Mozilla and Linux.RST.b

[IKnowNot]

Saw posted at
Viruses not just a Windows issue

According to a report from antivirus company Kaspersky, Mozilla.org recently hosted Linux versions of the Mozilla browser and Thunderbird mail client that were infected with the Linux RST.b virus.

But if you follow the links contained you find at
Analyst's Diary Infected files found on mozilla site

many disgruntled members concerning the reporting.

At
Mozilla Security Center
there is

Security Advisory (September 21, 2005) The Mozilla Foundation is aware of the Linux.RST.b virus that infected Linux Korean contributed versions of Mozilla Suite 1.7.6 and Thunderbird 1.0.2, as reported by Kaspersky Lab. No versions of Mozilla Firefox were infected. Infected files have been removed from the Mozilla ftp mirror network as of September 17.

Mozilla recommends to our Korean users who have downloaded affected products to run an AntiVirus product on their machine to scan for the Linux.RST.b virus and delete infected files. Further information about the Linux.RST.b virus can be found here: http://us.mcafee.com/virusInfo/defau...&virus_k=99978

So apparently it was a mirror site that contained the infected files. No word as to how they got there, but just something to be aware.

[HTRegz]

Hey Hey,

Since I haven't posted in a bit, I think it's time to jump back in..

It's amusing that the original article is titled as it is.... and even more so that it contains this line:

Unfortunately as Linux grows in popularity it is inevitable that it will attract attention from authors of malicious code.

This is actually a quite old virus... Symantec puts the discovery date as being April 23, 2002 (source)..

While it's true that any system can get a virus, as it has been said several times, the operating system is only as good as the user. It sounds like there was an idiot working on the Korean version who somehow managed to download and run a virus that's quite outdated. Maybe they purposely did it to backdoor users systems... It's fishy that it's only supposed to affect the /bin directory and the directory that it's executed it and still managed to infect the distributed version of mozilla... but then again, that's just my opinion.

The Analyst's Diary link was actually fun to read... everyone's blaming someone for it.

Peace,
HT

[Linen0ise]

I agree with the folks on that external site. Sure Mozilla hosted files but they are also built nightly and updated sometimes. The problem stems whenever another 3-party or website gives a review of the package and offers you to download from their site instead of the author. In fact, you have several 3-parties who give you the option to download from the publisher's site rather than theres....mostly for more up-to-date versions. What bothers me also is the fact, you find 300 source IP's on a file sharing network downloading Trojan baited software packages. If you thought you downloaded a 0-day movie but instead it turns out to be porno or an movie of an advertisement then you know what's up.