[TAG] (forw) Re: Linux Viren

Rick Moen rick at linuxmafia.com
Wed Jan 3 01:49:05 MSK 2007


----- Forwarded message from rick -----

Date: Mon, 1 Jan 2007 18:35:52 -0800
To: luv-main at luv.asn.au
Subject: Re: Linux Viren

Quoting achalmers at westnet.com.au (achalmers at westnet.com.au):

> But ... damn, how many times have we been over this? :) 

Often enough to FAQ it.  ;->
http://linuxmafia.com/~rick/faq/index.php?page=virus  and also
"Viruses and Trojans and Worms, Oh My! Linux Security and the Bad Guys'
Tools" on http://linuxmafia.com/presentations/

> So patch early & patch often...

The need for which can be radically reduced by eschewing code that sucks:
http://www.ranum.com/security/computer_security/editorials/master-tzu/

Please see also my remarks about "Lupper" at the first URL cited:
To the extent it had any brief success at all, that worm attacked very
badly designed code that sysadmins had to go outside their distros'
software maintenance systems to install.

So, don't rush to think that you (generic "you") are as well prepared to
select good codebases, avoid bad ones, and keep them maintained.  The
distros in general do a really good job, and are busy being your
strongest defence even if you aren't aware of that, e.g., when Red Hat 
showed leadership in substituting BIND9 for BIND8, CUPS for lpd, Dovecot
IMAPd for WU-imapd, Pure-FTPd (I think) for wu-ftpd, and so on.  

> Having a viable (and tested) system restore method for your boxen
> would be ideal. (Feel free to document your process and share your
> results.)

Mine's here:
"Backup Scheme" on http://linuxmafia.com/kb/Admin/

-- 
Cheers,
Rick Moen                      "vi is my shepherd; I shall not font."
rick at linuxmafia.com                               -- Psalm 0.1 beta
Poster's address, anti-munged for Web archives, is:   rick @ linuxmafia . com .

----- End forwarded message -----
----- Forwarded message from rick -----

Date: Mon, 1 Jan 2007 19:39:39 -0800
To: luv-main at luv.asn.au
Subject: Re: Linux Viren

Quoting Roger (hovergo at net-tech.com.au):

> Thanks folks, you have put my mind at rest once more.
> I felt at the time that the statement was either FUD or a justification to 
> use the latest very very expensive windows server edition.

FYI, I try to keep documentation on all known Linux malware on
http://linuxmafia.com/~rick/faq/index.php?page=virus#virus5 -- and also 
_analysis_ of that malware, which is a lot more valuable than news
coverage is.  You _could_ just check for new entries there.

To my knowledge, there's been nothing even remotely near significant
since Lupper, 13 months ago, and that reportedly hit so few sites that
it barely made an impression at all.  (You really had to go out of your
way to have a PHP-driven Web site _that_ badly built and maintained.)

One place where virus "infection" does fairly frequently crop up on
Linux is as an _after-effect_ of system root compromise via other means.
E.g., you ssh into a university machine from your Linux box, and scp
files back to yourself.  Unbeknownst to you, the university box has been
rooted, and the trojaned /usr/bin/ssh utility conveys your ssh tokens
back to the bad guy, who now sshes into _your_ box and finds a way to
escalate privilege to root.  Then, to hide himself/herself, he/she
installs a "rootkit" set of intruder-hiding software that includes ELF
infector RST.B, whose presence maintains a UDP-based backdoor for the
intruder, in case you start trying to kick him/her off.

It's common for Linux users to eventually notice the RST.B virus, not
have a clue how it got there, and make a bad guess that RST.B must be
"spreading across the Internet" or something daft like that.

-- 
May those that love us love us; and those that don't love us, may
God turn their hearts; and if he doesn't turn their hearts, may
he turn their ankles so we'll know them by their limping.
Poster's address, anti-munged for Web archives, is:   rick @ linuxmafia . com .

----- End forwarded message -----
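The trojaned-ssh scenario in the message above, together with the earlier
point that the distro's package maintenance is the strongest defence, has
one practical check behind it: compare the installed binaries against the
hashes the package manager recorded when it installed them. On an RPM host
that is `rpm -V openssh-clients`; on Debian, `debsums -c openssh-client`.
The script below is an added example, not code from the original posts or
from either distro; it implements the same comparison in plain sh against
a manifest in sha256sum format, and it builds a constructed stand-in for
/usr/bin/ssh and /usr/bin/scp in a temporary directory so it runs offline.

```shell
#!/bin/sh
# Added example (not part of the original post): check installed files
# against a manifest of known-good SHA-256 hashes, the same idea as
# `rpm -V` or `debsums -c` checking files against the package database.
# The "binaries" and the manifest below are constructed in a temporary
# directory so the script runs offline.

# verify_manifest MANIFEST ROOT
#   MANIFEST holds lines in sha256sum format: "<sha256>  <path>" with the
#   path relative to ROOT.  Prints a MISSING or MODIFIED line for each
#   problem and returns 0 only when every listed file is present and
#   unchanged.
verify_manifest() {
    manifest=$1
    root=$2
    bad=0
    while read -r want path; do
        if [ -z "$path" ]; then continue; fi      # skip blank lines
        if [ ! -f "$root/$path" ]; then
            echo "MISSING  $path"
            bad=1
            continue
        fi
        have=$(sha256sum "$root/$path" | cut -d' ' -f1)
        if [ "$have" != "$want" ]; then
            echo "MODIFIED $path"
            bad=1
        fi
    done < "$manifest"
    return $bad
}

# make_demo_host DIR: populate DIR with a constructed fake ssh and scp and
# record a manifest of their hashes, standing in for the package database
# on a freshly installed system.
make_demo_host() {
    mkdir -p "$1/usr/bin"
    printf 'constructed stand-in for the real ssh client\n' > "$1/usr/bin/ssh"
    printf 'constructed stand-in for the real scp client\n' > "$1/usr/bin/scp"
    ( cd "$1" && sha256sum usr/bin/ssh usr/bin/scp ) > "$1/manifest"
}

# demo_clean: untouched host; verification passes (returns 0).
demo_clean() {
    d=$(mktemp -d)
    make_demo_host "$d"
    verify_manifest "$d/manifest" "$d"
}

# demo_trojaned: the intruder replaced ssh with a credential-logging copy,
# as on the rooted university box above; only that file is flagged
# (returns 1).
demo_trojaned() {
    d=$(mktemp -d)
    make_demo_host "$d"
    printf 'constructed trojan: log the typed passphrase\n' >> "$d/usr/bin/ssh"
    verify_manifest "$d/manifest" "$d"
}

# Stand-alone usage: run both scenarios and report.
demo_clean && echo "clean host: all files match"
demo_trojaned || echo "trojaned host: tampering detected"
```

Two caveats a practitioner would add. First, run the check from somewhere
you trust: on a rooted host the tools doing the checking (sha256sum, rpm,
even the kernel's view of the filesystem once a rootkit is loaded) may be
lying, so boot rescue media or copy the files and package database off for
comparison. Second, a clean result on your own box does nothing about the
credential the trojaned client on the remote host already captured; treat
that password or key as burned and replace it.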
----- Forwarded message from rick -----

Date: Tue, 2 Jan 2007 12:55:11 -0800
To: luv-main at luv.asn.au
Subject: Re: Linux Viren

Quoting Richard Keech (rkeech at redhat.com):

> According to wildlist.org, there is still no record of any in-the-wild
> Linux "virus".

That speaks well for their credibility, since the antivirus industry has
a long record of stretching the truth in this area.

There was a brief period around 2001-2002 when there were still enough 
unpatched RHL 6.2 boxes (no RHN, yet) and RHL 6.2-7.2 boxes (no default
iptables script, that being added as of RHL 7.3) to support "worm"
attacks against significant numbers of Red Hat boxes with vulnerable
network daemons exposed to the Internet.  However, we're talking about
some few thousand systems worldwide, during the worst of that period.

Of course, if you're determined to propagate malware using Linux, Matt
Moen (no relation) found that WINE has _almost_ achieved full
bug-for-bug compatibility.  Maybe in 2007.
http://www.newsforge.com/article.pl?sid=05/01/25/1430222


-- 
Cheers,                  Higgeldy Piggeldy             "Phooey on Freud and his 
Rick Moen                Hamlet of Elsinore            Psychoanalysis -- 
rick at linuxmafia.com      Ruffled the critics by        Oedipus, Schmoedipus,    
                         Dropping this bomb:           I just loved Mom."       
Poster's address, anti-munged for Web archives, is:   rick @ linuxmafia . com .

----- End forwarded message -----