10

Recently I got into an exchange with someone on social media about the security of Linux versus OSX and Windows. I stated that it is possible (and probable) that someone could code a low level back door (or whatever pesky malware they desire), and put it into the open source Linux code they downloaded, as well as add all of the proprietary software that Ubuntu has; compile it to an iso and label it as “UbuNtU”. This new iso would install an OS that would look and feel like the real Ubuntu, however it would have a back door that nobody could see. This would require a faked checksum as well, but that is somewhat beside the point because it can be faked too. (Also the user might just be given a USB from a trusted source with the fake iso.) My question is straightforward: could somebody create a fake Ubuntu with a back door by compiling the open source software into an iso and labeling it as “UbUnTu”? I would also like to add that this can be done with OSX and Windows, however it would be much more difficult due to the fact that neither of these is open source!

I strongly believe that open source software is more vulnerable to hackers point blank!

Steffen Ullrich
johnSmith563
    This is why it is vital to verify the integrity of the ISO file after you download it, and before using it to install the OS on your system. See https://ubuntu.com/tutorials/how-to-verify-ubuntu#1-overview for more info. – mti2935 Aug 19 '21 at 01:43
  • 25
    There is nothing about open-source software that makes it "easier to hack". On the contrary, having more people look at your code means it's more likely that someone will identify an issue. –  Aug 19 '21 at 11:48
  • 19
    _"This would require a faked checksum as well, but that is somewhat besides the point because it can be faked too."_ - Really? How? – marcelm Aug 19 '21 at 18:43
  • 10
    "however [faking OSX and Windows images] would be much more difficult due to that fact that neither of these are open source" -- that is not at all true. – Alex Reinking Aug 19 '21 at 19:19
  • 25
    What is the relevance of the differently capitalised name (UbuNtu, UbUnTu, etc.?). If you're going to create a malicious ISO, why would you want its appearance to deviate in any way from the original? – Jon Bentley Aug 19 '21 at 19:40
  • 2
    @marcelm With a MiTM attack you can present a different version of the site which displays the checksum. Once you've tricked the user into installing the first malicious OS, it can do this for you on all subsequent downloads without any need for MiTM. – Jon Bentley Aug 19 '21 at 19:41
  • 2
    @MechMK1 do you have a citation for that? We’ve seen many, significant, widely used OS projects with glaring vulnerabilities. – Tim Aug 19 '21 at 20:28
  • 1
    @JonBentley varied capitalisation on the internet typically means something is said in a mocking tone. In this case it likely intends to highlight the fakeness of that ISO. As for your second comment, the latter part does not apply at all because you will have compromised the system already - that's a completely different attack vector. The former part makes sense but is irrelevant to whether the system is open-source or closed source. Also, MITM is fairly effectively mitigated by SSL which is used by most (all?) popular distribution pages. – user9123 Aug 19 '21 at 22:06
  • 1
    @Tim it's a trend not a rule, there are examples of vulnerabilities in many open-source software, but they tend to be fewer and found and patched quicker. If you need an example, have a look at [UACMe](https://github.com/hfiref0x/UACME) - there are still some well-known privilege escalation vulnerabilities in Windows. Meanwhile, compare this to that recent sudo privilege escalation bug and how quickly it got patched - not just in one OS, but in tens or hundreds of distributions. – user9123 Aug 19 '21 at 22:13
  • @user9123 what I’m looking for is a citation (a peer reviewed paper ideally) with evidence for the statement that “having more people look at [it] makes it more likely that someone will identify an issue”. It would also be nice to see a citation for “they tend to be fewer and found and patched quicker”. Examples are great, but one anecdote isn’t what I’m after. You’ve just cherry-picked two examples which support your case. – Tim Aug 20 '21 at 08:08
  • 1
    @Tim [This paper](https://doi.org/10.1145/1188913.1188921) supports my claim, which is for all intents and purposes, self-evident. Also, claiming that software is more secure *because* it's closed-source is security-by-obscurity, which has been known for ages to be a bad idea. –  Aug 20 '21 at 10:54
  • @MechMK1 I wasn’t claiming it was more secure closed. I was asking for evidence that it’s more secure when OS - so thanks for providing that! – Tim Aug 20 '21 at 11:54
  • 11
    Your question is: "Can I put malware on a CD?" I mean, yeah, duh. Obviously. "Ubuntu" has nothing to do with the answer. You can create a fake malicious anything. – Boann Aug 20 '21 at 13:03
  • You might want to read about [this recent event](https://www.wired.com/story/solarwinds-hackers-continue-assault-new-microsoft-breach/) where Microsoft's internal systems were breached. – JimmyJames Aug 20 '21 at 15:44
  • @JonBentley _"With a MiTM attack you can present a different version of the site which displays the checksum."_ - Not if the checksum page is served securely (i.e., using https). A checksum served over an insecure connection is largely pointless, of course. – marcelm Aug 20 '21 at 16:23
  • 1
    A real example of this happening was Linux Mint: a few years ago, [their website was hacked](https://blog.linuxmint.com/?p=2994), and the download links were pointed to an ISO with a backdoor. The website being hacked could also mean that the checksums can be changed to match the new ISO file, thus there is no way to verify it. – Jonas Czech Aug 20 '21 at 16:35
  • @JonasCz And also [this happened](https://www.wired.com/story/solarwinds-hackers-continue-assault-new-microsoft-breach/) and no one knows what backdoors might have been added to MS products as a result. – JimmyJames Aug 20 '21 at 21:33
  • Where do you intend to get a checksum for Windows? Unlike Ubuntu, I know of no place where I can get reliable checksums of Windows. – J. Mini Aug 21 '21 at 15:16
  • nobody mentions UEFI BIOS (secureboot)? – Jeffrey Aug 21 '21 at 15:49
  • Ken Thompson held a Turing award talk on "Trusting trust" - https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_ReflectionsonTrustingTrust.pdf - which is very relevant to this subject if you consider it as "Where can I put malware in open source software" (quick summary: hack the toolchain - which these days include the cpu). – Thorbjørn Ravn Andersen Aug 22 '21 at 06:59

7 Answers

66

Whether an OS is open source or not is not the important factor in whether someone could build a malicious installer image.

Recent versions of Windows use a technique based on WIM images, which can be generated from existing Windows installations just like backup software creates an image. Therefore it is pretty easy to generate a malicious Windows image: just capture an existing Windows installation that has been prepared with malware.

The same is true for Linux-based OSes like Ubuntu.

Therefore, no matter what OS you install, it is important to only use installer or ISO images that are downloaded directly from a trusted source over a secure channel like HTTPS, usually directly from the manufacturer, or alternatively ones whose authenticity you can verify, e.g. using a GPG signature.

Robert
  • 29
    It's pretty easy to inject drivers into a WIM image. If you can inject drivers, it'd be easy to inject anything. Is this easier than mangling an ubuntu image? It's probably about the same difficulty actually. – user10489 Aug 19 '21 at 01:37
  • 16
    On a side note, Microsoft has recently removed a lot of installation image downloads from their website, so despite having a valid key you might have to resort to shady sources to get your DVD image. One could argue this makes Windows actually *more* susceptible to such an attack. – AndreKR Aug 19 '21 at 14:14
  • 1
    @AndreKR There is (was) a perfectly legal tool by Microsoft for creating installation media that will download and create either an ISO or an installation flash drive of W10 in several different versions. – mishan Aug 19 '21 at 19:37
  • @AndreKR link: https://support.microsoft.com/en-us/windows/create-installation-media-for-windows-99a58364-8c02-206f-aa6f-40c3b507420d – mishan Aug 19 '21 at 19:39
  • 3
    @AndreKR So, the reason there are no openly advertised ISO locations for download is that there is this tool that automates that process that is the "official way" of getting ISO and creating installation media. If you just google you will get to the several support pages that will navigate you to it. Sadly, any support by Microsoft is a bloated jungle that is unreasonably hard to navigate full of outdated information, redundant information written slightly differently, and pages that are just boilerplate and absolutely useless. – mishan Aug 19 '21 at 19:46
  • (which reminds me of the joke: "Google has the largest data centers in the world. Microsoft has a million servers, nobody in there knows what they do or where they all are, but they have them...somewhere") – mishan Aug 19 '21 at 19:48
  • @AndreKR https://www.microsoft.com/en-us/software-download/windows10ISO ? – Nonny Moose Aug 19 '21 at 21:09
  • 1
    @mishan If you click for example Windows 7 on that website, you'll get... well, I'm not sure, maybe there *is* a link somewhere there, but I don't see it. – AndreKR Aug 19 '21 at 23:24
  • 1
    @NonnyMoose Try that for Windows 7 or let's say Office 2016. – AndreKR Aug 19 '21 at 23:24
  • @AndreKR Oh, I didn't realize that you meant they removed those images. I guess that makes sense, since those pieces of software are no longer officially supported. Of course your original point stands; people will still want them for various reasons other than official support. – Nonny Moose Aug 20 '21 at 18:29
  • @user10489 I would say adding malicious software to a Windows image is definitely easier than coding new malware and adding it to a Linux image. Even the average corporate IT department can create a Windows image with a custom set of software and finding malware for Windows is extremely easy (just start clicking on questionable links and it will come to you). Writing anything from scratch will take longer. – user3067860 Aug 20 '21 at 19:01
31

First of all:

This would require a faked checksum as well, but that is somewhat beside the point because it can be faked too.

What do you mean by faked? If the user checks the checksum against the one provided on the distribution's official page, the attempt is instantly foiled because the checksum will be different. There's no way around that (of course except for finding a hash collision but... good luck with that).

Moving on, as most answers already stated, the attack you describe is certainly very feasible and has been done! But it has been done regardless of whether the software is open-source or closed-source. I mean, if you believe otherwise, go ahead and download/install a Windows ISO from a site other than Microsoft's and see how safe you feel. Not to mention the countless examples of malware-infested pirated software which is proprietary.

In fact, I can make a pretty good counterpoint: open-source software is free so there's no need to pirate it or download it from shady sources. Meanwhile, proprietary software is often pirated meaning it has much higher potential to cause malware infections.

To summarise, it may be marginally easier to patch an Ubuntu ISO than a Windows ISO. But it'll be thousands of times easier to infect someone with the pirated Windows ISO than the Ubuntu one, because anyone can download Ubuntu for free so they have no reason to trust you.

user9123
  • 1
    " If the user checks the checksum against the one provided on the distribution's official page, the attempt is instantly foiled because the checksum will be different. There's no way around that" - how do you know you're definitely on the distribution's official page? – Jon Bentley Aug 19 '21 at 19:45
  • 8
    @JonBentley Like anything else, you have to trust _something_ initially, and then 'bootstrap' trust about other things. Ideally, you'd already know the official page/site for a given distribution (and then trust that it hasn't been hacked). Practically, you can check multiple sources of info and verify that they agree, e.g. about the official page of a distribution, and maybe also check that no one is reporting that the page/site has been hacked; HTTPS (TLS/SSL) helps too! But this is all imperfect to some degree. – Kenny Evitt Aug 19 '21 at 21:43
  • 5
    @JonBentley HTTPS proves that a cert authority has verified that whoever is serving the site is the owner of the domain. DNSSEC will have verified that the domain records are intact. As long as the domain name is correct, you should be fine. If infrastructure hosting the site is compromised, you have bigger things to worry about because then even the official ISO is likely compromised. Of course, the above could fail under certain circumstances, but all of that is out of scope of this question anyway because it goes for any website at all and is not relevant to system ISOs specifically. – user9123 Aug 19 '21 at 21:58
  • 1
    I'm not sure if it's part of the OP's confusion, but a [cryptographic hash](https://en.wikipedia.org/wiki/Cryptographic_hash_function) is used to verify a distro, not a [checksum](https://en.wikipedia.org/wiki/Checksum). As explained in the accepted answer [here](https://security.stackexchange.com/questions/194600/checksum-vs-hash-differences-and-similarities), a hash is much more resistant to malicious 'fakes', i.e., collisions. – JimmyJames Aug 20 '21 at 15:41
  • @JimmyJames you need more than a simple collision attack to do that, a much more difficult attack called second pre-image attack because the official version is already fixed – Manish Adhikari Aug 22 '21 at 10:01
  • @ManishAdhikari Yes, thanks. In my mind, pre-image attacks are a subset of collisions but it seems that is not how the terminology is generally used (despite the descriptions of pre-image attacks being described using the term 'collision'). In the future, I'll try to use the accepted terminology. – JimmyJames Aug 22 '21 at 17:55
  • @JimmyJames Second pre-image attacks and collision attacks both create collisions, but the difference is that unlike in collision attacks, you are not free to choose both messages in second pre-image attacks. I am also on the same page as you. I have seen people describing why MD5/SHA1 are unsafe to use because they are not collision resistant, but giving examples of second pre-image attacks instead, despite neither having yet been known to be vulnerable to second pre-image attacks. – Manish Adhikari Aug 23 '21 at 03:42
  • @ManishAdhikari This is good feedback but I just want to reiterate the point I meant to make: checksums are not hashes and cannot be used to protect against malicious actors. – JimmyJames Aug 23 '21 at 14:35
  • 2
    I don't know how you use these terms but from what I understand to be the general usage, checksums are hashes (which are any functions that convert arbitrary data into fixed size numbers/bitstrings), they are not however cryptographic hashes which are hashes which provide first and second preimage resistance and collision resistance. Of course only cryptographic hashes are to be used in this scenario. – Manish Adhikari Aug 23 '21 at 16:52
  • 1
    @ManishAdhikari Yes, that was the point I was trying to make. Sorry for the lack of precision in my terminology. – JimmyJames Aug 24 '21 at 16:29
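The verification step Robert's answer recommends, and the checksum-versus-cryptographic-hash distinction in the comments above, as an added worked example (not code from any post on this page). It parses the `SHA256SUMS` format Ubuntu publishes, streams the image through SHA-256, and contrasts that with a toy additive checksum; the image bytes and the `SHA256SUMS` content are constructed for the demo.

```python
"""Verify a downloaded image against an Ubuntu-style SHA256SUMS file.

Added example, not code from the original page. The SHA256SUMS line format
("<hex digest> *<filename>") is the one Ubuntu publishes; the image bytes
and the SHA256SUMS text used in demo() are constructed here.
"""
import hashlib
import hmac
import os
import tempfile

CHUNK = 1024 * 1024  # hash a multi-gigabyte ISO without loading it whole


def sha256_of_file(path):
    """Stream the file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def parse_sha256sums(text):
    """Map filename -> expected digest from SHA256SUMS content.

    Lines look like '<64 hex chars> *ubuntu-20.04.3-desktop-amd64.iso';
    the leading '*' marks binary mode and is stripped. Malformed lines
    are skipped rather than trusted.
    """
    expected = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            continue
        digest, name = parts
        expected[name.lstrip("*")] = digest.lower()
    return expected


def verify_image(path, sums_text):
    """Return True only if the file's SHA-256 matches its SHA256SUMS entry.

    Assumes SHA256SUMS was fetched over HTTPS and, ideally, that its
    detached signature was checked first (gpg --verify SHA256SUMS.gpg
    SHA256SUMS); without that, a compromised site can publish sums that
    match a backdoored image, as in the Linux Mint incident in the comments.
    """
    expected = parse_sha256sums(sums_text).get(os.path.basename(path))
    if expected is None:
        return False
    return hmac.compare_digest(sha256_of_file(path), expected)


def additive_checksum(data):
    """Toy non-cryptographic checksum (byte sum mod 2**32), for contrast only."""
    return sum(data) % (1 << 32)


def demo():
    """Constructed demo: a tampered copy keeps the weak checksum but fails SHA-256."""
    original = bytes(range(256)) * 64   # stand-in for an ISO (16 KiB)
    tampered = bytearray(original)
    tampered[100] += 1                  # change one byte ...
    tampered[200] -= 1                  # ... and compensate so the byte sum is unchanged
    tampered = bytes(tampered)

    with tempfile.TemporaryDirectory() as d:
        official, mirror = os.path.join(d, "official"), os.path.join(d, "mirror")
        os.makedirs(official)
        os.makedirs(mirror)
        good = os.path.join(official, "ubuntu-demo.iso")
        bad = os.path.join(mirror, "ubuntu-demo.iso")
        with open(good, "wb") as f:
            f.write(original)
        with open(bad, "wb") as f:
            f.write(tampered)
        # SHA256SUMS as the vendor would publish it for the genuine image
        sums = "%s *ubuntu-demo.iso\n" % hashlib.sha256(original).hexdigest()
        return {
            "official_ok": verify_image(good, sums),
            "tampered_ok": verify_image(bad, sums),
            "weak_checksum_matches": additive_checksum(original) == additive_checksum(tampered),
        }


if __name__ == "__main__":
    print(demo())
```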
8

I strongly believe that open source software is more vulnerable to hackers point blank!

Windows is a closed source software, yet there exists Windows XP Gold and Vision Ultimate which are unofficial ISOs of Windows that contain pre-installed software, tweaks, etc. So it's possible to make a fake ISO even if the software is not open source.

I can't add a link because it's piracy but these can be found easily on Internet.

A.L
1

I'd say this is mostly answered, but I'll also add that Ubuntu now supports SecureBoot as well. You wouldn't be able to modify certain parts of the kernel at minimum without the computer refusing to run it.

Of course, there's plenty that can still be done in userland, but there is some security in place.

I am unsure how the hypothetical ISO would end up on anyone's computer, though, since I imagine most people download it from the official sources.

RDragonrydr
1

As many others have already pointed out, your inclination to believe that open source software is more easily hacked/exploited is completely unwarranted. The point of this answer is just to share a personal story of mine that speaks to this, forcefully so, in my opinion:

Many, many years ago (back when Windows NT was standard issue in enterprise deployments) I felt compelled to subvert a particular installation by modifying the console/desktop logon process so as to capture users' logon credentials. As you may imagine, I have no access to anything like Microsoft's source code, yet it took me less than an afternoon to find the relevant module (I still remember it was called WINGINA.DLL; no idea if it's still around in current versions, as I have long since let go of Windows completely), then to identify the very few functions that had to be modified, and to fit the required code (x86 assembly, obviously) into several nooks & crannies that these executables tend to have unoccupied. It worked beautifully.

Now suppose I wanted to fix, for myself, one of the many flaws that Microsoft's products have (and I don't mean only security flaws). For the vast majority of cases, that would be very hard (next to impossible, really) without source code.

So the lack of open source is a tremendous hindrance to ameliorating a product; not so much when it comes to covertly turning it into malware.

thisguy
0

You are missing the point here. The main difficulty of this attack is not in making it possible to create a malicious ISO, it is in convincing a victim to use it.

That has been done over and over again to all kinds of software. Why do you think tech support scams by and large use the "we are Microsoft tech support" disguise? And how well do you suppose that works? (Spoiler: very well.)

"Click that link" and "authenticate this action" are ultimately social engineering attacks, and the software used being open source does not really make it much easier to make them look convincing. As already stated in the answers, faking a hash is quite a hard task, but it is also too much effort given that people very commonly wouldn't check it; the harder part would be to convince someone to download from your mirror and not one of the official ones. Chain of trust is a thing; it is not terribly hard to compromise locally, but everything security-related is based upon it. The main protection mechanism in FOSS is basically that in order to cause significant damage, one would need to build up a lot of reputation first AND somehow fly under the radar of people reading the code.

The main reason many open source bits of software are potentially more vulnerable than their closed-source counterparts is just not enough scrutiny. Too much software, too many updates - it is feasible to sneak in some vulnerable code with malicious intent.

TL;DR: If you can convince people that you are a trusted source of software and they should run it, the rest is a piece of cake.

Lodinn
-1

Sure, malicious code could be injected into packages in the ISO - the same way malicious code is often injected into Windows and MacOS media that people download from unofficial sources. There is no difference here between Ubuntu, Windows and MacOS.

ISO files are often mirrored, so it's likely that your ISO image is not downloading directly from the vendor's website. That's why they will provide you with MD5/SHA/GnuPG checksums on the Ubuntu/MS/Apple website. You use the checksum to validate that the ISO image you downloaded is the ISO the vendor made. This effectively means you have an authoritative method to validate your ISO.

Checksums are usually provided by all the aforementioned vendors on downloads.

Your belief that open-source is more vulnerable to hackers is both true and false... but mostly false. You think "I can see your code, so I can hack you" - which is completely wrong. Peer reviewed code is significantly more secure.

The fundamental things that secure you on the internet (VPN, SSL/TLS, etc.) are predominantly based on open-source. (Else it would be based on trusting a company that's unwilling to show you what's behind the curtain.)

Your argument is like saying a car with 6 wheels will always go faster than a 4 wheel car. If you're basing this observation on traction alone, then it's possibly correct, but there are significantly more variables involved in a car that determine its top speed.

I recommend you read "The Cathedral and the Bazaar", which compares the mindset of open and closed source. It's a few years old, but should give you some insight.

  • 5
    *"Peer reviewed code is significantly more secure."* - that statement is true. But it is not true that OSS is always peer reviewed or that the peer reviews have a high quality and therefore OSS has a better quality. Just because the source is open does not magically create experts which have time and knowledge and nothing else to do than reviewing the code. There were enough disasters in the past which showed a lack of good review or any review at all in open source, even for critical software components like OpenSSL. It does not mean that OSS is worse, but it also does not mean it is better. – Steffen Ullrich Aug 19 '21 at 08:52
  • 4
    Was *The Cathedral and the Bazaar* really about open vs closed source? IIRC it was more like two kinds of open source. But it was a long time ago that I read it. – user253751 Aug 19 '21 at 14:24
  • @SteffenUllrich - totally agree. The statement was to show that saying OS is more insecure simply because the code is visible creates a false-dichotomy and there are significant other factors that should be taken into account. – Frank Jackson Aug 19 '21 at 23:46
  • @user253751 - I may have to re-read it myself 20 years later. I always felt that the essay gave a good indication of the open vs closed source benefits/penalties, but the essay is based on open source. So you are correct. It might not be the best reference material - happy to remove it from my response. – Frank Jackson Aug 19 '21 at 23:54
  • @user253751 Per wikipedia: "The essay's central thesis is Raymond's proposition that "given enough eyeballs, all bugs are shallow" (which he terms Linus's law): the more widely available the source code is for public testing, scrutiny, and experimentation, the more rapidly all forms of bugs will be discovered. In contrast, Raymond claims that an inordinate amount of time and energy must be spent hunting for bugs in the Cathedral model, since the working version of the code is available only to a few developers." – JimmyJames Aug 20 '21 at 15:50
  • @SteffenUllrich This is true, but with OSS, it seems to me that access to open source by researchers e.g. at universities all over the world is a key factor. In order to do similar analysis on closed source, those same researchers need to have been given permission and most likely sign a bunch of legal documents such as NDAs. This pretty obviously raises the bar to access significantly compared to a publicly accessible repo. And even if they find major issues, they may not have the right to publish anything about them, which is the whole point, from their perspective. – JimmyJames Aug 20 '21 at 15:56
  • @JimmyJames: Just because review of OSS is easier does not mean that it is actually done to the needed extent and quality. Just take a look at OpenSSL: an essential part of many applications for years but not enough review, leading to bugs like Heartbleed. Only after this bug did companies start to invest sufficient money to maintain the code base, which then led to a considerable improvement. Good developers are scarce, which means that they usually have well paid jobs and not much time to do free code review. This leaves unpaid code review to less experienced developers, or nobody is doing it. – Steffen Ullrich Aug 20 '21 at 18:04
  • @SteffenUllrich I'm not, in general, disagreeing with you but I'm not sure it's a valid argument to point to one defect found in OpenSSL as proof that OSS doesn't provide advantages in this context. There are an immense amount of vulnerabilities that have been found in closed source products. If that's the only example you can find, then that's pretty good compared to the apparently endless stream of vulnerabilities that have come of MS over the years. – JimmyJames Aug 20 '21 at 21:30
  • @JimmyJames: This was only an example of a critical project where the lack of review was obvious. There are lots of vulnerabilities in OSS and there are lots in closed source. The initial argument I was making was that OSS is not just magically better because everyone in theory *can* review it - because this does not necessarily actually lead to more high quality reviews. There are lots of examples, good and bad, for both closed and open source. In the end it depends where the effort is actually spent, i.e. where the money, time and knowledge is. And this can be both open and closed source. – Steffen Ullrich Aug 21 '21 at 03:07
  • @JimmyJames The "given enough eyeballs" premise is not holding. Modern software has reached a size where most people are not interested in scrutinizing software not immediately relevant to what they want to do with their computer, so there simply aren't enough eyeballs to cover everything. Also, real malicious code still works well enough, so there are no bug reports, and therefore no reason to look at it. – Thorbjørn Ravn Andersen Aug 22 '21 at 07:08
  • @SteffenUllrich I once worked with a person who told me that their sister-in-law got into a car wreck and some large logs came through the windshield. The claim was that she survived only because she wasn't wearing a seatbelt. I'm not completely sure of the veracity of this story but I can imagine how that might happen and even if it did, I still think wearing a seatbelt is a good idea. To mount an argument that OSS doesn't provide a benefit here, you need to have statistics, not just anecdotes. Also, how does the fact that a security researcher found Heartbleed fit into your argument? – JimmyJames Aug 22 '21 at 17:16
  • @ThorbjørnRavnAndersen So close the source so there's no way to review it? I'm not arguing that OSS is a *sufficient* condition for security researchers to find vulnerabilities, rather that it's more akin to a *necessary* condition. – JimmyJames Aug 22 '21 at 17:18
  • @JimmyJames: *"To mount an argument that OSS doesn't provide a benefit here, you need to have statistics, not just anecdotes."* - I'm only questioning the claim made by the author of the answer. Based on your argumentation the author would need to show the statistics to support their claim. Maybe you could help the author here. – Steffen Ullrich Aug 22 '21 at 17:21
  • @jimmijames no that is not what I am saying. I don’t know how you concluded that. Let me phrase it otherwise - the amount of code to review increases faster than the amount of eyeballs to do the reviewing. – Thorbjørn Ravn Andersen Aug 22 '21 at 19:48