Infected Files Found on Mozilla Site (Korean Linux binaries infected - oh, my!)
Viruslist.com | September 20, 2005 | Viruslist.com
Posted on 09/21/2005 7:57:22 AM PDT by general_re
Infected binary or source code files aren't anything new. And sometimes they are found on public servers. Mozilla.org is the latest example. Korean distributives for Mozilla and Thunderbird for Linux turned out to be infected - mozilla-installer-bin from mozilla-1.7.6.ko-KR.linux-i686.installer.tar.gz and mozilla-xremote-client from thunderbird-1.0.2.tar.gz were infected with Virus.Linux.RST.b.
This virus searches for executable ELF files in the current and /bin directories and infects them. When infecting files, it writes itself to the middle of the file, at the end of a section of code, which pushes the other sections lower down. It also contains a backdoor, which downloads scripts from another site, and executes them, using a standard shell.
The infected files have now been removed, but it took some time. And this isn't the first time that infected binary or source code files have been placed on public servers. Yet another example of why you should have an up to date antivirus solution, and scan EVERYTHING you download, without exception.
TOPICS: Business/Economy; Crime/Corruption; Culture/Society; Miscellaneous; News/Current Events; Technical
KEYWORDS: linosandtigersohmy; linux; lionsandtigersohmy; mozilla; opensource; thunderbird; virus
Per Slapdash. I predict great fun from this, so none of that reasoned discourse nonsense from you people ;)
To: ShadowAce
2 posted on 09/21/2005 8:00:26 AM PDT by general_re
("Frantic orthodoxy is never rooted in faith, but in doubt." - Reinhold Niebuhr)
To: general_re
Right after the Linux manifesivos stuck foot in mouth over Symantec's study!
3 posted on 09/21/2005 8:00:27 AM PDT by Dan Nunn
To: general_re
A tripwire daemon would catch the changed size of the executables, right?
To: general_re
CP/M - The only way to go.
5 posted on 09/21/2005 8:03:56 AM PDT by Tennessee_Bob
("Nac Mac Feegle! The Wee Free Men! Nae king! Nae quin! Nae laird! We willna be fooled again!")
To: general_re
This is as I predicted here on FR last year (and got thoroughly trashed as being a complete ignoramus). I love Firefox. I'm using it right now, but Mozilla used to benefit from its relative anonymity. Why go after it when you could screw up the day of millions of Windows users?
Well, boys and girls, success has now made Mozilla a target....
6 posted on 09/21/2005 8:04:27 AM PDT by freebilly
(Go USF Baseball!)
To: proxy_user
I'm not sure how it would do so. On the client end, how does your machine know the proper filesize the first time it's downloaded? On the server end, how does the server know the proper filesize the first time it's uploaded?
After that, if the file is modified, then a Tripwire-type solution should catch it, I would think. In the meantime, everyone's checking those MD5 sums, right?
7 posted on 09/21/2005 8:04:29 AM PDT by general_re
("Frantic orthodoxy is never rooted in faith, but in doubt." - Reinhold Niebuhr)
To: Tennessee_Bob
CP/M - The only way to go.
There's probably only about ten people on FR that get that statement!.............LOL!!!!.....
8 posted on 09/21/2005 8:07:55 AM PDT by Red Badger
(I was born in poverty. I didn't like it, so I left.............)
To: Tennessee_Bob; Red Badger
I am having vaguely queasy memories of ddt... ;)
9 posted on 09/21/2005 8:10:27 AM PDT by general_re
("Frantic orthodoxy is never rooted in faith, but in doubt." - Reinhold Niebuhr)
To: freebilly
Well, boys and girls, success has now made Mozilla a target....
You're right - eventually Mozilla will be more of a target, but in this case, technically, this is not a Mozilla exploit, it's a Linux virus which happens to have infected Mozilla install files, probably because the download server is running Linux and got infected.
10 posted on 09/21/2005 8:13:24 AM PDT by fr_freak
To: Tennessee_Bob
Yup. Time to dust off the old Kaypro and get back to REAL computing, eh?
11 posted on 09/21/2005 8:14:08 AM PDT by MineralMan
(godless atheist)
To: Tennessee_Bob
CP/M - The only way to go.
Long Live the 8-inch Floppy!
You know, I really don't trust those double-sided, double density discs ...
12 posted on 09/21/2005 8:15:48 AM PDT by ArrogantBustard
(Western Civilisation is aborting, buggering, and contracepting itself out of existence.)
To: MineralMan
Started in CP/M on my old Commodore 128. Back in the day of the true power machine.
13 posted on 09/21/2005 8:20:47 AM PDT by Tennessee_Bob
("Nac Mac Feegle! The Wee Free Men! Nae king! Nae quin! Nae laird! We willna be fooled again!")
To: ArrogantBustard
You know, I really don't trust those double-sided, double density discs ...
You gotta be careful with them as data could bleed through from the other side.
I never had to deal with viruses when I programmed on my breadboard.
14 posted on 09/21/2005 8:26:20 AM PDT by Sensei Ern
(Christian, Comedian, Husband,Opa, Dog Owner, former Cat Co-dweller, and all around good guy.)
To: general_re
To: Sensei Ern
"You gotta be careful with them as data could bleed through from the other side."
Especially if you used a hole-puncher to turn a single-sided disc into a double-sided one.
16 posted on 09/21/2005 8:31:08 AM PDT by Moral Hazard
("Now therefore kill every male among the little ones" - Numbers 31:17)
To: general_re
Yet another example of why you should have an up to date antivirus solution, and scan EVERYTHING you download, without exception.
Another important step is get the package signatures (MD5, SHA, PGP, etc) from a different service and compare to the signature of the downloaded package. Some folks download the source and compile to produce just the signatures as a public service.
I don't see this mentioned anywhere on the mozilla page, btw. However it's mentioned in the developer side. Other open source binaries (e.g. Apache, OpenOffice, etc) usually are distributed with signatures.
17 posted on 09/21/2005 8:34:07 AM PDT by no-s
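An added example (not code from the thread, Viruslist or Mozilla) of the two checks raised in posts 4, 7 and 17: a first-seen download has no local baseline, so it is compared against digests obtained from independent sources, and afterwards a Tripwire-style snapshot flags changes, including same-size modifications that a size check alone would miss. Function names and the sample bytes are constructed for illustration.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

def sha256_file(path, chunk=1 << 16):
    """Hash in chunks so large installers are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_download(path, published):
    """No local baseline yet: compare against independently obtained SHA-256
    digests (dict: source name -> hex digest). All sources must agree."""
    wanted = {d.strip().lower() for d in published.values()}
    if len(wanted) != 1:
        return False, "sources missing or disagree"
    if not hmac.compare_digest(sha256_file(path), wanted.pop()):
        return False, "file does not match published digest"
    return True, "match"

def snapshot(directory):
    """Tripwire-style baseline: file name -> (size, sha256)."""
    return {p.name: (p.stat().st_size, sha256_file(p))
            for p in sorted(Path(directory).iterdir()) if p.is_file()}

def changed(baseline, current):
    """Files that were added, removed, or differ in size or hash."""
    report = {}
    for name in sorted(baseline.keys() | current.keys()):
        old, new = baseline.get(name), current.get(name)
        if old is None or new is None:
            report[name] = "added" if old is None else "removed"
        elif old != new:
            report[name] = "size+hash" if old[0] != new[0] else "hash only"
    return report

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        tool = Path(d, "tool")                     # constructed sample, not a real binary
        tool.write_bytes(b"\x7fELF" + b"A" * 64)
        base = snapshot(d)
        tool.write_bytes(b"\x7fELF" + b"B" * 64)   # same size, different content
        print(changed(base, snapshot(d)))
```

The baseline itself has to be stored where a compromised host cannot rewrite it, otherwise the comparison proves nothing.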
To: fr_freak; freebilly
probably because the download server is running Linux and got infected.
yah, good point. Furthermore:
http://mozilla.or.kr/
This is not official site of Mozilla Foundation and maintained by volunteers of by Mozilla Korean Community.
18 posted on 09/21/2005 8:39:29 AM PDT by no-s
To: general_re
Sometimes, it's important to dig a little deeper. In this case, it was not mozilla.org that had the infected binaries, but rather a Mozilla fan site in Korea. This should not need repeating, but it's probably not safe to download programs from arbitrary servers on the Internet.
You can continue to safely download files from mozilla.org
19 posted on 09/21/2005 8:41:55 AM PDT by duckhead
To: duckhead
Yes, the writeup was not clear on that point.
20 posted on 09/21/2005 8:50:18 AM PDT by general_re
("Frantic orthodoxy is never rooted in faith, but in doubt." - Reinhold Niebuhr)