[Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause
tobias at weisserth.de
Fri Jan 16 21:29:57 GMT 2004
On Fri, 16.01.2004, Exibar wrote at 21:23:
> > > Linux in the wild viruses that come to mind: Scalper, Ramen, Lion,
> > > Simile..... I'm sure there are lots more as well.
> > None of those was an e-mail virus. They were worms. An e-mail virus
> > scanner wouldn't have done any good.
chkrootkit. You may not be running a virus scanner, but certainly you
are not stupid enough to ignore the need for chkrootkit and some file
integrity checker like AIDE or tripwire?!
> correct, but I'm not talking about ONLY catching e-mail viruses, that's
> not the only reason you install A/V software on your desktop.
It is the only reason actually. A virus scanner doesn't catch a well
written rootkit. Other tools are used to protect against this. Since
rootkits don't reproduce themselves like viruses (definition of virus!)
chkrootkit is not called a virus scanner yet it actually works the same.
> Worms are more dangerous than e-mail viruses in my eyes, especially if you're blocking
> all executables from coming in through your mail gateway.
What is the logical and semantic link between the first half of this
statement and the latter?
If a user of Linux only networks blocks or filters Windows binaries OF
ANY SORT (thus viruses, dialers, malware...), then this doesn't raise
the risk of getting infected with a worm.
ANY program that has been compiled to run on Windows platforms WILL NOT
RUN on any Linux system. There simply is no way such a virus could
INFECT a Linux system yet we saw how the latest Blaster variants
AFFECTED Linux systems running the RPC service. Blaster managed to DoS
that specific service and kill the daemon running behind that port.
Nothing more happened and nothing more can happen unless the worm
manages to inject Linux binary code that can run on the Linux box and
exploit a bug (buffer overflow...) in the service exposed.
What happens then? Rights management kicks in. Linux daemons run as
users with minimal rights. If binary code gets injected into a Linux box
via such a daemon it can only execute as this user with minimal rights.
If there isn't a local exploit to gain root then the worm is trapped
inside this user and probably a chroot environment and can do no more.
End of story.
> Without A/V
> software you're susceptible to these worms running rampant on your machine
> and network.
Only Linux binary worms under certain conditions. I don't know of any
"in the wild" right now.
a) Rights Management
b) File Integrity Checking
c) Regular Patching
won't allow the worm to
a) run as user with root privileges or even browse the system any
further than the associated user can do
b) modify ANY part of the system without letting the administrator know
c) be undetected for long
d) even get onto the machine as long as the exposed services don't have
e) exploit on known bugs because there are patches to fix problems
THIS is how things work in Linux/Unix.
Now, how about Windows? :-)
> Without A/V you'll also have the problem of people clicking on links and
> inadvertently downloading a backdoor or a rootkit.
That's true on a system where you use Internet Explorer with its
flawed ActiveX and rotten "Zone" model.
Even if a user downloads a backdoor, rootkit or anything else, then the
above methods will stop it cold.
The user is not root. Thus the system is only exploitable if the
malicious program can exploit a local exploit.
Besides, Open Source Browsers take security seriously. It is Internet
Explorer that is known to allow such blatant security risks. The
buzzword is ActiveX which simply IS MISSING in open source web clients.
> A firewall will help,
> but not prevent this from happening.
A firewall will keep unused services behind unused ports from being
attacked. A firewall doesn't help if a service to the outside world is
Assuming from what you wrote I may say that it seems you are not very
familiar with security concepts on non-Windows systems as I frequently
got the impression that you think a win32 virus is able to run in a
Linux environment. Please correct me here, but I advise you to check
before you write such nonsense, because it cannot be the underlying base
of this discussion.
Full-Disclosure is hosted and sponsored by Secunia.
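The post above leans on file integrity checking (AIDE, tripwire) as the control that keeps a worm or rootkit from modifying "ANY part of the system without letting the administrator know". The following is an added illustration of that mechanism, not code from the original post or from AIDE/tripwire: a minimal baseline-and-verify checker that records a SHA-256 digest per file, then reports files that were added, removed or changed. The directory tree, file contents and "tampering" steps in `demo()` are constructed for the example.

```python
"""Minimal file-integrity checker in the spirit of AIDE/tripwire (added example)."""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """Return the SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its digest.

    Symlinks are skipped so that a link pointing outside the tree is not
    silently followed and hashed as if it were part of the baseline.
    """
    baseline: dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            baseline[path.relative_to(root).as_posix()] = hash_file(path)
    return baseline


def verify(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Compare the current tree against a stored baseline.

    Returns sorted lists of added, removed and modified paths; all three are
    empty when the tree matches the baseline exactly.
    """
    current = build_baseline(root)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        name for name in baseline.keys() & current.keys() if baseline[name] != current[name]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo(tamper: bool = True) -> dict[str, list[str]]:
    """Build a constructed sample tree, take a baseline, optionally tamper, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed stand-ins for system files; contents are arbitrary.
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\necho original\n")
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")

        baseline = build_baseline(root)

        if tamper:
            # Simulated post-compromise changes: a replaced binary, a new
            # file dropped into bin/, and a deleted configuration file.
            (root / "bin" / "ls").write_bytes(b"#!/bin/sh\necho replaced\n")
            (root / "bin" / "dropped").write_bytes(b"\x00")
            (root / "etc" / "passwd").unlink()

        return verify(root, baseline)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

In practice the baseline must live somewhere the machine itself cannot rewrite (read-only media, a remote host), since a rootkit with write access to the baseline file would simply re-hash its own changes; real tools also record ownership, mode and inode metadata alongside the digest, which this example omits for brevity.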