I understand that no Operating System is 100% safe. Although this backdoor is likely only affects certain Linux desktop users, particularly those running unstable Debian or testing builds of Fedora (like versions 40 or 41), **Could this be a sign that antivirus software should be more widely used on Linux desktops? ** ( I know this time is a zero-day attack)
What if, malicious code like this isn’t discovered until after it’s released to the public? For example, imagine it was included in the initial release of Fedora 40 in April. What if other malware is already widespread and affects more than just SSH, unlike this specific case?
My point is,
- Many people believe that Linux desktops don’t require antivirus software.
- Antivirus can at least stop malware once it’s discovered.
- Open-source software is protected by many parties, but a backdoor like this one, which reportedly took 2 years to plan and execute, raises my concern about being more cautious when choosing project code maintainers.
- Linux desktops will likely be targeted by more attacks as they become more popular.
IMO, antivirus does not save stupid people(who blindly disable antivirus // grant root permission) but it does save some lazy people.
OS rely heavily on users practicing caution and up-to-date(both knowledge and the system). While many users don’t follow tech news, they could unknowingly be running (this/any) malware without ever knowing. They might also neglect system updates, despite recommendations from distro maintainers.
This is where antivirus software can be useful. In such cases, users might be somewhat protected once the backdoor signature is added to the antivirus database.
Thankfully, the Linux community and Andres Freund responded quickly to this incident.
Anti-viruses are a scam and always have been. They aren’t much more than security theater and box ticking. Don’t get into the mindset that you can outsourse security to a single product. Security is something that happens in depth. The more intrusive av software can itself become an attack vector as it often runs with lots of privileges.
Distros operate with webs of trust and cryptographically signed packages. Your distro installer verifies the integrity of the package. There is no need to check a third party signature database. It adds no value. Even well audited software could contain hidden vulnerabilities so increasingly we are running software with less capabilities via systemd, flatpak/brwrap or in containers. The environment is very different to the origins of av software on Window 9x where people would download random unsigned executables to a system with no privilege restrictions.
There are lots of challenge for the FOSS community. We love features and freedoms and those features and freedoms sometimes make security more complicated. We need to show more restraint packaging software like ssh and not add so many patches and additional dependencies. We also need to show more restraint in the typical rust, go or javascript project where adding dependencies is so easy we end up sometimes including hundreds of them for stupid crap like coloured messages or being able to handle a dozen config file formats. I don’t care about your garbage collection or advanced compile time checks, if you include hundreds of crates from other developers you are no better than npm and I would put more faith in a 20 year old c library.
And more, it’s known that av can increase sloppy behavior regarding security in people that does not know about security, making them feel safe and, therefore, clicking anywhere and installing anything
Av does increase the risk of being infected for most people
The way this xz backdoor was treated is good enough!
- Identify
- Announce
- Evaluate
- Rollback
Always with good version control and cryptographic keys to sign the packages
deleted by creator
An antivirus wouldn’t protect against the xz exploit. Imagine it did pull down the database of hashes and found a malicious xz binary, what is it going to do?
It can’t quarantine it, because that would break programs. It could update it, but shouldn’t your package manager be the one in charge of that? So the best it can do is notify you of the exploit… Which also feels like a thing the package manager should be doing.
I think instead of an antivirus, we should have a stricter permissions model. Certain applications can identity locations as “private” which blocks untrusted applications. So a random file you downloaded won’t be able to read your browser cookie jar or Discord session.
Random files you download from the internet should be executed in an unprivileged context which requires a “do you want this application to have access to this?” prompt whenever it does something sketchy.
Interestingly, afaik, Valve already runs Windows games in a secure container when using Proton. Fun fact.
I’d add that if one of the basic libraries is compromised, you can’t trust the anti-virus or really any other program on that system.
Yep, the antivirus might need a compression library to manage its database. :P
The xz issue might not directly affect an anti-virus, so maybe in this specific case, it would work fine. But it wouldn’t be hard to come up with another library that would make the anti-virus moot. And even in the xz situation, doesn’t it affect systemd?
All bets are off when you can no longer trust low level software like this.
Didn’t Guix solve that one with its full-source bootstrap?
Sorta.
You still need to trust a full Linux kernel and x86 hardware system.
I am not familiar with that. From a quick glance it looks like the new HURD. But I think even there you’re relying on the work of others.
I did not know that about proton. Interesting.
https://cyberplace.social/@GossiTheDog/112194735806991939
"4 days since XZ backdoor became public knowledge and most major Linux AV and EDR security vendors still have zero detections… they haven’t even set the static file hashes as malicious.
Can’t wait for all the vendor blogs in a week saying they fully protect against the threat. 👍"
The answer to your question: no.
Unless they’re running LFS, I don’t see the point. By the time the antivirus database is updated, surely an update will be available in the package repo?
The Linux ecosystem is built around package repos rather than manually installed software, so antivirus makes even less sense on Linux than it does on Windows. If there’s malware it’ll get removed from the repo as soon as it’s detected.
I generally agree, but I will point out there are more ways to get packages than a repo - sure most things come from there, but plenty of things are provided as standalone installers (e.g., .deb packages). Having something that can scan that random .deb you need to do that one thing could be nice.
Not saying AV is the fix, but if Linux is ever going to become even slightly mainstream, you need some way to keep the “normies” from hurting themselves
No, av would not stop this kind of attack….
ClamAV is used widely though on inbound SFTP shares though in a corporate environment
By the way, all Fedora packages are scanned with ClamAV as part of bodhi tests. Here’s the test matrix where xz 5.6.0 passed the scan, and would have allowed the exploit in for the F40 beta if it wasn’t obsoleted by another build where the vulnerability’s mechanism was disabled because it triggered valgrind failures in other software.
Sure, there’s more sophisticated AV software out there, but at the end of the day, the F40 beta was temporarily saved because of luck, the beta freeze period, and valgrind. The ecosystem as a whole was saved because “Jia Tan” wasn’t aware that making Postgres run slightly slower immediately raises alarm bells.
That’s not how antimalware software works. They can do nothing against backdoors.
Nope. In Linux the typical action is to immediately get a fix out ASAP and be done with it.
Plus it’s unlikely that AntiVirus would actually make any difference. Even in Windows many things go undetected. All it does is bog down your system
What? Use a bloatware that consumes a lot of resources, slows down the whole system and increases the attack surface instead of regular updates? Are you kidding?
Not to mention the proprietary nature of most mainstream antimalware solutions means is can conveniently ignore threats. Such software also tends to be spyware and sometimes even malware
I dont think av would help with a backdoor, only things like malware, miners, ect. I feel most people that use linux can figure out not to run lil-uzi_leaked-song.mp3.exe
Music.exe, ahhh the good ol’ limewire days of being too young and novice to not know better.
In this xz scenario an antivirus wouldn’t do shit. it’s better to find and fix vulnerabilities rather than bog your system down with malware
Antivirus software is highly unlikely to detect a backdoor
Antivirus doesnt work. It would need to monitor the whole system all the time, making it like twice as slow. How do you “stop” such a malware? You cant even uninstall xz without borking systemd.
Using SELinux especially for user programs, downloading only from trusted repos, having home non-executable apart from that and using a nonwheel user is the best you can do. Apart from using a hardened base Distro, like Secureblue, QubesOS or Tails.
So, I got malware that seemed to create an hidden proxy or VPN or something when I was online, without me having to install anything. I was on Fedora using Firefox in private mode with Ublock Origin and some script blocker. Ghostery, or Privacy Badger, or something. Fedora has it’s firewall enabled and blocking inbound connections, and SELinux was running. It would occasionally report small things like VLC or Clam AV wanting access to something.
It took me a little bit to realize something was wrong.
I realized it after Google started demanding repeated captcha attempts for everything, I started seeing unsuccessful attempts to sign into my Microsoft account from around the world, and some websites started blocking my IP for abuse. A few times, the blocking page (usually Cloudflare) showed that my public IP was over 240.0.0.0, in the unassigned block. My modem logs showed my machine making outbound connections to these random or impossible IPs at times that roughly lined up with my connection issues.
But if I simply hit refresh on those pages when they blocked me, the websites suddenly returned my correct residential IP address and started working again. I was slow to catch on. Hell, I hadn’t even used my Microsoft account for years, and I assumed Fedora with SELinux would alert me if anything strange was going on. It didn’t. My machine started acting weird, but I couldn’t place my finger on exactly how. I tried tools like Clam AV, or any number of intrusion detection solutions to assuage my growing paranoia. Problem is that they require some knowledge and you have to set them up before things go wrong.
Besides a terminal tool to unhide running processes, which inconsistently returned zero to dozens of unknown short-lived programs with increasingly high PIDs, nothing was detected. I later ran that unhide tool on a live USB of Fedora, and it did the same thing, so I assumed it was a false positive.
Ultimately, it was my fault, I know. I just went on a shady website to watch a TV show. Stupid, but not uncommon. My android phone also started acting strangely around the same time. I assume because I visited the same site to finish some season in bed using Firefox mobile. It’s been replaced entirely now.
But the point is that SELinux didn’t stop anything, I didn’t have to explicitly download or install anything to my machine, and it was some kind of drive-by infection that somehow added my machine to a kind of botnet, I think. Hard to tell just from the various logs I gathered from my machine and modem.
I don’t know what it was doing, but when I finally put all the pieces together, I completely wiped the drive in that machine, including a long dd operation on the drives with /dev/random. Still not sure what I’m going to do with it.
I’m also not sure if the infection was limited to Firefox itself, or if my entire machine was compromised. I may never know for sure.
While I was being stupid, I wasn’t being completely reckless and just running untrusted code from strange places. I watched TV in Firefox’s embedded video player. All it took was going to a website that I found by other people recommending it on social media. I should have known better, but I’m human.
If I can’t even visit a webpage without getting invisible botnet malware that escapes professionally configured tools like SELinux on Fedora, then how are complete newbies, or kids, or grandparents, or “know just enough to be dangerous nerds” (like me) supposed to be safe?
I agree that the user is the single biggest point of failure in security, and should be mindful. But when you’re not installing random Github packages, or turning off your firewall, or enabling SSH, and your machine can still get so easily pwned, what then?
That’s the value of anti-virus software. Yeah, it’s not perfect, but neither is your list of rules to follow. There is no single perfect approach, and people are lazy, impulsive, and sometimes drunkenly want to watch Breaking Bad. I don’t know what the solution is, but outright denying everyday antivirus seems… unwise, I guess?
Even if if takes a month for the vendor to be able to detect it, that’s still protection for anyone who comes after. It doesn’t have to be perfect to make a positive difference.
And, no: For anyone curious, I’m not going into more detail about the website.
Additionally setting up a firewall is pretty important.
Your distro should absolutely include that. And make sure to actually close all not needed ports, which is more work but the GUIs allow that easily.
Most if not all don’t
Fedora does
It does? I run Fedora and when I spin anything up it becomes available outside my machine. I installed Firewalld
Okay thats crazy. Maybe RPM installs can losen the firewall, or maybe common things are always open.
The maintainer of xz was pressured into adding a new, unknown maintainer because he was alone and most likely unpaid. Had this critical piece of software been well-funded and the maintainer well-compensated, he probably never would’ve added the maintainer.
Regardless, I’m not sure how an antivirus would help here. This was a component upon which many others were built. How would this have been detected heuristically? Maybe somebody with a deeper understanding can also weigh in whether SELinux could’ve helped here, but if it’s a
lib*
, I guess not.IMO the major problem is upstream: fund critical components. If you work in an org using opensource (and I bet you do), try and get them to set aside some kind of budget for opensource projects they use. For example a simple 100€ distributed across selected projects every month or every year. Or more, whatever… just something.
Also probably reproducible builds would help. The distributed archives should not differ from that of multiple build services.
Realistically, I think vendors will be trying to push their crap using this attack as leverage. They did it with Heartbleed, Shellshock and the Log4j issue. Their software won’t/wouldn’t accomplish anything, just like it didn’t with those issues, but they’re sure as hell gonna try to make it seem like it does.