Message-ID: <200401171843.i0HIh4K4008211@turing-police.cc.vt.edu>
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks@...edu)
Subject: Re: January 15 is Personal Firewall Day, help the cause 

On Sat, 17 Jan 2004 08:43:52 MST, Bruce Ediger <eballen1@...st.net>  said:

> The commercial anti-virus people have never really addressed the
> lack of in-the-wild viruses for the unixes in general, and linux
> in particular.  Or, back in the day, why didn't VMS suffer from
> a plague like DOS did and Windows does?

Google for '+VMS +WANK'.  So it was certainly *possible* to create a VMS-based
worm.  However, that was back in the Elder Days, when VMS and other dinosaurs
still walked the earth in great numbers. And all the various systems in those
days had minor outbreaks of things - there was the CHRISTMA EXEC and variants
that plagued VM systems on Bitnet and VNET, the Morris worm that beat up on VAX
and Sun-3 boxes, and a host of other things on other systems.

But that was in the Elder Days. And that's an important point - VMS didn't have
a major worm problem mostly because in the days when it had market share, the
number of black hats who had access was limited.  Whoever released WANK had to
get access to HEPNet first, which for 98% of the users out there was
non-trivial.  But once you got onto HEPNet, there were enough VMS systems to
sustain a virus.  On the other hand, even then DOS and Windows had a significant
market share and information exchange (on floppies and BBS back then).

And that's the crucial point - the rate of information exchange with similar
systems.  Can your worm/virus contact another vulnerable system before it is
eradicated on its current host?  This is something that public health workers
have understood for a long time - for many diseases it is *not* necessary to
vaccinate 100% of the people, because a 95% or so rate is sufficient to keep it
from getting an epidemic going.  You're simply not likely enough to meet
another vulnerable person while you're contagious.

Now, it's safe to assume that every black hat has Internet access, and can
release a worm.  However, due to monoculture effects, there are only a very
limited number of operating systems and services that a worm can realistically
exploit.

Windows? A worm won't starve.  It will die of indigestion, and take out the net
if it burps.

Linux?  I strongly suspect that Lion was fairly close to as big as a Linux worm
can possibly get - and it was nowhere near the size of most Windows worms.

Solaris?  We've seen automated scans for rpc.ttdbserver exploits, and had
clusters of machines all get whacked at once.  There's ecological space for
a slow-moving patient worm here...

HP/UX, AIX, Tru64?  A worm *might* be able to survive on these platforms,
but it would have to be very stealthy to survive on a given host long enough to
actually find another host to jump to.

Other boxes like MVS, VM, VMS, HPE, and the like?  The worm is almost
certain to die of starvation and/or boredom.
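
The threshold argument in the message above, worked as an added example that is not part of the original post: it treats spread as a Poisson branching process (an assumption), and all function names and scenario numbers are constructed for illustration.

```python
import math

def reproduction_number(contacts_per_hour, vulnerable_fraction, hours_until_cleaned):
    """Expected number of vulnerable hosts one infected host reaches before cleanup."""
    return contacts_per_hour * vulnerable_fraction * hours_until_cleaned

def extinction_probability(r, iterations=10000):
    """Chance that an outbreak starting on one host dies out on its own.

    Smallest root of q = exp(r * (q - 1)), found by fixed-point iteration
    from 0. For r <= 1 the root is 1: the outbreak always fizzles.
    """
    q = 0.0
    for _ in range(iterations):
        q = math.exp(r * (q - 1.0))
    return q

def coverage_needed(r0):
    """Fraction of hosts that must be immune (patched) to push R down to 1."""
    if r0 <= 1.0:
        return 0.0
    return 1.0 - 1.0 / r0

# Constructed scenarios, not measurements:
# (contacts per hour, fraction of contacts that are vulnerable, hours until cleaned)
SCENARIOS = {
    "monoculture":       (10.0, 0.20, 10.0),   # R = 20
    "minority platform": (10.0, 0.002, 10.0),  # R = 0.2
    "quickly cleaned":   (10.0, 0.20, 0.25),   # R = 0.5
}

def summarize():
    """Return {scenario: (R, extinction probability, immune fraction needed)}."""
    rows = {}
    for name, params in SCENARIOS.items():
        r = reproduction_number(*params)
        rows[name] = (r, extinction_probability(r), coverage_needed(r))
    return rows

if __name__ == "__main__":
    for name, (r, q, cov) in summarize().items():
        print(f"{name:18s} R={r:5.2f}  dies out: {q:6.1%}  immune fraction needed: {cov:4.0%}")
```

With R = 20 the immune fraction needed comes out at 95%, the figure the message quotes for vaccination; in the two scenarios with R below 1 the outbreak dies out without any further intervention.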

