Re: Linux Virus
http://www.securityfocus.com/ there's a link on the main page regarding latest linux worm and http://www.sans.org/y2k/adore.htm

-thx, robt

Shawn Garbett wrote:
>
> Whoops, using a Microsoft Windows box with Netscape here at work,
> ugh. Had to fight the @[EMAIL PROTECTED] box just to give me the correct URL:
>
> http://www.msnbc.com/news/554789.asp
>
> Tyrin Price wrote:
>
> > * Shawn Garbett <[EMAIL PROTECTED]> [05Apr01 13:17 -0400]:
> >
> >> There's a new virus in town. Here's the news for the mouthpiece of
> >> Bill himself:
> >> http://www.allnetdevices.com/wired/news/2001/04/05/motorola_set.html
> >> It mentions an adorefind program, has anyone run this under
> >> Debian? Are there any recommended package upgrades to prevent these
> >> latest rounds of worms?
> >>
> > The URL above goes to an article having nothing to do with Linux.
> >
Re: Linux Virus
On Sun, Apr 01, 2001 at 09:23:33AM +, hzi wrote:
> When you use wvdial, you read e-mail as root, don't you? Wvdial is probably
> the most common way to set up a ppp connection, since it's suggested in the
> Debian documentation.
> So I guess my question would be how to use wvdial and still remain safe
> from "virus".

Once you sign on with wvdial all users can use the internet, so you don't have to be logged in as root to read your email. There is a program 'pppconfig' which I think is better than wvdial and also makes it easy to allow users other than root to start and stop ppp connections.

--
Harry Henry Gebel
West Dover Hundred, Delaware
Re: Linux Virus
> "Ethan" == Ethan Benson <[EMAIL PROTECTED]> writes:

    Ethan> sudo with an ALL=ALL entry is just as dangerous (more so
    Ethan> IMO, because it turns user passwords into multiple root
    Ethan> passwords) than su.

Hopefully one day you will be able to do something like this:

Obtain a Kerberos ticket for root so you can su to root without a password, but use kernel capabilities so only trusted processes (eg. a trusted xterm session) have access to the ticket file.

Of course you have to remember not to run untrusted processes in the trusted xterm session (and the attack Ethan describes is still possible unless you protect the .* files too), but I think it is a lot better than allowing all processes access.

--
Brian May <[EMAIL PROTECTED]>
Re: Linux Virus
On Sat, Mar 31, 2001 at 11:06:31PM -0800, Karsten M. Self wrote:
> on Sat, Mar 31, 2001 at 08:45:25AM -0600, John Hasler ([EMAIL PROTECTED]) wrote:
> > Ethan Benson writes:
> > > cat <<EOF >> ~/.bashrc
> > > alias su='su -c ~/.virus'
> > > EOF
> >
> > su might benefit from a configuration file that sets the permissible path
> > for -c.
> >
> > Another possible fix might be for bash to somehow detect "gain-root"
> > commands and refuse to alias them.
>
> Nope.
>
> sudo provides this functionality. 'su' allows you to become an
> effective user. To use 'su' to execute root commands, you require the
> root password. What, exactly, are you protecting against.

my trick would work on sudo as well, at least the way most people configure it -- by adding a line like this:

theirusername ALL=(ALL) ALL

in which case they can use sudo to execute ANYTHING as root. so...

cat <<EOF >> ~/.bashrc
alias sudo='sudo ~/.virus'
EOF

same thing as su, if the account we added this to is the admin of the machine and they use su to gain root and perform the administrative task they needed to perform, and they just type `su' at their command prompt they will get a password: prompt as usual and will enter the root password, but in reality they just executed:

su -c ~/.virus

see the su man page to see what this does.

now if the admin does everything via sudo instead of using short su sessions they will need a ALL=ALL line like above. so next time they sudo something, say:

sudo apt-get update

the shell will instead run

sudo ~/.virus

and sudo will ask the password and happily run ~/.virus as root.

> Better, IMO, to use sudo to invoke su, and restrict rights to do so to
> specified users.

what does this buy you? see above. this is in fact less secure IMO, since it turns ordinary user passwords into the root password. if you want to restrict who is allowed to go to root invoke the `wheel' group policy.

> For restricted commands access, use the tool designed for this task,
> sudo.

my point is that if the admin's account is the one getting the nice shell alias dropped into the next time they perform an administrative command -- however they accomplish it, either sudo or su -- they will potentially run the virus/trojan as root.

in the case of a ordinary user who is allowed to run ONLY a very small handful of very safe unrootable programs via sudo this alias trick will fail. at least assuming you specify the absolute pathname to the command in /etc/sudoers.

sudo with an ALL=ALL entry is just as dangerous (more so IMO, because it turns user passwords into multiple root passwords) than su.

--
Ethan Benson
http://www.alaska.net/~erbenson/
Re: Linux Virus
on Sat, Mar 31, 2001 at 08:45:25AM -0600, John Hasler ([EMAIL PROTECTED]) wrote:
> Ethan Benson writes:
> > cat <<EOF >> ~/.bashrc
> > alias su='su -c ~/.virus'
> > EOF
>
> su might benefit from a configuration file that sets the permissible path
> for -c.
>
> Another possible fix might be for bash to somehow detect "gain-root"
> commands and refuse to alias them.

Nope.

sudo provides this functionality. 'su' allows you to become an effective user. To use 'su' to execute root commands, you require the root password. What, exactly, are you protecting against.

Better, IMO, to use sudo to invoke su, and restrict rights to do so to specified users.

For restricted commands access, use the tool designed for this task, sudo.

--
Karsten M. Self http://kmself.home.netcom.com/
What part of "Gestalt" don't you understand? There is no K5 cabal
http://gestalt-system.sourceforge.net/ http://www.kuro5hin.org
Re: Linux Virus
On Sat, Mar 31, 2001 at 05:54:07PM -0600, John Hasler wrote:
> Ethan Benson writes:
> > cat <<EOF >> ~/.bashrc
> > export PATH="$HOME/.evil:${PATH}"
> > EOF
>
> > and put a bogus su shell script in ~/.evil
>
> chmod a-w ~/.bashrc ~/.bash_profile
>
> .bashrc and .bash_profile should be read-only by default, IMHO.

yup i've done this after seeing a few security holes in things like xchat where a url gets passed unsafely to /bin/sh allowing for crap like above.

unfortunately its not terribly strong protection since in many cases its not hard for the exploit to add a chmod u+w ~/.bashrc.

bsd has a `user immutable' bit similar to linux's immutable bit (except users can set and remove it on files they own, bsd's system immutable is the equivalent to linux' immutable) except this doesn't necessarily help either since a chflags nouchg ~/.bashrc isn't any harder than chmod u+w ~/.bashrc...

--
Ethan Benson
http://www.alaska.net/~erbenson/
Re: Linux Virus
Ethan Benson writes:
> cat <<EOF >> ~/.bashrc
> export PATH="$HOME/.evil:${PATH}"
> EOF

> and put a bogus su shell script in ~/.evil

chmod a-w ~/.bashrc ~/.bash_profile

.bashrc and .bash_profile should be read-only by default, IMHO.

--
John Hasler
[EMAIL PROTECTED] (John Hasler)
Dancing Horse Hill
Elmwood, WI
Re: Linux Virus
hzi writes:
> When you use wvdial, you read e-mail as root, don't you?

I can't think of any reason why that follows.

> Wvdial is probably the most common way to set up a ppp connection, since
> it's suggested in the Debian documentation.

Which documentation is that?

--
John Hasler
[EMAIL PROTECTED]
Dancing Horse Hill
Elmwood, Wisconsin
Re: Linux Virus
hzi wrote:
>
> Hi-
>
> When you use wvdial, you read e-mail as root, don't you? Wvdial is probably
> the most common way to set up a ppp connection, since it's suggested in the
> Debian documentation.
>
> So I guess my question would be how to use wvdial and still remain safe from
> "virus".

this does not make sense at all. you use wvdial as root to connect (you don't have to, I guess, but let's assume you do), there's nothing to prevent you to use that given connection to read email as different user.

notice that there are independent processes going on here:
- network (you have to have a connection to wherever you get email from)
- getting of email
- reading of email

each of these can be done by different user and definitely by different programs.

your first sentence: no, there's no reason to read email as root when you use wvdial.

also, while wvdial might be suggested po & poff and its supporting files are set up during configuration and for lot of users that's enough... also gnome and kde have their own programs to start ppp so I guess lot of people using gnome and kde use those. but that's not related much to the current discussion...

erik
Re: Linux Virus
Hi-

When you use wvdial, you read e-mail as root, don't you? Wvdial is probably the most common way to set up a ppp connection, since it's suggested in the Debian documentation.

So I guess my question would be how to use wvdial and still remain safe from "virus".

Thank you,
Regards,
Henry

At 10:00 PM 3/28/2001 -0500, Ben Collins wrote:

On Thu, Mar 29, 2001 at 12:55:16PM +1000, Mark Devin wrote:

Does anyone know anything further on this new W32.Winux virus. Check out this link: http://news.cnet.com/news/0-1003-200-5329436.html?tag=st.cn.1.lthd

Surely this virus cannot overwrite executables that require root permission? Or can it?

No, if this virus actually exists (and I doubt it's true, or even particularly threatening), it can only affect your files. Unless you are in the bad habit of reading email as root, and executing random attachments manually.

At this point the virus is just a proof of concept, no payload and no replication existing only on the author's HD and the copy he emailed to the anti-viral company.

the proven concept may be used to do more interesting things.
Re: Linux Virus
On Sat, Mar 31, 2001 at 08:45:25AM -0600, John Hasler wrote:
> Ethan Benson writes:
> > cat <<EOF >> ~/.bashrc
> > alias su='su -c ~/.virus'
> > EOF
>
> su might benefit from a configuration file that sets the permissible path
> for -c.

interesting idea, somewhat similar to sudo, though i think sudo's PATH handling may be broken as of late.

> Another possible fix might be for bash to somehow detect "gain-root"
> commands and refuse to alias them.

this is somewhat weaker, it could also do the following:

cat <<EOF >> ~/.bashrc
export PATH="$HOME/.evil:${PATH}"
EOF

and put a bogus su shell script in ~/.evil

--
Ethan Benson
http://www.alaska.net/~erbenson/
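A defender's check for the two tricks described in the messages above (an alias or function named su/sudo, and a home directory placed ahead of the system PATH), as an added example that is not part of any poster's message. The startup-file list, the `PRIV_CMDS` set and all function names are assumptions made for this sketch, and the sample home directory it scans by default is constructed.

```shell
#!/bin/sh
# Added example: read-only audit of shell startup files. Changes nothing.

PRIV_CMDS='su|sudo'      # assumption: commands that must never be shadowed
RC_FILES='.bashrc .bash_profile .bash_login .profile .bash_aliases'

# shadow_defs FILE: report aliases or shell functions named after a
# privileged command, as "ALIAS|FUNC file:lineno:text".
shadow_defs() {
    grep -nE "^[[:space:]]*alias[[:space:]]+(.*[[:space:]])?($PRIV_CMDS)=" "$1" |
        while IFS= read -r hit; do printf 'ALIAS %s:%s\n' "$1" "$hit"; done
    grep -nE "^[[:space:]]*(function[[:space:]]+($PRIV_CMDS)([[:space:](){]|\$)|($PRIV_CMDS)[[:space:]]*\(\))" "$1" |
        while IFS= read -r hit; do printf 'FUNC %s:%s\n' "$1" "$hit"; done
    return 0
}

# path_shadows FILE HOME: for each home-relative directory that FILE puts
# at the front of PATH, report any file in it named like a privileged command.
path_shadows() {
    sed -nE 's#^[[:space:]]*(export[[:space:]]+)?PATH=.?(\$HOME|\$\{HOME\}|~)(/[^:]*):.*#\3#p' "$1" |
    while IFS= read -r rel; do
        for cmd in $(printf '%s' "$PRIV_CMDS" | tr '|' ' '); do
            if [ -e "$2$rel/$cmd" ]; then
                printf 'PATH %s: %s%s/%s shadows %s\n' "$1" "$2" "$rel" "$cmd" "$cmd"
            fi
        done
    done
    return 0
}

# audit_home HOME: print all findings; return 0 if clean, 1 otherwise.
audit_home() {
    home=$1
    found=$(
        for name in $RC_FILES; do
            f=$home/$name
            [ -f "$f" ] || continue
            shadow_defs "$f"
            path_shadows "$f" "$home"
        done
    )
    if [ -z "$found" ]; then
        return 0
    fi
    printf '%s\n' "$found"
    return 1
}

# demo: build a constructed home directory containing both tricks
# (the ".evil/su" file is an empty placeholder) and audit it.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/.evil"
    : > "$tmp/.evil/su"
    printf '%s\n' "alias su='su -c ~/.virus'" \
        'export PATH="$HOME/.evil:${PATH}"' > "$tmp/.bashrc"
    audit_home "$tmp" || true
    rm -rf "$tmp"
}

# Audit the directory given as an argument, else the constructed sample.
if [ $# -gt 0 ]; then audit_home "$1"; else demo; fi
```

The check only reads the startup files, so unlike `chmod a-w` it does not depend on the account's own processes being unable to undo it; run it from a context the account cannot alter, such as root's cron.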
Re: Linux Virus
on Sat, Mar 31, 2001 at 07:40:45PM +0200, Roberto Diaz ([EMAIL PROTECTED]) wrote:
> > Like every so-called Linux virus, it requires the user to behave stupidly
> > - it's really a trojan horse. It has the same permission rules as any
> > other program, so it can't change root-owned files, unless they are
> > world-writable or you are running as root.
> > The thing that's special about it is that it can infect both Windows and
> > Linux executables - which is really quite impressive. Otherwise it's
> > nothing special.
>
> What chances do we have to get a virus from a malicious .deb package
> someone had leak into debian.org?
>
> We always run apt-get as root.. don't we?

There have recently been some changes to the deb package format, including the ability to sign packages (a feature enabled on RPM for some time). I've only picked up part of the discussion, but it's a suggestion that's been outstanding for some time. It doesn't solve all problems, but it does tighten the holes a bit.

Someone got a pointer to the discussion? I'll research later today.

--
Karsten M. Self http://kmself.home.netcom.com/
What part of "Gestalt" don't you understand? There is no K5 cabal
http://gestalt-system.sourceforge.net/ http://www.kuro5hin.org
Re: Linux Virus
Roberto writes:
> What chances do we have to get a virus from a malicious .deb package
> someone had leak into debian.org?

It would have to acquire the signature of a Debian developer to get into unstable, remain dormant for at least two weeks to get into testing, and lie dormant there until the next release in order to get into stable.

--
John Hasler
[EMAIL PROTECTED]
Dancing Horse Hill
Elmwood, Wisconsin
Re: Linux Virus
> Like every so-called Linux virus, it requires the user to behave stupidly
> - it's really a trojan horse. It has the same permission rules as any
> other program, so it can't change root-owned files, unless they are
> world-writable or you are running as root.
> The thing that's special about it is that it can infect both Windows and
> Linux executables - which is really quite impressive. Otherwise it's
> nothing special.

What chances do we have to get a virus from a malicious .deb package someone had leak into debian.org?

We always run apt-get as root.. don't we?

Regards
Roberto

Roberto Diaz <[EMAIL PROTECTED]>
http://vivaldi.ddts.net
Powered by ddt dynamic DNS
Powered by GNU running on a Linux kernel.
Powered by Debian (The real wonder)
Concerto Grosso Op. 3/8 A minor Antonio Vivaldi (so... do you need beautiful words?)
Re: Linux Virus
Ethan Benson writes:
> cat <<EOF >> ~/.bashrc
> alias su='su -c ~/.virus'
> EOF

su might benefit from a configuration file that sets the permissible path for -c.

Another possible fix might be for bash to somehow detect "gain-root" commands and refuse to alias them.

--
John Hasler
[EMAIL PROTECTED]
Dancing Horse Hill
Elmwood, Wisconsin
Re: Linux Virus
On Fri, Mar 30, 2001 at 05:46:19PM -0800, Karsten M. Self wrote:
>
> Hmm...dual-booting considered harmful. Interesting.
>
> Short version being that relying on OS filesystem protections to keep
> you from mangling your system files is an invalid assumption if:
>
> - You're booting multiple OSs.
> - One or more of the OSs offers filesystem access to others.
> - The filesystem access doesn't respect user-level permissions offered
>   by the host OS.
>
> Very interesting.

the other OS need not supply its own filesystem access either. windows and MacOS neither have a clue what ext2 is, and simply ignore ext2 partition types (0x83 or Apple_UNIX_SVR2). however for windows there is a program (or used to be) which would read the raw ext2 partition and parse the filesystem on its own, making it accessible to the windows side. permissions are obviously not enforced.

macos has a (rather broken) extension which allows ext2 filesystems to mount like any other mac filesystem. it was read-only last i checked, and barely worked, i think the author abandoned it. in any event it ignored permissions as well. (since the underlying OS has no clue what permissions are)

your only hope really is to only boot securable OSes, for the windows side use NT or W2K and not 9x or ME, and be sure to configure it to be secure (don't login to users in the administrators group, fix the broken filesystem permissions etc)

> You're not paranoid. They really *are* out to get you.

;-)

--
Ethan Benson
http://www.alaska.net/~erbenson/
Re: Linux Virus
On Fri, Mar 30, 2001 at 05:54:25PM -0800, Karsten M. Self wrote:
> on Wed, Mar 28, 2001 at 10:53:33PM -0500, William T Wilson ([EMAIL PROTECTED]) wrote:
> > On Thu, 29 Mar 2001, Mark Devin wrote:
> >
> > > Surely this virus cannot overwrite executables that require root
> > > permission? Or can it?
> >
> > Like every so-called Linux virus, it requires the user to behave stupidly
> > - it's really a trojan horse.
>
> No, it's not a trojan, it's a virus.
>
> A trojan, classic definition, is a program that tricks you into running
> it, which allows it to run its majick, and generally transfer, in whole,
> to another system. The confidence game needs to be played each time the
> program is run.
>
> A virus actively infects other files. The confidence game needs to be
> played once. Afterward, you're running what should be good files, which
> have been modified in place. Systems such as md5sums should pick these
> out (you'd need a pretty sophisticated virus to catch that), but the
> roster of infected files on your system could change on a variable
> basis.

though one could argue that the virus was delivered by a trojan...

> > It has the same permission rules as any other program, so it can't
> > change root-owned files, unless they are world-writable or you are
> > running as root.
>
> The hard step is going from user-level executable to system-level
> executable. You'd need a user-owned binary which a root-owned process
> might run to make this transition.

cat <<EOF >> ~/.bashrc
alias su='su -c ~/.virus'
EOF

--
Ethan Benson
http://www.alaska.net/~erbenson/
Re: Linux Virus
on Wed, Mar 28, 2001 at 10:53:33PM -0500, William T Wilson ([EMAIL PROTECTED]) wrote:
> On Thu, 29 Mar 2001, Mark Devin wrote:
>
> > Surely this virus cannot overwrite executables that require root
> > permission? Or can it?
>
> Like every so-called Linux virus, it requires the user to behave stupidly
> - it's really a trojan horse.

No, it's not a trojan, it's a virus.

A trojan, classic definition, is a program that tricks you into running it, which allows it to run its majick, and generally transfer, in whole, to another system. The confidence game needs to be played each time the program is run.

A virus actively infects other files. The confidence game needs to be played once. Afterward, you're running what should be good files, which have been modified in place. Systems such as md5sums should pick these out (you'd need a pretty sophisticated virus to catch that), but the roster of infected files on your system could change on a variable basis.

> It has the same permission rules as any other program, so it can't
> change root-owned files, unless they are world-writable or you are
> running as root.

The hard step is going from user-level executable to system-level executable. You'd need a user-owned binary which a root-owned process might run to make this transition.

--
Karsten M. Self http://kmself.home.netcom.com/
What part of "Gestalt" don't you understand? There is no K5 cabal
http://gestalt-system.sourceforge.net/ http://www.kuro5hin.org
Re: Linux Virus
on Wed, Mar 28, 2001 at 07:11:00PM -0900, Ethan Benson ([EMAIL PROTECTED]) wrote:
> On Wed, Mar 28, 2001 at 10:53:33PM -0500, William T Wilson wrote:
> > On Thu, 29 Mar 2001, Mark Devin wrote:

<...>

> > The thing that's special about it is that it can infect both Windows and
> > Linux executables - which is really quite impressive. Otherwise it's
> > nothing special.
>
> something more nefarious would be for the virus when run from windows
> to find linux partitions and use internal ext2 support to modify
> binaries on the linux filesystems.

Hmm...dual-booting considered harmful. Interesting.

Short version being that relying on OS filesystem protections to keep you from mangling your system files is an invalid assumption if:

- You're booting multiple OSs.
- One or more of the OSs offers filesystem access to others.
- The filesystem access doesn't respect user-level permissions offered by the host OS.

Very interesting.

You're not paranoid. They really *are* out to get you.

--
Karsten M. Self http://kmself.home.netcom.com/
What part of "Gestalt" don't you understand? There is no K5 cabal
http://gestalt-system.sourceforge.net/ http://www.kuro5hin.org
Re: Linux Virus
On Wed, Mar 28, 2001 at 10:19:10PM -0500, Ben Collins wrote:
> Anyone can do that. I can write a C program and send it to you that
> emails me /etc/passwd and /etc/shadow. You still have to be dumb enough
> to execute it. That's not a virus, that's social trickery. Now, if it
> emails itself (and remember with Linux there are several dozen email
> programs, so finding the right address book format is pretty hard), then
> it is viral, sort of, since you still have to manually execute it.

Based on my reading of the relevant news stories, this thing looks like a true virus in the old sense of the term: it infects other files and uses them to spread itself. Although I don't expect it to get very far, this sort of thing is potentially far more serious than the Outlook macro worms that everyone is calling "viruses" these days. An old-style virus only requires one person to be stupid enough to run it and then it hides pretty well; a macro worm requires every victim to be stupid enough to either run it manually or use a piece of software (Outlook, outdated BIND, whatever) which allows it to execute without user intervention.

For instance, I could write a program, let's call it my_virus, which infects all files in the current directory and its parent directory, as this Winux virus is described as doing. I email it all over the world and a copy happens to arrive in your sysadmin's mailbox while he's working on something in /bin. His mind is out to lunch, so he reads his mail and runs my_virus while still root. Every file in /bin and / is now infected and will infect other files.

A week later, you rebuild your pet C project, super_time_waster, and send a copy to your friend. You think it's perfectly benign - you have the source, so how could it be a trojan, right? And /bin/ls tells you it's the version you just built 5 minutes ago. Too bad that /bin/ls just infected everything in the directory (including super_time_waster) as it told you that...

(Worse, after the next reboot, you'll be running an infected kernel, assuming it's at (or symlinked from) /vmlinuz. Depending on the virus's structure, this could make your system unbootable or rapidly infect every executable file on the system.)

Then your friend, of course, runs super_time_waster, confident in its authenticity, and infects all of his files. Without a copy of the original my_virus executable going anywhere near his system.

I hate to disagree with you Ben, but that's about as viral as it gets.

--
Linux will do for applications what the Internet did for networks.
- IBM, "Peace, Love, and Linux"
Geek Code 3.1: GCS d? s+: a- C++ UL++$ P++>+++ L+++> E- W--(++) N+ o+
!K w---$ O M- V? PS+ PE Y+ PGP t 5++ X+ R++ tv b+ DI D G e* h+ r y+
RE: Linux Virus
This article might point out some things

http://www.theregister.co.uk/content/8/17938.html

-----Original Message-----
From: John Griffiths [mailto:[EMAIL PROTECTED]
Sent: Thursday, 29 March 2001 5:08
To: Ben Collins
Cc: Mark Devin; Debian-user
Subject: Re: Linux Virus

At 10:00 PM 3/28/2001 -0500, Ben Collins wrote:
>On Thu, Mar 29, 2001 at 12:55:16PM +1000, Mark Devin wrote:
>> Does anyone know anything further on this new W32.Winux virus.
>> Check out this link:
>> http://news.cnet.com/news/0-1003-200-5329436.html?tag=st.cn.1.lthd
>>
>> Surely this virus cannot overwrite executables that require root
>> permission? Or can it?
>
>No, if this virus actually exists (and I doubt it's true, or even
>particularly threatening), it can only affect your files. Unless you are
>in the bad habit of reading email as root, and executing random
>attachments manually.

At this point the virus is just a proof of concept, no payload and no replication existing only on the author's HD and the copy he emailed to the anti-viral company.

the proven concept may be used to do more interesting things.
Re: Linux Virus
On Wed, Mar 28, 2001 at 10:43:12PM -0500, Ben Collins wrote:
> Arguably, there is less of a chance of that under Linux. Most people who
> use Windows (like 99.9%) use either Outlook, Eudora or Netscape for
> email. On Linux, the numbers cannot be used against it. If you target a
> Linux virus for Pine, or whatever, chances are you won't propagate very
> far. Trying to write a virus that works on "most" Linux email clients is
> beyond the scope of a small viral program.

Well, maybe it'll come with an autoconf generated configure. :)

-b., who remembers the old "You can spot a virus for CP/M when it has to be shipped on 100 different floppy formats and requires 3 floppies worth of drivers."

--
CueCat decoder .signature by Larry Wall:
#!/usr/bin/perl -n
printf "Serial: %s Type: %s Code: %s\n", map { tr/a-zA-Z0-9+-/ -_/; $_ = unpack
'u', chr(32 + length()*3/4) . $_; s/\0+$//; $_ ^= "C" x length; } /\.([^.]+)/g;
Re: Linux Virus
Well... remember that most of the recent Melissa style worms are slapped together with Visual Basic... Not a great risk that ext2 support will show up :-)

--Rich

...and the paperclip winked at me and said: "It looks like you're writing a macro virus... Would you like help?" (another stolen .sig)

Ethan Benson wrote:
>
> something more nefarious would be for the virus when run from windows
> to find linux partitions and use internal ext2 support to modify
> binaries on the linux filesystems.

--
Rich Puhek
ETN Systems Inc.
Re: Linux Virus
On Wed, Mar 28, 2001 at 10:53:33PM -0500, William T Wilson wrote:
> On Thu, 29 Mar 2001, Mark Devin wrote:
>
> > Surely this virus cannot overwrite executables that require root
> > permission? Or can it?
>
> Like every so-called Linux virus, it requires the user to behave stupidly
> - it's really a trojan horse. It has the same permission rules as any
> other program, so it can't change root-owned files, unless they are
> world-writable or you are running as root.

or you're running MacOSX where pretty much all binaries are writable by the default user account.

> The thing that's special about it is that it can infect both Windows and
> Linux executables - which is really quite impressive. Otherwise it's
> nothing special.

something more nefarious would be for the virus when run from windows to find linux partitions and use internal ext2 support to modify binaries on the linux filesystems.

--
Ethan Benson
http://www.alaska.net/~erbenson/
Re: Linux Virus
On Thu, 29 Mar 2001, Mark Devin wrote:

> Surely this virus cannot overwrite executables that require root
> permission? Or can it?

Like every so-called Linux virus, it requires the user to behave stupidly - it's really a trojan horse. It has the same permission rules as any other program, so it can't change root-owned files, unless they are world-writable or you are running as root.

The thing that's special about it is that it can infect both Windows and Linux executables - which is really quite impressive. Otherwise it's nothing special.
Re: Linux Virus
On Thu, Mar 29, 2001 at 01:33:30PM +1000, John Griffiths wrote:
> At 10:29 PM 3/28/2001 -0500, Ben Collins wrote:
> >On Thu, Mar 29, 2001 at 01:26:39PM +1000, John Griffiths wrote:
> >> >IMO, this is nothing completely new or innovative. ASM has been around a
> >> >long time, even before viruses. It all boils down to people being smart
> >> >enough not to accept attachments from people they don't know, and
> >> >especially don't execute programs sent to you randomly over the
> >> >internet.
> >>
> >> Agreed up to a point. But all you need is one person to open it blind and
> >> then the rest go out to the address book and appear (to the next
> >> recipients) to be someone they know. which alters the balance somewhat.
> >
> >Good point...kind of a "the chain is only as strong as its weakest link"
> >scenario :)
> >
>
> Also worth noting that the last few headline viruses on windows have done no
> more damage than a user-level virus operating on a unix machine.
>
> they have been notable in the denial of service aspects of their replication,
> and the cunning nature of their social engineering.

Arguably, there is less of a chance of that under Linux. Most people who use Windows (like 99.9%) use either Outlook, Eudora or Netscape for email. On Linux, the numbers cannot be used against it. If you target a Linux virus for Pine, or whatever, chances are you won't propagate very far. Trying to write a virus that works on "most" Linux email clients is beyond the scope of a small viral program.

--
 ---===-=-==-=---==-=--
/ Ben Collins -- ...on that fantastic voyage... -- Debian GNU/Linux \
` [EMAIL PROTECTED] -- [EMAIL PROTECTED] -- [EMAIL PROTECTED] '
 `---=--===-=-=-=-===-==---=--=---'
Re: Linux Virus
At 10:29 PM 3/28/2001 -0500, Ben Collins wrote:
>On Thu, Mar 29, 2001 at 01:26:39PM +1000, John Griffiths wrote:
>> >IMO, this is nothing completely new or innovative. ASM has been around a
>> >long time, even before viruses. It all boils down to people being smart
>> >enough not to accept attachments from people they don't know, and
>> >especially don't execute programs sent to you randomly over the
>> >internet.
>>
>> Agreed up to a point. But all you need is one person to open it blind and
>> then the rest go out to the address book and appear (to the next recipients)
>> to be someone they know. which alters the balance somewhat.
>
>Good point...kind of a "the chain is only as strong as its weakest link"
>scenario :)
>

Also worth noting that the last few headline viruses on windows have done no more damage than a user-level virus operating on a unix machine.

they have been notable in the denial of service aspects of their replication, and the cunning nature of their social engineering.

plus re-installing my OS is a lot less painful than losing my personal files. (backups notwithstanding)
Re: Linux Virus
On Thu, Mar 29, 2001 at 01:26:39PM +1000, John Griffiths wrote:
> >IMO, this is nothing completely new or innovative. ASM has been around a
> >long time, even before viruses. It all boils down to people being smart
> >enough not to accept attachments from people they don't know, and
> >especially don't execute programs sent to you randomly over the
> >internet.
>
> Agreed up to a point. But all you need is one person to open it blind and
> then the rest go out to the address book and appear (to the next recipients)
> to be someone they know. which alters the balance somewhat.

Good point...kind of a "the chain is only as strong as its weakest link" scenario :)

--
 ---===-=-==-=---==-=--
/ Ben Collins -- ...on that fantastic voyage... -- Debian GNU/Linux \
` [EMAIL PROTECTED] -- [EMAIL PROTECTED] -- [EMAIL PROTECTED] '
 `---=--===-=-=-=-===-==---=--=---'
Re: Linux Virus
>IMO, this is nothing completely new or innovative. ASM has been around a
>long time, even before viruses. It all boils down to people being smart
>enough not to accept attachments from people they don't know, and
>especially don't execute programs sent to you randomly over the
>internet.

Agreed up to a point. But all you need is one person to open it blind and then the rest go out to the address book and appear (to the next recipients) to be someone they know. which alters the balance somewhat.
Re: Linux Virus
On Thu, Mar 29, 2001 at 01:07:49PM +1000, John Griffiths wrote:
> At 10:00 PM 3/28/2001 -0500, Ben Collins wrote:
> >On Thu, Mar 29, 2001 at 12:55:16PM +1000, Mark Devin wrote:
> >> Does anyone know anything further on this new W32.Winux virus.
> >> Check out this link:
> >> http://news.cnet.com/news/0-1003-200-5329436.html?tag=st.cn.1.lthd
> >>
> >> Surely this virus cannot overwrite executables that require root
> >> permission? Or can it?
> >
> >No, if this virus actually exists (and I doubt it's true, or even
> >particularly threatening), it can only affect your files. Unless you are
> >in the bad habit of reading email as root, and executing random
> >attachments manually.
>
> At this point the virus is just a proof of concept, no payload and no
> replication existing only on the author's HD and the copy he emailed to the
> anti-viral company.
>
> the proven concept may be used to do more interesting things.

The concept is still dependent on the user executing an attachment (depending on their email client, which most Linux clients are smart), and it can still only affect user owned files, not root (unless said email is read, and attachment is executed, by root).

Anyone can do that. I can write a C program and send it to you that emails me /etc/passwd and /etc/shadow. You still have to be dumb enough to execute it. That's not a virus, that's social trickery. Now, if it emails itself (and remember with Linux there are several dozen email programs, so finding the right address book format is pretty hard), then it is viral, sort of, since you still have to manually execute it.

Yes, it is pretty nifty that it can run on i386-Linux and Windows using basic asm. However, that is a very limited thing, and for it to really do something useful, it will need to do a lot more, and will most likely be less able to run on both Windows and Linux from one binary.

IMO, this is nothing completely new or innovative. ASM has been around a long time, even before viruses. It all boils down to people being smart enough not to accept attachments from people they don't know, and especially don't execute programs sent to you randomly over the internet.

--
 ---===-=-==-=---==-=--
/ Ben Collins -- ...on that fantastic voyage... -- Debian GNU/Linux \
` [EMAIL PROTECTED] -- [EMAIL PROTECTED] -- [EMAIL PROTECTED] '
 `---=--===-=-=-=-===-==---=--=---'
Re: Linux Virus
At 10:00 PM 3/28/2001 -0500, Ben Collins wrote:
>On Thu, Mar 29, 2001 at 12:55:16PM +1000, Mark Devin wrote:
>> Does anyone know anything further on this new W32.Winux virus.
>> Check out this link:
>> http://news.cnet.com/news/0-1003-200-5329436.html?tag=st.cn.1.lthd
>>
>> Surely this virus cannot overwrite executables that require root
>> permission? Or can it?
>
>No, if this virus actually exists (and I doubt it's true, or even
>particularly threatening), it can only affect your files. Unless you are
>in the bad habit of reading email as root, and executing random
>attachments manually.

At this point the virus is just a proof of concept, no payload and no replication existing only on the author's HD and the copy he emailed to the anti-viral company.

the proven concept may be used to do more interesting things.
Re: Linux Virus
On Thu, Mar 29, 2001 at 12:55:16PM +1000, Mark Devin wrote:
> Does anyone know anything further on this new W32.Winux virus.
> Check out this link:
> http://news.cnet.com/news/0-1003-200-5329436.html?tag=st.cn.1.lthd
>
> Surely this virus cannot overwrite executables that require root
> permission? Or can it?

No, if this virus actually exists (and I doubt it's true, or even particularly threatening), it can only affect your files. Unless you are in the bad habit of reading email as root, and executing random attachments manually.

--
 ---===-=-==-=---==-=--
/ Ben Collins -- ...on that fantastic voyage... -- Debian GNU/Linux \
` [EMAIL PROTECTED] -- [EMAIL PROTECTED] -- [EMAIL PROTECTED] '
 `---=--===-=-=-=-===-==---=--=---'