I understand that no Operating System is 100% safe. Although this backdoor is likely only affects certain Linux desktop users, particularly those running unstable Debian or testing builds of Fedora (like versions 40 or 41), **Could this be a sign that antivirus software should be more widely used on Linux desktops? ** ( I know this time is a zero-day attack)
What if, malicious code like this isn’t discovered until after it’s released to the public? For example, imagine it was included in the initial release of Fedora 40 in April. What if other malware is already widespread and affects more than just SSH, unlike this specific case?
My point is,
- Many people believe that Linux desktops don’t require antivirus software.
- Antivirus can at least stop malware once it’s discovered.
- Open-source software is protected by many parties, but a backdoor like this one, which reportedly took 2 years to plan and execute, raises my concern about being more cautious when choosing project code maintainers.
- Linux desktops will likely be targeted by more attacks as they become more popular.
IMO, antivirus does not save stupid people(who blindly disable antivirus // grant root permission) but it does save some lazy people.
OS rely heavily on users practicing caution and up-to-date(both knowledge and the system). While many users don’t follow tech news, they could unknowingly be running (this/any) malware without ever knowing. They might also neglect system updates, despite recommendations from distro maintainers.
This is where antivirus software can be useful. In such cases, users might be somewhat protected once the backdoor signature is added to the antivirus database.
Thankfully, the Linux community and Andres Freund responded quickly to this incident.
No, av would not stop this kind of attack….
ClamAV is used widely though on inbound SFTP shares though in a corporate environment
Nope. In Linux the typical action is to immediately get a fix out ASAP and be done with it.
Plus it’s unlikely that AntiVirus would actually make any difference. Even in Windows many things go undetected. All it does is bog down your system
By the way, all Fedora packages are scanned with ClamAV as part of bodhi tests. Here’s the test matrix where xz 5.6.0 passed the scan, and would have allowed the exploit in for the F40 beta if it wasn’t obsoleted by another build where the vulnerability’s mechanism was disabled because it triggered valgrind failures in other software.
Sure, there’s more sophisticated AV software out there, but at the end of the day, the F40 beta was temporarily saved because of luck, the beta freeze period, and valgrind. The ecosystem as a whole was saved because “Jia Tan” wasn’t aware that making Postgres run slightly slower immediately raises alarm bells.
What? Use a bloatware that consumes a lot of resources, slows down the whole system and increases the attack surface instead of regular updates? Are you kidding?
That’s not how antimalware software works. They can do nothing against backdoors.
I dont think av would help with a backdoor, only things like malware, miners, ect. I feel most people that use linux can figure out not to run lil-uzi_leaked-song.mp3.exe
Music.exe, ahhh the good ol’ limewire days of being too young and novice to not know better.
Antivirus doesnt work. It would need to monitor the whole system all the time, making it like twice as slow. How do you “stop” such a malware? You cant even uninstall xz without borking systemd.
Using SELinux especially for user programs, downloading only from trusted repos, having home non-executable apart from that and using a nonwheel user is the best you can do. Apart from using a hardened base Distro, like Secureblue, QubesOS or Tails.
So, I got malware that seemed to create an hidden proxy or VPN or something when I was online, without me having to install anything. I was on Fedora using Firefox in private mode with Ublock Origin and some script blocker. Ghostery, or Privacy Badger, or something. Fedora has it’s firewall enabled and blocking inbound connections, and SELinux was running. It would occasionally report small things like VLC or Clam AV wanting access to something.
It took me a little bit to realize something was wrong.
I realized it after Google started demanding repeated captcha attempts for everything, I started seeing unsuccessful attempts to sign into my Microsoft account from around the world, and some websites started blocking my IP for abuse. A few times, the blocking page (usually Cloudflare) showed that my public IP was over 240.0.0.0, in the unassigned block. My modem logs showed my machine making outbound connections to these random or impossible IPs at times that roughly lined up with my connection issues.
But if I simply hit refresh on those pages when they blocked me, the websites suddenly returned my correct residential IP address and started working again. I was slow to catch on. Hell, I hadn’t even used my Microsoft account for years, and I assumed Fedora with SELinux would alert me if anything strange was going on. It didn’t. My machine started acting weird, but I couldn’t place my finger on exactly how. I tried tools like Clam AV, or any number of intrusion detection solutions to assuage my growing paranoia. Problem is that they require some knowledge and you have to set them up before things go wrong.
Besides a terminal tool to unhide running processes, which inconsistently returned zero to dozens of unknown short-lived programs with increasingly high PIDs, nothing was detected. I later ran that unhide tool on a live USB of Fedora, and it did the same thing, so I assumed it was a false positive.
Ultimately, it was my fault, I know. I just went on a shady website to watch a TV show. Stupid, but not uncommon. My android phone also started acting strangely around the same time. I assume because I visited the same site to finish some season in bed using Firefox mobile. It’s been replaced entirely now.
But the point is that SELinux didn’t stop anything, I didn’t have to explicitly download or install anything to my machine, and it was some kind of drive-by infection that somehow added my machine to a kind of botnet, I think. Hard to tell just from the various logs I gathered from my machine and modem.
I don’t know what it was doing, but when I finally put all the pieces together, I completely wiped the drive in that machine, including a long dd operation on the drives with /dev/random. Still not sure what I’m going to do with it.
I’m also not sure if the infection was limited to Firefox itself, or if my entire machine was compromised. I may never know for sure.
While I was being stupid, I wasn’t being completely reckless and just running untrusted code from strange places. I watched TV in Firefox’s embedded video player. All it took was going to a website that I found by other people recommending it on social media. I should have known better, but I’m human.
If I can’t even visit a webpage without getting invisible botnet malware that escapes professionally configured tools like SELinux on Fedora, then how are complete newbies, or kids, or grandparents, or “know just enough to be dangerous nerds” (like me) supposed to be safe?
I agree that the user is the single biggest point of failure in security, and should be mindful. But when you’re not installing random Github packages, or turning off your firewall, or enabling SSH, and your machine can still get so easily pwned, what then?
That’s the value of anti-virus software. Yeah, it’s not perfect, but neither is your list of rules to follow. There is no single perfect approach, and people are lazy, impulsive, and sometimes drunkenly want to watch Breaking Bad. I don’t know what the solution is, but outright denying everyday antivirus seems… unwise, I guess?
Even if if takes a month for the vendor to be able to detect it, that’s still protection for anyone who comes after. It doesn’t have to be perfect to make a positive difference.
And, no: For anyone curious, I’m not going into more detail about the website.
In this xz scenario an antivirus wouldn’t do shit. it’s better to find and fix vulnerabilities rather than bog your system down with malware
Realistically, I think vendors will be trying to push their crap using this attack as leverage. They did it with Heartbleed, Shellshock and the Log4j issue. Their software won’t/wouldn’t accomplish anything, just like it didn’t with those issues, but they’re sure as hell gonna try to make it seem like it does.
In the specific case of xz-utils, many lazy people would never have been at risk because the issue is limited to xz-utils 5.6.x (a quite recent version). Not updating provided (unusually) a mitigation in this case.
I think you got the response we all expected you’d get.
I wonder why we don’t hear about open source anti-virus even though I think there are a couple of them out there.
deleted by creator
Real exploiters go bug hunting for zero days. The XZ thing was a humorous clown dancing a jig in a minefield. The clown spent 5 years on the sideline, then stepped on a mine immediately upon entry.
I like your last statement.
I agree that users should take responsibility for their system, I myself learned to fully encrypt my Linux with luks2 and things about secure boot, tpm2 or so.
That’s why I’m making assumption of the need for non-tech savvy users, like most Windows users if they come to Linux world.
I find all this “bog down your system” answers to be a crock of shit. Go run ESET nod32 and put it in interactive mode. Yes, you’ll get a lot of prompts but damn you’ll learn so much about what’s going on in your computer and the networks it’s reaching out to. If you’re on windows run glass wire or OSX run little snitch. I used to know a Linux alternative for those but the point stands that you should have tools that you can use in a desktop setting to really understand what is running, and what it’s connecting to. You should have a program running that can check against a database of hashes of files for signature matches. It seems though like there’s not strong enough AV. And I suspect that’s on purpose so state actors can easily get into our systems in all nations.
If you’re on windows run glass wire or OSX run little snitch. I used to know a Linux alternative for those
Would you happen to know the name of a similar tool for Linux? I was just yesterday searching myself but I couldn’t find anything
Try portmaster it’s open source. It might not be perfect in UI but I believe that’s what I used last time on Linux.
The port of Little Snitch to Linux is called OpenSnitch. I’ve never used Glass Wire, so I have no idea if that’s what you’re looking for.
Thank you! That’s exactly what I was looking for. I am familiar with Little Snitch for macOS, so this looks perfect.
For anyone interested: https://github.com/evilsocket/opensnitch
These are good questions. I hope as a community we can challenge if our assumptions around security are still true without being dogmatic.
