Re: [opensuse] Who said Linux doesnot get Virus infections
- From: G T Smith <grahamsmith@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 08 Aug 2007 14:28:18 +0100
David Bolt wrote:
On Tue, 7 Aug 2007, Michael Letourneau wrote:-
David Bolt wrote:
<Snip>
As more and more file types get linked to more applications I am not so
sure that "executing" something has the same meaning it used to. Say you
download a new screen saver, you never really execute that, but your
window manager utilizes the data in it.
Erm, you can execute a screen saver if you test it. And the window
manager will do so when the specified idle time is reached.
As an example, I set the screen saver on my 10.2 system to be BSOD and
here's me locating just where the file is, and what type it is:
davjam@donnas:~> grep -i "saver" ~/.kde/share/config/kdesktoprc
[ScreenSaver]
Saver=bsod.desktop
davjam@donnas:~> grep -i "exec" /opt/kde3/share/applnk/System/ScreenSavers/bsod.desktop
Exec=bsod
TryExec=xscreensaver
Exec=kxsconfig bsod
Exec=kxsrun bsod -- -window-id %w
Exec=kxsrun bsod -- -root
davjam@donnas:~> find /usr/ -mount -name bsod 2>/dev/null
/usr/lib64/xscreensaver/bsod
davjam@donnas:~> file /usr/lib64/xscreensaver/bsod
/usr/lib64/xscreensaver/bsod: ELF 64-bit LSB executable, AMD x86-64, version 1 (SYSV), for GNU/Linux 2.6.4, dynamically linked (uses shared libs), for GNU/Linux 2.6.4, stripped
All of which makes for an ideal method of introducing a trojan onto a
system[0]. And, just to make sure it works across the widest variety of
systems, all that's required is to create a statically linked 32bit
binary and it'll run on virtually any x86-32 or x86-64 based system.
Err No... The file itself should usually be read only and only
changeable by root, and if you are allowing stuff like this to happen as
root more fool you....
Of course, there's also those infections that occur without user
intervention, but those tend to come in through security holes in server
daemons which are unlikely to be running on a normal user's desktop
system.
Yup, I would classify those more as worms or exploits rather than virii.
They're under the general "viruses" tag. For my definitions, worms
require no assistance to spread, as they actively search for
files/systems to infect. Trojans require human assistance to spread and
are designed to pretend to be one thing while actually being something
completely different. True viruses also require human assistance to
spread, but do so completely unknown to the user. Boot sector viruses,
and those wonderful macro viruses, are what I'd call a virus. I wouldn't
classify any of the recent Windows "viruses" a true virus, I'd call them
a trojan instead.
An opinion maybe, but technical nonsense otherwise.
1) The classical viruses come in two groups, boot sector and binary file
infectors, with nominal sub-class functions such as droppers (a virus which
drops a trojan, a virus of a different type, etc.). Some later DOS viruses
spread using all techniques.
Boot sector viruses are a vulnerability for systems which use the boot
sector to load code that identifies where to load the OS, which covers
just about anything. The only time a system is normally vulnerable
nowadays is when booting media (the media does not have to be bootable,
and boot sector protection in BIOS is usually trivial to circumvent; the
only real safety is to only allow booting from trusted boot media when
required). The period of time between the machine being started and the
OS taking control is a particularly vulnerable moment, but it is now
very difficult to infect when the OS is running and in control (but not
impossible).
File infectors need read access to the file to infect with malicious
code. As it is normal practice to keep most system files read only to
users the possibility of causing system wide problems is really down to
your security practices.
When executable file formats were very simple these were relatively easy
to write.
The key characteristic of a virus is the ability to replicate the
original functionality. Hence boot sector viruses modified boot sectors,
and file infectors change files with code to infect other files when run.
These viruses do not need human intervention to spread, just various
forms of human stupidity.
2) Macro and script viruses are a special case of 1 (I was on a CHEST
software committee in the early 1990s that identified this as a
potential issue then). Basically any programming code can be infected
with code with viral characteristics. Scripts are code. These are
considerably easier to produce than executable code based viruses, hence
their current popularity.
3) Trojans may subvert systems, but do not have the ability to
replicate, so hence ARE NOT viruses.
4) The first reference to the concept of a computer worm I came across
was in J. Brunner's book Shockwave Rider. Worms do not really replicate,
they propagate: the worm itself may disappear but it delivers malware code
(usually a trojan of some sort) which it may use to propagate itself
elsewhere. The distinction is subtle but important. Worms actively
exploit weaknesses and are more of a strategy than anything else.
[Odd thing is the idea of self modifying and replicating code is a
legitimate area in A.I. research].
But most of the popular services have had some issues, ftp, mail, http,
ssh...
The last Linux worm I saw was one that was spread via infected
Apache/PHP systems. It worked by having the exploitable PHP parse a
command string and fetch a script from some site, chmod the script, and
then call it. That script would then download a couple of ELF
executables, one of which turned the server into a zombie controlled via
IRC, and configured them to start on boot. Thankfully, it's been a
couple of years since I saw that, but I still have the sample I managed
to acquire stored in an encrypted archive, along with a large selection
of Windows viruses[1][2].
This really cannot be called a worm, this more strictly is a dropper.
<snip>
David Bolt
What!!!!????
- --
==============================================================================
I have always wished that my computer would be as easy to use as my
telephone.
My wish has come true. I no longer know how to use my telephone.
Bjarne Stroustrup
==============================================================================
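The sequence David Bolt walks through above (kdesktoprc names bsod.desktop, its Exec= line names bsod, find locates the ELF under /usr/lib64/xscreensaver) and G T Smith's reply that such a file should be read-only and changeable only by root can be turned into one check. What follows is an added example, not code from the thread and not part of KDE or xscreensaver: it audits every .desktop launcher in a directory, resolves the program named by the first Exec= line, and flags any launcher or target that is missing, not owned by the trusted owner, or writable by group or others. The directory layout, the launcher contents and the stand-in owner that demo_run sets up are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread or from KDE/xscreensaver. It turns
# the grep/find/file walk David Bolt did by hand into a check: for every
# .desktop launcher in a directory, find the program its first Exec= line
# runs and report whether the launcher or that program could be rewritten
# by someone other than the trusted owner. The directory layout and the
# launchers that demo_run creates are constructed for the demonstration.

# first_exec FILE: program named by the first Exec= line ("bsod" for
# "Exec=bsod", "kxsrun" for "Exec=kxsrun bsod -- -root"); empty if none
first_exec() {
    sed -n 's/^Exec=\([^ ]*\).*/\1/p' "$1" | head -n 1
}

# perm_problem PATH OWNER: print why PATH is unsafe to run unattended, or
# nothing if it exists, belongs to OWNER and is not group/world writable.
# find -prune on a plain path tests just that path, so this needs no stat(1)
# dialect and accepts either a user name or a numeric uid as OWNER.
perm_problem() {
    [ -e "$1" ] || { echo "missing"; return 0; }
    [ -z "$(find "$1" -prune ! -user "$2" -print)" ] || { echo "not owned by $2"; return 0; }
    [ -z "$(find "$1" -prune -perm -002 -print)" ] || { echo "world-writable"; return 0; }
    [ -z "$(find "$1" -prune -perm -020 -print)" ] || { echo "group-writable"; return 0; }
    return 0
}

# audit_launchers DIR BINDIR [OWNER]: one report line per .desktop file in
# DIR. Relative Exec names are looked up in BINDIR (standing in for the
# xscreensaver hack directory); OWNER defaults to root as on a real system.
audit_launchers() {
    dir=$1; bindir=$2; owner=${3:-root}
    for f in "$dir"/*.desktop; do
        [ -f "$f" ] || continue
        prog=$(first_exec "$f")
        if [ -z "$prog" ]; then
            echo "OK $f (no Exec line)"
            continue
        fi
        case "$prog" in
            /*) target=$prog ;;
            *)  target=$bindir/$prog ;;
        esac
        # a launcher anyone can edit is as bad as a binary anyone can replace
        reason=$(perm_problem "$f" "$owner")
        if [ -n "$reason" ]; then
            echo "WARN $f: launcher $reason"
            continue
        fi
        reason=$(perm_problem "$target" "$owner")
        if [ -n "$reason" ]; then
            echo "WARN $f: target $target $reason"
        else
            echo "OK $f -> $target"
        fi
    done
}

# demo_run: build a constructed tree with one sound launcher and three that
# should be flagged, print the report, and remove the tree again
demo_run() {
    top=$(mktemp -d)
    mkdir -p "$top/ScreenSavers" "$top/hacks"
    me=$(id -un 2>/dev/null || id -u)   # stand-in for root when run unprivileged

    printf '%s\n' '[Desktop Entry]' 'Exec=good' > "$top/ScreenSavers/good.desktop"
    printf '%s\n' '[Desktop Entry]' 'Exec=loose' > "$top/ScreenSavers/loose.desktop"
    printf '%s\n' '[Desktop Entry]' 'Exec=good' > "$top/ScreenSavers/editable.desktop"
    printf '%s\n' '[Desktop Entry]' 'Exec=/nonexistent/hack' > "$top/ScreenSavers/gone.desktop"
    printf '%s\n' '#!/bin/sh' 'exit 0' > "$top/hacks/good"
    printf '%s\n' '#!/bin/sh' 'exit 0' > "$top/hacks/loose"
    chmod 0644 "$top"/ScreenSavers/*.desktop
    chmod 0666 "$top/ScreenSavers/editable.desktop"   # launcher anyone can edit
    chmod 0755 "$top/hacks/good"
    chmod 0777 "$top/hacks/loose"                     # binary anyone can replace

    audit_launchers "$top/ScreenSavers" "$top/hacks" "$me"
    rm -rf "$top"
}

demo_run
```

On a real system the call would be something like `audit_launchers /opt/kde3/share/applnk/System/ScreenSavers /usr/lib64/xscreensaver` with the owner left at root; a WARN there means an unprivileged account can swap in a binary that the window manager will run for it at the next idle timeout, which is the trojan path David Bolt describes and the permissions G T Smith says should prevent it.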
- Follow-Ups:
- Re: [opensuse] Who said Linux doesnot get Virus infections
- From: David Bolt
- Re: [opensuse] Who said Linux doesnot get Virus infections
- References:
- [opensuse] Who said Linux doesnot get Virus infections
- From: Registration Account
- Re: [opensuse] Who said Linux doesnot get Virus infections
- From: Clayton
- Re: [opensuse] Who said Linux doesnot get Virus infections
- From: Hans van der Merwe
- Re: [opensuse] Who said Linux doesnot get Virus infections
- From: John Andersen
- Re: [opensuse] Who said Linux doesnot get Virus infections
- From: Hans van der Merwe
- Re: [opensuse] Who said Linux doesnot get Virus infections
- From: James Knott
- Re: [opensuse] Who said Linux doesnot get Virus infections
- From: Michael Letourneau
- Re: [opensuse] Who said Linux doesnot get Virus infections
- From: James Knott
- Re: [opensuse] Who said Linux doesnot get Virus infections
- From: Michael Letourneau
- Re: [opensuse] Who said Linux doesnot get Virus infections
- From: Clayton
- Re: [opensuse] Who said Linux doesnot get Virus infections
- From: David Bolt
- Re: [opensuse] Who said Linux doesnot get Virus infections
- From: Michael Letourneau
- Re: [opensuse] Who said Linux doesnot get Virus infections
- From: David Bolt
- [opensuse] Who said Linux doesnot get Virus infections