[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [seul-edu] virus/worms (was: High School Educational Programs)

To: seul-edu@seul.org
Subject: Re: [seul-edu] virus/worms (was: High School Educational Programs)
From: Cameron Miller <cdmiller@adams.edu>
Date: Mon, 07 Jan 2002 08:42:39 -0700
Delivered-To: archiver@seul.org
Delivered-To: seul-edu-outgoing@seul.org
Delivered-To: seul-edu@seul.org
Delivery-Date: Mon, 07 Jan 2002 10:45:39 -0500
References: <Pine.LNX.4.43.0201041524200.14819-100000@pilchuck.reedmedia.net>
Reply-To: seul-edu@seul.org
Sender: owner-seul-edu@seul.org
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.6) Gecko/20011012

Jeremy C. Reed wrote:

> On Wed, 2 Jan 2002, Michael Viron wrote:
> 
>>2.  The e-mail itself would then have to be opened by root
>>3.  The attachment (whether a shell script or C program) would then have to
>>be saved to a file.
>>4.  Next, root would have to do a chmod +x on the file.
>>5.  Finally, root would have to execute the file.
>>
> 
> It doesn't matter if it is root. The virus may be able to do its damage
> with the privileges that the current user (and group) allow it.
> 
> For example, it could replicate itself by sending to everyone in your
> address book(s).

Actually, to do this, assumptions need to be made about the e-mail 
client one is using. Is it Evolution, Kmail, Pine, Mutt, XFMail, Mozilla 
, Netscape, Star Office, Elm, etc..  And it is a trojan rather than a 
virus, since the end user has to actually run the program to activate it.

> 
> Or, it could run a network (even http or smtp) service (using some high
> port); i.e. it could be used to to relay mail by listening to smtp on some
> port (like 2525) and then send the mail on.
> 
> Or under regular user privileges, you could run a file server on a high
> port to distribute illegal or inappropriate files.
> 

Thus nice default linux tools like disk quotas and firewalls, which are 
activated by default in several major distribuitons these days, even at 
the desktop level.

>>If such a virus is sent to a user instead, at most it would delete that
>>users files (if they decided to save / add execute permission / and execute
>>the attachment -- unlikely, if you ask me), which can be easily restored
>>from backup.
>>
> 
> The exploit can be more than just deleting files; for example, it could
> modify your current files and user configurations. (Maybe change the shell
> login script to reprompt for username and password and then mail them to
> the virus maker. Or set an alias for "su" to their own code for stealing
> and emailing the root password!)

These examples have been around almost as long as UNIX, and yet there 
are still very limited reports of them actually having worked.  One has 
to make too many assumptions about the end users configuration.  In a 
free software freedom of choice world, end user configurations will vary 
hugely.  What shell?  What distribution? What Window Manager?

> 
> On Thu, 3 Jan 2002, Chris Hornbaker wrote:
> 
> 
>>With email, virii are pretty much not a problem. Most virus writers that I
>>have heard of try to attack Outlook or some part of a specific OS. Not only
>>that, but a student would have to save the attachment, open a terminal (the
>>admin could simply make it so that they can't open a terminal), become root
>>(this would stop them dead in their tracks), type chmod +x filename, then
>>./filename to run it. So as you can see email virii aren't a real problem for
>>Linux. not only that but email clients default to text only. So, macro virii
>>would would simply be seen is a bunch of gibberish, if seen at all.
>>
> 
> The main problem is getting the user to execute the virus (including
> making it executable). So maybe the virus writer can hide his weapon
> within a game and include the instructions on how to use it.
> 
> Or is there any email clients or file managers that try to automagically
> make programs executable and execute them for you if you double-click on
> them?
> 
> There are other ways to take advantage of a user (including root), for
> example the Blackbox window manager allows the style (theme) file to
> include code that can be ran when the style is loaded; usually this if for
> setting the background. But some malicious style designer could take
> advantage of root running blackbox. (By the way, I wrote a patch to fix
> that Blackbox problem.)
> 

And once again, the assumption, root is using it's own GUI?  Most admins 
I know don't even have a GUI on the root account.

>    Jeremy C. Reed
>    http://www.reedmedia.net/
> 
> 

All that being said, a truly successful UNIX based virus would require a 
root level security hole present in enough related systems for the virus 
to survive, which is unlikely in the free software and open source 
world.  An example did occur in the SUN world, remember the DDOS network 
  attacks a few years ago?  Many DDOS clients were automatically 
installed on Solaris machines worlwide using a remote root exploit in 
Solaris.

A Linux virus has yet to make any real headway.  I suspect that a bunch 
of MCSE's misconfiguring a lot of Linux systems could make a Linux virus 
an eventual reality.

- cameron

-- 
- cameron miller
- UNIX Systems Administrator
- cdmiller@adams.edu

References:
- [seul-edu] virus/worms (was: High School Educational Programs)
  - From: "Jeremy C. Reed" <reed@reedmedia.net>

Prev by Date: [seul-edu] 30 members and counting
Next by Date: [seul-edu] Beta 3 Press Release -- final notes for translators.
Prev by thread: [seul-edu] virus/worms (was: High School Educational Programs)
Next by thread: [Fwd: Re: [seul-edu] High School Educational Programs]
Index(es):
- Date
- Thread