| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: tobias at weisserth.de (Tobias Weisserth) Subject: Re: January 15 is Personal Firewall Day, help the cause Hi "Exibar", Am Fre, den 16.01.2004 schrieb Exibar um 21:23: > > > Linux in the wild viruses that come to mind: Scalper, Ramen, Lion, > > > Simile..... I'm sure there are lots more as well. > > > > None of those was an e-mail virus. They were worms. An e-mail virus > > scanner wouldn't have done any good. chkrootkit. You may not be running a virus scanner, but certainly you are not stupid enough to ignore the need for chkrootkit and some file integrity checker like AIDE or tripwire?! > correct, but I'm not talking about ONLY catching e-mail viruses, that's > not the only reason you install A/V software on your desktop. It is the only reason actually. A virus scanner doesn't catch a well written rootkit. Other tools are used to protect against this. Since rootkits don't reproduce themselves like viruses (definition of virus!) chkrootkit is not called a virus scanner yet it actually works the same. > Worms are more dangerous than e-mail viruses in my eyes, especially if you're blocking > all executables from coming in through your mail gateway. What is the logical and semantic link between the first half of this statement and the latter? If a user of Linux only networks blocks or filters Windows binaries OF ANY SORT (thus viruses, dialers, malware...), then this doesn't raise the risk of getting infected with a worm. ANY program that has been compiled to run on Windows platforms WILL NOT RUN on any Linux system. There simply is no way such a virus could INFECT a Linux system yet we saw how the latest Blaster varients AFFECTED Linux systems running the RPC service. Blaster managed to DoS that specific service and kill the daemon running behind that port. Nothing more happened and nothing more can happen unless the worm manages to inject Linux binary code that can run on the Linux box and exploit a bug (buffer overflow...) in the service exposed. What happens then? Rights management kicks in. Linux daemons run as users with minimal rights. If binary code gets injected into a linux box via such a daemon it can only execute as this user with minimal rights. If there isn't a local exploit to gain root then the worm is trapped inside this user and probably a chroot environment and can do no more. End of story. > Without A/V > software you're susseptable to these worms running rampant on your machine > and network. Only Linux binary worms under certain conditions. I don't know of any "in the wild" right now. The measures a) Rights Management b) File Integrity Checking c) chkrootkit d) Firewalling e) Regular Patching won't allow the worm to a) run as user with root privileges or even browse the system any further than the associated user can do b) modify ANY part of the system without letting the administrator know c) be undetected for long d) even get onto the machine as long as the exposed services don't have known exploits e) exploit on known bugs because there are patches to fix problems THIS is how things work in Linux/Unix. Now, how about Windows? :-) > Without A/V you'll also have the problem of people clicking on links and > inadvertantly downloading a backdoor or a rootkit. That's true on a system where you use the Internet Explorer with its flawed activeX and rotten "Zone" model. Even if a user downloads a backdoor, rootkit or anything else, then the above methods will stop it cold. The user is not root. Thus the system is only exploitable if the malicious program can exploit a local exploit. Besides, Open Source Browsers take security serious. It is the Internet Explorer that is known to allow such blatant security risks. The buzzword is activeX which simply IS MISSING in open source web clients. > A firewall will help, > but not prevent this from happening. A firewall will keep unused services behind unused ports from being attacked. A firewall doesn't help if a service to the outside world is exploitable. Assuming from what you wrote I may say that it seems you are not very familiar with security concepts on non-Windows systems as I frequently got the impression that you think a win32 virus is able to run in a Linux environment. Please correct me here, but I advise you to check before you write such nonsense, because it cannot be the underlying base of this discussion. kind regards, Tobias W.
Powered by blists - more mailing lists