[lug] Virus software for Linux

rm at fabula.de rm at fabula.de
Mon Apr 22 03:09:10 MDT 2002


On Thu, Apr 18, 2002 at 02:52:40PM -0600, Peter Hutnick wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On Thursday 18 April 2002 02:18 pm, Jonathan Briggs wrote:
> > I have to disagree with the general idea that virus scanners will be
> > useless on Linux.  I think that with the popularity of Linux rising,
> > virus scanners will become necessary as standard parts of desktop
> > security.
> 
> Surely being a prevalent system draws the attention of virus authors.  OTOH 
> the argument that Linux doesn't have viruses because it is obscure sounds 
> even less believable today than it did a couple of years ago.
> 
> It is simply trivial to write a windows virus and non-trivial to write a Linux 
> virus.

Huh??? Don't tickle my pride as a programmer! Your statement might have been
true a few years ago, but in today's world of Linux dominance (<grin/>) we have
to cope with a large community of users that run their boxes as standalone
workstations connected to the net. These people, innocent and unknowing as they might
be, form the vast majority of system administrators these days. We also see
a 'standardisation' of compile/install mechanisms (Perl's 'perl Makefile.PL && make && make install'
or Python's 'python setup.py install' or even the './configure && make install' of GNU)
that enables almost anybody to install new software. Now, sincerely, how many of us
do a code audit before we install new software? With just a little bit of social
engineering ('you need to be root to install this software to be able to get realtime
scheduling for this perl MP3 module' ;-) and a few lines of code a dedicated 'bad guy'
can do a lot of harm.

> > Many of today's "virus scanners" are actually much more than that.  They
> > include what amounts to host-based intrusion detection.  For example,
> > malicious JavaScript and Flash programs may be blocked, even if the web
> > browser would be happy to execute them.  Trojan programs (not
> > technically viruses) may be blocked, even if the user is silly enough to
> > execute them.
> 
> I don't mean this in a mean way, but what do you think IDS is?  It certainly 
> doesn't have anything to do with flash or javascript.

Once most of the 'intrusion' starts from client programs on workstations, it sure
does.

> I'd also submit that this is very browser dependent.  So, for instance, there 
> was a hack that would cause IE to over-write the boot sector.  A typical 
> Linux system has /two/ defenses against this.  1. A normal user cannot write 
> to the boot sector and 2. "native" Linux browsers won't try.

1.) With more and more non-technical users we'll see an increasing number of
    people working as root on a daily basis ("... it's sooo convenient"). I've
    seen more than one recently.

2.) This is rather 'blue-eyed' (is this an existing English idiom?). You
    are aware that some ftp server distribution (was it wu-ftp?) _was_ hacked
    and patched with a trojan for more than a day? Nothing to stop me. Assuming
    that something won't be done just because it never has been is pretty naive.
  
> > We may also have to deal with Microsoft Office on Linux.  It can be run
> > today using the Codeweaver Crossover program, and in the future there
> > may even be a native port.
> 
> Who is we?  There is no doubt that user-space apps can walk all over a users 
> own files on a UNIX like system with a traditional permissions system.  (Not 
> so with ACLs, but that is another debate.)
> 
> I don't run programs that have a history of doing so.

Never used sendmail, eh? :-))))

> So, I guess if you choose to run crappy software you need other crappy 
> software to de-crapify it.  I concede the point.

Linux From Scratch, you said it.

> > If Linux starts running Microsoft software, Linux will need to deal with
> > Microsoft (non)security (mis)features.  We will certainly need virus
> > scanners then.
> >
> > Remember, it isn't much comfort that your root owned system programs and
> > files are perfectly safe, when all the data owned by your user account
> > has just been wiped out.
> 
> Now you are saying "you."  Don't include me in your sick little world of 
> programs that produce system commands at the request of strange data.
> 
> Seriously, how bizarre is it to run software whose only job is to selectively 
> break the functionality of other software so it doesn't damage your data at 
> the request of arbitrary data /pushed/ to you off the internet?

The _one_ program that has broken most of my systems recently is perl as distributed
in recent Debian systems (in testing, I must confess). The growing complexity of current
distributions has led to a sad state of missing quality control ...
And related to that: the whole share-the-code attitude has led to a lot of code that
gets shared and never should be (writing secure and stable code that can safely be
distributed is much harder than the occasional perl hack; many OS hackers don't see this).

   Ralf Mattes
> - -Peter
> 
> - -- 
> /"\ ASCII Ribbon campaign against HTML e-mail
> \ /
>  X   Get my PGP key at http://hutnick.com/pgp
> / \  6128 5651 6F23 EC17 6EBD  737D 960A 20E6 76CA 8A59
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.6 (GNU/Linux)
> Comment: For info see http://www.gnupg.org
> 
> iD8DBQE8vzIYlgog5nbKilkRAistAJ4xjOrZhJHGo7Rz73Zyypo+drUmQQCeJKkg
> uJ86eg/KNoEME0CDhqcC4Jc=
> =uk4N
> -----END PGP SIGNATURE-----
> 
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
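The thread above turns on two points: a downloaded source tree can be trojaned before anyone types './configure && make install' as root (the wu-ftp incident Ralf mentions), and hardly anyone audits what they install. The script below is an added example, not code from either poster or from any project named in the thread. It does the two cheap checks a practitioner can run before handing an archive to root: compare the tarball against a SHA-256 digest obtained out of band (a signed CHECKSUMS file, a mailing-list announcement), and list members that would write outside the build directory, point a link outside it, or arrive setuid/setgid. The archive it audits is constructed in memory for the demonstration; the package name pkg-1.0 and every member in it are made up. It does not replace reading the Makefile's install target, which is where the "few lines of code" would hide.

```python
"""Pre-install audit of a source tarball (added example, constructed data).

Two checks before './configure && make install' runs as root:
  1. the archive matches a digest obtained out of band (trojaned mirror);
  2. no member escapes the extraction directory, links outside it,
     or would be installed setuid/setgid.
"""
import hashlib
import io
import os
import posixpath
import stat
import tarfile
import tempfile


def sha256_file(path):
    """Hex SHA-256 of a file, streamed so large tarballs are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _escapes_tree(relpath):
    """True if a tar member path would land outside the extraction dir."""
    norm = posixpath.normpath(relpath)
    return relpath.startswith("/") or norm == ".." or norm.startswith("../")


def audit_tarball(path, expected_sha256):
    """Return a list of (member_name, reason) findings; empty means clean.

    A digest mismatch is reported as ('<archive>', ...) and the member scan
    still runs, so one pass shows everything wrong with the download."""
    findings = []
    actual = sha256_file(path)
    if actual != expected_sha256.lower():
        findings.append(("<archive>", "sha256 mismatch: got %s" % actual))
    with tarfile.open(path, "r:*") as tf:
        for m in tf.getmembers():
            name = m.name
            if _escapes_tree(name):
                findings.append((name, "path escapes extraction directory"))
            if m.issym() or m.islnk():
                # Resolve the link target relative to the member's directory.
                target = posixpath.join(posixpath.dirname(name), m.linkname)
                if m.linkname.startswith("/") or _escapes_tree(target):
                    findings.append((name, "link points outside tree: %s" % m.linkname))
            if m.isfile() and m.mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append((name, "setuid/setgid file (mode %o)" % m.mode))
            if m.isdev():
                findings.append((name, "device node"))
    return findings


def build_sample_tarball(path):
    """Write a constructed archive: one benign file plus three hostile members.
    Names and contents are invented for the demonstration."""
    def add(tf, name, data=b"", mode=0o644, typ=tarfile.REGTYPE, linkname=""):
        ti = tarfile.TarInfo(name)
        ti.type = typ
        ti.mode = mode
        ti.linkname = linkname
        ti.size = len(data)
        tf.addfile(ti, io.BytesIO(data) if typ == tarfile.REGTYPE else None)

    with tarfile.open(path, "w:gz") as tf:
        add(tf, "pkg-1.0/configure", b"#!/bin/sh\necho configuring\n", 0o755)
        # Path traversal: extracted by root, this drops a cron job system-wide.
        add(tf, "pkg-1.0/../../etc/cron.d/backdoor", b"* * * * * root /tmp/x\n")
        # Setuid binary waiting for 'make install' to copy it verbatim.
        add(tf, "pkg-1.0/bin/helper", b"\x7fELF", 0o4755)
        # Symlink out of the tree; a later write through it hits /etc/passwd.
        add(tf, "pkg-1.0/lib/libfoo.so", typ=tarfile.SYMTYPE,
            linkname="../../../../etc/passwd")


def demo():
    """Build the constructed archive and audit it with the right digest
    (as if read from a signed checksum file) and with a wrong one."""
    workdir = tempfile.mkdtemp(prefix="audit-")
    archive = os.path.join(workdir, "pkg-1.0.tar.gz")
    build_sample_tarball(archive)
    published = sha256_file(archive)  # stands in for the out-of-band digest
    return {
        "trusted_digest": audit_tarball(archive, published),
        "wrong_digest": audit_tarball(archive, "0" * 64),
    }


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label)
        for name, reason in findings or [("-", "no findings")]:
            print("  %-40s %s" % (name, reason))
```

Run it and the trusted-digest pass reports exactly the three hostile members while leaving configure alone; the wrong-digest pass adds the archive mismatch on top, which is the signal that should stop the install before anything is extracted, let alone built as root.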