On Tue, 17 Feb 2009 07:30:55 am Paul Crawford wrote:
> I just tried saving a suspect file of the avi.exe sort to see how
> it behaved under LINUX using Pan 0.132 and I found it used '755'
> permission settings thus rendering it (theoretically, at least)
> executable.

Oh boy. I've just confirmed this in the wild:

    Newsgroups: alt.binaries.howard-stern
    Subject: Re: REQ Repost Amelie video. - Private-Amelie-14-27.avi [1/1]
    Date: Fri, 13 Feb 2009 18:41:22 -0000
    Message-ID: <mpg.23ffce20e57626ba98a...@news.giganews.com>

This contains a trojan "Private-Amelie-14-27.avi.exe" which is saved as executable under Linux using Pan 0.132. In contrast, other attachments (e.g. JPEGs) are saved as non-executable.

Under Linux, files are created with default permission 644, which is non-executable. This *strongly* suggests that Pan is deliberately setting the executable bit on exe files (and others?).

Now, it's true that Windows executables are *mostly* harmless on Linux. I say "mostly" because:

* There are rare viruses which will execute under both Linux and Windows. E.g. the Simile/Etap virus, which infects both Portable Executable (Windows) and 32bit ELF files (Linux) applications.

* Some people do run Wine, and have exe files configured to run in Wine on a double-click. Wine is good enough at emulating Windows that it can run viruses and trojans.

> OK, I know this is a Windows virus file, but it seems very bad
> practice as no doubt someone could post a shell script of malicious
> program for LINUX as well.

Absolutely.

> Should it not default to '644' under *all* cases, and at least
> force the user to use chmod if they REALLY do want to execute some
> downloaded attachment?

Yes yes oh gods yes!

If I'm right that Pan is specifically setting the executable permission based on the file name, and I can't imagine how it could not be, I have to ask: what on earth was Charles thinking?

> Thinking here of my non-tech family who now enjoy the relative lack
> of software threats by "embracing the penguin"...

It's not just non-techs, it's techs too. After using KDE for something like six or seven years, I was horrified to discover that double-clicking a script *executed* the script instead of opening it in an editor...
and executed it in the root of my home directory instead of the directory it was in, thus maximising the damage it did when it ran. (At least Gnome *asks* whether you want to open or launch executable scripts.)

In six years, I had never double-clicked an executable script, and the first time I did, I lost data. I can't even say I'll never do it again, because I write a lot of executable Python scripts, and I edit them from the GUI but execute them from the command-line. I'm sure it will happen again eventually, because I'm only human.

And honestly, any tech using a GUI is eventually going to be faced with a filename like (say) "Battlestar.Galactica.S02E19.A.Really.Long.Episode.Name.EZTV.DVDRIP.blah.blah.blah.blah.avi exe" and double-click it without noticing the .exe part. It's easy to do.

There's a reason why Unix and Linux default to making files non-executable and requiring people to explicitly make them executable. What Pan does, by accident or design, is a shockingly bad thing. It's introducing typical Windows-like insecurity into Linux.

(Pan is hardly the only culprit. KDE and Gnome have introduced launchers that don't need to be executable to execute. Foolish foolish foolish.)

--
Steven D'Aprano

_______________________________________________
Pan-users mailing list
Pan-users@nongnu.org
http://lists.nongnu.org/mailman/listinfo/pan-users
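
The behaviour asked for in the message above (644 in all cases, whatever the file name), as an added example that is not part of the original post and is not Pan's code: a C save routine that requests mode 0666 so the usual 022 umask yields 0644, and never looks at the extension. The function names, the sample path passed to `demo_mode` and the payload bytes are assumptions made for illustration.

```c
/* Added example, not Pan's code: save an attachment without execute bits. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

/* Write len bytes to a new file at path; 0 on success, -1 on error.
 * Mode 0666 minus the umask is used; the file name never affects the mode. */
int save_attachment(const char *path, const void *data, size_t len)
{
    /* O_CREAT|O_EXCL refuses an existing file and a symlink at path. */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0666);
    if (fd < 0)
        return -1;
    const char *p = data;
    while (len > 0) {
        ssize_t n = write(fd, p, len);
        if (n < 0) {
            close(fd);
            unlink(path);          /* do not leave a partial file behind */
            return -1;
        }
        p += n;
        len -= (size_t)n;
    }
    return close(fd);
}

/* Return the permission bits of path, or -1 if it cannot be examined. */
int file_mode(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return -1;
    return (int)(st.st_mode & 07777);
}

/* Constructed demo: save a fake ".avi.exe" under umask 022, return its mode. */
int demo_mode(const char *path)
{
    static const char payload[] = "MZ constructed sample bytes";
    mode_t old = umask(022);
    unlink(path);                  /* clear a leftover from an earlier run */
    int rc = save_attachment(path, payload, sizeof payload - 1);
    umask(old);
    int mode = (rc == 0) ? file_mode(path) : -1;
    unlink(path);
    return mode;
}
```

A file saved this way needs an explicit `chmod +x` before it can be executed directly.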