Seems to have been intended to be posted, rather than sent just to me in private mail.
----- Forwarded message from Bob Scofield <scofi...@omsoft.com> -----

Date: Sun, 3 Jun 2018 09:23:47 -0700
From: Bob Scofield <scofi...@omsoft.com>
To: Rick Moen <r...@linuxmafia.com>
Subject: Re: [vox-tech] Linux Computer Infected

Since Rick expresses skepticism for antivirus companies in this post, I'll
use this one to report on my latest discovery.

The problem with my computer started after I updated to the latest version
of ESET antivirus for Linux. The only thing I had not done to get my
re-install finished was to re-install ESET. So this morning I did. And
after the install the problem reappeared. Cinnamon and Thunderbird would
crash. Firefox was completely unusable. So I uninstalled ESET and now
everything is back to normal.

Bob

On 06/02/2018 11:48 PM, Rick Moen wrote:
> Quoting Timothy D Thatcher (daniel.thatc...@gmail.com):
>
>> Hah, I'm glad it was nothing as nefarious as some weird malware or
>> rootkit, or as irritating/potentially expensive as an actual hardware
>> failure. Great work, and thanks, Rick.
>
> One more comment (and yes, as can be seen on
> http://linuxmafia.com/~rick/faq/ and
> http://linuxmafia.com/~rick/lexicon.html#moenslaw-security3, this _is_
> something of a hobbyhorse of mine):
>
>
> _Rootkits_ are by definition NOT attack tools. Period.
>
>
> Yes, the contrary is widely believed, and I know exactly which
> commercial interest promotes that and many similar misunderstandings:
> It's the security / antimalware industry, which has absolutely no
> interest in a well-informed computer user community who understand
> security threats. They want a spooked community willing to outsource
> and open wallets.
>
> This essay ended up being long, and isn't yet in proper presentation
> format, but I think it bountifully illustrates my point about that industry:
> http://linuxmafia.com/kb/Essays/security-snake-oil.html
>
>
> Back to rootkits: A rootkit is a set of replacements for regular
> administrative monitoring tools (ps, netstat, top, ls, etc.) that have
> been gimmicked to ignore the files and processes of an intruder.
> The intruder enters a system and escalates to root authority via
> OTHER MEANS ENTIRELY, and only then, armed with stolen root authority,
> replaces normal system tools with rootkit replacements in order to hide
> himself/herself.
>
> Quoting (myself) from http://linuxmafia.com/~rick/faq/#virus5:
>
>
> [omitting here a very long alphabetical list of 'ringers'; things often
> claimed in error to be 'viruses' that simply aren't]
>
> Every one of those is some sort of _post-attack_ tool; all are
> erroneously claimed on sundry anti-virus companies' sites (and
> consequently in various news articles) to be "Linux viruses". Some
> are actually "rootkits", which are kits of software to hide the
> intruder's presence from the system's owner and install "backdoor"
> re-entry mechanisms, after the intruder's broken in through other
> means entirely. Some are "worms"/"trojans" of the sort that get
> launched locally on the invaded system, by the intruder, to probe it
> and remote systems for further vulnerabilities. Some are outright
> attack tools of the "DDoS" (distributed denial of service) variety,
> which overwhelm a remote target with garbage network traffic from all
> directions, to render it temporarily non-functional or incommunicado.
>
> The news reporters and anti-virus companies in question should be
> ashamed of themselves: None of the above, in itself, can break into any
> remote Linux system. All must be imported manually (or equivalently by
> script) and installed by an intruder who has cracked your system by
> other means.
>
> That incompetent reporting sometimes has extremely damaging
> consequences: In 2002, British authorities arrested
> (https://www.nytimes.com/2002/09/20/world/computer-virus-author-arrested.html)
> the alleged author of the T0rn rootkit, based on their mistaken notion
> that it's a "Linux virus". (My efforts to get the Reuters / NY Times
> story corrected were ignored, except by cited anti-virus consultant
> Graham Cluley, who told me he'd been misquoted.)
>
> I should mention in passing that feeble albeit genuine malware like the
> RST and OSF ELF-infectors are often downloaded and manually installed,
> locally, by attackers AFTER THEY'VE ENTERED AND CRACKED ROOT VIA OTHER
> MEANS ENTIRELY, often as part of their "rootkits". Some of these help
> keep alive UDP-based backdoors to preserve their ongoing access. The
> point, again, is that they're an _after-effect_ of break-in, not a
> method of attack in themselves. It's like a burglar disabling your
> back-porch door lock from inside your kitchen; it's damage, but not the
> guy's means of entry.
>
> _______________________________________________
> vox-tech mailing list
> vox-tech@lists.lugod.org
> http://lists.lugod.org/mailman/listinfo/vox-tech

----- End forwarded message -----

_______________________________________________
vox-tech mailing list
vox-tech@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox-tech
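Rick's definition above (a rootkit is a gimmicked ps, netstat, ls and friends that hide the intruder's processes and files) suggests two defender-side checks that do not trust those tools at all. The following is an added example written for this page, not code from the thread or from any of the projects it mentions. It (1) lists PIDs straight from the kernel's /proc and diffs them against what the userland `ps` binary reports, and (2) compares SHA-256 digests of the administrative binaries against a baseline recorded at install time. The baseline dictionary, the `SAMPLE_PATHS` list and the live `main()` are assumptions for illustration; on a real host the baseline would come from read-only media or the package manager's manifest, not from the possibly compromised machine.

```python
"""Two cross-checks for a user-space rootkit of the kind described in the thread.

Added example (not from the vox-tech post). Assumes a Linux host with /proc and
a `ps` binary for the live run; the pure functions work on any constructed input.
"""
import hashlib
import os
import subprocess

# Assumed list of tools a rootkit typically replaces (from the post's own list).
SAMPLE_PATHS = ["/bin/ps", "/bin/ls", "/bin/netstat", "/usr/bin/top"]


def pids_from_proc(proc_root="/proc"):
    """PIDs as the kernel exposes them in /proc; a replaced ps cannot edit this."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def pids_from_ps():
    """PIDs as reported by the userland ps binary (the thing a rootkit swaps out)."""
    out = subprocess.run(["ps", "-e", "-o", "pid="],
                         capture_output=True, text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def hidden_pids(proc_before, proc_after, ps_view):
    """PIDs the kernel showed both before and after ps ran, yet ps omitted.

    Requiring presence in two /proc snapshots discards processes that merely
    started or exited while ps was running, so only persistent, hidden PIDs
    are reported. Returns a sorted list; an empty list means nothing hidden.
    """
    return sorted((proc_before & proc_after) - ps_view)


def sha256_file(path):
    """Streamed SHA-256 of a file, so large binaries do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_baseline(baseline, hash_fn=sha256_file):
    """Compare each tool's current digest with its recorded baseline digest.

    baseline: {path: expected_hex_sha256}. Returns {path: "ok" | "MODIFIED" |
    "missing"}. A MODIFIED ps/ls/netstat is exactly the symptom of a rootkit
    that has been installed after a break-in by other means.
    """
    report = {}
    for path, expected in baseline.items():
        try:
            actual = hash_fn(path)
        except FileNotFoundError:
            report[path] = "missing"
            continue
        report[path] = "ok" if actual == expected else "MODIFIED"
    return report


def main():
    # Live process check: snapshot /proc, run ps, snapshot /proc again.
    before = pids_from_proc()
    seen_by_ps = pids_from_ps()
    after = pids_from_proc()
    print("PIDs hidden from ps:", hidden_pids(before, after, seen_by_ps) or "none")

    # Binary check against a baseline. Here the baseline is constructed on the
    # spot from the current files purely to show the call; a real baseline must
    # be taken from trusted media *before* any suspected compromise.
    baseline = {p: sha256_file(p) for p in SAMPLE_PATHS if os.path.exists(p)}
    for path, status in verify_baseline(baseline).items():
        print(f"{status:9} {path}")


if __name__ == "__main__":
    main()
```

The process diff is the same idea that tools such as unhide use: the kernel is asked directly, then the answer is compared with what the replaced tool says. The digest check only has value if the baseline was captured from a source the intruder could not have altered, which is why the post's distinction matters: the rootkit arrives after root was obtained, so anything recorded on the box afterwards is suspect.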