My first Linux virus?
September 7th, 2007 under InfoSec, rengolin, Unix/Linux

Wandering around my Linux filesystem I found a weird directory in /home …


drwxr-xr-x 2 root root 4096 2007-08-19 12:03 eb588afc0325b12eeb074fd6

Ok, I thought, I didn’t create that. If it’s a virus, it’s the most stupid virus in existence, but, we never know… Then I went inside to see what files it had, and found this:


$ l eb588afc0325b12eeb074fd6/
total 956
-rw-r--r-- 1 root root 865822 2007-08-02 21:41 mrt.exe._p
-rw-r--r-- 1 root root 96216 2007-08-02 21:34 mrtstub.exe
-rw-r--r-- 1 root root 45057 2007-08-19 12:03 $shtdwn$.req

Mamma mia, if it really is a virus, it’s even more stupid trying to put .exe files in my Linux box! Anyway, The Oracle would know the answer… Searching for mrtstub, the first hit is this page, directly from the enemy’s site. Not too far I found the origin:

mrtstub is part of the Malicious Software Removal Tool. It is responsible
for copying mrt.exe to the correct location and launching it.

Long story short: I have dual boot (which I never use but my son plays sometimes) and my Linux home directory is mounted using an ext3 driver for Windows. Microsoft asked me to install this Malicious Software Removal Tool which I denied 10 times asking every bloody time NEVER TO INSTALL IT IN THE FUTURE until the 11th was my son that wasn’t even asked but turned it off as he always does and Microsoft stealthily installed this piece of crap in my computer.

That’s enough, I’ll spend a fiver and buy a cross-over software to run my son’s games on Linux and remove this crap out of my computer once and for all.
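As an added audit helper (not code from the original post), the script below parses `ls -l` style listings in the format shown above and flags what a home directory should not normally contain: entries owned by someone other than the home’s user (here, the root-owned files Windows wrote through the ext3 driver) and directories with random-looking 24-digit hexadecimal names like the installer staging directory. The listing is constructed for the example and “alice” is an assumed home owner; the parser also accepts the older “Aug 19 12:03” date layout, which the post does not show.

```shell
#!/bin/sh
# Added audit helper, not code from the original post. It parses `ls -l`
# style listings and flags entries a user's home directory should not
# normally contain: entries owned by someone else (root-owned files written
# by Windows through the ext3 driver) and directories with random
# hexadecimal names like the MSRT staging directory found in the post.

# Constructed sample listing; "alice" is an assumed home owner.
SAMPLE_LISTING='total 956
drwxr-xr-x 2 alice alice 4096 2007-08-19 12:03 Documents
drwxr-xr-x 2 root root 4096 2007-08-19 12:03 eb588afc0325b12eeb074fd6
-rw-r--r-- 1 root root 865822 2007-08-02 21:41 mrt.exe._p
-rw-r--r-- 1 root root 96216 2007-08-02 21:34 mrtstub.exe
-rw-r--r-- 1 root root 45057 2007-08-19 12:03 $shtdwn$.req
-rw-r--r-- 1 alice alice 120 2007-08-19 12:03 my notes.txt'

# awk prelude shared by both checks: works out where the file name starts
# (field 8 for ISO "2007-08-19 12:03" dates, field 9 for "Aug 19 12:03")
# and rebuilds names that contain spaces. Skips the "total" line.
NAME_AWK='
function entry_name(   i, start, n) {
  start = ($6 ~ /^[0-9][0-9][0-9][0-9]-/) ? 8 : 9
  n = $start
  for (i = start + 1; i <= NF; i++) n = n " " $i
  return n
}
/^total / { next }
NF < 8 { next }
'

# Print "owner name" for every entry in the listing on stdin whose owner
# (field 3) differs from the expected owner given as $1.
foreign_owner_entries() {
  awk -v owner="$1" "$NAME_AWK"'
  $3 != owner { print $3, entry_name() }'
}

# Print directory names made only of 24 lowercase hex digits, the pattern
# of the installer staging directory found in the post.
random_hex_dirs() {
  awk "$NAME_AWK"'
  $1 ~ /^d/ {
    name = entry_name()
    if (length(name) == 24 && name ~ /^[0-9a-f]+$/) print name
  }'
}

# Demo run on the constructed listing.
printf 'Entries not owned by alice:\n'
printf '%s\n' "$SAMPLE_LISTING" | foreign_owner_entries alice
printf 'Random-looking hex directories:\n'
printf '%s\n' "$SAMPLE_LISTING" | random_hex_dirs

# Equivalent live check on a real home, without parsing a listing:
#   find "$HOME" -xdev ! -user "$(id -un)" -print
```

On a live system the `find` command in the last comment does the ownership check directly; the listing parser is useful when all you have is a saved `ls -l` capture like the one in the post.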


Read the Comments

[ # 100 ] Comment from Dick [September 8, 2007, 7:10 PM]

I did the same a while back and totally removed windows
best thing i ever did.
if the dual boot isn’t there i started to use linux apps more
and don’t miss it any more

[ # 101 ] Comment from rengolin [September 8, 2007, 7:33 PM]

This is the only dual-boot system at home and is with its days counted… ;)

[ # 103 ] Comment from Shawn [September 8, 2007, 7:56 PM]

Since they can’t “repeat” updates, they release a new MSRT every month. This is why he had to keep denying it, over and over. Windows Installer should store temporary files in c:\{guid}.

[ # 104 ] Comment from gogel [September 8, 2007, 8:20 PM]

Unfortunately for you, games do not run so smooth on cross-over software. Of course, some do but the new titles usually do not. Or do not work so reliably. As for the malicious software removal tool, it is quite useful (not evil, anyway…)
My advice is to keep that windows partition around (or on another computer…) because depending on the games your son likes, crossover might not run those games at all or you will have a hard time running them.

[ # 97 ] Comment from rengolin [September 8, 2007, 8:34 PM]

About games and Linux, I’ve found a lot of good games (that are keeping me busy) but I’m afraid I can’t share that with my son… too violent. ;)

Tremulous http://tremulous.net/
Spring http://spring.clan-sy.com/
sauerbraten http://sauerbraten.org/

For kids Linux have a better list than Windows:

Pingus http://pingus.seul.org/
Slune http://home.gna.org/oomadness/en/slune/index.html
SuperTux http://supertux.lethargik.org/
GCompris http://gcompris.net/
Neverball/Neverput http://icculus.org/neverball/
Stellarium http://www.stellarium.org/
and many, many others…

My son only uses Windows for Need for Speed and Caesar VI, most of the time he boots to Linux and sometimes he uses my cluster to play Nethack… ;)

[ # 98 ] Comment from rengolin [September 8, 2007, 8:36 PM]

About mounting my home directory as root… tell me about it… Who was the creepy stupid that did the ext3 module to mount as root?!

But I was also stupid not to check that, so my fault at the end too… Anyway, I was just feeling stupid and liked to share my stupidity with you! :D

Glad you liked it.

[ # 99 ] Comment from rengolin [September 8, 2007, 8:39 PM]

At last, about the Digg effect and the CPU quota, sorry about that. Next time I’ll do this.

[ # 102 ] Comment from x [September 8, 2007, 8:48 PM]

The mistake was mounting your linux partitions in Windows. If all Windows is used for is to play games, there is no need for it to have access to your ext3 partitions. What would you have done if Windows had gotten infected with a real virus that corrupted your ext3 partitions?

[ # 95 ] Comment from rengolin [September 8, 2007, 9:35 PM]

Absolutely! I needed to copy some files but should have unmounted the partition as soon as I had finished.

But I doubt Windows could infect me with a real virus, no Windows virus run on Linux. Btw, a very interesting article (2003) about Windows and Linux viruses.

[ # 87 ] Comment from Jeff Anderson [September 8, 2007, 10:08 PM]

Get rid of your son’s games.. they don’t contribute to anything other than stupidity and wasting time anyway. Teach him the value of learning something instead of wasting his brain on useless games.

[ # 88 ] Comment from rengolin [September 8, 2007, 11:01 PM]

He already hacks Unix and programs in C++, what else is there to know?! ;)

[ # 89 ] Comment from Loki [September 9, 2007, 12:06 AM]

Never underestimate how far Microsoft will go to keep you around. It’s a malicious and hateful way to run a company, and it shows.

[ # 91 ] Comment from Sushanth [September 9, 2007, 6:20 AM]

Hey,

I am just putting this out there. I Could be wrong.

It looks to me like the malicious software removal tool installer unzipped itself to run the setup and ask you the question – if you wanted to install it?

Since you hit cancel, it was never installed but the files that were unzipped to run the setup were not cleaned from your system by some mistake. Usually these installation files are deleted and are like temporary directories created with a random name like “eb588afc0325b12eeb074fd6”.

[ # 85 ] Comment from Personal Development for the Book Smart [September 9, 2007, 6:24 AM]

A little OT here. Saw your post in blogcatalog about digg traffic crashing your site. I am thinking of switching to either bluehost or hostmonster. Which would you recommend?

[ # 86 ] Comment from ComputerBob [September 9, 2007, 1:00 PM]

I ran a Windows/Linux dual-boot for about a year, but I finally got sick and tired of Windows refusing to run or causing other problems because it didn’t like the fact that it wasn’t the only OS on the PC.

Since I teach courses in MS software, I still need to run it at home, but I wanted a way to keep the two OS’s as isolated from each other as possible. That’s why I decided to use a hardware-based dual-boot system on my computer. Now I can quickly and easily switch between WinXP and Mepis Linux without ever having any problems. I wrote about it on my ComputerBob.com web site:
http://www.computerbob.com/guides/hardware-based_dual-boot_pc.php

[ # 92 ] Comment from helios [September 9, 2007, 6:44 PM]

Without a doubt or moments hesitation, I fully recommend Bluehost. The only hosting company I have ever had survive back to back to back slashdottings.

Everyone else crumbled after the first one…three of them never lasted past the first 30 minutes of hits.

h

[ # 93 ] Comment from mosab [September 10, 2007, 12:37 AM]

Thank God i have no kids, i am not even married yet :)

i had this dual boot system , but i removed it a couple of years ago,

i don’t play games much but SuperTux really is good for me..

i will teach my son to play well, i might even join developing a competitive linux game,

i still got time before his majesty arrives, i mean my son of course ;)

[ # 94 ] Comment from rengolin [September 10, 2007, 8:50 AM]

This is bluehost and didn’t help much. None of them will help you, really, you can do what I did, use wp-cache. Turn it off whenever you’re changing your site and then on again when you’re posting only.

I’ve set the timeout to 60 seconds, which is more than enough.

[ # 96 ] Comment from stoned [September 10, 2007, 10:08 AM]

I don’t see how a dual boot system is still necessary. If people just move their data to one system, they will be better off. And for OS-dependent applications, games etc to be missed, well, if you don’t break some eggs, there’s no progress. Four years ago I tried a GNU/Linux – Win dual boot to a new machine in my workplace. Gradually, switching to Win became less and less frequent and after 3 months I realized that I no longer need it. Linux was ok for every day use, office operations, development. At the next upgrade, I ditched the bloated OS.

[ # 90 ] Comment from rengolin [September 10, 2007, 12:09 PM]

Linux is not only OK for me, it’s essential! I can’t do much on a Windows box nowadays.

The only reason to have the dual boot was Flight Simulator (X-Plane and Flight Gear are not up to it yet) and I haven’t flown for ages now.

Anyway, in the next spare time I’ll just crop the /windows partition out of the map and be happy.

[ # 84 ] Comment from Chris Lees [September 11, 2007, 11:08 AM]

I’d advise you to get rid of the Ext3 driver from Windows, and instead either mount your Windows partition read/write in Linux, or get some sort of external media which can handle your cross-platform transfer needs. Although Windows viruses don’t run on Linux (well, not really) it’s possible in the future for a Windows virus to contain a Linux payload, using the Ext3 driver to install it into your init scripts on the Linux partition.

[ # 83 ] Pingback from Linux в digg на русском » Blog Archive » My first Linux virus? [September 13, 2007, 3:30 PM]

[...] Translation of the post My first Linux virus? [...]

[ # 82 ] Pingback from Linux virus. « Malcolm’s Home [September 13, 2007, 5:09 PM]

[...] Published on Thursday, 13 September 2007 by mlclm. Original in English. Translation into Russian. Honestly, it is somewhat strange… It has also happened to [...]

[ # 81 ] Comment from rengolin [September 21, 2007, 7:27 PM]

Following the same idea, here’s another example of what Microsoft is doing:

Microsoft-updates-Windows-without-users-consent

[ # 80 ] Comment from rvincoletto [September 29, 2007, 8:55 PM]

Hi!
Information Security Carnival 3rd edition is up here, and your article was selected!

Comment, link to us! Spread the word!

[ # 79 ] Comment from Robert [October 15, 2007, 10:09 AM]

I’m a happy camper ever since XP SP2 came out. Tried Ubuntu 7.04 a while ago, got no network (ifconfig eth0 up, service network restart did the trick), was disappointed once again and removed Linux permanently from my computer.

[ # 78 ] Comment from rengolin [October 15, 2007, 11:06 AM]

Excuse me, were you unhappy because you had to restart your network???

On Windows I have to install the driver from CD (and reboot) to make my wired interface work! You would probably think that this is ‘normal’, wouldn’t you?

[ # 77 ] Comment from Carl [October 16, 2007, 2:15 AM]

Well I run WinXP and mepis 6.5, and used to use ntfs-3g all the time, but eventually corrupted my win partition (I used to keep my music on ntfs partition and played with amarok). Now I only let ext3 driver use a separate ext3 partition and never my home or root! I use winxp for transcoding media files (as it’s painfully slow in xp under vmware).

[ # 76 ] Comment from rengolin [October 16, 2007, 8:42 AM]

Hi Carl, with the ext3 driver I thought I could have a shared disk that both could write to (not the case of NTFS) but I don’t want Windows to be root in my /home.

What I’m doing now is to have an external harddisk via USB as ext3 mounted with the same module but only with backup data, i.e. I’ll never execute anything directly from the disk.

I know it’s not perfectly safe but it’s working so far…
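The “never execute anything directly from the disk” rule from the comment above can be enforced by the mount itself, and this added example (not code from the original post or its comments) checks for that. It parses a mount line in `/proc/mounts` format and reports which of `noexec`, `nosuid` and `nodev` are missing; the device path, mount point and mount lines are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: check that a mount used only
# for transferring or backing up data carries noexec, nosuid and nodev,
# which turns "never execute anything from the disk" into a kernel-enforced
# property instead of a habit. Input is a line in /proc/mounts format.

# Constructed /proc/mounts lines; device and mount point are placeholders.
WEAK_MOUNT='/dev/sdb1 /media/backup ext3 rw,relatime,data=ordered 0 0'
HARDENED_MOUNT='/dev/sdb1 /media/backup ext3 rw,nosuid,nodev,noexec,relatime,data=ordered 0 0'

# Print each required option missing from the mount line given as $1
# (field 4 of a /proc/mounts line is the comma-separated option list).
# Output is empty when the mount is hardened.
missing_mount_options() {
  opts=$(printf '%s\n' "$1" | awk '{ print $4 }')
  for want in noexec nosuid nodev; do
    case ",$opts," in
      *,"$want",*) ;;
      *) printf '%s\n' "$want" ;;
    esac
  done
}

# Demo run on both constructed lines.
printf 'Weak mount is missing: %s\n' "$(missing_mount_options "$WEAK_MOUNT" | tr '\n' ' ')"
printf 'Hardened mount is missing: %s\n' "$(missing_mount_options "$HARDENED_MOUNT" | tr '\n' ' ')"

# Matching /etc/fstab entry for a data-only backup disk (placeholder device;
# noauto so it is only mounted on demand):
#   /dev/sdb1  /media/backup  ext3  noexec,nosuid,nodev,noauto  0  0
# Live checks on a running system:
#   grep ' /media/backup ' /proc/mounts | missing_mount_options "$(cat)"
#   findmnt -no OPTIONS /media/backup
```

The same options apply to any partition that another operating system can write to: with `noexec` a binary dropped onto the disk from the Windows side cannot be run directly from there, and `nosuid` and `nodev` stop set-uid bits and device nodes planted there from having any effect.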

[ # 75 ] Pingback from Munich Unix » My first linux virus? [November 10, 2007, 2:49 PM]

[...] read more | digg story [...]

[ # 74 ] Comment from Winblowa [December 11, 2007, 9:38 PM]

I ditched windows and installed ubuntu. Simplicity comes at a cost however. I had to install quite a few programs, codecs, drivers, etc… to make it work optimally on my PC. Very easy to do though.

[ # 73 ] Comment from BiT [December 26, 2007, 7:20 PM]

Hm very good

[ # 105 ] Comment from Mark [February 15, 2008, 1:00 PM]

“Get rid of your son’s games.. they don’t contribute to anything other than stupidity and wasting time anyway. Teach him the value of learning something instead of wasting his brain on useless games.”

To Jeff Anderson,

I just had to comment. For God’s sake, lighten up. He’s a kid, just let him be one. Soon enough, he’ll be wearing tartan slippers and smoking a pipe while reading The Times just like you.

[ # 106 ] Comment from Eric [November 21, 2008, 2:45 PM]

You are aware that MS releases a new malicious software removal tool each month, right? If you tell Windows update to ignore one, it will offer you another eventually. Why not just delete the directory that it made when someone told it to install, it won’t just install without you agreeing to an EULA, and continue on your way. I don’t see how you could really stretch this issue into a Microsoft is the Devil post, it really is reaching.
