[conspire] Autodowload a Virus

Rick Moen rick at linuxmafia.com
Mon Jan 4 21:51:04 PST 2010

Quoting Ruben Safir (ruben at mrbrklyn.com):

> As per previous conversation between list members
> http://lwn.net/SubscriberLink/367874/8f87d6dc7df4936f/

It might be worth noting that the incident described doesn't involve
"autodownloading a virus".  It was essentially a social-engineering
attack that coaxed some number of Ubuntu users into shooting at their
own feet.  Attack goes like this:

1.  Create a supposed GNOME screensaver.  Create a .deb package of it,
that includes preinst and/or postinst scripts that, if run, cause the
target system to do something the user wouldn't want.

2.  Upload the supposed GNOME screensaver .deb file to gnome-look.org,
where it'll appear among countless other files with no meaningful
information and showing as having been uploaded by nobody in particular.

3.  Wait for reckless people to download the file and feed it to their
package-handling subsystems with root-user authority.  Scripts then run
with root authority, because the user essentially said to do so.

Please note that I've commented fairly extensively at the LWN news item.

Just as it's really, really dangerous to assume that arbitrary Firefox
extensions listed at http://addons.mozilla.org/ from nobody in
particular are good for your system, the same applies for other
arbitrary downloads from people you have no reason to trust --
ESPECIALLY when you turn around and run them with root authority.

There is no way to prevent users from destroying their systems, if
they're willing to carry out unwise actions with root authority.  In
fact, "viruses" are the least of their worries, in that case.
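The check a careful user would want to run before feeding an unknown .deb to the package system is to read its maintainer scripts first, since those are exactly the scripts that dpkg will run as root in step 3 above. On a real system `dpkg-deb -e pkg.deb somedir` extracts that control information; the Python below is an added, stand-alone illustration that is not part of this thread or of dpkg: it parses the .deb container itself (an `ar` archive holding a `control.tar.*`), lists any preinst/postinst/prerm/postrm scripts, and flags lines worth a second look. The `SUSPECT_PATTERNS` list and the sample package it builds in memory are assumptions constructed for the demonstration.

```python
import io
import posixpath
import tarfile

# Maintainer scripts that dpkg executes with root authority at install/remove time.
MAINTAINER_SCRIPTS = {"preinst", "postinst", "prerm", "postrm"}

# Assumption: an illustrative (not exhaustive) list of things a reviewer wants to
# see before letting a script run as root: network fetches and cron persistence.
SUSPECT_PATTERNS = ("curl ", "wget ", "/etc/cron", "/etc/rc.local")


def parse_ar(data: bytes) -> dict:
    """Parse a Unix 'ar' archive (the outer .deb container) into {member_name: bytes}."""
    if not data.startswith(b"!<arch>\n"):
        raise ValueError("not an ar archive")
    pos, members = 8, {}
    while pos + 60 <= len(data):
        hdr = data[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("bad ar member header")
        name = hdr[0:16].decode("ascii").rstrip().rstrip("/")
        size = int(hdr[48:58].decode("ascii").strip())
        members[name] = data[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)  # members are padded to even offsets
    return members


def maintainer_scripts(deb_bytes: bytes) -> dict:
    """Return {script_name: script_text} for every maintainer script in the .deb."""
    members = parse_ar(deb_bytes)
    control_name = next((n for n in members if n.startswith("control.tar")), None)
    if control_name is None:
        raise ValueError("no control.tar member found")
    found = {}
    with tarfile.open(fileobj=io.BytesIO(members[control_name]), mode="r:*") as tf:
        for m in tf.getmembers():
            base = posixpath.basename(m.name)  # entries are stored as ./postinst etc.
            if m.isfile() and base in MAINTAINER_SCRIPTS:
                found[base] = tf.extractfile(m).read().decode("utf-8", "replace")
    return found


def flag_lines(script_text: str) -> list:
    """Return [(line_number, line)] for non-comment lines matching SUSPECT_PATTERNS."""
    hits = []
    for lineno, line in enumerate(script_text.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith("#"):
            continue
        if any(p in stripped for p in SUSPECT_PATTERNS):
            hits.append((lineno, stripped))
    return hits


# ---- constructed sample package (so the example runs without dpkg) ----------

def _ar_member(name: bytes, body: bytes) -> bytes:
    """Build one ar member: 60-byte header + body, padded to an even length."""
    hdr = (name.ljust(16) + b"0".ljust(12) + b"0".ljust(6) + b"0".ljust(6)
           + b"100644".ljust(8) + str(len(body)).encode().ljust(10) + b"`\n")
    return hdr + body + (b"\n" if len(body) % 2 else b"")


def build_deb(control: str, scripts: dict) -> bytes:
    """Assemble a minimal .deb in memory: debian-binary, control.tar.gz, data.tar.gz."""
    def tgz(files: dict) -> bytes:
        buf = io.BytesIO()
        with tarfile.open(fileobj=buf, mode="w:gz") as tf:
            for name, text in files.items():
                data = text.encode()
                ti = tarfile.TarInfo("./" + name)
                ti.size, ti.mode = len(data), 0o755
                tf.addfile(ti, io.BytesIO(data))
        return buf.getvalue()
    return (b"!<arch>\n"
            + _ar_member(b"debian-binary", b"2.0\n")
            + _ar_member(b"control.tar.gz", tgz({"control": control, **scripts}))
            + _ar_member(b"data.tar.gz", tgz({})))


CONTROL = ("Package: sample-screensaver\nVersion: 0.1\nArchitecture: all\n"
           "Maintainer: nobody\nDescription: constructed sample\n")

# Constructed sample postinst: phones home and installs a cron job (does nothing here).
SAMPLE_POSTINST = """#!/bin/sh
set -e
# constructed sample: an installer that phones home and adds a cron job
curl -s http://example.invalid/ >/dev/null
echo '* * * * * root /usr/bin/true' > /etc/cron.d/sample-screensaver
exit 0
"""

if __name__ == "__main__":
    deb = build_deb(CONTROL, {"postinst": SAMPLE_POSTINST})
    for name, text in maintainer_scripts(deb).items():
        print(f"== {name} ({len(text.splitlines())} lines)")
        for lineno, line in flag_lines(text):
            print(f"  line {lineno}: {line}")
```

The presence of any maintainer script in a package from an anonymous uploader is itself the finding; the pattern list only helps a reader decide where to look first. A package with no scripts at all (`maintainer_scripts` returns an empty dict) still installs files as root, so the data tarball's paths deserve the same scrutiny.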

