Beefy Boxes and Bandwidth Generously Provided by pair Networks
Syntactic Confectionery Delight

Malware on CPAN

by Anonymous Monk
on Jun 20, 2012 at 04:21 UTC ( #977218=perlquestion: print w/replies, xml ) Need Help??
Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

On PerlMonks, on many SOPWs I have written I have placed "no CPAN please" in them. The community then responds to me with a boilerplate "you too can install CPAN modules". I've been wondering if there is any logic to my "no CPAN" requirements that I have been putting up for 13 years on PerlMonks.

Scenario one, with CPANTesters and other people who automatically build modules, and the fact that PAUSE tarballs are unmoderated, has anyone ever been caught in the 17 year history of CPAN releasing a benign module with a rootkit, backdoor, virus, or "calling home"?

Scenario two, has anyone released a truly malicious module without any POD or any redeeming qualities that will attempt to trash the system when its is run automatically by CPANTesters?

And scenario 3, if someone did release a tarball with a kernel privilege escalation exploit in it, what will CPAN, PAUSE, and Perl community do? and to what degree will that tarball be scrubbed off the internet?

Before you ask what is my mission, I proclaim that I have been sent here on an edict from the House of PHP to proselytize all you heathens to the salvation of my Most Honorable Lord Phalanger.

Replies are listed 'Best First'.
Re: Malware on CPAN
by Khen1950fx (Canon) on Jun 20, 2012 at 05:42 UTC
    The community will do plenty. First, the author of the malware would be barraged by a blizzard of nasty emails. They would be hounded to the ends of the earth:). Second, I doubt very much that it would really get by the volunteers that monitor PAUSE. They do a great job, considering all the the work that is thrown on them. Third, as a cpantester, I've fine-tuned my firewall. If there's something not kosher going on, I'll get it and notify the appropriate people. I haven't had that problem as of yet. Fourth, it doesn't pay to fight the general community consensus when it says you too can install CPAN modules. After 17 years, it's time to get onboard, no?
Re: Malware on CPAN
by zentara (Archbishop) on Jun 20, 2012 at 10:15 UTC
    I've never heard of any malware, but I do worry, especially when running cpan as root. The most noticed unfounded worry for me, is seeing in some modules, written on Windows I presume, files that unpack on Linux in mode 777, executable by anyone. Many of these files are just text files, but they could be sprinkled with bash commands. Nothing has ever happened though, so I don't worry much, but I shudder every time I see them in an unpacked module.

    Another worry I have, although may be unfounded, is that the network security engineers could setup a system where they switch a good download, with one loaded with some malware, thru some temporary DNS chicanery. This would not be CPAN's fault. In this new age of cyber-warfare, I wouldn't put it past the various agencies to try it.

    Of course, I always download and build all modules as an underpriviledged user, then after inspection, install as root, or even better install to the user's home directory with local::lib

    If you want my honest opinion, the biggest source of network related insecurity comes from downloading the numerous precompiled binary libraries and executables, which the various distributions provide. I always compile myself. You should also compile your own kernel and possibly use something like SELinux.

    I went through alot of worrying about this 10 years ago, but then I realized that it was a waste of time. What is your computer used for? If it's just a personal computer, not involved in any secret activity, the risk of invasion is so small, that the time it takes to run REAL security is too high related to the risk. If some evil agency wants to get access to your computer, they have easier ways than using CPAN or RPM's. 99% percent of all security comprimises come from within your own circle of trust. A co-worker, a girlfriend, etc. who you allow to use the computer are almost always the culprit. You have to watch out for people with USB-Memory-Sticks. :-) They can boot your computer with an on-key OS, and do whatever they want.

    I'm not really a human, but I play one on earth.
    Old Perl Programmer Haiku ................... flash japh

      "Another worry I have, although may be unfounded, is that the network security engineers could setup a system where they switch a good download, with one loaded with some malware, thru some temporary DNS chicanery. This would not be CPAN's fault. In this new age of cyber-warfare, I wouldn't put it past the various agencies to try it."

      It seems more complicated slight of hand tactics are already in use ;)

        For me, the StuxNet and Flame exploits contain one lesson; one which is conveniently overlooked by almost all reporters, probably on the orders of their higher-up owners and editors. It only attacks MS Windows, so anyone still using Windows must be crazy. Especially if you live in the Arab world :-)

        Back in the day, when every geek who thought Bill Gates and Windows was in cahoots with the NSA was labeled a kook, we were more vigilant. I always suspected that Windows gained such prominance in the OS market, not because Gates was a genius and Windows was so good, but because it gave big governemnt backdoors into everyone's computers. ( I now don my flame proof suit) :-)

        I'm not really a human, but I play one on earth.
        Old Perl Programmer Haiku ................... flash japh
Re: Malware on CPAN
by stevieb (Abbot) on Jun 20, 2012 at 05:27 UTC

    ...and I've never experienced any, at least with the 'name brand' ones that are often recommended here on PerlMonks.

    The most popular ones are community tested. Instead of trolling, could you share with us some popular modules you've come across in the 13 years you've been here that may be infected? That would be the responsible thing to do... no?

      I've made 10000s of writeups but I dont have a memory, so I need your help to remember what modules on CPAN are, were, or could be malware or they phone homed or dropped a rootkit on a machine or wiped out your home folder or caused a kernel panic.
Re: Malware on CPAN
by CountZero (Bishop) on Jun 20, 2012 at 07:47 UTC
    Everytime you reinvent the wheel and do not use an existing module, some PHP-er sacrifices a cute little kitten to his demon-god.


    A program should be light and agile, its subroutines connected like a string of pearls. The spirit and intent of the program should be retained throughout. There should be neither too little or too much, neither needless loops nor useless variables, neither lack of structure nor overwhelming rigidity." - The Tao of Programming, 4.1 - Geoffrey James

    My blog: Imperial Deltronics
Re: Malware on CPAN
by toolic (Bishop) on Jun 20, 2012 at 12:04 UTC
    I've been wondering if there is any logic to my "no CPAN" requirements that I have been putting up for 13 years on PerlMonks.
    If you are seeking wisdom in the form of Perl code, then it is illogical to require "no CPAN". Why would you expect code posted into a PerlMonks node as a response to your question to be better in any way than the code on CPAN? Even if you don't want to install code from CPAN, you could copy-n-paste it from CPAN, just as you would copy-n-paste it from PerlMonks (provided it's pure Perl). Or, you could just look at the source code on CPAN and write your own code based on the algorithm of the code you see.
Re: Malware on CPAN
by moritz (Cardinal) on Jun 20, 2012 at 05:16 UTC

      I know of 3 in the last 12 years which were quasi-fishy uploads with potential

      Mostly its just tar permissions nonsense that linux folks complain to win32 folks -- PAUSE was updated to deal with that (withoutworldwritables)

      There was one real phone-home thing, and the author took to the criticism, and stopped doing that

      Lots of net/web modules use real-live urls for testing, or try to start servers on local-network instead of explicitly localhost -- I keep fighting this one, but nothing nefarious

      There is one thing still on CPAN which could be used for perl rootkits ( i don't want to publicize it) but its NA (45) UNKNOWN (155)

Re: Malware on CPAN
by Your Mother (Bishop) on Jun 20, 2012 at 06:01 UTC

    Oh, I get it. If we use the CPAN, the terrorists win.

      "...the terrorists win."

      'Former' Counterstrike player here. Is that a good thing or a bad thing?

Re: Malware on CPAN
by DStaal (Chaplain) on Jun 20, 2012 at 13:01 UTC
    I've been wondering if there is any logic to my "no CPAN" requirements that I have been putting up for 13 years on PerlMonks.

    If you don't know why you can't use CPAN, then yes, there is no logic to it. If you have a specific reason then that might be logical - even if that specific reason is 'the boss says so'.

    As for malware - I have a mini-cpan repository that gets scanned by the local anti-virus on a regular schedule. There are a couple of known viruses in it - but upon examination they are in test suites, so that modules can prove they work correctly when dealing with them. (For instance, there is one in Spamassassin's test suite, which from the comments Spamassassin broke on once.) Other than that, nothing gets found.

Re: Malware on CPAN
by frozenwithjoy (Priest) on Jun 20, 2012 at 05:42 UTC
    Your arguments and examples are strong. You've convinced me to reinvent everything. Thanks for helping me to see the light. ^__^

    Seriously though, I've never thought of this nor had any issues. Do you suspect any specific modules as being evil?

Re: Malware on CPAN
by sundialsvc4 (Abbot) on Jun 20, 2012 at 13:43 UTC

    There is no point setting up the spectre of a hypothetical nasty, a straw man, and then calling it a bugaboo and blaming it on CPAN.   You are rattling a chain that isn’t connected to anyone or anything.   You’re arguing for a causal association that simply does not have any meaning at all.   Malice can be done in any language.   In any library.   But a contributed library (Perl or otherwise), which by definition is encountered by and reviewed by a great many people, is far less likely to be a vector for malice than original code which no one other than the disgruntled author may actually see.   There are lots of lone wolves out there, and a few of them might be rabid.   Their malicious tendencies are much more likely to succeed in a “one off” system that only they may see, than by a system that thousands of individuals worldwide must deal with constantly.

      Frankly, Win* || MacOS & !OSX have done their best to sheild users from the underlying processes since day 1. It's hard to point fingers at any perl module for attempting to align itself with the OS's policy.

      As security goes; the only real-life issue I can ever see actually arising -- which is fairly trivial, would be a case of "DNS cache poisoning" coming from the use some NET::, or DNS:: module. Of course, that also requires the module to be installed globally as root, and for the system to be running an Authoritive DNS service locally. Best practices; keep the cache life very short.

      Which brings me to those ^evil^ Win* module writers -- 2 issues:
      1) Notepad has been able to read/write LF line endings since WinNT version 4
      (cat(1)||awk(1) && sed(1) will correct this for *NIX users).
      2) Permissions, eg; 0777. Again, *NIX users have a large toolbox, and can perform the following:

      #!/bin/sh # first, the folders find . -type d -print | while read i do chmod 0755 $i done # now, the files find . -type f -print | while read i do chmod 0644 $i done # a variation using ls(1) could also have been employed

      All, and all; DO examine the source before making && installing. You'd be surprised how much you can learn -- even from the routines included within the source. :)
      --'nuf said.

      #!/usr/bin/perl -Tw
      use strict;
      use perl::always;
      my $perl_version( 5.12.4 );
      print $perl_version;

        Say, why would you do while loop instead of xargs ...

        find ... -print0 | xargs -0 chmod ...

        ... ?

        Somewhat related, I have come to like symbolic permission modes to selectively modify the permissions while preserving the rest ...

        # Strip group- & world-write permissions. chmod -R g-w,o-w directory
Re: Malware on CPAN
by DrHyde (Prior) on Jul 01, 2013 at 11:05 UTC
    I've been wondering if there is any logic to my "no CPAN" requirements that I have been putting up for 13 years on PerlMonks.
    Of course there isn't. If you ask for a solution to a problem and say "and no CPAN", then I'm going to point you at the appropriate modules on the CPAN anyway, because it's less effort than me copying and pasting their code. If you want to waste your time copying and pasting, that's fine, but don't expect other people to do it for you.
Re: Malware on CPAN
by thomas895 (Chaplain) on Jun 20, 2012 at 21:50 UTC

    It's called reading the code. Of course, everything can be abused in one way or another, but the trick is to avoid sketchy modules and suspicious authours.
    If you are truly paranoid, use a VM image and install it on that to see if it does anything malicious.

    Also, while the binary packages for your system can be useful, it's sometimes best to avoid them. On openSUSE, if you become part of the build service, you can upload what you have compiled from the CPAN(for example), with your own malicious tweaks. Of course, that is one way to get nasty emails and negative "internetz". ;-)
    As a security precaution, I only use the official repos, which contain tested and verified software. Of course, nothing is guaranteed, and it's always possible something slipped through. Generally, however, I do not use the home:* repos.

    confess( "I offer no guarantees on my code." );
Re: Malware on CPAN
by Argel (Prior) on Jun 20, 2012 at 20:04 UTC
    First time I have really seen those concerns raised. The one I am used to is because company or government policy prevents it.

    Elda Taluta; Sarks Sark; Ark Arks
    My deviantART gallery

Re: Malware on CPAN
by jfroebe (Parson) on Jul 01, 2013 at 17:29 UTC

    A strong claim is made but no evidence was given to back it up. I would love to see an example of a malicious module on CPAN. Does anyone know of such a module in CPAN?

    Jason L. Froebe

    Blog, Tech Blog

Re: Malware on CPAN
by Anonymous Monk on Jun 20, 2012 at 23:16 UTC
    1. scenario by this number — answer: yes, we caught you!
    2. scenario by this number — answer: no, because you fail each time!!
    3. scenario by this number — answer: beat you with a wet noodle!!!
    Frankly, I don't care what your mission is, because you FAIL!!!!!

Log In?

What's my password?
Create A New User
Node Status?
node history
Node Type: perlquestion [id://977218]
Front-paged by stevieb
and all is quiet...

How do I use this? | Other CB clients
Other Users?
Others drinking their drinks and smoking their pipes about the Monastery: (6)
As of 2018-06-18 21:45 GMT
Find Nodes?
    Voting Booth?
    Should cpanminus be part of the standard Perl release?

    Results (110 votes). Check out past polls.