Re: Suse 9.X and the SOBER worm

From: Rick Moen (rick_at_linuxmafia.com)
Date: 05/06/05

Date: Fri, 06 May 2005 02:13:34 -0400

[Followups have been set to comp.os.linux.security.]

chrisv@texas.net <chrisv@texas.net> wrote:

> How does Suse protect against it in email attachments? Is AntiVir
> enough protection? Is Linux inherently protected from this type of
> virus? Please inform.

"Sober" is a Microsoft Visual BASIC executable attachment that arrives
attached to an e-mail. The payload has a .zip or .exe filename
extension. For activation, it relies on recipients having an
environment supporting such executables, and users stupid enough to
execute binary program attachments received from nobody in particular.

If activated on a Win32-supporting machine, it forks off an SMTP engine
process to further propagate using e-mail addresses scanned from
certain sorts of files on local disk volumes, makes some changes to the
local Win32 registry (if this is an MS-Windows machine), displays some
sort of lying message to the local user,

I have no doubt that some variants differ slightly from that
description, but the details really don't matter. The minor point, of
two, to note is that it's an MS-Windows executable, and thus natively
can run -- assuming someone's stupid enough to run it -- on MS-Windows
machines and OSes with some sort of close compatibility.

The _major_ point to note is the one about requiring a recipient stupid
enough to go out of his way to run the executable. Let's assume for the
sake of discussion that a Linux system emulates MS-Windows's structures
closely enough that it _could_ support running Sober. OK, fine: Now
consider the other part, what's required to get the user to run it.

There are 123 e-mail programs that run on Linux.[1] Not a single one of
them will run a received attached executable for no better reason than
the user "clicking on" it. The standard Unix default treatment is that
you could save that file, e.g., to /tmp, and then, if you _really_
thought it wise to execute it, could do "chmod u+x /tmp/savedprogram" or
some equivalent, and only _then_ run it. The chmod command is necessary
because, by universal convention embedded in the system call used, the
file will _not_ get saved with the executable bit set. Thus, the user
has to use "chmod" (or equivalent) to enable it manually.

The culture and structure of Linux (which reinforce each other) are such
that it's made non-routine to perform such a reckless action: The user
has to go out of his way to make it possible. The intent, in part, is
to encourage the user to become wary when suddenly the system's somewhat
in the way of him doing it. It gives him an opportunity to stop and
think "Wait, do I want to do this? Is this in my interest? Or am I
laboriously taking aim and shooting at my own foot?" Which is a Good
Thing.

It is also inherent in Linux (as in Unixes generally) that the system
doesn't prevent you from doing stupid things, because that would also
prevent you from doing clever things. So, ultimately, if the user is
determined to blow up his system, the system won't stop him, and will
barely slow him down.

But, at that point, if he's that reckless, there are about a thousand
other ways he's more likely to blow up his system, first.

So, in at least two separate senses, Sober and kin are no threat at all.
If you're passing mail _through_ a Linux box and want to artificially
protect vulnerable downstream MS-Windows boxes, where that mail will be
read, and where (with good reason) you probably don't trust the users,
the mail-reading software, or the user culture / system architecture,
then you can run Linux software to detect and strip the MS-Windows
viruses. If you don't have vulnerable downstream systems, don't bother.

Big-picture essays about Linux and "virus threats" (long):
http://linuxmafia.com/~rick/faq/index.php?page=virus

-- 
Cheers,                 "Heedless of grammar, they all cried 'It's him!'"
Rick Moen                       -- R.H. Barham, _Misadventure at Margate_
rick@linuxmafia.com
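As an added example of the gateway-side stripping the post mentions (this is not code from the post, from SUSE or from AntiVir): a Python filter that parses a MIME message and replaces Win32 executable attachments, including a .zip that carries one, with a plain-text notice. The extension list, the "MZ" magic check and the sample message are constructed for this example.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions Win32 runs on a click; list constructed for this example.
EXEC_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd"}

def _ext(name):
    name = (name or "").lower()
    return name[name.rfind("."):] if "." in name else ""

def looks_executable(filename, data):
    """Executable by extension, by the PE 'MZ' magic, or a zip carrying one."""
    if _ext(filename) in EXEC_EXTS or data[:2] == b"MZ":
        return True
    if _ext(filename) == ".zip" or data[:4] == b"PK\x03\x04":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return any(_ext(m) in EXEC_EXTS for m in zf.namelist())
        except zipfile.BadZipFile:
            return True  # unreadable archive: treat as suspect, not as safe
    return False

def strip_executables(raw):
    """Parse raw RFC 822 bytes; replace each executable attachment with a notice.
    Returns (cleaned message, list of stripped filenames)."""
    msg = message_from_bytes(raw, policy=policy.default)
    stripped = []
    for part in msg.walk():
        name = part.get_filename()
        if part.is_multipart() or name is None:
            continue
        if looks_executable(name, part.get_payload(decode=True) or b""):
            stripped.append(name)
            part.set_content(f"[attachment {name!r} removed by gateway]\n")
    return msg, stripped

def build_sample():
    """Constructed message: a zip hiding a fake .exe plus a harmless text file."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.invalid", "b@example.invalid", "your doc"
    m.set_content("see attached")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.txt.exe", b"MZ not a real program")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="document.zip")
    m.add_attachment("meeting notes", subtype="plain", filename="notes.txt")
    return m.as_bytes()
```

The stripped part keeps its place in the MIME tree, so the downstream reader sees which attachment was removed; the text body and non-executable attachments pass through untouched.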
