Was talking with someone and mentioned Ubuntu and Kubuntu and how much I like them. He said "beware of rootkits", yada yada... This gave me pause.
Well, I know that Linux as a whole is pretty safe from what I have read and that no one is spending a lot of time making viruses and such for Linux systems. That being said, is there something I am missing? Any validity to the rootkit statement? How can I check for rootkits, or anything else for that matter? I have been keeping both systems updated.
If anyone has some good advice on this I would greatly appreciate it. Thanks and have a great day.
-
One thing to keep in mind is that a rootkit isn't a virus; it's just software, or a collection of stuff, that gives something full access to your computer.
Sure on Windows systems that something is usually a virus, but it's perfectly valid to have an actual hacker install a rootkit manually.
Those are the types of rootkits you commonly see on linux systems, since while linux isn't popular for home systems, it's the majority of servers.
There are programs to detect rootkits and provide security, like chkrootkit. But most of these programs are really designed for servers, and that's the main target for hackers. As long as you're just running a desktop/laptop system, keeping up to date should be fine. -
Here's how you avoid rootkits:
1) Don't install stuff from outside of your distro's package repository. EVER. Ignore the advice of anyone who tells you otherwise.
2) Keep on top of updates.
3) Use a firewall.
Done.
-
Everybody who wants to run a Linux system should write that down a hundred times before installing Linux.
-
ALLurGroceries Vegan Vermin Super Moderator
I guess it is a good warning, but you really shouldn't see a rootkit in the wild unless you are doing something unusual. The packages you get from updates will be signed with a PGP key on any deb-based distro. You will be warned if any packages from additional repos don't have signatures or if the signatures are broken or expired, etc. There is no real need to worry unless you are installing unsigned software packages from unknown sources or have had your system broken into.
-
To clarify, if you are not installing from a legit source (say Debian), it is no longer rootkits that you need to worry about, as you are effectively giving up all security.
Rootkits usually refers to programs that are supposed to be run by regular (i.e. non-root) users and penetrate the holes of Linux to gain root access. IOW, in addition to not installing from unknown sources, you should be very careful about giving people local shell access (including telnet/ssh) to the machine.
Debian once had a high profile incident of this. The attack started from gaining normal user shell access (bad password or something), then ran some rootkit programs to gain root and propagated from there. -
And how does one verify that their downloads haven't been tampered with?
Or unless you use Arch.
They don't do package signing, so there's no way to verify that you're receiving trusted software. -
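An added example, not code from anyone in this thread, showing the part of the deb-based trust chain that sits below the GPG step: the signed Release file lists the hash of each Packages index, and Packages lists the hash of every .deb, so a swapped .deb or an edited index breaks the chain. The GPG verification of Release itself (what apt does with the distro's key) is assumed to have happened already; all file contents below are constructed inline.

```python
import hashlib
import re

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def parse_stanzas(text):
    """Split an apt Packages index into dicts, one per blank-line-separated stanza."""
    stanzas = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            if ":" in line and not line.startswith(" "):
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
        stanzas.append(fields)
    return stanzas

def release_sha256_table(release_text):
    """Return {path: (sha256, size)} from the SHA256: block of a Release file."""
    table, in_block = {}, False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_block = True
        elif in_block:
            if not line.startswith(" "):
                break
            digest, size, path = line.split()
            table[path] = (digest, int(size))
    return table

def verify_deb(release_text, packages_path, packages_bytes, deb_name, deb_bytes):
    """True only if Packages matches Release AND the .deb matches Packages."""
    entry = release_sha256_table(release_text).get(packages_path)
    if entry is None or entry != (sha256(packages_bytes), len(packages_bytes)):
        return False  # index is not the one the (signed) Release vouches for
    for st in parse_stanzas(packages_bytes.decode()):
        if st.get("Filename", "").endswith("/" + deb_name):
            return (st.get("SHA256"), int(st.get("Size", -1))) == (sha256(deb_bytes), len(deb_bytes))
    return False  # package not listed in the index at all

# Constructed fixture: a fake .deb, the Packages stanza describing it, and the
# Release file that vouches for that Packages index (all assumptions, not real files).
DEB = b"constructed stand-in for example_1.0_amd64.deb"
PACKAGES = ("Package: example\nVersion: 1.0\nFilename: pool/main/e/example_1.0_amd64.deb\n"
            f"Size: {len(DEB)}\nSHA256: {sha256(DEB)}\n").encode()
RELEASE = f"Suite: stable\nSHA256:\n {sha256(PACKAGES)} {len(PACKAGES)} main/binary-amd64/Packages\n"
```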
I guess the ones who have enough experience to judge the trustworthiness of a 3rd party repository don't need the advice from others to use it. Therefore the initial statement stands:
Don't add random repositories because some guy in a forum or some random website told you so!
One shouldn't blindly trust the PGP signature of a distro either. I remember a case where the signing servers of a distro were hacked, but fortunately no manipulated packages were distributed. I'm not sure, but I think it was Fedora 1 or 2 years ago. In the end there's no way to be sure. -
Yes, such a shame that it's BS and not realistic.
-
Generally, if you're doing the sorts of things that require you to install something from outside of your distro's repos, you know enough to know how to ensure that it's trustworthy.
Anybody installing Oracle, for example, is not likely to be the sort of user to fall prey to a trojaned RPM.
If you think it's "BS and not realistic" for normal users, perhaps you can explain why you think that? -
See attachment for list of repositories I have downloaded from. Should there be any concern here?
-
I would assume these are all good sources. However, the main concern is not that they are hackers but how well their sites are protected. Canonical may have the resources, but some amateur guy acting in good faith?
-
I'm not sure about these labels; their sources.list entries would be easier for me to interpret, but I'll try anyway:
1. "Provided by Ubuntu" should be the official Ubuntu repositories. There's nothing wrong with that if you trust Canonical (if you didn't you wouldn't use Ubuntu, would you?).
2. "Canonical Partners": Is that Multiverse? Afaik Canonical does not do security checks on Multiverse. You totally depend on the word of these external maintainers that they won't infiltrate your system. The risk of a corrupted repository should be very low though. I'd only use that repository if I had good reasons to do so. Do you have them?
3. "For Purchase" nearly always means it's closed source. So not only no independent institution checks it but worse: Nobody can check it because it can't be examined. I'd consider this repository a time bomb.
4. Bunch of PPAs: Same as 2. but with a much higher level of mistrust (except for the Mozilla PPA; here I'd be concerned about the stability).
5. System Load ... : No idea what that is but the name sounds like it's pretty superfluous, which might not be harmful but violates the KISS principle and should therefore be thought over. -
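An added example, not posted by anyone in the thread, that reads sources.list-style lines (the form the poster above says would be easier to interpret) and sorts each entry into the same buckets: official Ubuntu mirrors, Canonical partner, PPA, or other third party. It also flags any entry carrying the `[trusted=yes]` option, which tells apt to skip signature verification for that source. The host lists and the sample entries are assumptions constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Host lists are assumptions for this example; adjust to your mirror/distro.
OFFICIAL_SUFFIXES = ("archive.ubuntu.com", "security.ubuntu.com")
PARTNER_HOSTS = ("archive.canonical.com",)
PPA_HOSTS = ("ppa.launchpad.net",)
# deb|deb-src [options] uri suite [component ...]
LINE_RE = re.compile(r"^(?P<type>deb|deb-src)\s+(?:\[(?P<opts>[^\]]*)\]\s+)?"
                     r"(?P<uri>\S+)\s+(?P<suite>\S+)\s*(?P<comps>.*)$")

def classify(line):
    """Return (kind, uri, warnings) for one sources.list line; None for blanks/comments."""
    s = line.strip()
    if not s or s.startswith("#"):
        return None
    m = LINE_RE.match(s)
    if not m:
        return ("unparseable", s, ["not a deb/deb-src entry"])
    opts = dict(o.split("=", 1) for o in (m["opts"] or "").split() if "=" in o)
    host = urlparse(m["uri"]).hostname or ""
    if any(host == suf or host.endswith("." + suf) for suf in OFFICIAL_SUFFIXES):
        kind = "official"
    elif host in PARTNER_HOSTS:
        kind = "partner"
    elif host in PPA_HOSTS:
        kind = "ppa"
    else:
        kind = "third-party"
    warnings = []
    if opts.get("trusted") == "yes":  # apt installs even if Release is unsigned/bad
        warnings.append("trusted=yes disables signature verification for this source")
    return (kind, m["uri"], warnings)

def audit(text):  # every active entry in a sources.list-style text
    return [r for r in (classify(l) for l in text.splitlines()) if r is not None]

def summary(text):  # count of entries per kind
    return dict(Counter(kind for kind, _, _ in audit(text)))

# Constructed sample, not the poster's real sources.list (natty = Ubuntu 11.04).
SAMPLE = """\
deb http://us.archive.ubuntu.com/ubuntu/ natty main restricted universe multiverse
deb http://security.ubuntu.com/ubuntu natty-security main restricted
deb http://archive.canonical.com/ubuntu natty partner
deb http://ppa.launchpad.net/mozillateam/firefox-stable/ubuntu natty main
deb [trusted=yes] http://example.invalid/screenlets ./
"""
```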
Yes, it becomes a problem in trusting 3rd party packages - but again, if the only way to get those packages not part of the official repos is through these 3rd party repos - then you have only 2 choices:
1. don't install that software - live with some alternative, if any, from the official repo
2. take the risk of installing the software and hope it is not tampered with
I'd do the second - but that is just me.... Computers basically are not secure beyond a point...
-
True enough. I tend to do everything in my power to ensure that point comes when someone has physical access to my machine while it's on.
Debian has tens of thousands of packages. I have yet to come across something which I needed which was not packaged (with the exception of a couple of pieces of software of which I either personally know and trust the authors or was one of the authors.) Obviously YMMV -- but I'd go as far as to say that the vast majority of desktop users don't need anything outside of their distro's repositories. 99% of the time that I see someone installing random software from some random download site it's because they didn't realize that it (or an equivalent) was available from a trusted source (such as their distro's repos.)
-
Thanks for all the insight. I have pretty much only downloaded from the "Provided by Ubuntu" site. Never have purchased anything, and the Canonical Partners doesn't have much anyway. The last 4 on the list are what I was most concerned about; although I have only downloaded maybe a total of 4 things from those sites, all it takes is 1.
I pretty much use this lappy for surfing the net at work and as a Linux learning tool. I don't pay bills with it, or anything that requires a level of security beyond surfing the net. I may even wipe it and reinstall if I suspect anything. I will try one of the rootkit programs mentioned earlier, but I seem to think that those are server "system type" programs and may not do any good on this laptop. Thoughts? -
The main question is, why do you have all those repositories activated if you don't use them?
-
chkrootkit is not intended to protect you from this. As I have mentioned before, if you use a compromised repo, all security is already up in heaven.
If you use it the way you are (no sensitive activities), you are fine. That is equivalent to a 'sandbox'. -
I had used them all at one point except for the Canonical and Purchase repositories, as those were auto installed when I installed Ubuntu 11.04. The Medibuntu one I can't remember what that was for, but the Screenlet one and systemload were exactly those items: screenlets and the Systemload monitor app. I suppose I should delete the repositories I don't use; however, if there are apps that require updates, would that sever the link?
Oh, and another thing, I'm still learning all this and how the linux world works. -
Yes, if you delete the repo then the packages you pulled from them will no longer be updated.
You can use Synaptic to figure out what packages came from where. (Synaptic is *vastly* better than the "Software Center" that Ubuntu's been pushing lately. This is but one example of why Ubuntu's homegrown solution is inferior.)
Hey, no sweat. It takes time to learn stuff, especially since the package management concept is foreign to users from other OSs. I think it's a superior way to manage software, but the fact that Windows and OS X (up until recently) had nothing like it can mean that the learning curve can be a little on the steep side.
Besides, that's what discussion forums like this one are for.
(Back in my day it was Usenet and IRC, but the principle's the same...)
Rootkits!?
Discussion in 'Linux Compatibility and Software' started by Evil Claw, Aug 27, 2011.
