Re: Is my paranoia unfounded or not



On Wed, 06 Jun 2007, in the Usenet newsgroup comp.os.linux.misc, in article
<Nu-dnfvnVZtvnfrbnZ2dnUVZ_qydnZ2d@xxxxxxxxxxx>, notbob wrote:

> If you weren't paranoid enough, before, read this:
>
> http://www.cio.com/article/114550

> He learned, for example, that an aquarium employee had downloaded an
> audio file while eating a sandwich on her lunch break. He learned that
> when she played the song, a rootkit hidden inside the song installed
> itself on her computer. That rootkit allowed the hacker who'd planted
> it to establish a secure tunnel so he could work undetected and "get
> root" - administrator's access to the aquarium network.

Windoze user running as "administrator" (which is why everyone tells you
not to try to run as 'root')

> What's worse, that lunch break with the sandwich and the song download
> had occurred some time before he got there. In fact, the hacker had
> captured every card transaction at the aquarium for two years.

Not wishing to belittle the problem, but this story smells of embellished
folklore - the windoze luser being able to remember that she downloaded
the song at lunch (where/how) two years earlier while eating a sandwich.
Did the "song" source (including rootkit) still exist on the luser's hard
disk? Sounds rather inept for a malware author, don't you think?

> IOW, chkrootkit may be useless.

May??? Talk about an understatement!

"chkrootkit" (http://www.chkrootkit.org) and the equally flawed "rkhunter"
(http://www.rootkit.nl) are just about the most useless applications
available. Both are mainly shell scripts, and thus easy to understand.
Both are window dressing ONLY, and are trivial to fool. For example,
both look for a file named "/tmp/.../a" or "/tmp/.../r" and if that is
found they declare you are infected with the 55308 worm (a port scanner
from June 2003). Now, should the malware author do the unthinkable and
change the name of the file to something exotic like "/tmp/.../A" (or
indeed _anything_ other than "/tmp/.../a" or "/tmp/.../r"), neither of
these useless "tools" will find the worm. (In fairness, at least both
make an attempt to search for a file or directory named "...", BUT ONLY
IN SPECIFIC DIRECTORIES - not globally.)

The other problem with both "tools" is frequent false alarms caused by
shoddy coding techniques. An example of this is using 'grep' to search
for the string 'adore' (the Adore worm targeted Red Hat 7.0 system
vulnerabilities in 2001) which will be found in the string 'Isadore' or
'Labradorean', never mind words that are based on 'adore' like 'adorer'
or 'unadored'.

Saw an article in another newsgroup last week where _both_ 'chkrootkit'
and 'rkhunter' were crying about the 'eth0' interface having a packet
sniffer running when none in fact were - the false alarm caused by a
dumb test that used 'grep' on the output of '/sbin/ifconfig' and noted
the string 'PROMISC' in the third line. This was caused by running a DHCP
client, but neither "malware detector" bothered to explain the test, or
note the possible false alarm. Rather interesting, as DHCP and BOOTP
predate either application by over five years.

Bottom line - if either 'chkrootkit' or 'rkhunter' report a positive,
either it's a false alarm, or you've managed to get infected by something
written by a really stupid malware author who hasn't bothered to take the
trivial steps needed to prevent detection by either "tool".

> Your only way to really be sure is to do a fresh reinstall and keep
> security patches current while constantly monitoring your system.

The clean install from trusted media and security updates is always the
sure solution. As for monitoring the system, many users lack the skills
to do so, and must depend on other tools. The classic tool is "tripwire"
(which I understand to be unmaintained now) or its replacement 'aide'.
There are others of similar concept. These work by using cryptographic
hashes of all files on the system, and comparing these hash values with
a set you created when you installed on a known clean system. This
allows detection of _changes_ (but if it detects a change, is it one
that _you_ made, or a bad guy - you have to update the hashes every time
you do ANY updates). As the hashes are unique to your system rather than
generic, they have an enormously better chance of detecting problems.

Old guy
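The false alarms described above come from testing for a substring ('adore' inside 'Isadore' or 'Labradorean') rather than a whole token, and the "/tmp/.../a" check from looking in a fixed list of directories only. As an added illustration (example code written for this reply, not code from the post, from chkrootkit or from rkhunter), the following Python runs a bare substring search and an anchored match side by side over a constructed process listing, and walks a whole tree for entries literally named "..."; SAMPLE_PS, naive_hits, anchored_hits and find_hidden_dots are names chosen here.

```python
import os
import re

# Added example, not from the post, chkrootkit or rkhunter. The "process list"
# below is constructed for the demonstration, not captured from a real host.
SAMPLE_PS = [
    "  412 ?  Ss  0:00 /usr/sbin/sshd",
    "  987 ?  S   0:01 /usr/bin/isadore-sync",   # contains 'adore' as a substring only
    " 1203 ?  S   0:00 /usr/games/labradorean",   # likewise
    " 1337 ?  S   0:00 adore",                    # the only line where the token itself appears
]


def naive_hits(lines, signature):
    """The shoddy test: plain substring search, equivalent to 'grep signature'."""
    return [line for line in lines if signature in line]


def anchored_hits(lines, signature):
    """Match the signature only when it is a whole token (not glued to letters,
    digits, dots or dashes on either side). 'isadore-sync' and 'labradorean'
    no longer match; a bare 'adore' still does."""
    pattern = re.compile(
        r"(?<![A-Za-z0-9_.-])" + re.escape(signature) + r"(?![A-Za-z0-9_.-])"
    )
    return [line for line in lines if pattern.search(line)]


def find_hidden_dots(root):
    """Look for files or directories literally named '...' anywhere under root,
    instead of only in a handful of hard-coded directories."""
    hits = []
    for dirpath, dirs, files in os.walk(root):
        for name in dirs + files:
            if name == "...":
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


if __name__ == "__main__":
    print("naive   :", naive_hits(SAMPLE_PS, "adore"))
    print("anchored:", anchored_hits(SAMPLE_PS, "adore"))
    print("'...' entries under /tmp:", find_hidden_dots("/tmp"))
```

Note that the anchored match is still only a name check: it stops the 'Isadore' class of false alarm but, as the post says, is defeated by renaming. The global walk at least removes the "only in specific directories" limitation the post complains about.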
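To make the tripwire/aide idea concrete, here is a minimal integrity checker of the same kind, added as an example for this reply (it is not tripwire, aide, or any code from the post): it records a SHA-256 digest and permission bits for every regular file under a root on a known-clean system, saves that baseline, and later reports which files were added, removed or modified. The function names (build_baseline, save_baseline, load_baseline, compare) and the JSON baseline format are choices made here.

```python
import hashlib
import json
import os
from pathlib import Path

# Added example of a tripwire/aide-style check; not code from the post or from
# either project. Baseline format (JSON of relpath -> {sha256, mode}) is a
# choice made here.


def sha256_file(path, chunk=65536):
    """Stream a file through SHA-256 so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map every regular file under root (path relative to root) to its
    digest and permission bits. Symlinks are skipped to keep the example short."""
    root = Path(root)
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            st = p.lstat()
            baseline[str(p.relative_to(root))] = {
                "sha256": sha256_file(p),
                "mode": oct(st.st_mode & 0o7777),
            }
    return baseline


def save_baseline(baseline, path):
    """Write the baseline; keep this copy on read-only media, not on the host."""
    Path(path).write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def compare(baseline, current):
    """Report what differs from the baseline: new, deleted and altered files.
    A hit only says something changed; whether you or an intruder changed it
    is for the operator to decide, which is why the baseline must be refreshed
    after every legitimate update."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        f for f in set(baseline) & set(current) if baseline[f] != current[f]
    )
    return {"added": added, "removed": removed, "modified": modified}


if __name__ == "__main__":
    import sys
    # usage: script.py init ROOT BASELINE.json   (on the freshly installed system)
    #        script.py check ROOT BASELINE.json  (later, to look for changes)
    cmd, root, db = sys.argv[1:4]
    if cmd == "init":
        save_baseline(build_baseline(root), db)
    else:
        print(json.dumps(compare(load_baseline(db), build_baseline(root)), indent=1))
```

The value of this over a generic scanner is the point the post makes: the baseline is unique to your install, so an attacker cannot know in advance which names or contents will trip it, and the check is on content, not on a filename string.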