to-date we don’t have native code that runs on multiple platforms. That’s why we have Java, .NET, and virtualization. Trying to do anything other than very simple tasks increases the overhead requried for portability tremendously. This particular piece of malware, for example, is extremely rudimentary – it manipulates files to replicate and it relies only on the most basic of operating system services. Trying to do anything more complex: opening a socket, embedding itself in the OS, stealth techniques, etc. are all orders of magnitude more complex than basic file manipulation.

So, my advice is not to panic about this. Not that cross-platform malware can’t be created (it can – take the iis/sadmind worm), but it’s unlikely that this proof-of-concept heralds a new breed of malware as some sources are saying.

This article from BetaDot came across my inbox this morning. When I saw the title, “Linux Vs. Windows Security: How About The Truth?”, I was very interested. I think there’s an opportunity here for someone to “crack the nut open.” There are two camps out there: the “Linux is more secure” and the “Windows is more secure.” Both are vocal, both have “independent analysis” to back their position (both paid and unpaid,) and both have reasoned and considered arguments. I, for one, would like to see a definitive analysis on this topic. This article is not it.

This article claims to be about “the truth”, but the content doesn’t live up. In short, we don’t have any “truth” – just opinion. There’s no case built describing why one security model is better than the other, no facts, no tests, no analysis. Take this paragraph for example:

The general design of Linux gives it an inherited security boost. Where Windows looks like it was a little hacked together, a bunch of different ideas stacked on top of each other in attempt to make something that