Should desktop users of Ubuntu (and other Linux distros) be concerned about the malware-infection drive described as "Operation Windigo"?
What threat does it pose to us immediately and are there any longer term ramifications?
All of the official Ubuntu repositories (encompassing anything that you can find on archive.ubuntu.com or its mirrors, as well as some others) are entirely curated. This means main, restricted, universe, multiverse, as well as -updates and -security. All packages in there have either come from Debian (and so have been uploaded by a Debian Developer) or have been uploaded by an Ubuntu developer; in both cases the package that is uploaded is authenticated by the gpg signature of the uploader.
You can therefore trust that every package in the official archives has been uploaded by either a Debian or Ubuntu developer. Furthermore, the packages you download can be verified by the gpg signatures on the files in the repository, so you can trust that each package you download has been built on the Ubuntu build farm from the source that was uploaded by an Ubuntu or Debian developer¹.
This makes outright malware unlikely - someone in a position of trust would need to upload it, and the upload would be easily traceable to them.
This leaves the question of more surreptitious nefariousness. Upstream developers could put backdoors into otherwise useful software and these could make it into the archive - in universe or multiverse, depending on the license. People do run security audits of the Debian archive, so if this software became popular it's likely that the backdoor would be discovered.
Packages in main have some extra checking and get more love from the Ubuntu security team.
PPAs have almost none of this. The guarantee you get from a PPA is that the packages you download were built on the Ubuntu build infrastructure, and were uploaded by someone with access to one of the GPG keys of the Launchpad account of the listed uploader. There's no guarantee that the uploader is who they say they are - anyone could make a “Google Chrome PPA”. You need to determine trust in some other way for PPAs.
¹: This chain of trust could be broken by an extensive intrusion into the Ubuntu infrastructure, but that's true of any system. The compromise of a developer's gpg key would also allow a black-hat to upload packages to the archive, but since the archive emails the uploader of each package this should be noticed quickly.
Maybe it isn't designed to run in background.
Yes, it is. The wiki shows methods running it as a daemon and as a scanner:
Run ClamAV as a Daemon
Install clamav-daemon. You can then use clamdscan where you would previously have used clamscan. Lots of programs, especially e-mail servers, can connect to a ClamAV daemon. This speeds up virus scanning as the program is always in memory.
The clamav-daemon package creates a 'clamav' user; in order to allow ClamAV to scan system files, such as your mail spool, you can add clamav to the group that owns the files.
Let ClamAV listen for Incoming Scans
There are cases where you may want ClamAV daemon to act as a scanner for other systems, so you don't have to run everything locally on the system.
To do this, you simply have to modify the clamd.conf file and add TCPSocket PORTNUMBER and TCPAddr IPADDRESS arguments to the clamd.conf file and reload the daemon. The daemon will then accept connections to it via the IP address and Port combination you specify.
I just want good protection for my system.
Linux is fundamentally different from Windows so we did not inherit the problems Windows (still) faces. Our system has been set up as a multi-user system: more than 1 user at the same time is expected to use it. This means we have a security model built into our system since some users are not expected to see all the content or be able to do what they want on our systems. That also hinders malware from abusing your system.
Yes, it does not make Linux invulnerable. But as long as it is easier to infect millions of Windows systems than to infect 1 Linux machine we win. Only if your machine is targeted specifically (when you run a game server for instance) do you need to take precautions. But those are: create regular backups, use a good password, use a router, keep an eye on the CVE tracker, keep your system up to date and don't install software you do not need. All things you should do anyway.
Yes (1st part: as a system admin for 30+ systems I have examined several virus scanners and root kit detectors and also made an assessment about threat risks when not using one) and no (2nd part). But the no is not because ClamAV is so good: it is as bad as any other virus scanner. Virus scanners all have such a low success rate that they are useless. When nearly 100% of what it claims to be a virus is false, I can't use it.
See for instance the "signatures.pdf" in the "doc" dir of ClamAV on how to upload extra virus signatures.
But this is only useful when you actually find a virus as the 1st person. The virus definition file gets updates pretty regularly so I doubt there is anything to improve.
This is a question on its own and has also no relation to virus scanners.
Important:
The protection of your system does not come from anti-virus software; it comes from how you treat your system. If you ever do find a virus you are too late: removing a virus is not enough as your system has been compromised and needs to be re-installed from a proven clean backup. You always have to assume they got your admin password.
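As an added example (not from the answer or the ClamAV project), a small Python client for a daemon that has been configured with the TCPAddr and TCPSocket settings the quoted wiki section describes. The host and port are constructed assumptions; the message framing follows clamd's documented INSTREAM protocol.

```python
import socket
import struct
from typing import Optional, Tuple

# Assumed to match a clamd.conf containing "TCPAddr 127.0.0.1" and "TCPSocket 3310"
# (constructed values for this example; 3310 is only the conventional port).
CLAMD_HOST = "127.0.0.1"
CLAMD_PORT = 3310


def build_instream_frames(data: bytes, chunk_size: int = 4096) -> bytes:
    """Encode data as a clamd zINSTREAM request: the NUL-terminated command,
    then chunks prefixed with a 4-byte big-endian length, then a zero-length
    chunk that tells the daemon the stream is complete."""
    frames = [b"zINSTREAM\0"]
    for offset in range(0, len(data), chunk_size):
        chunk = data[offset:offset + chunk_size]
        frames.append(struct.pack("!I", len(chunk)) + chunk)
    frames.append(struct.pack("!I", 0))
    return b"".join(frames)


def parse_clamd_reply(reply: bytes) -> Tuple[str, Optional[str]]:
    """Turn a NUL-terminated reply such as "stream: OK" or
    "stream: <SignatureName> FOUND" into (verdict, signature_name)."""
    text = reply.rstrip(b"\0").decode("utf-8", "replace").strip()
    _, _, result = text.partition(": ")
    if result == "OK":
        return "OK", None
    if result.endswith(" FOUND"):
        return "FOUND", result[:-len(" FOUND")]
    return "ERROR", text  # e.g. stream size limit exceeded or malformed request


def scan_bytes(data: bytes, host: str = CLAMD_HOST, port: int = CLAMD_PORT,
               timeout: float = 30.0) -> Tuple[str, Optional[str]]:
    """Send data to the remote clamd over TCP and return the parsed verdict."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_instream_frames(data))
        reply = b""
        while not reply.endswith(b"\0"):
            part = sock.recv(4096)
            if not part:  # daemon closed the connection before a full reply
                break
            reply += part
    return parse_clamd_reply(reply)


if __name__ == "__main__":
    with open(__file__, "rb") as fh:  # submit this script's own source as a harmless sample
        print(scan_bytes(fh.read()))
```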
Best Answer
Just reread the question. If you're on an install without SSH or your SSH server is not available online (eg it is blocked by a NAT router, et al), you have nothing to fear from this news. The whole attack requires SSH.
Additionally, if you're not running a webserver (and by extension you're not on an awesome internet connection), it seems unlikely —though, and importantly, not impossible— that Windigo is going to bother you, even if you do have an exposed SSH server.
That's not to say you're free from any risk. There is other malware and there will be even more as time goes on and Ubuntu gains users. It's also stupidly easy to manipulate people. I had a little rant a few years ago: Linux isn't invulnerable. Don't say it is.
Anyway, if you're still reading, I'm going to assume you're running a SSH server on the internet.
The ESET post and PDF writeup on "Operation Windigo" should tell you everything you need in order to tell if you're at risk or are currently infected. They have sample code that can be copied out and run to test your system.
The whole thing is certainly worth a read but this isn't the security apocalypse some might suggest. The primary route by which these servers became infected was human idiocy:
So for all the fanfare, this is a very basic infection technique. They're either cracking passwords (dictionary-attacks most likely) or they're stealing SSH keys off client computers, backups, etc. I'd like to think it's the first.
There is nothing clever or new about this. Everybody running a SSH server faces those risks and they're really easy to protect against. Just practise basic SSH security and you'll be fine: use password protected keys and not passwords, run sshd on a high port, fail2ban, no root user. If you ignore these basics and run a SSH server where you're allowing root logins with a password, you'll get hacked.
And just because this wasn't an exploit-based infection doesn't mean the next one won't be. Staying up to date with security-release packages is vital. Make it automatic. Making sure your PHP (et al) scripts are updated is vital, subscribe to your authors' RSS feeds.
The significance of Windigo is the sophistication and portability of the rootkit that gets installed on the servers. There is network resilience through dynamic DNS, not static IPs, multiple httpd configurations to maximise success rates, the lack of dependencies in this whole stack that makes it almost certain to run in all scenarios (even on ARM)... and by all accounts the payloads (the spam, and infection kits for client computers) are very effective. 1% success is epic when you're talking about 500K a day.
The "this is happening on Linux so Linux is insecure" inference I can see in some quarters is nonsense. This could happen on any platform and frankly, it already does. What is special here is that this has been pulled together by competent developers. Thankfully the ingress point is pretty much as simple as a burglar finding the spare key under the doormat.
The Too Long; Didn't Read version...
It seems the hacked servers were run by idiots with weak security but don't be complacent. Check to see if your servers are infected and check to see you're not making the same stupid mistakes as the people who are currently infected.
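An added example, not part of the answer: a Python check for the sshd_config mistakes the answer lists (password logins, root logins, the default port). The sample configs are constructed, and the defaults applied for absent keywords are assumed from current OpenSSH.

```python
from typing import Dict, List

# Constructed sample configs (not taken from any real host): the first is what
# the answer warns against, the second applies its advice.
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""
HARDENED_SSHD_CONFIG = """\
Port 2222
PermitRootLogin no
PasswordAuthentication no
"""
# Values sshd uses when a keyword is absent (assumed from current OpenSSH
# defaults; older releases defaulted PermitRootLogin to "yes").
DEFAULTS = {"port": "22", "permitrootlogin": "prohibit-password",
            "passwordauthentication": "yes"}


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Effective global value of each keyword: sshd keeps the first occurrence,
    so duplicates are ignored, and settings after a Match block are conditional,
    so parsing stops there."""
    configured: Dict[str, str] = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)  # drop comments, split keyword/value
        if len(parts) != 2:
            continue
        key = parts[0].lower()
        if key == "match":
            break
        configured.setdefault(key, parts[1].strip())
    return {**DEFAULTS, **configured}


def audit_sshd_config(text: str) -> List[str]:
    """Return the weak settings the answer calls out (empty list means none)."""
    cfg = parse_sshd_config(text)
    findings = []
    if cfg["permitrootlogin"] != "no":
        findings.append("PermitRootLogin is %r; set it to 'no'" % cfg["permitrootlogin"])
    if cfg["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is %r; allow key-based logins only"
                        % cfg["passwordauthentication"])
    if cfg["port"] == "22":
        findings.append("Port is 22; move sshd to a high, non-default port")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, audit_sshd_config(text) or ["no findings"])
```

On a live host, `sshd -T` prints the effective configuration in the same keyword/value form and can be fed to audit_sshd_config instead of the file.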